Wednesday, June 8, 2016

METASPLOIT - Windows XP - Aurora - Internet Explorer 6

WINDOWS XP - AURORA - INTERNET EXPLORER 6


- Layout for this exercise:




 
- Internet Explorer 6 suffers from a memory corruption flaw that can be exploited from a fake web server. This is a client-side attack, where the victim connects to that web server with the Internet Explorer 6 browser. This attack can be performed against old operating systems like Windows XP with unpatched browsers.






- Metasploit provides the module ms10_002_aurora to take advantage of this vulnerability:

  


- Required options for this exploit:




- The SRVPORT can be the usual TCP 80:




- The SRVHOST corresponds to the local host or web server's IP: 







- The URIPATH is the URL path the victim must visit to trigger the exploit. In this case, let's set it to /:




- The exploit is run and the web server starts on the attacker side, waiting for a client to connect:






- From the client side, the victim XP connects to the web server:





- Then, a meterpreter session (1) is opened:



- Interacting with session 1, post-exploitation can be carried out on the victim XP:







METASPLOIT - Windows XP - Altering content and MACE timestamp of files remotely

WINDOWS XP - REMOTE ALTERATION OF FILE CONTENT AND MAC TIMESTAMPS


- Layout for this exercise:




- One of the interesting post-exploitation actions that Meterpreter can perform is altering the content and the MAC (Modified, Accessed, Created) timestamps of files on the victim's machine.


- Let's create a new folder called HELLO on the victim:




- Moving inside the folder:




- The Meterpreter execute command runs programs on the victim, for instance cmd.exe, which spawns a remote shell:





- A new text file is created inside that folder, and some content is added:




- Checking the existence and content of the new text file on the victim:




- Exiting cmd and returning to Meterpreter:



- The text file is downloaded to the attacker's side to be altered:




- Checking its current content:




- Opening the text file, its content is altered on the attacker's machine:




- Uploading the altered text file from the attacker to the original folder on the victim:






- The attack has been successful, as can be verified by checking the altered content of the text file on the victim's side.




- Finally, let's alter the MACE attributes of the text file. The current values:




- The Meterpreter timestomp command provides several options to alter the MACE attributes. For instance, the -b option blanks the attributes, altering them to random values:
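As an added example that is not part of this post or of Metasploit: a small Python check a responder could run over a suspect directory to flag files whose timestamps look rewritten (created after modified, values before a plausible floor or in the future, or every stamp sitting on an exact second). The 1990 floor and the one-minute clock tolerance are assumptions chosen here.

```python
import os
import time
from datetime import datetime, timezone

# Heuristic timestamp checks for a suspect directory after a suspected timestomp.
# Each hit is an indicator, not proof: copying a file on NTFS also produces
# "created after modified", and archives or FAT volumes legitimately carry
# whole-second timestamps.

def timestamp_anomalies(mtime, atime, ctime=None, btime=None, now=None, floor_year=1990):
    """Return anomaly labels for one file's timestamps (seconds since the Unix epoch)."""
    now = time.time() if now is None else now
    floor = datetime(floor_year, 1, 1, tzinfo=timezone.utc).timestamp()  # assumed floor
    stamps = {"mtime": mtime, "atime": atime}
    if ctime is not None:
        stamps["ctime"] = ctime          # metadata-change time from stat()
    if btime is not None:
        stamps["btime"] = btime          # creation (birth) time, when the platform has it
    findings = []
    for name, ts in stamps.items():
        if ts < floor:                   # e.g. blanked or zeroed values
            findings.append(f"{name}_before_{floor_year}")
        elif ts > now + 60:              # one minute of clock-skew tolerance (assumed)
            findings.append(f"{name}_in_future")
    if btime is not None and btime > mtime + 1:
        findings.append("created_after_modified")  # file "modified" before it existed
    # timestomp takes its values with whole-second granularity, while NTFS records
    # 100 ns ticks, so a file whose every stamp is an exact second stands out
    if all(abs(ts - round(ts)) < 1e-6 for ts in stamps.values()):
        findings.append("all_whole_seconds")
    return findings


def scan_directory(root, **kwargs):
    """Walk root and return {path: [anomalies]} for every file that trips a check."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_birthtime exists on macOS/BSD and on Windows from Python 3.12
            btime = getattr(st, "st_birthtime", None)
            found = timestamp_anomalies(st.st_mtime, st.st_atime, st.st_ctime, btime, **kwargs)
            if found:
                report[path] = found
    return report
```

Run it as `scan_directory(r"C:\HELLO")` from a live-response shell or over a mounted image; an empty report only means none of these coarse checks fired, so compare against $FILE_NAME timestamps or backups before concluding nothing was touched.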



METASPLOIT - Windows XP - Scraper / Winenum

WINDOWS XP - SCRAPER / WINENUM

- Layout for this exercise:




- The scraper script gathers information about the victim's whole system, including the entire registry. Its main advantage is that the attacker obtains all of it with just one command:





- The output of scraper is stored in several files, of both .txt and .reg type:




- For instance, hashes.txt:




- users.txt:




- Another similar script is winenum:



- Output from winenum is stored in different files:





- For instance, ipconfig_all.txt shows the victim's network configuration:





- Also, arp__a.txt maps IP addresses to physical (MAC) addresses:






METASPLOIT - Windows XP - Meterpreter

WINDOWS XP - METERPRETER


- Layout for this exercise:


- Metasploit provides the module ms08_067_netapi, which exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. Both Windows XP and Windows 2003 targets are potential victims of successful exploitation.


- Required options:



- Setting the victim's IP:



- Now the Meterpreter payload is going to be used, with the aim of broad and deep post-exploitation. Meterpreter works by injecting DLLs and native shared objects into the victim's memory. One advantage of Meterpreter is that it doesn't create files on the victim, and all communication between victim and attacker is encrypted.


- The use of reverse_tcp ensures that the victim connects back establishing the Meterpreter session:



- Required options:



- Setting the local host with the attacker's IP:



- Launching the exploit results in the creation of a meterpreter session:



- From the meterpreter command line, several commands give the attacker valuable information about the victim. Let's see some of them.

- Getting information about the victim's machine:










- Getting information about the current user (Local System Account authority):



- Also, a shell or command line interface: