Gaining a root on a vulnerable Linux system
When trying to learn how to scan and exploit a Linux machine, one major problem we encounter is where to try learning it. For this purpose, the Metasploit team has developed and released a VMware machine called Metasploitable. This machine has been made vulnerable purposefully and has many services running unpatched. Due to this, it becomes a great platform to practice or develop penetration testing skills. In this section, you will learn how to scan a Linux system, and then using the scanning result, find a service that is vulnerable. Using this vulnerable service, we shall gain root access to the system.
Getting ready
Backtrack 5R2 and the Metasploitable VMware system will be used in this section. The image file of Metasploitable can be downloaded from http://sourceforge.net/projects/metasploitable/files/Metasploitable2/.
How to do it…
Follow these steps to gain root access to a vulnerable Linux system:
- First, open the Metasploit console on the backtrack system by following this menu: navigate to Main Menu | Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework | Msfconsole.
- Next, we need to scan the target (which is
192.168.0.1
in this example) with Nmap:This figure shows the output of the command that is executed:
In the preceding command, the
-Ss
option allows us to perform a stealth scan, and the-A
option tries to discover the version information of the OS and service.Also, in the preceding command, we can see that there are many services running on different ports. Among them is Samba, which runs on ports 139 and 445.
Note
Note that Samba is a service that provides the SMB file and prints services for Windows systems.
- Once we are able to locate the Samba service, we will just focus on it now. From the preceding output, we can see that Samba is running version 3.x. Now, we shall try to get more specific information about the service. To do this, we will use any of the auxiliary modules of Metasploit, such as the scanner section, and look for the SMB protocol.
- We can see that the scanner section has a SMB version detector. Now, we'll get the exact version of Samba using the SMB detector program. If we search online for all the vulnerabilities of the particular version of Samba, we will find the username map script.
- We can now search in the list of exploits available in Metasploit to check whether an exploit exists for the
map script
username using thesearch samba
command. - We have found an exploit for the map script username, and it has a rating that is excellent, which means that we can use this exploit.
- Now, use the map script username to gain a root level shell in the system.
Now, we shall gain root-level access to the system using the preceding exploit. Once we choose the exploit and configure it with the target IP address (in this case, 192.168.0.1
), we will execute a command to run the exploit. Doing this will create and give us a remote session on the target system and also open a command shell. Now, run the id
command in the remote shell. This will give a result—uid=0(root)gid=0(root)
. This confirms that we have remote root access to the target system.
How it works
We first performed an Nmap scan to check for running services and open ports and found the Samba service running. Then, we tried to find the version of the SMB service. Once we got this information, we searched for any exploit available for Samba. Using the exploit, we tried to attack the target system and got the root shell on it.
There's more…
Let's learn about a few more exploits and attacks that are peculiar to Linux.
In this section, we shall go through a few of the common exploits and attacks that Linux is vulnerable to. However, in this section, will not cover any recipes to deal with the attacks. This section is just to let you know about the common exploits used in Linux.
Null or default passwords
Often, administrators use default passwords that are provided to them by a vendor or they may even leave the administrative password blank. This happens mainly while configuring devices, such as routers, and also in BIOSes. Even some services running on Linux can contain the default administrator password. It is always recommended that you change the default password and set a new one that is only known to the administrator.
IP spoofing
An attacker can find vulnerabilities on our systems and servers, and using these, they can install background programs or attack a network. This can be done if the attacker connects his system to our network in a way that makes it appear as though there's a node in the local network. There are various tools available to assist crackers while performing IP spoofing.
Eavesdropping
An attacker can collect data passing between two active nodes that communicate on a network by eavesdropping. This type of attack works mostly with protocols such as Telnet, FTP, and HTTP. Attacks of this kind can be done when the remote attacker already has access to any system on the network. This can be made possible using other attacks such as the Man in the Middle Attack.
Service vulnerabilities
If an attacker is able to find a flaw or vulnerability in any service running on the network system, they can compromise the entire system and its data as well as other systems on the network.
Administrators should stay updated about any patches or updates that are available for any service or application running on the network system.
Denial of Service (DoS) attack
When an attacker sends unauthorized packets to the target system, which could be a server, router, or a workstation, in large numbers, it forces the resource to become unavailable to legitimate users.
The packets being sent by the attacker are usually forged, making the investigation process difficult.