Just for the sake of organization, as was done for Metasploitable 2, let’s start exploring the services in ascending port order.
Exploiting Port 21 – IIS FTP
The Web Server (IIS) role in Windows Server provides a secure, easy-to-manage, modular and extensible platform for reliably hosting websites, services, and applications.
In Windows Server 2008, Internet Information Services (IIS) gained a new administration interface and configuration store, and the new FTP service is tightly integrated with this design. Microsoft rewrote the FTP service, and this updated service incorporates many new features that enable web authors to publish content better than before and offer web administrators more security and deployment options.
But in spite of being integrated in the Web Server, the IIS FTP service works pretty much like any other FTP server.
Brute forcing IIS using Hydra
Users can access the Metasploitable 3 VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try some of the most commonly used combinations and try to brute force the access to the FTP server. Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:
hydra -L [users file] -P [passwords file] [IP] [service]
This will take a very long time because the tool will try every password for each user. And it might not return any good results unless you use carefully selected wordlists.
This is an example of successful results obtained with custom created wordlists:
Once you have found a valid credential set, you can use it to login to the remote FTP server:
This can then be used to download/upload files, etc.
Brute forcing IIS using Metasploit
Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did.
Using the custom wordlists previously created will produce the same results. But using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database.
Brute forcing IIS using Nmap
Using wordlists provided with Kali, and using the proper Nmap script (ftp-brute) you will get positive results.
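The three brute-force approaches above all leave the same trace on the server side. As an added example (not from the original post), this Python script reads IIS FTP W3C logs and flags clients with repeated rejected passwords, noting whether one of them eventually logged in; the log lines are constructed, and it assumes IIS records the login outcome on the PASS command (530 rejected, 230 accepted).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C layout IIS FTP writes (field names are taken from
# the "#Fields:" header, so a different column order in real logs still parses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2018-01-10 10:00:01 10.0.0.5 - 10.0.0.10 21 USER ftpuser 331 0 0 1a -
2018-01-10 10:00:01 10.0.0.5 ftpuser 10.0.0.10 21 PASS *** 530 1326 1 1a -
2018-01-10 10:00:02 10.0.0.5 ftpuser 10.0.0.10 21 PASS *** 530 1326 1 1b -
2018-01-10 10:00:03 10.0.0.5 ftpuser 10.0.0.10 21 PASS *** 530 1326 1 1c -
2018-01-10 10:00:04 10.0.0.5 ftpuser 10.0.0.10 21 PASS *** 230 0 0 1d -
2018-01-10 10:05:00 10.0.0.7 alice 10.0.0.10 21 PASS *** 230 0 0 2a -
"""

def parse_iis_ftp_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def detect_ftp_bruteforce(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: (failed_logins, logged_in_afterwards)} for clients with
    at least `threshold` rejected passwords inside any `window`-long span.
    Assumed: IIS logs the outcome on PASS, 530 = rejected, 230 = accepted."""
    failures = defaultdict(list)
    success_after = set()
    for row in rows:
        if row["cs-method"] != "PASS":
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        if row["sc-status"] == "530":
            failures[ip].append(ts)
        elif row["sc-status"] == "230" and failures.get(ip):
            success_after.add(ip)      # valid login after failures: likely guessed
    findings = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):      # sliding window
            if times[i + threshold - 1] - times[i] <= window:
                findings[ip] = (len(times), ip in success_after)
                break
    return findings
```

A client that appears with `logged_in_afterwards` set to True is the one to treat as a compromised account rather than just noise.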
IIS Directory Traversal
Logging in to the FTP server lands you in the site directory, with the files of the IIS website served on port 80.
Even if you want to, you cannot escape that directory.
You can try a traversal attack to escape the directory location. This can be done manually or via a tool such as dotdotpwn as shown below.
It will take a significant amount of time to test all the generated directories, and it will probably fail. But it is worth trying in order to understand how this kind of attack works.
IIS FTP Denial of Service
If you look closely at the OpenVAS scan results, you will see this:
Searching for the CVE online will give you access to an exploit:
And that same exploit is available in your Kali machine:
The reason for failure is certainly related to the use of old Python code. It would be a waste of time trying to update it; the exploit will only cause the remote machine to crash. Not very useful…