
Weekly Metasploit Wrapup

Posted by egypt Employee Apr 27, 2016

I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages when everything ran over serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase. SCADA gear is increasingly moving toward modern operating systems with modern security protections. This is very much a Good Thing (tm).

Nevertheless, software is hard. From last week's graph, you already know that the more software you have, the more likely it is that some of it is broken. Further, there's a lot of super old code in ICS.

Enter Advantech WebAccess Dashboard Viewer, "a fully web-based HMI and SCADA software package for industrial automation." It's basically a web application written in ASPX that lets you twiddle valves and flip switches. Like many web apps, it offers the ability to upload files, and like many web apps, it stores them in the web root and doesn't really care what those files are. Which, of course, means a very simple path to arbitrary code execution.
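An added illustration of the upload anti-pattern described above next to a hardened handler. This is example code written for this post, not Advantech's application or the Metasploit module; the demo directories, the extension allowlist and the magic-byte checks are assumptions for the demo.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

# Constructed demo directories: in a real deployment WEB_ROOT is whatever the
# web server serves, and UPLOAD_STORE is a directory it does not serve at all.
WEB_ROOT = Path(tempfile.mkdtemp(prefix="webroot_"))
UPLOAD_STORE = Path(tempfile.mkdtemp(prefix="uploads_"))
ALLOWED_EXT = {".png", ".jpg", ".csv"}            # hypothetical dashboard asset types
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}

def save_upload_naive(filename: str, data: bytes) -> Path:
    """The pattern the post describes: trust the client's file name, write it
    into the web root, never look at what it is. A .aspx lands exactly where
    the server will execute it."""
    dest = WEB_ROOT / filename
    dest.write_bytes(data)
    return dest

def content_matches(ext: str, data: bytes) -> bool:
    """Cheap sanity check that the bytes look like the claimed type."""
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    # .csv: must decode as text with no NUL bytes. This refuses binaries; the
    # real protection is that nothing in UPLOAD_STORE is ever served directly.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data

def save_upload_safe(filename: str, data: bytes) -> str:
    """Hardened handler: reject path separators and odd characters, allowlist
    the extension, check the content, store under a random name outside the
    web root, and return an opaque id (never a path) for the app to map."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", base):
        raise ValueError("rejected: unsafe file name")
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"rejected: extension {ext!r} is not allowed")
    if not content_matches(ext, data):
        raise ValueError("rejected: content does not match the extension")
    token = secrets.token_hex(16)
    (UPLOAD_STORE / token).write_bytes(data)
    return token
```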

Maybe someday we'll get rid of newb mistakes. Not today, though.

New Modules

Exploit modules (1 new)

  • Advantech WebAccess Dashboard Viewer Arbitrary File Upload by Zhou Yu and rgod exploits ZDI-16-128

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.21...4.11.22

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 21, 2016

(In)security Appliances

IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate what that looks like.

[Image: the author's graph of bug risk rising with complexity]

There are lots of statistics out there about bug density, all of them flawed in some way of course, but it really comes down to this: the more code you expose to the network, the higher the probability of there being an exploitable bug in that code. IT management tools and security appliances are no exception to that rule.

All of that is what makes vulnerabilities in these things possible (and even likely), but what makes them fun is that they are often the custodians of some of the most important data on a network. An inventory management system will have... wait for it... a list of targets, probably with the name of the human associated with each of them, which also gives you an idea of what kind of data they'll be holding. A patch/update management solution will most likely have a simple way to deploy executables (ostensibly to patch something) to lots of boxes all at once: authenticated remote code execution by design, on a massive scale. In other words, a thing you want to pwn.

This week we have another example of this class: Dell's KACE K1000 systems are intended to "[s]treamline IT asset management, secure network-connected devices, and service end-user systems more efficiently." Which all sounds to me like marketing-speak for pop boxes, steal data.

If you have any of these sorts of things in your network, it might be a good idea to make sure only IT staff can talk to it. Bob in finance doesn't need to see all that stuff.

If you are a pentester, anything that says "Administration" or "System Management" in its <title> tag is probably already a priority, so nothing I've said here is news to you.

New Modules

Exploit modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.20...4.11.21

The bug image in my awesome graph is CC-By-SA MesserWoland.

Weekly Metasploit Wrapup

Posted by egypt Employee Apr 15, 2016

Meterpreter Unicode Improvements

Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose usernames contain non-ASCII characters, e.g.:

msf > use post/windows/gather/hashdump
msf post(hashdump) > setg session -1
session => -1
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 168de610cd477d23e9f7713684342744...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

bcook:"normal"
mönkey:"blah"

SSH Backdoors

In this week's episode of Authenticated Code Execution by Design, we have a couple of new SSH modules.

System administrators and attackers alike love to use services like SSH to get into and control systems. Sometimes, vendors use them for coordinating multiple systems performing the same task. Such is the case with ExaGrid backup storage devices. Each ExaGrid box uses SSH to talk to other ExaGrid devices on the network, presumably to keep an eye on disk usage and other metrics that such devices care about. To make things fun, this was accomplished by shipping the same passwordless private key on every device, so now Metasploit has that private key, too.

Going a little further back in time to last December, Juniper shipped a backdoored sshd on their ScreenOS devices after a compromise allowed attackers to modify it, allowing access with any username and the remarkably clever password <<< %s(un='%s') = %u. I love it because it doesn't stand out in the output of strings(1). Well played, unknown blackhat backdoor creators, well played. Now you can easily scan for these backdoors with Metasploit.

Consistent options display

When you type options in msfconsole, you get a nice table of the things your current module needs to know to do its job. Formerly, advanced and evasion options used a different layout that made it a lot harder to read, especially since there are usually a lot more of them than normal options. It has bothered me for a while and finally pissed me off enough to do something about it -- now all the option types give you the same kind of output.

New Modules

Exploit modules (6 new)

Auxiliary and post modules (7 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.19...4.11.20

Securing your Metasploit Logs

Original post from Logentries found here: Securing your Metasploit Logs

by Justin Buchanan

Metasploit, backed by a community of 200,000 users and contributors, is the most impactful penetration testing solution on the planet. With it, you can uncover weaknesses in your defenses, focus on the highest risks, and improve your security outcomes. Your Metasploit Pro console produces a lot of important logs. It is essential to be able to review these logs, alert on them, and keep them secure.

Why should I monitor these logs?

The logs produced by your Metasploit Pro console are helpful when troubleshooting, and also for monitoring the usage of the Metasploit product. Metasploit Pro is impressively powerful, which also makes it crucial to closely monitor its usage. Unfortunately, you must always plan for the worst possible scenario, including the potential for a Metasploit user to alter the logs created by the console to hide their actions. Sending these logs to a secure central location in real time ensures that they remain unaltered and easy to review.

What and where are the Metasploit Pro Logs?

The list below details all of the logs created by your Metasploit Pro console and where they are saved. Your installation root directory may vary; by default the installation root for Linux is: /opt/metasploit and for Windows: C:\metasploit

  • $INSTALL_ROOT/apps/pro/nginx/logs/error.log – Console web server error log
  • $INSTALL_ROOT/apps/pro/nginx/logs/access.log – Console web server access log
  • $INSTALL_ROOT/apps/pro/ui/log/production.log – Rails (ruby) log
  • $INSTALL_ROOT/apps/pro/engine/config/logs/framework.log – Metasploit Framework log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stdout.log – Metasploit RPC output log
  • $INSTALL_ROOT/apps/pro/engine/prosvc_stderr.log – Metasploit RPC error log
  • $INSTALL_ROOT/apps/pro/tasks – Task logs
  • $INSTALL_ROOT/apps/pro/engine/license.log – License log

As a best practice, all of the above logs should be sent to a secure, off-site location for storage and analysis. For the purposes of this post we will focus on the three most important logs:

  1. tasks
  2. framework.log
  3. access.log

The tasks directory

The tasks directory contains text files detailing all of the actions taken by all Metasploit users. It records any exploit that is run, the creation of a listener, the establishment of a pivot, and any other action taken through the console.

Configure the Logentries Agent

To capture the log data saved to the tasks directory, first ensure that you have installed the appropriate Logentries Agent on the Metasploit console machine. The Logentries Agent can automatically identify and forward the newest log file written to a directory by using a wildcard configuration. For the Linux Agent, issue the following command to follow the tasks directory:

sudo le follow '/opt/metasploit/apps/pro/tasks/*.txt'

and with the Windows Agent:

AgentService.exe follow c:\metasploit\apps\pro\tasks\*.txt

Always remember to restart the Logentries service after making changes to its configuration.

View in Logentries

Now as new tasks are written to the directory on your console server you can see them stream into Logentries in real time, creating an immutable offsite backup of these important audit trails.

framework.log

framework.log is your best friend when you are trying to troubleshoot an issue you are encountering with Metasploit. All the logged errors are saved here. When you dig into this log you will gain insight into which exploits failed, and for what reasons, as well as general stack traces.

Configure the Logentries Agent

In this case, because framework.log is just a single file, there is no need for special configuration. The command to follow this file with the Linux Agent would simply be:

sudo le follow /opt/metasploit/apps/pro/engine/config/logs/framework.log

access.log

The final log discussed here is the NGINX access.log produced by the Metasploit console. The information in this log is essential for maintaining complete audit trails of all actions taken in the console. It contains every request made to the web interface, including the IP address of the requester, making it invaluable in an investigation.

Metasploit's NGINX server is configured to log in combined log format, and as a result Logentries will be able to perform in-depth analysis on these logs with ease. The video below provides a tutorial on using the advanced search functionality of Logentries to query an Apache access.log; all the same features and functionality are available for this NGINX access.log.

[Video: building a query, how-to]
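An added, offline illustration of the kind of review a combined-format access.log supports, written for this post rather than taken from Logentries or Rapid7. The log lines, the console paths and the 10.0.5.0/24 "IT staff" range are all constructed for the demo, and it goes slightly beyond the text by also flagging a source that logs in only after repeated failures.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format, as NGINX writes it for the Metasploit Pro console.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines: two operators from the IT range, one unexpected host using curl.
SAMPLE_LOG = """\
10.0.5.12 - - [21/Apr/2016:09:14:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.12 - - [21/Apr/2016:09:14:05 +0000] "GET /workspaces/1/tasks HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
192.168.40.77 - - [21/Apr/2016:09:20:11 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.47.0"
192.168.40.77 - - [21/Apr/2016:09:20:12 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.47.0"
192.168.40.77 - - [21/Apr/2016:09:20:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.47.0"
10.0.5.30 - - [21/Apr/2016:09:31:40 +0000] "GET /workspaces/1/hosts HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

def parse_combined(text: str):
    """Return (records, malformed_count); malformed lines are counted, not silently dropped."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            malformed += 1
    return records, malformed

def review(records, allowed_nets, login_path="/login", threshold=2):
    """Two checks worth running over the console's access.log: requests from outside
    the IT staff ranges, and a source that logs in only after `threshold` or more 401s."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    outside, failures, findings = Counter(), defaultdict(int), []
    for r in records:
        if not any(ipaddress.ip_address(r["ip"]) in n for n in nets):
            outside[r["ip"]] += 1
        if r["method"] == "POST" and r["path"] == login_path:
            if r["status"] == "401":
                failures[r["ip"]] += 1
            elif r["status"][0] in "23" and failures[r["ip"]] >= threshold:
                findings.append(f"{r['ip']}: login succeeded after "
                                f"{failures[r['ip']]} failures at {r['time']}")
    for ip, n in outside.items():
        findings.append(f"{ip}: {n} request(s) from outside the IT staff ranges")
    return findings
```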

Ready to secure your Metasploit logs? Give it a try by creating a free Logentries account today!

Yesterday, we announced the availability of a PowerShell extension for Meterpreter, primarily as a toy for laughs because no one would seriously consider using it for anything important.

But today? Today we've got a real treat for you. For serious programmers and serious pentesters, what you really want is a serious language. Something with the power of a Turing Machine and the readability of raw bytecode. Something beautiful and subtle, like a chainsaw. Something with a name you can pronounce in polite company, unlike the crude "Python".

You need BF.

[Image: 2001 ape-and-monolith scene]

Today, we landed an incredible tool that will be the benchmark for ease in post-exploitation for years to come. Today, you can run BF inside Meterpreter.