Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

HTTPS cert scanning differences between Metasploit and Nmap

Metasploit has auxiliary modules dedicated to HTTPS certificate and SSL scanning. I was interested in comparing the Metasploit cert module with the Nmap ssl-cert NSE script.

I decided to scan a /24 range, which represents 255 IP addresses, with the two tools and compare the results and the time taken by each scan.

Metasploit

By default, the Metasploit scanner/http/cert auxiliary module is configured with 50 threads; if you want, you can increase the number of threads by setting the THREADS option. We set THREADS to 256. We also decreased the ConnectTimeout advanced option to 1 second and set the SHOWALL option to true in order to get the issuers and the validity times.

Metasploit suggests using this auxiliary module from the console rather than from the cli.

Cli testing

time sudo msfcli scanner/http/cert ConnectTimeout=1 SHOWALL=true THREADS=256 RHOSTS=xxx.xxx.xxx.xxx/24 E

Through the cli, Metasploit took around 14 seconds to scan all 255 IP addresses and returned 9 responses.

Console testing

Through the console, Metasploit took around 5 seconds to scan all 255 IP addresses and returned 9 responses.

Example of output:

[+] xxx.xxx.xxx.xxx - 'toto.sploit.com' : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
[-] xxx.xxx.xxx.xxx - 'toto.sploit.com' : 'Sat Jan 01 00:00:00 UTC 2000' - 'Sat Jan 01 00:00:00 UTC 2000' (EXPIRED)

With both the console and the cli, we see strange behaviour on the certificate times, which should normally tell whether the certificate is expired or not: all 9 certificates are reported as expired, with this kind of output: 'Sat Jan 01 00:00:00 UTC 2000' - 'Sat Jan 01 00:00:00 UTC 2000' (EXPIRED).

By switching the SSLVersion advanced option from SSL3 to SSL2, I discovered one more certificate. So the Metasploit cert scanner discovers a total of 10 certificates out of 11.

Nmap

With Nmap, the following command scans the HTTPS certificates. The amount of information printed about the certificate depends on the verbosity level. With no extra verbosity, the script prints the validity period and the commonName, organizationName, stateOrProvinceName and countryName of the subject.

time sudo nmap --script=ssl-cert -PN -T4 -p 443 -oN xxx.xxx.xxx.xxx-255_ssl_cert.txt xxx.xxx.xxx.xxx/24

Nmap took around 11 seconds to scan all 255 IP addresses and returned 11 responses.

Example of output:

Nmap scan report for toto.sploit.com (xxx.xxx.xxx.xxx)
Host is up (0.14s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=toto.sploit.com/organizationName=Sploit Inc./stateOrProvinceName=Luna/countryName=EU
| Issuer: commonName=UTN-USERFirst-Hardware/organizationName=The USERTRUST Network/stateOrProvinceName=UT/countryName=US
| Not valid before: 2007-10-22 00:00:00
| Not valid after:  2010-10-21 23:59:59
| MD5:   661a 63d2 1554 e5cc 250c 8991 ae34 56ce
|_SHA-1: e3e9 1fc1 6843 3b9b d686 e9ea fec2 6c2b ac01 afa3

There is surely a bug in the Metasploit auxiliary module's certificate expiration check.

A single Nmap NSE script gives you more information on the certificate (MD5, cipher and details of the ssl-cert). To get the same information with Metasploit you need to run another auxiliary module, scanner/http/ssl. This other module also scans the 255 IP addresses in around 5 seconds, but still returns 10 responses. There is still one missing certificate, which is an SSL3 version.

With the Nmap NSE script you don't have to switch between SSL versions to discover all the SSL certs.

Update: the time handling of the Metasploit cert auxiliary scanner module has been corrected and the certificate times are now effective, but it still discovers 10 certificates out of 11.
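To make the comparison concrete, here is an added example (my own code, not the blog's, and not Metasploit's scanner/http/cert module or Nmap's ssl-cert script) that does what both scanners do: connect to a TLS port, take the peer certificate, apply the expiry check that the Metasploit module got wrong at the time of the post, and produce the issuer, validity window and MD5/SHA-1 fingerprints that the Nmap output above shows. The certificate (with the 2007-10-22 to 2010-10-21 validity seen in that output), the subject values and the TLS listener on 127.0.0.1 are all constructed here so the example runs offline.

```ruby
# Added example, not the blog's code nor Metasploit's/Nmap's. Everything
# below (certificate, subject, server) is constructed for the demo.
require "openssl"
require "socket"
require "digest"

# Self-signed certificate; subject values are made up.
def make_cert(cn, not_before:, not_after:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}/O=Sploit Inc./ST=Luna/C=EU")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Tiny TLS listener: it only completes the handshake, which is all a
# certificate scanner needs. Returns the ephemeral port.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        srv.accept.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        next
      end
    end
  end
  tcp.addr[1]
end

# Connect, handshake and return the peer certificate. VERIFY_NONE because a
# scanner wants to see the certificate even when it would not validate.
def fetch_cert(host, port, timeout: 1)
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# The check the post found broken: compare the scan time against both ends
# of the validity window instead of trusting a default date.
def cert_status(cert, now = Time.now.utc)
  return :not_yet_valid if now < cert.not_before
  return :expired       if now > cert.not_after
  :valid
end

# Digest over the DER encoding, grouped in fours as Nmap prints it.
def fingerprint(cert, digest_class)
  digest_class.hexdigest(cert.to_der).scan(/.{4}/).join(" ")
end

# Fields in the style of the Nmap ssl-cert output, plus the expiry verdict.
def cert_report(cert, now = Time.now.utc)
  fmt = ->(t) { t.utc.strftime("%Y-%m-%d %H:%M:%S") }
  {
    subject:    cert.subject.to_s,
    issuer:     cert.issuer.to_s,
    not_before: fmt.call(cert.not_before),
    not_after:  fmt.call(cert.not_after),
    md5:        fingerprint(cert, Digest::MD5),
    sha1:       fingerprint(cert, Digest::SHA1),
    status:     cert_status(cert, now),
  }
end

if __FILE__ == $0
  cert, key = make_cert("toto.sploit.com",
                        not_before: Time.utc(2007, 10, 22),
                        not_after:  Time.utc(2010, 10, 21, 23, 59, 59))
  port = start_tls_server(cert, key)
  cert_report(fetch_cert("127.0.0.1", port)).each { |k, v| puts "#{k}: #{v}" }
end
```

Run it as a script and it prints the same fields Nmap shows for the host above, with status expired; the validity check is the part worth keeping: a scanner that prints a fixed date for every certificate cannot distinguish an expired certificate from a live one, and an operator reading its output would wrongly flag every host.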

MS10-046: Microsoft Windows Shell LNK Execution

Since 19 July, the Rapid7 Metasploit team has released an exploit module for the Windows Shell LNK vulnerability MSA-2286198, aka CVE-2010-2568. For now this vulnerability is not widely exploited, but the situation could change rapidly. As you surely know, SANS ISC has raised its threat level to yellow over this vulnerability.

We have successfully tested the exploit on a fully patched Windows XP Pro SP3.

Below is a video we made to demonstrate how easy it is to exploit this vulnerability with Metasploit.

[youtube rYrXDJfVLJ0]

CVE-2010-1297: Adobe Flash Player newfunction Invalid Pointer Use

Since yesterday, the Rapid7 Metasploit team has released an exploit module for the Adobe Flash vulnerability APSA10-01, aka CVE-2010-1297.

The vulnerability affects Adobe Flash Player 10.0.45.2, 9.0.262 and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris, and also Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX. This vulnerability could cause a crash or allow an attacker to take control of the affected system.

So, as I understand it, all of the Internet could own all of the Internet, a big party in perspective. Who is not using Flash?

The current attack vector is a crafted PDF file embedding a vulnerable Flash animation. So if you download this kind of PDF from the Internet, or open emails with attached PDFs, and open them with Adobe Reader, you could be owned.

We have successfully tested the exploit with Adobe Reader 9.3.0 on Internet Explorer 8 and Safari 5.

No results with Google Chrome 5.0.375.70 and Firefox 3.5.9.

With Foxit Reader the PDF does not launch the Flash animation, so the exploit does not work.

Adobe has released updates for Flash Player, APSB10-14, so don't hesitate to update your browser add-ons.

Below is a video we made to demonstrate how easy it is to exploit this vulnerability with Metasploit.

[youtube JW7B8aZsT88]

Anonymous FTP scanning differences between Metasploit and Nmap

Metasploit has an auxiliary module dedicated to anonymous FTP scanning. I was interested in comparing this Metasploit module with the Nmap ftp-anon NSE script.

I decided to scan a /19 range, which represents 8192 IP addresses, with the two tools and compare the results and the time taken by each scan.

Metasploit

Just use the Metasploit cli, which lets you measure the time needed for the complete scan without configuring the Metasploit database.

time ./msfcli auxiliary/scanner/ftp/anonymous ConnectTimeout=1 FTPTimeout=1 RHOSTS=xxx.xxx.xxx.0/19 E

By default, the Metasploit ftp_anonymous auxiliary module is single threaded; if you want, you can increase the number of threads by setting the THREADS variable. We will not change this default configuration, because Nmap is single threaded. But we will decrease the ConnectTimeout and FTPTimeout advanced options to 1 second.

Metasploit took around 75 minutes to scan all 8192 IP addresses and returned 35 anonymous FTP servers.

With 256 threads, to be fair ^^, Metasploit scans the 8192 IP addresses in 1 minute 27 seconds. (LOL)

We had these kinds of results:

[*] aaa.aaa.aaa.aaa:21 Anonymous READ (220 aaa.aaa.aaa.aaa FTP server ready)
[*] Scanned 4075 of 8192 hosts (050% complete)
[*] Auxiliary module execution completed
[*] bbb.bbb.bbb.bbb:21 Anonymous READ/WRITE (220 Welcome to my FTP Server)
[*] Scanned 5045 of 8192 hosts (060% complete)
[*] Auxiliary module execution completed

To test whether the anonymous FTP is writable, Metasploit tries to create a directory with the MKD command, and if the creation succeeds, the directory is immediately deleted with the RMD command. If the anonymous FTP is not writable, then it is logically read-only 🙂 In addition, Metasploit also grabs the FTP banner of the anonymous FTP server.
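The exchange just described, as an added example that is my own code rather than the blog's, Metasploit's ftp/anonymous module or Nmap's ftp-anon script: the client logs in as anonymous, records the banner, tries MKD on a throwaway directory and, if that succeeds, removes it again with RMD, then reports READ or READ/WRITE in the same shape as the module output above. The FTP server it talks to is a scripted stand-in on 127.0.0.1 constructed for the demo; banners, the mail-style password and the directory name are made up.

```ruby
# Added example, not the blog's code nor Metasploit's/Nmap's. The FTP server
# below is a scripted stand-in constructed for the demo.
require "socket"
require "securerandom"

FTP_TIMEOUT = 1 # seconds, like ConnectTimeout=1 / FTPTimeout=1 in the post

def read_line(sock, timeout)
  return nil unless IO.select([sock], nil, nil, timeout)
  sock.gets&.chomp
end

# One FTP reply; RFC 959 multi-line replies ("220-...") are read through to
# the closing "220 " line. Returns nil on timeout or closed connection.
def read_reply(sock, timeout = FTP_TIMEOUT)
  line = read_line(sock, timeout) or return nil
  if line[3] == "-"
    code = line[0, 3]
    until line.start_with?("#{code} ")
      line = read_line(sock, timeout) or return nil
    end
  end
  line
end

def ftp_cmd(sock, cmd, timeout = FTP_TIMEOUT)
  sock.write("#{cmd}\r\n")
  read_reply(sock, timeout) || ""
end

# Returns { banner:, access: } with access :none, :read or :read_write.
def anon_ftp_check(host, port, timeout: FTP_TIMEOUT)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  banner = read_reply(sock, timeout) || ""
  resp = ftp_cmd(sock, "USER anonymous", timeout)
  resp = ftp_cmd(sock, "PASS mozilla@example.com", timeout) if resp.start_with?("3")
  return { banner: banner, access: :none } unless resp.start_with?("2")

  # Writability probe as the post describes it: MKD a throwaway directory and,
  # if that worked, RMD it straight away so nothing is left on the server.
  dir = "chk_#{SecureRandom.hex(4)}"
  access = :read
  if ftp_cmd(sock, "MKD #{dir}", timeout).start_with?("257")
    access = :read_write
    ftp_cmd(sock, "RMD #{dir}", timeout)
  end
  { banner: banner, access: access }
ensure
  if sock && !sock.closed?
    ftp_cmd(sock, "QUIT", timeout) rescue nil
    sock.close
  end
end

# Scripted stand-in for an FTP server (constructed). Returns the port.
def start_fake_ftp(banner:, anonymous: true, writable: false)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      begin
        c = server.accept
        c.write("#{banner}\r\n")
        dirs = []
        while (line = c.gets)
          cmd, arg = line.chomp.split(" ", 2)
          cmd = cmd.to_s.upcase
          reply = case cmd
                  when "USER" then "331 Password required for #{arg}"
                  when "PASS" then anonymous ? "230 Anonymous access granted" : "530 Login incorrect"
                  when "MKD"
                    if writable
                      dirs << arg
                      "257 \"#{arg}\" created"
                    else
                      "550 Permission denied"
                    end
                  when "RMD"  then dirs.delete(arg) ? "250 Directory removed" : "550 No such directory"
                  when "QUIT" then "221 Goodbye"
                  else "500 Unknown Command"
                  end
          c.write("#{reply}\r\n")
          break if cmd == "QUIT"
        end
        c.close
      rescue IOError, SystemCallError
        next
      end
    end
  end
  server.addr[1]
end

# Same shape as the module output quoted in the post.
def report_line(host, port, result)
  label = { read_write: "READ/WRITE", read: "READ", none: "no anonymous access" }
  "[*] #{host}:#{port} Anonymous #{label[result[:access]]} (#{result[:banner]})"
end

if __FILE__ == $0
  [{ banner: "220 aaa.aaa.aaa.aaa FTP server ready", writable: false },
   { banner: "220 Welcome to my FTP Server", writable: true },
   { banner: "220 Private server", anonymous: false }].each do |opts|
    port = start_fake_ftp(**opts)
    puts report_line("127.0.0.1", port, anon_ftp_check("127.0.0.1", port))
  end
end
```

The per-command timeout is what keeps a scan of thousands of hosts from stalling on a server that accepts the connection but never answers, which is the role ConnectTimeout and FTPTimeout play in the msfcli command above; the MKD/RMD pair is deliberately the only write the probe makes, and it undoes it in the same session.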

Nmap

With Nmap, the following command scans for anonymous FTP, grabs the banner and fingerprints the service, but does not test whether the anonymous FTP is writable or not.

time sudo nmap -p21 -n -sC -sV --script=banner --script=ftp-anon xxx.xxx.xxx.0/19

Nmap took around 20 minutes to scan all 8192 IP addresses and returned only 11 anonymous FTP servers.

We had these kinds of results:

Nmap scan report for aaa.aaa.aaa.aaa
Host is up (0.026s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
|_banner: 220 aaa.aaa.aaa.aaa FTP server ready
|_ftp-anon: Anonymous FTP login allowed
Service Info: Host: aaa.aaa.aaa.aaa; OS: Unix
Nmap scan report for bbb.bbb.bbb.bbb
Host is up (0.027s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp
|_banner: 220 Welcome to my FTP Server
|_ftp-anon: Anonymous FTP login allowed
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=5.21%I=7%D=5/16%Time=4BF05218%P=i386-apple-darwin9.8.0%r(N
SF:ULL,1E,"220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n")%r(GenericLine
SF:s,33,"220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n500\x20Unknown\x20
SF:Command\r\n")%r(Help,33,"220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\
SF:n500\x20Unknown\x20Command\r\n")%r(SMBProgNeg,33,"220\x20Welcome\x20to\
SF:x20my\x20FTP\x20Server\r\n500\x20Unknown\x20Command\r\n");
Service Info: Host: my

We ran the complete scans twice with Metasploit and Nmap and got the same results. What is surprising is the difference between the number of anonymous FTP servers detected by Metasploit (and verified by hand later) and the results of Nmap.

As suggested by Ron Bowes, I tested a different approach for the Nmap ftp-anon scanning to improve the scan time.

First test with:

time sudo nmap -p21 -PS -n --script=ftp-anon xxx.xxx.xxx.0/19

Nmap finished the scan in 6 minutes and 20 seconds, still more than Metasploit, but no longer 20 minutes.

Second test with:

time sudo nmap -p21 -PS -n -T4 --script=ftp-anon xxx.xxx.xxx.0/19

Nmap finished the scan in 6 minutes and 35 seconds; the -T4 option did not change anything in terms of performance.

Ron also confirmed that the Nmap ftp-anon Lua script misses some anonymous FTP servers, and does so randomly.