Latest Change 29/10/2016:
+ NO-IP_privilege_scalation.rb – ‘Unquoted Service Path Privilege Escalation’ (the No-IP DUC service is started from an unquoted path containing spaces, so a binary planted earlier on that path runs with the service's privileges).
+ PDF_complete_corporate_edition.rb – ‘Unquoted Service Path Privilege Escalation’ (same class of flaw in the PDF Complete Corporate Edition service).
+ deploy_service_payload.rb – uploads your payload.exe to the target system (DEPLOY_PATH) and creates a service pointing to it (SERVICE_NAME).
+ persist_priv_Wsearch.rb – post-exploitation module that requires a meterpreter session; it uploads/injects our payload.exe into the WSearch (Windows Search) service for persistence.
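The two privilege-escalation modules above depend on a service's ImagePath being unquoted while containing spaces: Windows then tries each space-delimited prefix with “.exe” appended before reaching the real binary, so whoever can write to an earlier directory on that path gets code execution as the service account. The following Ruby checker is an added example for this page, not code from the msf-auxiliarys project; the service names and ImagePath values are constructed sample data (the No-IP path is hypothetical) and the only thing it does is classify each value and list the files an attacker would need to plant, earliest tried first.

```ruby
# Added example (not part of msf-auxiliarys): classify Windows service
# ImagePath values for the "Unquoted Service Path" condition and list the
# hijack candidates CreateProcess would try before the real executable.

# Constructed sample values, in the form they appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
  'DUCService' => 'C:\Program Files\No-IP\DUC\DUC30.exe',            # hypothetical, unquoted
  'pdfcmpl'    => '"C:\Program Files\PDF Complete\pdfsvc.exe" /svc',  # quoted: not affected
  'WSearch'    => '%SystemRoot%\system32\SearchIndexer.exe /Embedding', # no spaces in path
  'AcmeAgent'  => 'C:\Acme Corp\agent host\agent.exe -run',            # unquoted, two gaps
}

# Executable portion of an ImagePath with the arguments stripped.
# Quoted values: the quoted string. Unquoted values: everything up to the
# first ".exe" token, which is what the service control manager ends up running.
def service_exe_path(image_path)
  value = image_path.strip
  if value.start_with?('"')
    closing = value.index('"', 1)
    return closing ? value[1...closing] : nil
  end
  m = value.match(/\A(.+?\.exe)(\s|\z)/i)
  m ? m[1] : value.split(' ').first
end

# For every space inside an unquoted executable path, CreateProcess first
# tries the prefix before that space with ".exe" appended.
def hijack_candidates(exe_path)
  candidates = []
  exe_path.each_char.with_index do |c, i|
    candidates << exe_path[0...i] + '.exe' if c == ' '
  end
  candidates
end

# nil when the service is not affected; otherwise the ordered candidate list.
def unquoted_service_path(image_path)
  value = image_path.strip
  return nil if value.start_with?('"')
  exe = service_exe_path(value)
  return nil if exe.nil? || !exe.include?(' ')
  hijack_candidates(exe)
end

# name => candidates, for affected services only.
def audit(services)
  services.each_with_object({}) do |(name, path), out|
    c = unquoted_service_path(path)
    out[name] = c if c
  end
end

if __FILE__ == $0
  audit(SAMPLE_SERVICES).each do |name, cands|
    puts "[!] #{name}: unquoted service path"
    cands.each do |c|
      dir = c.rpartition('\\').first
      # Exploitable only if the service runs with higher privileges than you
      # and you can create files in this directory (verify on the host with
      # icacls, this script does not check ACLs).
      puts "    plant: #{c}   (needs write access to #{dir})"
    end
  end
end
```

Finding a gap is not yet an escalation: the service must run as a more privileged account (typically LocalSystem) and at least one listed directory must be writable by the current user; on a default install the root of the system drive does not grant ordinary users file creation, so the interesting candidates are usually the ones inside vendor directories with lax ACLs.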
:[ Auxiliary Module History ]:
As a long-time Metasploit Framework user I realized that the current module database has nothing that covers your tracks efficiently (in a forensic breach investigation) after a successful exploitation. Looking at the database we only find two meterpreter commands that help with that task: ‘clearev’, which clears the Application, System and Security logs (Event Viewer) on a Windows system, and ‘timestomp’, which manipulates the MACE (Modified, Accessed, Created, Entry-modified) timestamps of a file on a Windows system…
CleanTracks.rb is an auxiliary written to work post-exploitation (after the target gets exploited and a meterpreter session pops up). It needs that open meterpreter session and relies on policy registry keys and cmd commands (executed remotely by the auxiliary) to cover the footprints left on the target system. More than one option can be set to run in the same pass.
stage1: prevents the creation of data on the target system by adding policy keys to the target registry; this option should be run right after a successful exploitation.
stage2: clears the temp/prefetch folders, flushes the DNS cache and clears the event logs; this option should be run before leaving the current session. stage2 can also be used without running stage1, but it is less effective than running both stages. Keep in mind that clearing the logs is itself recorded (the Security log gets a 1102 ‘log cleared’ event) and that copies already forwarded to a collector or SIEM are not touched.
getsys: uses Metasploit's getpriv functionality to elevate the current session to NT AUTHORITY\SYSTEM; it is advised to run it before any of the stages described above (stage1 and stage2).
logoff: logs off the target machine (optional; makes the cleanup more effective).
git clone git://git.code.sf.net/p/msf-auxiliarys/msf-auxiliarys msf-auxiliarys-msf-auxiliarys
Ubuntu Path example:
sudo cp PDF_complete_corporate_edition.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/pdf/PDF_complete_corporate_edition.rb
sudo cp NO-IP_privilege_scalation.rb /opt/metasploit-framework/embedded/framework/modules/post/windows/NO-IP_privilege_scalation.rb
Debian/Kali Path Example:
-- my-auxiliary.rb - install path (kali linux)
-- Cleantracks.rb - install path (kali linux)
On any install the modules can also be dropped under ~/.msf4/modules/ (for example ~/.msf4/modules/post/windows/), which msfconsole loads without touching the framework tree.
-- msf > reload_all
-- msf > use post/windows/NO-IP_privilege_scalation
-- msf post(my-auxiliary) > info
-- msf post(my-auxiliary) > show options
-- msf post(my-auxiliary) > set <option(s)>
-- msf post(my-auxiliary) > exploit