Linux Exploitation: Lab 1 - Remote Enumeration

overview

This exercise will help you understand how to perform enumeration on the remote linux systems to find vulnerable services, valid users and enumerate the benefits of finding juicy information.

Lab Environment

In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali on:

• http://demo.ine.local

• http://demo2.ine.local

• http://demo3.ine.local

• http://demo4.ine.local

Dictionaries to use: * /usr/share/metasploit-framework/data/wordlists/common_users.txt * /usr/share/metasploit-framework/data/wordlists/unix_users.txt

Tools

The best tools for this lab are:

• Nmap

• SMTP-user-enum

• finger-user-enum

• rpcclient

• enum4linux

• Bash Shell

• smbmap

• Metasploit Framework

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solutions

Step 1: Open the lab link to access the Kali GUI instance.

Step 2: First, check the machine's IP address.

Command

Step 3: Now, let's run nmap and discover all the hosts using nmap ping sweep.

Command

Note: Please verify your IP address range and do not attack the gateway located at IP address 192.X.Y.1

We can observe that there are four hosts are alive. (excluding Attacker and Gateway Machine)

Do not run attacks on the gateway machine 192.X.Y.1 :)

Now, let's find open ports on all the hosts using nmap.

Step 4: Before finding all the open ports for four hosts. We will create a file and keep all hosts' names in it for the scanning.

Command

-iL hosts : Providing hosts file as an input target for scanning

--open : Only show open port host.

We have discovered all the open ports on all four machines:

We will enumerate all the services to find exciting, valuable information for getting into the system.

Step 5: First, let's target the demo.ine.local host.

Target demo.ine.local is exposed to port 25, and it is default port for the SMTP (Simple Mail Transfer Protocol) service.

Let's enumerate the SMTP server for enabled methods and users.

Before enumerating the users, let's find the running SMTP server name.

Commands

Target is running Postfix smtpd. Now, let's use the nmap smtp-commands script to find all the enabled methods.

Commands

We are only interested in these two methods, VRFY and ETRN.

VRFY : Command is used for validating users.

ETRN : Command tells the actual delivery address of aliases and mailing lists.

We will use the VRFY method to find valid username on the target machine. Now, there are multiple ways to find valid users using the below tools:

1. Metasploit Framework

2. SMTP-user-enum (A Perl script)

3. Nmap script smtp-enum-users

First, let's use Metasploit Framework to find all the users.

Commands

Let's use the smtp enumeration module and check all available module options.

Commands

We have to change the USER_FILE and set the RHOSTS value and then run the module.

Commands

We have found seven users, i.e. administrator, anon, auditor, demo, diag, rooty, sysadmin using Metasploit Framework.

Similarly, now let's run smtp-user-enum.pl script. The script is located inside /usr/bin/smtp-user-enum

Commands

-M VRFY : A method to use for user verification

-U /usr/share/metasploit-framework/data/wordlists/common_users.txt : A username lists

-t demo.ine.local : Target server

In this case, also we have discovered seven users.

Now, use the nmap script to do the same job.

Commands

We can notice that we have received only 3 users as valid. It's because nmap uses a different username list for user verification. So, in that list the administrator, sysadmin, and root users are present; hence we have received output for these users only.

Here is the list: /usr/share/nmap/nselib/data/usernames.lst

We have successfully enumerated all the users via SMTP service using different tools. Now, let's target demo2.ine.local where the Samba service is running.

Step 6: We already know that port 445 is the default port for Samba share.

We could extract tons of sensitive information from the samba service too.

First, let's identify the running service name and version.

Command

The target is running Samba smbd 3.X - 4.X.

Let's start with user enumeration using the enum4linux script and the grep command. We can conduct "RID Cycling" with the "-r" switch and obtain a list of local users on the host identified as running samba server.

Command

We have successfully identified six users, excluding the nobody user.

Now we can use smbmap to identify shares and permissions on the host identified as running samba server. The shares configured with "READ" and even more so "WRITE" permissions should be of specific interest to us.

Command

We can observe that we only have access to the public share. The permission is set on that folder is READ, WRITE.

In our quest to identify the actual share content, we should first determine whether the shares identified on both systems allow anonymous or guest access. We can use Nmap's smb-enum-shares NSE script to determine that.

