Hacking your target : Step by Step demonstration on a Metasploitable VM

Hello everyone !

I've seen so far much tutorials onhow to hack this or this, but once more no one gives real methodology, or if so, it's scattered all around the web.
Everyone focuses on only one part of hacking, whereas there's three steps :
1) Recon
2) Exploitation
3) Post-Exploitation



 (Image taken from : http://www.knowthetrade.com/footprinting.html)

Please notice that, we'll only work on Metasploitable's VM, which is only one machine. This is no real situation, that's why we'll skip all the "information gathering on target's network/company"

We'll get into it step by step.

GOAL : Compromise Metasploitable's VM, get root

What we'll learn :
- How to use differents scanners for vulnerability detection
- Use openvas in combination with metasploit
- Use metasploit's database
- Use this database to pwn
- Hacking through deprecated/misconfigured services

What we'll not learn here, but will be exposed in my next post :
- Hacking through a webapp with your browser and the same tools plus burpsuite, owasp-zap etc...

0) Pre-Requesites : 

You'll need a computer with all hackings tools you'll use. I guess it's already the case.
A software to run a VM. I use Virtualbox : apt-get install virtualbox
 And... obviously your Metasploitable image :
http://sourceforge.net/projects/metasploitable/

And get it working like this :
http://kanishkashowto.com/2013/09/05/how-to-install-metasploitable-in-virtualbox/

Oh, and a network too...

Log into Metasploitable with the following credentials :
login : msfadmin
password : msfadmin

Also notice that metasploitable uses a QWERTY keyboard so European AZERTY-based keyboards will have to exchange :
- ',' and 'm'
- 'q' and 'a'
- 'w' and 'z'

I) Your local environment : 

Beeing organized is really important. Here's some basic organisation tips :
- Create a folder for your targets and cd into it
- Have some sub-directories
- Seperate your :
   - Ports scan results
   - Vulnerability scanning reports
   - Other active scan/passive scan
- Make a folder for programming exploits, scripts and forging requests
- Make a folder for your personal notes, keep your advancement
Etc etc... Just modify it according to your needs. Here's a sample scheme :


   

  II) Main Idea : 

1) Determine your goal : 
a ) Get a shell (root or not)
b ) Upload a backdoor to keep a hold on the system (please notice that Metasploitable cannot be "destroyed", or permanently backdoored. The system is re-initialized into his initial state each time your restart it, so the "post-exploitation part" is only for training)
c ) Cover your traces

2) Organize your workspace 
 - Use the above advices
 - Switch between your workspaces tabs
- Organize well your terminals : Don't  hesitate to use TMUX

Here's my organization in one workspace for example :





III) Start the hacking process

*Please notice that i'll show only a guiding-line : Metasploitable has too much vulns to be all shown in one how to : I'll simply show the different ways to hack into it *

1) Start scanning : 

There's so much utilities to scan a hosts :
a) Nmap : 
Let's start an Agressie scan and save its results :

nmap -T4 -A -oN [target IP]

-T4 : Specifies the speed
-A :  Means "Agressive scan"
-oN : One of the output's formats, here's a simple txt format. You can also have html and... $ckr1pt K1ddi3z.... (or brain-retarded mode... )

b) Nikto
Nikto is a known vuln scanner. Not the best though, but still useful as a first contact :

nikto -h [target IP] -output "Nikto.txt"

-h : Specifies your target host
-output : Tells Nikto you want a report. Take care to the extension name you use


You have the two previous scans in top left hand and right corner
c) W3af
W3af is another known vuln scanner. He's really nice, except the fact he lacks the possibility to save and load a session... So I suggest you to use the "script" command to keep a trace of the scan.
Also, it displays lots of things on screen so... better use a different terminal/workspace if you run it as GUI.

w3af_console
help 
profiles (define your scan config)
list (list the available configs)
use audit_high_risk (OWASP_TOP10 is nice too)
back
target (to specify your target etc)
view
set target [target ip]
back
start

