Re: Create PAYLOAD for windows/x64/meterpreter/reverse_tcp_dns

["i.am iovi" <who.is.iovi () gmail com>]

Some meterpreter features not working, eg: getsystem








On Wed, Sep 8, 2010 at 6:26 PM, <framework-request () spool metasploit com>wrote:

> Send framework mailing list submissions to
>        framework () spool metasploit com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://mail.metasploit.com/mailman/listinfo/framework
> or, via email, send a message with subject or body 'help' to
>        framework-request () spool metasploit com
>
> You can reach the person managing the list at
>        framework-owner () spool metasploit com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of framework digest..."
>
>
> Today's Topics:
>
>   1. Re: anyone tested killav? (Jonathan Cran)
>   2. Re: Simple script to swap hashes in SAM .. (John Nash)
>   3. Re: Create PAYLOAD        for
>      windows/x64/meterpreter/reverse_tcp_dns (HD Moore)
>   4. Re: What is the output of msfpayload in C format (eski mo)
>   5. Re: anyone tested killav? (Spring Systems)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 7 Sep 2010 23:10:30 -0500
> From: Jonathan Cran <jcran () 0x0e org>
> To: John Nash <rootsecurityfreak () gmail com>
> Cc: "framework () spool metasploit com" <framework () spool metasploit com>
> Subject: Re: [framework] anyone tested killav?
> Message-ID:
>        <AANLkTi=Tw_z4GRzeiPFukTa877FdGFpKYtVMGcaVBCns () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> On Tue, Sep 7, 2010 at 11:01 PM, John Nash <rootsecurityfreak () gmail com
> > wrote:
>
> > Sure, let me dig a bit deeper and get back on this.
>
>
> As the others mentioned, make sure you're SYSTEM. Then try disabling the
> AV-specific services before running the killav script.  "sc stop [service]"
> is your friend.  The script could probably be easily extended to take this
> step. Feel free to implement, or shoot the service names back to the list &
> i'll get it implemented.
>
> Cheers!
>
> jcran
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mail.metasploit.com/pipermail/framework/attachments/20100907/c4e6dfb0/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 2
> Date: Wed, 8 Sep 2010 09:42:17 +0530
> From: John Nash <rootsecurityfreak () gmail com>
> To: Carlos Perez <carlos_perez () darkoperator com>
> Cc: "framework () spool metasploit com" <framework () spool metasploit com>
> Subject: Re: [framework] Simple script to swap hashes in SAM ..
> Message-ID:
>        <AANLkTi=GDTZ73=kn0=ivYCb_FjNJMcNE37MYaUw+qjPp () mail gmail com<ivYCb_FjNJMcNE37MYaUw%2BqjPp () mail gmail 
> com>
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
> Carlos,
>
> maybe this is a n00b question but when i swap the hashes, this should have
> the same effect as a legitimate password change, right?
> If so, then when we change passwords the legit. way, no such issue crops
> up.
>
> jn
>
> On Tue, Sep 7, 2010 at 9:26 PM, Carlos Perez
> <carlos_perez () darkoperator com>wrote:
>
> > The only problem I see with this is breaking the account you modify, if
> > services are using this account it will break those services practically
> > creating a DoS on the service, this could be a pain point specially
> > depending the ROE's that might be in place during the pentest.
> >
> > Sent from my iPhone
> >
> > On Sep 7, 2010, at 10:23 AM, John Nash <rootsecurityfreak () gmail com>
> > wrote:
> >
> > I had proposed creation of a new user as an option, and the "clearev" can
> > clear the event logs ... but overall creation of a new user is a messy
> > affair.
> > This would definitely be the last resort .... but i am just curious if
> what
> > i am proposing would work, theoretically to begin with?
> >
> > On Tue, Sep 7, 2010 at 7:49 PM, ricky-lee birtles <<
> mr.r.birtles () gmail com>
> > mr.r.birtles () gmail com> wrote:
> >
> > > If i remember correctly ( not at my home laptop to check ) I do
> > > believe metasploit offers a script to delete event logs. Could you not
> > > add a new account. Record the login. Then remove the account and
> > > finally clean out the account creation and login events?
> > >
> > > Regards,
> > > -- Mr R Birtles
> > >
> > >
> > >
> > > On 7 September 2010 15:13, John Nash < <rootsecurityfreak () gmail com>
> > > rootsecurityfreak () gmail com> wrote:
> > > > i am targeting a local account right now ...
