
My First (Sort Of) Successful Pen-test


TuX^


Hi guys,

It's me again. Just thought I'd let you know about my first half-successful pen-test on a Windows 7 machine.

I used Metasploit to pull this one off. For the scenario, pretend I used social engineering to get the login credentials (I didn't; it's my machine. It's certainly possible, though).

From there I used the PSEXEC exploit to gain access to a reverse shell. (I tested this a few times; sometimes it brings up a command prompt and other times it brings up a Meterpreter session..?)

In the Meterpreter shell I successfully migrated to explorer.exe and started the keylogger. I typed a fake username and password into Notepad on the victim machine, went back to BackTrack and dumped the contents of the log. It worked!

Only problem is, I don't know how to get round the AV. Any ideas?

Kind regards,

TuX

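Added example, not part of the thread: the psexec step described in the post above leaves a durable trace on the target that is worth knowing about from the defender's side. Metasploit's psexec module uploads its payload as an executable with a random 8-letter name and registers it as a service with another random 8-letter name; the Service Control Manager records that install as event 7045 in the System log. The Python below scans constructed 7045 records for that pattern. The key=value record layout, the host and service names and the exact naming regexes are assumptions for illustration, not anything taken from the thread.

```python
"""Added example: flag the service install that Metasploit's psexec module
leaves in the victim's System event log. Constructed records, not real logs."""
import re
from typing import Dict, List, Optional

# The module uploads the payload as <8 random letters>.exe and registers it
# as a service named with another 8 random letters; the Service Control
# Manager logs the install as event 7045. Both regexes are assumptions
# about the module versions of the era: tune them against your own samples.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
RANDOM_IMAGE = re.compile(r"^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

# Constructed sample: one flattened record per line, key=value fields
# separated by ';' (an assumed export layout, not a Windows format).
SAMPLE_LOG = r"""
EventID=7045;Host=WIN7-PRO;ServiceName=AvastSvc;ImagePath="C:\Program Files\AVAST Software\Avast\AvastSvc.exe";Account=LocalSystem
EventID=7045;Host=WIN7-PRO;ServiceName=gupdate;ImagePath="C:\Program Files (x86)\Google\Update\GoogleUpdate.exe";Account=LocalSystem
EventID=7045;Host=WIN7-PRO;ServiceName=QxTfHbSw;ImagePath=%SYSTEMROOT%\wEmLkZrv.exe;Account=LocalSystem
EventID=7036;Host=WIN7-PRO;ServiceName=QxTfHbSw;ImagePath=;Account=
"""


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one record into fields; returns None for blank lines."""
    fields: Dict[str, str] = {}
    for kv in line.strip().split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields or None


def is_psexec_install(ev: Dict[str, str]) -> bool:
    """Only a 7045 whose service name AND image path both look generated.
    Name alone is not enough: AvastSvc in the sample is also 8 letters."""
    return (ev.get("EventID") == "7045"
            and RANDOM_NAME.match(ev.get("ServiceName", "")) is not None
            and RANDOM_IMAGE.match(ev.get("ImagePath", "")) is not None)


def find_psexec_installs(log_text: str) -> List[Dict[str, str]]:
    """Return every record in the export that matches the psexec pattern."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and is_psexec_install(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_psexec_installs(SAMPLE_LOG):
        print(f"{ev['Host']}: service {ev['ServiceName']} -> {ev['ImagePath']}")
```

The name check on its own would also flag AvastSvc in the sample (eight letters too), which is why the image path has to look generated as well before anything is reported; the 7036 line for the same service is a state change, not an install, and is ignored.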

Loads of ways: Meterpreter has a killav script that will try to kill it dead; if you can get RDP access, you can go to the task bar and stop or pause it through the interface; you can use Task Manager, either in Meterpreter or Windows, and kill the process ID; or open Control Panel > Services and stop or pause the service.


Then you need to find a way to exploit the box while the AV is on, escalate the UAC privileges and make yourself SYSTEM, then taskkill the AV program. There are different methods of encoding to obfuscate your payloads so the anti-virus doesn't know them by signatures, but if it sees a generic packing of the payload, it might just kill it on heuristics, which technically is a good thing if the AV you are using is blocking the attacks. I thought Meterpreter was supposed to hide everything in RAM and give you the ability to encode it as well to obfuscate it. I'm not too familiar with how to do all that, but maybe search some vids or even check out both the Offsec MSF wiki and Rel1k's site for demos.

http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training

http://www.secmaniac.com/movies/

The first vid on Dave's site is about A/V evasion using JavaScript obfuscation.


As Digip pointed out, you can encode the payload to prevent it from being detected by the anti-virus.

Once it's encoded, to make sure it's completely stealthy, upload it to virustotal.com and see how many AVs successfully detect it.

If no AV has been able to detect it, then you have bypassed the AV filters. If not, encode it multiple times using different encoders, until it's completely stealthy.


Hi Infiltrator,

I was just using the Java Applet Attack method, and encoded it using a backdoored executable (the one that was recommended), and it was picked up. I was running Avast at the time. Where is the file to upload? I'll see what VirusTotal says about it.

Kind regards,

TuX



This is another engine, often preferred by exploit writers:

http://vscan.novirusthanks.org/

The reason is the "do not distribute sample" checkbox. VirusTotal submits the samples to AV vendors so they can better their signatures; for testing stuff, IMHO, there is no reason to provide AV vendors with your own samples.

Of course VirusTotal offers scanning based on hashes, which is very handy for large executables/ISOs/whatever.

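Added example, not from the thread: what the hash-based lookup mentioned above can and cannot tell you. A hash query only answers "has this exact file been seen before"; rebuilding the payload with a different LHOST or LPORT changes every hash, while a byte signature on the part that did not change still fires. The Python below uses a constructed stand-in for a stager and a constructed scanner database (the STUB bytes, the addresses and the ports are made up); it also does a piecewise block-hash comparison to show how little of the file a rebuild actually touches.

```python
"""Added example: hash lookup versus byte signature on a rebuilt payload.
The 'payload' and the scanner's database are constructed stand-ins."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a stager: a fixed stub the vendor has already
# seen, followed by the build-specific bytes (LHOST and LPORT) that change
# every time you regenerate the executable. Not real shellcode.
STUB = b"\x90\x90CONSTRUCTED-STUB\x90\x90"


def build_sample(lhost: bytes, lport: int) -> bytes:
    """Assemble one 'build' of the stand-in payload."""
    return STUB + lhost + lport.to_bytes(2, "big")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_lookup(data: bytes, known_bad: Set[str]) -> bool:
    """Exact-match lookup: the only question a hash-only query answers."""
    return sha256(data) in known_bad


def signature_scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Plain byte-pattern scan over the whole file."""
    return [name for name, pattern in signatures.items() if pattern in data]


def block_hash_overlap(a: bytes, b: bytes, block: int = 8) -> Tuple[int, int]:
    """Piecewise hashing: (shared blocks, total blocks of a). Shows that a
    rebuild only disturbs the blocks holding the build-specific bytes."""
    blocks_a = [sha256(a[i:i + block]) for i in range(0, len(a), block)]
    blocks_b = {sha256(b[i:i + block]) for i in range(0, len(b), block)}
    shared = sum(1 for h in blocks_a if h in blocks_b)
    return shared, len(blocks_a)


def classify(data: bytes, known_bad: Set[str], signatures: Dict[str, bytes]) -> str:
    """Hash tier first (cheap), then the signature tier."""
    if hash_lookup(data, known_bad):
        return "hash-match"
    if signature_scan(data, signatures):
        return "signature-match"
    return "no-detection"


# The build that was submitted earlier (so its hash is now in the vendor's
# database) and a rebuild that only changed the listener port.
SUBMITTED = build_sample(b"192.168.1.10", 4444)
REBUILT = build_sample(b"192.168.1.10", 31337)
KNOWN_BAD = {sha256(SUBMITTED)}
SIGNATURES = {"stub": STUB}

if __name__ == "__main__":
    print("submitted:", classify(SUBMITTED, KNOWN_BAD, SIGNATURES))
    print("rebuilt:  ", classify(REBUILT, KNOWN_BAD, SIGNATURES))
    print("blocks shared:", block_hash_overlap(SUBMITTED, REBUILT))
```

The rebuild misses the hash database outright, so a hash query on a payload you have just generated tells you nothing about whether it is detectable; the same rebuild still trips the stub signature, and four of its five 8-byte blocks are identical to the submitted build.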


Thank you for the information bro, I shall keep it in mind for the future.


I'd upload the file to both sites if I had any clue where to find it :P

TuX

Have you encoded your payload yet?


I encoded it when SET asked me to, using a backdoored executable. Where is the encoded file stored before it attacks the victim?

Far too tired to be thinking about it now.

TuX



See if it's under the /pentest/payloads/ directory.


Hi Infiltrator, no it's not there.

Here's something weird... I tried the exploit on the machine I was testing all along with no luck, because the AV was running. BUT I also tried it on my machine (the one BackTrack is hosted from) and it worked; it bypassed the AV..

Any reasons why?

TuX


Thanks Hexophrenic,

I'll check that out when I get a chance.

As for my payload SOMETIMES bypassing Avast, I still can't figure it out.. Both are Windows 7 Pro..

Any ideas?

TuX


You could try to re-run the exe through msfencode with some other encoder. Nesting the encoding several times can help improve its ability to evade anti-malware. Shikata ga nai was the best for quite some time; maybe taking a backdoored executable and running it through 10-15 iterations of shikata may help. Obviously everything you do to encode will slow the execution of said program, but with smallish exes and fast hardware it will likely not be noticeable. Backdoor typically does a pretty good job by itself, though.

Some of the issues I have run into are with heuristics or behaviour-based evaluation (i.e. sandboxing, etc.) in AV products, which do a really good job of catching bad stuff. However, most in-the-wild installs will not have this protection enabled because it can slow everything on the machine to a crawl. Have you uploaded your sample to any of the online virus scanning sites yet?


Hi,

I went to the SET directory, and then src (where I think the .exe is located). Can anyone tell me the filename? I found 1 .exe and a few .binary files in the child folders of src. None of them were flagged by VirusTotal.

TuX


src is where the exe "template" file is located. When was the last time you updated SET? What version are you using? In the SET directory, do an svn up (this is all assuming you are using BT4, which, after reading back through the thread, may not be a valid assumption).


Trying to duplicate:

cd /pentest/exploits/SET

./set

4. Create payload and listener

2. Reverse meterpreter

16. Backdoor

port 31337

From console:

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...

[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

[*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.

[*] Packing the executable with UPX, one moment.

[*] Your payload is now in the root directory of SET as msf.exe.

[*] Packing the executable with UPX, one moment.

[*] The payload can be found in the SET home directory.

That makes it pretty clear where you should find it.

I did not start the listener since it is a test.

After exiting SET I ls and see msf.exe listed in /pentest/exploits/SET.

Do you see all of this as well or are you doing something different? Just trying to understand what you are seeing.


Yeah, just figured that out. I see that now. I was trying to work out how to encode it again using msfencode (don't know the args or syntax for it); I just did a quick Google search but it didn't reveal an awful lot.

TuX


Don't like plugging my own stuff ;) but the post below may help you in trying out what kind of encodings can get by some AVs.

As mentioned though, DON'T upload to VirusTotal for verification if you want to be able to use a working encoding method in the near future..

http://adaywithtape.blogspot.com/2010/05/creating-backdoored-exe-with-metasploit.html