Once the scan is done :
kb
list
list shells
list vulns
list infos
back
exploit


Theses "preliminary scans" will give you a nice overview of the system. Or maybe even a shell if W3af plugins managed  to exploit a vuln

They also should have done the "Banner Grabing" work for you


2) Metasploit for further recon : OPENVAS and first exploits attempts

a) Start Metasploit and Postgresql services
In order to have an organized environment with vulns stored in databases and to do more recon, you'll need to use theses services.

service postgresql start
service metasploit start
msfconsole
 
(I encourage you to script it... Yeah be lazy)

b) Start OPENVAS services : 
If it's the first time you use openvas, first run "openvas initial setup"
You can run it in command line or in the Kali menu :
Applications > KaliLinux > Vulnerability Analysis > OPENVAS >
Or : openvas-setup

Then launch openvas services ( Openvas > openvas start)
Or openvas-start

Check them (openvas > Openvas check setup)
Or openvas-check-setup

Fix them if needed


*Personal thought : I have a really ... particular relation with Openvas...
One one hand I love it for its effectivenes and its strenght, and how it works great with metasploit but... in another hand... I HATE IT SO MUCH FOR ALL THE ISSUES I HAVE TO FIX EACH TIME I F*CKIN USE IT !!!
But that's still a great tool so... Yeah use it

Also, I recently dowloaded the latest version of kali linux that contains the lates openvas, and followed their instructions, it's now working perfectly, just follow theses instructions :
https://www.kali.org/penetration-testing/openvas-vulnerability-scanning/

Also, try not to interupt brutally your openvas, it causes lots of issues. If you do so, just run again "openvas-setup"

Last, but not least, if it seems openvas is not working, just launch htop (or top) to see the processes runing. If you see that "openvas is loading xxx on 39000 nvts", just wait a few minutes and relaunch htop periodically to check if the number xxx has increased, then once it has finished loading, retry to use openvas. 
If it still bugs, just rape openvas-setup until it works*


c) Create a workspace for your target : 
Check the databases if its connected :

db_status
it should say "msf3 connected to sql"

workspace -a Metasploitable

workspace to list available workspaces
workspace -a to add a workspaces
workspace -d to delete a workspace

d) Get into openvas :
(theses screenshots are taken from infosec institute's writeup : 
http://resources.infosecinstitute.com/vulnerability-scanning-metasploit-part-2/ )

load openvas

openvas_help for a list of commands


 First, connect to openvas : openvas_connect <login> <password> <localhost> <port ( 9390 for metasploit and 9392 for browser)> ok
 
 


To Start  scanning a host there's two steps : 
1) Create a target
2) Create a task && launch it

Create a target : 
openvas_target_create <Name> <IP> <Comments>

(tab completion works...)




To create a task, you'll need a specific configuration, (ID 0 to 4 on the screenshot, but in fact the actual versions gives 7 possibilities)




Then : create your task :
openvas_target_create <name> <comments> <Config ID (previous screen)> <Target id : before previous screen>





Periodically launch openvas_task_list to check the progress



Here comes the best part :)
Once openvas scan is done, Even thought sometimes it'll hang at 98% (you can stop it manually with openvas_task_stop <id>), it'll generate a report, with all vulnerabilities.

The idea here is to import this report into our database and exploit it !
Check the report list : openvas_report_list


The problem is that metasploit only accepts two formats : XML and NBE.
I have issues with nbe that's why I only use XML (raw !!) : ID = 13





So just type openvas_report_import <report id> <format id -> use 13 raw xml!)

And thats it ! 

Check your target using metasploit's functions :

hosts
services



And finally, savor your labor : check the vulnerabilites :

vulns



Oh shit, that's a goldmine xD No really, for beginners, don't excpet to have that much vulns in other challenges ;)

III) Exploitation time !!

