Network Security Audit

A1Target Metasploitable2

Submitted By

Uddeshya Sinha
IN 618 Security
Feb-June 2018
Lecturer

Dr. Thomas Laurenson

Date: Tuesday 10th April
 Executive Summary
The major objective of the security audit is to find and extract valuable
information from a remote Metasploitable2 server. The extraction of
information was possible because of several vulnerabilities found on
the open ports in the server. Since, there is no firewall implemented on
the Metasploitable2 server, all the open ports along with the services
running on them is visible to the attacker. Vulnerabilities on port 21, 22
and the irc ports- 6667, 6697, and 8067 have been found. Exploitation
of any of the irc ports provides the remote access to the
Metasploitable2 server but not as a super user. However, gaining
access as a super user wasn’t difficult as the password for darth_vader
was sitting in the boba_fett folder in the home directory. This makes
the vulnerability to be of high severity. One of the other two
vulnerabilities is of high severity (ftp) as it gives remote access to the
web configuration files and the last one is of medium severity (ssh). For
strengthening the security of the remote server, a strong firewall must
be in place along with updated software services running on it. Finally,
the password for a super user such as darth_vader should not be saved
as plaintext.
 1) HOST DISCOVERY

First of all, the Kali VM’s IP address was found to be 192.16.100.100 by

running the command “ifconfig”. We know that the target machine is in
the same network. So, by using the nmap command “nmap –sn
192.168.100.*” ("Host Discovery | Nmap Network Scanning", n.d.), the
target’s machine IP address and the MAC address if discovered and
documented below:
• Target hostname: A1Target
• Target IP address: 192.168.100.222
• Target MAC address: 00:50:56:86:4C:4F
• Operating System (reported by nmap): Linux 3.X/4.X
Running (reported by nmap): Linux 3.10 – 4.8
• Actual Operating System Version: Ubuntu 14.04.1 LTS
Actual Linux Kernel version: Linux 3.13.0-32-generic x86_64
• Username: darth_vader
• Password: daddy_issues2277
2) Information Gathering
For determining the open ports and the associated services running
on them, nmap’s command “nmap –sV -p- 192.168.100.222” (Duc,
2015) was used. The result shows all the open ports and the services
running on them. A total of 13 open ports were found open and the
rest 65,522 ports were closed as listed below:

PORT STATE SERVICE VERSION

21/tcp Open ftp ProFTPD 1.3.5
22/tcp Open ssh OpenSSH
6.6.1p1 Ubuntu
2ubuntu2.10
80/tcp Open http Apache httpd
2.4.7
111/tcp Open rpcbind 2-4 (RPC
#100000)
139/tcp Open netbios-ssn Samba smbd 3.X
- 4.X
445/tcp Open netbios-ssn Samba smbd 3.X
- 4.X
3306/tcp Open mysql MySQL
(unauthorized)
6667/tcp Open irc UnrealIRCd
6697/tcp Open irc UnrealIRCd
8067/tcp Open irc UnrealIRCd
8080/tcp Open http Jetty
8.1.7.v20120910
 8181/tcp Open http WEBrick httpd
1.3.1 (Ruby
2.3.6 (2017-12-
14))
52319/tcp Open status 1 (RPC #100024)

3) Vulnerability Identification and Exploitation

Vulnerabilities were found on 5 ports (out of which 3 runs the same service).
1) Vulnerability on port 6667, 6697 and 8067 (irc)
The most crucial exploit of the target server as it resulted in accessing the target remotely
as a normal user named “boba-fett”. Under the folder of “boba-fett”, there is a text file
named “darth_vaders_password.txt” containing the password for the super-user
“darth_vader” as plaintext.
Vulnerability Summary:
• Protocol: Internet Relay Services (IRC)
• Port Number: 6667, 6697, 8067
• Software Name: UnrealIRCd
• Software Version: 3.2.8.1

Exploit Summary: ("CVE-2010-2075 UnrealIRCD 3.2.8.1 Backdoor Command Execution |

Rapid7", n.d.)
• Discovered: search exploit database for “search unrealircd”
• Exploit Tool: Metasploit Framework
• Exploit Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
• Payload: cmd/unix/reverse
• URL:
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor
• Source Code: https://github.com/rapid7/metasploit-
framework/blob/master/modules/exploits/unix/irc/unreal_ircd_3281_backdoor.rb
• Exploit Result: Successful (remote terminal as a normal user)
• Severity: High
• CVE Number: CVE-2010-2075
• Module: exploit/unix/irc/unreal_ircd_3281_backdoor
• Description: This module exploits a malicious backdoor that was added to the Unreal
IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz
archive between November 2009 and June 12th 2010.
2) Vulnerability on port 21 (ftp)
This vulnerability gives us access to the remote server as a user named “www.data”. Since,
this user has the ownership to configure web files on Apache2 server, this exploit could be
very dangerous for the remote server as the important web files could get exposed to the
attacker.
Vulnerability Summary:
• Protocol: File Transfer Protocol (FTP)
• Port Number: 21
• Software Name: ProFTPD
• Software Version: 1.3.5