Command

While trying to determine anonymous or guest access with the "smb-enum-shares" NSE script, we notice that the Nmap NSE scan returns output for all the shares.

We can notice that the public folder is accessible to the Anonymous users with READ/WRITE permission.

In some cases, when we can't definitively determine whether or not a particular share on a Samba server allows anonymous or guest access with a Nmap script scan, we can try a direct connection attempt using smbclient to one of the available shares we identified.

In this case, the public share, while making sure to specify the "-N" option for no password, and then the "-U" with a blank username.

Commands

We can observe there is one more folder inside public share, i.e., secret. Let's switch to that folder.

Commands

We have found the flag file. Let's download it to the attacker's machine and read it.

Commands

We have found the flag: 03ddb97933e716f5057a18632badb3b4

Similarly, we can also use the rpcclient command to get all the users and target machine information. The rpcclient utility is compelling for enumerating and managing the samba server.

Let's connect to the target server using rpcclient.

Command

We can perform all below operations using rpcclient.

• enumdomusers: Enumerate users

• enumdomgroups: Enumerate domain groups

• enumdomains: Enumerate domain information

• queryuser john#: Identify user information for the given user relative ID number

We can create/delete users on the target samba server based on the privilege.

Step 7: Now, let's enumerate the finger service running on host demo3.ine.local.

Finger Protocol

The Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information. The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79. An RUIP (Remote User Information Program) is started on the remote end of the connection to process the request. The local host sends the RUIP one line query based upon the Finger query specification, and waits for the RUIP to respond. The RUIP receives and processes the query, returns an answer, then initiates the close of the connection. The local host receives the answer and the close signal, then proceeds to close its end of the connection. Source: https://en.wikipedia.org/wiki/Finger_(protocol)

We could use the Metasploit module to enumerate the valid usernames on the target machine via finger protocol.

We all know that root is a built-in account on all Linux systems. First, let's use the finger command on the target to get root user information.

Command

We can observe that we have received root user information, but nothing interesting was found. Now, let's use the Metasploit framework finger auxiliary module to gather valid users. Then we will find information about those users.

Commands

Let's use the finger_users enumeration module and check all available module options.

Commands

We only have to set the RHOSTS value and run the module.

Commands

We have gathered all the present users on the target machine via finger protocol. Most of them are the default users of the Linux system.

We could also use the finger-user-enum.pl script to find valid users.

The script is located in /root/Desktop/tools/finger-user-enum directory.

Command

We have found all the users. However, we also found three flags. The flags are present in the gopher, diag, and webmaster users.

We can also get these results properly using finger utility.

Commands

FLAG1: 098F6BCD4621D373CADE4E832627B4F6

FLAG2: F765F7A0A169F4F6654EE72A84A9EB

FLAG3: C4CA4238A0B923820DCC509A6F75849B

Now, we are familiar with the finger protocol. Let's answer the following questions:

1. What is the office phone number of the user admin?

Command

2. The email of user tom is forwarded to which user?

Command:

3. Find the project details on which user tim is working.

Command:

4. Which users among tim,jim,jil,tom and john have a pgpkey?

Command:

5. What is the plan of user jil?

Command:

6. Find the date and time when user tim logged in to the system.

Command:

We have successfully enumerated the finger service and found a lot of exciting information. Now, let's move and target the demo4.ine.local host where port 21 is open.

Step 8: We already know that the host demo4.ine.local runs an FTP service. But, we don't see the name and version of it.

Let's run the nmap scan on the target machine to discover the running FTP service.

Command:

We notice that on port 21, the ProFTPD 1.3.3c service is running. We need to confirm that it is vulnerable to any known public exploit.

There are multiple ways in which we can find the vulnerability. The simlest way we can try is searching on google, i.e., proftpd 1.3.3 exploit. It should suggest vulnerability to a specific 1.3.3c version. Finding a version of a running service is very crucial information. The attacker can find almost all types of exposure targeting that particular version.

We can also use automated vulnerability analysis tools and discover the vulnerability. In this case, we will use nmap script vuln to detect the vulnerability of the proftpd service.

Let's run the nmap vuln script on the demo4.ine.local host.

Command:

We have easily detected the running service vulnerability. The proftpd is vulnerable to the backdoored installation. Also, if we closely notice the output of the nmap, it has actually executed the id command on the target and returned the output. Hence, this confirms that the target is indeed vulnerable and exploitable.