Metasploit Roundup

Here’s a roundup of recent metasploit techniques:

Nessus Scanning through a Metasploit Meterpreter Session – []

Scenario: You are doing a penetration test. The client’s internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.

metasploit getsystem command – []

meterpreter > use priv
Loading extension priv…success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.

Safe, Reliable, Hash Dumping – []

The Metasploit Meterpreter has supported the “hashdump” command (through the Priv extension) since before version 3.0. The “hashdump” command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes its via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and by the same token avoids being flagged by antivirus (AV) and intrusion prevention (HIPS) products.

Meterpreter Pivoting Improved – []

Metasploit is getting better every time I see the activity log. Meterpreter has been improving a lot lately, it is now encrypted, multithreaded, many obfuscation techniques against detection even from memory dumping and 64bit Windows support, one of the old feature that I was really looking forward to is a revamp of the Port Forward feature.

Metasploit PSEXEC scanner (via Perl) – []

Metasploit’s pexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish that Metasploit had, is a scanner version of the psexec exploit module. So I decided to build my own with Perl.

Automating the Metasploit Console
– []

Monday, March 22, 2010
The Metasploit Console (msfconsole) has supported the concept of resource files for quite some time. A resource file is essentially a batch script for Metasploit; using these files you can automate common tasks. If you create a resource script called ~/.msf3/msfconsole.rc, it will automatically load each time you start the msfconsole interface. This is a great way to automatically connect to a database and set common parameters (setg PAYLOAD, etc). Until this morning, however, resource scripts were limited to simple console commands.

As of revision r8876, blocks of Ruby code can now be directly inserted into the resource scripts. This turns resource scripts into a generic automation platform for the Metasploit Framework.

Meterpreter Persistence

Comments are closed.