Finding the right exploit

Viewing 9 reply threads
  • Author
    Posts
    • #8134
      caissyd
      Participant

      Hey,

      I was working in a lab trying to pwn a given host, so I more or less did the following:

      1) Ran nmap: May ports are open
      2) Ran Nessus: MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
      3) Metasploit: search MS08-067
      4) Metasploit: use exploit/windows/smb/ms08_067_netapi

      So this was pretty easy. This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones…). But I then tried to figure out how Nessus was able to find this vulnerability and this is where I hit a wall…

      I was able to easily find the OS and open ports like these:


      OS: Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (95%)

      PORT    STATE SERVICE        VERSION
      135/tcp  open  msrpc          Microsoft Windows RPC
      139/tcp  open  netbios-ssn
      443/tcp  open  https?
      445/tcp  open  microsoft-ds    Microsoft Windows 2000 microsoft-ds
      1031/tcp open  msrpc          Microsoft Windows RPC
      1035/tcp open  msrpc          Microsoft Windows RPC
      1037/tcp open  msrpc          Microsoft Windows RPC
      ...

      Does this nmap output tells you something like: “That’s obviously a ms08_067_netapi vulnerability that we have here!”. For me, without Nessus, I would have never tried this exploit…

      So what approach do you guys use? Do you have a set of very powerful exploits that you try at targets that simply match the OS and maybe a port? Or is there some voodoo that you can do to go from this nmap output to this exploit?

      I found more details about it at http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

      I feel like a script kiddy now…  :-

    • #51453
      lorddicranius
      Participant

      I think the clues to try this exploit are the OS and that port 445 is open.

      That Metasploit link you posted shows the OS in the vulnernable OS list.  Plus, the RHOST lines defaults to 445 [SMB service port.  (side question:  Is this port configurable if you’re setting up the network in a production environment?)].

      I’m not a pentester by day though, just from what I’ve gathered in my own lab awhile back when messing with that exploit.

    • #51454
      Grendel
      Participant

      There are a few factors that a scanner looks for, but it breaks down to the following:

      1) OS & version
      2) OS language pack (on occasion)
      3) Version of the application in question

      Even if all three match a particular exploit, it may not work – there are ways to mitigate exploits from a defensive side.

    • #51455
      cd1zz
      Participant

      Whenever I see 445 open and the box is XP ish… I always look for 08-067.

      To know how the scanner checks for this particular vulnerability you can look at the details of the vulnerability to learn how its triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

      On line 130 of the script you see “—Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an — illegal string. If the string is accepted, then the server is vulnerable; if it’s rejected, then — you’re safe (for now). “

      In the code you see what he does to check for 08-067 and it begins to makes sense…

      — Call netpathcanonicalize
      — status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, “\a”, “\test\”)

      local path1 = “\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\..\n”
      local path2 = “\n”
      status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

      — Stop the SMB session
      msrpc.stop_smb(smbstate)

      if(status == false) then
      if(string.find(netpathcompare_result, “UNKNOWN_57”) ~= nil) then
      return true, INFECTED

      elseif(string.find(netpathcompare_result, “INVALID_NAME”) ~= nil) then
      return true, PATCHED
      else
      return true, UNKNOWN, netpathcompare_result
      end
      end

      return true, VULNERABLE
      end

    • #51456
      azmatt
      Participant

      Great question and answers.

    • #51457
      caissyd
      Participant

      Thank you for your answers, lorddicranius, Grendel and cd1zz!

      @cd1zz: I have read the nse script and you are right, it is very obvious when you cheat!

      From lorddicranius:

      I think the clues to try this exploit are the OS and that port 445 is open.

      From cd1zz:

      Whenever I see 445 open and the box is XP ish… I always look for 08-067.

      That’s what I was thinking. If you don’t have access to a vulnerability scanner, but only nmap without the .nse scripts, it’s pretty tough to find an exploit unless you have already used it or seen it before.

      In my original post, I mentioned:

      This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones…)

      So let’s say MS08-067 is patched and you can’t use Nessus, OpenVAS, or any nmap scripts. The approach has to be that, based on experience, you would do like Grendel mentioned and first look at the OS, the open ports and the services fingerprints.

      But still, for example, it’s one thing to see that Apache 1.2.3 is running an find an exploit for it (quite easy), but in my example above, you have to know about it…

      So here’s what I will do from now on: use these vulnerability scanners in the lab and whenever I can to find the vulnerabilities, but instead of just running the corresponding exploit and forget about it, I will take very, very good notes and add it to my toolbox.

      Again, other than when the service is very well documented (like in my Apache 1.2.3 example), I am just afraid of the times when I won’t be able to use a scanner. Getting something like this:

      OS: Microsoft Windows 2003 SP2

      PORT     STATE SERVICE         VERSION
      1035/tcp open  msrpc           Microsoft Windows RPC

      It will be tough to find the exploit I have never used…

    • #51458
      impelse
      Participant

      In my case in the lab I make sure the OS and version of the service in that port, and then I begin to look for the vulnerability and begin to test one by one.

    • #51459
      Triban
      Participant

      I like the way you think H1t M0nk3y!  It’s one thing to scan and assume but a whole other thing to test beyond that of the scanner.  Sometimes a scanner like Nessus may just guess at the vulnerability by factoring what it does know.  But other times it sends test data, I’ve personally seen this when I ran it against some public facing Web App servers.  I turned on the Web App Testing setting and then reviewed the results.  Basically it did the quick tests for XSS and SQLi where appropriate.  Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists.  Other results you see it makes its decision based on OS, service version etc.. 

    • #51460
      dynamik
      Participant

      Then you’re going to need to obtain as much information about the system and services as you can and do some research at the National Vulnerability Database, Open Source Vulnerability Database, ExploitDB, within Metasploit, Google, etc. You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.

    • #51461
      caissyd
      Participant

      @ajohnson wrote:

      Then you’re going to need to obtain as much information about the system and services as you can and do some research

      That’s what I have been doing more lately.

      @ajohnson wrote:

      You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.

      Yes, that’s why very short contracts to perform pentests on many hosts requires vulnerability scanners. Otherwise, you need lots of experience (and there is always something new!) or lots of time…

Viewing 9 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?