Metasploit Shellcode Injection Module is a Metasploit module which as its name suggests, injects shellcode into the target Windows system on which we already have access. In our previous article, we have learnt what is shellcode and how it is created. Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing.
Let’ s see how this module works. Get a meterpreter session on a Windows system. After getting a meterpreter session, Background the current session and load the post windows shellcode inject module as shown below.
We will use Donut tool to create a shellcode of the mimikatz program. Mimikatz is a tool that is used to experiment with Windows security. Its known to extract plaintext passwords and kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
Set the SESSION ID and other options given below.
Set the interactive option to TRUE otherwise you will not directly be taken to the mimikatz shell. Also set the correct target architecture.
After all the options are set, execute the module and you should directly interact with mimikatz.
That’s all about the Metasploit Shellcode Injection Module,
Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE, DLL files and DOTNET assemblies. Although there are many tools that can do this, Donut does this with position independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode assembly can either be staged from a HTTP server or embedded directly in the file itself. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.
The features supported by the Donut generator are
Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
Using entropy for generation of strings 128-bit symmetric encryption of files.
Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
Patching command line for EXE files.
Patching exit-related API to avoid termination of host process.
What exactly is shellcode? Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from Github as shown below. This will create a new directory named “Donut”
Navigating into the Donut directory, let’s create the shellcode of mimikatz.exe as shown.
Mimikatz.exe is a simple tool that is used to play with windows security. If you take this executable of Mimikatz into a Windows system, any antivirus or Windows Defender will detect this as malware. Just try it on your machine first before turning it into shellcode. It is found in Kali Linux. Here we copied it into the Donut folder. When we run above command, shellcode is created as a file named “loader.bin” in the same directory of Donut.
By default, Donut creates shellcode for x86 (32bit) and amd64 (64bit). To create only a x86 shellcode, the command is as shown below.
The “-b” option is used to set the shellcode’s behavior when faced with AMSI/WLDP. Anti Malware Scan Interface and Windows Lock Down Policy are security features. These both features help in defending against malware.
By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2” as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1 ” will do nothing. Entropy in general terms means the degree of randomness. It is used in malware to make detection of its code harder by Anti malware. This is called obfuscation. The more the entropy the least chances of detection of malware. Donut by default sets random names and al- so encrypts the shellcode to obfuscate the code from anti malware. It can be changed using the “-e” option. Setting it to “2” just sets random names to the payload and setting it to “1” does nothing.
Not just binaries, we can create different output formats with Donut although by default it creates a binary payload. The “-f” option is used to set different output formats. For example, set -ting “-f” option to “2” gives a base64 format. 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates Powershell, 7 creates C# and 8 creates Hexadecimal shellcodes respectively.
The “-z” option is used to setting packing and compressing engines. Donut doesn’t use any compression by default. However it supports four compression engines. 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPlib compressor works in Linux. Rest of them work in windows. Compression reduces the size of the payload whereas packing is used to avoid detection by anti malware.
We have seen that by default, Donut saves the payloads it creates in the same directory. The location as to where the payload is saved can be changed with the “-o” option.
That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real world ethical hacking.
In our previous article, we have seen how to exploit the rexec and remotelogin services running on ports 512 and 513 of our target Metasploitable 2 system. In this article, we will be hacking proftpd on port 2121 and the service running on port 1524 which are next in the Nmap scan report as shown below. On running a verbose scan, we can see that the service running on port 1524 is Metasploitable Root shell.
What is this Root shell? In our Metasploitable Tutorials, we have seen a number of ways to gain a shell or meterpreter session on the target system. But those shells were obtained by hacking some software present on the system. This shell is deliberately left on the system. But why would someone leave a shell deliberately on a system? In cyber security, there is a concept called trapdoors or backdoors. As soon as hackers gain access to a system by hacking something on it, they plant an easy and quick method to once again come back into the system. This is known as trapdoor or backdoor.
The shell on port 1524 is a shell like that. Usually to prevent other hackers from gaining access to the system through their backdoor they use protection like passwords etc. Here it seems the hacker forgot to secure it. Normally backdoors like these are enabled on some common ports which evoke less suspicion from cyber security personnel. But how do we gain access to this shell? Although there are a number of ways to do this, the easiest way is telnet. Open telnet and telnet to the port 1524 as shown below. As you can see highlighted below, we got a shell with Root access without doing much.
Try out some linux commands to verify we got a shell with some interaction.
