Monthly Archives: February 2012

Metasploit Community Unleashed

A few weeks ago, I saw a message on the Metasploit mailing list (which you should also join, or at least follow on seclists.org) regarding Metasploit Community Edition. The fine folks at Offensive Security have an outstanding training site covering the Metasploit Framework, but it does not cover the Community Edition. While this is by no means on the same level as Metasploit Unleashed, I present to you…


Metasploit Community Unleashed


Background

Metasploit Community Edition is a free subset of the paid versions of Metasploit available from Rapid 7. It is intended to simplify network discovery and vulnerability verification.
Further information about this excellent project can be obtained at: http://www.rapid7.com/products/metasploit-community.jsp

To install Metasploit Community on Backtrack, simply type apt-get install Metasploit at a shell prompt. The wizards at backtrack-linux made the install seamless.

Once the install is complete, start the Metasploit web interface by selecting it from the Backtrack Miscellaneous menu or by running /opt/metasploit/ctlscript.sh start. Metasploit Community Edition runs as an SSL web application on port 3790. On first run, you must license your copy with Rapid 7 and create a user.

Metasploit Community Edition Scanning

Begin by creating a new project and filling in the project name, description and network range. On the new workspace, select the Scan button and enter the IP address or range to scan. Selecting Show Advanced Options allows fine-grained tuning of the scan details, including specific nmap scanning options, exclusions and timing options.

Once the scan is completed, the Analysis section can be used to sort the discovered devices. Clicking on Hosts will provide a summary of what was found.

You can also import scans from a variety of different vulnerability scanners. Metasploit Community Edition will parse the vulnerabilities and display the relevant Metasploit modules.

To run Metasploit modules against discovered devices, check zero or more devices in the Analysis section and click on the Modules icon, or select the Modules section. Search the modules to find the Metasploit module to run. Search keywords can be used, as shown in the example for SMB version scanning. Depending on the module selected, extra options may need to be provided.

Exploiting

Select Services and we can see that one of our targets is running Windows XP SP2, so we will attempt to run the exploit for MS08-067 against it.
In the Analysis section, select the XP machine, click on Modules and search for ms08-067. By default, a Meterpreter TCP connection will be used as the payload.
After a successful exploit, click on session and then click on the new session. Several ways are available to interact with the system, including shells, file browsing and the numerous post-exploitation modules available in Metasploit.
Have Fun and consider making a donation to Hackers for Charity http://www.offensive-security.com/metasploit-unleashed/Donate

Nessus and WSUS

Tenable recently added the ability to query various patch deployment management systems to get the patching status of the system being scanned.

This is a handy feature when a scan cannot query the scanned system directly because of credential or port restrictions.

The set up is explained very well at http://blog.tenablesecurity.com/2011/12/wsus-patch-management-and-nessus.html.

When testing in my environment, the WSUS scan was not working. Looking at the event logs on the WSUS server showed several account logon failures. A little searching led me to make the changes detailed in http://technet.microsoft.com/en-us/library/cc720470(WS.10).aspx and voilà… patch management status and other vulnerability details all in one handy report.

Christmas Challenge 2011

Well… I didn’t win the annual Ed Skoudis and friends Christmas Challenge (http://pen-testing.sans.org/blog/2012/01/26/holiday-challenge-2011-winners-answers) but thought I would share my solution anyway.
Please feel free to sing along…

Well now Rudolph was frantic
cause Grandma was missing
The police thought he did it
His iPhone confirmed it.
The GPS on the phone
Matched a jpg showing Grandma’s coat alone.

Rudolph heard little Timothy
interrupt and tell the court.
He had found some evidence
but did not know how to parse it out.

Cupid had mad Wireshark skills
and went right to work.
The first thing that he noticed
was an email and a doc in Word.

The email revealed a secret plan
that Grandma had cooked up.
She planned to frame Rudolph
and topped her insurance up.

The capture showed a fatal flaw
with Santaslist PHP.
Grandma took over MyDNS,
by hacking her some Apache.

Then with trojaned updates
and the DNS manipulation,
SQLite was used to add
the damning CellLocation.
Rudolph was proven innocent.
The Plaza was where they knew,
the police could find Grandma
wearing one red shoe.

BONUS: Extended special live only verse
And so little Timmy Tweeted,
“Network Miner is ‘freein’
Rudolph’s not a flea bitten beast
and for Grandma there’ll be no Caribbean”

W3AF update on Samurai WTF

Here is my unscientific, will-probably-only-work-once method for getting the latest version of w3af to run in Samurai WTF (http://samurai.inguardians.com/):

After I updated w3af using the svn update menu in Samurai, launching the w3af GUI presented some errors. It seems that the latest version of w3af needs some extra python-fu libraries. Fortunately, w3af is very helpful and suggests which packages to install. Unfortunately, doing an apt-get for the required packages returned a message of “Couldn’t find package __X__” for each package.

The Samurai WTF version I am using, 0.9-something, is running an older version of Ubuntu, Jaunty, whose packages are no longer actively maintained.

To get the required packages, the following worked for me:

Add the following to /etc/apt/sources

deb http://old-releases.ubuntu.com/ubuntu/ jaunty main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-security main restricted universe multiverse

Do an apt-get update, then:

apt-get install python-svn python-scapy python2.6-dev

The next piece of the puzzle was python-nltk, which had to be installed manually from nltk.org; the source is available on the site. It requires python-yaml, which could be added with another apt-get install python-yaml.
Then finally, follow the instructions from w3af on how to install pybloomfiltermap and success… w3af GUI goodness.
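The steps above, collected into one script as an added example (this is not the original post's code, nor anything shipped by Samurai WTF or w3af). It assumes the stock apt sources file path /etc/apt/sources.list and root privileges for the install step; the repository lines and package names are the ones listed in the post. The install step only runs when W3AF_DO_INSTALL=1 is set, so the script can be tried against a scratch file first. The function that edits the sources file checks for an identical existing line before appending, so running it again after the next svn update does not pile up duplicate repository entries, which is the usual way hand-edited sources files end up with apt warnings.

```shell
#!/bin/sh
# Added example: the post's w3af-on-Samurai-WTF steps as one script.
# Not the original post's code. Assumes the stock apt sources file
# (/etc/apt/sources.list) and root privileges for the install step.
set -eu

# Repository lines from the post. The jaunty-updates and jaunty-security
# suites are included, as in the post, so the last published updates for
# Jaunty are reachable as well.
OLD_RELEASES_LINES='deb http://old-releases.ubuntu.com/ubuntu/ jaunty main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-security main restricted universe multiverse'

# add_old_releases_sources FILE
# Appends each repository line to FILE unless an identical line is already
# present, so repeated runs never duplicate entries. Prints the number of
# lines it added. The loop reads from a here-document rather than a pipe so
# the counter survives (a piped while-loop would run in a subshell).
add_old_releases_sources() {
    file=$1
    added=0
    [ -f "$file" ] || : > "$file"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! grep -qxF -- "$line" "$file"; then
            printf '%s\n' "$line" >> "$file"
            added=$((added + 1))
        fi
    done <<EOF
$OLD_RELEASES_LINES
EOF
    echo "$added"
}

# install_w3af_deps
# Refreshes the package index and installs the packages the post names.
# python-nltk (from nltk.org) and pybloomfiltermap (per w3af's own
# instructions) are manual steps in the post and are not automated here.
install_w3af_deps() {
    apt-get update
    apt-get install -y python-svn python-scapy python2.6-dev python-yaml
}

if [ "${W3AF_DO_INSTALL:-0}" = "1" ]; then
    # Real run: edit the live sources file and install (run as root).
    add_old_releases_sources /etc/apt/sources.list
    install_w3af_deps
else
    # Dry run on a scratch file: shows the idempotence without touching apt.
    scratch=$(mktemp)
    echo "first run added:  $(add_old_releases_sources "$scratch") line(s)"
    echo "second run added: $(add_old_releases_sources "$scratch") line(s)"
    rm -f "$scratch"
fi
```

Without W3AF_DO_INSTALL the script only exercises add_old_releases_sources on a temporary file and reports that the first pass added three lines and the second added none; with it set, the same function edits /etc/apt/sources.list and the apt-get steps follow.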

Your mileage may vary.