Password cracking with Metasploit on Kali Linux (with video tutorial)
Premise
It's been a while since my last blog post and in the meantime I started delving into pentesting. For who doesn't know what this term means, it is attacking computer systems, based on explicit permission by their owners, to find vulnerabilities and patch them before bad guys could hack in.
In this post I want to show how easy is to hack into a vulnerable system and why it's so important to apply all the latest updates and patches as soon as possible. Companies, especially small ones, consider IT Security only as a cost and often overlook that each dollar spent in improving cyber security is a dollar saved in terms of legal and economic aftermaths of a breach. The bigger the breach, the higher the amount of damage that can be caused, which in the most extreme situations can even force a company to close for good.
In this post I want to show how easy is to hack into a vulnerable system and why it's so important to apply all the latest updates and patches as soon as possible. Companies, especially small ones, consider IT Security only as a cost and often overlook that each dollar spent in improving cyber security is a dollar saved in terms of legal and economic aftermaths of a breach. The bigger the breach, the higher the amount of damage that can be caused, which in the most extreme situations can even force a company to close for good.
LEGAL DISCLAIMER: This
"hack" has been performed by using virtual machines running on my own
computer, configured to be vulnerable to certain exploits. Don't use it against other people's systems, unless you've
been given explicit written permission by their owners. I'm not
responsible for any unintended use of these instructions.
The philosophy behind that is called offensive security and I believe a lot in it. It means analyzing a system under the attacker's point of view (see How to think like a hacker), to find weaknesses and vulnerabilities that could go otherwise undetected.
Defensive security is often implemented by using automated systems, such as IDSs (Intrusion Detection Systems) and may overlook what's really going on. They're mostly based on automated rules, which may originate lots of false positives. Sadly, the fact an event isn't marked in red and purple doesn't always exclude an attack is going on (you can find an outstanding real-life example of this here. The lecturer mentions a case where a hack has gone undetected for years, just because no one took the hassle to read through the automatically-generated report). The attacker may be so smart to keep a low profile by disguising its activity under other events, including false positives, which may be automatically rejected without further analysis. Pentesters, also called white hat hackers or ethical hackers, work under the offensive security perspective and they get hired by the owners of the systems they need to test. I'm not big on the term ethical hacker because hackers should have an ethic, i.e. improve systems and make them more secure. In my opinion, the word black hat hackers (defining who hack to commit a crime, steal information from a system, or damage it) is incorrect because they're unethical by definition and don't deserve that name.
Password cracking with Metasploit
a) Introduction
I'm going to show how to run a specific exploit with Metasploit against a special Linux configuration that can be used for testing purposes. Metasploit is a software that acts like a framework, collecting thousands of exploit in a database for an easier access. It saves pentesters and hackers the hassle of looking for individual exploits and is included, along with a bunch of other tools, in Kali Linux. Kali is the de facto standard today with regards to forensics and hacking tools. In fact the entry-level Offensive Security pentesting certification (PWK, Pentesting with Kali Linux) is conducted exclusively by using its tools, which is good and bad for different reasons (I don't have time to talk about it right now. Check their website if you want more information about it).
The hack I describe here has been performed in my own virtual lab. Don't try to hack into other people's systems nor ask me for help doing it (I have no intention of testing the U.S. jail system, thanks).
Authorities are big on fighting hackers today (and the definition of hacker has become wide and vague). They would love to fry a new one, the younger the better.
The hack I describe here has been performed in my own virtual lab. Don't try to hack into other people's systems nor ask me for help doing it (I have no intention of testing the U.S. jail system, thanks).
Authorities are big on fighting hackers today (and the definition of hacker has become wide and vague). They would love to fry a new one, the younger the better.
If you want to do something stupid, it is completely your call, but be aware you could find yourself locked behind bars for good much sooner than you think.
b) Sofware used
I setup two VirtualBox virtual machines, by using a Bridged network configuration (see figure below):
- Metasploitable 2 (victim machine): A purposefully vulnerable Linux configuration created for pen-testing purposes, with a bunch of open ports and services. An example of how NOT to setup an operating system.
- Kali Linux (attacking machine): A well-known forensics and hacking Linux distro. I've utilized its 64-bit version.
The Hack
- Recover the victim's IP address by entering ifconfig on Metasploitable VM.
- Start Metasploit on the Kali attacking machine from Kali/Exploitation Tools/Metasploit Framework.
- Perform a port scan with Metasploit on the above address by using nmap. If used with the -sV option, nmap will return the services running on each port. The scan returns numerous open ports, but what we need is port 139, used by Samba. Samba is "the standard Windows interoperability suite of programs for Linux and Unix" and allows Windows and Linux computers to communicate. The software has vulnerabilities for which exploits exist. We'll recover the passwords from the victim machine, where Samba is running on ports 139 and 445, by using one specific exploit.
- Search the available exploits for samba by entering search samba. From the exploit list, select and copy exploit/multi/samba/usermap_script.
- Enter use exploit/multi/samba/usermap_script to utilize the selected exploit, which will give access to the victim machine when Samba server is outdated.
- To perform this exploit, we need to setup some options. By entering show options, we notice that we can setup the target IP address (RHOST) and the target port (139 is already selected and it's OK in this case). We'll setup RHOST as the victim's IP address.
- That done, we can finally launch our exploit (by entering the magic command exploit), which will open up a shell on the victim machine. Use CTRL/Z to background the session.
- At this point, we can grab the password hashes by entering use post/linux/gather/hashdump. To use this exploit we need to configure a session parameter, which will be set to SESSION 1.
- We can now run the exploit, which returns a vulnerable hash file, called Unshadowed Password File, that can be decrypted by password-cracking software like John the Ripper, included in Kali Linux. We'll copy the complete path to the unshadowed file to a new terminal window.
- Here, we'll launch the password cracker to grab the passwords and, voilĂ , after a while I could get usernames and passwords in clear text. Hopefully now you guys understand first-hand the importance of implementing strong passwords and regularly updating and patching your software. It's not IT gibberish, it's a safeguard to your private information and, often times, your money. This is an educational-wise example, but the same exploit could be used against your computer to hack your valuable personal information. What could it happen then?
I'll leave the answer to you and I hope this gave you enough food for your thoughts.
Resources
Comments
Post a Comment