Hacking with Metasploit - VERITAS

2 replies [Last post]
jacksold
Offline
Neophyte
Joined: 2016/07/04

VERITAS Remote File Access Exploit
------------------------------------------------

This vulnerability exploits a flaw in VERITAS Backup Exec in order to access and copy files from a remote machine.

Intent:

To get sensitive information about and from the victim host to use in a successful hack. Employ this solution when you cannot directly enumerate users and shares or have not gotten into the network yet. You can also perform various other things like buffer overflows and SQL injections to get into the network, this tutorial will focus on the VERITAS exploit. This is NOT the complete hack, just part of it. This exploit will NOT give you direct admin rights. It is only useful in gathering information about your target. The information gathered can then be used to gain admin rights.

Ingredients:

Computer
Metasploit Framework or 3 (if you got it to work  )
Local access to network
Windows Server with Backup Exec Windows 10.0 and below
NTBKUP.exe ( http://www.fpns.net/willy/msbackup.htm )
Time and patience

Introduction:

On recent engagements I have wondered if all businesses had certain software commonalities. Every institution is dramatically different from the next. But they all perform the same basic functions: cater to customers. What is needed for the most part in every environment is an Operating System (obviously), but what else? I am writing this tutorial to accommodate everyone from newbie to super hax0r, so please bear with me if you find fundamental information and steps. The main purpose of my quest is to determine if certain vulnerabilities exist in all environments. That statement is pretty vague and compiles every single software aspect from every single enterprise. So I decided to narrow my search in hopes of finding a viable solution.

Most, if not all, companies have to employ some type of backup mechanism (they also use database and email solutions, but I will focus on backup solutions); whether it is an enterprise-grade solution like Alteris, BrightStor, or VERITAS; or an OS-based solution, like Windows Backup Utility. What makes this a great asset, is that most companies do not like to patch their system backup software. Most of the problems that need attention are the Operating Systems or other mission-critical applications like Microsoft Office, Symantec, and Webroot. Usually the backup software and database software are neglected.

Getting Started:

Make sure that you have installed Metasploit and know that it working. Also go to the aforementioned website to download the utility NTBKUP.exe. The data that is retrieved from the remote host will be saved in an “.mft” format. The NTBKUP.exe program will not work unless the file has that extension. On that webpage you can also download other versions of the program. It is very small and very useful. Once you have downloaded the program, play around with it for a little. Understand what the parameters are and how it should be used. The main command that I use with it is:

CODE: SELECT ALL
C:\> ntbkup “filename.mft” -x

The ‘-x’ parameter indicates a filter. By default, the filter is “unconditional” and it will extract all data. The ‘.mft’ format is a compressed backup file.

The first order of business is to determine if your intended victim meets our requirements. It needs to be a Windows Server with Backup Exec installed and running on it. Ninety-nine percent of all companies that I have visited are using Windows in either a native or mixed mode so this should not be a problem. This initial step is unattainable if you have not already scanned the host or know from some other means (shoulder-surfing, social engineering, or a good guess) that the victim is using Backup Exec. The TCP port number that VERITAS Backup Exec uses is 6106. You can verify this by using an Nmap or Nessus scan.

Once you find that this port is open and discover that the victim host is vulnerable to the exploit, open Metasploit. You can either use the MSFConsole or MSFWeb. I prefer the Web interface because it easier for me. I will detail the instructions for the MSFWeb for the rest of the tutorial.

1. From the drop-down list choose the app::veritas selection.
2. Select the Veritas Backup Exec Windows Remote File Access.
3. Select the 0 - Veritas Remote File Access (default) link.
4. Enter in your local IP address in the LHOST field (duh!)
5. Enter the path for where the remote data will be copied to in the LPATH field. Make sure that you specify the file name with the “.mft” extension. Very important. I usually specify “C:\file.mft”.
6. Leave the LPORT field at its default setting: 44444.
7. Enter in the victim’s IP address in the RHOST field.
8. The RPATH is the file path on the remote machine. Here is where your knowledge of file and folder structure will come into play. I will discuss this step in greater detail and also give you some examples a little bit later.
9. Leave the RPORT value to its default setting: 10000.

Stealing Data:

Now that we have set up Metasploit the way we want it, we have to determine what information we want to retrieve. Options to consider are which OS we are working with. Is it Windows NT, Windows 2000, Windows XP, Windows 2003 server? Most of the differences that you are going to come across will be with NT and 2000 versus the newer versions. The reason why is because on a default install, the %windir% is /WINNT (Windows NT and Windows 2000), and on the newer versions it is /Windows. While this is not a huge complex difference, it can make all the difference when the remote host refuses your connection because you went after the wrong file path and you can no longer extract the precious files. From your initial scan, you should be able to determine what OS you are working with. I have used this exploit on all the above Windows versions with success.

Since you cannot directly own a box by just stealing files, we have to find files that are interesting and that would aid us in our endeavor. Being creative will help you out during this step. One warning, you cannot use environment variables like %systemroot%, %windir%, or %computername%. You have explicitly specify which files you would like. My initial response was to go after C:\Windows\System32\Config\. That was a dead end, when extracting files, the files still adhere to there default attributes. The important files in that directory are being used by the OS, so you will not be able to retrieve them. Do not lose heart, there is still hope.

*****Warning********

If you try to get too many files at once, make sure it is the exact path that you want. The server/service may get suspicious and refuse any further connections. Although you can bypass this by spoofing your IP address or MAC address; you still may have to wait a couple of minutes for the server to reopen the socket connections.

Below are some examples of files paths that would prove to be fruitful:

CODE: SELECT ALL
C:\Windows or WINNT\Repair\*.*

This location contains the back up the SAM and SYSTEM files (among others). Once extracted, pass these files to Cain or your favorite password cracker, and you should have a password in a couple of hours with brute forcing or a couple of minutes with a good dictionary file. Alternatively, buy a set of rainbow tables from Rainbowtables.net and the password should be cracked in a couple of seconds (that was not advertisement Laughing out loud ).

CODE: SELECT ALL
C:\Boot.ini

This location contains the boot information for the system. If you could not specifically identify which version of Windows you are working with, this file will show you which one it is.

CODE: SELECT ALL
C:\*.*

Even though this exploit does not support using environment variables in the path, you can still use the wildcard character. Also, the above string will not grab all the files from the C drive (way too much!). However, it will list the directory structure of the hard drive. This is very good for information gathering. You can see how the victim has organized their hard drive.

CODE: SELECT ALL
D:\*.*

Using the same information as above is still applicable. However, many admins store their user directories on the ‘D’ drive. This is will narrow down what folders and files you specifically want to go after.

CODE: SELECT ALL
C:\WINNT\SYSVOL\sysvol\DOMAIN_NAME\SCRIPTS\*.*

This is one of my favorites. When you input this path, the exploit will grab the batch and login scripts from the machine. Many admins leave passwords in these files to ease drive mapping. While this is a bad practice, it is good for us.  Make sure that you include the Fully Qualified Domain Name (FQDN). Example: instead of “contoso”, use “contoso.com”.

CODE: SELECT ALL
c:\program files\exchsrvr\bin\*.*

Understanding exactly what server and/or programs you are dealing with will only help you. You can never have too much information on your victim. The above string is the location to the Exchange directory.

The more you know about file paths, the better. You can also use paths for SQL, Word, Access, My Documents, etc…

Pressing the Exploit Button:

Once the correct data is in the appropriate fields, press the awesome exploit button. A couple of things can happen. You can either see connection refused, the message “trying to connect, waiting 15 seconds”, or transferring bytes (: . The connection refused message means that you should change your IP address or wait a couple of minutes and try again. Waiting 15 seconds indicates that the host is not running VERITAS or some other unknown error. Transferring bytes (: is the ideal message that we want. Now ff you take a look at your extracted file, notice the file size. If the files size is 0 bytes or 32 bytes, something went wrong. This usually indicates that the path used was incorrect or that the program could not find the file. I have seen some instances when extracting 32 byte files that have completed successfully, so you might lucky.

Extracting Data:

Before proceeding, let’s do a little recap. By now you should have installed Metasploit and ntbkup.exe. You should have connected to the victim network (be onsite), navigated to the correct VERITAS exploit, and inputted the pertinent information. Now your data should be in the location that you specified.

Open up your command prompt. Navigate to the location that you downloaded Ntbkup.exe to and run the command specifying your “.mft” file as a parameter. I usually do not specify a destination folder for the information that is extracting. I keep ntbkup.exe and the .mft files in the same directory. When you run the command you should see some information about memory and file addresses; that is normal. The files that are extracted are restored in their native format.

Once you have the files that you need. Use them as you so desire. I particularly like using the backup SAM and SYSTEM files, and the batch and logon scripts. This information gives you insight into the network. Even if the information gathered does not contain passwords, user credentials, or other access information; you still have some good information.

If the ntbkup does not run correctly, make sure that, of course, your typing is correct. Also, check to make sure that the correct parameters were used. Lastly, verify the location of your file and make that it has an .mft extension.

Conclusion:

This exploit is easy to use and the possibilities are up to the user. There should be no trace that you neither extracting the files nor connected to the server or host. The only event that would be logged would be that the Backup Exec service was running. If you run into problems, try and try again. Select a new IP or spoof your IP and MAC address.

Remember: No network is unhackable.

References:

http://www.securityfocus.com/bid/14551/
http://downloads.securityfocus.com/vuln ... ec_dump.pm
http://metasploit.com/projects/Framework/
http://www.fpns.net/willy/msbackup.htm
Knowledge is potential,
Application is kinetic.