Metasploit (part 6) msfvenom

00:04

Okay, Now let's look at our last example for a menace plate basics on. We can move on to actually penetration, testing our targets.

00:13

We want you to tool called a message venom. We're going to build a standalone payload.

00:18

This example. So it was a rhythm is an encapsulation of two different medicine boy tools. If we go to the user, share medicinally dash framework again

00:29

and see or menace wait tools accusing miss if update

00:34

it was says Council must see alive for years I must have been on

00:38

and we also see MSF payload and ESA in code. So immersive payload builds a standalone payload so we can use the maddest white payload system to make various kinds of payloads like we make execute a bles. We can make Rochelle Co to drop into an exploit which will do an exploit development

00:56

and we can run it through a myself in code in code will, as the name implies, encode the payload

01:03

who it will

01:03

used various encoders. We saw one Chicago and I already on it will encode the payload, get riveting bad characters, and pra penned a decoder who can decode itself back into its original form once that thin memory that's being executed was a venom that we're going to use. This encapsulates those two tools

01:23

into one, so we could just use one tool.

01:26

If you do, just must've payload, and I must have been code before. You can continue to use them

01:32

if that's what you're familiar with. But I'm going to use him. It's often, um,

01:37

all right, so we can do it. Must've been, um, Dash H for health

01:46

and I will show us our help momentarily. Here we go. We're not going to use all of these here. We're going to see it. Must've been, um, a few times in this class. We will use it for making shell code and exploit development.

01:57

And we will use it

02:00

a few other times. That may be helpful in our contest. We may find some places we might want to upload something, for instance,

02:07

and we may also use it during avoiding anti virus. No, a few different times will come up from space and bad characters, for instance, will use those during exploit development. Need to set in a certain amount of space in memory. And there'll be bad characters we need to avoid. Based on what particle? We're talking to you. That was my very

02:29

we can set a specific encoder

02:31

like That's psychotic and I and coder we don't need that here was going to do a very simple example of making a malicious execute herbal

02:40

kind of run off the screen. Here at the top, we have dash p for the payload, considered a specific payload. We can also list out the halos with Dash L.

02:50

There's some other options as well. Like docile will show us the options Dodge X. We can actually put it inside of another executed bles. We put our payload inside of inexcusable. Use it along with this dash K option, which the payload in a separate thread. If the user runs this

03:07

execute herbal, it'll look like the original one. It'll still function normally, but it will have this

03:12

extra functionality of our payload.

03:15

So be useful for making a Trojan.

03:19

So when I see that later on,

03:21

all right, so let's do. For our example, I want to set the payload as Windows interpreter Reverse TC piece that is the default payload for our most of our windows exploits. So If you don't set a payload on Windows, exploit. This is probably what you'll get,

03:37

so we want Dash P Windows. Last interpreter sized Reverse Underscore. TCP Again. My interpreter is medicine Wade. Special payloads. It has additional functionality on top of just a regular command shell. We'll use it extensively in this class, but we haven't really seen it yet. He dashed over the options

03:57

Can. We haven't seen this one's. We're not sure what the options are going to be.

04:02

Give it a second to load.

04:04

There's going to have to ask on the sly.

04:10

All right, so usual suspects for verse payload L host and L Port. We need to tell it who to call back to.

04:18

Unlike MSF cli, we want to specify our options like this. So we would say L host equals on the I P address or Callie Yuzhin I p. Config.

04:30

To find out if you need to make sure your I P addresses are correct, they're not. Then

04:35

we will have some problems. L host equals I P address for Callie, and you can also change l court as well from the default for 44 for an available port will work.

04:46

Now we need the four match that's gonna be dash if we come back.

04:50

Appear

04:53

does f for format that says, you know Daz Daz helped ash formats.

04:59

You find out what our format available formats are so does Does help the formats.

05:10

Well, show us all the available for months.

05:15

We want to make it execute a bill. Here we have some other options as well. Like l steal Ellis p B b A power shell war on. We also can have it

05:27

put out Raul Shell code informs that work with the syntax of various programming languages. When we do exploit development will be working with python who use this python format for our shell code. But for now, we just want the XY So dash f for format

05:43

and e x e. We don't need to set any bad characters. This best find the space you're specifying encoder? Here we

05:48

basically just want to make it execute a ble that when the user runs, it just runs this window's interpreter. Reverse TCP payload. So there won't be in a graphical user interface. It will just send the shell back to us with the reverse connection that will be my interpreter.

06:02

All right, so let's put it into a file. All this call it an interpreter. You see, we do need to put it in a file. If we don't just write it to the screen, which is useful for shell code, but not very useful for executed bols.

06:16

It will generate this payload and put it in the trip. Richard Doty etc.

06:25

We'll take just a minute to finish.

06:30

And that complains that we didn't set a platform, but it grabs windows from the payloads and went with the architecture describes x 86 it doesn't have any occurs, but doesn't even include us. It doesn't matter.

06:42

Who do you want to do is copy this file

06:46

to bar the reader VW. That is the default location where the Apache Web server serves pages from

06:54

that is copies that file there. Would you need to make sure the Apache web server started? It does not start up by the fault. When you turn on Kelly who do service. Ah, Patty to and then start already running here may not be.

07:11

What if I come over to X pee wee? In this case, we're just going to

07:16

download the file. We're going to play the user,

07:21

so we will only do social engineering. Look at other ways of getting a user to run something on our behalf.

