
Wednesday, June 8, 2016

METASPLOIT - Windows XP - Scraper / Winenum


WINDOWS XP - SCRAPER / WINENUM

- Layout for this exercise:




- The scraper Meterpreter script collects information about the whole victim system, including a dump of the entire registry. Its main advantage is that the attacker obtains all of it with a single command (run scraper) from the Meterpreter session. Two caveats: dumping the full registry is slow and noisy on the wire, and the Meterpreter scripts are deprecated in current Metasploit in favour of the post/windows/gather modules, which do the same job piecewise:





- The output of scraper is stored in several files under the attacker's ~/.msf4/logs/scripts/scraper/ directory, both .txt and .reg:




- For instance, hashes.txt:




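The hashes.txt file uses the pwdump layout (user:RID:LM hash:NT hash:::), which is what hashdump and the scraper script write. The following parser and triage routine is an added example, not code from the original post or from Metasploit; the sample file is constructed, and the only non-empty hashes in it are the well-known LM/NT hashes of the string "password". It flags blank passwords, accounts that still store an LM hash (trivially crackable), the built-in Administrator by RID, and users who share a password (identical NT hashes, since NTLM is unsalted).

```python
# Added example (not part of the original post): parse a pwdump-style
# hashes.txt as written by the scraper script / hashdump and triage it.
# The sample below is constructed; the two non-empty hashes are the
# well-known LM/NT hashes of the string "password".

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

SAMPLE_HASHES_TXT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
this line is not a hash
"""


def parse_pwdump(text):
    """Return one dict per well-formed 'user:rid:lm:nt:::' line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def triage(entries):
    """Map each user to the list of findings that make the account interesting."""
    findings = {}
    for e in entries:
        flags = []
        if e["nt"] == EMPTY_NT:
            flags.append("blank-password")          # logs in with no password at all
        if e["lm"] != EMPTY_LM:
            flags.append("lm-hash-present")         # LM: case-folded, two 7-char halves, trivially cracked
        if e["rid"] == 500:
            flags.append("builtin-administrator")   # RID 500 is Administrator even if renamed
        findings[e["user"]] = flags
    return findings


def shared_passwords(entries):
    """Group users whose NT hashes match: same hash means same password (NTLM has no salt)."""
    by_hash = {}
    for e in entries:
        if e["nt"] != EMPTY_NT:
            by_hash.setdefault(e["nt"], []).append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    accounts = parse_pwdump(SAMPLE_HASHES_TXT)
    for user, flags in triage(accounts).items():
        print(f"{user:15} {', '.join(flags) or '-'}")
    print("shared passwords:", shared_passwords(accounts))
```

Run it on a real hashes.txt by replacing the constructed sample; the two empty-hash constants are what to look for first, because a blank Administrator password on an XP box is a direct logon, not a cracking job.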
- users.txt:




- Another similar script is winenum:

























- Winenum also writes its output to a set of files, one per command it ran, under ~/.msf4/logs/scripts/winenum/:





- For instance, ipconfig_all.txt (the output of ipconfig /all) shows the victim's network configuration: adapters, IP addresses, subnet masks, default gateways and DNS servers:





- Likewise, arp__a.txt (the output of arp -a) maps the IP addresses of neighbouring hosts to their MAC addresses, which is a quick way to discover other machines on the victim's subnet without sending a single packet from the attacker:





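Those two winenum files are worth more together than apart: ipconfig /all tells which networks the victim is attached to and which address is the gateway, and arp -a tells which hosts on those networks the victim has recently talked to. The code below is an added example, not from the original post or from Metasploit; it parses both outputs (constructed samples with made-up addresses and MACs, in the Windows XP label style, and it also accepts the later "IPv4 Address ... (Preferred)" label) and builds a pivot map: per network, the gateway's MAC and the other ARP neighbours, and it notices when the victim is multi-homed.

```python
# Added example (not part of the original post): turn winenum's ipconfig_all.txt
# and arp__a.txt into a pivot map: which networks the victim touches, which ARP
# neighbour is the gateway and which neighbours are further hosts to look at.
# Both samples are constructed (addresses and MACs are made up).
import ipaddress
import re

SAMPLE_IPCONFIG_ALL = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XPVICTIM
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 08-00-27-AA-BB-CC
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

        Physical Address. . . . . . . . . : 08-00-27-DD-EE-FF
        IP Address. . . . . . . . . . . . : 10.0.0.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""

SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.10          08-00-27-12-34-56     dynamic

Interface: 10.0.0.20 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.7              08-00-27-DE-AD-01     dynamic
  10.0.0.9              08-00-27-DE-AD-02     static
"""


def parse_ipconfig_all(text):
    """Split 'ipconfig /all' into adapters; the dotted field labels become plain lowercase keys."""
    adapters, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.strip()[:-1], "fields": {}}   # "Ethernet adapter X:"
            adapters.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[ .]+", " ", key).strip().lower()      # "IP Address. . . ." -> "ip address"
            current["fields"][key] = value.strip()
    return adapters


def adapter_networks(adapters):
    """One entry per adapter that has an address: interface/network, gateway."""
    nets = []
    for a in adapters:
        f = a["fields"]
        ip = f.get("ip address") or f.get("ipv4 address")     # XP label, or Vista+ label
        mask = f.get("subnet mask")
        if not ip or not mask:
            continue
        ip = ip.split("(")[0].strip()                          # Vista+ appends "(Preferred)"
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        nets.append({"adapter": a["name"], "iface": iface, "gateway": f.get("default gateway") or None})
    return nets


def parse_arp_a(text):
    """Pull (ip, mac, type) rows out of 'arp -a'; the 'Interface:' header lines do not match."""
    row = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")
    return [{"ip": m.group(1), "mac": m.group(2).lower(), "type": m.group(3)}
            for m in map(row.match, text.splitlines()) if m]


def pivot_map(nets, arp_entries):
    """Per network: the gateway's MAC (if seen) and the other ARP neighbours on that subnet."""
    report = {}
    for n in nets:
        gateway_mac, hosts = None, []
        for e in arp_entries:
            if ipaddress.IPv4Address(e["ip"]) not in n["iface"].network:
                continue
            if e["ip"] == n["gateway"]:
                gateway_mac = e["mac"]
            else:
                hosts.append(e["ip"])
        report[str(n["iface"].network)] = {"adapter": n["adapter"], "gateway_mac": gateway_mac, "hosts": hosts}
    return report


if __name__ == "__main__":
    nets = adapter_networks(parse_ipconfig_all(SAMPLE_IPCONFIG_ALL))
    if len(nets) > 1:
        print("victim is multi-homed: a pivot into the second network is possible")
    for net, info in pivot_map(nets, parse_arp_a(SAMPLE_ARP_A)).items():
        print(net, info)
```

A second adapter with no default gateway, as in the constructed sample, is the classic sign of an internal-only network that is reachable only through the compromised host, which is exactly where a route through the Meterpreter session would be added next.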

METASPLOIT - Windows XP - Meterpreter





WINDOWS XP - METERPRETER




- Layout for this exercise:


- Metasploit provides the module ms08_067_netapi, which exploits a parsing flaw in the path canonicalization code of NetAPI32.dll, reachable through the Server service over SMB. This module is capable of bypassing NX on some operating systems and service packs. Both Windows XP and Windows 2003 targets are potential victims. One caveat: the module's default Automatic Targeting fingerprints the OS version and language before firing; choosing the wrong target by hand can crash the Server service instead of returning a session.


Required options:



Setting the victim's IP:



Now the Meterpreter payload is going to be used, with the purpose of achieving broad and deep post-exploitation. Meterpreter works by injecting DLLs and native shared objects into the memory of a process on the victim. Two of its advantages are that it does not need to write files to the victim's disk, and that all communication between victim and attacker is encrypted.


- Using reverse_tcp means that the victim connects back to a listener on the attacker's machine to establish the Meterpreter session:



Required options:



- Setting the local host (LHOST) to the attacker's IP, the address the victim will connect back to:



- Launching the exploit results in the creation of a Meterpreter session:













From the meterpreter command line, several commands give the attacker valuable information about the victim. Let's see some of them.

- Getting information about the victim's machine:










- Getting information about the current user: the session runs as NT AUTHORITY\SYSTEM, because the Server service exploited by ms08_067 runs under the Local System account:



- Also, a shell or command line interface:





METASPLOIT - Windows XP - Adding users remotely




WINDOWS XP - ADDING USERS REMOTELY

- Layout for this exercise:




- One of the possible actions to be performed after exploitation is adding a user remotely on the victim's system. In our example, there are only two users on the XP machine before the attack:





- Now, once XP has been exploited, the windows/adduser payload is set with the goal of adding a new user (this single-stage payload creates the account and adds it to the local Administrators group):



Required options for this payload are both the username (USER) and the password (PASS):



Setting the username (pirate):



Setting the password (1Metapirate):



Launching the exploit:



As a result, the new user "pirate" has been created at the victim's User Accounts:







METASPLOIT - Windows XP - Creating files remotely



WINDOWS XP - CREATING FILES REMOTELY

- Layout of this exercise:




Another interesting exercise is to create files remotely. Let's see the content of C:\ on the victim before the attack:





Now, from the attacker's console, a text file is created remotely in C:\. Let's call it TestFile and give it some content:




- The new file appears immediately on the victim's machine:





- The content of the file:




- Finally, the file can be removed remotely:




METASPLOIT - Windows XP - Remote network information



WINDOWS XP - REMOTE NETWORK INFORMATION


- Layout for this exercise:




- Once the system has been exploited, several post-exploitation actions can be performed. For instance, learning remotely about the victim's network configuration: IP address, subnet mask and default gateway:




- The netstat command lists the victim's connections, including the established one back to the attacker:



- The information obtained by the attacker is identical to what would be seen by running the same command locally on the victim's machine:








- Of course, running netstat on the attacker's machine shows the same connection from the other end: the victim's local address and port appear as the foreign address, and vice versa:






- Also, the routing table of the victim can be printed:


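That mirror-image relationship is also how an analyst ties two hosts' evidence together: an ESTABLISHED row on the victim whose foreign endpoint is the attacker's local endpoint, and vice versa, is the same TCP connection seen from both ends. The code below is an added example, not from the original post; it parses both the Windows netstat -an layout and the Linux netstat -ant layout (constructed captures, with 192.168.1.20 standing in for the XP victim, 192.168.1.30 for the attacker and the handler on Metasploit's default LPORT 4444) and returns the connections that appear on both sides.

```python
# Added example (not part of the original post): parse netstat output from both
# ends of the session and find the victim's connection that mirrors the
# attacker's. Both captures are constructed; 192.168.1.20 plays the XP victim
# and 192.168.1.30 the attacker, with the handler on the default port 4444.
import re

VICTIM_NETSTAT_AN = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1034      192.168.1.30:4444      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

ATTACKER_NETSTAT_ANT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.30:4444       192.168.1.20:1034       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# proto, optional Linux "Recv-Q Send-Q" counters, local, foreign, optional state
ROW = re.compile(r"^\s*(tcp|udp)\w*\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?", re.I)


def _split_endpoint(ep):
    """'192.168.1.20:1034' -> ('192.168.1.20', '1034'); splits on the last colon so IPv6 survives."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netstat(text):
    """Handle both the Windows 'netstat -an' and the Linux 'netstat -ant' layouts."""
    rows = []
    for m in map(ROW.match, text.splitlines()):
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto.lower(), "local": _split_endpoint(local),
                     "foreign": _split_endpoint(foreign), "state": (state or "").upper()})
    return rows


def established(rows):
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def mirrored_connections(side_a, side_b):
    """Connections seen on both hosts: A's (local, foreign) is B's (foreign, local)."""
    seen_from_b = {(r["foreign"], r["local"]) for r in established(side_b)}
    return [(r["local"], r["foreign"]) for r in established(side_a)
            if (r["local"], r["foreign"]) in seen_from_b]


if __name__ == "__main__":
    victim = parse_netstat(VICTIM_NETSTAT_AN)
    attacker = parse_netstat(ATTACKER_NETSTAT_ANT)
    for local, foreign in mirrored_connections(victim, attacker):
        print(f"victim {local[0]}:{local[1]} <-> attacker {foreign[0]}:{foreign[1]}")
```

On the victim side the tell-tale row is an outbound ESTABLISHED connection from an ephemeral port to a non-service port (here 4444); it is a useful pattern to search for across many hosts' netstat captures even without the attacker's side.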


METASPLOIT - Windows XP - Exploitation


WINDOWS XP - EXPLOITATION

- Layout for this exercise:





- Metasploit can perform a port scan of a victim, similar to the usual scan with Nmap, using this auxiliary module:




- Options for this auxiliary module:





- The remote host (RHOSTS) is the victim's IP, and in this case the range of ports to be scanned is 1 to 1000:










- The result of the scan is that three ports are open on the victim machine: 135 (MSRPC endpoint mapper), 139 (NetBIOS session) and 445 (SMB):



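What the auxiliary module does for each port is a full TCP connect(): a completed handshake means open, an immediate RST means closed, and silence until the timeout usually means filtered. The following is an added example, not the module's own code; it implements that connect scan with a thread pool, a parser for the same "1-1000" / "135,139,445" port syntax used by the PORTS option, and a throwaway local listener so the demonstration runs offline against 127.0.0.1 (the target host, ports and timeout are parameters).

```python
# Added example (not part of the original post): a TCP connect() scan of the
# kind the auxiliary port-scan module performs, plus a parser for the same
# "1-1000" / "135,139,445" port syntax. The __main__ block scans localhost
# against a throwaway listener so it runs offline.
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """'1-1000,3389' -> sorted list of ints; mirrors the PORTS option syntax."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(p for p in ports if 0 < p < 65536)


def probe(host, port, timeout=0.5):
    """Full three-way handshake: open if connect() succeeds, closed on RST, filtered on timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def tcp_connect_scan(host, ports, timeout=0.5, workers=64):
    """Return {port: state} for every probed port; the open ones are what the module prints."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(host, ports, **kw):
    return sorted(p for p, state in tcp_connect_scan(host, ports, **kw).items() if state == "open")


def throwaway_listener(host="127.0.0.1"):
    """Bind a listener on a free port so the scan has something to find; caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    listener, port = throwaway_listener()
    try:
        print("open on localhost:", open_ports("127.0.0.1", parse_ports(f"1-100,{port}")))
    finally:
        listener.close()
```

A connect scan completes the handshake, so every open port logs an accepted connection on the target (in the IIS/SMB/event logs, or on a firewall in between); that is the trade-off against a SYN scan, which needs raw sockets but leaves only a half-open attempt.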

- To exploit the victim, Metasploit provides the ms03_026_dcom exploit, based on the well-known MS03-026 Microsoft vulnerability (the one used by the Blaster worm). This module exploits a stack buffer overflow in the RPCSS service, reachable through port 135:

https://www.rapid7.com/db/modules/exploit/windows/dcerpc/ms03_026_dcom





- A required option for this exploit is the remote host's IP:




- Setting the RHOST or victim's IP:




- Also, a bind shell payload can be used in order to obtain a remote shell on the victim: the payload opens a listening port on the victim and the attacker connects to it:





- In this case, the payload's options are already populated: RHOST is shared with the exploit, and LPORT defaults to 4444:





- The exploit is launched, and the successful result is a remote shell with the prompt C:\WINDOWS\system32>, running with the privileges of the RPCSS service (Local System on Windows XP):



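The difference between this bind shell and the reverse_tcp Meterpreter payload used in the Meterpreter post is purely who listens and who connects, and that is what decides which option the payload requires (LHOST for reverse, RHOST for bind) and which firewalls it gets through. The code below is an added example, not from the original post or from Metasploit; it replays both directions on the loopback interface with plain sockets, with a constructed one-line "command and reply" standing in for the real session traffic, so the role of each side is visible.

```python
# Added example (not part of the original post): the two connection directions
# the page uses, reverse_tcp (Meterpreter post) and shell_bind_tcp (this post),
# replayed on the loopback interface with plain sockets. Both roles run in one
# process; the command and reply bytes are constructed stand-ins.
import socket
import threading

COMMAND = b"whoami\n"
RESPONSE = b"nt authority\\system\n"


def _read_line(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def _handler_side(sock):
    """Attacker's end of the session: send a command, collect the answer."""
    sock.sendall(COMMAND)
    return _read_line(sock)


def _payload_side(sock):
    """Victim's end of the session: answer the command it receives."""
    cmd = _read_line(sock)
    if cmd.strip() == b"whoami":
        sock.sendall(RESPONSE)
    return cmd


def _session(attacker_listens):
    """Run one exchange; which side listens is the only thing that differs."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port (stands in for LPORT)
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def connector():
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            if attacker_listens:
                result["payload_saw"] = _payload_side(s)    # victim dials out to LHOST:LPORT
            else:
                result["handler_got"] = _handler_side(s)    # attacker dials in to RHOST:LPORT

    t = threading.Thread(target=connector)
    t.start()
    try:
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(5)
            if attacker_listens:
                result["handler_got"] = _handler_side(conn)
            else:
                result["payload_saw"] = _payload_side(conn)
    finally:
        t.join()
        listener.close()
    result["listening_side"] = "attacker" if attacker_listens else "victim"
    result["connecting_side"] = "victim" if attacker_listens else "attacker"
    return result


def reverse_tcp_session():
    """reverse_tcp: the handler listens on LHOST:LPORT and the payload connects back.
    Only the attacker needs a reachable port, so it works through NAT and egress-only firewalls."""
    return _session(attacker_listens=True)


def bind_tcp_session():
    """bind_tcp: the payload opens LPORT on the victim and the handler connects to RHOST:LPORT.
    The victim's new port must be reachable, and it is visible to anyone who scans the host."""
    return _session(attacker_listens=False)


if __name__ == "__main__":
    for s in (reverse_tcp_session(), bind_tcp_session()):
        print(f"{s['listening_side']} listens, {s['connecting_side']} connects -> {s['handler_got']!r}")
```

The bind variant is also what a port scan of the victim would reveal after exploitation: a new listening port that was not there before, which is one reason reverse payloads are preferred outside a lab.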


- Now several post-exploitation actions can be performed, as seen in the next posts.