
Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing User Account Control


WINDOWS 7 - BYPASSING USER ACCOUNT CONTROL



- Layout for this exercise:




- Let's suppose we have a Windows 7 system already exploited:




- From Control Panel -> User Accounts and Family Safety -> User Accounts -> Change User Account Control Settings:




- In this case Windows 7 has User Account Control (UAC) set to the Default level (notify only when programs try to make changes to the computer):
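The slider in Control Panel is backed by three registry values, and Metasploit's UAC bypass only works for some of their combinations. The following script is an added example, not code from the original post: it maps EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop (Microsoft's documented values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) to the slider label, and states what the exploit/windows/local/bypassuac module (assumed to be the module used later in this post) can do at each level. The module behaviour described in bypassuac_outlook is this editor's reading of the module and is an assumption, not something the post shows.

```python
"""Interpret the registry values behind the Windows 7 UAC slider.

Added example, not part of the original post. Key path and value names are the
documented Microsoft ones; the bypassuac behaviour per level is an assumption.
"""
from typing import Optional, Tuple

# HKLM key holding the UAC policy values (documented location)
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# ConsentPromptBehaviorAdmin values
NO_PROMPT = 0                    # elevate silently ("Never notify")
PROMPT_CONSENT_NON_WINDOWS = 5   # prompt only for non-Windows binaries (the Default level)
# values 1-4 prompt for consent or credentials on every elevation ("Always notify")


def classify_uac(enable_lua: int, consent_admin: int, secure_desktop: int) -> str:
    """Return the Control Panel slider label for the three registry values."""
    if enable_lua == 0:
        return "UAC disabled"
    if consent_admin == NO_PROMPT:
        return "Never notify"
    if consent_admin == PROMPT_CONSENT_NON_WINDOWS:
        # PromptOnSecureDesktop separates the two middle slider positions
        return "Default" if secure_desktop else "Notify me only, do not dim my desktop"
    return "Always notify"


def bypassuac_outlook(level: str, user_is_local_admin: bool) -> str:
    """What exploit/windows/local/bypassuac can do at this level (assumption, see lead-in)."""
    if not user_is_local_admin:
        return "not applicable: a standard user has no split admin token to unlock"
    if level in ("UAC disabled", "Never notify"):
        return "no bypass needed: elevation is silent for this user"
    if level == "Always notify":
        return "bypassuac does not handle this level; the module reports it cannot bypass it"
    return "bypassuac applies: consent prompts for non-Windows binaries can be bypassed"


def read_uac_values() -> Optional[Tuple[int, int, int]]:
    """Read the live values on Windows; return None on any other platform."""
    try:
        import winreg
    except ImportError:
        return None
    names = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        return tuple(int(winreg.QueryValueEx(key, name)[0]) for name in names)


if __name__ == "__main__":
    # Off Windows, fall back to the lab's Default level so the script still demonstrates the mapping
    values = read_uac_values() or (1, 5, 1)
    level = classify_uac(*values)
    print(f"registry values {values} -> {level}")
    print(bypassuac_outlook(level, user_is_local_admin=True))
```

The practical caveat: the bypass only helps when the exploited user is a member of the local Administrators group (that is the token UAC filters); for a standard user a real privilege-escalation exploit is needed, and at "Always notify" the module is not going to help either.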








- Let's exploit the system with badblue_passthru:




- However, it is not possible to get full control over the system: with UAC enabled, the session inherits the filtered, medium-integrity token of the user running badblue.exe:




- Privileged post-exploitation steps fail:




- Before attempting the UAC bypass, it is advisable to run from a process as stable as possible. At the moment the session lives in badblue.exe:










- It is a good idea to migrate to a more stable process such as explorer.exe, so the session survives if the web server crashes:







- To start the UAC bypass and get full control over the victim, the current meterpreter session is sent to the background:





- At the moment, there is only 1 meterpreter session active:




- Metasploit ships a local exploit module that bypasses User Account Control:





- This module works through an existing meterpreter session, so SESSION is a required option:




- So SESSION is set to 1:




- A reverse_tcp meterpreter payload is used, with LHOST set to the attacker's IP:




- The exploit is launched and a second meterpreter session, this time free of the UAC restriction, is obtained:




- From this second meterpreter session privilege escalation with getsystem works, and the session now runs as NT AUTHORITY\SYSTEM:





- A good example of post-exploitation is the hashdump command, which dumps the LM and NT password hashes from the SAM:




- The smart_hashdump post module also dumps the hashes to a text file (stored under Metasploit's loot directory) for further processing, for instance with John the Ripper:
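Both hashdump and smart_hashdump produce the pwdump layout (user:RID:LM:NT:::). The script below is an added example, not from the original post: it parses that layout, flags accounts with an empty password and accounts that still store an LM hash, and produces the input lines for John the Ripper. The dump it works on is constructed for illustration; the two constants are the well-known LM "no hash stored" marker and the NT hash of the empty password, and the alice/bob entries use the NT and LM hashes of the word "password".

```python
"""Triage Meterpreter hashdump / smart_hashdump output and prepare it for John the Ripper.

Added example, not from the original post. SAMPLE_DUMP is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored (Windows 7 default)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample in the pwdump layout: user:RID:LM:NT:::  (status lines are skipped)
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present (password of 14 chars or less, LM storage enabled)."""
        return self.lm != EMPTY_LM

    def pwdump_line(self) -> str:
        return f"{self.user}:{self.rid}:{self.lm}:{self.nt}:::"


def parse_hashdump(text: str) -> List[Account]:
    """Parse pwdump-style lines; Meterpreter status lines starting with '[' are ignored."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a pwdump line: {line!r}")
        accounts.append(Account(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()))
    return accounts


def john_nt_lines(accounts: List[Account]) -> List[str]:
    """Input for `john --format=NT`; empty passwords need no cracking."""
    return [a.pwdump_line() for a in accounts if not a.empty_password]


def john_lm_lines(accounts: List[Account]) -> List[str]:
    """Input for `john --format=LM`; LM is the quick win when it is stored at all."""
    return [a.pwdump_line() for a in accounts if a.lm_stored]


def summary(accounts: List[Account]) -> Dict[str, int]:
    return {
        "total": len(accounts),
        "empty_password": sum(a.empty_password for a in accounts),
        "lm_stored": sum(a.lm_stored for a in accounts),
    }


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_DUMP)
    print(summary(accts))
    with open("nt.txt", "w") as f:
        f.write("\n".join(john_nt_lines(accts)) + "\n")
    with open("lm.txt", "w") as f:
        f.write("\n".join(john_lm_lines(accts)) + "\n")
```

Two things worth noticing in the output: Windows 7 does not store LM hashes by default, so every LM field is normally the aad3b435... marker and only the NT hashes are crackable; and an account whose NT hash is 31d6cfe0... has an empty password, so it does not need cracking at all.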

















METASPLOIT - Windows 7 - Exploitation


WINDOWS 7 - EXPLOITATION


- Layout for this exercise:





- BadBlue is a file-sharing web server for Windows that lets users share files over HTTP:

http://www.badblue.com/down.htm


- However, versions 2.72b and earlier suffer from a stack buffer overflow in the PassThru functionality of ext.dll, which can be exploited remotely:

https://www.exploit-db.com/exploits/16806/


- Once BadBlue has been downloaded and installed and the license agreement accepted, it is running on Windows 7, listening on TCP port 80:





- The attacker detects that the BadBlue web server is running on the victim's port 80:



















- Searching for BadBlue exploits in the Metasploit Framework:




- Let's try this exploit:






- The options for this exploit are simple:






















- The remote host is set to the victim's IP:





- The exploitation is successful:




Wednesday, June 8, 2016

METASPLOIT - Windows XP - Aurora - Internet Explorer 6




WINDOWS XP - AURORA - INTERNET EXPLORER 6


- Layout for this exercise:




 
- Internet Explorer 6 suffers from a memory corruption flaw (the "Aurora" vulnerability fixed by MS10-002) that can be exploited from a malicious web server. This is a client-side attack: the victim browses to the attacker's web server with Internet Explorer 6 and the served page triggers the flaw. It works against old, unpatched setups such as Windows XP with an outdated browser.
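The defensive counterpart of this attack is knowing which machines still browse with a legacy Internet Explorer. The script below is an added example, not from the original post: it scans web proxy log lines in the common combined format and lists clients whose user agent reports an MSIE version covered by MS10-002 (IE 6, 7 and 8), together with the Windows version the agent string claims. The log lines are constructed; a user agent cannot tell whether the patch is installed, so the result is a list of hosts to check, not proof of vulnerability.

```python
"""List legacy Internet Explorer clients (the population MS10-002 / Aurora targets) from proxy logs.

Added example, not from the original post. SAMPLE_LOG is constructed in the combined log format.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: four clients seen by an outbound proxy
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2016:10:15:02 +0200] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.7 - - [08/Jun/2016:10:15:09 +0200] "GET /news HTTP/1.1" 200 7321 "-" "Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0"
10.0.0.9 - - [08/Jun/2016:10:16:44 +0200] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.12 - - [08/Jun/2016:10:17:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.")          # IE 11 dropped the MSIE token, so it never matches
WINNT_RE = re.compile(r"Windows NT (\d+\.\d+)")
WINDOWS_NAMES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}
AFFECTED_IE = {6, 7, 8}  # versions covered by MS10-002 (CVE-2010-0249)


def ie_major(user_agent: str) -> Optional[int]:
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def windows_name(user_agent: str) -> str:
    m = WINNT_RE.search(user_agent)
    return WINDOWS_NAMES.get(m.group(1), f"Windows NT {m.group(1)}") if m else "unknown OS"


def legacy_ie_hits(log_text: str) -> List[Tuple[str, int, str, str]]:
    """Return (client ip, IE major version, claimed OS, request) for affected IE versions."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        major = ie_major(m.group("ua"))
        if major in AFFECTED_IE:
            hits.append((m.group("ip"), major, windows_name(m.group("ua")), m.group("request")))
    return hits


if __name__ == "__main__":
    for ip, major, os_name, request in legacy_ie_hits(SAMPLE_LOG):
        print(f"{ip}\tIE {major}\t{os_name}\t{request}")
```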






- Metasploit provides the module ms10_002_aurora to take advantage of this vulnerability:

  


- Required options for this exploit:




- The SRVPORT can be the usual TCP 80:




- SRVHOST is the address the malicious web server listens on, that is, the attacker's IP:







- URIPATH is the path the victim must request to trigger the exploit. Here it is set to /, so any request to the server root fires it:




- The exploit is run and the web server starts on the attacker side, waiting for a client to connect:






- From the client side, the victim XP connects to the web server:





- Then, a meterpreter session (1) is opened:









- Interacting with session 1, post exploitation can be done over the victim XP:







METASPLOIT - Windows XP - Altering content and MACE timestamp of files remotely


WINDOWS XP - REMOTE ALTERATION OF FILE CONTENT AND MAC TIMESTAMPS 


- Layout for this exercise:




- One of the interesting post-exploitation actions Meterpreter can help perform is altering the content and the MAC timestamps (Modified, Accessed, Created) of files on the victim's machine; together with the MFT Entry-modified time these form the MACE set that timestomp handles.


- Let's create a new folder called HELLO on the victim:




- Moving inside the folder:




- The Meterpreter execute command launches programs on the victim; running cmd.exe interactively spawns a remote shell:





- A new text file is created inside that folder, and some content is added:




- Checking the existence and content of the new text file on the victim:




- Exiting the cmd on Meterpreter:



- The text file is downloaded on the attacker's side to be altered:




- Checking its current content:




- Opening the text file, its content is altered on the attacker's machine:




- The altered text file is uploaded from the attacker back to the original folder on the victim:






- The attack has succeeded, as checking the text file on the victim's side shows the altered content:




- Finally, let's alter the MACE attributes of the text file. Their current values:




- The Meterpreter timestomp command provides several options to alter the MACE attributes. For instance, the -b option blanks all four values, setting them so that forensic tools such as EnCase display them as empty:
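From the defender's side, both halves of this exercise leave traces: a content change shows up as a hash mismatch against a baseline, and timestomp writes timestamps with whole-second precision, so the 100 ns fraction of an NTFS FILETIME comes out as zero. The script below is an added example, not from the original post, covering the download/edit/upload step and the timestomp step together: it compares a baseline snapshot of a file (hash plus MACE FILETIMEs) with its current state and reports findings. The baseline and tampered states are constructed; state_from_path snapshots a real file but cannot read the Entry-modified time, which os.stat does not expose.

```python
"""Detect content alteration and timestomp-style timestamp tampering against a file baseline.

Added example, not from the original post. Timestamps are NTFS FILETIME values
(100 ns ticks since 1601-01-01 UTC); BASELINE and TAMPERED are constructed.
"""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EPOCH_1601_TO_1970 = 116444736000000000  # FILETIME ticks between the NTFS and Unix epochs
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=(ft - EPOCH_1601_TO_1970) // 10)


def filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Build a FILETIME from a UTC datetime plus an explicit number of 100 ns ticks."""
    seconds = int(dt.replace(tzinfo=timezone.utc).timestamp())
    return EPOCH_1601_TO_1970 + seconds * TICKS_PER_SECOND + sub_second_ticks


def looks_timestomped(ft: int) -> bool:
    """timestomp takes whole seconds (MM/DD/YYYY HH24:MI:SS), so the sub-second ticks are zero."""
    return ft % TICKS_PER_SECOND == 0


@dataclass
class FileState:
    sha256: str
    modified: int
    accessed: int
    created: int
    entry_modified: Optional[int] = None  # $STANDARD_INFORMATION E time; not available via os.stat


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def state_from_path(path: str) -> FileState:
    """Snapshot a real file; creation time comes from st_birthtime where present, else st_ctime (Windows)."""
    st = os.stat(path)
    created_ns = getattr(st, "st_birthtime_ns", None) or st.st_ctime_ns
    with open(path, "rb") as f:
        digest = sha256_of(f.read())

    def to_ft(ns: int) -> int:
        return EPOCH_1601_TO_1970 + ns // 100

    return FileState(digest, to_ft(st.st_mtime_ns), to_ft(st.st_atime_ns), to_ft(created_ns))


def compare(baseline: FileState, current: FileState) -> List[str]:
    findings = []
    if current.sha256 != baseline.sha256:
        findings.append("content changed (hash mismatch)")
    if current.created != baseline.created:
        findings.append("creation time changed; ordinary writes never touch it")
    if current.modified < baseline.modified:
        findings.append("modified time moved backwards")
    for name in ("modified", "accessed", "created", "entry_modified"):
        now, before = getattr(current, name), getattr(baseline, name)
        was_whole = before is not None and looks_timestomped(before)
        if now is not None and looks_timestomped(now) and not was_whole:
            findings.append(f"{name}: sub-second part is zero (timestomp-like)")
    return findings


# Constructed baseline: file written at 09:30:00.4561230 UTC on 8 June 2016
BASE_TIME = datetime(2016, 6, 8, 9, 30, 0, tzinfo=timezone.utc)
_T = filetime(BASE_TIME, 4_561_230)
BASELINE = FileState(sha256_of(b"hello\r\n"), _T, _T, _T, _T)

# Constructed "after" state: content altered via download/upload, then timestomp -z "01/01/2010 10:00:00"
_STOMPED = filetime(datetime(2010, 1, 1, 10, 0, 0, tzinfo=timezone.utc))
TAMPERED = FileState(sha256_of(b"hello altered\r\n"), _STOMPED, _STOMPED, _STOMPED, _STOMPED)


if __name__ == "__main__":
    for finding in compare(BASELINE, TAMPERED):
        print("-", finding)
```

The zero-fraction heuristic is a lead, not proof: files copied from FAT media or extracted from archives also carry whole-second timestamps. Confirmation comes from comparing the $STANDARD_INFORMATION times with the $FILE_NAME times in the MFT record, which timestomp does not rewrite.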










METASPLOIT - Windows XP - Scraper / Winenum


WINDOWS XP - SCRAPER / WINENUM

- Layout for this exercise:




- The scraper script grabs information about the whole victim system, including the entire registry. Its main advantage is that the attacker collects all of it with a single command:





- The output of scraper is stored in several files, both .txt and .reg:




- For instance, hashes.txt:




- users.txt:




- Another similar script is winenum:

























- The output from winenum is stored in several files:





- For instance, ipconfig_all.txt shows the victim's network configuration:





- Also, arp__a.txt maps IP addresses to physical (MAC) addresses:
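The arp__a.txt file is raw `arp -a` output, and on a real engagement it is the first source of neighbours for pivoting. The script below is an added example, not from the original post: it parses the Windows `arp -a` layout into per-interface entries, keeps the dynamic unicast entries (hosts that actually exchanged traffic with the victim) and reports MAC addresses claimed by more than one IP. The sample table is constructed.

```python
"""Parse the Windows `arp -a` output that winenum saves as arp__a.txt.

Added example, not from the original post. SAMPLE_ARP is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the layout arp -a prints on Windows XP / 7
SAMPLE_ARP = """\

Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-c0-00-08     dynamic
  192.168.1.20          00-0c-29-3a-1f-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


class ArpEntry(NamedTuple):
    ip: str
    mac: str   # normalised to aa:bb:cc:dd:ee:ff
    kind: str  # "dynamic" or "static"


IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---\s+0x[0-9a-f]+\s*$", re.I)
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I
)


def normalise_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, List[ArpEntry]]:
    """Map each local interface address to the entries listed under it."""
    table: Dict[str, List[ArpEntry]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            table[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            table[current].append(ArpEntry(m.group(1), normalise_mac(m.group(2)), m.group(3).lower()))
    return table


def is_unicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) clear means a real host."""
    return int(mac.split(":")[0], 16) & 1 == 0


def neighbour_hosts(table: Dict[str, List[ArpEntry]]) -> List[str]:
    """IPs that recently exchanged traffic with the victim: dynamic, unicast entries."""
    return sorted(e.ip for entries in table.values() for e in entries
                  if e.kind == "dynamic" and is_unicast(e.mac))


def duplicate_macs(table: Dict[str, List[ArpEntry]]) -> Dict[str, List[str]]:
    """MACs claimed by several IPs: multihomed host, proxy ARP, or someone spoofing."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for entries in table.values():
        for e in entries:
            if is_unicast(e.mac):
                by_mac[e.mac].append(e.ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for iface, entries in table.items():
        print(f"{iface}: {len(entries)} entries")
    print("neighbours:", neighbour_hosts(table))
    print("duplicate MACs:", duplicate_macs(table))
```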