Metasploit mailing list archives
Re: Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns
From: "i.am iovi" <who.is.iovi () gmail com>
Date: Sat, 11 Sep 2010 20:01:33 +0930
Some meterpreter features not working, eg: getsystem On Wed, Sep 8, 2010 at 6:26 PM, <framework-request () spool metasploit com>wrote:
Send framework mailing list submissions to framework () spool metasploit com To subscribe or unsubscribe via the World Wide Web, visit https://mail.metasploit.com/mailman/listinfo/framework or, via email, send a message with subject or body 'help' to framework-request () spool metasploit com You can reach the person managing the list at framework-owner () spool metasploit com When replying, please edit your Subject line so it is more specific than "Re: Contents of framework digest..." Today's Topics: 1. Re: anyone tested killav? (Jonathan Cran) 2. Re: Simple script to swap hashes in SAM .. (John Nash) 3. Re: Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns (HD Moore) 4. Re: What is the output of msfpayload in C format (eski mo) 5. Re: anyone tested killav? (Spring Systems) ---------------------------------------------------------------------- Message: 1 Date: Tue, 7 Sep 2010 23:10:30 -0500 From: Jonathan Cran <jcran () 0x0e org> To: John Nash <rootsecurityfreak () gmail com> Cc: "framework () spool metasploit com" <framework () spool metasploit com> Subject: Re: [framework] anyone tested killav? Message-ID: <AANLkTi=Tw_z4GRzeiPFukTa877FdGFpKYtVMGcaVBCns () mail gmail com> Content-Type: text/plain; charset="utf-8" On Tue, Sep 7, 2010 at 11:01 PM, John Nash <rootsecurityfreak () gmail comwrote:Sure, let me dig a bit deeper and get back on this.As the others mentioned, make sure you're SYSTEM. Then try disabling the AV-specific services before running the killav script. "sc stop [service]" is your friend. The script could probably be easily extended to take this step. Feel free to implement, or shoot the service names back to the list & i'll get it implemented. Cheers! jcran -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://mail.metasploit.com/pipermail/framework/attachments/20100907/c4e6dfb0/attachment-0001.html------------------------------ Message: 2 Date: Wed, 8 Sep 2010 09:42:17 +0530 From: John Nash <rootsecurityfreak () gmail com> To: Carlos Perez <carlos_perez () darkoperator com> Cc: "framework () spool metasploit com" <framework () spool metasploit com> Subject: Re: [framework] Simple script to swap hashes in SAM .. Message-ID: <AANLkTi=GDTZ73=kn0=ivYCb_FjNJMcNE37MYaUw+qjPp () mail gmail com<ivYCb_FjNJMcNE37MYaUw%2BqjPp () mail gmail com>Content-Type: text/plain; charset="iso-8859-1" Carlos, maybe this is a n00b question but when i swap the hashes, this should have the same effect as a legitimate password change, right? If so, then when we change passwords the legit. way, no such issue crops up. jn On Tue, Sep 7, 2010 at 9:26 PM, Carlos Perez <carlos_perez () darkoperator com>wrote:The only problem I see with this is breaking the account you modify, if services are using this account it will break those services practically creating a DoS on the service, this could be a pain point specially depending the ROE's that might be in place during the pentest. Sent from my iPhone On Sep 7, 2010, at 10:23 AM, John Nash <rootsecurityfreak () gmail com> wrote: I had proposed creation of a new user as an option, and the "clearev" can clear the event logs ... but overall creation of a new user is a messy affair. This would definitely be the last resort .... but i am just curious ifwhati am proposing would work, theoretically to begin with? On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <<mr.r.birtles () gmail com>mr.r.birtles () gmail com> wrote:If i remember correctly ( not at my home laptop to check ) I do believe metasploit offers a script to delete event logs. Could you not add a new account. Record the login. Then remove the account and finally clean out the account creation and login events? Regards, -- Mr R Birtles On 7 September 2010 15:13, John Nash < <rootsecurityfreak () gmail com> rootsecurityfreak () gmail com> wrote:i am targeting a local account right now ... yes, it's for a pentest. Have broken in but wanted to take a video ofmelogging in as admin ... but ensuring that the admin never knows orsuspectstill he sees the final report + vid :) On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <<craigfreyman () gmail com>craigfreyman () gmail com>wrote:If its an Active Directory environment I dont think it would worksincethe password hashes are also stored with the user account unlessyou'retrying to use a local account. Is this for a pentest? On Tue, Sep 7, 2010 at 8:03 AM, John Nash <<rootsecurityfreak () gmail com>rootsecurityfreak () gmail com>wrote:Craig, I am not trying to crack the hash. Quick breakdown: 1. I will generate hashes for a given password locally 2. I will backup the hashes in the SAM for the admin account on the victim 3. I will replace the hashes in the SAM file on the victim with theonei have generated in (1) 4. I will login as admin and do what i want (i know the pass for thenewhashes stored) 5. Restore the original hashes which i backed up in (2) 6. now when the admin is back he can login without issues would this work? On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <<craigfreyman () gmail com>craigfreyman () gmail com>wrote:I dont know, I doubt it. Have you tried running your hash through something like <http://www.lmcrack.com/index.php>http://www.lmcrack.com/index.php ?On Tue, Sep 7, 2010 at 7:56 AM, John Nash <<rootsecurityfreak () gmail com>rootsecurityfreak () gmail com>wrote:the OS is win 2003 server ... i know i can run a keylogger after attaching to winlogon.exe or some other process attached to thewinlogondesktop in winsta0 but