Posts

Showing posts from March, 2018

MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploit Windows2012R2 and Windows2016

In the previous post, we covered the two new MS17-010 EternalRomance / EternalSynergy / EternalChampion SMB Remote Windows Command/Code Execution modules that Metasploit released last month: auxiliary/admin/smb/ms17_010_command and exploit/windows/smb/ms17_010_psexec. One of the notable features of the new modules is that they are supposed to work with all Microsoft OS versions post-Windows 2000; see this message on Twitter from zerosum0x0, one of the modules' authors. Therefore, I wanted to test the new modules against newer Microsoft Server versions such as Windows 2012 R2 and Windows 2016. As you will see in the video below, exploiting Windows 2012 R2 and Windows 2016 is similar to exploiting Windows 10. We will need non-admin user credentials in order to exploit successfully, because by default no named pipes are available when connecting anonymously. For learning purposes, I attempted to use the modules without specifying the credentials and I got the following error:

MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploiting Windows10 and Windows2008R2

Until early last month, Metasploit had only two modules related to the MS17-010 SMB vulnerability. The first module, auxiliary/scanner/smb/smb_ms17_010, is a scanner for detecting the MS17-010 vulnerability; we covered this module in a previous post. The second module, exploit/windows/smb/ms17_010_eternalblue, is the MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit; we also covered this exploit previously in a post here. The EternalBlue exploit was designed to work with Windows 7 and Windows Server 2008 R2 target computers, which is quite restrictive from an OS point of view. We also discussed previously the MS17-010 DoublePulsar exploit, which can be used with more OSes, but this module doesn't come by default with Metasploit and has to be downloaded and installed separately. Fortunately, last month Metasploit released two long-awaited new modules in relation to the MS17-010 vulnerability: auxiliary/admin/smb/ms17_010_command and explo

Quick Meterpreter and Metasploit tutorial - Stealing hashes and passwords, Keyloggers, Webcams and other post-exploitation modules

I thought that it would be useful, for some readers, if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit. This is the second video, and we will discuss stealing hashes and passwords, using keyloggers, accessing webcams and invoking other post-exploitation modules. The first part of this tutorial can be found here: Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands

LAB details - VM names and IP addresses
Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3
Domain users credentials: Administrator / P@ssw0rd; testuser1 / P@ssword1; testuser2 / P@ssword1
Local Administrator on W7x64-1 credentials: WinLocalAdmin / P@ssw0rd

Exploitation process
The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will foll

Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands

I thought that it would be useful, for some readers, if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit. In this first video, we will discuss the Core, System, Networking and File System commands.

LAB details - VM names and IP addresses
Kali6 (Kali Linux, attacker VM): 192.168.254.142
W7x64-1 (Windows 7, target VM): 192.168.254.70
W2008R21 (Windows 2008R2, Domain Controller): 192.168.254.99
Domain name: TESTLAB3

Exploitation process
The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will follow the steps detailed in the previous post: MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Core and System commands
We will start with the Core and System commands, and obviously the first command should be ... HELP! :-)
1. help
See below the help output for the Core and System commands:
2. sysinfo
Use "sysinfo" in order to get essential infor