Skip navigation
All Places > Metasploit > Blog > 2011 > August

A worm abusing the Remote Desktop service is making the rounds, currently named Morto. This worm gains access by trying a small number of weak passwords for the local Administrator account. After compromising the server, the worm propogates using mapped shares and provides remote access to the worm's creator. Most public reports involve Morto gaining access to internet-facing servers, however it is likely that once Morto is behind a firewall, it can propogate to other local systems.


Fortunately, Metasploit (Framework, Express, and Pro) provide an easy way to test for weak passwords on the local Administrator account. The Metasploit Framework provides the smb_login module, which accepts a USERPASS_FILE option for accounts to test. This module can be used to quickly sweep your network for machines that Morto can gain access to. The usage for the Metasploit Framework is below.


First grab a copy of the USERPASS_FILE that corresponds to the username and password combinations that Morto tries. This is a simple text file containing the username followed by a space and then the password, one per line. You can download a copy of this file from HERE (save it to disk).


Now that the file has been saved to disk, start your copy of the Metasploit Framework, preferably via the Metasploit Console (msfconsole).


$ msfconsole


Once the console has loaded, select the smb_login module and configure the USERPASS_FILE option.



msf > use auxiliary/scanner/smb/smb_login

msf auxiliary(smb_login) > set USERPASS_FILE /tmp/morto.txt



Now set the target range (RHOSTS) and increase the thread count (THREADS) to make things run smoothly. Disabling verbose output also makes the resulting output much more readable.


msf auxiliary(smb_login) > set RHOSTS

msf auxiliary(smb_login) > set THREADS 128

msf auxiliary(smb_login) > set VERBOSE false

Finally, let this module run and watch the output for successful logins. Any machine found vulnerable that has Remote Desktop exposed could become easy prey for this worm.


msf auxiliary(smb_login) > run


[*] Scanned 026 of 256 hosts (010% complete)

[+]|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'Administrator' : 'admin'

[*] Scanned 125 of 256 hosts (048% complete)

[*] Scanned 127 of 256 hosts (049% complete)

[*] Scanned 142 of 256 hosts (055% complete)

[*] Scanned 157 of 256 hosts (061% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed


Metasploit Express and Metasploit Pro users can do the exact same thing via the Modules tab or via the Metasploit Pro Console. There is an easier way, however, especially if you already have an active project. Login to the user interface, select a project containing recent scan data, choose Bruteforce, check only the SMB protocol, and select "Known only" as the depth. Expand the Advanced Options screen and paste the contents of the morto.txt file into the Additional Credentials field, then click Launch Bruteforce. Not only will this identify vulnerable systems, but it will return sessions on each system.


An interesting thing happened to me this year while at Defcon 19. I was in the shwag line waiting for some friends to pick out some items for their order when all of a sudden I saw a rather familiar face. At first I had no idea who he was but we both just looked at each other for a second and finally he came up to me and said "You look very familiar do I know you?". After talking for a minute I realized this was one of my friends from back home in Upstate NY, Jonathan Claudius. I actually used to ride the school bus with him and he lived about half a mile away from my house. I lived in a small town so this chance encounter was pretty mind blowing. In fact the population of the area I grew up in was roughly 12,000 according to a survey in 2009. Pretty small compared to the nearest city which had a population of 200,000 according to the same survey in 2009.


What does all this have to do with Metasploit? Well Jonathan was giving a Skytalk at Defcon and wanted me to come see his presentation. I made sure I went to the talk to see what he had been up to. It turns out his talk really impressed me. He had come up with a way of dealing with broken NAT implementations which will sometimes reply to a request with a different IP address rather than the original destination IP. This causes the communication channel to be dropped because the client does not expect this reply to come from another IP address and just sends a RST(reset) packet to the host that replied.


When you run into one of these broken implementations nmap will usually show the port your trying to reach as "filtered". Most people simply think this means the port is firewalled off and unreachable. But Jonathan, came up with a set of tools which can detect BNAT(broken NAT) implementations, and repair the communications. The tools basically listen for replies to the initial request made to detect if another IP address replies. Fixing up the communication is the next step, he wrote a tool which will fix up the source IP address of the incoming replies so that the client can handle the communications as normal.


Originally, the BNAT tools were written in ruby and using todb's PacketFu. The tools were standalone and sitting in a GIT repository. When I saw Jonathan's talk I asked him why not make the tools into modules for Metasploit. We already include the needed library, PacketFu, so porting the tools over was just a matter of cleaning up the code a little and throwing it into a module template. Jonathan wanted to port the tools over but he had never developed for Metasploit before so he needed some help. So, one night I called him up on the phone and we worked on porting the tools over for a few hours. A few days later the tools were in the Metasploit SVN repository ready for use by everyone!


