Penetration Testing Using a Container.
Today we test an image prepared for security testing (mainly penetration testing). It was built by SZalek and is public on Docker Hub. ( https://hub.docker.com/r/szalek/pentest-tools/ )
To download it we run:
# docker pull szalek/pentest-tools
It looks like a fairly complete image, since it weighs more than 2.2 GB, and it is based on a rather old Ubuntu: 16.04.5 LTS (Xenial Xerus).
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
szalek/pentest-tools latest 86dd70727fa0 9 months ago 2.26GB
# uname -a
Linux 7f11c2dfa7ae 5.1.15-050115-generic #201906250430 SMP Tue Jun 25 04:33:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
We have to update quite a few packages.
apt apt-transport-https base-files bash bind9-host binutils bsdutils bzip2 ca-certificates cpp-5
curl debconf distro-info-data dnsutils dpkg dpkg-dev file g++-5 gcc-5 gcc-5-base git git-man
iproute2 krb5-locales libapparmor1 libapt-pkg5.0 libasan2 libatomic1 libbind9-140 libblkid1
libbz2-1.0 libc-bin libc-dev-bin libc6 libc6-dev libcc1-0 libcilkrts5 libcurl3 libcurl3-gnutls
libcurl4-openssl-dev libdb5.3 libdns-export162 libdns162 libdpkg-perl libexpat1 libexpat1-dev
libfdisk1 libgcc-5-dev libgnutls-openssl27 libgnutls30 libgomp1 libgssapi-krb5-2
libisc-export160 libisc160 libisccc140 libisccfg140 libitm1 libk5crypto3 libkmod2 libkrb5-3
libkrb5support0 libldap-2.4-2 liblsan0 liblwres141 libmagic1 libmount1 libmpx0 libperl5.22
libpython2.7 libpython2.7-dev libpython2.7-minimal libpython2.7-stdlib libpython3.5
libpython3.5-minimal libpython3.5-stdlib libquadmath0 libruby2.3 libsasl2-2 libsasl2-modules
libsasl2-modules-db libseccomp2 libsmartcols1 libsqlite3-0 libssl-dev libssl-doc libssl1.0.0
libstdc++-5-dev libstdc++6 libsystemd0 libtsan0 libubsan0 libudev1 libuuid1 libxslt1-dev
libxslt1.1 linux-libc-dev login mount multiarch-support nodejs openssh-client openssl passwd
perl perl-base perl-modules-5.22 python-lxml python2.7 python2.7-dev python2.7-minimal python3.5
python3.5-minimal ruby2.3 ruby2.3-dev sudo systemd systemd-sysv util-linux vim vim-common
vim-runtime wget
122 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 135 MB of archives.
In this case, to create and use a container we run:
# docker run -it szalek/pentest-tools
root@10a24d5b872a:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 469G 311G 134G 70% /
tmpfs 64M 0 64M 0% /dev
tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup
/dev/sda1 469G 311G 134G 70% /etc/hosts
shm 64M 0 64M 0% /dev/shm
tmpfs 7.7G 0 7.7G 0% /proc/asound
tmpfs 7.7G 0 7.7G 0% /proc/acpi
tmpfs 7.7G 0 7.7G 0% /proc/scsi
tmpfs 7.7G 0 7.7G 0% /sys/firmware
That leaves us inside the container.
Now we'll look for ProFTPD vulnerabilities (a classic product we use as an example because it has been full of bugs).
# searchsploit ProFTPD
[i] Found (#2): /opt/exploit-database/files_exploits.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): /opt/exploit-database/files_shellcodes.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------- -----------------------------------------
Exploit Title | Path
| (/opt/exploit-database/)
---------------------------------------------------------- -----------------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution | exploits/freebsd/remote/18181.txt
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow | exploits/linux/local/394.c
ProFTPd - 'mod_mysql' Authentication Bypass | exploits/multiple/remote/8037.txt
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service ( | exploits/linux/dos/16129.txt
ProFTPd 1.2 - 'SIZE' Remote Denial of Service | exploits/linux/dos/20536.java
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Ov | exploits/linux/remote/16852.rb
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Over | exploits/linux/remote/19475.c
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Over | exploits/linux/remote/19476.c
ProFTPd 1.2 pre6 - 'snprintf' Remote Root | exploits/linux/remote/19503.txt
ProFTPd 1.2.0 pre10 - Remote Denial of Service | exploits/linux/dos/244.java
ProFTPd 1.2.0 rc2 - Memory Leakage | exploits/linux/dos/241.c
ProFTPd 1.2.10 - Remote Users Enumeration | exploits/linux/remote/581.c
ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute | exploits/linux/remote/110.c
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overr | exploits/linux/dos/23170.c
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection | exploits/linux/remote/43.pl
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution ( | exploits/linux/remote/107.c
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution ( | exploits/linux/remote/3021.txt
ProFTPd 1.2.x - 'STAT' Denial of Service | exploits/linux/dos/22079.sh
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection | exploits/multiple/remote/32798.pl
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overfl | exploits/unix/local/10044.pl
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metaspl | exploits/linux/remote/2856.pm
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer | exploits/linux/local/3330.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer | exploits/linux/local/3333.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Over | exploits/linux/local/3730.txt
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overf | exploits/linux/dos/2928.py
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer | exploits/linux/remote/16878.rb
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Ov | exploits/linux/remote/16851.rb
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code | exploits/linux/remote/15662.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | exploits/linux/remote/36742.txt
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow | exploits/linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution | exploits/linux/remote/15449.pl
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16921.rb
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 | exploits/linux/remote/19086.c
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 | exploits/linux/remote/19087.c
WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / | exploits/linux/remote/20690.sh
---------------------------------------------------------- -----------------------------------------
Shellcodes: No Result
We couldn't leave out identifying the SMB problems on Windows. Although it may seem incredible, there are still vulnerable servers on the Internet (some of the problems date from 2000).
# searchsploit smb windows local
[i] Found (#2): /opt/exploit-database/files_exploits.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#2): /opt/exploit-database/files_shellcodes.csv
[i] To remove this message, please edit "/opt/exploit-database/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
---------------------------------------------------------- -----------------------------------------
Exploit Title | Path
| (/opt/exploit-database/)
---------------------------------------------------------- -----------------------------------------
Microsoft SMB Driver - Local Denial of Service | exploits/windows/dos/28001.c
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege | exploits/windows/local/1911.c
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer O | exploits/windows_x86/local/16678.rb
---------------------------------------------------------- -----------------------------------------
Shellcodes: No Result
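The two searchsploit listings above (ProFTPD and SMB) are easier to act on once they are reduced to an inventory by category. The following is an added example, not code from the original post or from the image; it parses the table format shown above (the sample is a constructed excerpt of the ProFTPD listing) and counts entries per remote/local/dos category, which is the first cut a defender makes when checking whether a product they run has public exploit code.

```shell
# Added example (not from the original post). SAMPLE is a constructed
# excerpt of the searchsploit ProFTPD listing shown on this page.
SAMPLE=$(cat <<'EOF'
---------------------------------------------------------- -----------------------------------------
 Exploit Title                                             |  Path
                                                           | (/opt/exploit-database/)
---------------------------------------------------------- -----------------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution       | exploits/freebsd/remote/18181.txt
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow     | exploits/linux/local/394.c
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service ( | exploits/linux/dos/16129.txt
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution       | exploits/linux/remote/36803.py
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overfl | exploits/unix/local/10044.pl
ProFTPd 1.2.x - 'STAT' Denial of Service                  | exploits/linux/dos/22079.sh
ProFTPd IAC 1.3.x - Remote Command Execution              | exploits/linux/remote/15449.pl
---------------------------------------------------------- -----------------------------------------
Shellcodes: No Result
EOF
)

# Read a searchsploit listing on stdin and emit one "<category>\t<path>\t<title>"
# line per exploit row. Header, separator and "[i]" notice lines are dropped
# because their second column is not a path under exploits/ or shellcodes/.
# The category is the third path component: exploits/linux/remote/15449.pl -> remote
parse_searchsploit() {
    awk -F'|' '
        NF == 2 && $2 ~ /^[ \t]*(exploits|shellcodes)\// {
            title = $1; path = $2
            gsub(/^[ \t]+|[ \t]+$/, "", title)
            gsub(/^[ \t]+|[ \t]+$/, "", path)
            n = split(path, parts, "/")
            category = (n >= 3) ? parts[3] : "unknown"
            printf "%s\t%s\t%s\n", category, path, title
        }'
}

# Count parsed rows per category; output is "<category> <count>", sorted by name.
count_by_category() {
    parse_searchsploit | cut -f1 | sort | uniq -c | awk '{ printf "%s %d\n", $2, $1 }'
}

# Keep only the rows of one category (e.g. remote): the entries to review
# first for an Internet-facing host running the product.
select_category() {
    parse_searchsploit | awk -F'\t' -v want="$1" '$1 == want { print $2 "\t" $3 }'
}

printf '%s\n' "$SAMPLE" | count_by_category
```

Pipe a real `searchsploit <product>` run into the functions instead of `$SAMPLE` to inventory your own output.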
In our own container this doesn't make much sense, but we try the NMAP tool. We see no open ports.
# nmap -sSV -Pn 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2019-07-09 10:07 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed
We see that the container is working correctly on the current network.
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
We exit the container, start it again and connect to its shell.
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7f11c2dfa7ae szalek/pentest-tools "/bin/bash" About a minute ago Up About a minute happy_hugle
# docker start 7f11c2dfa7ae
# docker exec -it 7f11c2dfa7ae /bin/bash
root@7f11c2dfa7ae:/# df -h
Filesystem Size Used Avail Use% Mounted on
overlay 469G 312G 134G 70% /
tmpfs 64M 0 64M 0% /dev
tmpfs 7.7G 0 7.7G 0% /sys/fs/cgroup
/dev/sda1 469G 312G 134G 70% /etc/hosts
shm 64M 0 64M 0% /dev/shm
tmpfs 7.7G 0 7.7G 0% /proc/asound
tmpfs 7.7G 0 7.7G 0% /proc/acpi
tmpfs 7.7G 0 7.7G 0% /proc/scsi
tmpfs 7.7G 0 7.7G 0% /sys/firmware
Finally, our container has about 520 MB in use. From this point on we have a container ready for security work.
CONTAINER ID IMAGE COMMAND LOCAL VOLUMES SIZE CREATED STATUS NAMES
7f11c2dfa7ae szalek/pentest-tools "/bin/bash" 0 523MB 7 minutes ago Up 3 minutes happy_hugle