Getting root on a remote machine can be interesting and is definitely a major step in the right direction (depending on your scope and the purpose of the test, it could be the only step necessary). If your task is not complete, then you will need to find methods of transferring data to and from your victim machines. There are several tools that will assist you in this task. Here are a few that may make your life easier in the long run.
TFTP can be very handy at times. Many systems already have a TFTP client installed, and using this protocol is quick and easy. The Kali distribution should have the atftpd server installed; if not, you can install it with the apt-get command. In a terminal window on Kali, enter:
# apt-get install atftpd
Starting TFTP as a standalone daemon serving /tmp on the standard port and bound to IP address 192.168.75.12 can be accomplished by typing:
# atftpd --daemon --port 69 --bind-address 192.168.75.12 /tmp
You can check that the daemon started correctly by invoking netstat and grepping for 69 (note that this matches any line containing 69, so confirm the Local Address column shows port 69 on the address you bound):
# netstat -anu | grep 69
If everything started correctly, you should see something similar to:
udp 0 0 192.168.75.12:69 0.0.0.0:*
If your version of Kali does not have pure-ftpd installed, it may be added with:
# apt-get install pure-ftpd
If the package is not found, then the Kali 2.0 package is not stable enough for release; you can either use the Kali 1.10 version or build the tool from source. The source can be downloaded from http://pureftpd.org/project/pure-ftpd/download. Once you have downloaded the tarball, enter the following:
# tar -xzvf pure-ftpd-1.0.42.tar.gz
# cd pure-ftpd-1.0.42
# ./configure
# make install-strip
For the full functionality of pure-ftpd, you will need to add users and make other minor configuration changes prior to use.
Add /etc/pureftpd.pdb to the PureDB configuration file:
# echo /etc/pureftpd.pdb > PureDB
Add a group to the Kali machine:
# groupadd -g 7777 ftpz
Add the system account that will own the FTP files:
# useradd -u 7777 -s /bin/false -d /dev/null -c "pureFTP" -g ftpz Testerz
Create the folders that will be used:
# mkdir /var/ftp /var/ftp/public /var/ftp/public/ftplogin
Modify the ownership:
# chown -R Testerz:ftpz /var/ftp/public/ftplogin
Set up a virtual account that can be used with FTP connections:
# pure-pw useradd ftplogin -u Testerz -d /var/ftp/public/ftplogin
Password: password
Enter it again: password
Rebuild the database so the new account takes effect:
# pure-pw mkdb
Perform a quick lookup in the Pure-FTP database to display the user's settings:
# pure-pw show ftplogin
Login              : ftplogin
Password           : $1$/NF5jAg0$I0oRJKViA5NYs455Afelr1
UID                : 7777 (Testerz)
GID                : 7777 (ftpz)
Directory          : /var/ftp/public/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload bandwidth   : 0 Kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local IPs  :
Denied local IPs   :
Allowed client IPs :
Denied client IPs  :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)
The following command will start pure-ftpd:
# /usr/local/sbin/pure-ftpd start
This server can be tested by connecting to localhost:
# ftp 127.0.0.1
The output should be similar to the following:
Connected to 192.168.75.12.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 17:02. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.75.12:root): ftplogin
331 User ftplogin OK. Password required
Password:
230-User ftplogin has group access to: 7777
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Production versus a controlled test lab environment
Consider setting up a dedicated user account and appropriate security measures on your production Kali instance. Make certain that the FTP accounts have the permissions needed to write files; otherwise, expect errors when you attempt uploads from victim machines. An often-overlooked point is that you control the testing machine and must make sure its configuration supports you in the field. Doing this ahead of time will save you time when you are performing your testing.
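The following POSIX shell helpers are an added example and are not part of the original text or of the atftpd or pure-ftpd projects. They turn the manual checks described above into functions you can run against the live output of netstat -anu and pure-pw show on your Kali host: an exact-match test for the atftpd listener (rather than a bare grep for 69), a parser for the pure-pw show listing, and the upload-directory ownership and permission check that the closing section asks for. The function names, the placeholder password hash, and the embedded netstat and pure-pw samples are constructed for this example.

```shell
#!/bin/sh
# Added verification helpers for the TFTP and pure-ftpd setup described above.
# The netstat and pure-pw listings below are constructed samples that mirror the
# text; on a live host pass in real output, e.g. "$(netstat -anu)".

# Constructed `netstat -anu` output: the atftpd listener from the text plus two
# lines that a bare `grep 69` would also match (port 6969, an address with 69).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.168.75.12:69        0.0.0.0:*
udp        0      0 0.0.0.0:6969            0.0.0.0:*
udp        0      0 192.168.69.1:5353       0.0.0.0:*'

# Constructed `pure-pw show ftplogin` output (placeholder hash, not a real one).
PUREPW_SAMPLE='Login              : ftplogin
Password           : $1$PLACEHOLDER$constructedhashvalue
UID                : 7777 (Testerz)
GID                : 7777 (ftpz)
Directory          : /var/ftp/public/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload bandwidth   : 0 Kb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Max sim sessions   : 0 (unlimited)'

# udp_listener_exists NETSTAT_OUTPUT ADDR:PORT
# Succeeds only when a UDP socket is bound to exactly ADDR:PORT.
udp_listener_exists() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^udp6?$/ && $4 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# purepw_field PUREPW_OUTPUT FIELD
# Prints the value of one "Field : value" line. The split is on the first
# colon, because labels never contain one but values (ratio, times) may.
purepw_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            i = index($0, ":")
            if (i == 0) next
            name = substr($0, 1, i - 1); sub(/ +$/, "", name)
            if (name == key) {
                val = substr($0, i + 1); sub(/^ +/, "", val); sub(/ +$/, "", val)
                print val; exit
            }
        }'
}

# purepw_home PUREPW_OUTPUT
# The directory without the trailing "/./", which pure-ftpd uses to mark the
# point at which the virtual user is chrooted.
purepw_home() {
    dir=$(purepw_field "$1" Directory)
    printf '%s\n' "${dir%/./}"
}

# purepw_is_chrooted PUREPW_OUTPUT
purepw_is_chrooted() {
    case "$(purepw_field "$1" Directory)" in
        */./*) return 0 ;;
        *)     return 1 ;;
    esac
}

# ftp_dir_ready DIR USER GROUP
# The upload directory must exist, be owned by the system account backing the
# virtual user (Testerz:ftpz in the text), and carry the owner write bit;
# otherwise uploads from the target side fail with permission errors.
ftp_dir_ready() {
    [ -d "$1" ] || { echo "ftp_dir_ready: $1 is not a directory" >&2; return 1; }
    info=$(ls -ld "$1")
    owner=$(printf '%s\n' "$info" | awk '{ print $3 ":" $4 }')
    wbit=$(printf '%s\n' "$info" | awk '{ print substr($1, 3, 1) }')
    [ "$owner" = "$2:$3" ] || { echo "ftp_dir_ready: $1 owned by $owner, expected $2:$3" >&2; return 1; }
    [ "$wbit" = "w" ] || { echo "ftp_dir_ready: $1 is not writable by $2" >&2; return 1; }
}

# Stand-alone run against the constructed samples.
if udp_listener_exists "$NETSTAT_SAMPLE" 192.168.75.12:69; then
    echo "atftpd is bound to 192.168.75.12:69"
fi
echo "virtual user $(purepw_field "$PUREPW_SAMPLE" Login) -> $(purepw_home "$PUREPW_SAMPLE")"
```

On the Kali host itself, replace the samples with live output, for example `udp_listener_exists "$(netstat -anu)" 192.168.75.12:69` and `ftp_dir_ready /var/ftp/public/ftplogin Testerz ftpz`, and run the checks before heading into the field so that a misconfigured server is caught in the lab rather than mid-engagement.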