ClsHack: Computer Security Blog

Metasploit 3.4 and Metasploitable


And the Metasploit 3.4 release is out as well ;)
There is a lot that is new, starting with the introduction of brute-force attacks :D


A reminder, for anyone who does not know what Metasploit is:
Metasploit Framework is a project aimed at operating-system security: it discovers vulnerabilities and simplifies penetration-testing work.
As the name suggests, Metasploit is a program that collects a large number of exploits for attacking remote machines and testing their security.

Here is the changelog for this new version:

General

  • The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
  • Command shell sessions can now be automated via scripts using an API similar to Meterpreter
  • The console can be automated using Ruby code blocks within resource files
  • Initial sound support is available by loading the “sounds” plugin
  • The Report mixin and report_* methods are now one-way, you can write to the database but not work with the results. This increases the scalability of the database.
  • Many modules report information to the database by default now (auxiliary/scanner/*)
  • Lotus Domino version, login bruteforce, and hash collector auxiliary modules
  • Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
  • The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
  • Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
  • Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
  • Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
  • The msfencode utility can now generate WAR payloads for Tomcat and JBoss
  • Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
  • The msfencode utility can now inject into an existing executable while keeping the original functionality
  • The XMLRPC server has been improved and additional APIs are available
  • The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
  • The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
  • There is a new db_status command that shows which driver is currently in use and whether your database connection is active

Bruteforce Support

  • Account brute forcing has been standardized across all login modules
  • Login and version scanning module names have been standardized
  • The SSH protocol is now supported for brute force and fingerprint scans
  • The telnet_login and ssh_login modules now create sessions
  • MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
  • Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
  • Tomcat is now supported for brute forcing and session creation

Meterpreter

  • The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
  • The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration.
  • The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
  • The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
  • The Meterpreter protocol handle now supports ZLIB compression of data blocks
  • The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
  • The Meterpreter can now stage over a full-encrypted SSL 3.0 connection using the reverse_https stager
  • The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
  • The “hashdump” Meterpreter script provides a safe way to dump hashes for the local user accounts
  • Automatically route through new subnets with the auto_add_route plugin

To install it on Ubuntu or its derivatives, see this updated guide:
come-installare-metasploit-su-ubuntu
Together with the Metasploit 3.4 release, something else came out: Metasploitable.

Metasploitable is a web server (a VMware image, so it also works with VirtualBox) that contains a number of vulnerable packages.

Metasploitable runs Ubuntu 8.04.
All we have to do is practise breaking into this server :D
Its characteristics are:
System credentials:
-------------------
msfadmin:msfadmin
user:user
service:service
postgres:postgres
(2 other system accounts)
Discovery:
-------------
ftp 21/tcp 220 ProFTPD 1.3.1 Server (Debian) [::ffff:127.0.0.1]
ssh 22/tcp SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
telnet 23/tcp Ubuntu 8.04\x0avulnerability login:
smtp 25/tcp 220 ubuntu804-base.localdomain ESMTP Postfix (Ubuntu)
dns 53/tcp ISC BIND 9.4.2
dns 53/udp ISC BIND 9.4.2
http 80/tcp Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
netbios 137/udp VULNERABILITY:<00>:U :VULNERABILITY:<03>:U :VULNERABILITY:<20>:U :MSFVULN:<00>:G :MSFVULN:<1e>:G :00:00:00:00:00:00
smb 139/tcp
smb 445/tcp Unix Samba 3.0.20-Debian (language: Unknown) (domain:MSFVULN)
mysql 3306/tcp 5.0.51a-3ubuntu5
distccd 3632/tcp
postgres 5432/tcp 8.3.8
http 8180/tcp Apache-Coyote/1.1 (Tomcat 5.5)
Bruteforce:
-----------
smb Anonymous
ssh 6 sessions
telnet 6 sessions
bind n/a
apache 2 web apps (twiki and tikiwiki)
postgres db compromise (postgres:postgres)
mysql db compromise (root:root)
tomcat 5.5 shelled (tomcat:tomcat)
Exploits:
---------
distcc Excellent 1 session on all ranking levels
tomcat_mgr_deploy Excellent requires credentials
tikiwiki_graph_formula Excellent 1 session on all ranking levels
twiki Excellent information disclosure
mysql_yassl_getname Good triggers crash, but not working
TODO:
-----
switch to a vulnerable version of sendmail
configure proftpd with vulnerabilities (sql injection? others? downgrade?)
Expected sessions:
------------------
From Bruteforce:
6 ssh, 6 telnet, 1 tomcat
From Exploit:
1 distcc and 1 tikiwiki_graph_formula
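The Discovery block above is a plain `service port/proto banner` listing, and the same README documents which of those services ship with default credentials. As an added example (my own code, not from the post or the Metasploitable project), the Python below parses that listing into a service inventory and cross-references ports with the credentials listed in the README, which is the first thing a defender running such a lab wants: a record of what is exposed, which logins must be rotated, and which services answered without a version banner and so need a manual check. The port-to-credential table and the function names are my own assumptions; the input lines are copied from the listing above.

```python
"""Parse the Metasploitable 'Discovery' listing into a service inventory
and flag services the same README pairs with default credentials."""
import re
from dataclasses import dataclass

# Input copied verbatim from the Discovery section of the Metasploitable README
# (a raw string, so the literal "\x0a" in the telnet banner is kept as-is).
DISCOVERY = r"""
ftp 21/tcp 220 ProFTPD 1.3.1 Server (Debian) [::ffff:127.0.0.1]
ssh 22/tcp SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
telnet 23/tcp Ubuntu 8.04\x0avulnerability login:
smtp 25/tcp 220 ubuntu804-base.localdomain ESMTP Postfix (Ubuntu)
dns 53/tcp ISC BIND 9.4.2
dns 53/udp ISC BIND 9.4.2
http 80/tcp Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
netbios 137/udp VULNERABILITY:<00>:U :VULNERABILITY:<03>:U :VULNERABILITY:<20>:U :MSFVULN:<00>:G :MSFVULN:<1e>:G :00:00:00:00:00:00
smb 139/tcp
smb 445/tcp Unix Samba 3.0.20-Debian (language: Unknown) (domain:MSFVULN)
mysql 3306/tcp 5.0.51a-3ubuntu5
distccd 3632/tcp
postgres 5432/tcp 8.3.8
http 8180/tcp Apache-Coyote/1.1 (Tomcat 5.5)
"""

# Default credentials from the README, keyed by port (my own mapping):
# the four system accounts are usable over ssh and telnet, the database
# accounts over their own ports, and tomcat:tomcat on the Tomcat port.
SYSTEM_ACCOUNTS = ["msfadmin:msfadmin", "user:user", "service:service", "postgres:postgres"]
DEFAULT_CREDS = {
    22: SYSTEM_ACCOUNTS,
    23: SYSTEM_ACCOUNTS,
    3306: ["root:root"],
    5432: ["postgres:postgres"],
    8180: ["tomcat:tomcat"],
}

# One listing line: service name, port/proto, then an optional banner.
LINE_RE = re.compile(r"^(?P<service>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s*(?P<banner>.*)$")


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str
    banner: str


def parse_discovery(text):
    """Turn the listing into Service records; an unparseable line is an error
    rather than silently dropped, so the inventory is never incomplete."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised discovery line: {line!r}")
        services.append(Service(m["service"], int(m["port"]), m["proto"], m["banner"].strip()))
    return services


def default_credential_findings(services):
    """Map each discovered TCP port that the README pairs with default
    credentials to the credentials that must be changed."""
    return {
        svc.port: DEFAULT_CREDS[svc.port]
        for svc in services
        if svc.proto == "tcp" and svc.port in DEFAULT_CREDS
    }


def unbannered(services):
    """Services that answered but sent no version banner; these cannot be
    matched against an advisory without a manual check."""
    return [svc for svc in services if not svc.banner]


if __name__ == "__main__":
    inventory = parse_discovery(DISCOVERY)
    for svc in inventory:
        print(f"{svc.name:8} {svc.port:5}/{svc.proto}  {svc.banner or '<no banner>'}")
    for port, creds in sorted(default_credential_findings(inventory).items()):
        print(f"port {port}: rotate default credentials {creds}")
    print("no banner:", [f"{s.name}/{s.port}" for s in unbannered(inventory)])
```

The parser is strict on purpose: a listing line it cannot read raises instead of being skipped, because an inventory that quietly loses a service is worse than one that fails loudly.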

Naturally, the Metasploit blog covers this topic too, with interesting videos and articles.

DOWNLOAD Metasploitable

Metasploit Blog

Have fun :D


This entry was posted on Friday, May 28th, 2010 at 2:01 pm and is filed under GNU/Linux, Hacking, Software.
