viernes, 12 de agosto de 2016

Intrusión a Metasploitable 2 parte 5

Teníamos del post anterior, la siguiente salida de nmap

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-01 11:43 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.131 [1 port]
Completed ARP Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.15s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.1.131 [1000 ports]
Discovered open port 21/tcp on 192.168.1.131
Discovered open port 139/tcp on 192.168.1.131
Discovered open port 111/tcp on 192.168.1.131
Discovered open port 5900/tcp on 192.168.1.131
Discovered open port 22/tcp on 192.168.1.131
Discovered open port 445/tcp on 192.168.1.131
Discovered open port 80/tcp on 192.168.1.131
Discovered open port 25/tcp on 192.168.1.131
Discovered open port 23/tcp on 192.168.1.131
Discovered open port 53/tcp on 192.168.1.131
Discovered open port 3306/tcp on 192.168.1.131
Discovered open port 8009/tcp on 192.168.1.131
Discovered open port 2049/tcp on 192.168.1.131
Discovered open port 1524/tcp on 192.168.1.131
Discovered open port 512/tcp on 192.168.1.131
Discovered open port 6667/tcp on 192.168.1.131
Discovered open port 6000/tcp on 192.168.1.131
Discovered open port 513/tcp on 192.168.1.131
Discovered open port 8180/tcp on 192.168.1.131
Discovered open port 2121/tcp on 192.168.1.131
Discovered open port 514/tcp on 192.168.1.131
Discovered open port 5432/tcp on 192.168.1.131
Discovered open port 1099/tcp on 192.168.1.131
Completed SYN Stealth Scan at 11:43, 0.15s elapsed (1000 total ports)
Initiating Service scan at 11:43
Scanning 23 services on 192.168.1.131
Completed Service scan at 11:43, 11.31s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.131
NSE: Script scanning 192.168.1.131.
Initiating NSE at 11:43
Completed NSE at 11:44, 14.52s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Nmap scan report for 192.168.1.131
Host is up (0.00059s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2016-07-01T09:43:21+00:00; -35s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: 7HD[!-`|m0EJ$q2@-^sH
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:04:04
|   source ident: nmap
|   source host: 5AD5FCE2.78DED367.FFFA6D49.IP
|_  error: Closing Link: gjtkunzrr[192.168.1.134] (Quit: gjtkunzrr)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:67:3E:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.102 days (since Fri Feb 20 08:16:41 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-07-01T05:43:21-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms 192.168.1.131

NSE: Script Post-scanning.
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.64 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
Nos encontramos estos puertos abiertos

39/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

Samba es un sistema para compartir archivos entre Windows y Linux.

Si ponemos

smbclient -L //192.168.1.131

nos dará un listado de todos los servicios Samba

No hace falta meter contraseña, le dais a intro y se acabó.

Si abrimos el navegador y ponemos smb://192.168.1.131
Si ponemos smbclient //192.168.1.131/CARPETA Accederemos a la carpeta tmp porque hemos visto una cosa muy rara escrita, ¿verdad?
Si usamos el módulo samba_symlink_traversal Nos arroja el siguiente resultado
 
Si ahora nos conectamos a smbclient //192.168.1.131/tmp/ Y nos metemos en eldirectorio que nos ha dado (rootfs)

No hay comentarios:

Publicar un comentario

Nota: solo los miembros de este blog pueden publicar comentarios.