(PROBLEM) Pentesting scenario - php/meterpreter to windows/meterpreter
Hi,
I am testing the following scenario at the moment: Windows XP SP3, fully updated, built-in firewall, newest NOD32 Antivirus, updated.
Standard payloads from Metasploit are being detected by NOD32; however, I managed to establish fully transparent sessions through php/meterpreter/reverse_tcp. How I did it I would like to describe later; it will be part of a bigger tutorial. In short, I used the PHP meterpreter the same way as the Windows meterpreter: everything in one executable file.
This is where it gets difficult. The PHP meterpreter has very limited functionality. I would like to do a small brainstorm. How do I now get a full session on the target through windows/meterpreter, or hmm, some other payload??? Perhaps other ideas for totally taking over the test machine?
NOD32 is still fully working.
It has self-defence functions: the ekrn.exe process as well as its files are protected; even logged on as administrator, one doesn't have permission to turn the process off.
PHP/METERPRETER has the following functionalities:
- stdapi:filesystem commands: ls, rm, pwd, cd, upload, download, cat, edit
- stdapi:system commands: ps, kill, execute*, getpid, getuid, sysinfo
- stdapi:network commands: portfwd
- msfconsole commands: route
I am inviting comments.
Best Regards
P.S. sorry for my weak English.
Re: (PROBLEM) Pentesting scenario - php/meterpreter to windows/meterpreter
Have you considered trying to upload another payload via the php session, maybe with the payload backdoored into a legitimate Windows executable? Or using some other encoding type to bypass the AV and establish a full session.
Another thing you might want to give a try would be a Java payload, perhaps? Although I don't know if you have Java installed.
If you cannot kill the AV process as admin, I would think the only approaches would be: encoding to bypass, or privilege escalation to kill it (which may be difficult with your limited PHP functionality).
Re: (PROBLEM) Pentesting scenario - php/meterpreter to windows/meterpreter
Quote: Originally Posted by num3r
Hi,
I am testing the following scenario at the moment: Windows XP SP3, fully updated, built-in firewall, newest NOD32 Antivirus, updated.
Standard payloads from Metasploit are being detected by NOD32; however, I managed to establish fully transparent sessions through php/meterpreter/reverse_tcp. How I did it -
Or you could obfuscate the payload via the built-in Metasploit encoders.