VPN Pivot Test for Metasploit Pro

Penetration testing software only shows its true capabilities on actual engagements. However, you cannot race a car before you’ve ever sat in the driver’s seat. That’s why in this article I’d like to show you how to set up a test environment for VPN pivoting, a Metasploit Pro feature for intermediate and advanced users recently described in this post.

VPN pivoting is one of the best but also most elusive features in Metasploit Pro. It enables users to route traffic through an exploited host into a different network. A TUN/TAP adapter is activated on the Metasploit Pro machine, while no new network adapter appears on the exploited host.

How does it work? VPN pivoting installs hooks at the kernel level of the target system without making any permanent or persistent change to the OS. In layman’s terms, it gives the Metasploit Pro machine an IP address on the network of the exploited host. The use case is pretty cool, but we’ll get into that later.

You will need:

  • A copy of Metasploit Pro (download trial version if you don’t have a license)
  • Some form of virtualization technology (I use VMware Workstation)
  • Two or more vulnerable VMs (at least one Windows because VPN pivoting currently only works on a Windows target)
  • A can-do attitude

Pivoting enables you to jump from one network segment to another. This requires that one target machine has two network adapters, constituting a bridge between the network segments for you to exploit. In my example, I’m using three virtual machines:

  • Metasploit Pro machine (external network)
  • Windows Server 2003 (two network cards, one internal IP, one external IP)
  • Windows XP (internal network)

We want to simulate an external penetration test where we exploit the Windows Server 2003 and then pivot into the internal network to exploit the Windows XP machine. If you can get a session on this machine, you can pivot to gain access to the private network. To simulate this we need one device that has both a public and private IP, and one device that just has a private IP.

I find it easiest to use VMware’s Virtual Network Editor in the Edit menu to configure the VMnet adapters. You can add up to 8 network interfaces in VMware Workstation, but we’ll only need 2. I chose VMnet1 and VMnet2. If you already have those reserved for something else, just substitute some of the additional adapters for this use case. Set up the Metasploit Pro machine on VMnet1:

Virtual network adapter                                   VMnet1 (external network)
Host-only (connect VMs internally in a private network)   Yes
Connect a host virtual adapter to this network            No
Use local DHCP service to distribute IP addresses to VMs  Yes
Subnet IP                                                 192.168.187.0
Subnet mask                                               255.255.255.0

Configure the Windows Server 2003 machine’s networking as follows (it needs an adapter on each network):

Virtual network adapter                                   VMnet1 (external network)   VMnet2 (internal network)
Host-only (connect VMs internally in a private network)   Yes                         Yes
Connect a host virtual adapter to this network            Yes                         No
Use local DHCP service to distribute IP addresses to VMs  Yes                         Yes
Subnet IP                                                 192.168.187.0               172.16.255.0
Subnet mask                                               255.255.255.0               255.255.255.0

Setting up the Windows XP machine is much easier because it only needs one network adapter (VMnet2):

Virtual network adapter                                   VMnet2 (internal network)
Host-only (connect VMs internally in a private network)   Yes
Connect a host virtual adapter to this network            No
Use local DHCP service to distribute IP addresses to VMs  Yes
Subnet IP                                                 172.16.255.0
Subnet mask                                               255.255.255.0
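Before exploiting anything it is worth confirming that the three VMs really form a pivot scenario, i.e. that the Metasploit Pro machine cannot reach the Windows XP box except through the dual-homed server. The following Python script is an added example (not part of the original post and not Metasploit Pro code): it models the VMnets and VMs from the tables above and walks the graph of shared network segments. The two subnets are the ones configured above; the VM names and the individual host addresses are assumed values that VMware’s DHCP service could hand out.

```python
"""Sanity-check a VMware pivot lab before running the exploit steps.

Added example, not part of the original post or of Metasploit Pro. Only the
subnets come from the post; VM names and host addresses are assumptions.
"""
from collections import deque
import ipaddress

# VMnet name -> subnet, as configured in the Virtual Network Editor
VMNETS = {
    "vmnet1": ipaddress.ip_network("192.168.187.0/24"),  # external network
    "vmnet2": ipaddress.ip_network("172.16.255.0/24"),   # internal network
}

# VM name -> list of (vmnet, address). Addresses are assumed DHCP leases.
LAB = {
    "msfpro":  [("vmnet1", "192.168.187.10")],
    "win2003": [("vmnet1", "192.168.187.20"), ("vmnet2", "172.16.255.20")],
    "winxp":   [("vmnet2", "172.16.255.30")],
}


def check_addresses(lab=LAB, vmnets=VMNETS):
    """Return (vm, address) pairs whose address lies outside its VMnet's subnet."""
    bad = []
    for vm, adapters in lab.items():
        for vmnet, addr in adapters:
            if ipaddress.ip_address(addr) not in vmnets[vmnet]:
                bad.append((vm, addr))
    return bad


def segments_of(vm, lab=LAB):
    """The set of VMnets a VM has an adapter on."""
    return {vmnet for vmnet, _ in lab[vm]}


def pivot_path(src, dst, lab=LAB):
    """Shortest list of VMs from src to dst, hopping only between VMs that
    share a VMnet (breadth-first search). Returns None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in lab:
            if nxt not in prev and segments_of(cur, lab) & segments_of(nxt, lab):
                prev[nxt] = cur
                queue.append(nxt)
    return None


def pivot_hosts(src, dst, lab=LAB):
    """The dual-homed VMs between src and dst, i.e. the hosts you would have
    to compromise and pivot through. None if there is no path at all."""
    path = pivot_path(src, dst, lab)
    return path[1:-1] if path else None


if __name__ == "__main__":
    assert not check_addresses(), check_addresses()
    direct = bool(segments_of("msfpro") & segments_of("winxp"))
    print("msfpro reaches winxp directly:", direct)          # False: a pivot is needed
    print("pivot path:", pivot_path("msfpro", "winxp"))      # ['msfpro', 'win2003', 'winxp']
    print("pivot through:", pivot_hosts("msfpro", "winxp"))  # ['win2003']
```

If `pivot_hosts` returns an empty list, the two machines already share a segment and you have not built a pivot scenario; if it returns None, no VM bridges the two VMnets and step 3 below will never be enabled.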

Once completed, your setup should look like this:

Now that we’ve done the heavy lifting, it’s time to have some fun:

  1. Use Metasploit Pro to discover the Windows Server 2003 machine’s external IP address.
  2. Exploit the host to get a session.
  3. Click on Create VPN Pivot from Sessions dialog. This option is only enabled if the shelled machine has a second IP address in a network segment that’s not directly accessible by Metasploit Pro.
  4. Choose the 172.16.255.x network. (VMware’s local DHCP service should automatically give you an IP address, if not just specify one manually).
  5. At this point, the layer 2 traffic from the Metasploit Pro machine is routed into the internal network. It’s very much like you just connected to the target’s corporate VPN, hence the name VPN pivoting. Unlike other, proxy-based pivoting technologies, Metasploit Pro doesn’t have any networking limitations, so you could also use a vulnerability scanner, such as NeXpose, to carry out an advanced discovery.
  6. Run another discovery specifying the 172.16.255.0/24 network.
  7. Have your face melt when you see that the Windows XP machine appears in your hosts list! Huzzah!

Take some time to browse around the Windows 2003 server – you won’t find a trace of the pivot. Essentially, you are now performing an internal penetration test from the outside. Pretty incredible, right?
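The absence of a trace on the Windows 2003 server is the host-side view. On the network side, the pivot adapter takes a DHCP lease on the internal segment (step 4 above) just like any other host, so an unknown MAC address appearing in the DHCP server’s lease records is the footprint a defender can look for. The following Python script is an added example, not from the original post and not Metasploit Pro code: it reads ISC dhcpd-style lease records, keeps the most recent record per address, and flags leases whose MAC address is not in a known-host inventory. The lease text, the MAC addresses and the inventory are constructed for the example; that VMware’s local DHCP service writes exactly this format is an assumption.

```python
"""Flag unknown hosts on the internal segment from DHCP lease records.

Added example, not part of the original post or of Metasploit Pro. The lease
text is constructed in ISC dhcpd style; the MACs and inventory are made up.
"""
import re

# Constructed inventory of the MACs that belong on 172.16.255.0/24:
# the Windows Server 2003 internal NIC and the Windows XP machine.
KNOWN_MACS = {
    "00:0c:29:11:22:33": "win2003 (internal NIC)",
    "00:0c:29:44:55:66": "winxp",
}

# Constructed lease records. The second lease for .129 is a renewal, which
# dhcpd appends after the original. The last record has no client hostname
# and a MAC that is not in the inventory: the shape of an unexpected host.
SAMPLE_LEASES = """\
lease 172.16.255.128 {
  starts 3 2010/10/20 14:02:11;
  ends 3 2010/10/20 14:32:11;
  hardware ethernet 00:0C:29:11:22:33;
  client-hostname "WIN2003";
}
lease 172.16.255.129 {
  starts 3 2010/10/20 14:03:40;
  ends 3 2010/10/20 14:33:40;
  hardware ethernet 00:0c:29:44:55:66;
  client-hostname "WINXP";
}
lease 172.16.255.129 {
  starts 3 2010/10/20 14:33:40;
  ends 3 2010/10/20 15:03:40;
  hardware ethernet 00:0c:29:44:55:66;
  client-hostname "WINXP";
}
lease 172.16.255.130 {
  starts 3 2010/10/20 14:41:05;
  ends 3 2010/10/20 15:11:05;
  hardware ethernet 02:00:5e:00:53:01;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+(?:\.\d+){3})\s*\{(?P<body>[^}]*)\}")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17})\s*;")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')
ENDS_RE = re.compile(r"ends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*;")


def parse_leases(text):
    """Return {ip: record}. A later record for the same IP overrides an
    earlier one, matching how dhcpd appends renewals to its lease file."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        ends = ENDS_RE.search(body)
        leases[m.group("ip")] = {
            "ip": m.group("ip"),
            "mac": mac.group(1).lower() if mac else None,  # normalise case
            "host": host.group(1) if host else None,
            "ends": ends.group(1) if ends else None,
        }
    return leases


def unexpected_leases(text, known_macs=KNOWN_MACS):
    """Most recent lease per IP whose MAC is not in the inventory."""
    known = {mac.lower() for mac in known_macs}
    return [rec for rec in parse_leases(text).values() if rec["mac"] not in known]


if __name__ == "__main__":
    for rec in unexpected_leases(SAMPLE_LEASES):
        print(f"unknown host {rec['ip']} mac={rec['mac']} "
              f"hostname={rec['host'] or '(none)'} lease ends {rec['ends']}")
```

In a real lab the same comparison can be run against the internal host’s ARP cache, since the pivot’s frames carry its MAC onto the internal segment even if its DHCP request is missed.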

Network Trouble in the World of VMware

Hey gang.

In the midst of all my testing and whatnot, the network goes down all the time in my various VMs. Being lazy, I couldn’t stand having to manually restart the network every time I changed something. Last week when I was in Austin, jcran showed me the value of keyboard shortcuts in Linux. Because I couldn’t be bothered to even click a button to open a terminal, he showed me how he mapped it to Alt-F3, which is awesome. After that I thought it couldn’t be that hard to restart the network with the same idea.

First off, I wrote a little script:

I knew the pesky terminal command I needed to run was:

sudo /etc/init.d/networking restart

So instead of having to open a terminal to do this every time, I now had a script to do it for me. I saved this script as network_restart.sh to my /home directory.

Next I went to my keyboard shortcuts:

From here, I created a new shortcut.

I made the name of my shortcut network_restart.

For the shortcut link, I put:

/home/<my home folder>/network_restart.sh

Now that I had my shortcut saved, I clicked on where it says “disabled” and typed:

Ctrl Alt Home

Now my script was mapped to the Ctrl Alt Home shortcut. You can map it to whatever you want, just make sure it isn’t already mapped to something else.

Social Engineering with Metasploit Pro!

Skill level: Novice

What you need:

– Light html editing skills
– Some place to host a file
– Can-do attitude

Since its release last month (and before, during beta) I have been mucking about with some of the more advanced features included in Metasploit Professional. Being a deviant (in a past life), the most logical place to go first would be social engineering.

Today we are going to create a three-pronged social engineering campaign leveraging Microsoft’s LiveMeeting as a platform. You can use whatever input floats your boat, but it’s best to use something that requires a local download of some sort. Pro provides a great framework for real-world web and email phishing, as well as a platform for security awareness training internally. Creation of the overall engagement is very straightforward in Pro, but there are a few extra things you can do to make it far more effective. I’ve created an example of how to use this functionality.

I started off by creating a new project. For those of you not familiar with Pro, it will look alien to you at first. A GUI-based Metasploit? I say! Blasphemous! Unheard of!

Meh, stick with me…

If you’ve seen Metasploit Express before then this won’t look quite so radical, but you will notice a few new tabs across the top =].

Before I got started with the campaign, there were a few prerequisites I needed to get out of the way. In order to run an email phishing campaign, I first needed an open relay to send my emails through so they would look like they were coming from LiveMeeting and not me. There are lots of open relays available on the internet (here’s a list I got from a buddy, unverified, and some are blacklisted), but best practice is to get one from your ISP or create a little sendmail server yourself, which is what I did. I had heard many horror stories about how difficult Sendmail could be to configure correctly, but I didn’t have any trouble with this instance. The easiest way to do it is to pick a Linux box (it can be the same one running Metasploit if you want) and run this command from a root terminal:

root@pracpwn:~# apt-get install sendmail

This will install the sendmail server and start it; this will be our open relay. Next, I needed a way to manage it, because I sure as hell wasn’t doing it by command line. So I got Webmin from webmin.com. I have a Debian-based distro (Ubuntu 10.04), so I grabbed the Debian package. Once I got that installed, I browsed to:

<ip where you installed webmin and sendmail>:10000

If everything installed correctly, you will get a prompt that looks like this:

I logged in using the credentials I use to log into my machine.

Next, I took off all the security to actually make my relay open. After all was said and done I went back and turned on a few aspects like authentication, SSL, etc but to get started I find it’s best to just get it working first =]. To do that I opened up the sendmail settings and turned everything to just run on port 25.

From here, click on Network Ports and check the default radio button as shown:

Save it, and now we’re ready to get into Metasploit Pro!

I then created a new campaign. Once created, I chose all three types: Web, Email, and USB, with this config:

Doesn’t really matter what you call the project, but I wanted to match the filename and from address as closely as possible to what a victim would be expecting. From here, I just clicked save and moved on to the web config.

This part was ridiculously easy. All I did was browse to my livemeeting login page (or your target page of choice), copy the page source and paste it into the HTML field. I have done this for several pages, and Pro is very consistent at being able to render these properly. For more advanced pwnage, you can also go in and modify the code to harvest usernames and passwords as well as make one of the buttons download a payload. By default, Pro starts a browser exploit onslaught as soon as the victim browses to this page. Of course, we don’t even need a web template if we can get it done with an email template.

I applied the same concept to my email template config as my web… grabbed an outlook invite with livemeeting info, copied the html from the invite and pasted it into the HTML field.

(Note: for calendar invites, outlook doesn’t let you copy the html directly so I copied the contents of the email and pasted them into NVU first (open source html editor). From there I converted the email to html and copied the html from there back into Pro).

From here I looked through the html for the link to the actual livemeeting (mine was called “Click to Join LiveMeeting”). I took note of this location and hit save.

Next was the list of email addresses. I didn’t have one at the time, so I just put in my gmail address as a test to make sure it works.

Now back at the main campaign page, I had everything set up. The only question was what to do with my new executable, so I decided to make my email template a little more potent. I created a directory structure on one of my hosted servers (livemeeting/meetings) and uploaded my executable to it so that it’s always available. The directory structure wasn’t necessary, but it makes the download look a little more authentic. Then I dug back into my email template config.

Remembering where my link was, I changed the href from the LiveMeeting site to redirect to my executable for it to download. Since I named it “launch.exe”, it looks very similar to the “launch.rtc” file downloaded automatically by LiveMeeting. It doesn’t look exactly the same, but you’d be surprised how many people don’t really pay attention =].

So now I save that, enter my email addresses, run the campaign, sit back and wait for the sessions! Huzzah!
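From the defender’s side, the tell in this campaign is the link itself: anchor text that names LiveMeeting while the href points to an executable on an unrelated host. The following Python script is an added example (not from the original post and not Metasploit Pro code) that extracts the anchors from an HTML invite and flags those whose href ends in an executable extension, whose text names a brand but whose host is not one of that brand’s expected hosts, or whose visible text is itself a URL on a different host than the href. The sample invite, the `livemeeting.example` expected host and the `example.invalid` download host are placeholders constructed for the example.

```python
"""Flag suspicious links in an HTML email invite.

Added example, not part of the original post or of Metasploit Pro. The
sample invite and every hostname in it are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Download extensions that have no business behind a "join meeting" link
EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta", ".pif")

# Brand keyword -> hosts a genuine link for that brand may point at.
# Placeholder domain; a real deployment would list the vendor's real hosts.
BRAND_HOSTS = {"livemeeting": ("livemeeting.example",)}

# Constructed invite: one genuine help link, one link to an executable on an
# unrelated host, and one link whose visible URL differs from its real target.
SAMPLE_INVITE = """
<p>You have been invited to a meeting.</p>
<p><a href="http://downloads.example.invalid/livemeeting/meetings/launch.exe">
   Click to Join LiveMeeting</a></p>
<p><a href="https://www.livemeeting.example/cc/help">Need help?</a></p>
<p><a href="http://198.51.100.7/login">https://www.livemeeting.example/login</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def _host_allowed(host, allowed):
    return any(host == h or host.endswith("." + h) for h in allowed)


def suspicious_links(html, brand_hosts=BRAND_HOSTS):
    """Return a list of {text, href, reasons} for links that look wrong."""
    findings = []
    for text, href in extract_links(html):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("href points at an executable download")
        for brand, allowed in brand_hosts.items():
            if brand in text.lower() and not _host_allowed(host, allowed):
                reasons.append(f"text names {brand} but host is {host or 'n/a'}")
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown.lower() != host:
                reasons.append(f"visible URL host {shown} differs from real host {host}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_INVITE):
        print(f"{f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print("   -", r)
```

The same three checks transfer directly to awareness training material: the visible text is what the recipient reads, and every one of the rules compares it with what the mail client would actually fetch.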

Keep in mind this is a very basic setup for social engineering; there are many other cool things you can do with this functionality combined with other technologies both in and out of Metasploit that I will write up when I have some time. Until then, enjoy!

Welcome

Posted on 10/22/2010, 11:57 am By

