Menggunakan Kali Linux Untuk Mengetahui Kelemahan Implementasi TI

Ismail Fahmi

Seminar Perpustakaan Kemdikbud - 26 April 2016

Case Study

https://offshoreleaks.icij.org/search?country=&q=indonesia

Analisa Teknis

Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.

Non-authoritative user bisa menjalankan Ajax call, yg harusnya hanya untuk previliged user saja!!!

Dan bisa menerima file yang diupload oleh hacker.

Bugs Program

Cross Site Scripting

SQL Injection

http://www.ibtimes.co.uk/panama-papers-hacker-claims-sql-injection-vulnerability-found-mossack-fonseca-server-1554559

Pemasangan Firewall

Struktur Jaringan Lama

Web Server

Mail Server

200.46.144.0

Dalam blok yang sama

Bagaimana anda tahu kelemahan yang ada dalam implementasi IT di perpustakaan anda?

?

Case Study 2

Menggunakan…

23 vulnerabilities!!

[!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing Reference: https://wpvulndb.com/vulnerabilities/7528 Reference: https://core.trac.wordpress.org/changeset/29384 Reference: https://core.trac.wordpress.org/changeset/29408 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205 [i] Fixed in: 3.9.2

[!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite Reference: https://wpvulndb.com/vulnerabilities/7529 Reference: https://core.trac.wordpress.org/changeset/29398 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240 [i] Fixed in: 3.9.2

[!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library Reference: https://wpvulndb.com/vulnerabilities/7530 Reference: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc Reference: http://getid3.sourceforge.net/ Reference: http://wordpress.org/news/2014/08/wordpress-3-9-2/ Reference: http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html Reference: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053 [i] Fixed in: 3.9.2

[!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout Reference: https://wpvulndb.com/vulnerabilities/7531 Reference: http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout Reference: http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868 [i] Fixed in: 4.0

[!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS) Reference: https://wpvulndb.com/vulnerabilities/7680 Reference: http://klikki.fi/adv/wordpress.html Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/ Reference: http://klikki.fi/adv/wordpress_update.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031 [i] Fixed in: 4.0

[!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS) Reference: https://wpvulndb.com/vulnerabilities/7681 Reference: http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html Reference: https://wordpress.org/news/2014/11/wordpress-4-0-1/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034 Reference: https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos Reference: https://www.exploit-db.com/exploits/35413/ Reference: https://www.exploit-db.com/exploits/35414/ [i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF) Reference: https://wpvulndb.com/vulnerabilities/7696 Reference: http://www.securityfocus.com/bid/71234/ Reference: https://core.trac.wordpress.org/changeset/30444 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038 [i] Fixed in: 4.0.1

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection Reference: https://wpvulndb.com/vulnerabilities/8126 Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213 [i] Fixed in: 3.9.8

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack Reference: https://wpvulndb.com/vulnerabilities/8130 Reference: https://core.trac.wordpress.org/changeset/33536 Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730 [i] Fixed in: 3.9.8

[!] Title: Catablog <= 1.6 - Cross Site Scripting Reference: https://wpvulndb.com/vulnerabilities/6286 Reference: http://packetstormsecurity.com/files/112619/

[+] Name: grand-media - v1.0.0 | Location: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/grand-media/ | Readme: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/grand-media/readme.txt [!] The version is out of date, the latest version is 1.8.20 [!] Directory listing is enabled: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/grand-media/

[!] Title: Gmedia Gallery 1.2.1 - Shell Upload Reference: https://wpvulndb.com/vulnerabilities/7544 Reference: http://packetstormsecurity.com/files/127725/ [i] Fixed in: 1.2.2

[+] Name: page-layout-builder - v1.9.3 | Location: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/page-layout-builder/ | Readme: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/page-layout-builder/readme.txt [!] The version is out of date, the latest version is 2.0.3 [!] Directory listing is enabled: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/plugins/page-layout-builder/

[!] Upload directory has directory listing enabled: http://perpustakaan.kemdikbud.go.id/perpus/wp-content/uploads/

