BackTrack is a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing use. It is named after backtracking, a search algorithm. The current version is BackTrack 5 R3, now based on Ubuntu 10.04 (Lucid) LTS, which is itself based on Debian. [1] The BackTrack distribution originated from the merger of two formerly competing distributions which focused on penetration testing:
• WHAX: a Slax-based Linux distribution developed by Mati Aharoni, a security consultant.
Earlier versions of WHAX were called Whoppix and were based on Knoppix.
• Auditor Security Collection: a Live CD based on Knoppix developed by Max Moser which included over 300 tools organized in a user-friendly hierarchy.
The overlap between Auditor and WHAX in purpose and in their collection of tools partly led to the merger. [1]
With this introduction in mind, and also its popularity, BackTrack has become one of the top security toolkits, used by both hackers and system administrators. Its simplicity of use and its wonderful collection of tools have made it all the more popular and powerful. In this short tutorial on BackTrack, we will get to know an exploitation framework called Metasploit, which was created by the great HD Moore. Metasploit itself has a standalone version, the “Metasploit Framework”, which is used by pros.
BackTrack includes Metasploit too, but that copy doesn’t get updated with new modules, e.g. exploit modules. At first we go through the basic, yet main, definitions and parts of Metasploit. Our amigo has lots of features that could not be covered completely here, so we focus on the two big brothers: Payload & Meterpreter. Then we will practice a trick or two.
A payload is the piece of software that lets you control a computer system after it’s been exploited.
The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it’s a corny description, but you get the picture. [3]
There are three different payload module types in Metasploit: Singles, Stagers, and Stages. These different types allow for a great deal of versatility and can be useful across numerous types of scenarios. Whether or not a payload is staged is represented by ‘/’ in the payload name. For example, windows/shell_bind_tcp is a single payload, with no stage, whereas windows/shell/bind_tcp consists of a stager (bind_tcp) and a stage (shell).
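To make that naming rule concrete, here is an added example (not code from the article or from Metasploit itself) that splits a payload name into its components by the article’s rule and records what each connection type means for a defender watching the network. The ‘bind_’/‘reverse_’ hint and the what_to_watch wording are my assumptions, not something the article states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PayloadName:
    platform: str
    staged: bool
    stage: str              # what finally runs on the target (shell, meterpreter)
    stager: Optional[str]   # the small transport component, staged payloads only
    connection: str         # 'bind' (target listens) / 'reverse' (target calls out)


def classify(name: str) -> PayloadName:
    """Apply the article's rule: platform/single or platform/stage/stager."""
    parts = name.strip().split("/")
    if not all(parts):
        raise ValueError(f"empty component in {name!r}")
    if len(parts) == 2:
        platform, stage, stager = parts[0], parts[1], None
        transport = stage           # single: the transport is baked into the name
    elif len(parts) == 3:
        platform, stage, stager = parts
        transport = stager          # staged: the stager is the transport
    else:
        # arch-qualified names (e.g. windows/x64/...) fall outside the two forms
        # the article describes, so refuse rather than guess (assumption)
        raise ValueError(f"unrecognised payload name: {name!r}")
    # assumption: Metasploit transports are named bind_* or reverse_*
    if "bind_" in transport:
        connection = "bind"
    elif "reverse_" in transport:
        connection = "reverse"
    else:
        connection = "unknown"
    return PayloadName(platform, stager is not None, stage, stager, connection)


def what_to_watch(p: PayloadName) -> str:
    """Defender's view of the transport: where the session shows up on the wire."""
    if p.connection == "bind":
        return f"a new listening TCP port opened on the {p.platform} host"
    if p.connection == "reverse":
        return f"an outbound connection initiated by the {p.platform} host"
    return "no network transport implied by the name"
```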
Singles
Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.
Stagers
Stagers set up a network connection between the attacker and victim and are designed to be small and reliable. It is difficult to always do both of these well, so the result is multiple similar stagers.
Metasploit will use the best one when it can and fall back to a less-preferred one when necessary.
Windows NX vs NO-NX Stagers
• Reliability issue for NX CPUs and DEP
• NX stagers are bigger (VirtualAlloc)
• Default is now NX + Win7 compatible
Stages
Stages are payload components that are downloaded by stager modules. The various payload stages provide advanced features with no size limits, such as Meterpreter, VNC Injection, and the iPhone ‘ipwn’ Shell. Payload stages automatically use ‘middle stagers’:
• A single recv() fails with large payloads
• The stager receives the middle stager
• The middle stager then performs a full download
• Also better for RWX [4]
Metasploit’s most popular payload is called Meterpreter, which enables you to do all sorts of funky stuff on the target system. For example, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.
Aside from ease of detection, it is common for daemons to run in what is referred to as a chrooted environment. This term describes the action of changing the logical root directory for an application, which is accomplished by calling chroot on UNIX derivatives. When an application is running in a chrooted environment it is intended that it be impossible for the application to reference files and directories that exist above the pseudo-root directory. Since the command interpreter typically exists in a directory that is outside of the scope of the directory that an application would chroot to, the execution of the command interpreter becomes impossible. Lastly, the command interpreter is limited to the set of commands that it has access to, both internal and external. The set of external commands that may or may not exist on a machine leads to issues with automation and presents problems with flexibility, not to mention being tied to one specific platform or command interpreter in most cases.
These three problems illustrate some of the downsides to relying on a native command interpreter and come to form the primary reasons for implementing the topic of this document: Meterpreter. To that point, meterpreter is capable of avoiding these three issues due to the way it has been implemented. Firstly, meterpreter is able to avoid the creation of a new process because it executes in the context of the process that is exploited. Furthermore, the meterpreter extensions, and the meterpreter server itself, are all executed entirely from memory using the technique described in Remote Library Injection. The fact that meterpreter runs in the context of the exploited process also allows it to avoid issues with chroot because it does not have to create a new process. In some cases the application being exploited can even continue to run after meterpreter has been injected. Finally, and perhaps the best feature of all, meterpreter allows for incredible control and automation when it comes to writing extensions. Server extensions can be written in any language that can have code distributed in shared object (DLL) form. This fact makes it no longer necessary to implement specially purposed position independent code in what typically requires a low-level language such as assembly. Aside from solving these three issues, meterpreter also provides a default set of commands to illustrate some of the capabilities of the extension system.
For instance, one of the extensions, Fs, allows for uploading and downloading files to and from the remote machine.
Another extension, Net, allows for dynamically creating port forwards that are similar to SSH’s in that the port is forwarded locally on the client’s machine, through the established meterpreter connection, to a host on the server’s network. This enables reaching hosts on the inside of the server’s network that might not be directly reachable from the client. [5]
EXPLOITING WITH METASPLOIT
Scenario: We need to find a Windows machine running SMB. Keep in mind that this vulnerability has been fixed by a patch and not in a Service Pack; so don’t worry about the service pack versions of the Windows machines shown by Metasploit, and give all of them a shot. The address range of the test network is 192.168.250.0/24. We are going to use an exploit on Windows with the following, shortened, details:
Vendor Advisory ID: MS08-067
Vulnerability Type: Remote Code Execution
CVE Reference: CVE-2008-4250
Risk Level: High
CVSSv2 Base Score: 10.0 (HIGH)
Metasploit Exploit ID: ms08_067_netapi
Source: US-CERT/NIST
Description: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. It is a code-execution vulnerability: an attacker successfully exploiting it can run code of his or her choice on the affected machine. The cause is an overflow when handling malformed RPC requests, which enables executing arbitrary code of the attacker’s choosing. Technically, the vulnerability exists in the Server service. [2]
In simple words: a flaw in RPC is used to bypass the authentication needed in SMB; hence, SMB must be running (as it is when a user shares something). SMB listens on TCP port 445. Now it’s showtime: we bring up the Metasploit Framework, a.k.a. msf, in BackTrack (Figure 1).
1. ‘cd’ to the Metasploit Framework directory.
2. Then run the “msfconsole” script.
3. At the msf prompt “msf>” we call the exploit from its path with ‘use’.
4. From the exploit prompt “msf exploit(ms08_067_netapi) >”, we call the scanner.
5. In the scanner prompt “msf auxiliary(smb_version) >”, we ‘set’ the remote host. As you can see, since we want to find a machine running SMB, we chose the entire subnet. Note: the remote host keyword, RHOST, has to be in capital letters.
6. (Optional but recommended) To increase the speed of the search, we ‘set’ the THREADS value to 20; the default is 1.
7. Let the scanner ‘run’. The results and the following steps are shown and described in Figure 2. Who is qualified to be our prey? The host 192.168.250.20 seems good (Figure 3).
8. We load the exploit by ‘use’.
9. Then we ‘set’ the remote host, RHOST, IP address: 192.168.250.20
10. We need to define the application we want to use after exploitation, PAYLOAD.
11. We define our machine as local host, LHOST, with its IP address: 192.168.250.25
12. And ‘exploit’.
13. When we get the “meterpreter >” prompt, it means we are done. To finish our job we run the ‘shell’ command and we will be welcomed by the Windows prompt.
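Seen from the network side, step 5 to 7 (smb_version across the whole /24 with 20 threads) is one source opening TCP/445 to many hosts within seconds, which is easy to pick out of connection logs. The following is an added example, not code from the article; the log format (timestamp, source, destination, destination port) and the log lines themselves are constructed for it, and the thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "timestamp src dst dport". 192.168.250.25 touches eight
# hosts on TCP/445 inside three seconds (a threaded smb_version sweep as the
# wire sees it); 192.168.250.30 makes two ordinary share connections minutes
# apart; one line is plain HTTP and must be ignored.
SAMPLE_LOG = """\
2013-03-01T10:00:00 192.168.250.25 192.168.250.1 445
2013-03-01T10:00:00 192.168.250.25 192.168.250.2 445
2013-03-01T10:00:01 192.168.250.25 192.168.250.3 445
2013-03-01T10:00:01 192.168.250.25 192.168.250.4 445
2013-03-01T10:00:01 192.168.250.30 192.168.250.20 445
2013-03-01T10:00:02 192.168.250.25 192.168.250.5 445
2013-03-01T10:00:02 192.168.250.25 192.168.250.20 80
2013-03-01T10:00:02 192.168.250.25 192.168.250.6 445
2013-03-01T10:00:03 192.168.250.25 192.168.250.7 445
2013-03-01T10:00:03 192.168.250.25 192.168.250.8 445
2013-03-01T10:05:00 192.168.250.30 192.168.250.21 445
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: most distinct TCP/445 targets seen inside one window}
    for each source reaching min_hosts; a one-off share connection never trips it."""
    hits = defaultdict(list)  # src -> [(timestamp, dst)], port 445 only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            hits[src].append((ts, dst))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```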
Foreword: Use your knowledge in ethical ways; at least try to!
VAHID SHOKOUHI (MAR 2013)
I am an Information Security Consultant with more than a decade of experience, mostly in Service Provider environments. My job focuses on designing: Secure Networks, Managed Security Service Provider (MSSP), Security Operation Center (SOC), Research and Training. In addition to being a Security Consultant, I am also a System Administrator with great hands-on experience in Unix-family Operating Systems: Solaris, BSD and Linux. In my free time I write tutorial articles.
Figure 1. Metasploit in Backtrack
Figure 2. The results
Figure 3. Attacking the host
References
[1] www.wikipedia.com
[2] www.securiteam.com
[3] www.metasploit.com
[4] www.offensive-security.com
[5] skape, ‘Metasploit’s Meterpreter’
• Original Site of BackTrack: http://www.backtrack-linux.org
• Original Site of Metasploit: http://www.metasploit.com