From charlesreid1

Metasploit HTTP Modules

First, here's a list of the scanner modules related to HTTP: https://www.offensive-security.com/metasploit-unleashed/scanner-http-auxiliary-modules/

This has a number of interesting modules to do the following:

  • check if https certificates are expired
  • check if directory listings are enabled on servers
  • scan for directories
  • bypass authentication using webdav unicode vulnerability [1]
  • use delicious.com to farm links
  • use archive.org to farm links
  • check for presence of interesting files
  • brute-force https login
  • look for open proxy servers
  • query IP addresses for web servers and capabilities
  • find robots.txt
  • grab SSL certificate information
  • get web server version
  • brute-force tomcat manager application login
  • bypass authentication using different HTTP verbs
  • scan servers for webdav, content disclosure via webdav
  • brute-force Wordpress logins

Whew!

Where to Start?

Let's start with some basic HTTP scans, just to gather some info about the Apache server running on Metasploitable port 80 (we'll ignore that Tomcat server for now, and come back to it later.)

dir listing

The dir_listing module did not turn up anything useful:

msf > use auxiliary/scanner/http/dir_listing
msf auxiliary(dir_listing) > show options

Module options (auxiliary/scanner/http/dir_listing):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /                yes       The path to identify directoy listing
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(dir_listing) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_listing) > 
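The dir_listing module requests PATH and reports whether the server answers with an auto-generated index. On the server side the same question is which `<Directory>` blocks have `Options Indexes` in effect. The Ruby script below is an added example, not code from this wiki page or from Metasploit: it audits a constructed httpd.conf fragment and reports, for each `<Directory>` block and for the server level, whether listings are enabled, handling both the absolute form of the directive (`Options Indexes FollowSymLinks`, `Options None`, `Options All`) and the relative form (`+Indexes`, `-Indexes`). It assumes Indexes is off when no Options directive applies (Apache 2.4's documented default is `Options FollowSymLinks`), and it does not model Apache's merging of nested Directory sections: every block starts from the server-level setting as it stands when the block is reached. The config text, paths and the `audit_indexes` / `listing_enabled_paths` helper names are all constructed for the example.

```ruby
# Added example, not part of the wiki page or of Metasploit: find <Directory>
# blocks in an Apache config whose effective Options enable directory listings.

DIR_OPEN  = /\A<Directory\s+"?([^">]+?)"?\s*>\z/i
DIR_CLOSE = %r{\A</Directory\s*>\z}i
OPTIONS   = /\AOptions\s+(.+)\z/i

# Keywords that switch listings on: "Indexes" itself, and "All", which Apache
# defines as every option except MultiViews.
INDEX_WORDS = %w[indexes all].freeze

# Apply one Options directive to the current "Indexes enabled?" state.
# Apache treats an all-relative argument list (+Foo / -Bar) as a merge and an
# absolute list as a replacement; mixing the two forms is a config error, which
# this example simply treats as absolute.
def apply_options(args, enabled)
  if args.all? { |a| a.start_with?('+', '-') }
    args.each do |a|
      enabled = (a[0] == '+') if INDEX_WORDS.include?(a[1..-1].downcase)
    end
    enabled
  else
    args.any? { |a| INDEX_WORDS.include?(a.downcase) }
  end
end

# Walk the config text and return { path => listings_enabled? } for every
# <Directory> block plus the server-level setting under '(server-level)'.
# Assumption: Indexes starts off (Apache 2.4 default: Options FollowSymLinks).
# Simplification: nested <Directory> merging is not modelled; each block
# starts from the server-level setting as it stands when the block is reached.
def audit_indexes(config_text)
  server_level = false
  current = nil                         # [path, enabled] while inside a block
  results = {}
  config_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip     # drop comments and surrounding space
    next if line.empty?
    if (m = DIR_OPEN.match(line))
      current = [m[1], server_level]
    elsif DIR_CLOSE.match?(line)
      results[current[0]] = current[1] if current
      current = nil
    elsif (m = OPTIONS.match(line))
      args = m[1].split
      if current
        current[1] = apply_options(args, current[1])
      else
        server_level = apply_options(args, server_level)
      end
    end
  end
  results['(server-level)'] = server_level
  results
end

# Convenience: just the places a dir_listing probe would be expected to hit.
def listing_enabled_paths(config_text)
  audit_indexes(config_text).select { |_, on| on }.keys.sort
end

# Constructed httpd.conf fragment: a weak server-level default, one block that
# repeats it, one hardened with -Indexes, one with Options None, and one that
# re-enables listings with +Indexes.
SAMPLE_HTTPD_CONF = <<~CONF
  Options Indexes FollowSymLinks        # weak: listings on everywhere by default
  <Directory /var/www/>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride None
  </Directory>
  <Directory "/var/www/doc/">
      Options -Indexes                  # hardened: keep the rest, drop listings
  </Directory>
  <Directory /var/www/secure/>
      Options None
  </Directory>
  <Directory /var/www/icons/>
      Options +Indexes
  </Directory>
CONF

if __FILE__ == $PROGRAM_NAME
  audit_indexes(SAMPLE_HTTPD_CONF).each do |path, on|
    puts "#{on ? 'LISTING' : 'ok     '} #{path}"
  end
end
```

The hardened form is the `/var/www/doc/` block: `Options -Indexes` turns listings off while leaving the other inherited options alone, and `Options None` in `/var/www/secure/` is stricter still. The `/var/www/icons/` block shows what the relative form hides in a large config: a `+Indexes` deep in a vhost file re-enables listings even after the server-level `Indexes` has been removed.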

dir scanner

The dir_scanner module turned up a few finds:

msf auxiliary(dir_listing) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > show options

Module options (auxiliary/scanner/http/dir_scanner):

   Name        Current Setting                                          Required  Description
   ----        ---------------                                          --------  -----------
   DICTIONARY  /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt  no        Path of word dictionary to use
   PATH        /                                                        yes       The path  to identify files
   Proxies                                                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                               yes       The target address range or CIDR identifier
   RPORT       80                                                       yes       The target port
   THREADS     1                                                        yes       The number of concurrent threads
   VHOST                                                                no        HTTP server virtual host

msf auxiliary(dir_scanner) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 10.0.0.27
[*] Found http://10.0.0.27:80/cgi-bin/ 404 (10.0.0.27)
[*] Found http://10.0.0.27:80/doc/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/icons/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/index/ 200 (10.0.0.27)
[*] Found http://10.0.0.27:80/test/ 200 (10.0.0.27)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(dir_scanner) >

files dir

The files_dir module (auxiliary/scanner/http/files_dir) checks for the presence of interesting files on the web server, trying each name in a wordlist with a list of extensions (.bak, .old, .conf and so on, as the output below shows). By default it uses a dictionary that comes with Metasploit, /usr/share/metasploit-framework/data/wmap/wmap_files.txt, but you can point it at your own.

msf auxiliary(files_dir) > run

[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .backup
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .copy
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[*] Using code '404' as not found for files with extension .htm
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .orig
[*] Using code '404' as not found for files with extension .php
[*] Found http://10.0.0.27:80/index.php 200
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tar.gz
[*] Using code '404' as not found for files with extension .tgz
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .temp
[*] Using code '404' as not found for files with extension .txt
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Using code '404' as not found for files with extension
[*] Found http://10.0.0.27:80/dav 301
[*] Found http://10.0.0.27:80/index 200
[*] Found http://10.0.0.27:80/phpMyAdmin 301
[*] Found http://10.0.0.27:80/test 301
[*] Using code '404' as not found for files with extension
[*] Found http://10.0.0.27:80/dav 301
[*] Found http://10.0.0.27:80/index 200
[*] Found http://10.0.0.27:80/phpMyAdmin 301
[*] Found http://10.0.0.27:80/test 301
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(files_dir) >
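From the server's point of view, dir_scanner and files_dir above leave the same footprint: one client requests a long list of wordlist paths within a few seconds, and most of them come back with the not-found code the module learned up front ("Using code '404' as not found"). The Ruby script below is an added example, not code from this wiki page or from Metasploit, showing how that pattern can be picked out of an Apache combined-format access log: it parses each line, groups requests by client IP, and flags any client that, inside a sliding 10-second window, issued at least 8 requests of which at least 60% were 404s. The log lines, client addresses, User-Agent strings, thresholds and the `find_enumeration` helper name are all constructed for the example.

```ruby
# Added example, not part of the wiki page or of Metasploit: detect
# dictionary-driven directory/file enumeration (the footprint that
# dir_scanner and files_dir leave) in Apache "combined" access logs.
require 'time'

# One Apache combined-format line: client, timestamp, request line, status, size.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/

# Constructed sample: 10.0.0.5 walks a wordlist in a few seconds (mostly 404s);
# 10.0.0.9 is an ordinary visitor who hits one broken image link.
SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2016:13:55:30 -0700] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.9 - - [10/Oct/2016:13:55:30 -0700] "GET /index.php HTTP/1.1" 200 891 "-" "Mozilla/5.0 (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:31 -0700] "GET /backup/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:31 -0700] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:32 -0700] "GET /conf/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:32 -0700] "GET /doc/ HTTP/1.1" 200 1340 "-" "scanner (constructed)"',
  '10.0.0.9 - - [10/Oct/2016:13:55:33 -0700] "GET /doc/ HTTP/1.1" 200 1340 "-" "Mozilla/5.0 (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:33 -0700] "GET /icons/ HTTP/1.1" 200 2210 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:34 -0700] "GET /logs/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:34 -0700] "GET /old/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
  '10.0.0.9 - - [10/Oct/2016:13:55:35 -0700] "GET /logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0 (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:35 -0700] "GET /test/ HTTP/1.1" 200 310 "-" "scanner (constructed)"',
  '10.0.0.5 - - [10/Oct/2016:13:55:35 -0700] "GET /tmp/ HTTP/1.1" 404 209 "-" "scanner (constructed)"',
].freeze

# Parse one line into a hash, or nil if it is not in combined format.
def parse_log_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i,
  }
end

# Group requests by client, then slide a `window`-second window over each
# client's requests in time order. A client is reported when one window holds
# at least `min_requests` requests and at least `min_404_ratio` of them are 404.
# The largest qualifying window per client is kept. Thresholds are constructed.
def find_enumeration(lines, window: 10, min_requests: 8, min_404_ratio: 0.6)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |l|
    r = parse_log_line(l)
    by_ip[r[:ip]] << r if r
  end

  findings = {}
  by_ip.each do |ip, reqs|
    reqs = reqs.sort_by { |r| r[:time] }
    start = 0
    reqs.each_with_index do |r, i|
      start += 1 while r[:time] - reqs[start][:time] > window
      slice = reqs[start..i]
      next if slice.size < min_requests
      not_found = slice.count { |x| x[:status] == 404 }
      ratio = not_found.to_f / slice.size
      next if ratio < min_404_ratio
      next if findings[ip] && findings[ip][:requests] >= slice.size
      findings[ip] = {
        requests: slice.size,
        not_found: not_found,
        ratio: ratio.round(2),
        distinct_paths: slice.map { |x| x[:path] }.uniq.size,
      }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_enumeration(SAMPLE_LOG).each do |ip, f|
    puts "#{ip}: #{f[:requests]} requests, #{f[:not_found]} x 404 " \
         "(ratio #{f[:ratio]}), #{f[:distinct_paths]} distinct paths"
  end
end
```

Tune the thresholds to your own traffic; a scanner throttled to one request per second simply needs a longer window. Because dir_scanner learns the not-found code before it starts, a server that answers 200 for every path leaves no 404 trail at all, so on such a server the 404 ratio is not a usable signal and the request rate and path variety have to carry the detection.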

Apache Modules

Searching for Apache-specific modules yields more specific exploits:

   auxiliary/dos/http/apache_commons_fileupload_dos          2014-02-06       normal     Apache Commons FileUpload and Apache Tomcat DoS
   auxiliary/dos/http/apache_mod_isapi                       2010-03-05       normal     Apache mod_isapi Dangling Pointer
   auxiliary/dos/http/apache_range_dos                       2011-08-19       normal     Apache Range Header DoS (Apache Killer)
   auxiliary/dos/http/apache_tomcat_transfer_encoding        2010-07-09       normal     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   auxiliary/gather/apache_rave_creds                                         normal     Apache Rave User Information Disclosure
   auxiliary/gather/impersonate_ssl                                           normal     HTTP SSL Certificate Impersonation
   auxiliary/scanner/http/apache_activemq_source_disclosure                   normal     Apache ActiveMQ JSP Files Source Disclosure
   auxiliary/scanner/http/apache_activemq_traversal                           normal     Apache ActiveMQ Directory Traversal
   auxiliary/scanner/http/apache_mod_cgi_bash_env            2014-09-24       normal     Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   auxiliary/scanner/http/apache_userdir_enum                                 normal     Apache "mod_userdir" User Enumeration
   auxiliary/scanner/http/axis_local_file_include                             normal     Apache Axis2 v1.4.1 Local File Inclusion
   auxiliary/scanner/http/axis_login                                          normal     Apache Axis2 Brute Force Utility
   auxiliary/scanner/http/mod_negotiation_brute                               normal     Apache HTTPD mod_negotiation Filename Bruter
   auxiliary/scanner/http/mod_negotiation_scanner                             normal     Apache HTTPD mod_negotiation Scanner
   auxiliary/scanner/http/rewrite_proxy_bypass                                normal     Apache Reverse Proxy Bypass Vulnerability Scanner
   auxiliary/scanner/http/tomcat_enum                                         normal     Apache Tomcat User Enumeration
   exploit/multi/http/apache_mod_cgi_bash_env_exec           2014-09-24       excellent  Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   exploit/multi/http/apache_roller_ognl_injection           2013-10-31       excellent  Apache Roller OGNL Injection
   exploit/multi/http/struts_code_exec                       2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader           2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator   2012-01-06       excellent  Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_parameters            2011-10-01       excellent  Apache Struts ParametersInterceptor Remote Code Execution
   exploit/multi/http/struts_default_action_mapper           2013-07-02       excellent  Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   exploit/multi/http/struts_dev_mode                        2012-01-06       excellent  Apache Struts 2 Developer Mode OGNL Execution
   exploit/multi/http/struts_include_params                  2013-05-24       great      Apache Struts includeParams Remote Code Execution
   exploit/multi/http/tomcat_mgr_deploy                      2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload                      2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution