Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Metasploit = tips, tricks, hashes and tokens

Metasploit is one of the many tools that can be used during a penetration test, and it actually consists of a whole suite of tools, that forms part of a complete attacking framework. Metasploit is not the best tool for every job during a penetration test. However it definitely has its place, and can be very handy if used appropriately.

For the purpose of this blog I will go through a scenario of steps that might be taken during a penetration test. I will purposely use only Metasploit, doing so trying to demonstrate the potential that Metaspliot has.

It is not sensible to rely exclusively on your tools during a penetration test... as they might be wrong from time to time.

It is good practice to try and verify your results and/or findings with another tool if possible. Naturally nothing beats manual verification, for example if a tool says anonymous FTP is possible, the best is to manually FTP to that host and make sure the tool is correct.

As an attack platform, I will be using Backtrack 5R2, which has Metasploit already installed. Also very important it comes with a postgresql database already setup, connected and ready to accept data.

The scope and target network for this penetration test scenario will be 192.168.3.0/24.

So, let's start off with some basics…

Open msfconsole, and check the database status.

11026_a4b81f63-0cd6-40ff-8007-e8242426e899

OK so let's talk about workspaces. In Metasploit workspaces are used as logical units for information. You can have different workspaces for different penetration tests or different locations of the penetration test. It is easy to import and export data between different workspaces.

10057_794d3ad4-a31f-49f9-be38-1abc2e509cc4

There are a couple of tables storing the data inside the workspaces like hosts, services, vulns, loot and notes. Information can be added into these tables manually, for example adding a host into the hosts table:

12170_dd5abe07-58e2-4555-b1fb-be06cab2b61a
And a service can also be added manually into the services table:

8373_26002023-1628-4d4f-afae-79904c827e8f

To populate these tables automatically, you can use db_nmap. You can also use your favorite scanning tool, export your results to an xml file, then import the xml file into the Metasploit database. This can be done with using the db_import inside mfsconsole; as you can see various tools are supported:

7878_0d07ac29-11d8-41cf-a96c-fa6126d24f9a
Let's start by doing a nmap scan:

12295_e3c8a54d-d69a-4c41-8b63-878e10e0dd76
Taking a look at the hosts table, you can see it contains the scan results:

8656_33aa6e5c-d209-4fc2-8b66-1a97dbedffb5
Taking a look at the services table, we can also display tables with only the fields we want to see:

10050_78e5ffad-e761-48c7-8fe4-83a6074593f9
Because we see so many Windows hosts, let's take a look at a auxilliary module, a smb version scanner:

10664_937ec04d-a916-4a22-965e-db0ef315ccc0
So we need to specify a target host, with the set command. But we will have to do the hosts one by one. This is one of the places where the metaplot database comes in very handy, we will add hosts from the services database with the port 445 as a file:

12258_e20db24e-3622-49e2-8526-c22e26a6c48d
After the scan is done we take a look at the services table:

8200_1c215960-a5e8-44a5-8ed8-f41e04021c21

So we have Windows 2003 hosts, only one host has service pack 1 installed. We have the names for the hosts and the Domain name is "TEST".

Other information I'm just guessing is TEST-EMEA-DC-01 is a domain controller and TEST-EMEA-DB-01 might be a database server.

OK, let's look at the potential database server:

9500_5ca3684b-cd89-4e9d-bc6c-dffbf6ae4e44

So one would assume mssql because it is a Windows host. But that by default runs on TCP port 1433 which is not present. I am going to take a shot in the dark and run a test for mssql:

9900_7156cc4c-9454-46e7-82b6-a6bb207a2c51
Seems like we have a winner:

12307_e47d50db-3238-4623-8da4-c24e7386f4c7

OK, there. It picked up a mssql instance. Running on port 1043, SQLEXPRESS.

It's running version 9.00.4035.00, and according to the build number it's Microsoft SQL 2005 SP3.

We peek into the services table, to see what changed:

12401_e8661ba6-9900-45b6-88ff-244a88aa849e

It added TCP port 1043 as mssql as well as UDP port 1433, this is the port that gave the real port for mssql away.

Now that we know there is a databse running and on what port, we can do a brute-force attack, using Metasploit yet again.

