Metasploitable - your first training ground

Metasploitable is a VMware-based virtual machine running Ubuntu 8.04 Server. A number of vulnerable services have been included, among them an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older version of the MySQL server.

Persistent Meterpreter over Reverse HTTPS

Botnet agents and malware go to inordinate lengths to hide their command and control traffic. From a penetration testing perspective, emulating these types of communication channels is possible, but it often requires a custom toolkit to be deployed to the target. In this post I will walk through using the standard Metasploit Meterpreter payload as a persistent, encrypted remote control tool.

Automate the Metasploit Console

The Metasploit Console (msfconsole) has supported the concept of resource files for a long time. A resource file is essentially a batch script for Metasploit that is used to automate common tasks. For example, if you create a resource script called ~/.msf3/msfconsole.rc, it will be loaded automatically each time you start the msfconsole interface. This is a great way to automatically connect to a database and set common parameters (setg PAYLOAD, etc.).

Capturing Logon Credentials with Meterpreter

In the previous post, we described the keystroke sniffing capabilities of the Meterpreter payload. One of the key restrictions of this feature is that it can only sniff while running inside of a process with interactive access to the desktop. In the case of the MS08-067 exploit, we had to migrate into Explorer.exe in order to capture the logged-on user’s keystrokes.

Using Meterpreter For Remote Keystroke Sniffing

The development version of Metasploit now allows keystroke sniffing through Meterpreter sessions. This has been implemented as a set of new commands for the stdapi extension of Meterpreter. It works with the help of the keyscan_start command, which spawns a new thread inside of the process where Meterpreter was injected; this thread in turn allocates a large 1Mb buffer to store captured keystrokes.

Automatic Routing Through New Subnets

Among the coolest features in Metasploit is the ability to tunnel through a Meterpreter session to the network on the other side. The route command in msfconsole sets this up, but it requires a bit of experience to get right.

Exploiting the Samba Symlink Traversal

Last night a video uploaded to YouTube demonstrated a logic flaw in the Samba CIFS service. It was soon followed by a mailing list post. This bug allows any user with write access to a file share to create a symbolic link to the root filesystem, which allows access to any file on the system with the current user’s privileges.

Postgres Fingerprinting

Many database servers provide version number, platform, and other salient details to just about anyone who asks, which makes fingerprinting these applications very easy. Postgres, however, is a little shy about revealing such personal information about itself. The best way to determine the version of a Postgres database is to log in and execute a “select version()” query, but what if you don’t have the credentials?