Difference between revisions of "Episode223"

From Security Weekly Wiki
Jump to navigationJump to search
Line 14: Line 14:
 
= Tech Segment:  Gettin' down with Armitage =
 
= Tech Segment:  Gettin' down with Armitage =
  
Armitage
+
A new third party GUI for Metasploit.  Looks really sexy.  Sometimes you just need a pretty GUI… This one by the folks over at fastandeasyhacking.com.
 
 
A new third party GUI for Matasploit.  Looks really sexy.  Sometimes you just need a pretty GUI… This one by the folks over at fastandeasyhacking.com.
 
  
 
Let's get it up and running! You need a database, mysql, postgres, or mysql.  I chose mysql.  I'll leave the Mysql setup for Metasploit as an exercise for the reader.
 
Let's get it up and running! You need a database, mysql, postgres, or mysql.  I chose mysql.  I'll leave the Mysql setup for Metasploit as an exercise for the reader.
Line 22: Line 20:
 
We'll need to make sure tht you have the ruby modiles installed.
 
We'll need to make sure tht you have the ruby modiles installed.
  
 +
<pre>
 
# gem install mysql
 
# gem install mysql
 +
<pre>
  
 
Now we can start all of our services, such asstart the msf rpc set up and start armitage:
 
Now we can start all of our services, such asstart the msf rpc set up and start armitage:
Line 63: Line 63:
 
[file:arm7.jpg]  
 
[file:arm7.jpg]  
  
 
+
or we can go for the Hail Mary, otherwise known as db_autopwn.
…or we can go for the Hail Mary, otherwise known as db_autopwn.
 
  
 
[file:arm8.jpg]
 
[file:arm8.jpg]
  
 
   
 
   
  It works, for sure, but I'm not convinced.  I thin the by port works better (more tries) than by vulnerability…by vulnerability, I've had it try stuff that didn't work across the board and have them be vulnerable to other items.  I think this stems form the fact that we haven;t really discovered much about the targets.  Either way, it will fire off a whole bunch of attacks:
+
It works, for sure, but I'm not convinced.  I thin the by port works better (more tries) than by vulnerability…by vulnerability, I've had it try stuff that didn't work across the board and have them be vulnerable to other items.  I think this stems form the fact that we haven;t really discovered much about the targets.  Either way, it will fire off a whole bunch of attacks:
  
 
[file:arm9.jpg]  
 
[file:arm9.jpg]  
Line 78: Line 77:
  
 
So, it works, it works well, but there are some issues in how I like to use it for legitimate purposes. For example:
 
So, it works, it works well, but there are some issues in how I like to use it for legitimate purposes. For example:
 +
  
 
# Output of meterpreter commands end up in a Java window, which can be a nightmare to copy and paste into something else.  Sure, using the Gui equivalent can often dump stuff into a new tab that can be exported (such as hashdump), but then the output isn't in pwdump format, then not easily identifiable by machine.
 
# Output of meterpreter commands end up in a Java window, which can be a nightmare to copy and paste into something else.  Sure, using the Gui equivalent can often dump stuff into a new tab that can be exported (such as hashdump), but then the output isn't in pwdump format, then not easily identifiable by machine.

Revision as of 19:35, 9 December 2010



Announcements

PaulDotCom Security Weekly - Episode 223 "Cigar Lounge soiree" - for Thursday December 9th, 2010.

Roundtable Discussion Topic:

Which cigars does the PaulDotCom crew want in their stockings for Christmas?


Tech Segment: Gettin' down with Armitage

A new third party GUI for Metasploit. Looks really sexy. Sometimes you just need a pretty GUI… This one by the folks over at fastandeasyhacking.com.

Let's get it up and running! You need a database, mysql, postgres, or mysql. I chose mysql. I'll leave the Mysql setup for Metasploit as an exercise for the reader.

We'll need to make sure tht you have the ruby modiles installed.

# gem install mysql
<pre>

Now we can start all of our services, such asstart the msf rpc set up and start armitage:

I put it all in a script:

<pre>
# !/bin/sh
sudo /opt/local/lib/mysql5/bin/mysqld_safe &
~/msf3/msfrpcd -f -U msf -P test -t Basic &
~/armitage/armitage.sh &

Now we get a GUI about connecting to the database and our Metasploit XMLRPC instance:

[file:arm1.jpg]

Put in the correct information and off we go. Yay, a GUI:

[file:arm2.jpg]

Once started, we need some targets. How about some targets from Nessus? We can import Targets into Armitage from all sorts of inputs…

[file:arm3.jpg]

From a scan completed Nessus scan, I select only the high severity results, then downlaod the report.

[file:arm4.jpg]

I picked the .nessus (XML) v1. I tried the v2 but had a crash on import. this works repeatedly. (of course we can use nmap, even direct from Armitage.)

[file:arm5.jpg]

Oooh, look, targets! Ok, so what do we attack with? Let's have Armitage find attacks with Attacks, find attacks by port.

[file:arm6.jpg]

Once done we get this nice attack menu now when we right click. We can go through them methodically, which can be good…

[file:arm7.jpg]

or we can go for the Hail Mary, otherwise known as db_autopwn.

[file:arm8.jpg]


It works, for sure, but I'm not convinced. I thin the by port works better (more tries) than by vulnerability…by vulnerability, I've had it try stuff that didn't work across the board and have them be vulnerable to other items. I think this stems form the fact that we haven;t really discovered much about the targets. Either way, it will fire off a whole bunch of attacks:

[file:arm9.jpg]

Once an attack is successful, we can interact directly with a meterpreter session, or continue to navigate the menus:

[file:arm10.jpg]

So, it works, it works well, but there are some issues in how I like to use it for legitimate purposes. For example:


  1. Output of meterpreter commands end up in a Java window, which can be a nightmare to copy and paste into something else. Sure, using the Gui equivalent can often dump stuff into a new tab that can be exported (such as hashdump), but then the output isn't in pwdump format, then not easily identifiable by machine.
  2. Screenshots, (and other output, best I can tell) are revealed in a tab, but NOT left on disk. I'm assuming this information is stored in the database somewhere, but there is no indication as to how to get it back - I have to use this stuff in the report!
  3. How the hack? Of course there is no record in the host definition what was used to compromise the system, either manually or via db_autopwn. I know that metasploit doesn't but if there are some addition things happening, maybe this can get captured. Without, I have to go back and manually re-exploit (if possible) to figure it out. Again, I need this stuff for a report!

Stories For Discussion

  1. Low Orbit Ion Cannon - [Larry] A quote I saw on twitter today, "Remember when your DDoS tools weren't on SourceForge?". So, this is the tool that Anonymous is using as part of the voluntary DDoS attacks against those that are "against" Wikileaks. Now the source is out there. I wonder if there is any special attack, an additional implementation of slowloris. At least now we have the source that we can learn from the code. After a quick look, it doesn't appear to be a terribly sophisticated attack, but apparently it doesn't need to be.
  2. Maintaining administrative access on the DL - [Larry] - Compromise a system and now create an account (or use ASPNET) for maintaining access. Hopefully a good admin will note that, if you make the user an admin in the admin group. So, how do you keep it under wraps? This issue with SAM allows for a user to be modified so that it looks like a regular user, but with admin privileges. Microsoft says that there is no investigation needed, as other vulnerabilities are required to compromise the system first.
  3. How do astronauts wipe? - [Larry] - Apparently not very well. NASA has been found to be disposing of a couple of machines that had not been properly sanitized. In addition to un-wiped hard drives, several machines were found to be marked externally with identifying information and ip addresses…

Other Stories of Interest