This post highlights the possible options of picking the right payload, some tips to get around AVs, and the importance of what you do after getting the shell.

Martin Bos: Alright, next thing you’ve got to do is, obviously, choose the payload (see image). I know this is more of my corporate slot. Obviously, we like to use Metasploit, because everything’s built in, the listeners are there, it’s easy peasy, I’m not trying to reinvent the wheel. The main things that we worry about are reverse connections. So, when you’re reverse-connecting outside of an organization, TCP is just really difficult. Organizations have egress filtering, IDS, IPS, and all kinds of stuff. So, TCP barely ever works anymore.
We like to look at HTTP and HTTPS, because those are always allowed outside of an organization. However, nowadays they’re getting a little bit more crafty, they’re doing stuff like binary packing inspection and that kind of thing over SSL; not very often, but sometimes they are.
So, generally we stick with HTTP and HTTPS, but recently we did a pentest for an organization that we knew had outbound egress filtering. We knew that their 80 and 443 were being monitored with binary packing inspection, so we didn’t know how we were going to get on to the network. There is a newer payload in Metasploit called Reverse All-Port TCP. You basically give it a beginning port, and it tries every single one to get out of the network until it finds one. The difficult part about this is that you have to set up your reverse listener with iptables rules so it forwards every single port to the one port that your Meterpreter shell is listening on.
That was the trick that we had to figure out, but we did have this working and we got out on port, like, 47000, something really obscure and ridiculous that they just missed somehow or whatever. But it worked. We got shells, that’s all that mattered.
And the last thing is obviously defeating AV. Everybody knows Metasploit gets wiped off the board by almost every AV out there. It does come with some encoders, they do help, but they’re not for AV obfuscation. So, then we run into stuff like custom packers, doing some binary obfuscation, and digitally signed binaries and applets.
We like to digitally sign all our stuff, because it’s so easy, Dave taught us how to do that.
Eric Milam: For $199 at GoDaddy you can get a certificate to sign all your stuff.

Martin Bos: Another thing that we like to use, and this is super simple – we got a little bit, about 30 lines of bash right here, where we basically create an .exe with Metasploit, we set some of the bad characters, we do some byte randomization in here, and then we come down and we just recompile it back into a C binary, and it comes out. We just call it a ‘backdoor .exe’ (see left-hand image). Just those little 30 lines of bash will make it around a whole bunch of AVs.
I’m not going to pick on Accuvant one, but you will see here in the demo, we got my Accuvant corporate Windows 7 VM here; we’re running the latest and the greatest: we got McAfee, and it’s ok, we’re good to go, we’re fully patched. Those 30 lines of bash – and the only AV that I’ve not been able to get around is that pesky Microsoft Security Essentials; we have some other ways to get around that, but other than that, that little bit of code works. It’s probably not going to work tomorrow after somebody sees this, but whatever.
Because we need to find data on our pentest, we need to find what the company uses to make money, because that’s what’s going to have impact on the CEO level people when you deliver your report. I don’t know a lot of CSOs that really understand: I compromised your domain controller and now I’m king of the kingdom. Well, that doesn’t really mean a whole lot, but if you get in there and you’re like: “Hey man, I broke into your Wendy’s and I accessed your secret sauce formula in the database and I’m selling it on the Chinese black market” – that creates an impact, right? What does the company use to make money?
Now we’ll try to demo this and put it all together. The first thing we’re going to do is we’re going to log in to our portal.
Eric Milam: One other thing that we like to do to create trust on the website is make it point out to a small piece, but it sometimes makes a difference. How many people know about favicons for websites? So, just going out and taking one of those logos and creating a favicon and making sure that it shows up – that’s always a good thing, just another layer of trust. Like we said, nothing revolutionary, but when you put all these little things together, it just keeps building on to the trust for you.
Martin Bos: And this is just a plain old Metasploit RC file, nothing revolutionary here, but I just want to show you all. One feature in Metasploit that we use on every single pentest is the spool feature, which records every single thing that you do in the console; if you’re not using that and you’re on a pentest, you’re doing it wrong, because I can’t tell you how many times we had to go back and work through our spool file and prove to somebody that we didn’t tip over a domain – it wasn’t us, basically; or it was us. I always like to keep an accurate record of what we did.