
Wednesday, June 8, 2016

METASPLOIT - Windows XP - Altering content and MACE timestamp of files remotely


WINDOWS XP - REMOTE ALTERATION OF FILE CONTENT AND MAC TIMESTAMPS 


- Layout for this exercise:




- One of the interesting post-exploitation attacks that Meterpreter can help to perform is altering the content and the MAC (Modified - Accessed - Created) timestamps of files on the victim's machine.


- Let's create a new folder called HELLO on the victim:




- Moving inside the folder:




- The Meterpreter execute command runs programs on the victim, for instance cmd.exe, which spawns a remote shell:





- A new text file is created inside that folder, and some content is added:




- Checking the existence and content of the new text file on the victim:




- Exiting the cmd on Meterpreter:



- The text file is downloaded on the attacker's side to be altered:




- Checking its current content:




- Opening the text file, its content is altered on the attacker's machine:




- Uploading the already altered text file from the attacker to the original folder on the victim:






- The attack has been successful, as can be proven by checking the altered content of the text file on the victim's side.




- Finally, let's alter the MACE attributes of the text file. The current values:




- The Meterpreter timestomp command provides several options to alter the MACE attributes. For instance, the -b option blanks the attributes, altering them to random values:
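From the defender's side, the timestomp step above leaves traces that a forensic review can look for. The following is an added example (not code from the post) with a few timestamp heuristics applied to constructed MAC values; the 2001 sanity floor and the "all whole seconds" rule are assumptions of the example:

```python
from datetime import datetime, timezone

NS_PER_SEC = 1_000_000_000
# Sanity floor (assumption for this example): nothing legitimately written on
# an XP-era host predates 2001; values below it point at backdating or blanking.
FLOOR_NS = int(datetime(2001, 1, 1, tzinfo=timezone.utc).timestamp()) * NS_PER_SEC

def ns(y, mo, d, h=0, mi=0, s=0, frac_ns=0):
    """UTC calendar time -> nanoseconds since the Unix epoch (what os.stat's st_*_ns gives)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()) * NS_PER_SEC + frac_ns

def timestamp_anomalies(modified_ns, accessed_ns, created_ns, now_ns):
    """Return sorted anomaly labels for one file's M/A/C timestamps.
    Heuristics: (1) every timestamp lands on an exact whole second, which is how
    tools fed second-granularity times leave them while normal NTFS writes carry
    100 ns noise; (2) created later than modified; (3) a value below the sanity
    floor; (4) a value in the future relative to now_ns."""
    stamps = {"modified": modified_ns, "accessed": accessed_ns, "created": created_ns}
    flags = set()
    if all(v % NS_PER_SEC == 0 for v in stamps.values()):
        flags.add("all_whole_seconds")
    if created_ns > modified_ns:
        flags.add("created_after_modified")
    for name, v in stamps.items():
        if v < FLOOR_NS:
            flags.add(f"{name}_before_floor")
        if v > now_ns:
            flags.add(f"{name}_in_future")
    return sorted(flags)

# Constructed sample values (not taken from the post), in M, A, C order.
NOW = ns(2016, 6, 8, 12)
NORMAL = (ns(2016, 6, 8, 10, 0, 0, 123_456_700),
          ns(2016, 6, 8, 10, 5, 0, 98_765_400),
          ns(2016, 6, 8, 9, 59, 0, 5_551_100))
STOMPED = (ns(2016, 6, 8, 10), ns(2016, 6, 8, 10), ns(2016, 6, 8, 10))
BACKDATED = (ns(1999, 1, 1), ns(1999, 1, 1), ns(1999, 1, 1))

if __name__ == "__main__":
    for label, stamps in (("normal", NORMAL), ("stomped", STOMPED), ("backdated", BACKDATED)):
        print(f"{label}: {timestamp_anomalies(*stamps, NOW) or 'clean'}")
```

On NTFS the stronger check compares these $STANDARD_INFORMATION values against the file's $FILE_NAME attribute timestamps, which timestomp does not rewrite.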



METASPLOIT - Windows XP - Scraper / Winenum


WINDOWS XP - SCRAPER / WINENUM

- Layout for this exercise:




- The scraper script grabs information about the whole victim's system, including the entire registry. Its main advantage is that the attacker can obtain all that information with just one command:





- The output of scraper is stored in different files, of both .txt and .reg type:




- For instance, hashes.txt:




- users.txt:




- Another similar script is winenum:

- Output from Winenum is stored on different files:





- For instance, ipconfig_all.txt shows info about network characteristics of the victim:





- Also, arp__a.txt maps IP addresses to physical (MAC) addresses:






METASPLOIT - Windows XP - Meterpreter





WINDOWS XP - METERPRETER




- Layout for this exercise:


- Metasploit provides the module ms08_067_netapi, which exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. Both Windows XP and 2003 targets are potential victims of successful exploitation attacks.


Required options:



Setting the victim's IP:



Now, the METERPRETER payload is going to be used with the purpose of achieving broad and deep post-exploitation. Meterpreter works by injecting DLLs and native shared objects into the victim's memory. One of the advantages of Meterpreter is that it doesn't create files on the victim, and all communication between victim and attacker is encrypted.


- The use of reverse_tcp ensures that the victim connects back establishing the Meterpreter session:



Required options:



- Setting the local host with the attacker's IP:



- Launching the exploit results in the creation of a Meterpreter session:


From the meterpreter command line, several commands give the attacker valuable information about the victim. Let's see some of them.

- Getting information about the victim's machine:










Getting information about the current user (Local System Account authority):



- Also, a shell or command line interface:





METASPLOIT - Windows XP - Adding users remotely




WINDOWS XP - ADDING USERS REMOTELY

- Layout for this exercise:




- One of the possible actions to be performed after exploitation is adding a user remotely on the victim's system. In our example, there are only two users on the XP machine before the attack:





- Now, once XP has been exploited, the windows/adduser payload is set with the goal of adding a new user:



Required options for this payload are both the username (USER) and the password (PASS):



Setting the username (pirate):



Setting the password (1Metapirate):



Launching the exploit:



As a result, the new user "pirate" has been created at the victim's User Accounts:
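The account creation above is visible in the victim's Security log as an account-created event followed almost immediately by a membership change on the local Administrators group. The following is an added example (not code from the post) that correlates those two events over constructed sample records; the event IDs are assumed per the pre-Vista numbering (624/636) next to the Vista+ numbering (4720/4732), and the five-minute window is a choice of the example:

```python
from datetime import datetime, timedelta

# Security log event IDs (assumption: pre-Vista numbering used by Windows XP/2003
# alongside the Vista+ numbering, so the same check covers both generations).
ACCOUNT_CREATED = {624, 4720}           # "User Account Created"
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}  # "Security Enabled Local Group Member Added"
PRIVILEGED_GROUPS = {"Administrators"}

def find_suspicious_account_creations(events, window=timedelta(minutes=5)):
    """events: iterable of dicts with keys time (datetime), id (int), target (str)
    and, for group events, group (str). Returns (user, group, seconds) tuples for
    accounts that were created and then added to a privileged local group within
    `window`, which is the sequence a one-shot add-user payload produces."""
    created_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in ACCOUNT_CREATED:
            created_at[ev["target"]] = ev["time"]
        elif ev["id"] in LOCAL_GROUP_MEMBER_ADDED and ev.get("group") in PRIVILEGED_GROUPS:
            t0 = created_at.get(ev["target"])
            if t0 is not None and timedelta(0) <= ev["time"] - t0 <= window:
                hits.append((ev["target"], ev["group"], int((ev["time"] - t0).total_seconds())))
    return hits

# Constructed sample events (not log data from the post).
T = datetime(2016, 6, 8, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T, "id": 624, "target": "pirate"},
    {"time": T + timedelta(seconds=2), "id": 636, "target": "pirate", "group": "Administrators"},
    # A service account promoted an hour after creation: outside the window.
    {"time": T - timedelta(hours=1), "id": 624, "target": "backupsvc"},
    {"time": T + timedelta(hours=1), "id": 636, "target": "backupsvc", "group": "Administrators"},
    # A new account added only to Users: not a privileged group.
    {"time": T + timedelta(minutes=1), "id": 4720, "target": "helpdesk"},
    {"time": T + timedelta(minutes=2), "id": 4732, "target": "helpdesk", "group": "Users"},
]

if __name__ == "__main__":
    for user, group, secs in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(f"{user} created and added to {group} after {secs}s")
```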







METASPLOIT - Windows XP - Creating files remotely



WINDOWS XP - CREATING FILES REMOTELY

- Layout of this exercise:




Another interesting exercise is to create files remotely. Let's see the content of C:\ on the victim before the attack:





Now, from the attacker's console, a text file is created remotely on C:\. Let's call it TestFile, also adding some content:




- Automatically, the new file is created on the victim's machine:





- The content of the file:




- Finally, the file can be removed remotely:




METASPLOIT - Windows XP - Remote network information



WINDOWS XP - REMOTE NETWORK INFORMATION


- Layout for this exercise:




- Once the system has been exploited, several post-exploitation actions can be performed. For instance, learning remotely about network characteristics like IP, subnet mask and default gateway:




The netstat command reports the connections established with the victim:



The information obtained by the attacker is identical to what would have been obtained on the victim's machine itself:








- Of course, running netstat on the attacker's machine outputs the symmetric information:
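The symmetry noted above is what a defender can use: on the victim, the same netstat output shows an established outbound connection to a host that also holds an SMB session to it. The following is an added example (not code from the post) that parses constructed XP-style `netstat -ano` output and flags that pattern; the peer address, ports and PIDs are made up for the example, and treating ports 80/443 as benign is an assumption:

```python
import re

# Constructed sample of Windows XP `netstat -ano` output (not output from the post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:445       192.168.1.20:40122     ESTABLISHED     4
  TCP    192.168.1.10:1034      192.168.1.20:4444      ESTABLISHED     1044
  TCP    192.168.1.10:1035      93.184.216.34:80       ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
BENIGN_REMOTE_PORTS = {80, 443}  # assumption: ordinary web traffic is not of interest here

def parse_tcp(text):
    """Parse the TCP rows of `netstat -ano` into dicts; UDP rows and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append({"lip": lip, "lport": int(lport), "rip": rip,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def suspicious_callbacks(text):
    """Flag established outbound connections (ephemeral local port, non-web remote
    port) and record whether the same peer also holds an SMB (445) session to this
    host: the trace a reverse payload delivered through the Server service leaves."""
    rows = parse_tcp(text)
    smb_peers = {r["rip"] for r in rows if r["state"] == "ESTABLISHED" and r["lport"] == 445}
    hits = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or r["lport"] < 1024 or r["rport"] in BENIGN_REMOTE_PORTS:
            continue  # listeners, inbound service sockets and web traffic are skipped
        hits.append({"rip": r["rip"], "rport": r["rport"], "pid": r["pid"],
                     "also_smb_peer": r["rip"] in smb_peers})
    return hits

if __name__ == "__main__":
    for h in suspicious_callbacks(SAMPLE):
        print(h)
```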






- Also, the routing table of the victim can be printed: