Exploitation is the core part of penetration testing and of many security professionals' careers. The ability to gain full control over a targeted machine is a great feeling, but various system and network protections have made it increasingly difficult to succeed with basic exploits, so we need to know advanced exploitation.
In this article we move into more difficult attack methods, beginning with the command-line interfaces to the Metasploit Framework. Most of the attacks and customizations discussed in this article take place in msfconsole, msfencode, and msfpayload.
Before you begin to exploit systems, we need to understand a few things about penetration testing and exploitation.
Basic Exploitation:
The Metasploit Framework contains hundreds of modules, and it is impossible to remember them all, so we use the show command from msfconsole to display every module available in the Framework.
msf> show exploits
Exploits operate against the vulnerabilities that you discover during a penetration test. New exploits are always being developed, so the list will continue to grow. This command displays every exploit currently available within the Framework.
We can also search for particular exploits; see the examples below.
Example: if you want to launch an attack against SQL Server, you could search for SQL like this:
msf> search mssql
We can search for other exploits in the same way, for example ms08_067.
Choosing the exploit is the main decision during exploitation. If you choose the wrong exploit, the exploitation cannot succeed, so choose carefully.
Once a module is found, you can load it with the use command, as shown below.
msf> show auxiliary
Auxiliary modules in Metasploit can be used for a wide range of purposes: they can operate as scanners, denial-of-service modules, fuzzers, and much more. This command displays all auxiliary modules and lists their features.
msf> show options
Before we run the show options command, we need to set our module. Once the module is set, show options displays all the options we can set; Metasploit shows only the options that apply to that particular module.
msf> show payloads
When you run show payloads from a module-specific prompt, Metasploit displays only the payloads that are compatible with that module. To see the full list of payloads, run the following command from the top-level msf> prompt:
msf> show payloads
This shows you all payloads available in Metasploit. However, if you are inside an actual exploit, you will see only the payloads applicable to that attack; you cannot use any other payload against the target, so be careful.
For example, running show payloads from the msf exploit(ms08_067_netapi) prompt produces the output shown in the screenshot above.
The next step is choosing your payload from the list above. We use windows/shell/reverse_tcp for the target, so let's do that.
When we enter show options again, we see that additional options are shown, as below.
Notice that once the payload is selected and the options are displayed, we are presented with additional options in the payload section, such as LHOST and LPORT.
In this example, you could configure the payload to connect back to the attacker machine on a specific IP address and port number; this is called a reverse payload.
With reverse payloads, the connection is actually initiated by the target machine, which connects back to the attacker. You might use this technique to bypass a firewall or NAT installation. So we need to set LHOST and LPORT to our own IP address and port.
msf> show targets
Using the show targets command at the MS08-067 prompt displays a list of exploit targets. The success of the exploit depends on the version of Windows you are targeting. Sometimes automatic detection will not work and could even trigger the wrong exploit, which usually leads to a service crash.
We can list the targets with the show targets command, as shown below.
In this example, you can see that the exploit lists Automatic Targeting as one option. Often an exploit module will attempt to target the operating system automatically, selecting an exploit based on the system's version and fingerprint. We can also set a particular target if we know the operating system and its version.
Info
When the short description of a module provided by the show and search commands isn't sufficient, use the info command to display all the information, options, and targets available for that module, as shown below.
Set and unset
All the options for a given Metasploit module must be either set or unset, especially those marked as required or yes. When you run show options and see a value that is wrong or misconfigured, use the unset command to clear it and then set it again.
We set the target IP address (RHOST) to 192.168.20.128 and our own IP address (LHOST) to 192.168.20.132. Running show options confirms whether our settings have been saved; if anything is misconfigured, use the unset command to remove it.
Check
After configuring our exploit, we can test it against the target without actually exploiting it, using the check command, as shown below.
Exploiting a Windows XP SP2 Machine:
You may have used vulnerability scanners against your Windows XP SP2 machine; here we begin by finding this vulnerability on our own. As your skills as a penetration tester improve, the discovery of certain open ports will trigger ideas about how you might exploit a particular service.
There are many vulnerabilities in operating systems by default. We know that Windows XP SP2 is vulnerable in SMB, so we search for the ms08_067_netapi exploit and use it to gain access to the Windows XP SP2 machine, as shown below.
From the options above, we can see that we need to set RHOST, PAYLOAD, LHOST, and TARGET, but keep in mind that many Metasploit modules choose the target automatically. You can also list the targets available for this module with the show targets command, as seen before. After setting all the options, we check them again for confirmation.
In the screenshot above we set RHOST, which is our target's IP address. We also set PAYLOAD to the Windows-based shell reverse_tcp, which starts a connection on the target machine back to the attacking machine, and LHOST, which is the attacker's (our machine's) IP address.
Now our exploit is configured and we are ready to exploit the target machine. We use the exploit command to do so.
Here we get the target machine's shell. We also check the target machine's IP address for confirmation.
Exploiting a Linux Machine:
Let's try a different exploit on a Linux machine. The steps are pretty much the same as for the preceding exploit, except that we will select a different payload. We see there are many open ports, with their services and versions, as shown below.
We are most interested in the line above. As you can see, many ports are open, so you can choose your exploit according to the target's vulnerability. We use distcc_exec; this module uses a documented security weakness to execute arbitrary commands on any system running distccd.
Now search for the module in msfconsole, use it, and check its options.
Set RHOST, PAYLOAD, and LHOST, and check the options again for confirmation.
After confirming all the options, we exploit the target machine with the exploit command. After exploiting the target you can see that session 1 is open, which means the attacker machine is connected to the target machine over port 4444. We also check the IP address with the ifconfig command, as shown below.
Brute Forcing Ports:
In many scenarios we see the reverse port always being open. But what if we are attacking an organization with very strict egress port filtering? Most companies block outbound connections except those on a few defined ports, and it can be difficult to determine which ports can make outbound connections. We can guess that port 443 won't be inspected and will allow a TCP connection out, and that FTP, Telnet, SSH, and HTTP may be allowed.
But why guess when Metasploit has a specific payload for finding open ports? This payload will try every available port until it finds an open one. Let's use it and have it try all outbound ports until one succeeds.
First we need to choose an exploit for the target. We again use ms08_067_netapi, set RHOST, LHOST, and TARGET, and set PAYLOAD to windows/meterpreter/reverse_tcp_allports. It will try every available port until it finds an open one.
Now you are ready to exploit a target that sits behind port filtering, so let's run the exploit command.
Here you can see that we successfully exploited the target using the reverse_tcp_allports payload. We can also see the target machine's IP address. Notice that we did not set an LPORT; instead we use allports because we are going to try to connect out of the network on each port until we find an open one.
You can see that our attacker machine is bound to :1 (all ports) and that it finds an outbound port, 1137, on the target network.
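From the defender's side, the allports payload described above leaves a distinctive trace in egress-filter logs: one internal host walking destination ports in order against one external address until a connection is allowed. The following detection script is an added example, not code from the original article or from Metasploit; the firewall log format and the addresses in SAMPLE_LOG are constructed for this example, so LINE_RE must be adapted to a real firewall's format.

```python
"""Added example, not from the original article: detect a host whose outbound
connection attempts sweep many destination ports in order, the pattern a
reverse_tcp_allports payload leaves in egress-filter logs (constructed format)."""
import re
from collections import defaultdict

# Constructed deny/allow lines: one host walks ports 1..5 before 443 is allowed.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z DENY TCP 192.168.20.128:1041 -> 203.0.113.10:1
2023-05-01T10:00:01Z DENY TCP 192.168.20.128:1042 -> 203.0.113.10:2
2023-05-01T10:00:01Z DENY TCP 192.168.20.128:1043 -> 203.0.113.10:3
2023-05-01T10:00:02Z DENY TCP 192.168.20.128:1044 -> 203.0.113.10:4
2023-05-01T10:00:02Z DENY TCP 192.168.20.128:1045 -> 203.0.113.10:5
2023-05-01T10:00:02Z ALLOW TCP 192.168.20.128:1046 -> 203.0.113.10:443
2023-05-01T10:00:03Z DENY TCP 192.168.20.77:1050 -> 198.51.100.5:25
2023-05-01T10:00:03Z ALLOW TCP 192.168.20.77:1051 -> 198.51.100.5:80
"""

# Hypothetical log layout: "<ts> <ACTION> TCP <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (action, src, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["action"], m["src"], m["dst"], int(m["dport"])

def find_port_sweeps(log_text, min_ports=5):
    """Group denied attempts by (src, dst); report pairs that hit at least
    min_ports distinct ports, plus the first port that was eventually allowed
    (the channel a reverse payload would end up using)."""
    denied = defaultdict(set)
    allowed = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        if action == "DENY":
            denied[(src, dst)].add(dport)
        else:
            allowed[(src, dst)].append(dport)
    return {
        pair: {"ports": sorted(ports), "egress_via": allowed[pair][:1]}
        for pair, ports in denied.items()
        if len(ports) >= min_ports
    }
```

On the sample log the only flagged pair is 192.168.20.128 to 203.0.113.10, with ports 1 to 5 denied and 443 as the port that finally got out; the second host, with a single denied port, stays below the threshold.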
Resource Files:
Resource files are script files that automate commands within msfconsole. They contain a list of commands that are executed from msfconsole and run sequentially. Resource files can greatly reduce testing and development time by automating many repetitive tasks, including exploitation.
Resource files can be loaded from msfconsole with the resource command, or passed as a command-line argument with the -r switch.
For example, let's create a resource file that displays our IP address and then pings the target machine. First we create a resource file named test.rc and check its contents, as shown below.
Now load the resource file in msfconsole using the -r option, as described above.
As you can see, the resource file automates the task and speeds up penetration testing. You can configure different things in a resource file according to your needs to make your pentesting faster and better.
Exploiting Windows Server 2003:
Windows Server 2003 is one of Microsoft's most widely used enterprise operating systems. We will see how we can exploit a Windows 2003 Server. Updated versions of Windows Server 2003 are patched, so the dcom vulnerability does not work on them; in this section we will try a different vulnerability, the netapi32.dll vulnerability.
As we can see in the results above, the exploit has a great rating, so we will prefer this exploit.
Now our exploit and payload are ready. The next and final step is to use the exploit command.
Let us analyze the result of the execution.
We have a shell connection with our target, which gives us access to the target machine through the command line. You can see how powerful Metasploit can be for penetrating target machines. As shown in the screenshot above, session 1 is open and the attacker machine is connected to Windows Server 2003 on port 4444.
Exploiting Windows 7 / Windows Server 2008 R2:
There are very few exploits available for Windows 7 and Windows Server 2008. The SMB client infinite loop is one such vulnerability; it causes a system crash. This vulnerability will not provide any session or shell connectivity, but it is worth discussing. We will deal with the DLL injection flaw in Windows 7.
The SMB client in the kernel of Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle (MITM) attackers to cause a denial of service (infinite loop and system hang) via an SMBv1 or SMBv2 response packet. The packet contains an incorrect length value in the NetBIOS header, or an additional length field at the end of the response packet. This incorrect header value is the root cause of the vulnerability.
Metasploit contains the auxiliary module auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop, which can be used to exploit the SMB server and cause a denial of service.
We use the run command to execute the auxiliary module. Once the module runs, it generates a shared-folder link that has to be sent to the target. In this case the link generated is "\\192.168.221.146\Shared\Anything".
We can make the link look less suspicious by crafting a web page, attaching this link to it, and sending it to the target user (social engineering). Once the target clicks on this link, the system will completely freeze, resulting in a complete denial of service.
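The flaw above turns on an SMB response whose NetBIOS session header declares a length that does not match the bytes that follow. A network sensor or proxy can reject such frames before a client ever parses them; the following checker is an added example, not code from the original article or from Metasploit. It assumes direct-hosted SMB over TCP/445, where bytes 1..3 of the header are a 24-bit big-endian length (on NetBIOS port 139 per RFC 1002, byte 1 is a flags byte whose only defined bit is the length-extension bit, so the same arithmetic holds while the reserved bits are zero); the frames in the test are constructed, and build_frame exists only to produce fixtures.

```python
"""Added example, not from the original article: a self-consistency check for
the 4-byte NetBIOS session header that fronts every SMB message on TCP/445,
the field that the MS10-006 response packet gets wrong. Frames are constructed."""

NBSS_HEADER_LEN = 4
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_HEADER_LEN = 32   # fixed-size SMB1 header, magic included
SMB2_HEADER_LEN = 64   # fixed-size SMB2 header, magic included

def nbss_length(frame):
    """Declared payload length: bytes 1..3 read as a 24-bit big-endian value
    (assumption: direct-hosted SMB on TCP/445; see lead-in for port 139)."""
    return int.from_bytes(frame[1:4], "big")

def check_nbss_frame(frame):
    """Return a verdict for one TCP-level SMB frame:
    'truncated'        - fewer than 4 bytes, nothing to check
    'length-mismatch'  - declared length != bytes actually present
    'not-smb'          - payload does not start with an SMB magic
    'short-smb-header' - declared length cannot hold a full SMB header
    'ok'               - header and payload are self-consistent"""
    if len(frame) < NBSS_HEADER_LEN:
        return "truncated"
    declared = nbss_length(frame)
    payload = frame[NBSS_HEADER_LEN:]
    if declared != len(payload):
        return "length-mismatch"
    if payload.startswith(SMB1_MAGIC):
        minimum = SMB1_HEADER_LEN
    elif payload.startswith(SMB2_MAGIC):
        minimum = SMB2_HEADER_LEN
    else:
        return "not-smb"
    return "ok" if declared >= minimum else "short-smb-header"

def build_frame(payload, declared=None):
    """Test fixture helper: wrap a payload in an NBSS header. 'declared'
    overrides the true length so an inconsistent frame can be constructed."""
    length = len(payload) if declared is None else declared
    return b"\x00" + length.to_bytes(3, "big") + payload

# Constructed SMB1 body: magic, command 0x72 (SMB_COM_NEGOTIATE), zero padding
# up to the 32-byte header size.
GOOD_SMB1 = SMB1_MAGIC + b"\x72" + b"\x00" * (SMB1_HEADER_LEN - 5)
```

A frame whose declared length exceeds the bytes on the wire is the kind of input a client must never loop on; treating every verdict other than 'ok' as a drop-and-log event keeps the decision out of the vulnerable parser entirely.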
Conclusion
This is how exploitation works using MSF. In my previous two articles you saw how to do information gathering and vulnerability scanning; this was the exploitation part, and in my next article you will see post-exploitation and bypassing firewall rules.