Exploit Summary: ("CVE-2015-3306 ProFTPD 1.3.5 Mod_Copy Command Execution |

Rapid7", n.d.)
• Discovered: search exploit database for “search proftpd”
• Exploit Tool: Metasploit Framework
• Exploit Name: ProFTPD 1.3.5 Mod_Copy Command Execution
• Payload: cmd/unix/bind_perl
• URL:
https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
• Source Code: https://github.com/rapid7/metasploit-
framework/blob/master/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
• Exploit Result: Successful (remote terminal as user “www.data”)
• Severity: High
• CVE Number: CVE-2015-3306
• Module: exploit/unix/ftp/proftpd_modcopy_exec
• Description: This module exploits the SITE CPFR/CPTO commands in ProFTPD version
1.3.5. Any unauthenticated client can leverage these commands to copy files from
any part of the filesystem to a chosen destination.

3) Vulnerability on port 22 (ssh)

This vulnerability could be of great importance only if the attacker gets hold of a Username
and a Password file of common passwords. These files could be used to brute-force against
different username-password combination. ("Scanner SSH Auxiliary Modules", n.d.) All the
passwords for the users are present in the “rockyou.txt” file. The home directory of the
target machine has all the usernames and putting these usernames in a text file would give
us our Username file to brute force along with the rockyou.txt file.
Vulnerability Summary:
• Protocol: Secure Shell (SSH)
• Port Number: 22
• Software Name: OpenSSH
 • Software Version: 6.6.1

Exploit Summary: ("CVE-1999-0502 SSH Login Check Scanner | Rapid7", n.d.)

• Discovered: search exploit database for “search ssh”
• Exploit Tool: Metasploit Framework
• Exploit Name: SSH Login Check Scanner
• URL: https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_login
• Source Code: https://github.com/rapid7/metasploit-
framework/blob/master/modules/auxiliary/scanner/ssh/ssh_login.rb
• Exploit Result: Successful (remote terminal as root user)
• Severity: Medium
• CVE Number: CVE-1999-0502
• Module: use auxiliary/scanner/ssh/ssh_login
• Description: This module will test ssh logins on a range of machines and report
successful logins. If you have loaded a database plugin and connected to a database
this module will record successful logins and hosts so you can track your access.

4) Information Extraction
All the information needed by the Rebel Alliance in order to destroy “death-star” is provided
below. The table below contains information about each person involved in the “death-star”
along with their passwords.

Summary:
Tool: Hashcat 4.1.0
• File: /etc/shadow
• Hashing Algorithm: Message Digest 5 (MD5)
• Salting Method: md5(salt + hash)
• Hashcat Algorithm Mode: Mode 500 (md5crypt)
Logged in as one of the super user. Access the shadow file which has the salts and hashes for
each user and also information about the hashing algorithm. “$1” which means the hashing
algorithm is MD5. A new text file called “assignment.txt” was created in the hashcat folder and
the contents of the shadow file was added to it. Make sure that the file “rockyou.txt” is present
in the hashcat folder. 15 passwords for 15 users was extracted using hashcat in Windows
Powershell. The password for the user “vagrant” was not extracted.
Hashcat command for password retrieval: hashcat64.exe -m 500 assignment.txt rockyou.txt
 USERNAME SALT HASH Plaintext-Password
storm_trooper_1 mhzU7fKc 3kI1bYA7VcD28TvsZB/rY/ theDARKside

storm_trooper_2 Oq2zvoKD nf7zaPAFuPfT0LNRZrv91/ stillup2nogood

storm_trooper_3 Ury0Ax4Z a5XSPA6ID1BA/0msCmN8/0 darksidethugs

storm_trooper_4 GDYbz3x8 5oYuMe5krxnX//wNeR7P11 supertrooper

storm_trooper_5 flxe38hz VOaLPAoE6eO7JeWFMsBZS. kittenswithmittens

imperial_guards K6jM.Fyf YOlctYfbkT.BGx913.SDb/ darkside2700

boba_fett vT1OA4dm oNGwR/9tffr3eJv30WpuS. bountyhunter1976

captain_needa r/imXmvK tj.uveUEE/tnD.eZcNYIy. [email protected]

general_veers tsWMwd/T VY1DCNtWBSNSBXlp9GaLI0 darkside131

admiral_piett iWH9/gx. njNg/iimHFO6ZAxaZrfW81 DarkSideForever0

admiral_ozzel /I/zGQCr RVoUXL8QDGTgxJ7FrZamf/ theadmiral

death_star_admin C8hQ8YVy qLlODYV.XRA8FeJmV6Q5u/ deathstar313

emperor_palpatine sF67XzYD kTPzQAS4bhFnKUrxvGY.x0 darkside!

darth_vader dqkERFiQ oMihN1usY.gnbemCa48Pk1 daddy_issues2277

darth_sidious udZXIBn5 7v57gK8MQn6PPfVDbrYg40 darksideismine

Death-star plans leaked!

A total of 8 files were found on the target machine which contains sensitive
information about the death-star project. The deathstar files were found by using
the find command with the grep command with the keywords “deathstar” and
“death-star”
 5 of the files – deathstar-crafts.PNG
deathstar-cross-section.PNG
deathstar-operations.PNG
deathstar-summary.PNG
deathstar-technical-specs-diagram.PNG
were found in the location /home/death_star_admin.
 1 of the files – deathstarinfographic.PNG
was found in the location /opt/proftpd/share/locale
 1 of the files –death-star- our only weakness.PNG
was found in the location /home/darth_sidious
 1 of the files – i-love-my-death-star.jpg
Was found in the location /home/darth_vader
Below are the screenshots of the death-star plans:
5) Security Recommendations
a) Outdated OS
The metasploitable2 server runs an older version of Ubuntu Linux i.e.
14.04. There are many security problems with this old version. Out-
of-bounds write vulnerability (CVE-2017-0750), denial-of-service
code execution (CVE-2017-0861), netlink wireless configuration
interface vulnerability (CVE-2017-12153) to name a few.
Recommendation: These problems could be mitigated if the OS is
upgraded to Ubuntu 17.10 which is the latest version.
b) Outdated Software Services
The services running on the open ports are all outdated, which is one
of the major reason for the target machine being susceptible to
remote code execution attacks.
Port Metasploitable2 New Stable Release
Outdated Version
21 Proftpd 1.3.5 Proftpd 1.3.6
22 OpenSSH 6.6.1 OpenSSH 7.6
80 Apache Httpd 2.4 Apache Httpd 2.4.33
6667,6697,8067 IRC 3.2.8.1 IRC 3.7
8080 Jetty 8.1.7 Jetty 9.4.8
8181 WebRick Httpd 1.3.1 WebRick Httpd 1.3.9

Recommendation: The old version of Proftp could be exploited to

upload or download files from the remote server by the attacker and
hence it should be updated to the latest version.
There should only be a single port for a single service. Redundant
services such as IRC running on three different ports should be avoided.
Database service such as MySQL running is redundant as well.
c) Firewall
The open ports and the services running on them is visible to an
attacker because the Metasploitable2 server doesn’t have any firewall
implemented to monitor the incoming/outgoing traffic.
Recommendation: There should be a firewall on the remote server so
that the attacker could not figure out the vulnerabilities present on the
server.
d) User Passwords and the Hashing Algorithm
Even though the user passwords are stored securely in the shadow
file (which could only be accessed by a super user), password
extraction using hashcat is possible since the passwords are very
common. Another problem is that one of the super user’s
(darth_vader) password is stored in plaintext in a file which could
even be accessed by other users with a lower privilege level. Also,
the hashing algorithm used for hashing the passwords is MD5, which
is found to have serious security consequences (especially brute-
force attacks)
Recommendation: The users should never store their passwords in
plaintext. A better hashing algorithm than MD5 should be used such
as SHA256 or SHA512. The passwords should be stronger as they
should contain a mixture of alphabets, numbers and special
characters. A necessary password rule and a minimum password
length would be suited for this job. The administrator of the server
should encourage the users to change their passwords frequently.
 6) Conclusion
In conclusion, since there are so many vulnerabilities resulting from
outdated softwares, the softwares must always be up-to-date. A
firewall with a strong policy should be in place to monitor
incoming/outgoing packets. Strong passwords must always be used
by all the legitimate users and they should be changed frequently as
well. The security audit reflects the three major vulnerabilities which
must be tackled at once. The Users should change their passwords
immediately to avoid any security breaches. The server should be
tested again and again on regular intervals to find any existing
loopholes in the server.

7) References
Host Discovery | Nmap Network Scanning. (N.A.). Nmap.org. Retrieved 10 April 2018, from
https://nmap.org/book/man-host-discovery.html
Duc, H. (2015). Nmap - Gathering Additional Host Information - Pentestmag. Pentestmag.
Retrieved 10 April 2018, from https://pentestmag.com/nmap-gathering-additional-host-
information/
CVE-1999-0502 SSH Login Check Scanner | Rapid7. Rapid7.com. Retrieved 10 April 2018, from
https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/ssh_login
Scanner SSH Auxiliary Modules. Offensive-security.com. Retrieved 10 April 2018, from
https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
CVE-2015-3306 ProFTPD 1.3.5 Mod_Copy Command Execution | Rapid7. Rapid7.com. Retrieved
10 April 2018, from
https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_modcopy_exec
CVE-2010-2075 UnrealIRCD 3.2.8.1 Backdoor Command Execution | Rapid7. Rapid7.com.
Retrieved 10 April 2018, from
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor