
metasploit


viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Thu May 28, 2009 3:04 pm

metasploit

I am having a little trouble with Metasploit. I tried to penetrate my Windows XP box with the RPC exploit code, and after a successful connection using Meterpreter, all it could do was say "connection reset by peer", like below. What could be the cause of this problem? Anyone with ideas, please?

[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.*.*:52376 -> 192.168.*.*:27991)
[-] Exploit failed: Connection reset by peer

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 28, 2009 4:28 pm

Re: metasploit

Any firewall or A/V products running on the victim's box? It could be that something you are doing is setting off a signature.

After you run the exploit and get this error, see if you can list the sessions and then choose one to interact with:

sessions -l (will list sessions)
sessions -i x (x is the number of the session you want to interact with)
~~~~~~~~~~~~~~
Ketchup

ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Thu May 28, 2009 5:45 pm

Re: metasploit

Are you using a stager payload?

I remember a while back, when playing around with Metasploit, that I could only get the exploit to work if I used a stager payload. I can't remember which ones are or aren't staged now. I think it may say so in the payload description.

EDIT---

From the metasploit 3.2 changelog:
The Windows payload stagers have been updated to support targets with
NX CPU support. These stagers now allocate a read/write/exec segment of
memory for all payload downloads and execution.


Some more info on wikipedia about NX bit:
http://en.wikipedia.org/wiki/NX_bit
Last edited by ethicalhack3r on Thu May 28, 2009 5:52 pm, edited 1 time in total.

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Thu May 28, 2009 6:20 pm

Re: metasploit

Thanks for the advice. I actually ran the sessions -l command and it shows I'm connected to the target, and when I run the execute -f cmd -H -c command, it returns me back to msf>. I deactivated the firewalls and A/V running on the target system and I get the same result... Also it does not give me the Meterpreter box at all; that's another issue.

Also, when I run another exploit I compiled myself against the target using the MSRPC port, it tells me the exploit failed, and the next thing I see on the target screen is a generic problem and that the system needs to shut down, so it shuts down the system rather than connecting to it and giving a live session... The target is a Win XP SP2.

Also, I now tried framework2 and got the Meterpreter session but cannot execute.

meterpreter> execute
Usage: execute -f file [ -a args ] [ -Hc ]
  -f <file>  The file name to execute
  -a <args>  The arguments to pass to the executable
  -H        Create the process hidden
  -c        Channelize the input and output
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>

That's all I got.
Last edited by viruz on Thu May 28, 2009 7:01 pm, edited 1 time in total.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 28, 2009 8:26 pm

Re: metasploit

That's weird. If you compiled your own exploit, it's fairly natural for it to crash the process you're targeting. Sometimes the crash is not so controlled. What happens when you do sessions -i 1? Can you interact with the session? What's your host OS for Metasploit?
~~~~~~~~~~~~~~
Ketchup

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Thu May 28, 2009 9:42 pm

Re: metasploit

I am using BackTrack 3 Final, and I run Metasploit on it also.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 29, 2009 7:22 am

Re: metasploit

viruz, you aren't setting the LHOST option to the loopback address? I did that a couple of times out of laziness and got a similar result. Unless someone has a better idea, at this point I would look into capturing packets via Wireshark on both sides while you are running the exploit. See what's happening when your connection gets reset.
~~~~~~~~~~~~~~
Ketchup

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Fri May 29, 2009 10:07 am

Re: metasploit

Thanks for the advice, brother. I did set the LHOST. I will try again now and use Wireshark to sniff the packets to see what happens, as you have said. I will let you know of the progress.
Thanks a lot.

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri May 29, 2009 10:13 am

Re: metasploit

Does the same thing happen if you try another exploit, say ms08-067?
twitter.com/timmedin | http://blog.securitywhole.com

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Fri May 29, 2009 5:56 pm

Re: metasploit

Actually, I was using ms03-026. I think the problem is with the payload: I was using win32_bind_meterpreter before but changed to win32_reverse_meterpreter and it worked, gave me the Meterpreter box, and afterwards I successfully got the shell on the target machine. The issue is that the lib fails to load any time I do "use -m Process"; before, it gave an error, and when I ran it again it said the lib was already loaded, but today I ran the command and it loaded the lib successfully without an error on the first try. Then I pwned the box, was able to upload the PWump4 exe and dll and also nc exe and fully interact with the box, and also used the vncinjectdll payload, which gave me full desktop access to the target. Wow.

One question I have here: after pwning the box, using Meterpreter, is there a way I can open port 3389 on the target so I can access it via RDP?

Thanks for the advice.
Last edited by viruz on Fri May 29, 2009 7:30 pm, edited 1 time in total.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 29, 2009 8:26 pm

Re: metasploit

It's just a few netsh commands to include an exception in the firewall rules and a reg command to enable the appropriate registry settings:
http://darkoperator.blogspot.com/2009/02/how-to-get-terminal-from-shell-in.html
~~~~~~~~~~~~~~
Ketchup

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Fri May 29, 2009 10:48 pm

Re: metasploit

Ketchup,
Thanks a lot for the tutorial, it's quite interesting. My target box is a Win XP and I ran some of the commands on it, but it said they are all not recognised/invalid commands, except for ver, sc config termservice start= auto, and I know the net user etc... But all other commands could not work, dunno why though... But the telnet command worked, just the RDP.

Also, I was thinking whether it could be possible to pop up Internet Explorer from the shell. I ran explorer.exe but nothing happened, but if I run the same explorer.exe while I'm sitting on the system it pops up the Explorer page... What do you think may be wrong?
Last edited by viruz on Fri May 29, 2009 10:52 pm, edited 1 time in total.

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri May 29, 2009 11:14 pm

Re: metasploit

The netsh command is very powerful from the command line. You can open the port by just typing:
netsh firewall set portopening TCP 3389 RDP Enable

One important piece is that if you are doing a pen test you don't want to leave the system more vulnerable than it was, especially if it is internet facing. You can scope the firewall command to just allow connections from you:
netsh firewall set portopening TCP 3389 RDP Enable Custom <your ip>

You can also use the parameter names, just so you can be a little less careful with the order (same command as above):
netsh firewall set portopening protocol=TCP port=3389 name=RDP mode=ENABLE scope=CUSTOM addresses=<my ip>

reference: http://technet.microsoft.com/en-us/libr ... 90617.aspx

Make sure it is running by issuing the following command:
sc query termservice
If it isn't running you can start it:
sc start termservice

By default, Terminal Services does not allow remote connections (but most admins turn it on). To allow remote connections, use this command to change a setting in the registry:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

You can look at the options for the command by typing reg add /?
Last edited by timmedin on Fri May 29, 2009 11:16 pm, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com
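The same three settings this post changes are what a defender wants to audit after an assessment. The script below is an added example, not from the thread: it reports the fDenyTSConnections value, the TermService state, and any enabled inbound firewall rule for TCP 3389 with its remote-address scope. It assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and an elevated PowerShell session.

```powershell
# Added example: audit a Windows host for the RDP-enabling changes described above:
# a firewall exception for TCP 3389, the TermService state, and fDenyTSConnections.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated shell.
function Get-RdpExposureReport {
    $report = [ordered]@{}

    # 1. Registry: fDenyTSConnections = 0 means remote connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $report['fDenyTSConnections']       = $deny
    $report['RemoteConnectionsAllowed'] = ($deny -eq 0)

    # 2. Service: is Terminal Services running, and was its start type switched to automatic?
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $report['TermServiceStatus']    = if ($svc) { [string]$svc.Status }    else { 'NotFound' }
    $report['TermServiceStartType'] = if ($svc) { [string]$svc.StartType } else { 'NotFound' }

    # 3. Firewall: enabled inbound Allow rules for TCP 3389 and their remote-address scope.
    #    A scope of 'Any' corresponds to the unscoped netsh command shown in the post.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $report['OpenRdpRules'] = @(foreach ($r in $rules) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Name = $r.DisplayName; Profile = [string]$r.Profile; RemoteAddress = $remote }
    })
    [pscustomobject]$report
}

$r = Get-RdpExposureReport
$r | Format-List
$r.OpenRdpRules | Format-Table -AutoSize

# Flag the combination that leaves RDP reachable from anywhere.
$unscoped = @($r.OpenRdpRules | Where-Object { $_.RemoteAddress -eq 'Any' })
if ($r.RemoteConnectionsAllowed -and $unscoped.Count -gt 0) {
    Write-Warning "RDP is enabled and allowed from any address by: $($unscoped.Name -join ', ')"
}
```

Compare the output against the host's baseline; a rule named RDP scoped to a single address, as in the post, is exactly the kind of leftover this report surfaces.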

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri May 29, 2009 11:27 pm

Re: metasploit

viruz wrote: Also, I was thinking whether it could be possible to pop up Internet Explorer from the shell. I ran explorer.exe but nothing happened, but if I run the same explorer.exe while I'm sitting on the system it pops up the Explorer page... What do you think may be wrong?

If you run explorer.exe it will pop up an Explorer window on the user's desktop, probably not what you want to do since that may alert the user that something funny is happening. What you are doing is starting the explorer process under the context of your current user (the user who had the browser open). There is no facility in Windows to direct the GUI Explorer window back to your machine. You could access an admin share (c$) and browse with the GUI that way.

Most of what you are going to have to do will be via the command line, so you will have to work on your command line kung fu (blog.commandlinekungfu.com). Ed Skoudis has written on the subject and given a few presentations on command line kung fu. Core Security has a few of the webcasts archived, but I don't recall which ones off of the top of my head (they are all very good).

Most importantly, if you RDP to the machine and it is a non-server version (XP or Vista), the current user will be kicked out of the current session, which will really alert someone to a problem.
twitter.com/timmedin | http://blog.securitywhole.com

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Fri May 29, 2009 11:45 pm

Re: metasploit

timmedin,

I must really commend your efforts, really really great. I got the full scope now and I find your post very helpful. Thanks, bro.

One more thing, lol: if I use the win32_reverse_vncinject payload, after a successful connect it pops up a shell on the target machine and then presents me with the VNC viewer. I don't know if this is normal. Also, is there a way I can just upload a RAT server to the target and later connect to it via the viewer rather than RDP, and use it as a way of maintaining access?

Answers will be really appreciated, brothers.