Metasploit Framework 3.2 Released
The new Metasploit Framework was released on the 19th November (yesterday). It has a massive change log with lots of tweaks and add-ons. I will try and list the interesting ones here.
Version 3.2 includes exploit modules for recent Microsoft flaws, such as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.
I think I may have to test my Windows 2000 box again and see if any of the above work.
The Windows payload stagers have been updated to support targets with NX CPU support. These stagers now allocate a read/write/exec segment of memory for all payload downloads and execution.
Staged payloads are the only ones I could get working against Windows 2000.
This release includes a set of man-in-the-middle, authentication relay, and authentication capture modules. These modules can be integrated with a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic network traffic interception to gain access to client machines. These modules tie together browser_autopwn, SMB relaying, and HTTP credential and form capturing to pillage data from client systems.
Metasploit can now sniff traffic too!
Egypt’s new PHP payloads provide complete bind, reverse, and findsock support for PHP web application exploits. If you are sick of C99 and R57 and looking to gain a “real” shell from one of the hundreds of RFI flaws listed on milw0rm, the new PHP payloads work great against multiple operating systems.
Will have to have a play with this one!
The db_autopwn command has been revamped to support port-based limits, regex-based module matching, and limits on the number of spawned jobs. The end result is a way to quickly launch specific modules against a specific set of target machines. These changes were suggested and implemented by Marcell ‘SkyOut’ Dietl (Helith).
This is the feature used by Fast|Track. It doesn’t mention an OS limitation; that would be the next logical step.
To download Metasploit Framework 3.2 click here.
To view the full change log click here.
Windows 2000 & Fast|Track
A couple of weeks ago I was going to test Fast|Track against a Windows 98 machine, however I couldn’t get my wireless card to work on it. I finally got Windows 2000 with no patches or updates up and running. I installed Windows 2000 as, according to many, it’s quite a vulnerable OS.
Fast|Track is an automated tool that comes pre-installed in BackTrack. It scans an IP address or range for open ports using Nmap; once it has scanned the machine(s) it tries every exploit for the open ports found, using Metasploit’s db_autopwn feature. It doesn’t take any notice of Nmap’s OS discovery, so even if Nmap discovers that the machine is running Windows 2000 with 100% accuracy (it didn’t), it will still try exploits for other operating systems.
After Fast|Track had finished scanning and exploiting, it gave me 4 active shell sessions that it had spawned from successful exploits.
Windows 2000 with no updates or patches was successfully exploited via the following vulnerabilities:
SMB:
MS06_040_netapi
MS05_039_pnp
MS04_011_lsass
DCERPC:
MS03_026_dcom
After playing around with the remote shells for a few minutes I decided to replicate my findings using Metasploit3 only. I managed to replicate them all using the windows/shell/reverse_tcp payload. I originally tried them with the generic/perl/reverse_shell payload, however this did not work; it gave an error which I did not write down. While I was there I thought I would try Metasploit’s newish VNC reverse shell payload so I could have a visual representation of my Windows 2000 machine. In order to do this you have to start the built-in VNC server in BackTrack. It worked like a charm, however the colour was a bit off and the connection was slow.
The moral of the story is to keep your systems updated and fully patched.
More info on Fast|Track.
More info on Metasploit.
P.S. I also tried Metasploit’s new MS08_067 RPC exploit, however I was unsuccessful.
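As an added example (not from the post, Fast|Track or Metasploit), this Python script applies the same port-based logic described above from the defender’s side: it parses Nmap grepable (-oG) output and flags hosts exposing the SMB and DCERPC services that the post lists as exploited on an unpatched Windows 2000 box, together with the patches that close those holes. The sample scan is constructed, and the port-to-service mapping (135 for DCERPC, 139/445 for SMB) and the assignment of each MS bulletin to its service are my assumptions drawn from the post’s list.

```python
import re

# Services the post reports Fast|Track exploiting on unpatched Windows 2000,
# keyed by the port that exposes them (assumed mapping, see lead-in).
EXPOSED_SERVICES = {
    135: ("DCERPC", ["MS03-026"]),
    139: ("SMB", ["MS04-011", "MS05-039", "MS06-040"]),
    445: ("SMB", ["MS04-011", "MS05-039", "MS06-040"]),
}

# Constructed Nmap -oG output for illustration, not a real scan.
SAMPLE_SCAN = """\
# Nmap 4.76 scan initiated as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (1712)
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1713)
Host: 192.168.1.30 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (1714)
"""

# Each port entry in -oG looks like "135/open/tcp//msrpc///".
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp/")


def parse_grepable(text):
    """Return {host: [open TCP ports]} from Nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        addr = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = [int(p) for p, state in PORT_RE.findall(ports_field)
                      if state == "open"]
        hosts.setdefault(addr, []).extend(open_ports)
    return hosts


def exposed_hosts(scan_text):
    """Like autopwn, judge by open port alone (OS detection is ignored) and
    report, per host, each exposed service with the patches the post names."""
    report = {}
    for addr, ports in parse_grepable(scan_text).items():
        findings = {}
        for port in ports:
            if port in EXPOSED_SERVICES:
                svc, patches = EXPOSED_SERVICES[port]
                findings.setdefault(svc, set()).update(patches)
        if findings:
            report[addr] = {svc: sorted(p) for svc, p in findings.items()}
    return report


if __name__ == "__main__":
    for host, services in exposed_hosts(SAMPLE_SCAN).items():
        print(host, services)
```

A filtered port (192.168.1.30 above) is deliberately not reported, since autopwn only fires on ports Nmap reports open.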
Hacking Challenge: Linux Local Kernel Exploit ($5,000)
Digital Armaments October-November Hacking Challenge: 5,000$ Prize – Linux Local Kernel Vulnerabilities and Exploit
I. Details
Digital Armaments officially announce the launch of October-November hacking challenge.
The challenge starts on October 1. For the October-November Challenge, Digital Armaments will give a prize of 5,000$ for each submission that results in an Exploitable Vulnerability or Working Exploit for Local Linux Kernel. This should include example and documentation. The submission must be sent during the October/November months and be received by midnight EST on November 30, 2008. The 5,000$ PRIZE will be an extra added to the normal vulnerability payment (check the DACP scheme).
So it does pay to be a hacker! I could buy a whole lot of McDonald’s with $5000 (~£3400)!
More info here.
nUbuntu – for the security aware
What is it?
nUbuntu is an Ubuntu live CD with all the desktop packages removed, like GNOME, Evolution, OpenOffice and most other packages which come installed in Ubuntu by default. It comes with many security packages pre-installed and ready to use. It could be compared to other security live CDs like BackTrack or Auditor.
Where to get it?
http://www.nubuntu.org/downloads.php
How do you install it?
You can download the ISO image file, burn it to CD and boot it. What I chose to do was download the ISO image file and make a virtual machine image, so I could run it straight from my desktop as I do with BackTrack.
Here’s a guide on how to create a virtual machine from an ISO image file using VMWare:
http://www.howtoforge.com/create-vmware-machines-from-iso-files-without-burning-cds-dvds
What do I think?
It works well; I had no problems while booting. I like the fact that all the fancy Ubuntu stuff has been taken out. As for the pre-installed scripts and tools (which is what we’re most interested in), it doesn’t have as many tools pre-installed as BackTrack does, however it does have some tools which BackTrack doesn’t have. A couple of examples would be Wapiti, Nessus and Onesixtyone. It also has an option to install to HDD which BackTrack doesn’t have, but the point of a live CD is to boot from the CD; it’s always nice to have the option though. I like the fact that BackTrack has FTP, VNC and other server software pre-installed; nUbuntu doesn’t. All in all I think I will be sticking with BackTrack for now, however I will be keeping a close eye on this one.
What do you think?
I don’t know! Download it and let me know!
For more info click here.
ATMs running Windows 95
I was on my way to work some time last year when I saw an ATM with a DOS prompt on the screen. So I went over to have a look and took some pics on my mobile phone. The pictures I took revealed that the ATM was running Windows 95. Yes, you read right, Windows 95!!!
According to Secunia:
Windows 95 has 7 advisories with 3 of them unpatched. (As Microsoft doesn’t support Windows 95 anymore they will never be patched.)
As you can see, Windows 95 is not a very safe OS to run, never mind on an ATM! Let’s summarise the graphs above: 50% unpatched, 75% remotely and 50% system access.
So the question is, how safe is your money? Not very by the looks of it.