waiting for an admin may take too long ... would the solution i am proposing work? if it does, wait time isalmost0. On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <<craigfreyman () gmail com>craigfreyman () gmail com>wrote:What is the OS of the box you popped? Do you already havemeterpreter?Did you try running a simple keylogger to have the Admin give thepasswordright to you? On Tue, Sep 7, 2010 at 3:18 AM, John Nash < <rootsecurityfreak () gmail com>rootsecurityfreak () gmail com>wrote:Hello List, While trying some post exploitation, one of the major issues iguessis to login to the system as a user over rdp. We can do this in a couple of ways: create a new user <--- will create alarms change the password of existing user in case of (2) i was wondering would it be possible to just swaptheexisting hash with a new one (we now the password which hashestothis one).... then do all we need to on the remote system .... then just replace the old hash for the original password backintothe SAM. Is there any reason why this should not be possible? If yes, a meterepreter script could do this job very easily .... thoughts? Rgds, jn _______________________________________________ <https://mail.metasploit.com/mailman/listinfo/framework>https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ <https://mail.metasploit.com/mailman/listinfo/framework>https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework-------------- next part -------------- An HTML attachment was scrubbed... URL: < http://mail.metasploit.com/pipermail/framework/attachments/20100908/2ff6de9f/attachment-0001.html------------------------------ Message: 3 Date: Tue, 07 Sep 2010 23:14:06 -0500 From: HD Moore <hdm () metasploit com> To: framework () spool metasploit com Subject: Re: [framework] Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns Message-ID: <4C870D8E.4080409 () metasploit com> Content-Type: text/plain; charset=ISO-8859-1 On 9/7/2010 10:04 PM, i.am iovi wrote:when connecting to x64 system with windows/meterpreter/reverse_tcp_dns payload, many features wont run properly.Can you be more specific? ------------------------------ Message: 4 Date: Tue, 7 Sep 2010 21:37:34 -0700 From: eski mo <eskimo.ganges () gmail com> To: egypt () metasploit com, framework () spool metasploit com Subject: Re: [framework] What is the output of msfpayload in C format Message-ID: <AANLkTinkjU-Rtu4de0uJLQC80b5U5=6NhA7pirKuj6TR () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 Thanx for the info egypt, it indeed helped. I got two more query :- 1. How do i write code (between the connection of stage1 and passing of stage2 over stage1). something like look for a socket patter and then load the stage2 ?. Tried surfing msf directory , but no clue. 2. when i write a shell code ( any , for eg to get cmd prompt , take from exploit-db) inside a dll, and paste the dll for dll-hijack it doesnt run. but forensics show the dll is loaded ... Regards eskim0 On Tue, Sep 7, 2010 at 8:56 AM, <egypt () metasploit com> wrote:The first stage will not return, it executes the second stage. ?So your testing code does not need stage2 as that should come from the network. ?If you're using metasploit as the handler, it will be sent automatically based on your settings. ?If you're trying to build a client in C for handling the stage, it would have to send stage2 over the stage1 connection and then deal with whatever stage2 does (e.g. talk to a shell on the same socket). Hope this helped, egypt On Tue, Sep 7, 2010 at 12:13 AM, eski mo <eskimo.ganges () gmail com>wrote:I think i moved one step ahead , solution to my last query was that load stage1 ?then WAIT FOR REPLY FROM SERVER and then load stage2 .... the code goes likethis :- //////////// ?char stage1[] = " ...code .."; ?char stage2[] = " ...code.."; ? int (*func)(); ? func = (int (*)()) stage1; ?////// wait for server to be ready for stage2 ?////// what code will go here??? ? int (*func)(); ? func = (int (*)()) stage2; ?/////////// pointers plz guyz.... _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework------------------------------ Message: 5 Date: Wed, 8 Sep 2010 08:56:14 +0000 From: Spring Systems <korund () hotmail com> To: <rootsecurityfreak () gmail com>, <framework () spool metasploit com> Subject: Re: [framework] anyone tested killav? Message-ID: <BAY147-w3824D1D0D720BE84C9F1ADC6720 () phx gbl> Content-Type: text/plain; charset="iso-8859-1" One note: when killav kills antiviruses, does this cause popping Microsoft Security Center alert? If yes, does it possible extend script to disable this Microsoft Security Center alert? It should'nt be too difficult, seems? Date: Tue, 7 Sep 2010 23:50:18 +0530 From: rootsecurityfreak () gmail com To: framework () spool metasploit com Subject: [framework] anyone tested killav? I just tried it on a local setup with AVG 9 free edition and it is unable to kill the av processes. Checked the script and found that the latest version of AVG has many more processes loaded, so when killav kills some of them, i guess the watch dog process seems to bring them right back up. Anyone else notice the same issue? jn _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://mail.metasploit.com/pipermail/framework/attachments/20100908/22cc6786/attachment.html------------------------------ _______________________________________________ framework mailing list framework () spool metasploit com https://mail.metasploit.com/mailman/listinfo/framework End of framework Digest, Vol 32, Issue 17 *****************************************
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns i.am iovi (Sep 07)
- Re: Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns HD Moore (Sep 07)
- <Possible follow-ups>
- Re: Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns i.am iovi (Sep 11)