
Finding the right exploit


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 10, 2013 7:55 pm

Finding the right exploit

Hey,

I was working in a lab trying to pwn a given host, so I more or less did the following:

1) Ran nmap: Many ports are open
2) Ran Nessus: MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
3) Metasploit: search MS08-067
4) Metasploit: use exploit/windows/smb/ms08_067_netapi

So this was pretty easy. This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones...). But I then tried to figure out how Nessus was able to find this vulnerability and this is where I hit a wall...

I was able to easily find the OS and open ports like these:
  Code:
OS: Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (95%)

PORT     STATE SERVICE         VERSION
------------------------------------------------------------------
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds    Microsoft Windows 2000 microsoft-ds
1031/tcp open  msrpc           Microsoft Windows RPC
1035/tcp open  msrpc           Microsoft Windows RPC
1037/tcp open  msrpc           Microsoft Windows RPC
...

Does this nmap output tell you something like: "That's obviously a ms08_067_netapi vulnerability that we have here!"? For me, without Nessus, I would have never tried this exploit...

So what approach do you guys use? Do you have a set of very powerful exploits that you try at targets that simply match the OS and maybe a port? Or is there some voodoo that you can do to go from this nmap output to this exploit?

I found more details about it at http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi

I feel like a script kiddy now...  :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Jan 10, 2013 8:03 pm

Re: Finding the right exploit

I think the clues to try this exploit are the OS and that port 445 is open.

That Metasploit link you posted shows the OS in the vulnerable OS list. Plus, the RHOST line defaults to 445 [SMB service port. (Side question: is this port configurable if you're setting up the network in a production environment?)]

I'm not a pentester by day though, just from what I've gathered in my own lab awhile back when messing with that exploit.
Last edited by lorddicranius on Thu Jan 10, 2013 8:06 pm, edited 1 time in total.
GSEC, eCPPT, Sec+

Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Jan 10, 2013 8:44 pm

Re: Finding the right exploit

There are a few factors that a scanner looks for, but it breaks down to the following:

1) OS & version
2) OS language pack (on occasion)
3) Version of the application in question

Even if all three match a particular exploit, it may not work - there are ways to mitigate exploits from a defensive side.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
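As an added example for this thread (not code posted by any participant, and not part of nmap, Nessus or Metasploit): the nmap excerpts caissyd posted, parsed into structured records, with the matching factors Grendel lists (OS and version, service version) applied as triage rules. The rules themselves are illustrative assumptions, not a scanner's signature database; the constructed sample input is the two nmap outputs from the thread, and the second one shows why the Windows 2003 host with only 1035/tcp gives so little to go on.

```python
"""Turn the nmap output quoted in this thread into structured records and
apply the triage the replies describe: a 2000/XP/2003-era Windows
fingerprint with SMB on 445 means the MS08-067 patch state is worth
verifying; an unconfirmed service guess ('https?') needs manual
enumeration; a fingerprinted version is a research lead.

Added example, not code from this thread, nmap or Nessus. The triage
rules are illustrative assumptions for this example only.
"""
import re
from dataclasses import dataclass

# Constructed sample: the nmap excerpt from the opening post.
NMAP_WIN2000 = """\
OS: Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (95%)

PORT     STATE SERVICE         VERSION
------------------------------------------------------------------
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds    Microsoft Windows 2000 microsoft-ds
1031/tcp open  msrpc           Microsoft Windows RPC
"""

# Constructed sample: the harder case from caissyd's follow-up post.
NMAP_WIN2003 = """\
OS: Microsoft Windows 2003 SP2

PORT     STATE SERVICE         VERSION
------------------------------------------------------------------
1035/tcp open  msrpc           Microsoft Windows RPC
"""


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str   # nmap appends '?' when the service guess is unconfirmed
    version: str   # empty when nmap printed no version string


# One row of nmap's port table: "445/tcp  open  microsoft-ds  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return (os_guess, [Port, ...]) from nmap's normal text output."""
    os_guess = ""
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OS:"):
            os_guess = line[len("OS:"):].strip()
            continue
        m = PORT_RE.match(line)
        if m:  # header, separator and blank lines do not match
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return os_guess, ports


def needs_ms08_067_check(os_guess, ports):
    """The clue the replies point at: a 2000/XP/2003-era Windows fingerprint
    with SMB (445) open. Assumption: these are the OS versions named in the
    thread; the authoritative affected list is Microsoft's bulletin."""
    legacy = re.search(r"Windows (2000|XP|2003)", os_guess) is not None
    smb_open = any(p.number == 445 and p.state == "open" for p in ports)
    return legacy and smb_open


def triage(text):
    """Return a list of follow-up actions for one host's nmap output."""
    os_guess, ports = parse_nmap(text)
    actions = []
    if needs_ms08_067_check(os_guess, ports):
        actions.append("verify MS08-067 patch state (legacy Windows + SMB/445)")
    for p in ports:
        if p.service.endswith("?"):
            actions.append(f"{p.number}/{p.proto}: service guess "
                           f"'{p.service}' unconfirmed, enumerate manually")
        elif p.version:
            actions.append(f"{p.number}/{p.proto}: research '{p.version}' "
                           f"in NVD / ExploitDB / Metasploit")
    return actions


if __name__ == "__main__":
    for label, sample in (("Windows 2000 host", NMAP_WIN2000),
                          ("Windows 2003 host", NMAP_WIN2003)):
        print(label)
        for action in triage(sample):
            print("  -", action)
```

Run stand-alone, the first sample yields the MS08-067 check plus one manual-enumeration item for 443/tcp and three version leads; the second sample yields only a single research lead for the RPC service, which is exactly the "tough to find" situation described later in the thread.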

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jan 10, 2013 11:59 pm

Re: Finding the right exploit

Whenever I see 445 open and the box is XP ish... I always look for 08-067.

To know how the scanner checks for this particular vulnerability, you can look at the details of the vulnerability to learn how it's triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

On line 130 of the script you see: "Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then you're safe (for now)."

In the code you see what he does to check for 08-067 and it begins to make sense...

  Code:
-- Call netpathcanonicalize
-- status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")

-- An illegal path (a ".." traversal) that a patched server should reject
local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
local path2 = "\\n"
status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

-- Stop the SMB session
msrpc.stop_smb(smbstate)

-- The call was rejected: the error string tells patched from infected
if(status == false) then
  if(string.find(netpathcompare_result, "UNKNOWN_57") ~= nil) then
    return true, INFECTED
  elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
    return true, PATCHED
  else
    return true, UNKNOWN, netpathcompare_result
  end
end

-- The illegal path was accepted: the server is unpatched
return true, VULNERABLE
end

azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Fri Jan 11, 2013 12:16 am

Re: Finding the right exploit

Great question and answers.
GCFA, GCIH, GCIA, GWAPT, CISSP, CEH, GSEC

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jan 11, 2013 7:30 am

Re: Finding the right exploit

Thank you for your answers, lorddicranius, Grendel and cd1zz!

@cd1zz: I have read the nse script and you are right, it is very obvious when you cheat!

From lorddicranius:
I think the clues to try this exploit are the OS and that port 445 is open.

From cd1zz:
Whenever I see 445 open and the box is XP ish... I always look for 08-067.
That's what I was thinking. If you don't have access to a vulnerability scanner, but only nmap without the .nse scripts, it's pretty tough to find an exploit unless you have already used it or seen it before.

In my original post, I mentioned:
This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones...)
So let's say MS08-067 is patched and you can't use Nessus, OpenVAS, or any nmap scripts. The approach has to be that, based on experience, you would do like Grendel mentioned and first look at the OS, the open ports and the services fingerprints.

But still, for example, it's one thing to see that Apache 1.2.3 is running and find an exploit for it (quite easy), but in my example above, you have to know about it...

So here's what I will do from now on: use these vulnerability scanners in the lab and whenever I can to find the vulnerabilities, but instead of just running the corresponding exploit and forgetting about it, I will take very, very good notes and add it to my toolbox.

Again, other than when the service is very well documented (like in my Apache 1.2.3 example), I am just afraid of the times when I won't be able to use a scanner. Getting something like this:

  Code:
OS: Microsoft Windows 2003 SP2

PORT     STATE SERVICE         VERSION
------------------------------------------------------------------
1035/tcp open  msrpc           Microsoft Windows RPC
It will be tough to find the exploit I have never used...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Jan 11, 2013 9:14 am

Re: Finding the right exploit

In my case, in the lab, I make sure of the OS and the version of the service on that port, and then I begin to look for the vulnerability and test one by one.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jan 13, 2013 9:52 pm

Re: Finding the right exploit

I like the way you think, H1t M0nk3y! It's one thing to scan and assume but a whole other thing to test beyond that of the scanner. Sometimes a scanner like Nessus may just guess at the vulnerability by factoring in what it does know. But other times it sends test data; I've personally seen this when I ran it against some public-facing web app servers. I turned on the Web App Testing setting and then reviewed the results. Basically it did the quick tests for XSS and SQLi where appropriate. Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists. For other results, you see it makes its decision based on OS, service version, etc.
Certs: GCWN
(@)Dewser

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jan 15, 2013 10:48 pm

Re: Finding the right exploit

Then you're going to need to obtain as much information about the system and services as you can and do some research at the National Vulnerability Database, Open Source Vulnerability Database, ExploitDB, within Metasploit, Google, etc. You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.
The day you stop learning is the day you start becoming obsolete.

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 16, 2013 9:06 am

Re: Finding the right exploit

ajohnson wrote:
Then you're going to need to obtain as much information about the system and services as you can and do some research

That's what I have been doing more lately.

ajohnson wrote:
You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.

Yes, that's why very short contracts to perform pentests on many hosts require vulnerability scanners. Otherwise, you need lots of experience (and there is always something new!) or lots of time...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