Information Gathering

List informasi dalam DNS

Informasi singkat tentang Name Server, Mail Server

DNS Zone Transfer

List semua informasi dalam DNS

Dapat digunakan untuk menyusun peta jaringan

target

[*] A @.kemdikbud.go.id 118.98.166.162[*] A noc2.kemdikbud.go.id 118.98.166.80[*] A unnesonline.kemdikbud.go.id 118.98.221.174[*] A mailbox-zimbra2.kemdikbud.go.id 118.98.222.92[*] A www.atdik-berlin.kemdikbud.go.id 118.98.232.123[*] A anugerahkihajar.kemdikbud.go.id 118.98.221.14[*] A awanpustekkom.kemdikbud.go.id 118.98.236.161[*] A p4tkbispar.kemdikbud.go.id 118.98.236.244[*] A asem-education-secretariat.kemdikbud.go.id 118.98.236.197[*] A mailbox10.kemdikbud.go.id 118.98.222.30[*] A nuptk.kemdikbud.go.id 118.98.221.43[*] A buku.kemdikbud.go.id 118.98.166.55[*] A www.saibpsdm.kemdikbud.go.id 118.98.221.90[*] A sip.kemdikbud.go.id 118.98.234.47[*] A rtf.kemdikbud.go.id 118.98.221.14[*] A vod-tve.kemdikbud.go.id 118.98.222.63[*] A ijso2016.kemdikbud.go.id 118.98.232.227[*] A sms.kemdikbud.go.id 118.98.221.14[*] A pengaduanpip.kemdikbud.go.id 118.98.234.85[*] A www.bse.kemdikbud.go.id 118.98.221.236[*] A emonitoring.kemdikbud.go.id 118.98.232.125[*] A sso.kemdikbud.go.id 118.98.221.58[*] A buonline.kemdikbud.go.id 118.98.223.51[*] A rept.kemdikbud.go.id 118.98.221.175[*] A studihasilukg.kemdikbud.go.id 118.98.166.114[*] A ldaprpc.kemdikbud.go.id 118.98.222.89[*] A www.buonline.kemdikbud.go.id 118.98.223.51[*] A video.kemdikbud.go.id 118.98.221.143[*] A jurnalkwangsan.kemdikbud.go.id 118.98.226.30[*] A monevrbi.kemdikbud.go.id 118.98.232.123[*] A bimbel.kemdikbud.go.id 118.98.221.19[*] A registrasi.cpns.kemdikbud.go.id 118.98.223.101

…

[*] A www.atdik-portmoresby.kemdikbud.go.id 118.98.232.123[*] A pslb.kemdikbud.go.id 118.98.177.180[*] A warisanbudaya.kemdikbud.go.id 118.98.234.40[*] A pip.kemdikbud.go.id 118.98.234.85[*] A psmk.kemdikbud.go.id 118.98.234.110[*] A pjj.kemdikbud.go.id 118.98.223.45[*] A kniu.kemdikbud.go.id 118.98.236.117[*] A owa.kemdikbud.go.id 118.98.234.49[*] A beasiswa.kemdikbud.go.id 118.98.235.57[*] A jurnaldikbud.kemdikbud.go.id 118.98.221.14[*] A padatiweb.kemdikbud.go.id 118.98.233.140[*] A psb.kemdikbud.go.id 118.98.223.56[*] A ptkdikdasmen.kemdikbud.go.id 118.98.236.72[*] A saibpsdm.kemdikbud.go.id 118.98.221.90[*] A rbi.kemdikbud.go.id 118.98.166.80[*] A sso2.kemdikbud.go.id 118.98.221.59[*] CNAME lpmpjogja.kemdikbud.go.id www.lpmpjogja.org. 104.28.10.84[*] CNAME lpmpjogja.kemdikbud.go.id www.lpmpjogja.org. 104.28.11.84[*] CNAME lpmpkalbar.kemdikbud.go.id www.lpmp-kalbar.net. 49.50.8.86[*] CNAME lpdpdiknas.kemdikbud.go.id www.lpdp.depkeu.go.id. 202.137.230.221[*] CNAME bsnp-indonesia.kemdikbud.go.id www.bsnp-indonesia.org. 103.11.74.20[*] CNAME lpmpjateng.kemdikbud.go.id www.lpmpjateng.go.id. 116.213.48.171[*] CNAME p4tkpenjasbk.kemdikbud.go.id www.p4tkpenjasbk.or.id. 103.3.59.74[*] CNAME p4tkbmti.kemdikbud.go.id www.tedcbandung.com. 180.235.151.11[*] CNAME lpdp.kemdikbud.go.id www.lpdp.depkeu.go.id. 202.137.230.221[*] CNAME lpmpsulteng.kemdikbud.go.id www.lpmpsulteng.net. 202.150.213.148[*] CNAME lpmpaceh.kemdikbud.go.id www.lpmp-aceh.com. 198.23.80.60[*] CNAME lpmpaceh.kemdikbud.go.id www.lpmp-aceh.com. 2607:f0d0:2102:55::2[*] CNAME p4tkboe.kemdikbud.go.id www.vedcmalang.com. 184.107.26.76[*] CNAME p4tkmatematika.kemdikbud.go.id p4tkmatematika.org. 216.185.109.195[*] CNAME lpmpriau.kemdikbud.go.id www.lpmpriau.go.id. 202.78.195.34[*] CNAME lpmppapua.kemdikbud.go.id www.lpmp-papua.web.id. 104.168.172.179[*] CNAME p4tkbahasa.kemdikbud.go.id www.pppptkbahasa.net. 202.53.229.122[*] CNAME lpmpdki.kemdikbud.go.id www.lpmpdki.web.id. 101.50.1.116[*] SRV _sip._tls.kemdikbud.go.id sip 443 0 no_ip[*] SRV _sipfederationtls._tcp.kemdikbud.go.id sip 5061 0 no_ip

Dapat digunakan untuk memilih target yang akan diserang.