As you can see in the above image, we have shell with ROOT privileges. We can even change the target system’s password now. Now let’s move on to hacking ProFTPd. Verbose scan has reported that a FTP server named ProFTPd server version 1.3.1 is running on port 2121. I googled for any vulnerabilities present in the particular version but got none. If you remember, we already hacked one FTP server running on port 21. I used banner grabbing method of telnet (we showed you in detail about this method in of our Hackercool magazine) to see if the service will reveal any more information about itself. It gave nothing except the usual one.
The usual banner grabbing was not working. But maybe we don’t require a banner.We already have it. So this time, I just tried to connect to the service using telnet (although you can also use FTP for this). When “Escape character is ‘^]’ ” message is displayed, I type command “help”. As expected, it gives me all the commands that can be used. So it seems we already have access to the target server.
To confirm this, I tried one command. It prompted me for username and password. But thanks to an excellent phase of enumeration we performed, we already have the username and password. I decided to try the username/password msfadmin/msfadmin. Voila, it worked and we have access to the system now. Typing PWD command gives me the confirmation that I am inside the system. That’s all with hacking ProFTPd.
Hello aspiring hackers. Today we will learn about Linux Configuration Enumeration POST Exploit. After getting a successful meterpreter session on the target Linux system (as shown here or here), the next logical step is to perform some enumeration on the target Linux machine. Metasploit has many POST exploits corresponding to Linux enumeration.
The first module we will see is Linux configuration enumeration. The enum_configs module is used to collect information from the configuration files found of applications commonly installed in the system. These applications may include Apache, Nginx, Snort, MySQL, Samba, Sendmail, sysctl, cups, lampp and SNMP etc. This POST module searches for a config file in the application’s default path and if the application exists on the target system, the module will download the files and store it.
If the application doesn’t exist or the config file is moved from its default location, this module will display the “file not found” message. (Just like any POST exploit or as shown in the shell_to_meterpreter exploit, we need to background the current session and load the POST module as shown above. Then set the session id and run the exploit). Here is the enum configs module in action as shown below.
Hello aspiring hackers. In this howto we will learn about WordPress Mobile Detector Plugin upload and execute module .WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is very popular not only for the ease with which a website can be set up using it, but also how simply multiple plugins and themes can be added in it to give extended functionality without much hassle. But these plugins can pose a high security risk if not properly coded.
One such plugin is WordPress Mobile Detector. This plugin is used to display content on WordPress sites in a format suitable for phones and tablet devices. This plugin is used mostly by business users. Version 3.5 of this plugin is affected with file upload vulnerability. A hacker can upload malicious arbitrary files and execute them.
Let us see how this module works. Load the module and check the options it requires as shown below.
The options this module requires are the remote host address (target address), the targeturi and the local host address (IP address of Kali Linux). The only thing that can go wrong in setting options is that of targeturi, the location where WordPress is installed. If you set it wrong, this module may not work. Check if the target is indeed running the vulnerable version of the plugin using the “check” command.
Execute the module using the “run” command. If everything went well, you should get a meterpreter shell on the target machine as shown below. You can see in the image below as to how this exploit works. This vulnerability is an arbitrary file upload vulnerability which allows hackers to upload any file into the target web server So this module first creates a malicious file, hosts it on a web server and uploads it into the target web server using this vulnerability.
We will be back with a new exploit next time. Until then, Goodbye.
In the previous howto, we have seen how to research about a vulnerability in the FTP service running on our target system and exploit it to gain a shell on that system. In this howto, we will see hacking the SSH service running on port 22. It can be seen that the target is running OPenSSH 4.7p1 SSH server.
I googled about the above mentioned version to find out if it had any vulnerabilities and exploits for those vulnerabilities. After an arduous search, I found one exploit but that seemed to be not working (Its not always a positive result in hacking).
Remember that we already gained a shell on the SSH server in one of our previous howtos. We did this using the credentials we obtained during enumeration of the target system. (This is why enumeration is so important). We used this credentials in a Metasploit SSH login module to get a shell on our target system.
This time we will see another way of gaining access to the SSH server using the same module. This SSH login module can also be used to brute force the credentials of the SSH server. Let’s see how it works. Load the module and check the required options.
In order to brute force the credentials, we need to specify a dictionary for cracking username- s and passwords in the similar fashion we set while using Hydra. We will use the same dictionary we have used while performing password cracking with Hydra.
