
Metasploit


bobbyb1980


Hey guys. For like the past week or two I've been addicted to metasploit. At work we have a network of over 50 machines (I'm the unofficial tech guy) and I've been setting up a bunch of browser exploits, like the java applet attack and the aurora module and getting meterpreter shells - tons of fun! I also get a free pass to play around with spear phishing which is tons of fun and actually works!

I have a few questions for those of you more experienced in metasploit. After compromising one machine (over the internet) what I like to do is add that route to msfconsole so I can further explore the LAN from the internet. The logical next step, for me at least, is to map the network and then go after the router/switch. I'll see what kind it is, try to enumerate snmp info, search for known exploits, etc. I haven't done it yet but I'd like to try to bruteforce/dictionary attack the router via the compromised machine. The problem is I only have axx to a shell, the cli. Does anyone know any ways I can run hydra or a similar program from the cli? I don't know much about this stuff in Windows and it seems everything is GUI. Or perhaps there is a module within metasploit that I can use to do this?

My next question is about managing meterpreter shells. I'm using metasploit framework the free version and not the pro version. I have a dedicated server running a listener. I would like to know how I can set up the server with say a java applet attack, the victim goes there and I then get a meterpreter shell. The problem is that if I close this instance of the listener, the shell goes and doesn't come back. Does anyone know of any ways to manage meterpreter shells while being able to connect/disconnect at will (not background it)?

I hope this all makes sense.


These should answer your question: http://seclists.org/metasploit/2010/q3/281

http://www.indepthdefense.com/2009/02/reverse-pivots-with-metasploit-how-not.html

However, you might be able to just upload nmap to one of the machines you pivot off of, and run them natively from there. Some AV will detect nmap and try to quarantine it, so be sure to shut down AV on the compromised host, and make yourself elevated to SYSTEM before trying any of this. Helps avoid UAC (if it's a Vista/7 machine you compromised). Once you are SYSTEM, you can shut down AV, etc, and then upload nmap to the host and run nmap from there.

Edited by digip

Hey digi and Mr. Protocol, thanks for those links. I've actually been reading the metasploit unleashed religiously for a month or so now. It's great literature.

Digi, I looked at your links. They seemed to be focused on getting a route setup so you can further explore the network. I can get the route setup fine. I can use modules such as a tcp scanner, SQL scanner, SMB login, etc perfectly fine, my access to the LAN from the internet is steady. I don't really need to install nmap to scan as I can just enumerate ARP info from the shell to get a picture of the LAN, or even do "netstat -nr" or "route PRINT" to get the local router IP. I haven't tried it but with a route setup in metasploit I should be able to do "db_nmap -PN -A -sS 192.168.0.0/24" to run nmap from the console as opposed to installing it on the victim machine.

So now that I have access to the network, I have my route setup, I want to try to brute force the router from the victim machine (where I have the original meterpreter shell). In theory a module should work to do this also, but I don't know which module to use. Can anyone recommend some fun stuff to do once inside the network?

The network is comprised of about 50 machines. My goal is to obtain complete access when/where I want to all machines. The only way I know to do this would be to brute force my way into the router and forward some ports so the machines will be accessible from the internet. Or does anyone know any other ways to achieve these goals?


Found the "http_login" module which brute forces http servers. Going to try it against the router authentication page and see what happens.

Anyone know any good ways of managing meterpreter shells (being able to connect/reconnect/disconnect easily)?

Has anyone used metasploit pro? How much was it and what differences were there?

Thanks guys.


Digininja has a tool called rsyaba but not sure if it can be used through a pivot - http://www.digininja.org/projects/rsyaba.php Hydra will also work, but again, not sure if it works through a pivot point. Might be a module to make it work though.


I haven't tried this before, but you could upload the Hydra .exe file to the exploited box and then try running it from a meterpreter shell and see if it works.


Hey fellas, thanks for the advice.

I'm going to try that module digininja wrote later today. I did however use the http_login module which seemed to be pretty functional. I wasn't able to crack the password but I think that was due to my dictionary file and not the module.

In my experience (which isn't that much!) all of the metasploit modules seem to work fine via routed console. I've had success with lots of diff modules, but I've read it can be problematic. Sometimes when I start a route through a meterpreter session the session will die, and I believe that's due to faulty routing. Apparently metasploit pro offers more options and flexibility when it comes to LAN attacks from the internet.

Regarding hydra.exe for mounting a brute force attack against the router from the compromised machine - I only have cli access. I can't use RDP because the router is going to block all requests when I try to connect (ports aren't forwarded). Anyone know how to get axx to the desktop gui from a shell or a way to run hydra from cli in windows?

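The http_login dictionary attack discussed in the posts above leaves a very recognisable trace on the device being guessed at. As an added example (not code from this thread, from Metasploit or from Hydra), here is the defender-side check a network admin would run over the router's web-server log: it counts failed logins per source address inside a sliding time window and flags any source that crosses a threshold, noting whether a successful login followed the burst. The log format, the `/login.cgi` path and the sample lines are constructed for illustration; a real router or reverse proxy logs in its own format, so only `parse_line()` needs adapting.

```python
"""Flag password-guessing against an HTTP admin login page from its access log.

Added example, not from the forum thread. Log format and samples are constructed:
"<ISO timestamp> <source ip> <HTTP status> <path>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<status>\d{3}) (?P<path>\S+)$"
)

# Constructed sample: 192.168.0.23 hammers the login page and eventually gets in,
# 192.168.0.50 mistypes its password twice, minutes apart, and logs in normally.
SAMPLE_LOG = [
    "2011-05-03T10:00:00 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:02 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:03 192.168.0.50 401 /login.cgi",
    "2011-05-03T10:00:04 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:06 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:08 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:10 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:11 192.168.0.50 200 /status.cgi",
    "2011-05-03T10:00:12 192.168.0.23 401 /login.cgi",
    "2011-05-03T10:00:14 192.168.0.23 200 /login.cgi",
    "2011-05-03T10:05:00 192.168.0.50 401 /login.cgi",
    "2011-05-03T10:05:05 192.168.0.50 200 /login.cgi",
]


def parse_line(line):
    """Return (timestamp, ip, status, path), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], int(m["status"]), m["path"]


def find_login_bruteforce(lines, login_path="/login.cgi", window_seconds=60, threshold=5):
    """Return {ip: alert} for every source with >= threshold failed logins in one window.

    Each alert records the first failure of the window, the moment the threshold
    was crossed, the total failures seen for that source, and whether a 200 on the
    login path followed (the case to treat as a probable credential compromise).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    totals = defaultdict(int)     # ip -> every failure seen, window or not
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ts, ip, status, path = parsed
        if path != login_path:
            continue                      # only the login endpoint is of interest
        if status == 401:
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_failure": q[0],
                    "crossed_at": ts,
                    "failures": 0,        # filled in with the final total below
                    "success_after": False,
                }
        elif status == 200 and ip in alerts:
            alerts[ip]["success_after"] = True
    for ip, alert in alerts.items():
        alert["failures"] = totals[ip]
    return alerts


if __name__ == "__main__":
    for ip, a in find_login_bruteforce(SAMPLE_LOG).items():
        verdict = "LOGIN SUCCEEDED AFTER BURST" if a["success_after"] else "no success seen"
        print(f"{ip}: {a['failures']} failures, threshold crossed at {a['crossed_at']}, {verdict}")
```

Run against the constructed sample, only 192.168.0.23 is flagged (threshold crossed on its fifth failure, seven failures in total, followed by a successful login); the two spaced-out failures from 192.168.0.50 never reach the threshold. Raising the threshold, lowering the window, or feeding the alerts into whatever the router or firewall uses for source lockout is a matter of local policy.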

@bobbyb1980 here are two videos that will help you out:

Armitage and Metasploit Training, part 5: Maneuver

This video will show you how to setup a pivot, scan through a pivot, and attack hosts through a pivot

Armitage and Metasploit Training, part 6: Team Tactics

This video will show you how to setup a remote server as a "shared" Metasploit host. You'll also learn how to use proxychains to route external tools through a pivot.

The entire series if you're interested is at: http://www.ethicalhacker.net/content/view/379/1/


Anyone know how to get axx to the desktop gui from a shell or a way to run hydra from cli in windows?

There is a CLI version of Hydra, I think this is one of the links

http://www.aldeid.com/wiki/Thc-hydra

http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/

Edited by Infiltrator

Hey Infiltrator, thanks for the links dude. I'm looking for hydra cli in windows though.

Awesome videos rsmudge. Personally I don't like armitage as all it does is slow down my machine and I feel more flexible in the msfconsole. However that second video really looks to be the answer to my questions. I'm trying to figure out a way to do it independent of armitage as I don't have GUI axx on my server. It also looks to be an extremely complicated setup but that's only more fun! Have you successfully done it? thanks again fellas


Hey Infiltrator, thanks for the links dude. I'm looking for hydra cli in windows though.

This URL has the CLI version of Hydra,

http://www.darknet.org.uk/2007/02/thc-hydra-the-fast-and-flexible-network-login-hacking-tool/

You need to scroll down to where it says,

"IF you want the windows version you can grab this Cygwin version:"

And download this zip file, hydra-5.4-win.zip.

I tested it on my computer and it works, I can run the .exe from within DOS.


Don't know if anyone mentioned it but look into 'pass the hash'

I think what the OP is trying to do is brute force the router/switch by using Hydra.

How is "Pass the hash" going to help? Unless he wanted to gain access to another computer.


Found an easy way to manage the meterpreter shells. Darren mentioned a program called 'screen' a few episodes back that allows you to put a terminal in the background. Now I can just use screen to put my meterpreter shells in the background, I can log out, then log back in and they're still there. w00t.


Yup it works! First I got a shell on a victim machine, then I used meterpreter to ul the file to system32 (only directory without spaces that actually works for me) then I ran it locally and voila!

To navigate directories with spaces you need to use an escape character to use a space.

Say the directory is "My Documents"

You would need to cd My\ Documents

More info: http://en.wikipedia.org/wiki/Escape_character

There is a background feature built into metasploit.

http://www.offensive-security.com/metasploit-unleashed/Metasploit_Meterpreter_Basics command background

Or you can use ctrl+z

Example:

sessions -l ###will look blank after session is opened, type this to show sessions
sessions -l -v
sessions -i 1
shell
ctrl+z ###To Background
