When you first land on a machine you want to know quickly whether you are a plain user or an administrator, and Meterpreter has no single command for it. You can drop to a shell, list the members of the local “Administrators” group, list your own user and groups, and look for anything the two outputs share. You can run ‘getsystem’: if any technique other than KiTrap0D succeeds, you were already an administrator, because the named-pipe impersonation and token-duplication techniques need admin rights to begin with. Or you can run ‘ps’ and check whether the User column is filled in for SYSTEM processes, since a non-admin token cannot query them and leaves that column blank.
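The shell-based check above (correlate your own groups with the members of the local Administrators group) is easy to get wrong on Vista and later, where an admin account logged in interactively gets a UAC-filtered token. The script below is an added example, not code from the original post: it parses constructed sample output of `whoami /groups /fo csv /nh` and `net localgroup Administrators`, matches on the well-known Administrators SID rather than the group name, and distinguishes an elevated admin token from a filtered one (the “Group used for deny only” attribute). The host, user and group names in the samples are made up.

```ruby
require 'csv'

# Well-known SID of BUILTIN\Administrators; matching on the SID instead of the
# group name survives localized Windows installs.
ADMINISTRATORS_SID = 'S-1-5-32-544'

# Constructed sample (not from a real host): "whoami /groups /fo csv /nh" for a
# user who is in the local Administrators group but is running under a
# UAC-filtered, medium-integrity token.
WHOAMI_GROUPS_CSV = <<~'EOS'
  "Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
  "BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
  "BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
  "NT AUTHORITY\INTERACTIVE","Well-known group","S-1-5-4","Mandatory group, Enabled by default, Enabled group"
  "Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
EOS

# Constructed sample: "net localgroup Administrators" on the same host.
NET_LOCALGROUP_ADMINS = <<~'EOS'
  Alias name     Administrators
  Comment        Administrators have complete and unrestricted access to the computer/domain

  Members

  -------------------------------------------------------------------------------
  Administrator
  WORKSTATION\helpdesk
  jsmith
  The command completed successfully.
EOS

# whoami CSV -> [{name:, sid:, attrs:}, ...]
def parse_whoami_groups(csv_text)
  CSV.parse(csv_text).map do |name, _type, sid, attrs|
    { name: name, sid: sid, attrs: attrs.to_s }
  end
end

# net localgroup output -> ['Administrator', 'WORKSTATION\helpdesk', ...]
# Members sit between the dashed separator and the "command completed" line.
def parse_localgroup_members(text)
  members = []
  in_list = false
  text.each_line do |raw|
    line = raw.strip
    break if line.start_with?('The command completed')
    if in_list
      members << line unless line.empty?
    elsif line.start_with?('---')
      in_list = true
    end
  end
  members
end

# Local accounts are listed bare, domain accounts as DOMAIN\name.
def member_of?(members, user)
  short = user.split('\\').last
  members.any? { |m| m.include?('\\') ? m.casecmp?(user) : m.casecmp?(short) }
end

def admin_status(user, whoami_csv, localgroup_text)
  admins_entry = parse_whoami_groups(whoami_csv).find { |g| g[:sid] == ADMINISTRATORS_SID }
  in_token  = !admins_entry.nil?
  deny_only = in_token && admins_entry[:attrs].include?('Group used for deny only')
  in_group  = member_of?(parse_localgroup_members(localgroup_text), user)

  verdict =
    if in_token && !deny_only
      :admin_elevated   # full admin token: hashdump, getsystem etc. will work
    elsif in_group || deny_only
      :admin_filtered   # admin account, but UAC handed you a filtered token
    else
      :standard_user
    end

  { in_admin_group: in_group, admin_in_token: in_token, deny_only: deny_only, verdict: verdict }
end

if __FILE__ == $PROGRAM_NAME
  puts admin_status('WORKSTATION\jsmith', WHOAMI_GROUPS_CSV, NET_LOCALGROUP_ADMINS).inspect
end
```

The `:admin_filtered` verdict is the one the plain group correlation misses: the account is an administrator, but the token you are running under is not, so a UAC bypass comes before anything that needs admin rights.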
Exploit modules in Metasploit take a single RHOST, so there is no way to fire one at many hosts in one swing of the bat. I wrote some code to make that happen. It is really not much, but I picked up some really juicy pieces of knowledge along the way. What follows is a resource file; instead of just giving you something to download or copy and paste, I have broken it up into sections.
Ask any developer and they will tell you that the age of a project is measured not in calendar time but in worker hours, or “commits”. The Metasploit Framework hit commit 10,000 today. With the project dating back to 2003, well before the official “Revision 1”, there have been a lot of changes. Going from its initial incarnation as a network “game” written in Perl to the world’s largest Ruby project, the framework has seen its fair share of blood, sweat, and tears.
Back in 2009 the “ikee” rick-rolling worm made the rounds of jailbroken iPhones by logging in over SSH with the default root password ‘alpine’. You are now warned to change your root password the first time you open Cydia or Rock, but this thing just won’t stay down. If you have jailbroken your iPad, have a look at a little file called “master.passwd”. In it there is another user, ‘mobile’, which ships with the same default password and has been pointed out since 2008 (here) as a second iPhone account whose password needs changing.
Ever set up a multi/handler and had an odd IP hit it? Probably wrote it off as internet chatter? Think again: you might just have been caught by AV Tracker. http://avtracker.info/ tracks the IP addresses, hostnames, computer names and user agents that AV vendors and other “submit-your-malware-here” drop boxes use. Peter Kleissner and his team publish the ranges those hosts use in several forms: a dynamic text file with the IP addresses listed one per line, if you want to feed it into an auto-updating block list; a line-by-line IPTABLES block config; and even C code to compile into your binary so that it does not talk out when it finds itself on one of those addresses (I could be reading it wrong, still a beginner in C). The team has been criticized a lot by AV vendors, enough so that they took down the site in January of this year.
Metasploit’s Railgun is awesome, but getting things to work correctly can be a pain. Here are some of the resources that have helped me out: System Error Codes (MSDN) - This is hands down the best resource you have; it tells you what that stupid “5” or “1314” in the GetLastError value Railgun hands back actually means (ERROR_ACCESS_DENIED and ERROR_PRIVILEGE_NOT_HELD, respectively). Keep this tab open to circumvent crazed bovine attacks. theForger’s Win32 API Programming Tutorial - A really good place to start when you are getting to know the Windows API and the frustrations that come along with it.
Back on June 13th, “Patrick HVE” released Railgun: http://mail.metasploit.com/pipermail/framework/2010-June/006382.html It was merged into the Metasploit trunk in revisions 9709, 9710, 9711 and 9712: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712 Basically, it lets you make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows DLLs: iphlpapi, ws2_32, kernel32, ntdll, user32 and advapi32. (You can find out exactly what functions are available by default in the api.
Certainly nothing to fuss over, but I have had a fascination for years with setting my target’s wallpaper as a sort of calling card. I have long been able to set the registry value (HKCU\Control Panel\Desktop\Wallpaper), but until recently I did not know how to make the desktop refresh so the new wallpaper shows without forcing the user to log out… First, and most important, is the selection of the wallpaper. This is my first selection:
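The refresh problem above is exactly what Railgun is for, and it also shows the return-value handling the error-code resources are about. The snippet below is an added example, not the original post’s script or Railgun’s own code: one `user32!SystemParametersInfo` call both persists the wallpaper path (the same `HKCU\Control Panel\Desktop\Wallpaper` value) and broadcasts the change so Explorer repaints without a logoff, and the `GetLastError` that Railgun returns alongside the result is decoded for the two codes mentioned above. Assumptions: the function is called through Railgun’s A-suffixed user32 table as `SystemParametersInfoA` (check the loaded user32 definitions if your version names it differently), `FakeRailgun` is a constructed stand-in for `client.railgun` so the file runs outside a session, and the wallpaper path is made up.

```ruby
# SPI_SETDESKWALLPAPER tells user32!SystemParametersInfo which setting to change.
# SPIF_UPDATEINIFILE writes it to the user profile (HKCU\Control Panel\Desktop\Wallpaper);
# SPIF_SENDCHANGE broadcasts WM_SETTINGCHANGE so the desktop redraws right away.
SPI_SETDESKWALLPAPER = 0x0014
SPIF_UPDATEINIFILE   = 0x0001
SPIF_SENDCHANGE      = 0x0002

# Railgun hands back a hash with the function's return value plus GetLastError.
# The two codes the Railgun resources post grumbles about are decoded here;
# anything else is a lookup in the MSDN System Error Codes table.
WIN32_ERROR_NAMES = {
  0    => 'ERROR_SUCCESS',
  5    => 'ERROR_ACCESS_DENIED',
  1314 => 'ERROR_PRIVILEGE_NOT_HELD'
}.freeze

def win32_error_name(code)
  WIN32_ERROR_NAMES.fetch(code) { "unknown, look up #{code} in System Error Codes" }
end

# railgun is client.railgun in a live Meterpreter session. path must already
# exist on the target; a .bmp is the safe choice on every Windows version.
# The explicit NUL terminator is there because Railgun passes pvParam as a
# raw buffer. Returns true on success, raises with the decoded error otherwise.
def set_wallpaper(railgun, path)
  ret = railgun.user32.SystemParametersInfoA(
    SPI_SETDESKWALLPAPER, 0, path + "\x00", SPIF_UPDATEINIFILE | SPIF_SENDCHANGE
  )
  return true if ret['return']

  code = ret['GetLastError']
  raise "SystemParametersInfoA failed: #{code} (#{win32_error_name(code)})"
end

# Constructed stand-in for client.railgun so this file runs outside a session:
# it records the call and answers the way Railgun would, succeeding unless
# told to fail with a given GetLastError code.
class FakeRailgun
  attr_reader :calls

  def initialize(last_error = 0)
    @calls = []
    @last_error = last_error
  end

  def user32
    self
  end

  def SystemParametersInfoA(action, param, pv, flags)
    @calls << [action, param, pv, flags]
    { 'return' => @last_error.zero?, 'GetLastError' => @last_error }
  end
end

if __FILE__ == $PROGRAM_NAME
  rg = FakeRailgun.new
  set_wallpaper(rg, 'C:\Windows\Temp\calling_card.bmp')
  p rg.calls.last
end
```

In a session, replace `FakeRailgun.new` with `client.railgun` (for example from `irb` inside Meterpreter) and point `path` at a file you have already uploaded; a `5` back from `GetLastError` means the token you hold cannot touch that user’s desktop settings, which loops back to the admin-or-not question at the top of the page.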
I was recently approached by savant, who told me that a bunch of my Twitpics had geolocation data in them. Larry Pesce from PaulDotCom has been doing research in this field for a while, and each time he brought it up I casually checked a couple of my Twitpics and came up empty-handed. This time he gave me exact references, so I went to Twitpic to check them out for myself.
*WARNING* If you use fgdump like I did, it extracts pwdump to %TEMP% at run time, and that is detected by AV. First of all, I was floored when this worked. Really, AV? It’s that easy? Really? So here is the breakdown: go get “Resource Hacker“… You’re almost done. Only 3 steps left (1 of which is optional). I started with fgdump, a well-known hash-dumping/pwdump tool. It’s detected by 80% of all AVs and by all of the top 10.