1) How to exploit a vulnerability ?

a) Directly exploit it using a dedicated tool. Ex : Sql injection detected, just fire up sqlmap or any tool you'd prefer

b) Use a Metasploit Module(see below)

c) Searchsploit for searching locally an exploit ready against the service (sse below)

d) Exploit-db, inject0r (even though it seems to have problems... something is not clear) etc etc, all places that holds lot of exploitd (see below)

e) Search the web for CVEs etc and exploit related

f) Your browser

I'll try not to spoil the differents ways to hack Metasploitable, so you'll be able to do the work yourself - particularly if you're a beginner -that's why we'll only focus on the exploitation of one service : vsftpd - and the easiest one btw... - 



For example, let's keep it simple : 
We can see that this version of vsftpd was compromised : There's a metasploit module for it, let's search it !

Exploitation with : a/b) Metasploit 

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor 

 

Set up your options and exploit :)


Exploitation with : c)searchsploit 

Searchsploit is a tool integrated in your kali system that search it's offline database (stored in /usr/share/exploitdb/) for the keywords you enter

For example : 
searchsploit vsftpd 2.3


About the use of searchsploit :
Searchsploit is an useful tool to look for already existing exploits on your computer. HOWEVER, 90% of the time you'll need to fix them, modify the code, and test a lot of them to find which one will (maybe) work...
Thoses exploits are, in their vast majority useless on your target.

Our target is a metasploitable VM so, it's vulns are really axed on metasploit modules.

You can see the same exploit we used above (99% of cases an exploit that finishes by .rb is a metasploit module)

To copy/see it :
more /usr/share/exploitdb/platforms/the_path_shown_above

 Then just compile it /run it / fix it

Exploitation with : d) Exploit-db (and things like that) :

Exploit-db and other sites that stores lists of exploits can be used in the same way as searchsploit. They offer much more exploits



BUUUT sometimes, exploits or potential vulnerabilities won't be stored on exploit-db, 1337-day, etc etc...

That's why you must have different sources, search the web for
"[target_service_version] vulnerability" and you should find sites like :
- rapid7
- www.cvedetails.com
- https://web.nvd.nist.gov




But, on theses sites you'll be less likely to find "ready to use exploits", you'll often have to dig a little bit, or code it yourself, reading technical details
f) This will be treated in my next post

IV) Post-Exploitation

This VM is meant to be a playground, in which you can experiment as much as you want. One of its main features is the fact that none of the changes you make is persistent.

Of course you can, for fun and experience try do to some post-exploitation tasks :

-  Upload a meterpreter shell to use scripts such as persistence, arpscan etc... : Use this machine to get a pivot for example
- Get the /etc/shadow file, crack its contents
- Setup cron scripts to launch scans for example
- Upload your own post exploit script
- Try to upgrade your privilege if not root :)
- Erase logs and replace 'em with fake one, don't forget to modificate the last-modified date, and shred (and not only rm) the old logs
- Upload your hacking tools to it, and try to use this pivot to hack a second VM

Here's a script really useful that will help you finding further weakness once you got in the system :

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
 

V)Conclusion !

Anndd there we are my friends. We've been through a lot of differents faces of hacking.
Already experimented people will see this as a very basic writeup - it is, and technically it's really easy - and this is totally right.

I just wanted to share a bit of methodology.

Don't forget : 90% of the time what we did above is not sufficient to break into a simple system. Nowadays there's almost no that misconfigured servers, and you'll need further researchs, and more particularly digging inside the web application
BUT, the methodology given above is still usable, scan, research, find similar configs, find similar exploit, adapt yourself, adapt your exploit, and you'll be in.

Hack the planet guys.

To conclude... if you managed to hack this vm or any other one, try to improve your elegance, efficience etc etc. Persistence and determination guys and you'll do it like this : 
 LIKE A BOSS















 






Aucun commentaire:

Enregistrer un commentaire

Inscription à : Articles (Atom)