PowerShell Exploit Using SEToolkit

July 10, 2015 | Views: 6912

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

PowerShell Exploit Using SEToolkit

In this tutorial, I’m going to show you how you can compromise any Windows computer that has PowerShell installed on it.

The scope of this tutorial is to:

  1. Show you how to open a Meterpreter session on a victim’s computer.
  2. Help you understand what’s happening with the code, so that you can bump your knowledge level up and hopefully get yourself out of Script Kiddie status.
  3. Help you understand how to protect/defend your systems against this type of attack.

What the scope of this tutorial is NOT:

  1. Teach you how to install Kali Linux
  2. Teach you how to set up a virtual lab for practice (though I may add a tutorial on this at some point.)
  3. Show you how to social engineer someone’s password
  4. How to do post-exploitation hacking or how to use Metasploit

 

DISCLAIMER: The point of this tutorial is to be informational, and helpful to improve your skills. Do not use this on a machine that you don’t have permission to hack. I’m not responsible for anything you do with this information, including using information to harm people, their property or their data. Use this information wisely.

Okay, sorry about the whole “You’re responsible for everything, I’m not responsible for nothing” speech. I mean to make these tutorials fun to read and enjoyable. Hopefully, You don’t feel like banging your head because you already understand this concept.

If enough requests come in about wanting another specific tutorial, then I’ll make time to do one.

Enough of the boring stuff, on to hacking!

 

Section 1

Prerequisites:

1. Kali Linux – an incredibly powerful/popular Linux distribution meant for penetration testing.

2. SEToolkit – Social Engineering Toolkit, a framework that makes it incredibly easy to set up social engineering attacks. I highly recommend becoming very familiar with this.

3. Metasploit and Nmap installed – These come with Kali, but if you need to install them, go to their websites and get cracking.

4. Your victim’s username/password. There are a million tutorials on how to do this. Yet, none of them incredibly proficient, mainly because there isn’t any one way to do this. I’m going to be using a virtual machine (VM) in which I already know the username and password. Obtaining this is outside of the scope of this guide.

5. Your victims computer must be Windows Vista or higher. This is because we are going to be using PowerShell, and it comes installed on these machines.

 

Theory:

Okay, so I really believe in understanding the theory behind what we are trying to do. I started being interested in hacking and computer security from a young age, and I was always frustrated that anyone who made a guide, did it with so little explanation of what they were doing and why, that I decided if I ever made tutorials, I would be very thorough in explaining the theory, with that being said, what we are trying to accomplish is:

1. Though SEToolkit, we use our victim’s username and password to create a remote Meterpreter session on their machine. Meterpreter is special type of connection that gives us a lot of power over them. We can do things like:

  • Disable their mouse and keyboard
  • Run a remote key logger
  • See through their webcam (if it’s attached)
  • And much, much more!

2. Using PowerShell, we can run all of our commands in memory. What this means, is that we can evade Antivirus software. Antivirus software looks through any file that is written to the hard disk. If any program is run in memory, it can bypass Antivirus software. Please note, that this doesn’t guarantee that it will bypass it. Some Antivirus software is capable of detecting this. But they are usually very expensive and highly unlikely to be on the victim’s machine. We can further obfuscate our attack by ‘encrypting’ it in base64. (I say encrypting, but it’s not a true encryption, if you want to understand more, google it.)

 

Section 2

Boot into Kali and open a terminal, type in the command:

service postgresql start

service metasploit start

These aren’t truly necessary, but it’s a good habit to get into if you are going to be using Metasploit. Now, I’m going to be using a VM for my victim. The VM is a Windows Server 2012 R2, but it should be the same principle for most machines.

Right-click – “view image” for larger view

 

Go to the top menu and navigate to Kali Linux -> Exploitation Tools -> Social Engineering Toolkit -> SEToolkit

Now, type in 2 and then Enter, to go to the Fast-Track Penetration Testing platform. Then type in 6, then Enter.

You should have a prompt asking for the IP Address of the victim’s computer.

Press SHIFT + CTRL + T to open up another terminal and type ifconfig. You should see an output of all the interfaces your computer is using and the networks you’re currently connected to.

Since I’m using a VM, I’ve set up all my VM’s to be on the same network. They’re on the 192.168.56.0/24 network (the “/24” is a special notation for identifying the subnet mask. Basically the “/24” means that the only possible IP address this network can use is 192.168.56.1 – 192.168.56.254. For more information, you may need to Google “CIDR Notation Networking”. Hopefully that helps you out.)

Note: This information will most likely be different from yours. The important thing is that you’re connected to the same network as the victim.

Be sure to note what your IP Address is. You can find it by looking at the right interface in the “inet address:” section. My IP Address is 192.168.56.101.

Perform an Nmap scan of the network by typing:

nmap <<Your network here>> for me, I will type: nmap 192.168.56.0/24

From output, it said that the victim machine is at 192.168.56.103.

Switch back to the terminal with SEToolkit running, and type in the ip address.

Type in the victim’s username. NOTE: Spelling and spacing is important. You must spell it correctly. If there’s a space between the name (i.e. John Smith), then type that name EXACTLY as it is.

For me, the username is: Administrator.

You should see the prompt for the password. Type it in. If you have managed to find the hash, you can put that in here as well. (This is called passing-the-hash.)

You can type in the domain name, but I’ve never needed this. Press Enter to continue.

Press Enter again for the default Thread count (Threads are how many background processes you want to run. The more threads, the faster the job gets done, but the more CPU processing they take up.) Unless your computer is super slow, the default shouldn’t be a problem.

Okay, this is where you enter YOUR IP Address. If you don’t have it, type ifconfig to find it.

Press Enter for the default port. If you leave it 443, then it appears to be HTTPS traffic, which keeps the attack even more discrete. (Note: This does not make it impossible to track.)

 

Section 3

Success!

If you’ve followed the tutorial up to this point, you should see a meterpreter session opened up on your machine. You may have to wait for a few seconds, but it should come up. If not, then go back and make sure you input everything correctly into SEToolkit.

To interact with this session, type:

Sessions –i  1

Have fun!

 

Section 4

More Information

If you want to know more about all of these tools and techniques, I recommend that you spend some time reading this tutorial and googling anything you don’t know.

To learn more about meterpreter, Google: Meterpreter post exploitation tutorial

 

Summary

I may add another tutorial at some future point.

Please, please, please let me know what you are interested in. I’m still learning myself, and I’m still learning to write tutorials. Thank you for reading my work.

If you’d like to post my tutorial somewhere, I’m totally okay with it as long as you give me credit. Thanks!

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
4 Comments
  1. Exquisitely perfect, thanks man.

  2. nicely done. so which distro do you use to hack with. i did use kali but ive been loving Parrot security, just has everything.

  3. @Andranik sahakyan – It could be a lot of things. I would first check for any typo’s especially in the password and username. Also check if you are trying to access a local user account or a domain account. If all of that is correct, is the target operating system windows 10? I have never tested in on those and although theoretically it should still be vulnerable, I have never personally tested it.

    The reason why you aren’t getting anything is because the target machine isn’t connecting back to you. This could mean that the payload is never being executed but It’s more likely that this could be a networking issue. Is the target machine firewalled off from you?

    Check each of those things and good luck!

  4. The module executes for me and the last thing it says is:

    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    But the stage is never sent and the session does not open. Any ideas why?
    Thank you.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel