Metasploitable 3 Windows Walkthrough: Part II

Just for the sake of organization, as was done for Metasploitable 2, let’s start exploring the services in ascending port order.

Exploiting Port 21 – IIS FTP

The Web Server (IIS) role in Windows Server provides a secure, easy-to-manage, modular and extensible platform for reliably hosting websites, services, and applications.

In Windows Server 2008, Internet Information Services (IIS) gained a new administration interface and configuration store, and the new FTP service is tightly integrated with this design. Microsoft rewrote the FTP service, and the updated version incorporates many new features that let web authors publish content more easily and give web administrators more security and deployment options.

But in spite of being integrated in the Web Server, the IIS FTP service works pretty much like any other FTP server.

Brute forcing IIS using Hydra

Users can access the Metasploitable 3 VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try some of the most commonly used combinations and brute force access to the FTP server. Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:

hydra -L [users file] -P [passwords file] [IP] [service]

Brute forcing FTP with Hydra

This will take a very long time because the tool will try every password for each user. And it might not return any good results unless you use carefully selected wordlists.

This is an example of successful results obtained with custom created wordlists:

Brute forced FTP using Hydra

Once you have found a valid credential set, you can use it to login to the remote FTP server:

FTP login with brute forced credentials

This can then be used to download/upload files, etc.

Brute forcing IIS using Metasploit

Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did.

Brute forcing FTP with Metasploit

Using the custom wordlists previously created will produce the same results. But using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database.

Brute forced credentials added to MSF's database

Brute forcing IIS using Nmap

Using the wordlists provided with Kali and the appropriate Nmap script (ftp-brute), you will get positive results.

Brute forcing FTP with Nmap

IIS Directory Traversal

An FTP login lands you in the site directory of the IIS website served on port 80, with access to its files.

You cannot leave that directory, even if you try.

FTP directory lock

You can try a traversal attack to escape the directory location. This can be done manually or via a tool such as dotdotpwn as shown below.

It will take a significant amount of time to test all the generated directories, and it will probably fail. But it is worth trying in order to understand how this kind of attack works.

Directory traversal attempt

Directory traversal failed
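From the defender's side, both the brute-force runs above and the traversal attempt in this section leave traces in the IIS FTP logs. The following is an added example, not code from the original post: it parses a constructed W3C-format IIS FTP log, counts the 530 login failures per client IP to flag wordlist attacks such as the Hydra run, and lists every request whose path contains a `..` segment. The field layout of the sample log and the `vagrant`/`alice` accounts are assumptions.

```python
import re
from collections import Counter

# Constructed sample of an IIS FTP W3C log (field layout assumed; the parser
# takes column names from the #Fields header rather than hard-coding positions).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2020-01-01 10:00:01 10.0.0.5 - 10.0.0.10 21 USER vagrant 331 0 0 s1 -
2020-01-01 10:00:01 10.0.0.5 vagrant 10.0.0.10 21 PASS *** 530 1326 41 s1 -
2020-01-01 10:00:02 10.0.0.5 - 10.0.0.10 21 USER vagrant 331 0 0 s2 -
2020-01-01 10:00:02 10.0.0.5 vagrant 10.0.0.10 21 PASS *** 530 1326 41 s2 -
2020-01-01 10:00:03 10.0.0.5 - 10.0.0.10 21 USER vagrant 331 0 0 s3 -
2020-01-01 10:00:03 10.0.0.5 vagrant 10.0.0.10 21 PASS *** 530 1326 41 s3 -
2020-01-01 10:00:04 10.0.0.5 - 10.0.0.10 21 USER vagrant 331 0 0 s4 -
2020-01-01 10:00:04 10.0.0.5 vagrant 10.0.0.10 21 PASS *** 230 0 0 s4 -
2020-01-01 10:00:05 10.0.0.5 vagrant 10.0.0.10 21 CWD ../../../windows 550 5 0 s4 /
2020-01-01 10:05:00 10.0.0.9 - 10.0.0.10 21 USER alice 331 0 0 s5 -
2020-01-01 10:05:00 10.0.0.9 alice 10.0.0.10 21 PASS *** 230 0 0 s5 -
"""

def parse_w3c(text):
    """Return one dict per record, keyed by the column names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def failed_logins_by_ip(records):
    """Count PASS commands the server rejected with 530 (login incorrect), per client IP."""
    return Counter(r["c-ip"] for r in records
                   if r["cs-method"] == "PASS" and r["sc-status"] == "530")

def bruteforce_sources(records, threshold=3):
    """Client IPs with at least `threshold` failed logins: a wordlist run, as with
    Hydra, produces many 530s from one source in a short time."""
    return sorted(ip for ip, n in failed_logins_by_ip(records).items() if n >= threshold)

# A '..' path segment with either separator, since traversal payloads use both.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def traversal_attempts(records):
    """(client IP, command, path) for every request whose path steps up a directory."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in records if TRAVERSAL.search(r["cs-uri-stem"])]
```

On a real server the same functions can be pointed at the files under the FTP site's log directory; the threshold should be tuned to the normal failure rate of the site's users.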

IIS FTP Denial of Service

If you look closely at the OpenVAS scan results, you will see this:

OpenVAS reporting DoS vulnerability

Searching for the CVE online will give you access to an exploit:

DoS exploit in ExploitDB

And that same exploit is available in your Kali machine:

DoS exploit failed

The failure is certainly related to the exploit's old Python code. Updating it would be a waste of time: the exploit only crashes the remote machine, which is not very useful…
