First of all , type in the terminal : Armitage
then click connect . Wait a minute ! Armitage in progress
Armitage’s User Interface
The Armitage user interface has three parts. The modules area lets you search and launch any of Metasploit’s modules. The targets area displays your active targets and sessions. Below the modules and targets are the tabs. Each dialog, shell, and console is opened in its own tab.
The Armitage User Interface
Scanning
Before we can attack a host, we must first perform our reconnaissance step. Armitage provides several tools for this in the Hosts menu. You can import a vulnerability or port scan, launch NMap, or launch Metasploit’s discovery modules.I recommend launching NMap outside of Armitage and importing the results. By doing this, you will get feedback on the scan while it runs. To launch a full port scan with OS detection and service identification, use:
nmap -p 1-65535 -T5 -A -v 172.16.146.0/24 -oX scan.xml
Replace 172.16.146.0/24 with your network description or the IP address of Metasploitable. Once the scan is complete, import it into Armitage. Go to Hosts -> Import Hosts -> Nmap Scan Results and select your file. You will now see the Metasploitable Linux box in the Armitage targets view.
A Host
Metasploitable’s Services
Attack: Simple Remote Exploitation
Metasploit has over 650 exploits. If you don’t know which one you want to use, this list may seem intimidating. Fortunately, Armitage can help narrow this list down. Go to Attacks -> Find Attacks -> by port. Armitage will analyze your hosts and build a custom attack menu for each. Wait for the "Attack analysis is complete" dialog before continuing.Right-click on the target and you’ll notice an attack menu. The attack menu will have submenus for each exploitable service on the target host. Not all of these exploits are applicable, but these are the best candidates.
Looking at the services information (see previous section), we see that Metasploitable is running ProFTPD 1.3.1. Go to Attack -> ftp and select one of the ProFTPD exploits. Selecting an exploit will bring up a dialog with information about the exploit and options you can adjust. If you read the description, you’ll see that the ProFTPD exploits are for a different version of ProFTPD. Drats, this attack won’t work for us.
Armitage’s Exploit Launcher Dialog
If you’re successful, the target host will turn red with lightning bolts. Congratulations, you’ve exploited the target! Right-click your target and select Shell 1 -> Interact to open a tab with your shell. We’ll cover this more when we get to post-exploitation.
A Compromised Host
Now let’s undo all that work by selecting the Console tab and typing
sessions -K. This will kill all existing sessions.
Attack: Web Application Exploitation
In the future, I expect the Metasploit Framework will have a mature capability to audit and attack any web application. Today, there are several exploits for common web applications. Right-click the target, go to Attack -> Webapp to see some of them.
So many web app exploits!
These exploits were chosen, because they’re associated with the open
port on your target. Unfortunately, you may not know which of these
applications are installed. This is ok as Armitage will help again.
Select the check exploits… item at the bottom of this menu.
The check exploits… command will open a console tab and
run an active check of each exploit against the selected target. This
is accomplished using Metasploit’s check command. Some exploits do not
support this, but many of them do.
Once the checks are complete, type Ctrl+F to open a search dialog. Type vulnerable and hit enter. This search will lead you to any exploits that worked.
Found a Working Exploit
You’ll notice that tikiwiki_graph_formula_exec is vulnerable. Right-click the target and select Attack -> Webapp -> tikiwiki_graph_formula_exec. As we did before, click the Launch button when the dialog comes up. Now just wait for the computer to turn red.
To kill this shell, right-click the target and navigate to Shell 2 -> Disconnect.
Attack: Brute Force Login
This next attack will require a few steps. Look at port 8180 in the
services tab. From the info field, we can see this port is running
Apache Tomcat JSP 1.1.
Click the search field in the module browser. Type
tomcat and press enter. There is one exploit for Tomcat: exploit/multi/http/tomcat_mgr_deploy.
Double-click this module to open its launch dialog. If you look at the
variables, you’ll notice we need a username and a password. We don’t
have these yet, so close this launch dialog. 
Module Search Results
Metasploit has several auxiliary modules for guessing usernames and
passwords. These modules are usually named service_login. Looking at the
module search results for tomcat, you’ll auxiliary/http/tomcat_mgr_login. This is what we need. Double-click it to open a launch dialog.
tomcat_mgr_login Dialog
You’ll notice all of the parameters are set including the USERPASS_FILE option. USERPASS_FILE
points to a file with a list of usernames and passwords. If you
double-click this option in the Option column, Armitage will open a file
chooser to let you select another file. Fortunately, this file is fine.
Make sure you set RPORT to the correct value though. The target is running Tomcat on port 8180, not the default value of 8080.
Password Guessing Output
Click launch to start the brute force. If you read the output, you’ll notice the login is tomcat:tomcat. That’s easy enough.
Open the launcher for the tomcat_mgr_deploy exploit. Set the RPORT option to 8180 as well. Set USERNAME and PASSWORD
to tomcat. Select the Target of the host. Here we’re attacking a Linux
host. Click Launch and wait. Congratulations you have obtained another
shell!
Post Exploitation
Now that you’ve learned how to get access to the host, let’s talk about
post exploitation. Right-click the compromised host, go to the Shell 3 menu, and select Interact to interact with the shell. This will bring the shell up in its own tab.
Standard console features apply here. You may use the up/down arrows to
access your command history. You may also type Ctrl+F if you need to
search through the output. If you close the tab, your shell session will
still exist. You may open it again by selecting the Interact menu item
again.
To find out who you are, type:
id in the shell. You’ll see from the Tomcat attack that you’re tomcat55. Let’s work on getting root.
Privilege Escalation
Privilege escalation in Linux is something that depends on your environment. If you’re looking for some ideas, visit http://www.exploit-db.com and search for recent local exploits on Linux. One bug found by Tavis Ormandy stands out. This bug
allows us to create a new world-writeable file owned by the root user
anywhere on the system. Tavis’s example writes a file to crontab and
uses that to run our desired commands as the root user. In my tests,
crontab did not execute these commands on Metasploitable. This happens.
So, what else can we do? Examining other recent advisories, you’ll learn
about the Ubuntu mountall privilege escalation vulnerability. A bug in the mountall utility leaves a world-writeable root.rules file in /dev/.udev/rules.d. Anyone capable of writing to this file can use it to execute arbitrary commands as the root user. A quick ls reveals that root.rules doesn’t exist in this folder. Maybe this is not our lucky day.
Do you see any options? Let’s modify Tavis’s example to create a
world-writeable root.rules file and get a root shell through it. Type
the following commands into your target’s shell:
export LD_AUDIT="libpcprofile.so"
export PCPROFILE_OUTPUT="/dev/.udev/rules.d/root.rules"
ping
export LD_AUDIT=""
cd /tmp
You will now have a world-writeable root.rules file in /dev/.udev/rules.d. You now need to upload mountall-CVE-2010-2961.py to the Metasploitable host. Right-click in the shell window and select the Upload… menu item. Navigate to the mountall-CVE-2010-2961.py
file and click Open. Armitage will use the UNIX printf command to
upload the file. Since the file is so small, the upload will be instant.
If the file were larger, Armitage would display the upload progress.
This Python script populates the root.rules file with commands to create a setuid shell at /tmp/toor.
It also generates UDEV events to force the system to evaluate the rules
file. Run this python script on the target to get root:
whoami
Armitage Privilege Escalation
Congratulations, you’re now root. Make sure to cover your tracks by deleting the root.rules, the mountall-CVE-2010-2961.py, and /tmp/toor files.
Persistence
Once you have root, the next step is to add a backdoor to keep your
access. Clear the module browser search box and hit enter. This will
restore the default module list. Navigate to payload/linux/x86/shell_reverse_tcp. Double-click shell_reverse_tcp to open a launch dialog.
Here you can generate a Metasploit payload executable. Change the LPORT
value to 1234. Select elf for the output type. Elf is a file format for
executables on Linux. Click Launch and save the file as backdoor. Now we have a program that will connect to our attack box on port 1234 with a shell when run.
Now let’s set up a listener for our callback shell. Go to Armitage -> Listeners -> Reverse. Type 1234 as the port and click Start Listener.
Right-click in the shell window and select Upload… to upload backdoor to the target host. Type the following commands:
chmod +x /usr/bin/setup.host
chmod ug+s /usr/bin/setup.host
echo "setup.host &n" >>/etc/profile
These commands add our setuid backdoor to the global profile file. When a
user logs in, we will receive a root shell from our target.
Kill all shell sessions with
sessions -K in the Metasploit
console. Switch to the Metasploitable virtual machine. Login as the user
msfadmin with the password msfadmin. If you look at Armitage, you
should see a new shell session. Open it up and type whoami.
Conclusion
I’ve shown you how to attack a Linux machine. You saw how to use nmap to
scan the target. You learned how to interpret the results of the scan
to find and launch attacks. You also learned how to escalate your
privileges and persist yourself.
While Metasploit and Armitage weren’t the only tools in this adventure,
you can see how they aided this process. Armitage does not hack for you,
but it provides tools (e.g., the printf upload feature) to make the
process easier.
Some of the steps from this article are shown in the following video.
Watch it to whet your appetite. To get the most out of this article,
download the materials mentioned and carry out this scenario yourself.
If you want to challenge yourself, try getting into Metasploitable in
other ways. Good luck and happy hacking!
0 comments:
Post a Comment