Hacking with Metasploit - VERITAS

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.
silas
Sargeant at Arms
Posts: 268
Joined: Sat May 27, 2006 8:57 pm
Location: ./scapy

Post by silas » Thu Oct 05, 2006 8:19 pm

VERITAS Remote File Access Exploit
------------------------------------------------

This vulnerability exploits a flaw in VERITAS Backup Exec in order to access and copy files from a remote machine.

Intent:

To get sensitive information about and from the victim host to use in a successful hack. Employ this solution when you cannot directly enumerate users and shares or have not gotten into the network yet. You can also perform various other things like buffer overflows and SQL injections to get into the network; this tutorial will focus on the VERITAS exploit. This is NOT the complete hack, just part of it. This exploit will NOT give you direct admin rights. It is only useful in gathering information about your target. The information gathered can then be used to gain admin rights.

Ingredients:

Computer
Metasploit Framework or 3 (if you got it to work)
Local access to network
Windows Server with Backup Exec Windows 10.0 and below
NTBKUP.exe ( http://www.fpns.net/willy/msbackup.htm )
Time and patience

Introduction:

On recent engagements I have wondered if all businesses had certain software commonalities. Every institution is dramatically different from the next. But they all perform the same basic functions: cater to customers. What is needed for the most part in every environment is an Operating System (obviously), but what else? I am writing this tutorial to accommodate everyone from newbie to super hax0r, so please bear with me if you find fundamental information and steps. The main purpose of my quest is to determine if certain vulnerabilities exist in all environments. That statement is pretty vague and compiles every single software aspect from every single enterprise. So I decided to narrow my search in hopes of finding a viable solution.

Most, if not all, companies have to employ some type of backup mechanism (they also use database and email solutions, but I will focus on backup solutions), whether it is an enterprise-grade solution like Alteris, BrightStor, or VERITAS, or an OS-based solution like Windows Backup Utility. What makes this a great asset is that most companies do not like to patch their system backup software. Most of the problems that need attention are the Operating Systems or other mission-critical applications like Microsoft Office, Symantec, and Webroot. Usually the backup software and database software are neglected.

Getting Started:

Make sure that you have installed Metasploit and know that it is working. Also go to the aforementioned website to download the utility NTBKUP.exe. The data that is retrieved from the remote host will be saved in an “.mft” format. The NTBKUP.exe program will not work unless the file has that extension. On that webpage you can also download other versions of the program. It is very small and very useful. Once you have downloaded the program, play around with it for a little. Understand what the parameters are and how it should be used. The main command that I use with it is:

    C:\> ntbkup "filename.mft" -x

The ‘-x’ parameter indicates a filter. By default, the filter is “unconditional” and it will extract all data. The ‘.mft’ format is a compressed backup file.

The first order of business is to determine if your intended victim meets our requirements. It needs to be a Windows Server with Backup Exec installed and running on it. Ninety-nine percent of all companies that I have visited are using Windows in either a native or mixed mode so this should not be a problem. This initial step is unattainable if you have not already scanned the host or know from some other means (shoulder-surfing, social engineering, or a good guess) that the victim is using Backup Exec. The TCP port number that VERITAS Backup Exec uses is 6106. You can verify this by using an Nmap or Nessus scan.

Once you find that this port is open and discover that the victim host is vulnerable to the exploit, open Metasploit. You can either use the MSFConsole or MSFWeb. I prefer the Web interface because it is easier for me. I will detail the instructions for the MSFWeb for the rest of the tutorial.

1. From the drop-down list choose the app::veritas selection.
2. Select the Veritas Backup Exec Windows Remote File Access.
3. Select the 0 - Veritas Remote File Access (default) link.
4. Enter in your local IP address in the LHOST field (duh!)
5. Enter the path for where the remote data will be copied to in the LPATH field. Make sure that you specify the file name with the “.mft” extension. Very important. I usually specify “C:\file.mft”.
6. Leave the LPORT field at its default setting: 44444.
7. Enter in the victim’s IP address in the RHOST field.
8. The RPATH is the file path on the remote machine. Here is where your knowledge of file and folder structure will come into play. I will discuss this step in greater detail and also give you some examples a little bit later.
9. Leave the RPORT value to its default setting: 10000.

Stealing Data:

Now that we have set up Metasploit the way we want it, we have to determine what information we want to retrieve. Options to consider are which OS we are working with. Is it Windows NT, Windows 2000, Windows XP, Windows 2003 server? Most of the differences that you are going to come across will be with NT and 2000 versus the newer versions. The reason why is because on a default install, the %windir% is /WINNT (Windows NT and Windows 2000), and on the newer versions it is /Windows. While this is not a huge complex difference, it can make all the difference when the remote host refuses your connection because you went after the wrong file path and you can no longer extract the precious files. From your initial scan, you should be able to determine what OS you are working with. I have used this exploit on all the above Windows versions with success.

Since you cannot directly own a box by just stealing files, we have to find files that are interesting and that would aid us in our endeavor. Being creative will help you out during this step. One warning: you cannot use environment variables like %systemroot%, %windir%, or %computername%. You have to explicitly specify which files you would like. My initial response was to go after C:\Windows\System32\Config\. That was a dead end. When extracting files, the files still adhere to their default attributes. The important files in that directory are being used by the OS, so you will not be able to retrieve them. Do not lose heart, there is still hope.

*****Warning********

If you try to get too many files at once, make sure it is the exact path that you want. The server/service may get suspicious and refuse any further connections. Although you can bypass this by spoofing your IP address or MAC address; you still may have to wait a couple of minutes for the server to reopen the socket connections.

Below are some examples of file paths that would prove to be fruitful:

    C:\Windows or WINNT\Repair\*.*

This location contains the backup of the SAM and SYSTEM files (among others). Once extracted, pass these files to Cain or your favorite password cracker, and you should have a password in a couple of hours with brute forcing or a couple of minutes with a good dictionary file. Alternatively, buy a set of rainbow tables from Rainbowtables.net and the password should be cracked in a couple of seconds (that was not an advertisement :D ).

    C:\Boot.ini

This location contains the boot information for the system. If you could not specifically identify which version of Windows you are working with, this file will show you which one it is.

    C:\*.*

Even though this exploit does not support using environment variables in the path, you can still use the wildcard character. Also, the above string will not grab all the files from the C drive (way too much!). However, it will list the directory structure of the hard drive. This is very good for information gathering. You can see how the victim has organized their hard drive.

    D:\*.*

Using the same information as above is still applicable. However, many admins store their user directories on the ‘D’ drive. This will narrow down what folders and files you specifically want to go after.

    C:\WINNT\SYSVOL\sysvol\DOMAIN_NAME\SCRIPTS\*.*

This is one of my favorites. When you input this path, the exploit will grab the batch and login scripts from the machine. Many admins leave passwords in these files to ease drive mapping. While this is a bad practice, it is good for us. Make sure that you include the Fully Qualified Domain Name (FQDN). Example: instead of “contoso”, use “contoso.com”.

    c:\program files\exchsrvr\bin\*.*

Understanding exactly what server and/or programs you are dealing with will only help you. You can never have too much information on your victim. The above string is the location to the Exchange directory.

The more you know about file paths, the better. You can also use paths for SQL, Word, Access, My Documents, etc…

Pressing the Exploit Button:

Once the correct data is in the appropriate fields, press the awesome exploit button. A couple of things can happen. You can either see connection refused, the message “trying to connect, waiting 15 seconds”, or transferring bytes (: . The connection refused message means that you should change your IP address or wait a couple of minutes and try again. Waiting 15 seconds indicates that the host is not running VERITAS or some other unknown error. Transferring bytes (: is the ideal message that we want. Now if you take a look at your extracted file, notice the file size. If the file size is 0 bytes or 32 bytes, something went wrong. This usually indicates that the path used was incorrect or that the program could not find the file. I have seen some instances when extracting 32 byte files that have completed successfully, so you might get lucky.

Extracting Data:

Before proceeding, let’s do a little recap. By now you should have installed Metasploit and ntbkup.exe. You should have connected to the victim network (be onsite), navigated to the correct VERITAS exploit, and inputted the pertinent information. Now your data should be in the location that you specified.

Open up your command prompt. Navigate to the location that you downloaded Ntbkup.exe to and run the command specifying your “.mft” file as a parameter. I usually do not specify a destination folder for the information that is extracting. I keep ntbkup.exe and the .mft files in the same directory. When you run the command you should see some information about memory and file addresses; that is normal. The files that are extracted are restored in their native format.

Once you have the files that you need, use them as you so desire. I particularly like using the backup SAM and SYSTEM files, and the batch and logon scripts. This information gives you insight into the network. Even if the information gathered does not contain passwords, user credentials, or other access information, you still have some good information.

If the ntbkup does not run correctly, make sure that, of course, your typing is correct. Also, check to make sure that the correct parameters were used. Lastly, verify the location of your file and make sure that it has an .mft extension.

Conclusion:

This exploit is easy to use and the possibilities are up to the user. There should be no trace that you either extracted the files or connected to the server or host. The only event that would be logged would be that the Backup Exec service was running. If you run into problems, try and try again. Select a new IP or spoof your IP and MAC address.

Remember: No network is unhackable.

References:

http://www.securityfocus.com/bid/14551/
http://downloads.securityfocus.com/vuln ... ec_dump.pm
http://metasploit.com/projects/Framework/
http://www.fpns.net/willy/msbackup.htm
Knowledge is potential,
Application is kinetic.
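
Added example, not part of silas's post: the post observes that admins leave passwords in the batch and logon scripts under SYSVOL\...\SCRIPTS, so anyone who can read those files gets the credentials. A defender can audit for exactly that; this sketch flags literal password arguments on `net use` lines and password-named `set` variables. The file names and script contents in SAMPLE are constructed for illustration.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')
SHELL_OP = re.compile(r'^\d?[>|&]')          # redirection / chaining ends the command
SET_SECRET = re.compile(r'\bset\s+"?\w*(?:pass|pwd)\w*=\S', re.I)

def net_use_has_password(line):
    """True when a `net use` line carries a literal password argument."""
    tokens = TOKEN.findall(line)
    low = [t.lower().lstrip("@") for t in tokens]
    for i in range(len(low) - 1):
        if low[i] == "net" and low[i + 1] == "use":
            args = []
            for tok in tokens[i + 2:]:
                if SHELL_OP.match(tok):
                    break
                if not tok.startswith("/"):   # drop switches such as /user: and /persistent:
                    args.append(tok)
            for j, tok in enumerate(args):
                if tok.strip('"').startswith("\\\\"):      # the UNC share
                    # The positional argument after the share is the password; "*" means prompt.
                    return j + 1 < len(args) and args[j + 1] != "*"
    return False

def audit_scripts(scripts):
    """Return sorted (file, line number, reason) findings for a {name: text} mapping."""
    findings = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if net_use_has_password(line):
                findings.append((name, lineno, "password argument in net use"))
            elif SET_SECRET.search(line):
                findings.append((name, lineno, "password assigned to variable"))
    return sorted(findings)

# Constructed sample scripts, standing in for files under SYSVOL\...\SCRIPTS.
SAMPLE = {
    "logon.bat": "@echo off\n"
                 "net use H: \\\\fs01\\home\\%USERNAME% /persistent:no\n"
                 "net use S: \\\\fs01\\shared Winter2006! /user:CONTOSO\\svc_map\n",
    "printers.cmd": "rem map printers\n"
                    "net use LPT1: \\\\print01\\hp4000 * /user:CONTOSO\\printsvc >nul\n",
    "backup.bat": "set BACKUP_PASSWORD=Summer06\n"
                  "@net use Z: \\\\bk01\\dump \"two words\" /user:CONTOSO\\bkup\n",
}

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE):
        print("%s:%d: %s" % finding)
```

Lines that prompt for the password (`*`) or map a share with the logged-on user's own credentials are not flagged; anything reported should be rotated and moved out of the script.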

User avatar
Ramius
The Evil Clown
Posts: 1714
Joined: Fri Mar 26, 2004 8:47 pm
Contact:

Post by Ramius » Sun Oct 08, 2006 7:27 pm

Nice tut Silas. Very useful in the pen testing world.
RIF - Reading is Fundamental
Hacking is a process, not a product
Http://www.rainbowtables.net

tripleboc
n00b
Posts: 1
Joined: Fri Dec 08, 2006 11:46 am

Post by tripleboc » Fri Dec 08, 2006 11:50 am

Just wanted to thank you for writing this up. I ran into this exact exploit during a pen-test and was having trouble with ntbkup. This cleared it right up for me.

Thanks,
tripleboc

naman
n00b
Posts: 2
Joined: Fri Jun 01, 2012 6:56 am

Re: Hacking with Metasploit - VERITAS

Post by naman » Wed Jun 06, 2012 4:51 am

hi guys!
As we know, Metasploit is the no. 1 tool for pentesting; it's mandatory to know about it if you want to grow in the security field. The tutorial is nice. I found lots of videos and demos on Metasploit. All these videos cover a complete course on Metasploit:
http://www.securitytube.net/groups?oper ... groupId=10

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: Hacking with Metasploit - VERITAS

Post by Cool_Fire » Fri Jun 08, 2012 10:15 am

It's only as important as you want it to be. You can do without it altogether, but it does simplify some things. Having said that, it's probably not what you'd want to start with. The more bare essentials you start with, the better you'll understand what's going on when you do work with metasploit. If you just use metasploit from the word go, you'll run the risk of just learning how to use metasploit rather than learning how to exploit things.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

riverph
n00b
Posts: 2
Joined: Sat Jun 14, 2014 11:41 pm

Re: Hacking with Metasploit - VERITAS

Post by riverph » Sat Jun 14, 2014 11:51 pm

I see two reasons you would want to start with Metasploit:
  1. It's like getting into development using libraries instead of writing everything from scratch. You get the idea of what's possible and already done, then you only research the exploit, get into nuts and bolts when your needs no longer fit.
  2. What does it matter what you use if you get the results either way? And Metasploit's probably the quicker way.
But I might not be the one to talk. I have done exactly zero exploiting in my life.

P.S. Hello everyone, it's my first post here. I checked your public insomnia247 directory, Cool_Fire, found the "Hackers (1995)" screenshots, watched it and loved it. Also the Angry Beavers episode :)

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: Hacking with Metasploit - VERITAS

Post by Cool_Fire » Mon Jun 16, 2014 5:04 am

I agree to some extent. It'd be easier and faster to get a known exploit to work with metasploit. ... (here it comes) ... However! In my opinion this sort of abstracts away what's really going on. You'll never learn how it actually all works under the hood which means you'll never be able to do anything other than just run exploits other people wrote. If that's all you need then there's certainly no problem but if you want to go beyond that it's quite useful to learn how it really all works and how to do it and then later make your life simpler by doing a bunch of it with metasploit.
This also means you'll have a really solid idea of what will work and what will not rather than just blindly poking at buttons in the dark and hoping one of them gives you a shell.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