10530_8ddd884b-9634-45e8-9d0b-0424137e5e02
We set the right RPORT and we are going to try the same password as the username:

10121_7b103428-01f7-4c96-ba8c-37959dcd743e
Then we run it, and succesfully find the password:

10563_8fa91f2e-7b87-4aff-8859-77a859114e0c

OK, we have the password. So this is our first credential. So we take a look at the creds table:

8791_3a5a9a91-ccf3-46f0-b81b-b8d7dae1ebdc

Exploit time:

11465_ba9e5a75-3433-4bf9-914c-26d11e6390e2
So we know the username, password and the port:

8828_3c2f96bd-d4c0-44ad-83ee-c3d0d3320828

Then we have a meterpreter shell:

7704_04c0693e-7ed2-4807-be57-661ecf61c1b5

Background that session. Then we look at the sessions, and we have 1 session:

7679_035baff7-6dd3-42b2-8a3c-e4da0b069b4c

Next I want to show you some post exploit modules

OK so we can use smart _hashdump to check for hashes. Set SESSIONS and GETSYSTEM parameters:

12300_e3fba7b2-9d13-45ea-9704-b117db05e33b
Then we run it:

11092_a86c05e7-eaba-4da9-badc-8dd8e486b4b1

OK so we have something in the loot table.

It got SYSTEM priviledges, and was able to get 2 hashes. It seems the true administrator account is "localadmin" seeing the RID is 500. So Adminstrator is just as dummy account.

So we look at the loot table because we haven't already:

8034_13ef15b8-986a-4992-bfcc-283c740fd316

So we look at creds, we have 3 already:

11859_ccf3df91-b0a4-47f4-97f1-275b32a261f6
We need to test to see if this local admin password is re-used on the other systems.

So we have erveything we need:

10881_9e128527-da62-40ca-a231-9b775636e015

First we add the hosts list, from the services table:

9833_6e233d1a-5291-46c2-9c1d-29bf0b76e15d

So we are not cracking the hash, we are going to simply passing the hash. We also set

USER_AS_PASS to false and BLANK_PASSWORDS to false:

12446_ea3827cc-03da-4fd0-bb7d-80845821469a

We see lots of successful, logins when we run it:

11198_ada7f442-92e1-4b1c-b92e-3eb464cd0af4

Loads more credentials found:

11692_c5a7f49b-35e6-4818-9f8c-b0681b25c047

So we have the local password for vulnerable Windows systems. We can use the psexec exploit, but you will have to do it one by one. In exploits you have a RHOST not a RHOSTS so you can't give it a list. I want to show you another thing you can use for automation - resource scripts.

With the help of various sources on the Internet, I put together this script. This script can be easily changed and more modules can be added to step through:

9520_5e128eb5-baf2-4167-9ebf-63ea17705fb8
We just do the psexec at the moment.

We can't run the resource yet, as by default the payload windows/meterpreter/reverse_tcp is used, the problem with that is the listening port can't be the same, so we use the windows/meterpreter/bind_tcp payload instead:

9664_65d826e3-e8b1-4e79-9a38-ce4838b8d421

Then we run my resource script:

11313_b2ce2ba5-b24f-4006-a89f-ee850b2bbd7b

We are left with 9 sessions, with the localadmin account:

8023_137c025c-fe92-47e8-a05c-66b7d96e7814

We then need to try and find some more hashes, now normally we have to do it manually again, by interacting with every session and dumping the hashes.

Instead we can use a post module credential collector. This post module will give us the hashes and also very importantly it will use incognito and look for domain tokens. But again the module needs to be run manually step by step on each session, unless we use another resource file…

12363_e729f00c-8215-4886-83a2-af5130aded73

Starts collecting hashes and tokens:

9542_5f4696a9-3c3a-4143-98d0-f787323888f4
Session 5 and session 6 seems to have some interesting domain tokens:

8630_329b3067-6fdb-4f09-888a-24d633ceff17

We manage to steal the token and now we have domain admin level access:

9100_4a3ade0a-59d6-41db-968c-c988cabfec65

This concludes the demonstration of Metasploit and some of its various components within.

Happy Metasploiting…

 

Latest SpiderLabs Blogs

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More

Tips for Optimizing Your Security Operations Framework

Building an effective Security Operations framework that provides the right balance of people, processes, and technologies can take years.

Read More