This page covers activities on the Metasploitable virtualbox related to the postgresql service that is running.

Recon

Results

Recon

Reminder, the remote machine (Metasploitable) is available at 10.0.0.27.

$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

Search Metasploit for Exploits

msf auxiliary(postgres_version) > search postgresql

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal     ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal     Ruby on Rails Devise Authentication Password Reset
   auxiliary/admin/postgres/postgres_readfile                                  normal     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                       normal     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal     PostgreSQL Database Name Command Line Flag Injection
   auxiliary/scanner/postgres/postgres_login                                   normal     PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                                 normal     PostgreSQL Version Probe
   auxiliary/server/capture/postgresql                                         normal     Authentication Capture: PostgreSQL
   exploit/linux/postgres/postgres_payload                    2007-06-05       excellent  PostgreSQL for Linux Payload Execution
   exploit/multi/http/manage_engine_dc_pmp_sqli               2014-06-08       excellent  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   exploit/windows/postgres/postgres_payload                  2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution
   post/linux/gather/enum_users_history                                        normal     Linux Gather User History

Scanner

One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name.

Start with an exploit to obtain a PostgreSQL database name:

Postgres dbname flag injection

Use the postgres_dbname_flag_injection exploit:

msf > use auxiliary/scanner/postgres/postgres_dbname_flag_injection 

Information about Exploit

These two commands will show some

msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection 
msf auxiliary(postgres_dbname_flag_injection) > advanced auxiliary/scanner/postgres/postgres_dbname_flag_injection 

Here is the output of basic information:

msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection 


       Name: PostgreSQL Database Name Command Line Flag Injection
     Module: auxiliary/scanner/postgres/postgres_dbname_flag_injection
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <x@hdm.io>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    5432             yes       The target port
  THREADS  1                yes       The number of concurrent threads

Description:
  This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that 
  are vulnerable to command-line flag injection through CVE-2013-1899. 
  This can lead to denial of service, privilege escalation, or even 
  arbitrary code execution.

References:
  http://cvedetails.com/cve/2013-1899/
  http://www.postgresql.org/support/security/faq/2013-04-04/

msf auxiliary(postgres_dbname_flag_injection) > show options

Module options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5432             yes       The target port
   THREADS  1                yes       The number of concurrent threads

<pre>
msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > set RPORT 5432
RPORT => 5432

Now we can show the advanced options:

msf auxiliary(postgres_dbname_flag_injection) > advanced

Module advanced options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name           : CHOST
   Current Setting: 
   Description    : The local client address

   Name           : CPORT
   Current Setting: 
   Description    : The local client port

   Name           : ConnectTimeout
   Current Setting: 10
   Description    : Maximum number of seconds to establish a TCP connection

   Name           : Proxies
   Current Setting: 
   Description    : A proxy chain of format type:host:port[,type:host:port][...]

   Name           : SSL
   Current Setting: false
   Description    : Negotiate SSL for outgoing connections

   Name           : SSLCipher
   Current Setting: 
   Description    : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"

   Name           : SSLVerifyMode
   Current Setting: PEER
   Description    : SSL verification method (Accepted: CLIENT_ONCE, 
      FAIL_IF_NO_PEER_CERT, NONE, PEER)

   Name           : SSLVersion
   Current Setting: TLS1
   Description    : Specify the version of SSL/TLS to be used (TLS and SSL23 are 
      auto-negotiate) (Accepted: SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, 
      TLS1.2)

   Name           : ShowProgress
   Current Setting: true
   Description    : Display progress messages during a scan

   Name           : ShowProgressPercent
   Current Setting: 10
   Description    : The interval in percent that progress should be shown

   Name           : VERBOSE
   Current Setting: false
   Description    : Enable detailed status messages

   Name           : WORKSPACE
   Current Setting: 
   Description    : Specify the workspace for this module

When an Exploit Doesn't Work

This version of PostgreSQL is actually too old to be vulnerable to the postgres_dbname_flag_injection exploit.

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > run

[*] 10.0.0.27:5432 does not appear to be vulnerable to CVE-2013-1899
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Related

Kali Linux "The quieter you become, the more you are able to hear." Penetration testing Linux distribution. Kali  · Category:Kali Kali/Wireless Reboot Kali Software: Kali Tools Kali Top 10 Aircrack  · Wireshark  · John the Ripper  · Nmap  · Metasploit Framework Dsniff  · Tcpdump  · Hydra  · Sqlmap  · Burpsuite  · Commix Dirbuster  · Valgrind Attack Workflow: Kali/Workflow 1 Physical Attacks: Kali/Layer 1 Attacks 2 Data/MAC Attacks: Kali/Layer 2 Attacks 3 Network Attacks: Kali/Layer 3 Attacks 4 Transport Attacks: Kali/Layer 4 Attacks 5 Session Attacks: Kali/Layer 5 Attacks 6 Presentation Attacks: Kali/Layer 6 Attacks 7 Application Attacks: Kali/Layer 7 Attacks Red Team Blue Team Metasploitable - Red Team Metasploitable - Blue Team Networking: Kali/Hotspot  · Kali/OpenVPN  · Kali/OpenVPN/Hotspot  · Kali/OpenVPN/PIA Kali/IPv6 Booting: Kali/Dual Boot OS X  · Kali/Live USB  · Kali/Persistent USB Installing: Kali/Installing  · Kali/Post Install  · Kali/Fixes Kali on Raspberry Pi: Kali Raspberry Pi  · Kali Raspberry Pi/Installing  · Kali Raspberry Pi/Headless  · Kali Raspberry Pi/Post-Install Category:Security  · Category:Wireless  · Category:Passwords  · Category:Man in the Middle  · Category:Evil Twin Flags  · Template:KaliFlag  · e