
Friday, June 10, 2016

METASPLOIT - Windows 7 - Keylogger




WINDOWS 7 - KEYLOGGER


- Layout for this exercise:





- The keyscan_start command starts capturing keystrokes on the victim's machine:




- Now, let's suppose that a user at the victim's machine types a set of characters, for instance:




The attacker can retrieve all those characters with the command keyscan_dump:







- Once the attack has been performed successfully, the keyscan process can be stopped:







METASPLOIT - Windows 7 - Desktop screen grabbing


WINDOWS 7 - DESKTOP SCREEN GRABBING

- Layout for this exercise:




















- Windows systems automatically create an interactive window station. When an interactive user logs on, the system associates the interactive window station with the user's logon session. The system also creates the default input desktop for the interactive window station (WinSta0\Default). Processes started by the logged-on user are associated with the WinSta0\Default desktop. In other words, the WinSta0 station is the one used to interact with users:

- The command enumdesktops enumerates all accessible desktops:






- Checking that the active desktop is interactive:




- Loading the espia extension from meterpreter:




Then, the screengrab command takes a screenshot of the active desktop on the victim's machine. The picture is saved under the path /root with a .jpeg extension:










METASPLOIT - Windows 7 - Sniffing



WINDOWS 7 - SNIFFING


- Layout for this exercise:




- Metasploit provides the sniffer extension, which can be loaded from a meterpreter session:




- Checking which interfaces are available for sniffing, let's take one that shows the parameter "usable:true":



The sniffing process starts on interface 2, allocating 10000 packets to the buffer:




Some traffic is generated, for instance pinging from the attacker Kali to the victim Windows 7:




Statistics of the sniffing process:




- Captured packets can be dumped to a file in pcap format; for instance, let's name it readable_with_wireshark.pcap:




Stopping the sniffing process:




- From another console, the captured packets can be read with the Wireshark application:




- Wireshark shows all the traffic generated by the pings between the attacker and the victim:
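As an added example (not part of the original post), a minimal pure-Python reader for the pcap file the sniffer dumps: it walks the libpcap record headers, decodes the ICMP frames and pairs echo requests with replies, which is what Wireshark displays for the pings above. The capture is constructed inline; the attacker address 192.168.1.13, the zeroed MACs and the ICMP identifier are assumptions.

```python
import struct

# Constructed capture built inline so the example runs offline: the victim
# 192.168.1.14 is the address used on the page; the attacker address
# 192.168.1.13, the zeroed MACs and the ICMP identifier are assumptions.
ATTACKER, VICTIM = "192.168.1.13", "192.168.1.14"

def build_icmp_frame(src, dst, icmp_type, ident, seq):
    """Ethernet + IPv4 + ICMP frame; checksums stay zero (the parser ignores them)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp   # dst/src MAC, EtherType IPv4

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet), then
    a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1465560000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Walk the records and decode the ICMP ones as (src, dst, type, id, seq)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # magic reads swapped if big-endian
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset, records = 24, []
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                                # too short, not IPv4, or not ICMP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        icmp_type, _, _, ident, seq = struct.unpack_from("!BBHHH", frame, 14 + ihl)
        records.append((src, dst, icmp_type, ident, seq))
    return records

def ping_summary(records):
    """Pair echo requests (type 8) with replies (type 0) by (identifier, sequence)."""
    requests = {(i, s) for _, _, t, i, s in records if t == 8}
    replies = {(i, s) for _, _, t, i, s in records if t == 0}
    return {"requests": len(requests), "answered": len(requests & replies)}

SAMPLE = build_pcap([build_icmp_frame(ATTACKER, VICTIM, 8, 0x1234, 1),
                     build_icmp_frame(VICTIM, ATTACKER, 0, 0x1234, 1),
                     build_icmp_frame(ATTACKER, VICTIM, 8, 0x1234, 2)])  # second ping unanswered
```

Feeding the bytes that `build_pcap` returns to Wireshark (or `parse_pcap` to a real sniffer dump) gives the same request/reply pairing the screenshot shows.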








METASPLOIT - Windows 7 - Mimikatz



WINDOWS 7 - MIMIKATZ


- Layout for this exercise:




Once Windows 7 has been exploited and control taken over, the mimikatz extension can be loaded and used to dump credentials.



For instance, cached Digest Authentication passwords can be retrieved with the command wdigest:






METASPLOIT - Windows 7 - Remote Desktop Protocol - Weak passwords



WINDOWS 7 - REMOTE DESKTOP PROTOCOL - WEAK PASSWORDS


- Layout for this exercise:





Under circumstances similar to the previous example, the victim Windows 7 allows remote connections on the RDP port TCP 3389, with the less secure option:







- The attacker scans the victim and detects that RDP port 3389 is open:





- For simplicity, let's create a couple of small wordlists: UserList and PasswordList.




With the help of both wordlists, ncrack discovers the credentials by attacking the RDP port, open on the victim 192.168.1.14:






METASPLOIT - Windows 7 - Remote Desktop Protocol: Denial Of Service / Blue Screen



WINDOWS 7 - RDP - DoS - BLUE SCREEN



- Layout for this exercise:





- Remote Desktop Protocol (RDP) is a Microsoft protocol which provides a graphical interface for connecting to a computer over a network connection. RDP accepts connections on port TCP 3389.

- Operating systems like Windows 7 offer three security options for RDP, under Control Panel -> System and Security -> System -> Remote settings -> System Properties -> Remote:






- An attacker can detect that the RDP port 3389/tcp is open on the victim's computer:




- The less secure option accepts any type of RDP connection, a weakness that can be taken advantage of with the appropriate Metasploit module:




- Required options for this module are simple, just the victim's IP and the RDP port (3389):







- Running this module, some crafted packets are sent to the victim:





- As a consequence, the Denial of Service attack results in a Blue Screen on the target machine:





- To avoid this DoS attack, the RDP service should be kept disabled unless it is needed:



- Also, the secure option with Network Level Authentication should be considered:








METASPLOIT - Windows 7 - Reverse Shell TCP Allports


WINDOWS 7 - REVERSE SHELL TCP ALLPORTS

- Layout for this process:


So far we have considered blocking only some specific ports. In this case, however, the OUTBOUND rule blocks a whole range of ports, for instance from 3000 to 6000:






- Now, the reverse_tcp_allports payload is converted into an executable file. This payload tries to connect back to the attacker on every possible TCP port, from 1 to 65535, going systematically port by port until it finds one that is open or allowed by the firewall.

- Later, we'll see why LPORT is still 4444, although it is inside the range of ports blocked by the firewall.





- Checking that it is an executable file:



- Because all connections on ports 3000 to 6000 are going to be blocked by the firewall, the first allowed connection will be on port 6001. However, because the attacker does not know this in advance, he redirects incoming connections to a well-known port like 4444. Iptables can be used to achieve that.



- First, all Iptables rules are cleared:




- Then, connections on the range 3000:6000 plus 6001 are redirected to local port 4444 (that is why LPORT = 4444):



- The attacker sets up a handler exploit, waiting for the connection from the victim:




- Also, a web server is running on the attacker side:



The client or victim connects, downloads and runs the executable reverse_tcp_allports.exe:


A meterpreter session is successfully achieved on the attacker side:














It is interesting to compare the netstat output from both sides. From the attacker's perspective the connection is on local port 4444:







On the other hand, from the victim's point of view, the connection goes to remote port 6001, as expected, because the ports from 3000 to 6000 are blocked by the firewall, and in that range only port 6001 was redirected towards port 4444 by Iptables:
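As an added defender-side example (not part of the original post), the egress pattern that the allports payload leaves behind can be spotted in Windows Firewall logging: one host stepping through consecutive destination ports towards a single peer until it reaches the first port the firewall lets through. The log lines are constructed in the pfirewall.log field layout (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ..., path); the attacker address 192.168.1.13 is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Windows Firewall (pfirewall.log) field layout. The
# victim 192.168.1.14 (from the page) walks ports 5996..6000 (blocked range,
# DROP) and then reaches the attacker on 6001 (ALLOW). The attacker address
# 192.168.1.13 is an assumption; one benign SMB line is included as a control.
VICTIM, ATTACKER = "192.168.1.14", "192.168.1.13"
SAMPLE_LOG = "2016-06-10 12:00:00 ALLOW TCP 192.168.1.14 192.168.1.20 49152 445 0 - 0 0 0 - - - SEND\n"
for i in range(5):
    SAMPLE_LOG += f"2016-06-10 12:00:{i + 1:02d} DROP TCP {VICTIM} {ATTACKER} {49160 + i} {5996 + i} 52 S 0 0 8192 - - - SEND\n"
SAMPLE_LOG += f"2016-06-10 12:00:06 ALLOW TCP {VICTIM} {ATTACKER} 49165 6001 0 - 0 0 0 - - - SEND\n"

def parse_firewall_log(text):
    """Return (time, action, src, dst, dst-port) tuples for outbound TCP entries."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 17 or line.startswith("#") or f[3] != "TCP" or f[-1] != "SEND":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f[2], f[4], f[5], int(f[7])))
    return events

def find_port_walks(events, min_run=5, max_gap_s=5):
    """Flag (src, dst) pairs whose outbound attempts step through consecutive
    destination ports: the trace an all-ports callback leaves in egress logs."""
    by_pair = defaultdict(list)
    for ts, action, src, dst, dport in sorted(events):
        by_pair[(src, dst)].append((ts, action, dport))
    alerts = []
    for (src, dst), attempts in by_pair.items():
        runs, run = [], [attempts[0]]
        for prev, cur in zip(attempts, attempts[1:]):
            if cur[2] == prev[2] + 1 and (cur[0] - prev[0]).total_seconds() <= max_gap_s:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        for run in (r for r in runs if len(r) >= min_run):
            allowed = [p for _, a, p in run if a == "ALLOW"]   # where the callback got out
            alerts.append({"src": src, "dst": dst, "ports": (run[0][2], run[-1][2]),
                           "attempts": len(run), "first_allowed": allowed[0] if allowed else None})
    return alerts

def detect_sample():
    return find_port_walks(parse_firewall_log(SAMPLE_LOG))
```

The walk only shows up because dropped outbound connections are logged; a range block like 3000-6000 merely delays the callback, which is why the page's victim ends up talking to port 6001.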