Recently in Metasploit Category

Just had the first day of the Scottish Ruby Conference. The venue was awesome, there'll doubtless be lots of good pictures up on places like flickr in due course, but here's a couple I snapped with my Nokia n900. The three track rooms were the Conference Hall, the Great Hall and my personal favourite the "new" library.

The talks were interesting as always, personal highlight for me had to be Jim Weirich managing to go from particle physics to functional programming seamlessly in a single talk!

My talk was on breaking things with Ruby and was a pretty quick look at the world of penetration testing and some of the cool projects (primarily Metasploit) which use Ruby in this area. My slides can be found here, and if people are interested in more information on the topics I covered, here's some good linkage to start with.

Metasploit

The main Metasploit website. This is the best place to start. There's also a wiki and source code repository on their Redmine site here.

Metasploit Unleashed. This is a free training course from Offensive Security which offers a good place to start with Metasploit, and covers a lot more ground than I could today.

Blog-wise there's a couple of places I consistently find good information on Metasploit. Carnal0wnage's blog and the Dark Operator blogs have lots of posts on what can be done with Metasploit, as well as the Official Metasploit Blog of course.

Also, on Twitter, following @hdmoore, @carnal0wnage and @egyp7 is a good place to start.

Lastly if anyone's looking for videos demonstrating Metasploit, there's quite a few on Security Tube amongst other places.


More Metasploitin' - My first module.

I thought I'd have a shot at writing a quick Metasploit module as a good way to get to know the framework a bit better. I'm basing this on a project I did for my GSOC gold where I wrote a PoC Oracle security scanner in Ruby called rorascanner. Seems like a good idea to move the checks I was doing there into a Metasploit module.

At the moment it's very rough and just basically carries out a series of SQL queries (based on mc's Oracle module) and dumps the results out to a file for later use. I thought it could be useful for people wanting to quickly get some data out of the database for later analysis (kinda' like winenum).

Anyway, the code is here. Any thoughts/suggestions welcome :)

So, more Oracle and Metasploit stuff tonight. As CG pointed out on the last post, most of this has been covered in his series of posts at the carnal0wnage blog (and lots more besides); this is just me working through the process for my own benefit and hopefully pointing out some of the potential things to think about as I go along....

OK, so where I left off last time we'd found our database, enumerated the SIDs and guessed a handily set default username/password (the infamous SCOTT/TIGER). So at this point we've got an account which can access the database, but now we need some more privileges...

4. Escalate privileges to get DBA level access

To do this we're going to use the Metasploit droptable_trigger module, which works slightly differently from some exploit modules in Metasploit, as executing the code generates a file that you then run against the database to elevate your privileges.

Setting this up is very simple:

use auxiliary/admin/oracle/droptable_trigger 

Handily, the default SQL command run by this exploit is "grant DBA to SCOTT", which is exactly what we're looking for.

Once we've run this module, a .sql file is generated in the data/exploit directory. Probably the easiest way of running this is to use sqlplus, like so:

sqlplus SCOTT/TIGER@[your_target_IP_here]/[your_target_SID_here] < msf.sql 

Assuming all goes well with the attack (from my experimentation with 10GR2 this one works fine), you can query the user_role_privs view in Oracle to confirm:


SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT RESOURCE NO YES NO
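The same user_role_privs listing is also what a DBA reviewing a database would look at to spot a grant that should not be there. As an added example (not code from the post or from Metasploit), here is a small Ruby script that parses the SQL*Plus output above and alerts on privileged roles held by accounts outside an expected list; which roles count as privileged and which accounts may hold them are assumptions for illustration, and the sample text is constructed from the listing shown.

```ruby
# Added example (not from the original post): parse the SQL*Plus listing of
# user_role_privs and flag privileged roles held by accounts that should not
# have them. Role and holder lists below are assumed policy, not Oracle defaults.

PRIVILEGED_ROLES = %w[DBA EXECUTE_CATALOG_ROLE].freeze   # roles worth alerting on (assumed)
EXPECTED_HOLDERS = { 'DBA' => %w[SYS SYSTEM] }.freeze    # accounts allowed to hold them (assumed)

# Turn the SQL*Plus output into one hash per grant row. Skips the prompt line,
# the column header and the dashed separator; columns are whitespace-separated.
def parse_role_privs(text)
  rows = []
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('SQL>', 'USERNAME', '---')
    user, role, adm, dflt, os = line.split(/\s+/)
    next unless os   # ignore anything without all five columns
    rows << { user: user, role: role,
              admin_option: adm == 'YES', default: dflt == 'YES', os_granted: os == 'YES' }
  end
  rows
end

# Rows where a privileged role sits with an account not in the expected list.
def unexpected_grants(rows)
  rows.select do |r|
    PRIVILEGED_ROLES.include?(r[:role]) &&
      !EXPECTED_HOLDERS.fetch(r[:role], []).include?(r[:user])
  end
end

# Constructed sample, copied in shape from the output in the post.
ROLE_SAMPLE = <<~OUT
  SQL> select * from user_role_privs;

  USERNAME GRANTED_ROLE ADM DEF OS_
  ------------------------------ ------------------------------ --- --- ---
  SCOTT CONNECT NO YES NO
  SCOTT DBA NO YES NO
  SCOTT RESOURCE NO YES NO
OUT

if __FILE__ == $PROGRAM_NAME
  unexpected_grants(parse_role_privs(ROLE_SAMPLE)).each do |g|
    puts "ALERT: #{g[:user]} holds #{g[:role]} (default role: #{g[:default]})"
  end
end
```

Run it as a script and it prints one ALERT line for SCOTT holding DBA; the CONNECT and RESOURCE rows pass because they are not in the privileged list. Feeding it the output of `select * from dba_role_privs` instead (same column shape, GRANTEE in place of USERNAME) would cover every account rather than just the connected one.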

It's worth noting that some of these Oracle modules (there are 9 in the current Metasploit SVN versions) have required privilege levels (dbms_cdc_publish, for example, in a vanilla 10GR2 setup needs EXECUTE_CATALOG_ROLE to run, which only SYS and users with the DBA role have...), so it's worth trying out several to fit different scenarios...

So here we are with DBA, which to be honest for a lot of attackers is all that's needed. The data in the database is likely to be the "crown jewels" the attackers are looking for, but hey, we can go further with the wonders of Metasploit and execute code on the underlying operating system...

5. Leverage Oracle's functionality to get access to the underlying operating system

So at the moment I don't see a Metasploit option for doing this on *nix (there's a win32 command execution module on mc's page), however that's not a serious problem, as it turns out the nice guys at Oracle provide ways to do this easily.

A quick Google around revealed this paper from Oracle on command execution from a database user, and from my running of it, it works fine (although it requires creation of new database objects, so it's best suited to an environment that can be rolled back easily...).

So there you go, from nothing to OS access in 5 easy steps, courtesy of Metasploit...

Today's fun with Metasploit is exploiting Oracle... There's lots of good information on this on the Carnal 0wnage blog and the Metasploit page for mc.

First things first, we'll need the relevant Ruby modules (dbi and oci8) installed and working for some of this.

dbi can be installed using the usual 'sudo gem install dbi', but oci8 has some more prerequisites and steps to get working. The best thing to do is follow the instructions here. As a note, you'll probably want to add LD_LIBRARY_PATH to your bash profile to avoid setting it manually every time you want to use it (in Ubuntu this can be done system-wide in /etc/bash.bashrc).

Once you've done that it should be possible to make basic connections to Oracle from Ruby OK...

So, on to what Metasploit can do for you in a test with Oracle systems... This walkthrough is heavily based on this video here from ShmooCon this year.

One set of rough steps for converting "hmm, there's an Oracle system here" to "w00t, I've got admin access to the server" might be:


  1. Discover the version of Oracle Running

  2. Find out what the SID of the database is

  3. Get valid credentials to the database

  4. Escalate those credentials to DBA level access

  5. Leverage Oracles functionality to get access to the underlying operating system

  6. ...

  7. Profit!!

Luckily Metasploit can help us with pretty much all of this....

1. Discover the version of Oracle running on the server

This is very useful as it allows for targeting of exploits (there's no point in trying to use an exploit for something that's been patched on the target).

From msfconsole:

use auxiliary/scanner/oracle/tnslsnr_version 
set RHOSTS [your_target_ip_here]
run 

From this you should see something like:

[*] Host 192.168.1.203 is running: Linux: Version 10.2.0.1.0 - Production
[*] Auxiliary module execution completed

which tells us we've got 10gR2 on Linux running.
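The same banner line is useful from the other side of the fence: a listener that announces 10.2.0.1.0 is announcing the base release, and an internal scan that parses those lines can tell you which listeners are behind your own patch baseline. As an added example (not code from the post or from Metasploit), here is a Ruby script that parses the tnslsnr_version output shown above and compares the reported version, component by component, against a baseline. The baseline values and the second sample host are constructed for illustration; substitute your own patch policy.

```ruby
# Added example (not from the original post): parse the banner lines printed by
# the Metasploit tnslsnr_version scanner and flag listeners below a patch
# baseline. BASELINE is an assumed policy for illustration, not Oracle data.

BANNER_RE = /\[\*\] Host (?<host>\S+) is running: (?<os>[^:]+): Version (?<version>[\d.]+)/

# Returns a hash for a banner line, or nil for any other line of output.
def parse_banner(line)
  m = BANNER_RE.match(line)
  return nil unless m
  { host: m[:host], os: m[:os].strip, version: m[:version] }
end

# Split a dotted version into integers so that 10.2.0.10.0 sorts after
# 10.2.0.4.0; a plain string comparison would get that backwards.
def version_key(v)
  v.split('.').map(&:to_i)
end

# Release family (first two components) => minimum acceptable patch level.
# Constructed baseline for the example; replace with your own.
BASELINE = {
  [10, 2] => '10.2.0.5.0',
  [11, 2] => '11.2.0.4.0',
}.freeze

# Classify a parsed banner as :outdated, :current or :unknown_family.
def assess(banner)
  key = version_key(banner[:version])
  min = BASELINE[key[0, 2]]
  return :unknown_family unless min
  (key <=> version_key(min)) < 0 ? :outdated : :current
end

# Run over a chunk of msfconsole output and attach a status to each banner.
def findings(output)
  output.lines.map { |l| parse_banner(l) }.compact.map { |b| b.merge(status: assess(b)) }
end

# Constructed sample, modelled on the line shown in the post plus one more host.
BANNER_SAMPLE = <<~OUT
  [*] Host 192.168.1.203 is running: Linux: Version 10.2.0.1.0 - Production
  [*] Host 192.168.1.210 is running: Linux: Version 11.2.0.4.0 - Production
  [*] Auxiliary module execution completed
OUT

if __FILE__ == $PROGRAM_NAME
  findings(BANNER_SAMPLE).each { |f| puts "#{f[:host]} #{f[:os]} #{f[:version]} #{f[:status]}" }
end
```

The point of `version_key` is the one that trips up ad hoc scripts: Oracle patch levels are five dotted integers, and comparing them as strings would rank a 10.2.0.10 release below 10.2.0.4. Versions from a family that is not in the baseline are reported as unknown rather than silently passed.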

2. Find out what the SID of the database is

In order to connect to the database we're going to need to know what the SID is. Pre-10gR2 we could just use the Metasploit sid_enum module (in auxiliary/scanner/oracle) to find this, but after that we'll need to brute-force it. Not to worry, there's a module for that too :)

As of 3.3-dev 6537 the sid_brute module doesn't appear to be included, but it can be downloaded from mc's page. For this module you'll also need a list of common SIDs for Oracle; one of those can be found on the Red Database Security site.

So once you've put the sid_brute module in the right place (I used modules/auxiliary/scanner/oracle) and your sid.txt file somewhere (I used the module's default of data/exploits) you can do the following...

use auxiliary/scanner/oracle/sid_brute
set RHOST [your_target_ip_here]

and hopefully you'll get some output like:

[*] Found SID 'ORCL' for host 192.168.1.203.

So we've now got the SID of the database, on to usernames and passwords.

3. Get valid credentials to the database

Now, Oracle databases are pretty notorious for having a wide range of default usernames and passwords installed on them. This isn't so true for modern releases, but if you're running against older releases it's well worth checking.

So to do this we'll need the brute_login Metasploit module and a list of usernames and passwords. The module again can be found on mc's page, and the canonical list of Oracle usernames and passwords is on Pete Finnigan's site.

Also, we'll need to get the Oracle mixin at this point from here and copy that to lib/msf/core/exploit/. Now at this point I was getting a module loading error, but reading this and this led me to the idea of modifying the brute_login.rb file, adding

require 'msf/core/exploit/oracle'

to the top of the file (just under the other requires) to get it all loaded up OK (also found out that a lot of this ground's been covered before, but hey :) !)

So with those saved in appropriate places (same as last time) we can see what's there:

use auxiliary/scanner/oracle/brute_login
set RHOST [your_target_ip_here]
run

Now, with any luck, you'll get a file called oracle_success.log popping up in the data/exploits directory, which will contain some entries like this:

Found user/pass of: SCOTT/TIGER on 192.168.1.203...

which tells us the creds we need to make a valid connection and move on to the next stage.

So now we've got a valid account on the database, but it's not got that magic DBA level of privilege.
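The flip side of step 3 is making sure those shipped accounts are not sitting open on your own databases. As an added example (not code from the post or from Metasploit), here is a Ruby script that reads an export of username and account status from dba_users and lists the Oracle-shipped accounts that are still unlocked, together with the ALTER USER statements to lock them. The account name list is a small illustrative subset (a maintained list such as the one the post links to should replace it), the CSV layout is an assumed export format, and the rows are constructed.

```ruby
# Added example (not from the original post): audit a dba_users export for
# Oracle-shipped accounts that are still open. DEFAULT_ACCOUNTS is an
# illustrative subset; the CSV format and sample rows are assumptions.

# Oracle-shipped accounts that commonly arrive with a known default password.
DEFAULT_ACCOUNTS = %w[SCOTT OUTLN DBSNMP CTXSYS MDSYS].freeze

# Parse "USERNAME,ACCOUNT_STATUS" lines, e.g. the result of
# "select username, account_status from dba_users" saved as CSV (assumed format).
def parse_dba_users(csv)
  csv.each_line.map do |line|
    name, status = line.strip.split(',', 2)
    next if name.nil? || name.empty? || name == 'USERNAME'   # skip blank and header lines
    { user: name.upcase, status: status.to_s.upcase }
  end.compact
end

# An account is treated as safe once its status contains LOCKED
# (Oracle reports e.g. "LOCKED" or "EXPIRED & LOCKED").
def locked?(row)
  row[:status].include?('LOCKED')
end

# The shipped accounts that are not locked, i.e. the ones to fix first.
def open_default_accounts(rows)
  rows.select { |r| DEFAULT_ACCOUNTS.include?(r[:user]) && !locked?(r) }
end

# Remediation SQL per finding. Locking rather than dropping is the safe choice,
# because several of these schemas own objects that other features depend on.
def remediation(rows)
  open_default_accounts(rows).map { |r| "ALTER USER #{r[:user]} ACCOUNT LOCK PASSWORD EXPIRE;" }
end

# Constructed sample export.
USERS_SAMPLE = <<~CSV
  USERNAME,ACCOUNT_STATUS
  SYS,OPEN
  SYSTEM,OPEN
  SCOTT,OPEN
  OUTLN,EXPIRED & LOCKED
  DBSNMP,OPEN
  APPUSER,OPEN
CSV

if __FILE__ == $PROGRAM_NAME
  puts remediation(parse_dba_users(USERS_SAMPLE))
end
```

On the sample the script reports SCOTT and DBSNMP; OUTLN passes because it is already expired and locked, and APPUSER is ignored because it is not a shipped account. SYS and SYSTEM are deliberately left out of the list, since they cannot be locked and need a strong password rather than a lock.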

Next time I'll follow up on using Metasploit to get down to the OS.


Tonight's Metasploit links

Been taking a look at another one of the newer Metasploit features tonight. WMAP is looking to integrate web application scanning functionality into Metasploit. There are a couple of good overviews here, here and here.

Getting it up and running is a little bit finicky at the moment, as you need to use a patched copy of ratproxy to collect the base URLs for the scanner (quick note: my fairly new Ubuntu Intrepid install was missing libssl-dev, which is a prerequisite for compiling ratproxy, so it's worth checking for if you get make errors when setting it up).

Once you've gathered URLs and fed them into the database, getting the scanner to start running is straightforward (examples are in the links at the top, so I won't go into it). From an initial look, some of the plugins seem to do some directory/file brute-forcing, which can take ages to run, but if it's going on too long you can use Ctrl-C to interrupt just that plugin and Metasploit will catch the interrupt gracefully and move on to the next directory or plugin...

More Metasploit resources

Metasploit Resources

So I've been playing a bit with Metasploit over the holiday weekend (hey, what are days off for?), and as usual when researching stuff I've come across a load of links I don't want to lose track of, so I'll put them up here; they may be useful to someone else as well..

I'll refrain from the really obvious link to the project homepage, as if you're looking for Metasploit links I'd guess you've found it already :)

Pre-Exploitation Information


Post-Exploitation (meterpreter and the like) Information

About this Archive

This page is an archive of recent entries in the Metasploit category.

Linux is the previous category.

Misc. is the next category.

Find recent content on the main index or look in the archives to find all content.

Powered by Movable Type 4.37