I have set the same file for both username and passwords. To conserve time I have set the option “stop_on_success” to True. This option will stop the brute forcing if it finds even one login credential. I have set the “verbose” option also to TRUE. This module is normally used to brute force multiple SSH servers at once. That’s the reason it has “RHOSTS” option instead of “RHOST” option. Any how we can still set a single IP as target. All the options are shown as below.
After all the options are set, execute the exploit using the command “run”.
Once the password is cracked successfully, the module displays the credentials and automatically gives us a shell on the target system as shown in the above image. The available sessions can be viewed as shown below.
We can also login into the SSH server using the credentials we obtained prior as shown below.
Hello aspiring hackers. The exploit we will see today is a POST exploitation Metasploit exploit that performs Powershell enumeration in Windows. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command line shell and associated scripting language built on the .NET Framework and .NET Core.
PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Its same as a command line shell but powershell is more powerful than CMD. It is a very helpful tool for network asministrators. If used properly, it can also be used by hackers to the full potential.
But we need to know about the Powershell settings installed on the target system for this. This powershell enumeration module exactly does that for us. Let us see how this module works. Just like any Metasploit POST module, we need to have a valid meterpreter session to run this module. Background the current meterpreter session and load the powershell environment enumeration module as shown below. Type command “info” to view the information about this module as shown below.
Type command “show options” to view the options to be configured. Set the session ID of the meterpreter session we just sent to background and execute the module using command “run”.
As you can see in the image above, our module successfully completed powershell enumeration of the target machine. Powershell version 2.0 is installed on our target system an there are no powershell snap-ins are installed. It seems none of the users have powershell profiles.
Hello aspiring hackers. The module we will learn about today is the Git Submodule Command Execution Exploit. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).
It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.
Git submodules allow users to attach an external repository inside another repository at a specific path. This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.
This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.
First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.
Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.
As this happens in our victim system, we will already get a command shell on our attacker system as shown below.
We can see the active sessions using the command “sessions”.
In the previous howto, we saw how information about the services running in the target system can help us in researching about them and finding vulnerabilities in those software. For example, imagine I am a black hat who performed a Nmap scan on the target (in this case, Metasploitable). The target has displayed so many banners of the services running.
Let us see if we can try out the FTP service at port 21 to get access to the system. Since I am a black hat, assume I have not performed any automated vulnerability scan. Following the process shown in the last howto, I google about vsftpd 2.3.4.
I got a lot of information about the FTP service at port 21. Vsftpd stands for very secure FTP daemon and the present version installed on Metasploitable 2 (1.e 2.3.4) has a backdoor installed inside it. It seems somebody uploaded a backdoor installed Vsftpd daemon to the site. This malicious version of vsftpd was available on the master site between June 30th 2011 and July 1st 2011. So our target might be using the malicious version. While searching for exploit on exploit database, I found a Metasploit exploit for this vulnerability. So I start Metasploit and search for the exploit. I found it after some time.
I loaded the module and checked its options using “show options” command.
The only option required is the IP address of our target to be specified in the RHOST option. I set the RHOST option and execute the exploit using the “run” command.
I successfully got a shell on the target system as shown in the image above. I try out some basic Linux commands. As this shell has root privileges (shown in the above image), I decided to have a look at the passwd file of the target. Here it is.
Since we have shell access, we can perform all tasks which we perform from the terminal of a Linux system. We can even shutdown the remote system but keep in mind that you will lose your access to the system.
Recently, we saw the Windows Fodhelper Privilege escalation exploit. Today we will learn about another Windows privilege escalation exploit that works on machines from Windows 7 to Windows 10. This exploit bypasses the User Account Control of the Windows and gives us system privileges. Its called Windows BypassUAC COMhijack exploit. How does it do this? Let us see.
COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows Runtime.
This module will bypass Windows UAC by creating COM handler registry entries in the Hive Key Current User hive. These created registry entries are referenced when certain high integrity processes are loaded which eventually results in the process of loading user controlled DLLs (as you already know DLLs are Dynamic Link Libraries).
These DLLs the exploit loads contain the payloads that result in elevated sessions. After the payload is invocated, registry key modifications this module makes are cleaned up. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.
Now let us see how this exploit works. As for every privilege escalation exploit, we need to already have a meterpreter session like the one we have here, here and here. Background the current meterpreter session and remember the session id. Search for the bypassuac_comhijack module as shown below.
Load the bypassuac_comhijack module as shown below and check its options by using the “show options” command as shown below.
Set the session id as shown below and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.
Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.