Metasploitable/Apache/Python: Difference between revisions
From charlesreid1
Revision as of 22:41, 27 March 2016
Recon
Nikto
Nikto is a web server vulnerabilities scanner. It provides an excellent starting point for recon and for determining next steps. We'll use it to gather information about vulnerabilities in Metasploitable's web servers.
Basic usage of nikto: https://cirt.net/nikto2-docs/usage.html
# nikto -h 10.0.0.27
This reveals a number of web server vulnerabilities, both through Apache and through other things like PHP:
root@morpheus:~/codes/nikto# nikto -h 10.0.0.27
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.0.27
+ Target Hostname: 10.0.0.27
+ Target Port: 80
+ Start Time: 2016-03-27 13:07:26 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 09:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=[...]<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8329 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time: 2016-03-27 13:08:29 (GMT-7) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The following vulnerability identified by Nikto is exploited on the Metasploitable/Apache page:
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
Python Attacks
This page covers some techniques for abusing the Apache server on the Metasploitable machine using Python.
Slow Death
https://github.com/evert/slowdeath
Slow death is a Python script that opens a large, fixed number of connections, each meant to carry a payload of a specified size, and then sends that payload very, very, very slowly.
This is the computer networking equivalent of going to the bank and, just before you get to the teller window, having a little old lady with a giant sack of pennies say "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except that it's an army of old ladies showing up in front of every teller window.
Before
Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:
(Note that here the machine is at 192.168.56.101, a setup that corresponds to creating a host-only network adapter in VirtualBox. That means we'll be creating a network that only virtual machines on the host computer will be able to see.)
Running
To use slowdeath:
# python slowdeath.py -t 200 http://192.168.56.101
This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.
During/After
This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:
This will continue to open new connections as existing connections die:
Once the attack is killed, everything is back to normal.
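Apache's standard countermeasure for this pattern is mod_reqtimeout, which closes a connection whose request headers arrive too slowly. The Python below is an added example, not code from slowdeath or from the original page; it models the rule RequestReadTimeout header=20-40,MinRate=500 over constructed per-connection timelines and shows why trickling connections are dropped while a normal request completes.

```python
# Added example modelling Apache mod_reqtimeout's header-phase rule, the usual
# mitigation for slow-request DoS; it is not code from slowdeath or the page.
# Directive modelled: RequestReadTimeout header=20-40,MinRate=500
from typing import Dict, List, Tuple

HEADER_INITIAL_TIMEOUT = 20.0  # seconds granted up front for the header block
HEADER_MAX_TIMEOUT = 40.0      # ceiling, however much data trickles in
MIN_RATE = 500                 # each MIN_RATE bytes received buys one more second
Chunk = Tuple[float, bytes]    # (seconds since the connection opened, data)

def header_deadline(received: int) -> float:
    """Seconds after open by which the header block must be complete."""
    return min(HEADER_INITIAL_TIMEOUT + received / MIN_RATE, HEADER_MAX_TIMEOUT)

def judge(chunks: List[Chunk], now: float) -> str:
    """Replay one connection's chunks up to `now` and return the rule's verdict.

    'complete' once the blank line ending the headers arrived in time,
    'drop' if the deadline passed first, 'pending' if still within it.
    """
    buf, received = b"", 0
    for ts, data in chunks:
        if ts > now:
            break                          # not yet received at `now`
        if ts > header_deadline(received):
            return "drop"                  # data arrived after the deadline
        buf += data
        received += len(data)
        if b"\r\n\r\n" in buf:
            return "complete"
    return "drop" if now > header_deadline(received) else "pending"

def tally(connections: List[List[Chunk]], now: float) -> Dict[str, int]:
    """Verdict counts across many connections, as the server would see them."""
    counts = {"complete": 0, "drop": 0, "pending": 0}
    for chunks in connections:
        counts[judge(chunks, now)] += 1
    return counts

# Constructed traffic: one ordinary browser request, and connections that each
# send a single header byte every two seconds, the pattern slowdeath produces.
NORMAL = [(0.05, b"GET / HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n")]
SLOW_HEADER = b"GET / HTTP/1.1\r\nHost: 192.168.56.101\r\nX-a: b"
SLOW = [(2.0 * i, SLOW_HEADER[i:i + 1]) for i in range(len(SLOW_HEADER))]

if __name__ == "__main__":
    print(judge(NORMAL, now=60.0))                   # complete
    print(judge(SLOW, now=10.0))                     # pending
    print(judge(SLOW, now=60.0))                     # drop
    print(tally([NORMAL] + [SLOW] * 200, now=60.0))  # 1 complete, 200 dropped
```

The slow connections survive the first 20 seconds and are then closed, because ten trickled bytes extend the deadline by only a few hundredths of a second.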
Kill Apache Py
https://github.com/tkisason/KillApachePy
This module exploits a bug to put a huge CPU load on the server, leading to denial of service: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
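As an added, defender-side example (not code from KillApachePy or from the original page), the Python below implements the stop-gap Apache's advisory for CVE-2011-3192 recommended, refusing requests whose Range header carries more than five byte ranges, and adds a check for overlapping ranges that goes beyond the advisory's rule; the sample requests are constructed.

```python
# Added example (not KillApachePy's code): the stop-gap from Apache's CVE-2011-3192
# advisory, refusing more than five byte ranges, plus an overlap check beyond it.
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5                              # limit used in the advisory's rule
RANGE_HEADERS = ("range", "request-range")  # Request-Range is the legacy name
SPEC = re.compile(r"^(\d*)-(\d*)$")         # one byte-range-spec: 0-99, 500-, -200

def parse_ranges(value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) pairs; None if not parseable."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = SPEC.match(spec.strip())
        if not m or m.group(0) == "-":      # '-' alone names no bytes at all
            return None
        first, last = m.groups()
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges

def range_header_values(raw_request: bytes) -> List[str]:
    """Values of every Range / Request-Range header in a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = []
    for line in head.split("\r\n")[1:]:     # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in RANGE_HEADERS:
            found.append(value.strip())
    return found

def classify(raw_request: bytes) -> str:
    """Return 'allow', 'too-many-ranges' or 'overlap' for one raw request."""
    for value in range_header_values(raw_request):
        ranges = parse_ranges(value)
        if ranges is None:
            continue                        # httpd ignores a Range it cannot parse
        if len(ranges) > MAX_RANGES:
            return "too-many-ranges"
        spans = sorted((a, b) for a, b in ranges if a is not None and b is not None)
        if any(nxt[0] <= cur[1] for cur, nxt in zip(spans, spans[1:])):
            return "overlap"                # fully specified ranges that overlap
    return "allow"

def request(range_value: str) -> bytes:     # constructed GET to the Metasploitable host
    return f"GET /doc/ HTTP/1.1\r\nHost: 192.168.56.101\r\nRange: {range_value}\r\n\r\n".encode()

# Six non-overlapping ranges are enough to trip the count rule without any exploit payload.
SIX_RANGES = "bytes=" + ",".join(f"{i * 10}-{i * 10 + 5}" for i in range(6))
```

A resumed download (`bytes=1000-`) or a two-part request passes, while `SIX_RANGES` is refused on count alone.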
SSL2 Drown Attack
Based on a 2016 CVE: http://www.thegeekstuff.com/2016/03/drown-attack-test-and-fix/