Wednesday, February 26, 2014

Metasploit MS08-067 getting stuck at "Attempting to trigger the vulnerability..."

According to Rapid7, MS08-067 "tends to give the most reliable shells on Windows 2003 Server and Windows XP". This is the bread and butter Metasploit module - if you have any experience with Metasploit at all, you've probably used it before.

However, it sometimes gives trouble.

1) Metasploit displays:
[*] Attempting to trigger the vulnerability...
and then returns a prompt. A normal Metasploit prompt, not a Meterpreter prompt like you wanted.

If you don't specify a payload with MS08-067, it automatically uses the "windows/meterpreter/reverse_tcp" payload. In other words, this is a Windows Meterpreter that will call back to your local computer. When Metasploit says that it is triggering the vulnerability, it is doing just that: the payload is launched on the remote host and tries to call back. However, it cannot reach your local computer, the handler times out waiting for the connection, and you are returned to the Metasploit prompt.

The next step is to verify connectivity, so you ping the remote computer. And it works. So why can't it connect back to you?

The most likely reason is that you are behind a NAT. For example, it is very common to run Kali inside of a virtual machine using software such as VirtualBox. In such software, the networking is configured to use a NAT by default. Go into your virtual machine settings and change the networking to bridged mode, so that your Kali gets a "real" IP on the network.

If you aren't running your Kali in a VM, hopefully this gives you a clue about the connectivity issue. By default, Kali doesn't use iptables (the Linux firewall), so the problem may lie in the devices between you and the target, or even a firewall on the target itself.

In short, being able to open a connection to a machine doesn't necessarily mean that the machine can open a connection back to you. Many switches, routers, and firewalls are configured to let established TCP/IP connections pass in both directions but to block new connections coming from one direction.

One other thing to try if you are still having problems is to use the bind ("forward") Meterpreter payload instead of the reverse one:

set payload windows/meterpreter/bind_tcp

This payload isn't used by default because it generally has a lower chance of working: most firewalls restrict incoming traffic and allow outgoing traffic, so a port the target opens and waits on is more likely to be blocked than a connection the target makes outward.

2) Metasploit displays:
Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (###.###.###.###:445).

"Port 445 was open a minute ago, and now it isn't. What the hell?"

Using the MS08-067 exploit has a tendency to knock over the target. For example, if you run Kali in a VM and forget to enable bridged networking (see #1 above), the target will be unable to call back to you. But not only that: it will now reject all connections on port 445 until the system is restarted. Either find a way to restart the box, play the waiting game, or move on to a different target.

Saturday, February 1, 2014

Nullcon HackIM 2014 - Programming 300

I was messing around with Nullcon HackIM 2014 last week and I stumbled upon this little problem.
Given five positive integers A, B, C, D and E. It is required to perform a daunting task to compute a Key = Pow(A, Pow(B, Pow(C, Pow(D, Pow(E))))). Fortunately, Key is required to be mod a prime number P

Connect to Server to get A, B, C, D, E & P and Help the Sherlock Holmes to get the key.
You netcat to the server and, sure enough, get back a random question that is far too large for even a supercomputer to calculate directly. The point of the problem is that since the key only has to be computed mod a prime number, you can use some clever modular arithmetic to greatly simplify the calculation. However, the best hackers know that you always go for the lowest-hanging fruit first.

#!/usr/bin/python
# Python 2 script: connects to the challenge server, hands each question to
# Wolfram Alpha, and sends back the number it returns.

import socket
import re
import sys
import urllib2

HOST = '23.23.190.204'
PORT = 2000

# connect to server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# get rid of welcome message
data = s.recv(1024)

while True:
	data = s.recv(1024)
	print "\nRecv:\n" + data
	# the server asks "What is <expression> ?"; grab the expression
	match = re.search(r'What is (.+) \?', data)
	if match:
		equ = match.group(1)
		print "equ = " + equ
	else:
		print 'Regex did not match'
		sys.exit()

	# URL-encode the expression for the Wolfram Alpha query string
	equ = equ.replace('(', '%28')
	equ = equ.replace(')', '%29')
	equ = equ.replace(' ', '+')
	equ = equ.replace('^', '%5E')

	print "visiting: " + "http://www.wolframalpha.com/input/?i=" + equ
	data = urllib2.urlopen("http://www.wolframalpha.com/input/?i=" + equ).read()
	# scrape the result pod out of the inline JSON (matched the site's markup at the time)
	match = re.search(r'context.jsonArray.popups.pod_0200.push\( {"stringified": "(\d+)"', data)
	if match:
		answer = match.group(1)
		print "answer = " + answer
	else:
		print 'Error with Wolfram =('
		sys.exit()

	# send answer, newline-terminated as the server expects
	s.send(str(answer) + "\n")

	# get rid of header message
	data = s.recv(1024)
	print data

It worked on the first try. =) Props to Derek for coming up with the idea.
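The modular-arithmetic shortcut the post alludes to but skips, as an added example that is not part of the original writeup: it evaluates Key = A^(B^(C^(D^E))) mod P by reducing each exponent level modulo a totient instead of ever building the tower. The function names are my own, and the trial-division totient assumes P is small enough to factor that way (the post does not say how large P was).

```python
def totient(n):
    """Euler's phi(n) by trial division (fine for CTF-sized moduli; assumption)."""
    result, x, p = n, n, 2
    while p * p <= x:
        if x % p == 0:
            while x % p == 0:
                x //= p
            result -= result // p
        p += 1
    if x > 1:
        result -= result // x
    return result


def tower_capped(xs, cap):
    """min(xs[0]^(xs[1]^(...)), cap): tells whether the tower is at least cap
    without computing it. All xs are positive integers, as in the challenge."""
    if len(xs) == 1:
        return min(xs[0], cap)
    base = xs[0]
    if base == 1:
        return 1
    exp = tower_capped(xs[1:], cap)
    r = 1
    for _ in range(exp):  # base >= 2, so this exits within log2(cap) steps
        r *= base
        if r >= cap:
            return cap
    return r


def tower_mod(xs, m):
    """xs[0]^(xs[1]^(...)) mod m via the generalized Euler theorem:
    for n >= bit_length(m), a^n == a^(n mod phi(m) + phi(m)) (mod m),
    which also holds when a is not coprime to m."""
    if m == 1:
        return 0
    if len(xs) == 1:
        return xs[0] % m
    k = m.bit_length()  # >= the largest prime-power exponent dividing m
    n_small = tower_capped(xs[1:], k)
    if n_small < k:  # the exponent is small, so n_small is its exact value
        return pow(xs[0], n_small, m)
    phi = totient(m)
    return pow(xs[0], tower_mod(xs[1:], phi) + phi, m)


def solve_key(a, b, c, d, e, p):
    """Key = Pow(A, Pow(B, Pow(C, Pow(D, E)))) mod P, as the challenge asks."""
    return tower_mod([a, b, c, d, e], p)
```

Reducing the exponent modulo P-1 alone (plain Fermat) is not enough here, because the next level down has to be reduced modulo phi(P-1), and P-1 is not prime; the capped tower is what makes the non-coprime cases safe.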