> > > > yes, it's for a pentest. Have broken in but wanted to take a video of
> me
> > > > logging in as admin ... but ensuring that the admin never knows or
> > > suspects
> > > > till he sees the final report + vid  :)
> > > >
> > > >
> > > > On Tue, Sep 7, 2010 at 7:39 PM, Craig Freyman <<
> craigfreyman () gmail com>
> > > craigfreyman () gmail com>
> > > > wrote:
> > > > > If its an Active Directory environment I dont think it would work
> since
> > > > > the password hashes are also stored with the user account unless
> you're
> > > > > trying to use a local account. Is this for a pentest?
> > > > >
> > > > > On Tue, Sep 7, 2010 at 8:03 AM, John Nash <<
> rootsecurityfreak () gmail com>
> > > rootsecurityfreak () gmail com>
> > > > > wrote:
> > > > > > Craig,
> > > > > > I am not trying to crack the hash.
> > > > > > Quick breakdown:
> > > > > > 1. I will generate hashes for a given password locally
> > > > > > 2. I will backup the hashes in the SAM for the admin account on the
> > > > > > victim
> > > > > > 3. I will replace the hashes in the SAM file on the victim  with the
> > > one
> > > > > > i have generated in (1)
> > > > > > 4. I will login as admin and do what i want (i know the pass for the
> > > new
> > > > > > hashes stored)
> > > > > > 5. Restore the original hashes which i backed up in (2)
> > > > > > 6. now when the admin is back he can login without issues
> > > > > > would this work?
> > > > > >
> > > > > >
> > > > > > On Tue, Sep 7, 2010 at 7:28 PM, Craig Freyman <<
> craigfreyman () gmail com>
> > > craigfreyman () gmail com>
> > > > > > wrote:
> > > > > > > I dont know, I doubt it.
> > > > > > > Have you tried running your hash through something
> > > > > > > like  <http://www.lmcrack.com/index.php>
> > > http://www.lmcrack.com/index.php ?
> > > > > > > On Tue, Sep 7, 2010 at 7:56 AM, John Nash <<
> rootsecurityfreak () gmail com>
> > > rootsecurityfreak () gmail com>
> > > > > > > wrote:
> > > > > > > > the OS is win 2003 server  ... i know i can run a keylogger after
> > > > > > > > attaching to winlogon.exe or some other process attached to the
> > > winlogon
> > > > > > > > desktop in winsta0
> > > > > > > > but waiting for an admin may take too long ...
> > > > > > > > would the solution i am proposing work? if it does, wait time is
> > > almost
> > > > > > > > 0.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Tue, Sep 7, 2010 at 7:20 PM, Craig Freyman <<
> craigfreyman () gmail com>
> > > craigfreyman () gmail com>
> > > > > > > > wrote:
> > > > > > > > > What is the OS of the box you popped? Do you already have
> > > meterpreter?
> > > > > > > > > Did you try running a simple keylogger to have the Admin give the
> > > password
> > > > > > > > > right to you?
> > > > > > > > >
> > > > > > > > > On Tue, Sep 7, 2010 at 3:18 AM, John Nash
> > > > > > > > > < <rootsecurityfreak () gmail com>rootsecurityfreak () gmail com>
> wrote:
> > > > > > > > > > Hello List,
> > > > > > > > > > While trying some post exploitation, one of the major issues i
> > > guess
> > > > > > > > > > is to login to the system as a user over rdp.
> > > > > > > > > > We can do this in a couple of ways:
> > > > > > > > > >
> > > > > > > > > > create a new user <--- will create alarms
> > > > > > > > > > change the password of existing user
> > > > > > > > > >
> > > > > > > > > > in case of (2) i was wondering would it be possible to just swap
> > > the
> > > > > > > > > > existing hash with a new one (we now the password which hashes
> to
> > > this one)
> > > > > > > > > > .... then do all we need to on the remote system ....
> > > > > > > > > > then just replace the old hash for the original password back
> into
> > > > > > > > > > the SAM.
> > > > > > > > > > Is there any reason why this should not be possible? If yes, a
> > > > > > > > > > meterepreter script could do this job very easily ....
> > > > > > > > > > thoughts?
> > > > > > > > > > Rgds,
> > > > > > > > > > jn
> > > > > > > > > > _______________________________________________
> > > > > > > > > > <https://mail.metasploit.com/mailman/listinfo/framework>
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > > > > > > > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > <https://mail.metasploit.com/mailman/listinfo/framework>
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > > >
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mail.metasploit.com/pipermail/framework/attachments/20100908/2ff6de9f/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 3
> Date: Tue, 07 Sep 2010 23:14:06 -0500
> From: HD Moore <hdm () metasploit com>
> To: framework () spool metasploit com
> Subject: Re: [framework] Create PAYLOAD for
>        windows/x64/meterpreter/reverse_tcp_dns
> Message-ID: <4C870D8E.4080409 () metasploit com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 9/7/2010 10:04 PM, i.am iovi wrote:
> > when connecting to x64 system with windows/meterpreter/reverse_tcp_dns
> > payload, many features wont run properly.
>
> Can you be more specific?
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 7 Sep 2010 21:37:34 -0700
> From: eski mo <eskimo.ganges () gmail com>
> To: egypt () metasploit com, framework () spool metasploit com
> Subject: Re: [framework] What is the output of msfpayload in C format
> Message-ID:
>        <AANLkTinkjU-Rtu4de0uJLQC80b5U5=6NhA7pirKuj6TR () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanx for the info egypt, it indeed helped. I got two more query :-
>
> 1. How do i write code (between the connection of stage1 and passing
> of stage2 over stage1). something like look for a socket patter and
> then load the stage2 ?.  Tried surfing msf directory , but no clue.
>
> 2. when i write a shell code ( any , for eg to get cmd prompt , take
> from exploit-db) inside a dll, and paste the dll for dll-hijack it
> doesnt run. but forensics show the dll is loaded ...
>
> Regards
> eskim0
>
> On Tue, Sep 7, 2010 at 8:56 AM,  <egypt () metasploit com> wrote:
> > The first stage will not return, it executes the second stage. ?So
> > your testing code does not need stage2 as that should come from the
> > network. ?If you're using metasploit as the handler, it will be sent
> > automatically based on your settings. ?If you're trying to build a
> > client in C for handling the stage, it would have to send stage2 over
> > the stage1 connection and then deal with whatever stage2 does (e.g.
> > talk to a shell on the same socket).
> >
> > Hope this helped,
> > egypt
> >
> > On Tue, Sep 7, 2010 at 12:13 AM, eski mo <eskimo.ganges () gmail com>
> wrote:
> > > I think i moved one step ahead , solution to my last query was that
> > > load stage1 ?then WAIT FOR REPLY FROM SERVER and then load stage2 ....
> > >
> > > the code goes likethis :-
> > >
> > > ////////////
> > > ?char stage1[] = " ...code ..";
> > > ?char stage2[] = " ...code..";
> > >
> > > ? int (*func)();
> > > ? func = (int (*)()) stage1;
> > >
> > > ?////// wait for server to be ready for stage2
> > > ?////// what code will go here???
> > >
> > > ? int (*func)();
> > > ? func = (int (*)()) stage2;
> > >
> > > ?///////////
> > >
> > > pointers plz guyz....
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 8 Sep 2010 08:56:14 +0000
> From: Spring Systems <korund () hotmail com>
> To: <rootsecurityfreak () gmail com>, <framework () spool metasploit com>
> Subject: Re: [framework] anyone tested killav?
> Message-ID: <BAY147-w3824D1D0D720BE84C9F1ADC6720 () phx gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> One note: when  killav kills antiviruses, does this cause popping Microsoft
> Security Center alert? If yes, does it possible extend script to disable
> this  Microsoft Security Center alert?
> It should'nt be too difficult, seems?
>
>
> Date: Tue, 7 Sep 2010 23:50:18 +0530
> From: rootsecurityfreak () gmail com
> To: framework () spool metasploit com
> Subject: [framework] anyone tested killav?
>
> I just tried it on a local setup with AVG 9 free edition and it is unable
> to kill the av processes.
> Checked the script and found that the latest version of AVG has many more
> processes loaded, so when killav kills some of them, i guess the watch dog
> process seems to bring them right back up.
>
> Anyone else notice the same issue?
> jn
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mail.metasploit.com/pipermail/framework/attachments/20100908/22cc6786/attachment.html
> >
>
> ------------------------------
>
> _______________________________________________
> framework mailing list
> framework () spool metasploit com
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
> End of framework Digest, Vol 32, Issue 17
> *****************************************
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework