Server-Side Attack Basics

This section covers server-side attacks, starting with information gathering. Information gathering is used to obtain details about the target system, including the installed programs, the operating system, the running services, and the ports associated with them. Once the installed services are identified, we can attempt to gain access to the system by trying default passwords.

Many people install services and fail to configure them properly, which creates potential vulnerabilities. One common issue is that certain services are designed to provide remote access to a computer, but they require appropriate security measures to prevent unauthorized access. Misconfigurations of such services can be exploited to gain entry to the system. Additionally, some services may contain backdoors or vulnerabilities such as remote buffer overflows or code execution flaws, which can give full access to the computer.

One straightforward way to identify vulnerabilities in a website is to use Zenmap. Given the IP address of the website, Zenmap can identify all the services running on it. Then, for each service, we can perform a Google search to determine whether any known vulnerabilities exist. As an example, the Metasploitable device is a website, and we can obtain its IP address by pinging it. With that address, we can run Zenmap against the Metasploitable device and obtain a list of all the services running on it, which lets us identify potential vulnerabilities. Note that this approach is not limited to websites: it can be used to identify the running services on any computer.

To launch Zenmap, open a terminal and type the command “zenmap”. Once the application opens, enter the IP address to be tested. In this scenario, we enter the IP address of our target, the Metasploitable device, which in our example is 10.0.2.4. After entering the IP address, start the scan; this generates a list of all the installed applications on the target device. The list can be seen in the following screenshot:

[Screenshot: Zenmap scan results for 10.0.2.4]

After the scan completes, we have a list of open ports and the services running on them. To investigate these services for potential vulnerabilities, open the “Nmap Output” tab and review each port and its corresponding service. We can then perform a Google search for each service name to identify any known vulnerabilities associated with it.

In the screenshot, we can see that port 21 is open, which is typically associated with an FTP service. FTP is used to transfer files to and from a remote server and usually requires a username and password for access. In this particular instance, however, the FTP service has been misconfigured to allow anonymous FTP login, meaning that we can log in without providing any credentials. This vulnerability is highlighted in the next screenshot.

[Screenshot: Nmap Output tab showing port 21 with anonymous FTP login allowed]

To exploit the anonymous FTP login vulnerability, we can download an FTP client such as FileZilla and connect to the target device’s IP address on port 21. After connecting, we can Google the FTP server’s version, which in this instance is vsftpd 2.3.4, to identify any misconfigurations or known exploits. This research shows that vsftpd 2.3.4 was released with a pre-installed backdoor, which makes it vulnerable to code execution exploits. The same research can be repeated for each service listed in the Zenmap output to identify any potential vulnerabilities or misconfigurations.

Suppose we have gone through the ports listed in the Zenmap output one by one and found nothing of significance. When we reach port 512, however, we notice something unusual, as shown in the following screenshot.

[Screenshot: Nmap Output tab showing port 512 open]

Since we don’t recognize the service running on port 512, we perform a Google search and identify it as netkit-rsh, a remote execution program. If we can log in to this program, we can execute commands on the target device. The program uses rsh/rlogin, a built-in Linux program that allows remote command execution, similar to SSH.

To connect to the netkit-rsh service, we must first make sure we have the appropriate tools installed. Looking at the netkit-rsh package, we see that it is intended for use on Ubuntu. Since our target computer is also running Ubuntu, we know that we can use the rsh-client package to connect. rsh-client is a client program that enables remote shell connections. To install rsh-client, use the following command:

[Screenshot: installing rsh-client with apt-get]

The apt-get command installs and configures rsh-client for us. After installation, we can use the rlogin command to log in to the target device, since we know that the netkit-rsh package uses rlogin for the login process. If we are unsure how to use the rlogin command, we can pass the --help flag to view the usage instructions, as shown in the following screenshot.

[Screenshot: rlogin --help output]

We execute the rlogin command with the username (-l) set to “root”, the account with the highest level of privileges on the system, and the target IP (10.0.2.4) as the host. The command to execute is:

[Screenshot: the rlogin command and the resulting root shell]

At this point, we have logged into the Metasploitable machine as root. We can confirm this by running the “id” command, which displays the user and group IDs of the current user, and seeing that we are indeed root. Additionally, running “uname -a” displays the system’s hostname and the version of the Linux kernel it is running. This confirms that we have gained root access to the Metasploitable machine.

[Screenshot: output of id and uname -a on the Metasploitable machine]

In summary, we gained access to the target computer by exploiting the misconfigured rlogin service. This manual method is a basic way of gaining access to a target by exploiting a misconfiguration in an installed service. We accessed the target simply by Googling the service associated with the port and using rlogin to log in as root.
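The three findings walked through above (anonymous FTP login, the backdoored vsftpd 2.3.4 release, and an exposed r-service on port 512) are exactly what an administrator should be hunting for in their own scan output. The following script is an added example, not part of the original tutorial: it parses the XML report that Zenmap/Nmap produces (run with the -oX option) and flags those conditions with a remediation hint. The XML embedded below is a constructed sample that mirrors the scan in the text; the script is hypothetical, not a tool from the page.

```python
"""Audit an Nmap/Zenmap XML report for the risky services discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample report (trimmed), shaped like real `nmap -sV -sC -oX` output
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.0.2.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="512"><state state="open"/>
        <service name="exec" product="netkit-rsh rexecd"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

# Legacy r-services (exec/login/shell) trust hostnames and IPs instead of real authentication
RSERVICE_PORTS = {512, 513, 514}

def audit_nmap_xml(xml_text):
    """Return a list of (ip, port, finding) tuples for services that need remediation."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            pid = int(port.get("portid"))
            svc = port.find("service")
            product = (svc.get("product") or "") if svc is not None else ""
            version = (svc.get("version") or "") if svc is not None else ""
            # NSE script results (e.g. ftp-anon) are child <script> elements of the port
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            if "Anonymous FTP login allowed" in scripts.get("ftp-anon", ""):
                findings.append((addr, pid, "anonymous FTP enabled: set anonymous_enable=NO in vsftpd.conf"))
            if product == "vsftpd" and version == "2.3.4":
                findings.append((addr, pid, "vsftpd 2.3.4 is a backdoored release: upgrade immediately"))
            if pid in RSERVICE_PORTS or "netkit-rsh" in product:
                findings.append((addr, pid, "r-service exposed: remove rsh-server/netkit-rsh, use SSH"))
    return findings

if __name__ == "__main__":
    for ip, port, note in audit_nmap_xml(SAMPLE_XML):
        print(f"{ip}:{port}  {note}")
```

Feed it a real report with `audit_nmap_xml(open("scan.xml").read())`; hosts with no findings simply produce an empty list.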

We hope that the information provided on Server-Side Attack Basics was helpful to you, and we encourage you to stay tuned with us @ tutorials.freshersnow.com for more insights on Ethical Hacking.