Saturday, June 11, 2016

METASPLOIT - Linux - Post Exploitation


- Layout for this exercise:

- First of all, let's exploit the Linux system:

- As a result of the attack a remote shell session is opened. To handle the session more conveniently, it is backgrounded:

- Metasploit provides several post-exploitation modules. For instance, hashdump collects the password hashes of all accounts on the victim's machine:

- Also, checkvm determines whether the remote system is a physical or a virtual machine:

- enum_configs gathers information about the victim's configuration, related to installed applications and services:

- enum_network collects data about the network, like IPTables rules, interfaces, ports, connections, DNS, SSH, etc.:

- enum_protections looks for applications used to prevent or detect attacks, like antivirus, IDS/IPS, firewalls, etc.:

- enum_system gathers system information, like installed packages, services, mount information, user list, user bash history and cron jobs:

- enum_users_history gathers user information like user lists, bash history, MySQL history, Vim history, etc.:

METASPLOIT - Linux - RLogin


- Layout for this exercise:

- Rlogin (Remote Login) is an old service used for remote administration that allows users to connect to machines over a network. In some way it can be considered a predecessor of SSH. Rlogin suffers from several security issues, like unencrypted transmission and an unreliable, trust-based authentication protocol. For this reason nowadays it is rarely used across untrusted networks. However, some Linux systems have the service enabled by default, which can be taken advantage of by malicious attackers. Rlogin listens on TCP port 513.

- Scanning the victim with NMAP, the attacker sees that port 513 is open:

- The attacker simply connects remotely to the victim as root and obtains a shell without being asked for a password. The example shows how weak the authentication protocol is, since no password is ever requested:

- Once there, the attacker can totally manage the victim's system:

- The netstat command displays the connection between victim and attacker:
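The password-less root login above comes down to host trust rather than credentials. As an added example (not from the original post), this script audits the trust files rlogind consults (assumed paths /etc/hosts.equiv and ~/.rhosts) for wildcard entries and checks `ss -ltn` output for a listener on TCP 513; both inputs are constructed samples.

```python
# Added example (not from the original post): audit the host-trust files that
# rlogind honours and the listening sockets. Paths and outputs are constructed.

# Constructed contents of the two trust files rlogind consults.
SAMPLE_TRUST_FILES = {
    "/etc/hosts.equiv": "+ +\n",
    "/root/.rhosts": "# trusted build host\n+\nbuild.example.internal alice\n",
}

# Constructed `ss -ltn` output with rlogin (513) and ssh (22) listening.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:513        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

def parse_trust_file(text):
    """Return (host, user) pairs; a missing user means 'same username'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries

def find_wildcard_trust(files):
    """Flag '+' host entries: any host may log in without a password."""
    findings = []
    for path, text in files.items():
        for host, user in parse_trust_file(text):
            if host == "+":
                who = "any user" if user == "+" else (user or "same username")
                findings.append(f"{path}: any host trusted as {who}")
    return findings

def rlogin_listening(ss_output):
    """True if a TCP listener is bound to port 513 in `ss -ltn` output."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3].rsplit(":", 1)[-1] == "513":
            return True
    return False
```

On a real host, read the two files and the output of `ss -ltn` into these functions; any finding plus a 513 listener is the condition shown in the exercise.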



METASPLOIT - Linux - NFS


- Layout for this exercise:

- NFS (Network File System) is a service available on Linux systems whose function is to let users manage shared folders over a network. If misconfigured, NFS can turn into a serious vulnerability that gives attackers access to the whole system.

- The attacker discovers the NFS service running on port 2049:

- showmount displays the list of directories exported by a specific machine, in this case the vulnerable victim's IP:

- The result (/ *) shows that even the root directory of the victim is exported to any host (*), which is actually a huge security breach, because the whole filesystem is available to any attacker.

- As a consequence, the filesystem listed by showmount can be mounted into a temporary folder on the attacker's machine. The nolock option disables file locking:

- As a result, the attacker can see locally the whole content of the remote system:

- For instance, /etc/passwd is obtained by the attacker:
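The `/ *` export above is something an administrator can catch before an attacker does. As an added example (not from the original post), this script parses `showmount -e` output and /etc/exports syntax and flags root exports, wildcard clients and no_root_squash; both inputs are constructed samples.

```python
# Added example (not from the original post): audit NFS exports. Inputs are constructed.
import re

SHOWMOUNT_OUTPUT = """Export list for 10.0.0.5:
/          *
/srv/share 10.0.0.0/24
"""

EXPORTS_FILE = """# constructed /etc/exports
/ *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync)
"""

def parse_showmount(output):
    """Return [(path, [client, ...])] from `showmount -e`, skipping the header."""
    exports = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports.append((parts[0], parts[1].split(",")))
    return exports

def parse_exports(text):
    """Return [(path, client, [option, ...])] from /etc/exports syntax."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"([^(]+)(?:\((.*)\))?$", spec)
            opts = m.group(2).split(",") if m.group(2) else []
            result.append((path, m.group(1), opts))
    return result

def audit_exports(exports):
    """Return (path, client, [issue, ...]) for exports that need attention."""
    findings = []
    for path, client, opts in exports:
        issues = [msg for cond, msg in (
            (path == "/", "root filesystem exported"),
            (client == "*", "exported to any host"),
            ("no_root_squash" in opts, "remote root keeps root privileges"),
        ) if cond]
        if issues:
            findings.append((path, client, issues))
    return findings
```

showmount output carries no options, so feed it as `(path, client, [])` triples; the options checks only apply to /etc/exports.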

METASPLOIT - Linux - Tomcat


- Layout for this exercise:

- Tomcat is an open-source web server developed by the Apache Software Foundation (ASF). Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.

- Metasploit Framework provides a module that attempts to log in to a Tomcat Application Manager instance using a given user/password:

- Required options for this exploit are remote host (victim's IP) and port (8180):

- The exploit achieves a successful login with valid username and password, using a wordlist provided by Metasploit:



- Now, a new module can be used to execute a payload on Tomcat servers that expose the "manager" application. Required options are, aside from RHOST and RPORT, the username and password discovered in the previous step (tomcat/tomcat):

- Also, this payload will generate a remote reverse meterpreter:

- Required options are local attacker's IP and listening port:

- Launching the exploit, a meterpreter session is generated as expected:

- Also, using the discovered credentials the attacker has easy access to the Tomcat Administration Tool web page:
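The wordlist login succeeds only because the manager account keeps a guessable password. As an added example (not from the original post), this script audits a tomcat-users.xml for manager/admin accounts with default or weak credentials; the XML and the list of default pairs are constructed samples, not Tomcat's own files.

```python
# Added example (not from the original post): audit tomcat-users.xml for
# privileged accounts with default or weak passwords. Inputs are constructed.
import xml.etree.ElementTree as ET

TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="kD8#p2Lq!vX9zR4m" roles="manager-script"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>
"""

# Credential pairs commonly tried by scanners (assumed list, constructed here).
DEFAULT_CREDS = {("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"),
                 ("manager", "manager"), ("admin", "")}
# Role names that grant access to the manager or host-manager applications.
PRIVILEGED_PREFIXES = ("manager", "admin")

def _local(tag):
    """Strip an XML namespace so 'user' matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return [(username, [issue, ...])] for privileged users with weak secrets."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name, pwd = el.get("username", ""), el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        if not any(r.startswith(PRIVILEGED_PREFIXES) for r in roles):
            continue
        issues = [msg for cond, msg in (
            ((name, pwd) in DEFAULT_CREDS, "default credentials"),
            (pwd == name, "password equals username"),
            (len(pwd) < 12, "password shorter than 12 characters"),
        ) if cond]
        if issues:
            findings.append((name, issues))
    return findings
```

Accounts without manager/admin roles (like "guest" here) are skipped on purpose; they cannot reach the manager application even with a weak password.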

Friday, June 10, 2016



METASPLOIT - Linux - vsftpd


- Layout for this exercise:

- vsftpd is a GPL-licensed FTP server for UNIX systems, including Linux. A malicious backdoor was introduced into the vsftpd-2.3.4.tar.gz archive on the VSFTPD download site. The backdoor was later removed, but Metasploit provides a module to exploit it.

- Payload is set to cmd/unix/interact:

- The only required option is the remote host's IP:

- Setting RHOST to the victim's IP:

- Launching the exploit, a remote shell is achieved:

METASPLOIT - Linux - Distcc


- Layout for this exercise:

- distcc is a program to distribute compilation or builds of C, C++, Objective C or Objective C++ code across several machines on a network. Metasploit provides an exploit to take control of a system running distcc:

- The payload cmd/unix/reverse triggers a reverse shell connection:

- Required options are remote and local hosts:

- Setting RHOST (victim) and LHOST (attacker):

- Launching the exploit, the result is a remote shell on the victim:

METASPLOIT - Linux - Samba


- Layout for this exercise:

- The attacker scans for open ports and services on the victim's machine using NMAP:

- On port 139 the victim is running Samba, a file sharing service that in this case suffers from a vulnerability. Metasploit provides the usermap_script exploit to take advantage of it:

- Let's set the payload to cmd/unix/reverse:

- Required options include remote host (victim) and local host (attacker):

- Setting remote host's IP:

- Setting attacker's IP:

- Launching the exploit, the result is a remote shell that allows post-exploitation of the victim:

- For instance, from the remote shell the contents of both /etc/passwd and /etc/shadow can be read:
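The usermap_script module, per its own description, only works when Samba is configured with the non-default "username map script" option (an assumption from the module, not something the post states). As an added example (not from the original post), this script parses smb.conf and reports that setting; the smb.conf text is a constructed sample.

```python
# Added example (not from the original post): report the "username map script"
# smb.conf setting that the usermap_script exploit depends on. Input is constructed.
import re

SMB_CONF = """[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   username map script = /etc/samba/scripts/mapusers.sh
   ; comment line
[homes]
   browseable = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][" ".join(key.lower().split())] = value
    return sections

def audit_smb_conf(text):
    """Return findings for the setting the exercise's exploit depends on."""
    conf = parse_smb_conf(text)
    findings = []
    script = conf.get("global", {}).get("username map script")
    if script:
        findings.append(f"[global] username map script is set ({script}); "
                        "remove it unless required and keep Samba patched")
    return findings
```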