Unit 4: Exploits and Exploiting 4.1 Exploits and Exploiting Exploit Demos 2

Backdoor Demo

>> Once you have exploited a system, it's very important to maintain that level of access
as patches, firewalls and other fixes may occur over time.
These changes to an exploited system may prevent you
from using the same exploit at some point in the future.
To maintain persistence, we will be using the tool called Netcat to create a backdoor.
In the Windows XP VM, I'll click Start, Run, type in msconfig and check out the Start Up tab.
The Start Up tab doesn't show any specific programs being launched automatically
as the system boots.
For now, that is.
Back in the meterpreter, this command uploads the Windows version of Netcat,
nc.exe, to the compromised system.
Netcat is the TCP/IP Swiss army knife.
You can read from and write to network connections using TCP or UDP.
Also, note the use of double backslashes in the Windows path, representing an escape character
and then the literal backslash character.
This command checks out what is set in one of the run keys
in the registry on the Windows XP system.
Values in this key represent programs that will run every time the system starts.
This command writes a value.
That's what the -v represents here, value,
to the registry key we accessed in the previous step; -d represents the data for the value.
Specifically, we are starting a Net Cat listener on port 5000 of the compromised system
so we can get back into the system with significantly less effort than before.
This will happen every time the Windows XP system boots.
The uppercase -L option stands for "listen harder": relisten on socket close.
The -d option stands for detach from console, background mode.
And the -p option stands for local port number,
which in this case is 5000.
The -e option specifies the inbound program to execute,
which in this case is good old cmd.exe.
A check of the key, value and data lets us know that we are good to go.
Before we test out our backdoor, we have one more thing to do.
As you might imagine pentesters and hackers want to cover tracks.
It's usually the last step in any attack.
In the Windows XP VM, let's examine Event Viewer.
Do you see the log entries?
In meterpreter, after executing the clearev command, the log entries are gone.
Now, the logs of our specific activity are gone, but this does scream out, "You've been hacked!",
as does this entry that was just added, which says the audit log was cleared.
From meterpreter, let's reboot the Windows XP system.
Now, let's open up a new terminal
and see if we can get into the Windows XP system through our Netcat backdoor listener.
We're going to specify a destination port of 5000.
Holy cow! Bam!
Just like that, we are in the Windows XP system.
When we go back to the Windows XP VM and view the Startup tab of msconfig --
what do we see?
That's our backdoor right there.
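The two artifacts this demo leaves behind are a Netcat listener in a Run key and a cleared Security log. The following is an added example written here for the defender's side, not code from the course or from Metasploit: it checks a snapshot of Run-key values for the listener pattern described above and scans a log excerpt for "audit log was cleared" events. The Run-key values and log entries are constructed sample data; the event IDs are the standard Windows ones (517 on XP, 1102 on Vista and later).

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshot of a Run key; the demo writes nc.exe into one of these.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "nc": r"C:\WINDOWS\system32\nc.exe -L -d -p 5000 -e cmd.exe",
    "updater": r"C:\Program Files\Vendor\update.exe /quiet",
}

# Constructed Security log excerpt as (event_id, description) pairs.
# 517 is "The audit log was cleared" on Windows XP; 1102 on Vista and later.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (528, "Successful Logon"),
    (517, "The audit log was cleared"),
    (592, "A new process has been created"),
]

# The options walked through in the demo: -L/-l listen, -d detach, -e execute, -p port.
FLAG_RE = re.compile(r"(?<!\S)-(L|l|d|e|p)(?!\S)")
SHELL_RE = re.compile(r"-e\s+\S*cmd\.exe", re.IGNORECASE)
PORT_RE = re.compile(r"-p\s+(\d+)")


def suspicious_run_values(values: Dict[str, str]) -> List[dict]:
    """Return Run-key entries that look like a Netcat listener bound to a shell."""
    hits = []
    for name, cmd in values.items():
        parts = cmd.split()
        exe = parts[0].lower() if parts else ""
        flags = set(FLAG_RE.findall(cmd))
        port = PORT_RE.search(cmd)
        reasons = []
        if exe.endswith(("nc.exe", "ncat.exe")):
            reasons.append("netcat binary in autorun")
        if SHELL_RE.search(cmd):
            reasons.append("-e cmd.exe binds a shell to the socket")
        if flags & {"L", "l"} and port:
            reasons.append(f"listener on port {port.group(1)}")
        if reasons:
            hits.append({"key": RUN_KEY, "value": name, "command": cmd, "reasons": reasons})
    return hits


def log_cleared_events(events: List[Tuple[int, str]]) -> List[int]:
    """Indices of 'audit log cleared' events; one of these right after a gap is the tell."""
    return [i for i, (eid, _) in enumerate(events) if eid in (517, 1102)]
```

On a live host the same functions would be fed the output of `reg query` on each Run key and an export of the Security log.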

 

Armitage Demo

>> Let's take a look at Armitage, a GUI front-end for the Metasploit framework.
In Kali, we can click on the side-bar menu,
or go to applications, exploitation tools, Armitage.
I'm going to click connect, I'm going to click yes.
Don't worry, this connection-refused issue will shortly resolve itself.
Here we are in the Armitage GUI.
Hosts have already been discovered, including IP addresses and in some cases operating systems.
To run your own scans you'd go to hosts, Nmap Scan, and select one of these scans.
The lower pane using tabs represents what you would be typing
into the console if you were using this GUI.
Along with the corresponding output.
Furthermore you can type directly into this pane at the MSF prompt.
I'm going to click on the Windows XP box
and in the left pane select exploit, Windows, SMB, ms08_067_netapi.
I can either drag and drop it on the Windows XP box or double-click it.
You'll notice the options and values are fully populated, I'm going to put a check
by "use a reverse connection" and click launch.
When the machine is owned, you'll see a red border with lightning.
Now I'm going to right click on the host, select Meterpreter one, interact, Meterpreter shell.
I could even open up a Windows command line interface as well.
Let's go back to Meterpreter.
We're going to check out information on this post-exploitation module: enable_rdp.
This module enables the Remote Desktop service, RDP.
It provides the options to create an account and configure it to be a member
of the local administrators and remote desktop users group.
It can also forward the target's port 3389 TCP.
We're going to run this post-exploitation module, adding in a couple of parameters:
Username equals hacker, password equals hacker.
Enabling remote desktop.
Setting Terminal Services service startup mode.
Setting user account for logon.
Adding user hacker with password hacker.
Adding user hacker to local group Remote Desktop Users.
Hiding user from Windows login screen.
Adding user hacker to local group Administrators.
You can now log in with the created user.
Remember idle time?
It's been over three minutes since the Windows XP user has touched his keyboard.
That could prove to be very valuable information for what we're about to do.
I'm going to open up a terminal
and type in rdesktop,
-u for username, hacker,
-p for password, hacker,
and now the IP address of the XP box: 192.168.1.105.
Do I want to take control away from the administrator?
Yeah. There's a message that's displaying for the administrator right now
that somebody wants to take control away from him.
But idle time let us know he's not there and it's only a matter
of seconds before XP gives us control.
There it goes.
Now we are logged on as hacker.
We're no longer restricted by Meterpreter or the Windows command line interface,
and we can freely interact with the Windows XP box that we've compromised through the GUI.
There's our hacker account.
Let's log off.
Back in Meterpreter, for cleanup, execute a Meterpreter resource file.
This is another great example of covering tracks.
We're going to run multi_console_command -r to run the commands in this text file,
and you can see some examples of covering tracks.
Successfully deleted hacker.
Back in the XP VM,
hacker is gone.
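The enable_rdp run above changes three things a defender can audit: RDP is switched on, a new account lands in Administrators and Remote Desktop Users, and that account is hidden from the logon screen. This added example is not from the course or from Metasploit; it audits a host snapshot for exactly those changes. The two registry paths are the standard Windows locations for these settings (that the module edits precisely these is an assumption), and the registry values, group memberships and account baseline are constructed sample data.

```python
from typing import Dict, List, Set

# Standard Windows locations for these settings; that enable_rdp edits exactly
# these is an assumption. Everything below the constants is a constructed snapshot.
TS_DENY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
USERLIST = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

SAMPLE_REGISTRY: Dict[str, int] = {
    TS_DENY: 0,                    # 0 = Remote Desktop accepts connections
    USERLIST + "\\hacker": 0,      # 0 = account hidden from the logon screen
}
SAMPLE_GROUPS: Dict[str, Set[str]] = {   # as `net localgroup <group>` would list them
    "Administrators": {"Administrator", "hacker"},
    "Remote Desktop Users": {"hacker"},
}
KNOWN_ACCOUNTS: Set[str] = {"Administrator", "Guest", "HelpAssistant"}  # pre-engagement baseline


def hidden_accounts(registry: Dict[str, int]) -> Set[str]:
    """Account names whose UserList value is 0 (hidden from the logon screen)."""
    prefix = USERLIST + "\\"
    return {k[len(prefix):] for k, v in registry.items() if k.startswith(prefix) and v == 0}


def rdp_enabled(registry: Dict[str, int]) -> bool:
    """fDenyTSConnections == 0 means RDP is switched on; a missing value counts as denied."""
    return registry.get(TS_DENY, 1) == 0


def audit(registry: Dict[str, int], groups: Dict[str, Set[str]], known: Set[str]) -> List[str]:
    """Flag RDP enablement and any unknown account in the two privileged groups."""
    findings: List[str] = []
    if rdp_enabled(registry):
        findings.append("RDP is enabled (fDenyTSConnections=0)")
    hidden = hidden_accounts(registry)
    privileged = groups.get("Administrators", set()) | groups.get("Remote Desktop Users", set())
    for user in sorted(privileged - known):
        roles = sorted(g for g, members in groups.items() if user in members)
        note = f"unknown account '{user}' in {', '.join(roles)}"
        if user in hidden:
            note += ", hidden from the logon screen"
        findings.append(note)
    return findings
```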

Reposted from: https://www.cnblogs.com/sec875/articles/10028542.html
