
Sunday, February 13, 2022

The Metasploit Framework: Exploiting FTP (vsftpd 2.3.4) [Metasploitable Exploitation Series #1]

Hacking, at its core, is the discovery of vulnerabilities and the construction of exploit code that 'takes advantage' of them. Over the years, exploit code has been written for many different systems and technologies. The Metasploit Framework, which ships with Kali Linux and can also be installed on Windows, macOS and other Linux distributions, is an exploitation framework that bundles a large archive of exploit modules together with auxiliary (scanning) and post-exploitation modules, so that a pentester or an incident investigator can move quickly from finding a service to exploiting it. In short, it is an archive of modules that can be used at any point in an engagement.

Metasploit assists with vulnerability scanning, exploit development and post-exploitation (privilege escalation, credential harvesting and lateral movement within a compromised network). In every case the workflow is the same: search for the module relevant to the engagement, set its options, run it. A GUI (Graphical User Interface) front end also exists (Armitage, and the commercial Metasploit Pro), but the console, msfconsole, is what comes installed by default in offensive-security Linux distributions such as Kali Linux and BlackArch Linux.

Exploiting vsftpd 2.3.4 Backdoor Vulnerability

To demonstrate the usefulness of Metasploit, I've prepared a demo hack against a virtual machine called Metasploitable, which you can find here. It is an Ubuntu-based virtual machine that was made intentionally insecure, with a plethora of vulnerabilities on which you can practise hacking techniques legally. WARNING: Do not expose the VM to an untrusted network; attach it to a host-only or otherwise isolated lab network, because anyone who can reach it can root it. Consider the following:

IP: 10.0.0.2 (Domain: metasploitable.local)

OS: Ubuntu (Linux Distribution)

Network Recon

To exploit the target machine, we first need to identify its open ports, and from those the services that are running and their versions. This is one of the most crucial steps of the information-gathering phase: the service versions are what let us pick an exploit for initial access, after which we can escalate our privileges and totally compromise the system.

 command: 'nmap -A metasploitable.local'

 

The image above shows the result of the nmap scan I ran against the target system. The '-A' flag turns on aggressive scanning (OS detection, version detection, the default NSE scripts and traceroute). In more serious situations this is not exactly wise: it generates a lot of traffic and a lot of probes, which can alert an IDS (Intrusion Detection System). A hacker planning on being stealthier would use fewer and quieter options, for example a plain version scan ('-sV') with a slower timing template ('-T2'). The nmap result lists each open TCP port, its state (open, closed or filtered) and the name and version of the service detected on that port.

The output runs longer than what is shown in the image. Nmap further reports that metasploitable.local has a web server on port 80, which is a very useful attack vector in its own right, since it lets us interact with the server directly and probe it for web vulnerabilities such as CSRF (Cross-Site Request Forgery) and XSS (Cross-Site Scripting), as well as SMB (Server Message Block) on port 445. For this demonstration I will be exploiting port 21, the FTP protocol, which is in charge of file transfer between hosts. On this target the service on port 21 is vsftpd 2.3.4, an outdated version of vsftpd with a well-known backdoor: a copy of the 2.3.4 source tarball on the official download site was tampered with so that a username containing the two characters ':)' makes the daemon open a shell, running as root, on TCP port 6200.

command: 'searchsploit vsftpd 2.3.4' 

Within Kali Linux is another utility called SearchSploit, a local copy of the Exploit-DB archive. It allows for efficiency when there is no internet connection, since the exploits found online can be looked up locally, and 'searchsploit -x <path>' displays an entry's source. Aside from that, its results also show whether a Metasploit exploitation module exists for the vulnerability (the entries that are Ruby '.rb' files are Metasploit modules).

Vulnerability exploitation & ROOT Access

The nmap scan allowed us to identify the vulnerable service and searchsploit has shown that an exploit is available locally, so now we move on to exploiting it. To access the Metasploit Framework in the terminal, consider the following:

command: 'sudo msfdb run'

The command above is run with root privileges, hence the 'sudo': it initialises and starts Metasploit's PostgreSQL database and, as soon as that is done, launches msfconsole. (If you do not need the database, plain 'msfconsole' works too.) Since we are exploiting vsftpd 2.3.4, we search for the module using the 'search' command.

command: 'search vsftpd 2.3.4'


As we can see, the module is available. To use it, we follow either of the instructions in green: 'use exploit/unix/ftp/vsftpd_234_backdoor', or 'use' followed by the index number the search results show next to the module.

As you will notice in the terminal prompt, the path of the vsftpd 2.3.4 module is now highlighted in red, indicating that it is in use. The next thing to do is to configure the TARGET host IP or domain we want to exploit. To see the list of options to configure, we use the 'show options' command.

Within Metasploit, three parameters come up again and again when configuring modules:

RHOSTS: the TARGET HOST IP (or a range of hosts). This is where you configure the IP of the target machine, which in our case is metasploitable.local (10.0.0.2).

RPORT: the TCP port on which the vulnerable service is listening. Most of the time Metasploit has this pre-configured from the module, so you would not have to set it. For this exploit, port 21 is pre-configured by default.

LHOST: the IP of our attacker machine, which in our case is 192.168.7.20. It is needed by reverse-connecting payloads, but this particular module does not use it: the backdoor opens a listener on the target itself, and the module's only payload, cmd/unix/interact, simply attaches to that listener. So for this exploit, RHOSTS is the only option that must be set.

We now have all the parameters configured. The last thing to do is to run the module, using either the 'run' or the 'exploit' command. As soon as it succeeds, we have root access to the metasploitable.local machine, which can be confirmed by typing 'id' or 'whoami' in the shell that opens, meaning that we have fully compromised the target.

The exploit has worked and we now have root access to the metasploitable.local machine: we have fully taken advantage of the vsftpd 2.3.4 vulnerability. Note that what Metasploit hands us here is a plain command shell rather than a Meterpreter session ('sessions -u <id>' will attempt to upgrade it). A black hat would take this further, integrating Metasploit with a C2 (Command and Control) framework such as Empire and going on to compromise other machines running the same vulnerable service, if need be.

==================================================================

In future posts, we will look at other attack vectors for exploiting this machine in more advanced ways, and at other privilege escalation techniques.



