Shell is only the Beginning

There is nothing that I hate more tan somebody breaking a beautiful Shell after hours of work and getting it to run on a target by running the wrong command or wrong option. Shell is not Terminal and this applies to both Windows and *nix hosts, so many commands that clear the screen, uses especial formatting or check for terminal id will break the shell and running the exploit again to gain shell again might kill the host or service causing you not to get it again or bringing down a target server of the client which is bad.  Let’s start by following a golden rule any command that start with ctrl and something like ctrl-c, ctrl-d or any other combination is a big no, no. So we have to be conscious when working in shell and when we put our finger in ctrl STOP!! And  remove our fingers from the key slowly!! I know I’m ranting but some recent situations reminded me that many people starting security do not know about this and many sources out there do not cover this basic skill. I love shell, even do I like Meterpreter there is something about a shell prompt that just bring butterflies to my stomach. One way to practice working in shell specially in windows is to use the wonderful tool of Netcat, we can make a netcat listener by running nc –l –p 4444 in a command prompt in windows o different terminal windows in a *nix system and in another run nc 127.0.0.1 4444 and now we have a shell where we can practice, in fact if you are going to experiment with a command during an engagement have this running in the background and test the commands locally on your machine so as not to risk breaking your hard earned shell on the target box.

Commands to avoid in Windows Shell are:

•          Certain switches in SC (Service Controller)
  
•          Wmic (in Meterpreter and using schdtasks are workarounds)
  
•          Powershell
  
•          Edit
  
•          ftp (There are ways to work around the limitation)
  
•          runas
  
•          more
  
•          telnet

Commands to avoid in Linux Shell are:

• Emacs
  
•  Vi
  
•  Top
  
•  More
  
•  Less (it will show the whole file, it will not paginate)
  
•  Su 
  
•  Sudo
  
•  Passwd
  
•  ssh
  
•  telnet
  
•  ftp
  

It has been confirmed by Muts that Backtrack4 will be a full distro and based on Ubuntu and the beta for the distribution will be out soon.
http://backtrack4.blogspot.com/

This will make the life of many penetration testers and consultants much easier, specially for keeping their machines up to date, specially since for many attacks and techniques one has to "Hack Naked" with out a firewall. I'm really looking forward to the beta so I can start updating my scripts for the new distribution.

Well guys 2 more of my scripts passed mustered and where committed to the Metasploit SVN, this scripts are:

• gettelnet- This script will enable telnet service on the target machine if it is running Windows 2003 or higher, in the case of Windows Vista and Windows 2008 that do not have the service installed by default the script will install the service and configure it to start automatically, in addition a username and password can be provided so that a local account with administrative privelages can be created and placed in the apropiate groups.
• remotewinenun - This script will run wmic command enumerating diferent settings from a target computer using the credential of the process under withc meterpreter is running under, a username and password can also be provided.
  

Today the Metasploit post-exploitation script I wrote where approved and commited in to Metasploit 3 for enumeration and attack from the compromised machine using Windows native tools for both enumeration and attack. The scripts are:

• Winenum - general windows enumeration script for gathering all kinds of information from windows host adapting the commands and informatio gathered to the version of windows where is ran at.
  
• Netenum - network enumeration script for performing basic network enumeration of the target enviroment. It will perform ping sweeps, hostname bruteforce, reverse lokkups on ranges and general DNS record enumeration.
• Winbf - it will perform loging brute force attacks against winown logins using dictionaries against a single login or a list of usernames. It will also enumerate the current windows account lockout and lenght policy so the user will be able to better tailor the attack.
  
• Getgui - script for enabling RDP and for creating an account adding it to the appropiate groups to be able to get Remote Desktop on the target machine.
  

I hope they are as usefull as the original ones have been for me in client engagements where I was limited by the rules of engagement dictated by some of my clients. Glad to give back to such a good project.