I am testing the following scenario at the moment: Windows XP SP3, fully updated, built-in firewall, newest NOD32 Antivirus, updated.
Standard payloads from Metasploit are being detected by NOD32; however, I managed to establish fully transparent sessions through php/meterpreter/reverse_tcp. How I did it I would like to describe later; it will be part of a bigger tutorial. In short, I used the PHP meterpreter the same way as the Windows meterpreter: everything in one executable file.
This is where the difficulties begin. The PHP meterpreter has very limited functionality. I would like to do a small brainstorm. How now to get full sessions through windows/meterpreter on the target, or hmm, some other payload??? Perhaps other ideas for totally taking over the test machine?
NOD32 is still fully working.
It has self-defence functions: the ekrn.exe process as well as its files are protected; even logged on as administrator you don't have permissions to turn the process off.
PHP/METERPRETER has the following functionality:
- stdapi:filesystem commands: ls, rm, pwd, cd, upload, download, cat, edit
- stdapi:system commands: ps, kill, execute*, getpid, getuid, sysinfo
- stdapi:network commands: portfwd
- msfconsole commands: route
I invite comments.
P.S. sorry for my weak English.