To interact with the session, the session i 1 command was used.After that we will conduct penetration testing to evaluate the security of FTP service and then we will also learn the countermeasures for vulnerabilities.They were installed using the following command (ProFTPD, 2013): yum -y groupinstall Development tools 3 The ProFTPD server runs as a non-privileged user on the Linux system for security reasons.
A group called ftpd was created and then a user called ftpd was also created that belonged to the ftpd group. The following commands were used to achieve this (ProFTPD, 2011). Microsoft Ftp Service Exploit Software Is GoingThis script checks the build dependencies and the machine architecture on which the software is going to compile. The main task of this command is to generate a file called Makefile. ![]() The installuser and installgroup commands instruct the configure utility that the user and group used by the ProFTPDare ftpd and ftpd, respectively. The prefixusr instructs the configure utility that the binaries should be installed on usr directory rather than usrlocal directory (default). Finally, the sysconfdiretc instructs the configure script that the configuration files should be installed in the etc directory. The configuration is heavily commented (comments starts with sign) for explanation. Microsoft Ftp Service Exploit Password Prithak TwiceThe following commands were used: useradd prithak passwd prithak (enter password prithak twice) Similarly, another user called Daniel was also added to the system. The user prithak (having password prithak) was able to successfully log into the ProFTPD server and at the same time the ProFTPD server produced debugging logs on the standard output to confirm the details of the login. The proftpd was started using the following command line options: proftpd -n -d 4 -c etcproftpd.conf ipv4 The options are as follows. Additionally, all output (log or debug messages) are sent to stderr, rather than the syslog mechanism. ![]() The 4 parameter increases the verbosity of the logging to 4. Instructs the ProFTPD daemon to read the configuration file located at etcproftpd.conf. Instructs the ProFTPD daemon to listen only on IPV4 addresses, i.e., disabled IPV6 (if present). Finally, the ProFTPD service was turned on, using the chkconfig command. To complete this step a port scan against the target machine should be launched. Following the same principal, nmap port scanner was launched against the machine using the following parameters: rootbt: nmap -sS -PN -n -sV -sC 192.168.79.135 The Nmap scan result indicated that the remote machine has two open ports: 22 (SSH) and 21 (FTP). Also, the version of the FTP server running on the remote machine is ProFTPD 1.3.3a and that of SSH is OpenSSH 5.3. Also, the SSH server only supports SSH protocol version 2.0. Buffer Overflow Attack Against the ProFTPD Service When known vulnerabilities for ProFTPD 1.3.3a were searched on the Internet, the following results were obtained: The vulnerability CVE-2010-4221 was identified to be affecting the version of ProFTPD 1.3.3.a that we were running. According to the site, Multiple stack-based buffer overflows in the prnetiotelnetgets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server. The screenshot of the same is shown below: To successfully exploit the remote machine running the vulnerable version of ProFTPD, metasploit was launched using the following commands in Backtrack Linux system: rootbt: cd optmetasploitmsf3 rootbt:optmetasploitmsf3.msfconsole The exploit for the vulnerable version of ProFTPD running on 192.168.79.135 was loaded using the following command (commands are in red). The reverse shell payload connects back to the attacker after the exploit is successful. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |