Sunday, December 25, 2011

[Quick notes] Metasploit payload types

To start with, a vulnerability is a weakness in the target system that creates a security risk: it can be exploited.

An exploit is a way, typically a piece of code, to trigger and take advantage of a vulnerability.
A payload is the component of the attack that actually 'does' things for an attacker.

Therefore, a payload must have at least 2 components in it:

1. Communications capability - sets up a communication channel for the attacker
2. Functionality - defines which actions an attacker can perform

Metasploit provides 2 types of payloads:

1. Single / Stand-alone / Self-contained
2. Staged [Stager + Stage]

Here,

Stager = communication module
Stage = functionality

A full payload = Stager + Stage

Self-contained payloads have both Stager & Stage already bundled together. These payloads include all the functionality needed to load themselves into memory, set up a communication channel for the attacker, and lastly provide the attacker with an environment and command capability to interact with the compromised system.

A few examples of single / self-contained payloads are:

exec -> runs a command
adduser -> creates a new local user and adds it to the local administrators group
shell_bind_tcp / shell_reverse_tcp -> sets up a standard TCP bind / reverse shell listener

In contrast to self-contained payloads, staged payloads function in a slightly different manner.

A Staged payload consists of a Stager and a Stage. These 2 components are NOT bundled together; an attacker can specify a stager and a stage independently.

When a vulnerability is exploited successfully, the Stager component goes first as the payload. The stager is then responsible for uploading the Stage and setting up a communication channel for it, so that the attacker can interact with the stage.

Let's look for Stagers and Stages in the Metasploit directories:

Java Stagers

ls /opt/msfo/msf3/modules/payloads/stagers/java/
bind_tcp.rb reverse_http.rb reverse_tcp.rb

Linux Stagers

ls -R /opt/msfo/msf3/modules/payloads/stagers/linux/
/opt/msfo/msf3/modules/payloads/stagers/linux/:
x64 x86

/opt/msfo/msf3/modules/payloads/stagers/linux/x64:
bind_tcp.rb reverse_tcp.rb

/opt/msfo/msf3/modules/payloads/stagers/linux/x86:
bind_ipv6_tcp.rb bind_tcp.rb find_tag.rb reverse_ipv6_tcp.rb reverse_tcp.rb

Windows Stagers

ls -R /opt/msfo/msf3/modules/payloads/stagers/windows/
/opt/msfo/msf3/modules/payloads/stagers/windows/:
bind_ipv6_tcp.rb reverse_http.rb reverse_ord_tcp.rb x64
bind_nonx_tcp.rb reverse_https.rb reverse_tcp_allports.rb
bind_tcp.rb reverse_ipv6_tcp.rb reverse_tcp_dns.rb
findtag_ord.rb reverse_nonx_tcp.rb reverse_tcp.rb

/opt/msfo/msf3/modules/payloads/stagers/windows/x64:
bind_tcp.rb reverse_tcp.rb

-> Notice that all of these set up a communications channel.

Now looking for Stages:

ls /opt/msfo/msf3/modules/payloads/stages/
bsd bsdi java linux netware osx php windows

Java Stages

ls /opt/msfo/msf3/modules/payloads/stages/java/
meterpreter.rb shell.rb

OSX Stages

ls -R /opt/msfo/msf3/modules/payloads/stages/osx/
/opt/msfo/msf3/modules/payloads/stages/osx/:
armle ppc x86

/opt/msfo/msf3/modules/payloads/stages/osx/armle:
execute.rb shell.rb

/opt/msfo/msf3/modules/payloads/stages/osx/ppc:
shell.rb

/opt/msfo/msf3/modules/payloads/stages/osx/x86:
bundleinject.rb isight.rb vforkshell.rb

Windows Stages

ls -R /opt/msfo/msf3/modules/payloads/stages/windows/
/opt/msfo/msf3/modules/payloads/stages/windows/:
dllinject.rb patchupdllinject.rb shell.rb vncinject.rb
meterpreter.rb patchupmeterpreter.rb upexec.rb x64

/opt/msfo/msf3/modules/payloads/stages/windows/x64:
meterpreter.rb shell.rb vncinject.rb

-> All these modules provide functionality & interactive environments.
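To make "full payload = Stager + Stage" concrete, here is an added Python example (not code from the Metasploit project or from these notes) that pairs the stagers and stages listed above into full payload names and splits a name back into its parts. It relies on Metasploit's naming convention, platform[/arch]/stage/stager for staged payloads and platform[/arch]/name for single ones, which the notes above do not spell out; the module tables are constructed from the listings above for the two platforms where both stagers and stages were shown.

```python
"""Compose and decompose Metasploit payload reference names.

Added example, not code from the Metasploit project. Metasploit names a
staged payload <platform>[/<arch>]/<stage>/<stager> and a single payload
<platform>[/<arch>]/<name>. The module tables below are constructed from
the directory listings above (only platforms where both were listed)."""
from itertools import product

# (platform, arch) -> stager modules, copied from the stagers/ listings above.
STAGERS = {
    ("java", None): ["bind_tcp", "reverse_http", "reverse_tcp"],
    ("windows", "x64"): ["bind_tcp", "reverse_tcp"],
}
# (platform, arch) -> stage modules, copied from the stages/ listings above.
STAGES = {
    ("java", None): ["meterpreter", "shell"],
    ("windows", "x64"): ["meterpreter", "shell", "vncinject"],
}


def refname(platform, arch, *parts):
    """Join the segments into a reference name, dropping a missing arch."""
    return "/".join(p for p in (platform, arch, *parts) if p)


def staged_payloads(stagers=STAGERS, stages=STAGES):
    """Every Stage x Stager pairing: one full payload per combination."""
    names = []
    for key in stagers.keys() & stages.keys():
        platform, arch = key
        for stage, stager in product(stages[key], stagers[key]):
            names.append(refname(platform, arch, stage, stager))
    return sorted(names)


def classify(name, stages=STAGES):
    """Split a reference name and tell a staged payload from a single one.

    The name is staged when its next-to-last segment is a stage known from
    the table; otherwise the last segment is itself a self-contained payload."""
    known_stages = {s for mods in stages.values() for s in mods}
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload reference name: {name!r}")
    if len(parts) >= 3 and parts[-2] in known_stages:
        return {"kind": "staged", "stage": parts[-2], "stager": parts[-1]}
    return {"kind": "single", "name": parts[-1]}
```

Reading a payload name this way is handy when an alert or IDS signature names one: the last segment says how the channel is set up and the segment before it says what lands afterwards.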

Saturday, December 24, 2011

[Quick Notes] Nmap TCP / UDP scanning

TCP Scanning:
Pretty straightforward...

1. TCP SYN sent
TCP SYN / ACK received
=> Target TCP port is open
=> Nmap marks this result as 'Open'
2. TCP SYN sent
RST / ACK received
=> Target TCP port is closed
OR
=> A firewall blocked the request / response, i.e. we cannot reach that port at all
=> Nmap marks this result as 'Closed'
3. TCP SYN sent
ICMP Port Unreachable received
=> A network / host firewall is blocking access to the port
=> Nmap marks this result as 'Filtered'
4. TCP SYN sent
No response received
=> Nmap resends the SYN packet. If still nothing is received, then either the port is closed or a network / host firewall is blocking our request packet.
=> Nmap marks this result as 'Filtered'

UDP scanning:

1. UDP datagram sent
Response received
=> Target UDP port is open
=> Nmap marks this result as 'Open'
2. UDP datagram sent
'ICMP Port Unreachable' received
=> Target UDP port is closed
OR
=> A firewall blocked the outbound response
For this scenario, Nmap checks whether the response is ICMP Port Unreachable, Type 3 Code 3. If it is, Nmap confirms that the port is 'Closed'. For any other ICMP unreachable error (type 3, code 1, 2, 9, 10, or 13), Nmap will mark the port as 'Filtered'.
3. UDP datagram sent
No response received
This could be for several reasons: the port is closed, a firewall is blocking the incoming UDP probe, a firewall is blocking the outbound UDP response, or the probed UDP port expects specific data before it will respond.
Specific to this last scenario, where a UDP service waits for data in the incoming request packet, Nmap makes use of a handful of protocol-specific payloads (for DNS 53, SNMP 161, rpc 111, etc.). A relevant listening UDP port will send back a response to these payloads, so the reliability of UDP scan results goes up.
=> Based on the response / no response, Nmap will mark this port as 'Open|Filtered'.
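The two decision tables above, written out as code so the retry-on-silence and ICMP-code cases are explicit. This is an added example and not Nmap's own code; the rules are exactly those stated in the notes, and the replies it classifies are constructed records rather than live packets.

```python
"""Port-state decisions for an Nmap TCP SYN scan and UDP scan, encoding the
rules in the notes above. Added example, not Nmap's code; replies are
constructed records, not live packets."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

ICMP_UNREACHABLE = 3                    # ICMP type 3: destination unreachable
CODE_PORT_UNREACHABLE = 3               # type 3 / code 3 -> UDP port is closed
CODES_FILTERED = {1, 2, 9, 10, 13}      # other type 3 codes -> filtered


@dataclass
class Reply:
    """One reply to one probe. A timeout is represented by None instead."""
    tcp_flags: str = ""                  # e.g. "SA" (SYN/ACK) or "RA" (RST/ACK)
    icmp: Optional[Tuple[int, int]] = None   # (type, code)
    udp_payload: bool = False            # a UDP datagram came back


def tcp_syn_state(replies: Sequence[Optional[Reply]]) -> str:
    """Classify a TCP port from the replies to successive SYN probes.

    Nmap resends the SYN when the first one gets no answer, so `replies`
    holds one entry per SYN sent (None = nothing came back)."""
    for reply in replies:
        if reply is None:
            continue                     # timeout: the next entry is the retry
        if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"
        if "R" in reply.tcp_flags:
            return "closed"
        if reply.icmp and reply.icmp[0] == ICMP_UNREACHABLE:
            return "filtered"
    return "filtered"                    # silence after the retry


def udp_state(reply: Optional[Reply]) -> str:
    """Classify a UDP port from the single reply (or timeout) to a datagram."""
    if reply is None:
        return "open|filtered"           # closed, dropped, or waiting for data
    if reply.udp_payload:
        return "open"
    if reply.icmp and reply.icmp[0] == ICMP_UNREACHABLE:
        if reply.icmp[1] == CODE_PORT_UNREACHABLE:
            return "closed"
        if reply.icmp[1] in CODES_FILTERED:
            return "filtered"
    return "open|filtered"
```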

[Quick Notes] Nmap's way of probing targets

Reading up on Nmap. Thought of sharing this quick post.

Nmap probes a target before scanning it for open ports and services. Nmap's address probing works as follows:

For root / administrator users
-> If the attacker / scanning box is on the same subnet as the target, then nmap will only send out ARP requests.

However, if the attacker sits on a different subnet than the target, then nmap will send
-> ICMP Echo Request
-> TCP SYN to port 443
-> TCP ACK to port 80
-> ICMP Timestamp Request [Type 13]
Note that Nmap sends out ALL 4 probe packets at once; it does not wait for a response to the ICMP Echo Request.

For non-root / non-administrative users
Nmap will simply start a 3-way handshake by sending
-> TCP SYN to port 80
-> TCP ACK to port 443
It does NOT send any ICMP packet.