The following video demos the tools and shows how a "filtered" port might actually lead to gaining access to a network:


Hopefully, after seeing the demo you can see the full potential these modules might bring to external pentests. We started out with a nmap scan which just showed the port as "filtered" and we managed to fix up the communication channel, and finally exploit a vulnerability. The purpose of this demo was to show that in networking, sometimes things are not always as they seem. A filtered/closed port can sometimes be really be open you just need to know how to communicate with it.


There are however, some caveats you need to consider when performing BNAT scanning and hijacking that make it a little harder than your normal everyday symmetric TCP communication exploit.


  1. You need IPTables or a host-based firewall to selectively suppress reset packets or your BNAT sessions can be prematurely reset.  In IPTables it can be done as follows as a preliminary setup on the Router host.
    • iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP 
  2. In order to perform scanning activities over the public Internet, you need to be bridged to the Internet and not behind any firewall/nat service that would enforce state or you will not even notice when you trigger BNAT because that service will prevent us from completing the session.


As always, if your interested in this and want to discuss it further you can reach us on #metasploit or follow us on twitter @claudijd and @msfbannedit.

If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas, make sure you also download Metasploit 4.0 to entertain you on the plane ride. If you missed the recent announcement, check out this blog post for a list of new features.


The new version is now available for all editions, and here's how you upgrade:


  • Metasploit Pro and Metasploit Express 4.0: For fresh installs, download version 4.0 of Metasploit Pro or Metasploit Express and install (to try these versions, use the same links). If you already have Metasploit Pro or Metasploit Express installed, simply go to the menu item "Administration" and choose "Software Update".
  • Metasploit Framework 4.0: For fresh installs, download version 4.0 of Metasploit Framework and install. If you already have Metasploit Framework installed, you can use the SVN update function to upgrade to version 4.0. If you selected the automatic update during the installation of 3.7.2, youre installation should already be ready to go. If not, you can use the following steps to update:


$ sudo bash

# cd /opt/framework-3.x.x/msf3/

# svn update


In case you get stuck or have any questions, make sure you visit the Rapid7 Community to find answers, tips & tricks. Alternatively, just drop by our Black Hat booth #109 and ask us directly!


It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD license. Licensing is definitely not the only place Metasploit's fexibility has increased. Over the last 5 years, we've added support for myriad exploitation techniques, network protocols, automation capabilities, and even user interfaces. The venerable msfweb is gone along with the old gtk-based msfgui. Taking their place are the newer java-based msfgui and armitage, both of which have improved by leaps and bounds since their respective introductions.


Five years ago, every exploitation tool out there was focused on running an exploit and getting a shell (usually a crappy cmd.exe shell, at that). Today, Metasploit encompasses every aspect of a penetration test. Dozens of auxiliary modules assist with reconnaisance, more than two hundred others help with information gathering and discovery; hundreds of exploits get you a toe-hold on the network; and the newest addition to the module family, post modules, help simplify and automate increasing your access. All of the data you gather can be stored in a database. For high-quality reporting and even greater automation, Metasploit Pro rounds out an engagement. Five years ago, Metasploit had already come a long way in making exploit development easier but the widespread adoption of DEP and ASLR has pushed the project even further toward accelerating what has now become a much more difficult process.


All of that leads us to the Metasploit Framework version 4.0, released today.


To make the awesomeness of 4.0 stand out visually from its predecessors, we've built an array of stunning new ASCII art banners. My favorite, of course, is this one:




In addition to the visual differences, Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. Contributor TheLightCosine continues with his onslaught of password-stealing post modules and another contributor, Silent Dream, has begun helping out in that arena as well. Other post modules have seen considerable improvement and expansion thanks to Carlos Perez. The recent Exploit Bounty netted a total of six new exploit modules, and other development added another 14 since the last release.


Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. The last developer left it with little documentation on how to build it, so getting it to compile was a hurdle that we put off for too long. Now that it compiles, you can expect a more flexible payload for Linux. It still isn't perfect nor is it nearly as complete as the windows version, but many features already work.


Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets. As always, you can get the latest version from and full details of this release can be found in the Release Notes.


Everyone on the Metasploit team is proud of the first major version bump in half a decade. May it bring you many shells.

Filter Blog

By date: By tag: