Metasploitable Guide Part 5 : Nessus Bridge, and Local Escalation

Posted: December 4, 2011 in Guides

So here is the final chapter in the Metasploitable Guide. I was originally intending this to be a 10-part guide, but frankly, if I don’t finish it today it’s never going to get done. Ubuntu 12.04 is in its Alpha stage and I’d like to spend some time putting together half-decent server and desktop security guides for the new LTS, so this needs to end here. If you’re just finding this guide and would like to start from the beginning, links to the other chapters of the guide can be found here.

Scanning for additional local vulnerabilities with Nessus Bridge

This is just something amusing we can do. In an actual environment, where this system is sitting on a network with an IDS/IPS, this probably isn’t the best idea, as Nessus makes a huge amount of noise. That being said, the Nessus bridge is a fun plugin for Metasploit, so I figured I’d hit it up for the sake of illustrating its functionality. There is also a similar plugin module for OpenVAS if that is your preferred vulnerability scanner.

Configuring A Nessus Policy

The first step is to make sure we have a preconfigured Nessus policy. You can use a pre-existing policy if you’d like; however, since we know pretty much everything about this host at this stage of the game, it makes more sense to fine-tune a policy in order to reduce the time it takes to perform the audit and decrease the chances of being discovered by any IDS (if there were one).

Using Nessus Bridge In Metasploit

After we’ve started the Nessus daemon and configured our scan policy, we can execute the scan against our target directly in Metasploit by doing the following.

load nessus
nessus_connect root:toor@localhost:8834
nessus_scan_new -5 Metasploitable 192.168.0.7

Where root:toor is the username and password for your Nessus user, -5 is the number of the policy you want to use, Metasploitable is the name of the scan, and 192.168.0.7 is the target.

Nessus Report

After our Nessus scan is complete we will see that there are quite a few additional vulnerabilities on this system; we obviously do not have to exploit all of them if we do not want to. However, if this were a real-world situation we would want to at least verify that they are all legitimate and not false positives due to backports (a version-based check sees the old upstream version number even though the distribution has patched the flaw in place).

In this report we find one advisory particularly interesting: CVE-2009-1185.

Local Escalation through Udev

A quick search for this CVE yields code that will allow escalation to root privileges. That source code is here.
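Before acting on a finding like this one, it is worth checking whether the package is really unpatched or whether the scanner is tripping over a backported fix, the caveat raised in the Nessus report section above. The following is an added example, not code from the original post: it implements dpkg’s version ordering in Python and compares an installed Debian/Ubuntu package version the naive way a banner-based scanner does (upstream number only) and against the version named in the vendor advisory. The upstream fixed version of udev (141) is taken from the CVE description rather than from this post, the installed versions are constructed for illustration, and the advisory version is a placeholder to be taken from the relevant USN.

```python
# Added example (not from the post): dpkg version ordering, used to check
# whether a scanner finding such as "udev < 141" is a backport false positive.

def _order(c):
    # dpkg weight of one non-digit char: '~' < end of string < letters < others
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # Compare an upstream or revision string the way dpkg's verrevcmp() does.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # digit runs compare numerically
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or (ord(a[0]) - ord(b[0]))
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    # 'epoch:upstream-revision' -> (int epoch, upstream, revision)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), up, rev

def deb_version_cmp(v1, v2):
    # <0 if v1 < v2, 0 if equal, >0 if v1 > v2, in dpkg order
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def backport_false_positive(installed, upstream_fixed, advisory_fixed):
    # True when a banner-style check (upstream number only) flags the package
    # but the distro's advisory version (placeholder; take it from the USN)
    # says the backported fix is installed.
    flagged = deb_version_cmp(_split(installed)[1], upstream_fixed) < 0
    fixed = deb_version_cmp(installed, advisory_fixed) >= 0
    return flagged and fixed
```

Feed it the output of `dpkg-query -W -f='${Version}' udev` from the host and the fixed version from the advisory; a True result means the scanner finding should be marked as a false positive rather than exploited or reported.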

Rooting Metasploitable…Again

Now, we already have root privileges; however, what if we didn’t? What if the only method we had for gaining entry to the server was weak SSH user credentials?

We’re going to utilize the public exploit code for the udev escalation in conjunction with our previously obtained credentials for user to gain a root shell on our target.

Creating our Payload

The first step here is to create our payload; we’ll use Metasploit to create a simple reverse shell and listener.

The next step is to use SCP to upload our exploit and payload to the target using our stolen credentials, user:user.

Once we have uploaded our exploit and payload we can open an SSH session to the victim, cd into /tmp, compile our exploit, and run it…

..and win 😉

That’s all folks. That brings our Metasploitable Guide to an end. There are a ton of other things you can do with this vulnerable virtual machine; however, that should be more than enough pwnage to inspire you and keep you motivated to try new and exciting things.

Hopefully it was a learning experience and you enjoyed it greatly; I had a good time writing it 🙂

Comments
  1. D. Dieterle says:

    Exceptional series Adam. Very nice job!
    Thank you!

    • dangertux says:

      Thanks for the encouragement Dan! As we’ve talked about I’ve been struggling lately man — it was hard to chug out the 600 words or whatever it took to finish this up. Maybe I need a break for a while :-/

  2. Carlos says:

    Hey Adam, Glad to see that you will be covering Ubuntu 12.04 desktop and server best security practices. Could you also include how to manage passwords?

    Thanks,

    Carlos

    • dangertux says:

      Carlos —

      When you say managing passwords in what regard do you mean? Are you talking about password management from a sysadmin’s point of view on a server? Or do you mean desktop password management systems like Keepass? OR Do you mean procedures for generating strong passwords?

      Thanks

      Adam

      • Carlos says:

        Adam,

        I was talking about something like Keepass or lastpass on the desktop. Also, some password management from the sysadmin’s point of view would be nice too :).

        Thanks,

        Carlos

  3. dangertux says:

    Sounds good — I have started working on them and want them to be very in depth since the new LTS will be around for the next 5 years. So look for a lot of interesting stuff. If you have anything else you’d like to see please let me know guys.

    The Desktop guide will likely be first — The server guide may be split into two parts as I want to start getting into some of the UEC stuff , though I am hardware challenged at the moment…Any one up for paypal donations? (kidding) lol.

    Thanks all for the comments and encouragement 🙂

  4. haqking says:

    nice guide DT as always, bit quiet of late though, 4 days and no new posts ? never mind working for a living 😉

    • dangertux says:

      Three reasons honestly.

      1 — Been busy as hell I’ve told you that 😛
      2 — I have no idea what else to write about except the one thing that I’m writing about currently
      3 — the aforementioned one thing from #2 is in fact a 10,000+ word Ubuntu 12.04 LTS comprehensive post install desktop security guide which covers everything under the sun so far up to and including creating an SELinux sandbox in Ubuntu (yes…overkill I know)

      So yeah…If you got some suggestions let me know. But I think I’ve owned Ubuntu about as many different ways as I can at this point. I considered making a crappy wifi cracking guide, but that is easy and on about 12,000 websites already lol.

      • Carlos says:

        Hey Alan, so you’re gonna cover how to configure and set up SELinux in Ubuntu? I heard installing it would break the system.

      • dangertux says:

        It won’t break it however it does conflict with Apparmor so it’s an alternative. Apparmor will also be discussed fairly in depth.

  5. Carlos says:

    Hey Adam,

    Don’t forget to add this in your guide for the firewall.

    sudo sh -c "iptables-save > /etc/iptables.rules"

    sudo nano /etc/NetworkManager/dispatcher.d/01firewall

    #!/bin/sh
    # NetworkManager dispatcher script: $1 is the interface, $2 is the action.
    # Restores the saved ruleset whenever an interface comes up.
    # The file must be executable (chmod +x) for NetworkManager to run it.
    if [ -x /usr/bin/logger ]; then
        LOGGER="/usr/bin/logger -s -p daemon.info -t FirewallHandler"
    else
        LOGGER=echo
    fi

    case "$2" in
    up)
        if [ ! -r /etc/iptables.rules ]; then
            ${LOGGER} "No iptables rules exist to restore."
            exit 0
        fi
        if [ ! -x /sbin/iptables-restore ]; then
            ${LOGGER} "No program exists to restore iptables rules."
            exit 0
        fi
        ${LOGGER} "Restoring iptables rules"
        /sbin/iptables-restore -c /etc/iptables.rules
        ;;
    *)
        ;;
    esac

    • dangertux says:

      Nice script — thanks for that, I still hate how Debian based Distros deal with iptables apply / save / throw in trash lol..

      I’ll definitely include that — though I’m about tired of writing firewall guides for Ubuntu it’s somewhat obligatory.
