
Fundamentals of Penetration Testing

Identifying vulnerabilities

Medium
10 min

Next, we will go through an example of how vulnerabilities can be identified in the services found by scanning. First, repeat the mapping steps from the previous module. Start the lab and follow along.

Metasploit Practice

In this lab, there are several different vulnerable web services that you can search for with Metasploit.

Mapping phase

This step is the same as in the previous module and consists of the following commands.

# Database preparation (Metasploit stores scan results in PostgreSQL)
service postgresql start
msfdb init

# Starting Metasploit
msfconsole

# Scanning: -p- scans all 65535 TCP ports instead of nmap's default top 1000;
# -A adds version detection, OS detection, default scripts and traceroute
db_nmap -p- <IP>
db_nmap -A -p- <IP>

Afterwards, we can verify that we have visibility of the target's open ports and the services listening on them.

msf6 > services
Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.2.51  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.2.51  25    tcp    smtp         open   Postfix smtpd
10.0.2.51  53    tcp    tcpwrapped   open
10.0.2.51  111   tcp    rpcbind      open   2 RPC #100000
10.0.2.51  139   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP
10.0.2.51  445   tcp    netbios-ssn  open   Samba smbd 3.0.20-Debian workgroup: WORKGROUP
10.0.2.51  2121  tcp    ftp          open   ProFTPD 1.3.1
10.0.2.51  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.0.2.51  3632  tcp    distccd      open   distccd v1 (GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)

Vulnerability Detection

Now we can start identifying potential vulnerabilities. This is often done with public sources such as the Exploit-DB website: the detected service names and versions are compared against known vulnerabilities, and any matches are noted for further investigation. There are also automated approaches, such as nmap's vulnerability scripts (the vuln script category), which actively probe the services for known vulnerabilities. Their accuracy varies, but they are a good way to start mapping vulnerabilities.

Below, a vulnerability scan is run only against port 3632, where the distcc service is listening.

db_nmap -p3632 --script vuln <IP>

From the output we can see that the service has a serious public vulnerability (CVE-2004-2687) that allows an attacker to execute arbitrary commands. Note that the script has in fact already run the id command through it: the uid=1(daemon) line under Extra information is the result. The check is therefore itself a small exploitation, which is worth keeping in mind when scanning production systems.

[*] Nmap: Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 15:24 UTC
[*] Nmap: Nmap scan report for 10.0.2.51
[*] Nmap: Host is up (0.00018s latency).
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 3632/tcp open  distccd
[*] Nmap: | distcc-cve2004-2687:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   distcc Daemon Command Execution
[*] Nmap: |     State: VULNERABLE (Exploitable)
[*] Nmap: |     IDs:  CVE:CVE-2004-2687
[*] Nmap: |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
[*] Nmap: |       Allows execution of arbitrary commands on systems running distccd 3.1 and
[*] Nmap: |       earlier. Vulnerability is the consequence of weak service configuration.
[*] Nmap: |
[*] Nmap: |     Disclosure date: 2002-02-01
[*] Nmap: |     Extra information:
[*] Nmap: |
[*] Nmap: |     uid=1(daemon) gid=1(daemon) groups=1(daemon)
[*] Nmap: |
[*] Nmap: |     References:
[*] Nmap: |       https://distcc.github.io/security.html
[*] Nmap: |       https://nvd.nist.gov/vuln/detail/CVE-2004-2687
[*] Nmap: |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
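The two steps above, reading the services table and reading the vuln-script output, are usually done by eye. The following added example (written for this page, not code from Hakatemia, Metasploit or nmap) automates both: it parses a copy of the msfconsole services table and of the db_nmap --script vuln output, builds the search term you would type into Exploit-DB for each service, extracts the CVE, CVSS score and state from each VULNERABLE block, and joins the findings back to the service inventory. The two input strings are constructed samples taken from the output on this page; the helper names (parse_services, exploitdb_query, parse_nse_vuln, correlate) are this example's own.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: rows copied from the msfconsole `services` table shown above.
SERVICES_TABLE = """\
host       port  proto  name        state  info
----       ----  -----  ----        -----  ----
10.0.2.51  22    tcp    ssh         open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.2.51  53    tcp    tcpwrapped  open
10.0.2.51  2121  tcp    ftp         open   ProFTPD 1.3.1
10.0.2.51  3306  tcp    mysql       open   MySQL 5.0.51a-3ubuntu5
10.0.2.51  3632  tcp    distccd     open   distccd v1 (GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
"""

# Constructed sample: the relevant lines of the db_nmap --script vuln output above.
NSE_OUTPUT = """\
[*] Nmap: Nmap scan report for 10.0.2.51
[*] Nmap: 3632/tcp open distccd
[*] Nmap: | distcc-cve2004-2687:
[*] Nmap: |   VULNERABLE:
[*] Nmap: |   distcc Daemon Command Execution
[*] Nmap: |     State: VULNERABLE (Exploitable)
[*] Nmap: |     IDs:  CVE:CVE-2004-2687
[*] Nmap: |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
[*] Nmap: |_    https://nvd.nist.gov/vuln/detail/CVE-2004-2687
"""

Service = namedtuple("Service", "host port proto name state info")

@dataclass
class Finding:
    host: str
    port: int
    script: str
    title: str = ""
    state: str = ""
    cves: list = field(default_factory=list)
    cvss: float = 0.0

SERVICE_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+[A-Za-z0-9]*")  # matches 4.7p1, 1.3.1, 5.0.51a
SCRIPT_ID = re.compile(r"[a-z][\w.-]*:")           # NSE script ids are lowercase

def parse_services(text):
    """Header and dash lines fail the numeric port group, so only data rows survive."""
    matches = (SERVICE_ROW.match(line.strip()) for line in text.splitlines())
    return [Service(m[1], int(m[2]), m[3], m[4], m[5], m[6].strip()) for m in matches if m]

def exploitdb_query(svc):
    """Manual correlation: product token plus the first version string in the banner,
    i.e. what you would type into Exploit-DB or searchsploit. Caveat: the only version
    in the distccd banner is gcc's (4.2.4), not distcc's, which is why banner matching
    alone is not enough and an active check is worth running."""
    if not svc.info:                      # e.g. tcpwrapped: nothing to search for
        return svc.name
    ver = VERSION.search(svc.info)
    return f"{svc.info.split()[0]} {ver.group(0)}" if ver else svc.info.split()[0]

def parse_nse_vuln(text):
    """Pull VULNERABLE blocks out of nmap --script vuln output (db_nmap prefix is fine)."""
    findings, host, port, expect_title = [], None, None, False
    cur = Finding(None, 0, "")            # sink for any lines before the first script id
    for raw in text.splitlines():
        line = re.sub(r"^\[\*\] Nmap:\s?", "", raw)
        if m := re.match(r"Nmap scan report for (\S+)", line):
            host = m.group(1)
        elif m := re.match(r"(\d+)/(?:tcp|udp)\s", line):
            port = int(m.group(1))
        elif line.startswith("|"):
            body = line.lstrip("|_").strip()
            if SCRIPT_ID.fullmatch(body):       # "| distcc-cve2004-2687:" opens a block
                cur = Finding(host, port, body[:-1])
                findings.append(cur)
            elif body == "VULNERABLE:":
                expect_title = True             # the next line is the finding title
            elif expect_title:
                cur.title, expect_title = body, False
            elif body.startswith("State:"):
                cur.state = body.split(":", 1)[1].strip()
            elif body.startswith("IDs:"):
                cur.cves += re.findall(r"CVE-\d{4}-\d+", body)
            elif "CVSSv2:" in body:
                cur.cvss = float(re.search(r"CVSSv2:\s*([\d.]+)", body).group(1))
    return [f for f in findings if f.state.startswith("VULNERABLE")]

def correlate(services, findings):
    """Join findings back to the inventory and suggest the Metasploit search by CVE."""
    inventory = {(s.host, s.port): s.info for s in services}
    return [{"endpoint": f"{f.host}:{f.port}", "service": inventory.get((f.host, f.port), "?"),
             "finding": f.title, "state": f.state, "cves": f.cves, "cvss": f.cvss,
             "msf_search": f"search cve:{f.cves[0][4:]}" if f.cves else ""}
            for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

if __name__ == "__main__":
    services = parse_services(SERVICES_TABLE)
    for s in services:
        print(f"{s.host}:{s.port:<5} {s.name:<11} Exploit-DB query: {exploitdb_query(s)!r}")
    for row in correlate(services, parse_nse_vuln(NSE_OUTPUT)):
        print(row)
```

Running it prints one Exploit-DB search term per service and a single finding for 10.0.2.51:3632 with the suggested msfconsole command search cve:2004-2687. The distccd row is the instructive one: the banner carries no distcc version at all, so the manual banner-to-Exploit-DB step alone would have missed it, while the active NSE check found it.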

We can then search Metasploit for a ready-made attack module (exploit) for the vulnerability.

msf6 > search Exploit distcc

Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution

We can also read more information about the module in question using the info command.

msf6 > info exploit/unix/misc/distcc_exec

       Name: DistCC Daemon Command Execution
     Module: exploit/unix/misc/distcc_exec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2002-02-01

Provided by:
  [MISSION]

Available targets:
  Id  Name
  --  ----
  => 0  Automatic Target

Check supported:
  Yes

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT   3632             yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module uses a documented security weakness to execute
  arbitrary commands on any system running distccd.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2004-2687
  OSVDB (13378)
  http://distcc.samba.org/security.html


View the full module info with the info -d command.

You can now try to exploit the vulnerability with Metasploit and see whether you gain control of the target machine. Because the module reports Check supported: Yes, you can set RHOSTS and run the check command first to confirm that the target is vulnerable without actually exploiting it. It is important to remember that not every vulnerability has a module in Metasploit and that automated approaches are not always accurate. For the most reliable information, search the web for vulnerabilities reported in the specific service and version you found; this is especially important for lesser-known services and very new vulnerabilities. Later in the course we will go through how to add modules to Metasploit that are not included by default.

Who wrote the distcc module? (The answer is shown in the Provided by field.)
