Weaponised Interactive PowerShell Session With Metasploit

A colleague, @benpturner, and I came up with this from an idea I had: it gives an interactive PowerShell session from Metasploit, using newly developed Metasploit payloads.

Check out the blog post here for more information – https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit

Enjoy

Dave

Update to Metasploit Framework v4.10.1-dev – Changes needed.

The recent update to Metasploit Framework 4.10.1-dev brought in some changes, and some things stopped working for me.
Firstly, the new version expects database.yml to live in a newly created config folder inside the framework's directory.
This is fixed simply by copying the existing database.yml file into the new folder:

cp /opt/framework/database.yml /opt/framework/config/database.yml

Another change stopped my custom msfconsole.rc file from being loaded automatically. I use the file to load the pentest and nessus plugins by Carlos Perez (https://github.com/darkoperator?tab=repositories)

and to change the console prompt so it shows my local IP address and how many sessions and jobs are running:

load pentest
load nessus
load history
set PROMPT %blu%T %redS:%S %yelJ:%J %redIP:%L %grn msf

Anyway, the way to make this load at run time is with the following command:

msfconsole -r /root/.msf4/msfconsole.rc

Another issue has come to light today, which only affects me if I just run

msfconsole or ./msfconsole

The newer version of Metasploit requires a database to be set up and running. You can bypass the error, if you don't want a database set up, by running:

msfconsole

Or, as I do, use a small shell script located in /usr/local/bin which takes care of starting and stopping the PostgreSQL server as required:

#!/bin/bash
# Start the PostgreSQL server that the framework's database needs
systemctl start postgresql
cd /opt/framework
# Point msfconsole at the database config and load the custom rc file
./msfconsole -y database.yml -r /root/.msf4/msfconsole.rc
# Stop PostgreSQL again once msfconsole exits
systemctl stop postgresql
exit

This should make things work as they previously did.
If your file and folder locations for the framework are different, make sure you substitute them into the commands.

Finding Exposed Http(s) Admin Pages

This post is a kind of fix for a really great series of posts by Chris Gates (@carnalownage). He wrote a blog post about finding exposed web admin pages on a network using Metasploit's database, Firefox and a plugin called Linky; read it here: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html

Since the article was written, the Rapid7/Metasploit devs chose to change the way web services are listed in Metasploit's database: they changed them from 'http' and 'https' to just plain 'www'.

Edit: the http and https labels have reappeared! The script should still work; just alter the services command to include http and https.

I was on an internal network test this week and wanted to look for exposed web admin pages, so I had to modify the Ruby script that Chris wrote. Not rocket science, but the thing works now.

Continue reading “Finding Exposed Http(s) Admin Pages”

Installing Metasploit Framework GIT version

Recently, with the release of Metasploit 4.5, the developers changed the way the framework is updated: previously it was done via 'svn', but for various reasons it is now updated via 'git'.

The developers also chose to change the 'Community' version somewhat. They removed a large chunk of code that was largely duplicated, and this and other changes have altered the update frequency of the framework. The Community version now only receives updated modules etc. on a weekly basis, as the updates are QA'ed in the same way the Pro version is. The Community version also has to be activated before it can be updated.

There is still a way for developers, pentesters, or anyone who just wants the latest version. It follows the 'old way', where the framework shipped without the database but with support to connect to one.

I'll show you here how to set up the git version of the framework. I did this on my pentesting laptop, which runs Arch Linux, but as the framework is written in Ruby it should be much the same on any distro.

First off, we need to install git, if you don't already have it installed:

sudo pacman -S git

Continue reading “Installing Metasploit Framework GIT version”

Metasploit MS08_067 Scanner Version 2

Following on from the previous post, I've improved the MS08_067 scanner by replacing the sledgehammer approach (scan everything) with a more defined and controlled one: get some hosts, work out whether they might be a Windows box, and only then run the check.

Here is the script:

<ruby>
###########################################################
#Must set Global RHOSTS via setg RHOSTS xxx.xxx.xxx.xxx/xx#
###########################################################
#Check to see if RHOSTS is set Globally
if (framework.datastore['RHOSTS'] == nil)
  print_line("Please set RHOSTS globally with this command setg RHOSTS xxx.xxx.xxx.xxx/xx...exiting")
  return
end

#Populate the Metasploit database with some hosts via db_nmap
##############################################################

#Setup NMAP Options (OS detection, fastest timing template)
nmapopts = "-O -T 5"
run_single("db_nmap #{nmapopts} #{framework.datastore['RHOSTS']}")

#Remove RHOSTS so it does not leak into the exploit module's options
run_single("unsetg RHOSTS")

#Walk every host/service db_nmap recorded in the current workspace
framework.db.workspace.hosts.each do |host|
  host.services.each do |serv|
    next if not serv.host
    next if (serv.state != ServiceState::Open)
    #Only SMB/NetBIOS-looking services are of interest
    if (serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios/ or serv.port == 445 or serv.port == 139 or serv.port == 137)
      #Only run the module's check against hosts with 445 open
      if(serv.port == 445)
        run_single("use exploit/windows/smb/ms08_067_netapi")
        run_single("set RHOST #{host.address}")
        run_single("check")
      end
    end
  end
end
</ruby>

There are some changes to the way the resource script works. First we need to set the global variable RHOSTS, which can be done with the 'setg RHOSTS xxx.xxx.xxx.xxx/xx' command.

Then we just fire up the resource script as before, but this time you will get a bunch of nmap output.

I used a db_nmap scan to populate the database.

Then, if there are any Windows hosts on the network with the correct services listening, you will see this;

And the rest is down to you… Enjoy.

Credit to the MSF guys, as a couple of lines of code were taken from the default resource scripts that ship with the framework, and of course to @mubix for the initial rapid psexec script that this was based upon.

Metasploit MS08_067 Scanner Resource Script

Today I've been messing around with Metasploit and came up with this. It's not rocket science, and it uses a bit of code from another resource script written by @mubix; you can find it here: http://www.room362.com/blog/2010/9/12/rapid-fire-psexec-for-metasploit.html

Anyway, I thought: why not try to write some resource scripts that look for 'low hanging fruit', to speed up the pwnage on big network penetration tests.

The ms08_067 exploit module supports the 'check' function, which we use to find vulnerable hosts. Some other exploit modules support it too, but not all of them.

Here's the code; it's pretty self-explanatory, just set the rhosts variable in the script. Note that in a resource file the Ruby part has to sit between <ruby> and </ruby> tags, otherwise msfconsole treats each line as a console command.

################################################
# MS08_067 Vulnerability Checker Resource Script
################################################
use exploit/windows/smb/ms08_067_netapi

<ruby>
require 'rex/socket/range_walker'
#################################################
#Set rhosts to be network range you want to check
#################################################
rhosts = "192.168.0.0/24"
#RangeWalker expands the CIDR into individual addresses
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
  #Point the module at each host in turn and run its check
  self.run_single("set RHOST #{rhost}")
  self.run_single("check")
end
</ruby>

Copy the code into a file called ms08_067_checker.rc and save it in /root/.msf4/scripts/resource (or /yourusername/.msf4/scripts/resource) to be able to use it directly from msfconsole.
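As an added example (not the blog's own code, and not Metasploit's API), here is the host-selection logic of the two MS08_067 resource scripts above, modelled in plain Ruby so it can be run and tested without msfconsole or a database. Rex::Socket::RangeWalker is stood in for by the standard-library IPAddr, and the framework.db hosts/services table by a constructed in-memory array; the names expand_range, hosts_to_check, check_commands and SAMPLE_SERVICES are mine, and the sample rows are made up, not scan data.

```ruby
require 'ipaddr'

# Stand-in for Rex::Socket::RangeWalker (assumption: IPAddr is enough here):
# expand a CIDR into the host addresses the first script iterates over.
def expand_range(cidr)
  IPAddr.new(cidr).to_range.map(&:to_s)
end

# Constructed sample of what db_nmap would leave in the Metasploit database,
# one row per service, mirroring the host.address / serv.port / serv.state /
# serv.name fields the second script reads. Not real scan data.
SAMPLE_SERVICES = [
  { host: '192.168.0.10', port: 445, state: 'open',     name: 'microsoft-ds' },
  { host: '192.168.0.10', port: 139, state: 'open',     name: 'netbios-ssn'  },
  { host: '192.168.0.11', port: 445, state: 'filtered', name: 'microsoft-ds' },
  { host: '192.168.0.12', port: 22,  state: 'open',     name: 'ssh'          },
  { host: '192.168.0.13', port: 445, state: 'open',     name: 'microsoft-ds' },
  { host: '10.0.0.5',     port: 445, state: 'open',     name: 'microsoft-ds' }
].freeze

SMB_NAMES = /smb|microsoft-ds|netbios/
SMB_PORTS = [137, 139, 445].freeze

# The second script's filter: an open service that looks like SMB/NetBIOS,
# but only hosts with 445 open actually get a check queued. Hosts outside
# the RHOSTS range are ignored, and a host with both 139 and 445 open is
# listed once.
def hosts_to_check(services, cidr)
  net = IPAddr.new(cidr)
  services.select { |s|
    net.include?(IPAddr.new(s[:host])) &&
      s[:state] == 'open' &&
      (s[:name] =~ SMB_NAMES || SMB_PORTS.include?(s[:port])) &&
      s[:port] == 445
  }.map { |s| s[:host] }.uniq
end

# The msfconsole commands the resource script would hand to run_single for
# those hosts; built as strings only, nothing is executed here.
def check_commands(hosts)
  ['use exploit/windows/smb/ms08_067_netapi'] +
    hosts.flat_map { |h| ["set RHOST #{h}", 'check'] }
end

if __FILE__ == $PROGRAM_NAME
  hosts = hosts_to_check(SAMPLE_SERVICES, '192.168.0.0/24')
  puts check_commands(hosts)
end
```

Run it with plain ruby to see the command list the v2 script would feed to run_single for the sample table. The filtered 445 on 192.168.0.11 and the out-of-range 10.0.0.5 are dropped, which is the point of the v2 approach over walking every address in the range.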
The resource script output is as below:

Unlucky…

Woot, we’re in luck.

The rest is simple. Happy hunting.

Metasploit POST Module – Interesting Documents Finder

I wrote this metasploit post module to search and download files from compromised hosts.

Initial credit to @3vilJohn whose module inspired this. http://johnbabio.wordpress.com

It searches open Metasploit sessions for Word, Excel, PDF and user-specified file types.

It can also enumerate and search specified drives, using a bit of Railgun kung-fu from Mubix (http://www.room362.com).

You can set the dump location for the downloaded files and even attempt to elevate privileges with a Get_System function, useful for when you're in as an unprivileged user.

Here are some screenshots of it in action:

Continue reading “Metasploit POST Module – Interesting Documents Finder”

Active Directory KungFu – Messing With Users & Computers

Recently, on an internal pentest, I needed to get a new user into the Domain Admins group, which I couldn't manage to accomplish with the usual net localgroup group username /add /domain command. I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.

I really needed to get a user into Domain Admins; I had a token impersonation of a domain admin, but couldn't sign on to a DC because I had no password.

So I thought: what about the Directory Services commands – DSQUERY, DSMOD, and all of the other DS commands? I might be able to add a user to the Domain Admins group that way.

DSQUERY Command @ Technet

http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx

DSMOD Command @ Technet

http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx

So, OK, let's have a look at these commands and what to do with them.

Continue reading “Active Directory KungFu – Messing With Users & Computers”

Anti Virus Evasion Techniques

Recently I’ve been playing around with various methods for evading Anti Virus, when deploying a payload to a victim, either through Metasploit or other means.

It seems the AV vendors are targeting the standard Metasploit methods of encoding payloads, so we have to be a bit more devious to get the payload onto our victim.

What I'm not going to do, though, is give you direct AV avoidance commands. I have not put any of these payloads through VirusTotal – that's up to you. I'm just trying to show you how it is possible, and you should experiment on your own systems and not someone else's – after all, it is illegal.

There are a few avenues I'm going to explore in this post, from standard Metasploit encoding through multi-encoding payloads and IExpress.

Continue reading “Anti Virus Evasion Techniques”