| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +The R Services (rexecd, rlogind, and rshd) are a suite of unencrypted remote command/login services developed in the 1980s. |
| 4 | +These services are all but unused in modern computing, as they have been replace by telnet and ssh. |
| 5 | + |
| 6 | +The following was done on Kali linux: |
| 7 | + |
| 8 | + 1. `apt-get install rsh-server` which includes: `rexecd`, `rlogind` and `rshd`. |
| 9 | + 2. Start the service: `service openbsd-inetd start` |
| 10 | + |
| 11 | +## Verification Steps |
| 12 | + |
| 13 | + 1. Install and configure rexec |
| 14 | + 2. Start msfconsole |
| 15 | + 3. Do: `use auxiliary/scanner/rservices/rlogin_login` |
| 16 | + 4. Do: `set rhosts` |
| 17 | + 5. Set any other credentials that will need to be set |
| 18 | + 6. Do: `run` |
| 19 | + |
| 20 | +## Scenarios |
| 21 | + |
| 22 | + A run against the configuration from these docs |
| 23 | + |
| 24 | + ``` |
| 25 | + msf > use auxiliary/scanner/rservices/rlogin_login |
| 26 | + msf auxiliary(rlogin_login) > set rhosts 10.1.2.3 |
| 27 | + rhosts => 10.1.2.3 |
| 28 | + msf auxiliary(rlogin_login) > set password test |
| 29 | + password => test |
| 30 | + msf auxiliary(rlogin_login) > set username test |
| 31 | + username => test |
| 32 | + msf auxiliary(rlogin_login) > run |
| 33 | + |
| 34 | + [*] 10.1.2.3:513 - 10.1.2.3:513 - Starting rlogin sweep |
| 35 | + [*] 10.1.2.3:513 - 10.1.2.3:513 - Attempting: 'test':"test" from 'root' |
| 36 | + [*] 10.1.2.3:513 - 10.1.2.3:513 - Prompt: Password: |
| 37 | + [*] 10.1.2.3:513 - 10.1.2.3:513 - Result: The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. |
| 38 | + [+] 10.1.2.3:513 - 10.1.2.3:513, rlogin 'test' successful with password "test" |
| 39 | + [!] 10.1.2.3:513 - *** auxiliary/scanner/rservices/rlogin_login is still calling the deprecated report_auth_info method! This needs to be updated! |
| 40 | + [!] 10.1.2.3:513 - *** For detailed information about LoginScanners and the Credentials objects see: |
| 41 | + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners |
| 42 | + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module |
| 43 | + [!] 10.1.2.3:513 - *** For examples of modules converted to just report credentials without report_auth_info, see: |
| 44 | + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5376 |
| 45 | + [!] 10.1.2.3:513 - https://github.com/rapid7/metasploit-framework/pull/5377 |
| 46 | + [*] Command shell session 1 opened (10.1.2.3:1023 -> 10.1.2.3:513) at 2017-05-11 20:04:24 -0400 |
| 47 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 48 | + [*] Auxiliary module execution completed |
| 49 | + ``` |
| 50 | + |
| 51 | +## Confirming using NMAP |
| 52 | + |
| 53 | +Utilizing [rlogin-brute](https://nmap.org/nsedoc/scripts/rlogin-brute.html) |
| 54 | + |
| 55 | + ``` |
| 56 | + nmap -p 513 --script rlogin-brute 10.1.2.3 |
| 57 | + |
| 58 | + Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 20:07 EDT |
| 59 | + Nmap scan report for test (10.1.2.3) |
| 60 | + Host is up (0.000039s latency). |
| 61 | + PORT STATE SERVICE |
| 62 | + 513/tcp open login |
| 63 | + | rlogin-brute: |
| 64 | + | Accounts: No valid accounts found |
| 65 | + |_ Statistics: Performed 6662201 guesses in 609 seconds, average tps: 10491.0 |
| 66 | + |
| 67 | + Nmap done: 1 IP address (1 host up) scanned in 608.75 seconds |
| 68 | + ``` |
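Review bot: the "Confirming using NMAP" section does not actually confirm the Metasploit result: the rlogin-brute output reports "Accounts: No valid accounts found", because the script ran with Nmap's default username/password lists rather than the test/test account configured above. Either pass the documented credentials to the script (for example `--script-args userdb=users.txt,passdb=pass.txt` with those files containing `test`) so the two tools agree, or state explicitly that the default wordlists are not expected to find this account. Smaller points in the same hunk: "replace by" should read "replaced by" (and rsh was superseded by ssh, not telnet, which is equally unencrypted); Verification step 1 says "Install and configure rexec" although this module targets rlogind on 513/tcp; and the sample run includes the `report_auth_info` deprecation warnings, which should be trimmed from the documented output or the module updated before the docs are merged.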