Saturday, June 11, 2016

METASPLOIT - Linux - Tomcat


LINUX - TOMCAT

- Layout for this exercise:


- Tomcat is an open-source web server developed by the Apache Software Foundation (ASF). Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.

https://en.wikipedia.org/wiki/Apache_Tomcat


- Metasploit Framework provides a module that attempts to login to a Tomcat Application Manager instance using a specific user/pass.

https://www.rapid7.com/db/modules/auxiliary/scanner/http/tomcat_mgr_login




- Required options for this module are the remote host (victim's IP) and port (8180):




- The module achieves a successful login with a valid username and password, using a wordlist provided by Metasploit:







- Now, a different module can be used to execute a payload on Tomcat servers that expose the "manager" application. Required options are, aside from RHOST and RPORT, the username and password discovered in the previous step (tomcat/tomcat):

https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy








- Also, the payload is set so that it generates a remote reverse Meterpreter session:




- Required options are local attacker's IP and listening port:




- Launching the exploit, a meterpreter session is generated as expected:




- Also, using the discovered credentials, the attacker gains easy access to the Tomcat Administration Tool web page:
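From the defender's side, the two steps above (a wordlist login run against the Manager application, then a deployment with the discovered credentials) leave a very recognizable trail in Tomcat's access log. The following script is an added example, not part of the original post and not a Metasploit or Tomcat component: it parses lines in Tomcat's default AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), flags a source that accumulates 401 responses on `/manager/`, flags a 200 from that same source afterwards, and reports any PUT/POST/DELETE against the Manager. The log lines are constructed for the example; the client addresses, the user name and the deploy path are sample values, and the threshold of five failures is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

MANAGER_PREFIX = "/manager/"
WRITE_METHODS = {"PUT", "POST", "DELETE"}

# Constructed sample (not taken from the page): a wordlist run against the
# Manager login, a hit with user "tomcat", a deployment, and unrelated traffic.
SAMPLE_LOG = """\
192.168.1.12 - - [11/Jun/2016:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.12 - - [11/Jun/2016:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.12 - - [11/Jun/2016:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.12 - - [11/Jun/2016:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.12 - - [11/Jun/2016:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.12 - tomcat [11/Jun/2016:10:15:03 +0000] "GET /manager/html HTTP/1.1" 200 17310
192.168.1.12 - tomcat [11/Jun/2016:10:15:09 +0000] "PUT /manager/text/deploy?path=/sample HTTP/1.1" 200 57
192.168.1.50 - - [11/Jun/2016:10:16:00 +0000] "GET /examples/ HTTP/1.1" 200 1126
192.168.1.50 - admin [11/Jun/2016:10:17:00 +0000] "GET /manager/html HTTP/1.1" 200 17310
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze_manager_access(log_text, fail_threshold=5):
    """Flag credential guessing and write actions against the Manager app.

    Returns a dict with:
      guessing:    host -> number of 401s on /manager/ once it reached fail_threshold
      compromised: (host, user) pairs that got a 200 on /manager/ after
                   fail_threshold or more 401s from the same host
      deploys:     (host, user, method, path) for PUT/POST/DELETE under /manager/
    """
    failures = defaultdict(int)
    guessing = {}
    compromised = []
    deploys = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIX):
            continue
        host = rec["host"]
        if rec["status"] == 401:
            failures[host] += 1
            if failures[host] >= fail_threshold:
                guessing[host] = failures[host]
        elif rec["status"] == 200 and failures[host] >= fail_threshold:
            pair = (host, rec["user"])
            if pair not in compromised:
                compromised.append(pair)
        if rec["method"] in WRITE_METHODS:
            deploys.append((host, rec["user"], rec["method"], rec["path"]))
    return {"guessing": guessing, "compromised": compromised, "deploys": deploys}


if __name__ == "__main__":
    for key, value in analyze_manager_access(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The single 200 from 192.168.1.50 with user "admin" is not reported because no failures preceded it; only the source that burned through the wordlist and then authenticated is. Locking down the Manager (no default users in `tomcat-users.xml`, a `RemoteAddrValve` restricting who may reach `/manager/`, and the lockout realm) removes the condition the post exploits; the log check catches attempts against a host where that was forgotten.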


Friday, June 10, 2016

METASPLOIT - Linux - VSFTPD


LINUX - VSFTPD


- Layout for this exercise:



- vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. A malicious backdoor was added to the VSFTPD download into the vsftpd-2.3.4.tar.gz archive. This backdoor was later removed, but Metasploit provides a module to exploit it.



- Payload is set to cmd/unix/interact:



- Required option is just the remote host's IP:



- Setting RHOST to the victim's IP:



- Launching the exploit, a remote shell is achieved:





METASPLOIT - Linux - Distcc



LINUX - DISTCC 

- Layout for this exercise:



- distcc is a program to distribute compilation or builds of C, C++, Objective C or Objective C++ code across several machines on a network. Metasploit provides an exploit to take control of a system running distcc:




- The payload cmd/unix/reverse triggers a reverse shell connection:




- Required options are remote and local hosts:




- Setting RHOST (victim) and LHOST (attacker):




- Launching the exploit, the result is a remote shell on the victim:





METASPLOIT - Linux - Samba


LINUX - SAMBA

- Layout for this exercise:




- The attacker scans for open ports and services on the victim's machine using NMAP:





- On port 139 the victim is running Samba, a file-sharing service that in this case suffers from a vulnerability. Metasploit provides the usermap_script exploit to take advantage of that vulnerability:




- Let's set the payload to cmd/unix/reverse:




- Required options include remote host (victim) and local host (attacker):




- Setting remote host's IP:




- Setting attacker's IP:




- Launching the exploit, the result is a remote shell that allows post-exploitation of the victim:



- For instance, from the remote shell the content of both /etc/passwd and /etc/shadow can be read:









METASPLOIT - Windows 7 - Bypassing DNS by HOSTS file injection



WINDOWS 7 - BYPASSING DNS BY HOSTS FILE INJECTION


- Layout for this exercise:




- The hosts file is a plain text file used by an operating system to map hostnames to IP addresses.


- In this practice we'll see how to inject a crafted hosts file into the victim machine, so that the well-known URL www.google.com is redirected to the attacker's website.

- This is a case of so-called phishing, where a trustworthy website is masqueraded by a fake website.


- One of the keys for this attack to be successful is the name resolution order used by Windows systems. First, Windows 7 looks up the hosts file entries. Second, Domain Name System (DNS) servers are queried.

- For this reason, if a crafted hosts file is injected into the victim's machine, the victim cannot notice that the web destination is actually a fake one.

- Let's start the attack by backgrounding the active meterpreter session:






- Now, the post-exploitation inject_host module is used:





- Options for this exploit:



- The domain to be faked:




- The attacker's IP:



- The active meterpreter session:



- Now, all required options are fulfilled:


- The exploit is launched and successfully completed:






- As a result, back on the victim, the hosts file now has a new entry, pointing www.google.com to the attacker's IP:


- On the attacker's side, to take advantage of the attack, a web server with a welcome message is set up on port 80:







- From the victim's machine, when trying to connect to www.google.com, the connection is redirected to the attacker's website:






- Let's notice that this redirection or phishing could be done on the victim's side with any kind of trustworthy website, like banks, email services, businesses, ..., and on the attacker's side with a fake website where the victim could enter valid credentials, which the attacker could then steal.

- It is interesting to check the different ways the ping and nslookup commands handle this situation.

- When pinging www.google.com, the name resolves to 192.168.1.12:




- On the other hand, nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping.



- In this way, nslookup only checks DNS resolution, ignoring the hosts file, and resolves www.google.com to the real IP 216.58.216.228:





- As said before, the hosts file is consulted before DNS resolution on Windows systems, which is why ping and nslookup disagree.
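The ping/nslookup discrepancy is exactly the signal a defender can use to spot a tampered hosts file. The script below is an added example, written for this page and not part of the original post or of Metasploit: it parses a hosts file in the usual `IP name [name ...] # comment` layout, reports any entry that overrides a monitored public domain (and whether the target address is private, as 192.168.1.12 is), and models the two lookup paths from the post, `consult_hosts=True` for ping and ordinary applications, `consult_hosts=False` for nslookup, which queries the DNS server directly. The hosts file content and the DNS table are constructed for the example; the list of monitored domains is an assumption a real deployment would tune.

```python
import ipaddress

# Constructed sample hosts file (not copied from the page): the default
# commented-out localhost line, one injected override of a public domain,
# and one legitimate local-only mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file
#   127.0.0.1       localhost
192.168.1.12 www.google.com
10.0.0.5 intranet.example.local   # legitimate local override
"""

# Constructed stand-in for what the DNS server would answer.
SAMPLE_DNS = {"www.google.com": "216.58.216.228"}


def parse_hosts(text):
    """Parse hosts-file text into [{'lineno', 'ip', 'names'}], skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue  # malformed line; ignored here, could also be reported
        names = [n.lower() for n in parts[1:]]
        if names:
            entries.append({"lineno": lineno, "ip": str(ip), "names": names})
    return entries


def audit_hosts(entries, monitored_domains):
    """Return entries that override a monitored public domain or a subdomain of it.

    Any hosts-file mapping for such a name bypasses DNS for that name, so it is
    reported regardless of the address; the finding also records whether the
    target is a private address, which a public web site never resolves to.
    """
    findings = []
    monitored = [d.lower().lstrip(".") for d in monitored_domains]
    for e in entries:
        for name in e["names"]:
            hit = next((d for d in monitored if name == d or name.endswith("." + d)), None)
            if hit:
                findings.append({
                    "lineno": e["lineno"],
                    "name": name,
                    "ip": e["ip"],
                    "monitored_domain": hit,
                    "private_target": ipaddress.ip_address(e["ip"]).is_private,
                })
    return findings


def resolve(name, entries, dns_table, consult_hosts=True):
    """Model Windows name resolution order.

    consult_hosts=True mirrors ping (and ordinary applications): the hosts file
    is checked first and wins if it has the name. consult_hosts=False mirrors
    nslookup, which asks the DNS server directly and never reads the hosts file.
    """
    name = name.lower()
    if consult_hosts:
        for e in entries:
            if name in e["names"]:
                return e["ip"]
    return dns_table.get(name)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for f in audit_hosts(entries, ["google.com"]):
        print(f"line {f['lineno']}: {f['name']} -> {f['ip']} (private: {f['private_target']})")
    print("ping path:    ", resolve("www.google.com", entries, SAMPLE_DNS))
    print("nslookup path:", resolve("www.google.com", entries, SAMPLE_DNS, consult_hosts=False))
```

On a real Windows host the file to feed `parse_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; comparing its current hash against a known-good baseline, or running this audit periodically, catches the injected line regardless of which tool wrote it.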






METASPLOIT - Windows 7 - Keylogger




WINDOWS 7 - KEYLOGGER


- Layout for this exercise:





- The keyscan_start command starts capturing keystrokes at the victim's machine:




- Now, let's suppose that a user at the victim's machine types a set of characters, like for instance:




- The attacker can retrieve all those characters just by using the command keyscan_dump:







- Once the attack has been successfully performed, the keyscan process can be stopped: