There's been another worm making its way around networks over the past couple of months; it's called Morto. There are a few different variants of this worm, but they all work and infect a machine the same way: by compromising a machine that has a weak administrator account password via Remote Desktop (RDP). When I say weak, I mean weak. In fact, there are only 30 passwords that this worm tries.
As always, we at Core Security get a lot of questions from our customers about how to test for this with CORE IMPACT, so I thought it was best to write a blog post explaining how it's done. Below is a short video that walks you through the process, along with step-by-step instructions for replicating the Morto worm with IMPACT.
Step-by-Step Instructions for Replicating the Morto Worm with CORE IMPACT Pro
1) Identify and fingerprint your target system or systems. The quickest way to do this is with the Network RPT Information Gathering Wizard.
2) CORE IMPACT actually provides several ways to test for Morto weaknesses, and to test MS Windows accounts in general, but the best approach in this case is by using the Dictionary Attack module.
Drag and drop this module over your target or target network. Your parameters window will need a few configuration changes. Change the Service setting from SSH to SMB, expand the Logins option and enter "administrator" into the Username List field. In the Password File field, click in the area under the Value header, click the ellipsis button [...] and select the Morto password text file. You say you don't have a Morto password text file? Here you go.
3) If your Dictionary Attack parameter window looks like the below screenshot, with your target(s) listed, you’re ready to run your test. Select OK and hold on tight.
4) If a valid username/password pair is found, you will see the result, including the password, in the Module Output window for the Dictionary Attack module, listed under each target IP address.
Some of you might also be wondering whether this will lock out the administrator accounts on your Windows machines. Fear not: this will NOT lock out your local administrator account.
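Whether it is the worm or your own test in step 2 doing the guessing, the footprint on the target is the same: a burst of failed logons to administrator from one source, and, if a guess lands, a successful logon from that same source right afterwards. The Python script below is an added example, not part of this post or of CORE IMPACT; it runs that detection over a constructed, simplified one-line rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon), where logon type 10 means RemoteInteractive (RDP). The field names in the sample lines, the default threshold of 10 failures and the 5-minute window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified one-line rendering of Windows Security log events:
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    f"2011-09-01T10:00:{s:02d} EventID=4625 LogonType=10 Account=administrator Source=10.0.0.7"
    for s in range(0, 36, 3)  # 12 RDP failures in 33 seconds: a short dictionary run
] + [
    "2011-09-01T10:00:05 EventID=4625 LogonType=3 Account=administrator Source=10.0.0.7",   # network logon, not RDP
    "2011-09-01T10:00:40 EventID=4624 LogonType=10 Account=administrator Source=10.0.0.7",  # a guess succeeded
    "2011-09-01T10:02:00 EventID=4625 LogonType=10 Account=administrator Source=10.0.0.9",  # two failures 88 min
    "2011-09-01T11:30:00 EventID=4625 LogonType=10 Account=administrator Source=10.0.0.9",  # apart: an admin typo
    "2011-09-01T10:00:10 EventID=4625 LogonType=10 Account=alice Source=10.0.0.12",         # not the admin account
]
EVENT_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")


def parse_events(lines):
    """Parse the simplified lines into (timestamp, event_id, logon_type, account, source), oldest first."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:  # lines that do not fit the expected shape are skipped, not guessed at
            ts, eid, lt, acct, src = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(lt), acct.lower(), src))
    return sorted(events)


def find_rdp_password_guessing(lines, account="administrator", threshold=10, window_seconds=300):
    """Return {source: (max_failures_in_window, success_seen)} for each source with at least
    `threshold` failed RDP logons to `account` inside any `window_seconds` span; success_seen
    is True when that source later logged on to `account` over RDP (a guess worked)."""
    failures, successes = defaultdict(list), set()
    for ts, eid, lt, acct, src in parse_events(lines):
        if lt != 10 or acct != account:
            continue
        if eid == 4625:
            failures[src].append(ts)
        elif eid == 4624 and src in failures:  # success only counts after failures from the same host
            successes.add(src)
    hits = {}
    for src, times in failures.items():  # sliding window over the already-sorted timestamps
        start = best = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = (best, src in successes)
    return hits
```

On the sample data, `find_rdp_password_guessing(SAMPLE_EVENTS)` flags only 10.0.0.7, with 12 failures and a success seen; the two isolated failures from 10.0.0.9 and the non-RDP and non-administrator events are ignored.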
While we're focused on testing for Morto susceptibility here, feel free to dig around the Dictionary Attack module a little more. You can see there are many different services whose accounts you can brute-force. Use the Dictionary Attack module on your other servers and services, and check back on the blog for my next few posts on combining dictionary attacks with agent deployment and on testing for privilege escalation vulnerabilities.
-- Anthony Alves, Sr. Systems Engineer