Analisa Aplikasi Web

Scanning

Alerts

High priority!

SQL Injections

Meet Kali Linux, a distro built to hammer your security

Daftar Perangkat Uji Keamanan Kali Linux

http://tools.kali.org/tools-listing

SQL Mapper

Network Mapper

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing.

root@kali:~# nmap -v -A -sV perpustakaan.kemdikbud.go.idStarting Nmap 7.01 ( https://nmap.org ) at 2016-04-24 11:24 EDTNSE: Loaded 132 scripts for scanning.NSE: Script Pre-scanning.Initiating NSE at 11:24Completed NSE at 11:24, 0.00s elapsedInitiating NSE at 11:24Completed NSE at 11:24, 0.00s elapsedInitiating Ping Scan at 11:24Scanning perpustakaan.kemdikbud.go.id (118.98.232.10) [4 ports]Completed Ping Scan at 11:24, 0.05s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 11:24Completed Parallel DNS resolution of 1 host. at 11:24, 7.39s elapsedInitiating SYN Stealth Scan at 11:24Scanning perpustakaan.kemdikbud.go.id (118.98.232.10) [1000 ports]Discovered open port 80/tcp on 118.98.232.10Discovered open port 8080/tcp on 118.98.232.10Discovered open port 443/tcp on 118.98.232.10Discovered open port 53/tcp on 118.98.232.10Discovered open port 25/tcp on 118.98.232.10Discovered open port 21/tcp on 118.98.232.10Discovered open port 143/tcp on 118.98.232.10Discovered open port 110/tcp on 118.98.232.10...Discovered open port 3011/tcp on 118.98.232.10Discovered open port 1100/tcp on 118.98.232.10Discovered open port 19780/tcp on 118.98.232.10Completed SYN Stealth Scan at 11:24, 1.68s elapsed (1000 total ports)Initiating Service scan at 11:24Scanning 602 services on perpustakaan.kemdikbud.go.id (118.98.232.10)Completed Service scan at 11:26, 119.80s elapsed (604 services on 1 host)Initiating OS detection (try #1) against perpustakaan.kemdikbud.go.id (118.98.232.10)Retrying OS detection (try #2) against perpustakaan.kemdikbud.go.id (118.98.232.10)Initiating Traceroute at 11:26Completed Traceroute at 11:26, 0.10s elapsedInitiating Parallel DNS resolution of 15 hosts. at 11:26Completed Parallel DNS resolution of 15 hosts. at 11:26, 13.00s elapsedNSE: Script scanning 118.98.232.10.

Nmap scan report for perpustakaan.kemdikbud.go.id (118.98.232.10) Host is up (0.016s latency).rDNS record for 118.98.232.10: 232-10.sny.kemdiknas.go.idNot shown: 396 closed portsPORT STATE SERVICE VERSION1/tcp open tcpwrapped3/tcp open tcpwrapped6/tcp open tcpwrapped9/tcp open tcpwrapped19/tcp open tcpwrapped21/tcp open tcpwrapped22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 1024 1e:dc:af:54:2c:99:e3:4c:be:72:14:b2:83:2c:5e:d5 (DSA)| 2048 10:73:0b:fb:32:f8:a5:ad:b5:fa:92:c8:23:6e:3a:e5 (RSA)|_ 256 4f:b1:2d:27:0a:8e:94:f5:b4:16:8f:e7:e1:5e:e4:33 (ECDSA)25/tcp open tcpwrapped|_smtp-commands: Couldn't establish connection on port 2532/tcp open tcpwrapped33/tcp open tcpwrapped37/tcp open tcpwrapped42/tcp open tcpwrapped43/tcp open tcpwrapped49/tcp open tcpwrapped53/tcp open domain| dns-nsid: |_ bind.version: 9.9.5-3ubuntu0.8-Ubuntu70/tcp open tcpwrapped79/tcp open tcpwrapped|_finger: ERROR: Script execution failed (use -d to debug)80/tcp open http Apache httpd 2.4.7 ((Ubuntu))|_http-favicon: Unknown favicon MD5: 324F774689F580B14976BECE7F5D5DDC|_http-generator: WPSSO 3.29.5-1/G| http-methods: |_ Supported Methods: GET HEAD POST OPTIONS| http-robots.txt: 1 disallowed entry |_/sftwrs/|_http-server-header: Apache/2.4.7 (Ubuntu)| http-title: Site doesn't have a title (text/html; charset=UTF-8).|_Requested resource was perpus/

