Friday, November 02, 2012

Memory Forensics

First, start some processes on the Windows XP target so there is something to find in the memory image later.




After that I will exploit the Windows machine through the WarFTP software using Metasploit. Open msfconsole
and search for warftp.
Here I use the warftpd_165_user exploit module, then run show options to see which options we need to fill in...



Then set RPORT and PAYLOAD.
Here I use the meterpreter bind_tcp payload (windows/meterpreter/bind_tcp). With a bind payload the exploited process on the target opens a listening port (LPORT, 4444 by default) and the attacker connects in to it, which is worth remembering when we look at the connections in the memory image later.


Then choose the target and run exploit.



After we get the meterpreter session, type ps to list the processes....



Now it's time to capture the memory on the Windows machine.
Here I use FTK Imager (AccessData Forensic Toolkit Imager) and its Capture Memory function.
Then capture the memory.



After we have captured the memory, copy the image into BackTrack in the folder /var/www/ptk/images/

Then run the Volatility tool or the PTK tool (menu Forensics --> RAM Forensics Tools --> ptk), whichever you prefer.
Here I use Volatility. Then use the pslist plugin to list the processes.


So we can see all the processes that were running on Windows XP (such as firefox, cmd, warftp, mmplayer, vuplayer, taskmanager, etc.). Note that pslist walks the kernel's linked list of processes, so a process that has been unlinked from that list (or has already exited) will not appear; psscan, which scans memory for process structures instead, should be run alongside it.

Then, check the network connections with the connections plugin (on Windows XP it lists the active TCP connections; connscan additionally recovers connections that have already been closed).



Based on the picture above, we can see several connections, including a remote connection from IP 192.168.56.1 to local port 4444. Port 4444 is the default bind port of the meterpreter payload, and the PID column ties the socket to the exploited warftp process. So we can conclude that a computer with IP 192.168.56.1 was remotely controlling this machine through port 4444.
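The correlation done by eye above (process list plus connection list, joined on the PID column) can be scripted. The following is an added example, not part of the original post: it parses text in the layout of Volatility 2's pslist and connections output, joins the two on PID, and flags sockets that do not fit the process that owns them. The sample output, the process names, PIDs, offsets and IP addresses are constructed for the example (the target IP 192.168.56.101, the PID 1652 and the process name war-ftpd.exe are assumptions); only the attacker IP 192.168.56.1 and port 4444 come from the post.

```python
"""Join Volatility 2 pslist and connections output on PID and flag odd sockets.

Added example; the sample text below is constructed to look like the output of
  vol.py -f image.raw --profile=WinXPSP2x86 pslist
  vol.py -f image.raw --profile=WinXPSP2x86 connections
(profile name assumed). Offsets, PIDs and the 192.168.56.101 target IP are made up.
"""
import re
from dataclasses import dataclass

PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      263 ------      0
0x82310da0 explorer.exe           1200   1172     14      420      0      0 2012-11-02 10:02:11 UTC+0000
0x81e6d020 war-ftpd.exe           1652   1200      5      112      0      0 2012-11-02 10:14:03 UTC+0000
0x81f10c08 firefox.exe            1844   1200     21      510      0      0 2012-11-02 10:15:40 UTC+0000
0x81d9a7e0 cmd.exe                1960   1200      1       30      0      0 2012-11-02 10:16:02 UTC+0000
"""

CONNECTIONS_SAMPLE = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81f3ce68 192.168.56.101:4444       192.168.56.1:50412        1652
0x81f2a3d0 192.168.56.101:1078       93.184.216.34:443         1844
"""


@dataclass
class Process:
    name: str
    pid: int
    ppid: int


@dataclass
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int


# Data rows start with the virtual offset; header and separator lines do not match.
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)")


def parse_pslist(text):
    """Return {pid: Process} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            pid = int(m.group(2))
            procs[pid] = Process(m.group(1), pid, int(m.group(3)))
    return procs


def parse_connections(text):
    """Return a list of Connection from connections output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Connection(m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)), int(m.group(5))))
    return conns


# Assumption for this example: the FTP server should only ever own the FTP control port.
EXPECTED_PORTS = {"war-ftpd.exe": {21}}
# Metasploit's default LPORT for bind_tcp / reverse_tcp payloads.
METASPLOIT_DEFAULT_PORTS = {4444}


def find_suspicious(pslist_text, conn_text,
                    expected_ports=EXPECTED_PORTS,
                    attacker_ports=METASPLOIT_DEFAULT_PORTS):
    """Join sockets to processes on PID and return the ones with a reason to look closer."""
    procs = parse_pslist(pslist_text)
    findings = []
    for c in parse_connections(conn_text):
        proc = procs.get(c.pid)
        name = proc.name if proc else "<not in pslist>"
        reasons = []
        if proc is None:
            reasons.append("socket owned by a PID missing from pslist; run psscan for hidden or exited processes")
        if name in expected_ports and c.local_port not in expected_ports[name]:
            reasons.append(f"local port {c.local_port} is not an expected port for {name}")
        if c.local_port in attacker_ports:
            # Inbound to a Metasploit default port: the bind_tcp pattern used in this post.
            reasons.append(f"inbound connection from {c.remote_ip} to default bind port {c.local_port}")
        if c.remote_port in attacker_ports:
            # Outbound to a Metasploit default port: what a reverse_tcp payload would look like instead.
            reasons.append(f"outbound connection to {c.remote_ip}:{c.remote_port} (reverse-style payload)")
        if reasons:
            findings.append({"pid": c.pid, "process": name,
                             "local": f"{c.local_ip}:{c.local_port}",
                             "remote_ip": c.remote_ip, "remote_port": c.remote_port,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(PSLIST_SAMPLE, CONNECTIONS_SAMPLE):
        print(f"PID {f['pid']} ({f['process']}) {f['local']} <- {f['remote_ip']}:{f['remote_port']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against real plugin output by reading the two files instead of the embedded samples. The firefox socket to a remote port 443 is left alone; the war-ftpd socket is reported twice over, once because port 4444 is not a port the FTP server should own and once because the connection is inbound to Metasploit's default bind port, which is exactly the bind_tcp session from earlier in the post.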





