Step 4 – Maintaining access
For future use I can dump the password hashes with the hashdump script:
run hashdump
The AV installed on my target shows no alert, because meterpreter lives only in memory. The drawback of staying in memory is that if the user reboots the machine I lose my session, and if the user installs the Microsoft patch for this vulnerability...
Figure 29. Connecting with rdesktop
Figure 30. Log me in
Figure 31. Disabling AV
Figure 32. Meterpreter service
...I lose my session forever. Meterpreter has two ways to maintain access, but both need to write something to the hard disk, and that is where the AV wins. Let's try:
run metsvc (metsvc has some options, but they don't matter here).
As you can see in Figure 21, meterpreter can't create the service, and if you go to the target console you can see the AV popup (Figure 22). Not good.
Figure 33. Listening ports
Figure 34. Deleting user
Figure 35. Disabling RDP
Fail again. If you type run metsvc -h you get the help, and with run metsvc -r you can uninstall the service. With the AV in the way it is possible that part of the service did get installed, so it is better to remove it before continuing with our experiments (Figure 24).
With the ps command you can list the AV processes. In my case the AV is Avast and the processes are AvastSvc and AvastUi, but you can't kill them: today most AV products protect their services from being stopped, and in many products you can't even modify the registry keys for these services (Figure 25). OK, bypassing the AV is too hard for me, so I will try the second way (Figure 26):
run persistence
But the AV wins again, no way (Figure 27). OK, forget persistence for a few moments.
Now I want to get RDP access, and for that I need to create a new admin user:
load incognito (with this extension I can work with users and groups)
add_user hacker Passw0rd (adds a new user hacker with password Passw0rd)
add_localgroup_user administrators hacker (puts my newly created user in the administrators group)
Figure 36. Uninstalling metsvc
Figure 37. The target log verbosely
run getgui -e (enables RDP on the target)
Then I log on to my target with rdesktop:
rdesktop 192.168.254.11 -k it (I use an Italian keyboard)
And now I am logged on (Figure 30). Now I will disable the AV, trying the most trivial solution: from the Windows XP GUI, right-click the AV icon and disable it for a few minutes (Figure 31).
If you retry run metsvc now, the service installs, and the default metsvc port 31337/TCP is listening (Figure 32 and Figure 33).
If you scan the hard disk with your AV the meterpreter file is discovered, and the service name is too easy to spot, but this is a beginners' article. Stay tuned ;)
Figure 38. But now don’t log me
Figure 39. The log look better now
Figure 40. Yes, now look good
My first step in clearing my tracks is to remove everything I installed in order to disable the AV: from the GUI I open compmgmt.msc and delete my user hacker (Figure 34).
After that I open the remote connection settings and clear the flag that enables RDP (Figure 35).
Now I lose the RDP connection to the system; from my meterpreter console I remove the metsvc service with run metsvc -r (Figure 36).
Before closing my session one thing is still missing: the log. Just for your information, this is the log of my target machine (Figure 37).
Mmmhhh, too much information. From the meterpreter session I type clearev and all the logs are cleared (Figure 38).
If you look at the log now you can see only Security Event ID 517, the audit log was cleared, by NT AUTHORITY\SYSTEM (Figure 39), and the other logs contain nothing. Keep in mind that this single event is itself a strong sign that somebody cleaned up, and clearev only wipes the copies on the box: anything already forwarded to another host is untouched. And now you can go and drink a nice cold beer, young hacker, but this is only the beginning: the next step is to try to get a session via a client-side attack (Figure 40).