443/tcp open ssl/http Apache httpd 2.4.7|_http-generator: WPSSO 3.29.5-1/G| http-methods: |_ Supported Methods: GET HEAD POST OPTIONS| http-robots.txt: 1 disallowed entry |_/sftwrs/|_http-server-header: Apache/2.4.7 (Ubuntu)| http-title: Site doesn't have a title (text/html; charset=UTF-8).|_Requested resource was perpus/| ssl-cert: Subject: commonName=perpustakaan.kemdikbud.go.id| Issuer: commonName=StartCom Class 1 DV Server CA/organizationName=StartCom Ltd./countryName=IL| Public Key type: rsa| Public Key bits: 2048| Signature Algorithm: sha256WithRSAEncryption| Not valid before: 2016-04-21T04:32:00| Not valid after: 2017-04-21T04:32:00| MD5: 7d2b bdd1 e9f0 82aa 82df b396 6a8f 8843|_SHA-1: 6263 4932 9c34 bd6a ed9b caf4 9abe b85d 7835 2eb0|_ssl-date: TLS randomness does not represent time...8008/tcp open http| http-methods: |_ Supported Methods: GET HEAD POST OPTIONS|_http-title: Did not follow redirect to https://perpustakaan.kemdikbud.go.id:8010/8009/tcp open tcpwrapped8010/tcp open ssl/http-proxy FortiGate Web Filtering Service|_hadoop-datanode-info: |_hadoop-tasktracker-info: |_hbase-master-info: | http-methods: |_ Supported Methods: GET POST|_http-title: Web Filter Block Override| ssl-cert: Subject: commonName=FortiGate/organizationName=Fortinet/stateOrProvinceName=California/countryName=US| Issuer: commonName=support/organizationName=Fortinet/stateOrProvinceName=California/countryName=US| Public Key type: rsa| Public Key bits: 2048| Signature Algorithm: sha1WithRSAEncryption| Not valid before: 2011-02-21T21:13:04| Not valid after: 2038-01-19T03:14:07| MD5: f829 467c f6b5 eb98 f4d5 d8e8 575d ea12|_SHA-1: 0bc4 90af d22b f753 2042 557f 4591 dd88 7fa2 b3ed|_ssl-date: TLS randomness does not represent time|_sstp-discover: SSTP is supported.

TRACEROUTE (using port 995/tcp)HOP RTT ADDRESS1 13.97 ms 192.168.100.12 14.20 ms 1.subnet125-161-160.speedy.telkom.net.id (125.161.160.1)3 8.73 ms 225.subnet125-160-14.speedy.telkom.net.id (125.160.14.225)4 11.82 ms 61.94.171.975 12.03 ms 209.subnet118-98-51.astinet.telkom.net.id (118.98.51.209)6 21.95 ms 109.subnet118-98-58.astinet.telkom.net.id (118.98.58.109)7 15.55 ms 122.subnet125-160-9.speedy.telkom.net.id (125.160.9.122)8 92.86 ms 218.100.36.29 20.51 ms jardiknas.openixp.net (218.100.27.84)10 34.53 ms 118.98.132.20211 37.32 ms 118.98.132.20612 23.47 ms 118.98.132.11313 23.68 ms 118.98.159.214 13.56 ms 118.98.159.615 24.25 ms 232-10.sny.kemdiknas.go.id (118.98.232.10)

NSE: Script Post-scanning.Initiating NSE at 11:29Completed NSE at 11:29, 0.00s elapsedInitiating NSE at 11:29Completed NSE at 11:29, 0.00s elapsedRead data files from: /usr/bin/../share/nmapOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 271.02 seconds Raw packets sent: 1223 (55.792KB) | Rcvd: 1038 (43.316KB)

Dan masih banyak lagi tool untuk uji keamanan jaringan menggunakan

Kali Linux.

Silahkan coba sendiri…

Cara instalasi Kali Linux

https://www.kali.org/

https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

Download image untuk virtualbox atau vmware

https://www.virtualbox.org/

Download VirtualBox

Kali Linux dalam VirtualBox Mac OSX

Start up…

Login: root Password: toor

Kali Linux - https://www.kali.org Download Kali Linux - https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ Silabus training Kali Linux - https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf Slide dan Buku - http://www.slideshare.net/search/slideshow?searchfrom=header&q=kali+linux Sample of Penetration Test Report - https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

Referensi

IsmailFahmi,PhDEmail: ismail.fahmi@gmail.comHp: 081289083894

Founder of:

Amediamonitoringandanalyticscompany

TechnicalConsultant of:

Terimakasih