Apache vulnerabilities by version: https://httpd.apache.org/security/vulnerabilities_22.html
- 1 Recon
- 2 Python Attacks
- 3 Command-Line Utility Attacks
- 4 Flags
Nikto is a web server vulnerabilities scanner. It provides an excellent starting point for recon and for determining next steps. We'll use it to gather information about vulnerabilities in Metasploitable's web servers.
Basic usage of nikto: https://cirt.net/nikto2-docs/usage.html
# nikto -h 10.0.0.27
This reveals a number of web server vulnerabilities, both through Apache and through other things like PHP:
The following vulnerability identified by Nikos is exploited on the Metasploitable/Apache page:
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
This page covers some techniques for abusing the Apache server on the Metasploitable machine using Python.
SlowLoris DoS Attack
SlowLoris that opens a (large) fixed number of connections to send a payload of a specified size, then proceeds to twiddle its thumbs.
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.
We start making lots of HTTP requests.
We send headers periodically (every ~15 seconds) to keep the connections open.
We never close the connection unless the server does so. If the server closes a connection, we create a new one keep doing the same thing.
This exhausts the servers thread pool and the server can't reply to other people.
This is the computer networking equivalent of when you go to the bank, and just before you get to the teller window, a little old lady with a giant sack of pennies says "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except, an army of old ladies showing up in front of every teller window.
Slow Death Script
This is a Python script that implements the SlowLoris attack with a fixed number of threads opening connections with the web server. This will completely swamp, e.g., an Apache server on a single machine.
See the section below about slowhttptest for a nicer frontend with more options. What is covered below is some simple and straightforward Python.
Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:
(Note that here the machine is at 192.168.56.101 - a set up that corresponds to creating a host-only network adapter for the VirutalBox. That means we'll be creating a network and only virtual machines on the host computer will be able to see the network.)
To use slowdeath:
# python slowdeath.py -t 200 http://192.168.56.101
This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.
This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:
This will continue to open new connections as existing connections die:
Once the attack is killed, everything is back to normal.
Kill Apache DoS
In 2011 a vulnerability was released related to Apache. By sending requests with a specially crafted header, an attacker could swamp a web server's CPU and memory and crash it, leading to a denial of service. This vulnerability was released in 2011 (CVE-2011-3192).
There is a perl version of this code called killapache.pl here: http://www.hackersgarage.com/apache-killer-denial-of-service-flaw-in-apache-webserver.html
There is a Python version of this code here: https://github.com/MaYaSeVeN/KillApachePy
However, the version of Apache on Metasploitable (2.2.8) is too old to be vulnerable to this exploit.
R U Dead Yet (RUDY) Attack
(This attack relies on POST requests. This means the site you are attacking must have a form.)
Some background info on the RUDY attack: https://www.incapsula.com/ddos/attack-glossary/rudy-r-u-dead-yet.html
This type of DoS attack opens a few connections, and leaves them open for long periods of time. This will eventually exhaust the server's resources, although the slow speed of the attack means it "should" go undetected.
The attack starts by browsing the target website and finding forms. RUDY then sends very long POST requests, and sends the large payload one byte at a time. The server won't kill the connection.
This proof of concept code is in Python and uses BeautifulSoup to automatically search for forms: https://github.com/loganhasson/r-u-dead-yet
Tor's Hammer Slow Body Attack
Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service. It does this by sending a POST request with a large declared content-length, then sending data one bit at a time.
def _send_http_post(self, pause=10): global stop_now self.socks.send("POST / HTTP/1.1\r\n" "Host: %s\r\n" "User-Agent: %s\r\n" "Connection: keep-alive\r\n" "Keep-Alive: 900\r\n" "Content-Length: 10000\r\n" "Content-Type: application/x-www-form-urlencoded\r\n\r\n" % (self.host, random.choice(useragents)))
Notice that big
Tor's Hammer then sends a little it of data across the connection, then sleeps for a random amount of time:
for i in range(0, 9999): if stop_now: self.running = False break p = random.choice(string.letters+string.digits) print term.BOL+term.UP+term.CLEAR_EOL+"Posting: %s" % p+term.NORMAL self.socks.send(p) time.sleep(random.uniform(0.1, 3)) self.socks.close()
Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.
Command-Line Utility Attacks
This one's pretty straightforward. Download and install slowhttptest:
# apt-get install slowhttptest
This comes bundled with multiple utilities for multiple types of DoS attacks:
- Slow POST mode (sends unfinished HTTP message bodies)
- SlowLoris mode (sends unfinished HTTP requests)
- Range header mode (tests the killapache vulnerability, mentioned above, which Metasploitable is not vulnerable to)
- Slow Read mode (reads HTTP responses slowly)
SlowLoris DoS Attack
To use the SlowLoris denial of service attack and open a bunch of idle connections with a web server, use the
# slowhttptest -H -u http://10.0.0.27
-u flag specifies the URL of the target. However, we'll want to spice it up a bit more - specify a thousand connections
-c 1000, and a few other parameters
-i 10 for interval between two tests,
-r 200 for 200 connections per second,
-t GET to make these requests GET requests (keep it simple).
-x 24 flag sets a cap on the amount of data sent, chunk-by-chunk, to the web server.
-p 3 marks the server as DoS'ed if it doesn't respond after 3 seconds.
# slowhttptest -H -c 1000 -H -i 10 -r 200 -t GET -x 24 -p 3 -u http://10.0.0.27
This strangles the web server. Here's what it looks like when the Metasploitable machine is under attack:
and here's what it looks like once the attack has been stopped:
Slow POST Attack
Not sure how this attack works without a form on the page being attacked, but somehow, it works.
To run the slow body attack, use the
-B flag, and specify the URL target:
# slowhttptest -B -u http://10.0.0.27
Pictured below is a screenshot of the attack being run from two different machines, against the target at 10.0.0.27. With two machines attacking a single web server, there's no hope for 10.0.0.27.
Metasploitany and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label
MSF/Wordlists - wordlists that come bundled with Metasploit
MSFVenom - msfvenom is used to craft payloads
Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Flags · Template:MetasploitFlag · e
Metasploitable: The Red TeamMetasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL
Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP
SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force
SSH Penetration with Keys: Metasploitable/SSH/Keys
SSH Penetration with Metasploit: Metasploitable/SSH/Exploits
Exploiting NFS: Metasploitable/NFS
Exploiting DNS Bind Server: Metasploitable/DNS Bind
Exploiting Apache (with Metasploit): Metasploitable/Apache
Exploiting Apache (with Python): Metasploitable/Apache/Python
Tor's Hammer DoS Attack: Metasploitable/TorsHammer *
Apache DAV: Metasploitable/Apache/DAV *
Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
General approach to memory-based attacks: Metasploitable/Memory
Investigating memory data: Metasploitable/Volatile Data Investigation
Dumping Memory from Metasploit: Metasploitable/Dumping Memory
(Have not done much work on fuzzing Metasploitable...)
Flags · Template:MetasploitableRedTeamFlag · e
Metasploitablue: The Blue TeamMetasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue.
Metasploitable On-Machine Defenses:
Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation
Linux Artifact Investigation: Metasploitable/Artifact Investigation
Linux Iptables Essentials: Metasploitable/Iptables
Firewall Assurance and Testing: Metasploitable/Firewall
Password Assessment: Metasploitable/Password Assessment
Standard Unix Ports: Unix/Ports
Nmap (Blue Team): Metasploitable/Nmap
Network Traffic Analysis: Metasploitable/Network Traffic Analysis
Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns
Snort IDS: Metasploitable/Snort
Flags · Template:MetasploitableBlueTeamFlag · e