07:31

Let's not run it just yet.

07:33

We actually need to do something on the Cali side first. So far, we've run our exploits. Other enemies of console or a miss that cli. Actually, the first thing it does after we type exploit or biggie in the case of Emma's FC Ally is it sets up a payload handler based on one of our payload we chose. So we've tried to bind

07:53

Shell in a river shell, so it sets up different handlers

07:56

based on

07:58

what payload we choose.

08:00

But here, with him as a venom, we're not going to have a payloads handler set up automatically. So if we just go ahead and run that on the X P system, it'll run just fine. It's just there's nothing to catch it over here on the Cali side. There's no port listening for, um, interpreter connection.

08:16

We can't just using that carrot like we did during our Lennox section,

08:20

because that cat's not going to know how to finish the stage payload as well as its not going to know howto speaking interpreter.

08:28

So we are actually going to have to use medicine. Boyd, slow start up in most of console. We're going to use a special model called multi slash handler that is specifically designed to deal with this particular problem of catching incoming payloads.

08:45

Not

08:46

I need a handler that were launched outside of the framework. So in this case, who used it? Must've been, um, to create a standalone excusable on. We just need a handler to deal with its payload.

08:58

So multi handler will be ideal for that.

09:01

So, as usual, immersive council takes a little while to start. If you add more memory here being it will be faster. If we have that resource available encouraged, you just take advantage of it.

09:13

You won't have to sit here like me. There we go. So different. Ask you at this time.

09:18

We do it in Vaux on multi slash handler. It's full name is exploits large multi use flash handler,

09:26

but we can drop off the first part as usual.

09:28

So this model is a stub that provides all the features of the Medicis boy payload System Tau exploits that have been launched outside of the framework. Exactly what we need Some way to

09:41

handle our payload.

09:43

So let's use multi slosh handler.

09:50

Now we're in the context of

09:52

that handler. So if we show our options, basically it says nothing. So what we need to do is actually tell it what payload we want to handle. The handler will be different based on what payload we want.

10:03

In our case, we want Windows

10:05

Interpreter

10:07

Perverse underscore. TCP. So we wanted to come out exactly the same as what we set in in this film.

10:15

Who now, would you show options?

10:18

We see our options for Ritter. Pretty reverse TCP you get when you to set our options and again in

10:26

Ms of Consul was they set option to set, and then what? We want to save it. To show no option equals like we do in Imus of See Ally, or it was a venom.

10:37

Please shut the ice. The address of Callie here and you can run. I've configured right inside of a missive council. We don't have to exit out. We can exact commands right inside of MSF console.

10:50

Weaken. Sit. L host

10:54

Callie.

10:56

And we did set L port to 1234 Always the one I used for some reason for my examples,

11:05

we do need to set it to the same port here. Otherwise, our handler will be listening on their own port when his expert you will call back to port for four or it'll call back to a 1234 and we would be listening by default on 4444 But we wouldn't actually catch the incoming interpreter session who do need to set it

11:24

the same way that we can say exploit.

11:26

We don't automatically get a session here like we did with our exploits, where this time we're not dependent on any exploited all. It's just a payload. So we're instead expecting the user to run it for us, so we don't need any particular vulnerability.

11:41

We'll get into client sides and social engineering. We'll see a lot more of this that in some cases, even if the system is fully pat,

11:48

we just asked the user, Hey, can you exploit yourself for me? And unfortunately, more often than not, that will actually work

11:56

without too much trouble. So we'll see more of that a bit later on this kind of play the user in this case

12:03

and just come over here and click. Ron,

12:07

it's not signed. Who could, of course, sign it.

12:09

But let's be realistic. When Isis ever stopped anybody from running anything, we didn't click, run, and again, there's no gooey over here. It doesn't actually do anything.

12:20

Besides, we're on the payload. We could use that Dash X and does Kay Option and MSF venom, which we will do later on to make a Trojan. So it does actually do something on the window side. We did get him interpreter session here. If we come back to Mrs Consul on Callie

12:37

so we can say help get our basic commands. We are systems defecate. Do get you idea. Actually, we're not system. I lied with our

12:48

s 08067 We were system. It's We exploited the S and B server. Who are we instead? We are the user. Georgia. I'm currently logged in as the user. Georgia over here is that makes sense. Store just started this process. It's not system at all. Were, in fact, a user. We are on administrative user so we may have ways. We could perhaps

13:09

easily become system.

13:11

She, like our has dump options so we could try that. You get some password. Hash is that was easy

13:18

and

13:20

have things like Do Kilo gaining or take a picture, a screenshot

13:26

and drop into a shell. Encourage you to spend some time with mature Peter. We will use various interpreter commands. We just basically have the basics here. There are some other

13:39

interpreter commands we can use. We can load additional extension form interpreter. We can run post modules on it. We can run the interpreter scripts. We'll do all of that when we get into post exploitation, but I encourage you to spend some time in interpreter. Now, if you want to

13:54

before you go on to the next videos, it's it's pretty cool just to play with.

13:58

I encourage you to deviate from what I do. I'm just going to show a few examples of various things as we go through the course, so there'll be lots more you can do on your own, and I encourage you to do so

14:11

to get the most out of this class so that I thought were going to do for our basics of using medicine bullet

14:18

and we will come back to miss Split over and over throughout the class. So I just wanted to get the basics down and you come back to these videos so we don't have to keep going over the basics every time. We will use it pretty much in every module and the entire class.