Thursday, December 22, 2011


I read Metasploit: The Penetration Tester's Guide.  It was an incredibly well-written book.  The book gave me a better understanding of the Metasploit Framework and the ability to take full advantage of the Framework and its exploits.  Chapter 17 consists of a "simulated penetration test" against the vulnerable Linux machine called Metasploitable (torrent).  Metasploitable is meant for applying the techniques learned in the previous chapters to crack the machine and acquire full control with administrative access.  This blog post consists of two parts.  The first demonstrates the steps I took to get control of the vulnerable Metasploitable machine, and the second gives a brief description of the Metasploit Framework and its directory layout in BackTrack 5.
The basic methodology for a penetration test consists of:
·         Reconnaissance
·         Scanning (Port and Vulnerability)
·         Exploitation
·         Maintaining Access
·         Post-Exploitation
For this demo, I will be using VMware Workstation with BackTrack 5 (attacker) and Metasploitable (victim) virtual machines.
First, I'll scan the network for live hosts from BackTrack 5 with the Nmap (Network Mapper) tool.  I will use the command:
With the results, I discovered a live host with an abnormal number of open ports running on To further probe those ports for running services and version detection, I'll apply the command:
nmap -sS -A
·         -sS is a TCP SYN scan.  An open port answers the SYN with a SYN-ACK packet, which is how it is identified as open.  To further understand this process, research the TCP three-way handshake.
·         -A means aggressive.  It combines -O for OS detection, -sV for version detection, -sC to run the default scripts, and --traceroute for the path to the host.  -A is great.
Through this probe, I find a couple of Apache servers running.  I check whether any websites are running on those ports.  Unfortunately, there are not; both are serving the default pages for the Apache and Tomcat servers.  My next move is to analyze the SSH port further, since it reports a version number and type.  I do a search on The Open Source Vulnerability Database with the assumption that everything running on this system is unpatched.
When I conduct a search for "Debian on OpenSSL", it leads me to a vulnerability for a cryptographic weakness.  I click on the ID, 45029.  From there, I usually look for a link to Exploit-DB.  They have an incredible number of exploits, with explanations of how the exploits work.  Off topic, they also have informative papers written by individuals interested in the field.  Everyone from beginners to experts can benefit from skimming through the papers that interest them.
I click on the link next to Exploit Database: 5720.  It leads me directly to an exploit for "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)".
The Python script uses precalculated SSH keys to brute-force the SSH login prompt.
I will execute the script:
python /root/Desktop/rsa/2048 root 22 5
·         python invokes the interpreter the script is written in
·         The directory is where the keys are stored for the script to use
·         root is the username
·         22 is the SSH port
·         5 is the number of tasks it can run at one time.  Instead of running one login attempt at a time, the attacker can run multiple logins in parallel.  Although, it is not good to set this number too high.  Keep it reasonable.
After reviewing the script, I learned that the vulnerability was caused by Debian's OpenSSL only being able to produce about 65,536 possible keys.  Obviously, this means an attacker with enough precomputed keys can brute-force their way into the system, given enough time.
In the comments, the steps to exploit this system are laid out in sequential order.
2.       Once downloaded, type the command: tar -jxvf debian_ssh_rsa_2048_x86.tar.bz2
3.       Hit enter to extract it to the current directory.
4.       The contents are the SSH keys needed to brute-force the system.
5.       Type the command: python *directory of the RSA keys* *target IP address* root 22 5
a.       Ex: python /root/Desktop/rsa/2048 root 22 5
6.       Once the key is found, type the command: ssh -lroot -p22 -i *directory of the keys*/*the key that was found* *target IP address*
a.       You will be able to copy and paste the result.  When the scan is over, it will give you the exact command you need to crack the system.
b.      Ex: ssh -lroot -p22 -i /root/Desktop/rsa/2048/*found key*
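From the defender's side, the brute-force step above shows up in the target's auth.log as a burst of failed public-key logins for root from one source address, often followed by an accepted one.  The detection script below is an added example, not code from the original post or from the exploit; the log lines are constructed in OpenSSH's format, and the year 2011 is assumed for the timestamps because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines in OpenSSH's format (not taken from the original post).
SAMPLE_LOG = """\
Dec 22 10:15:01 victim sshd[2201]: Failed publickey for root from 192.0.2.10 port 40001 ssh2
Dec 22 10:15:01 victim sshd[2202]: Failed publickey for root from 192.0.2.10 port 40002 ssh2
Dec 22 10:15:02 victim sshd[2203]: Failed publickey for root from 192.0.2.10 port 40003 ssh2
Dec 22 10:15:02 victim sshd[2204]: Failed publickey for root from 192.0.2.10 port 40004 ssh2
Dec 22 10:15:03 victim sshd[2205]: Failed publickey for root from 192.0.2.10 port 40005 ssh2
Dec 22 10:15:03 victim sshd[2206]: Accepted publickey for root from 192.0.2.10 port 40006 ssh2
Dec 22 10:20:00 victim sshd[2300]: Failed publickey for alice from 198.51.100.7 port 51000 ssh2
Dec 22 10:20:05 victim sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2011):
    """Yield (timestamp, result, user, ip) for each publickey line; syslog carries no year, so one is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_key_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed publickey logins inside a window_s-second window.
    Each alert records the targeted users and whether that IP later succeeded (a likely compromise)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_events(log_text):
        (failures if result == "Failed" else successes)[ip].append((ts, user))
    alerts, window = [], timedelta(seconds=window_s)
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failure times
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_ts = fails[start][0]
                alerts.append({
                    "ip": ip,
                    "failures": end - start + 1,
                    "users": sorted({u for _, u in fails[start:end + 1]}),
                    "followed_by_success": any(ts >= first_ts for ts, _ in successes[ip]),
                })
                break                          # one alert per source IP is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_key_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert whose followed_by_success flag is set is the case to treat as a compromise rather than a failed attempt; the single failure from the second address stays below the threshold and is not reported.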

I apologize, but for some odd reason Vimeo is not working in Internet Explorer.  I tried with multiple users and each user was unable to view my video.  I really liked their service in comparison to YouTube.  Until I find Vimeo working in Internet Explorer, I will be posting my YouTube videos.  My YouTube videos have music playing in the background.  If that seems annoying, please go to my Vimeo page for this blog and view it in Firefox, or scroll to the bottom of the page for the embedded Vimeo video (Firefox only).  Thank you, and afterwards be sure to continue reading for a further understanding of the amazing Metasploit exploitation framework.

I do not know the reason but the YouTube video is nearly 7 minutes longer; although, it contains the same content.

In short, the vulnerability was caused by the limited number of "random" keys generated.  For this program, an attacker had a 1 in 2 to the power of 15 chance of choosing the correct key (1 in 32,768).  With today's computing power, it takes no effort to pick the correct key.  Usually programs have at least 2 to the power of 1024 possibilities, which equals 1.797693134862315907729305190789e+308.  It's kind of surprising that they would leave that line of code in there, but oh well. :)  It makes it fun to crack.

Metasploit is a free and open source framework for exploitation.  Msfconsole and msfcli are the user interfaces that Metasploit offers, and Armitage is the GUI for Metasploit.  Metasploit allows exploiting a vulnerable system through different methods and maintaining interaction with and control of that system.  The Framework's directory is well organized and stocked with the latest exploits for a variety of systems and numerous payloads to deliver.
An exploit is a piece of code that can take advantage of a system's vulnerability.  Examples of vulnerabilities include unpatched software or operating systems, poorly written third-party software, etc.  A payload is a piece of code that executes something on the victim's machine as a result of the exploit.  For example, the attacker would exploit a vulnerable system in order to control that system.  With this advantage, the attacker sends a payload (written code) for the system to execute, which gives the attacker interactive capabilities.  The interactive capabilities include a shell prompt (similar to the command prompt in Windows), VNC (virtual network computing) access (similar to Remote Desktop in Windows), and dozens more.
To access the framework and view the contents in BackTrack 5, change directories as follows:
cd /pentest/exploits/framework
·         Documentation includes information about how to use the various aspects of Metasploit.
·         Msfconsole provides an all-in-one interface to almost every option and setting available in the Framework (Kennedy, O'Gorman, Kearns & Aharoni, 2011).
·         Msfcli runs directly from the command line.
·         Msfupdate updates the Framework with the latest exploits.

cd modules
·         Auxiliary modules are associated with scanning for vulnerable systems.
·         Exploits allow an attacker to take advantage of a flaw within a system, an application, or a service (Kennedy, O'Gorman, Kearns & Aharoni, 2011).  They are organized by operating system, such as Linux, Solaris, UNIX, Windows, and others.
·         Payload is code selected from the Framework and delivered by the attacker for the targeted system to execute.

Under the "windows" directory for exploits, you will be able to view a wide range of exploits.  The useful ones include:
·         dcerpc which stands for Distributed Computing Environment Remote Procedure Call.  This will allow an attacker remote access to the system.
·         browser for client-side exploits for Internet Explorer, RealPlayer, Facebook, Quicktime, iTunes, etc.  It’s a huge list.
·         iis (Internet Information Services) includes server-side exploits for Microsoft’s web server.
·         smb (Server Message Block) for server-side exploits.
Under "payloads" in the modules directory, you will see directories for singles, stagers, and stages.
·         Singles are stand-alone payloads.  The functionality of the payload and its communication with the attacker are bundled together.  For Windows, an attacker will be able to add a user, obtain an interactive shell, download files, etc.
·         Stagers are small pieces of code loaded into memory that set up communication with the attacker.  This includes listening on a TCP port or connecting back to the attacker on a TCP port, among others.
·         Stages are the end result of the payload's functionality.  This includes a remote shell, a Meterpreter session, a VNC session for GUI control, etc.

1.       Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press.

Thank you to the authors for a great book.  However, I'm still a work in progress in trying to get past the self-conscious feeling of being a script-kiddie.  My next move is to get a better understanding of the C language and assembly language; I bought the book Hacking: The Art of Exploitation, and I plan on reading Gray Hat Hacking, 3rd Edition.  Thank you to the security community for the amount of knowledge you have passed on for me and others to learn.

Metasploitable from Surapheal Belay on Vimeo.
