Part 2 - Embedding Meterpreter in exe

Video Activity

This lesson covers embedding meterpreter in an exe. Participants receive step-by-step instructions on how to embed a meterpreter payload into a binary file from the victim's system. This is done by downloading notepad.exe and using a series of commands to generate a payload that allows exploitation outside the framework.


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
00:03

This next section, what I'm going to do is show how to embed a meterpreter payload into a binary file. In this case, from a Windows victim system that we've already been exploiting throughout these various modules. I'm already connected to my victim system. I am an administrator, although I do want to use my system account, and I'm still using the bypass UAC exploit that we looked at earlier for that. What is my current directory? Good. What I'm going to do is change my local directory. Actually, the local directory is set already. I'm not going to change that from here.

What I'm going to do though is download notepad.exe. I downloaded it earlier, so it's saying it skipped it, but you see how that works: I just tell it where I want to download a file from, and then the current directory where the file exists. I could check that by doing ls note with a wildcard. The file size will change when we do this. You have to be careful to make sure that you don't get that noticed by the victim system, but that's really something that's a little bit beyond your control.

Let's clear this. Now what we're going to do, we should be in the root directory, and I should have my notepad file here, and I do. I'm going to run the msfvenom command. I used this before to generate a payload that will allow me to run the exploit outside the framework. My architecture is x86 because this is a 32-bit system. Platform is Windows. The executable is in my current directory, notepad.exe. I'm going to keep the template the same by using -k. The payload is going to be windows/meterpreter/reverse_tcp. My local host, and local port, we'll go with 443 for this. I can use the default encoder, which is shikata_ga_nai, but I'll specify it here anyway, so we can just get used to seeing that being typed in. I'm going to encode it three times. Again, this is done so that you can make your new executable less likely to be detected by the victim's antivirus. I'm going to exclude null bytes, since that's usually useful for Windows programs. Putting it into the exe format. It runs on a Windows system, and then I tell it my new file name, and I'll just call this new-notepad. You might think about renaming an original file, overwriting the original notepad, for instance. I don't want to do that for this particular example, but you have to pick your new binary name carefully so that it doesn't arouse suspicion, and is likely to actually be used by the victim.

This takes a few moments. It tells me that my new file's here. Notice that the size jumped quite a bit. It was 170-something k before, or rather 179k; now it's up to 317. Back in Metasploit, or my meterpreter shell, I'm going to go to the user's desktop. Helps if you use the correct slash. Sometimes switching back and forth between Windows and Linux can be a little bit confusing. Now that I'm in the user's desktop, I'm going to upload my new notepad. Now that file exists on the victim system. We can see there it is. People use notepad pretty regularly; it's a good file to try to infect. You could try other things. You could try to infect the calculator file. That one's got some protections on it, because it is a common file for infection, so it might be a little bit trickier to do that one, but notepad works just fine.

What I'm going to do now is exit from my meterpreter shell to show that I can get all the way back in with this technique. I'm starting up my Metasploit console. If you remember the payload was the, sorry, I'm doing the wrong thing. I need to set up the handler. I will check my options. I need to change my local port to 443, because that's what I encoded the meterpreter payload with. But the local host still looks good. I'm going to go ahead and run the payload, run the handler, and here, I'm going to go ahead and run new-notepad. Again, put this somewhere where you think that the user, the victim, will actually run the program for you. As we can see here, it opened up my shell. Now, all I need to do is have the handler running on the attacker system. I should be running as administrator because that's the user account where the payload was executed from.

As a review, once I am logged in as administrator, I can background this process. I can then use the bypass UAC. I will show my options because I need to change my session. Actually, the session is already set to one, so that's good. You have to make sure you have the right session number, as I've pointed out previously. Now it looks correct. Now I can run the exploit and bypass UAC on the victim system. I've got my second meterpreter shell now, and I can just run getsystem and getuid to verify that I am now system again. This is fantastic. That means I can have the listener running anytime the user, the victim of the pen testing, executes notepad. In this case, I can get a shell for meterpreter, and then I can escalate my privilege level to system just as easily as we see here. See you in the next section. Thank you.