I am going to go through an example of gaining a shell on a target system using Metasploit.
In this scenario, I have a VPN tunnel to a lab with no other Information, this is often referred to as a backbox test. If on a client’s site this would equate to being given nothing more than a connection to the network, this allows the tester can assess what damage can be done by an inside threat or a criminal who managed to gain access to the building and sit down with their laptop and plug into the network. Clients often say they do not believe that a criminal could gain access to their building let alone gain access to their network, I am afraid to say this assumption is very often proven wrong.
So, I have plugged in and I have a connection, first thing I do is establish my IP address.
I can see from the ifconfig output that my Internet Protocol version 4 address (IPv4) is 172.16.64.10 with a netmask of 255.255.255.0, I know this is a netmask length of 24 bits often noted as /24.
I will use fping to produce a list of IPv4 addresses which respond to Internet Control Message Protocol (ICMP) echo on the 172.16.64.0/24 network range. Let us take a look at the command:
• Fping- this is the tool I am using
• -a show systems that are alive
• -g generate a target list
• 16.64.0/24 Scan the all 256 IPv4 addresses ranging from 172.16.64.0 – 172.16.64.255
• 2>/dev/null When using -a, fping will also show the hosts which are unreachable. 2> redirects the standard errors to /dev/null. Essentially it throws them away.
Try the command without this and see what the standard errors are.
The output of our scan can also be saved to file, in this case I don’t as only 5 hosts are alive, one of which is my IPv4 so I only have to remember 4 hosts.
I now want to gain some information about these hosts so that I can look for ways to exploit them, Nmap is one way of doing this. Always save scan output to prevent having to rerun scans.
Create a directory and work from there, I have called by directory ‘labs’ which is created using the command:
mkdIr labs
Nmap is a very powerful tool which will help me enumerate the hosts to find an attack vector. I recommend using it as much as possible as well as acquiring Gordon Lyon’s book as it goes into great deal on the specifics.
I begin with an all ports (Transmission Control Protocol) TCP scan, I should be careful what demands are place on the network by running scans. As this is a lab, I will push the speed a little.
• Nmap the tool I am using
• -sSVC sS is TCP SYN scan, the first of TCP handshake. All flags begin with a hyphen.
• -V Attempts to determine the version of the service on the port.
• -C Scan with default scripts.
• -O Detect operating system.
• -p- Scan all ports, if left out, nmap will scan the top 1000 ports. Often in labs I find that some services are run on non-defaults ports so a full scan is best.
• -v Always know what the tools are doing, verbose also allows me to start using the output before the scan has finished.
• -T4 Aggressive speed, speed ranged from 1 to 5, choose wisely.
• 16.64.101,140,182,199 IPv4 addresses, full address of the first IP address then the last octet for each address separated by a comma.
• -oA Output out results into .xml (Metasploit), .nmap (normal) and .gnmap (grepable)
• nmap_lab7_tcp Name of the file to be saved as. Choose a naming convention and stick to it.
• It can also be beneficial to apply -Pn to disable ping, -Pn does not ping scan therefore it assumes the host is alive and append –open to only display the open ports.
I also need to scan for services which use User Datagram Protocol (UDP). This often a very slow scan so I only scan for the top 50 services. Of course, these services could also have been placed on non-default ports so it can be wise to scan all ports but be prepared to wait a while for the output. TCP and UDP scans can be combined if scanning the same amount of ports.Some of the command is the same as TCP so I will explain the new syntax.
• --sU UDP port scan
• --top-ports=50 scan the top 50 UDP ports
Once my scans are complete, I want to be able to analyse the output. I can scroll through the above scan results or I can import the output into Metasploit so that it can be parsed using the search function.To do so, I need to start up Metasploit.
msfconsole
Then start the database.
msfdb run
There are a few ways of doing this, if the above method doesn’t work then use:
• systemctl start postgresql
• followed by: msfdb InIt
• check the database status using: db_status
Create a workspace using the command:
• workspace -a myworkspacename
I saved my output from the scan as oA nmap_lab7_tcp and oA nmap_lab7_udp. I want to import the .xml files into Metasploit using the following command.
and
This is a much cleaner method than having to scroll through the initial output, which I could do If I wish as I have the .nmap file saved. Nmap can also be used within Metasploit using the command db_nmap.
The output can now be searched, some helpful commands are:
• hosts
• services -p 1433 (change the port number to suit)
• notes
• notes 172.16.64.199 (change the IPv4 to suit)
• vulns
• loot
I can see there are several open ports leaving a nice choice of attack vectors available to me.
Let us see the vulnerabilities that nmap highlighted to us. I consult Google.com and I can see the system is vulnerable to Microsoft SQL Server Payload Execution and a Metasploit module exists, but I require credentials in order to use.
I begin the quest to find the credentials so that I can use the mssql_payload module.
search mssql
Once the module is selected, I use the command: info. This will tell me what the module does and what it’s requirements are. In order to run this module, I need to:
• set your hosts 172.16.64.199 Set the target IPv4 address.
• set pass_fIle /usr/share/wordlists/rockI.txt Choose a wordlist.
• set threads 16 16 is recommended with a max of 255. Higher the number, faster the scan.
• set stop_on_success true Stop when the correct password is found.
• options Check that I settings are correct
‘set’ is the command used to apply the succeeding name. A faster method is to type ‘set’ followed by a space then the first one or two letters of the name to be set, then press tab to auto fill. The name does not have to be typed in capitals.
‘sa’ is the default username for MSSQL, however I can use another wordlist in its place containing common usernames or use a carefully crafted list, I leave it as default for now.
There are other settings which I may want to look at too, take a look at each Name setting as see how it can be used to benefit your attack.
To initiate the module, I can either use the command ‘run’ or ‘exploit’.
This could take some time, get back to the nmap output and begin looking for other attack vectors on the other machines.
As we can see the password is found in the wordlist, you may be thinking that a password of such simplicity would not be used in real life, however you would be mistaken. Even if this word was not used, rockyou.txt has over 14 million words to try with some other wordlist reaching into the billions.
I now have the information I need to use the payload, which I established the server was vulnerable to.
Same as the previous module I need to set the target details use the ‘set’ command. Leave the payload as default, I will cover binds vs reverse and staged vs upstaged in another tutorial. When all names are complete, launch the exploit and smile.
If the exploit succeeds, I will be greeted with a meterpreter shell on the machine I attacked. There are several post exploitation techniques and other tools to use here which help to pivot and gain more information from the network. Often, authentication hashes are dumped at this stage, which can then be cracked or relayed, this is an interesting subject which I will save for another article.
At this stage all I wish to do is prove to the client that I am able to gain access to a machine, I can use the command ‘ifconfig’, as well as other commands, from the meterpreter shell, however it is better to upgrade to a Windows shell and use the command ‘ipconfig’.
Now I have proven I am on the machine; I want to know what privileges I have. Running the command ‘whoami’ shows that I am NT AUTHORITY; the most powerful account on Windows local. On a client assessment we would not stop as this stage as there is a great deal that can be done from such a privileged account.
A few after thoughts:
You may not find MSSQL on the network, if you do then great as you now have a tutorial for gaining a shell. Regardless of the services which you find on a network, the same methodology can be used in many other cases. Metasploit is a great tool which should be understood and used where necessary, it should be one of many and certainly not your primary tool as it can inhibit a thought process that all exploits must be acquired via Metasploit. It has its limitations too; it is effectively an automated exploitation process which does not require much understanding of what is going on in the background which can lead to problems.
Metasploit modules are written in Ruby, the same exploits can often be found by consulting Google.com or by using Searchsploit where you will sometimes find the exploit in Python. The gold standard of using readymade exploits is to not use Metasploit and adapt/ write exploits, often in python. That said, Metasploit is a great way to get on the learning path of exploitation.
I have mentioned just a small amount of commands available for the tools I used. When using a tool, it is a good opportunity to look at its help page. This is often done by typing the tool name in terminal followed by -h or –help, the man page can sometimes be found at the bottom of this output, alternately consult your favourite search engine.