Exploiting Port 21 – ProFTPD
The FTP service can potentially be exploited in several ways. Let’s try a few of them. Users can access the Metasploitable VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try get access to this service. Pay attention to the results you got from OpenVAS:
Brute forcing ProFTPD using Hydra
Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:
hydra -L [users file] -P [passwords file] [IP] [service]
This will take a very long time because the tool will try every password for each user. And it might not return any good results unless you use carefully selected wordlists.
Brute forcing ProFTPD using Nmap
Using wordlists provided with Kali, and using the proper Nmap script (ftp-brute) you will also get positive results and sometimes faster than you what can get using Hydra.
Brute forcing ProFTPD using Metasploit
Metasploit has an auxiliary module that can also be used to brute FTP force passwords just like Hydra did. I like to use it last with custom wordlists.
Using the custom wordlists previously created will produce the same results. But using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database.
Enumerating via ProFTPD
Once you have found a valid credential set, you can use it to login to the remote FTP server:
You have now a list of the systems’ users and you can explore further to get extra data.
Exploiting ProFTPD using Metasploit
If you look closely at the OpenVAS scan results, you will see this:
Searching for an exploit in MSF will return these results:
As you can see, there a specific module for this vulnerability. Use it!
This exploit gained remote access as the www-data user. Not very useful but always better than nothing, right?
Don’t forget to clean your tracks by removing the payload used.
Exploiting Port 22 – SSH
This port/service can also be attacked using the usual tool of the trade. Besides, keep in mind that sometimes it will be easy to get credentials for other running services. Then, using the previously identified credentials it is easy to create a small custom list of usernames and passwords and attempt to get more using the usual tools.
Brute forcing SSH using Hydra
Basically, the same as before, but this time much slower due to limitation in SSH.
Brute forcing SSH using Nmap
Using Kali’s wordlists, you will get some results.
Brute forcing SSH using Metasploit
Now that you have at least one valid credential, it might be a good idea to use it in Metasploit. Each successful login will immediately open a session on the remote machine and the valid credentials are added to the MSF database.
You will get a command session and you can upgrade it to a Meterpreter session!
No comments:
Post a Comment