Tag: meterpreter

Hiding in Plain Sight – Abusing Cloud Hosting

by on Mar.20, 2019, under Posts

Today I want to present an idea that I’m sure is not new but is something that should be on the minds of paranoid system admins and information security related folks.

It is safe to say that we as a society rely on and trust cloud hosting services such as Amazon AWS, Microsoft Azure, Google Cloud Compute, Linode, etc. Connections out to these services seen via netstat, firewall appliances or UTMs may be overlooked or blindly trusted. This exercise demonstrates how that trust in these services could potentially be exploited.

For this instance, I decided to use Google Cloud Compute for two reasons: there is a free trial period, and in my experience connections out to Google are very common in both organizational and residential environments. (As of this writing, according to netmarketshare.com, the Google Chrome browser has 65% of the browser market share.)

Setting up a Debian Linux VM in Google Cloud Compute is a snap and you’ll want to make sure ports 80 and 443 are accessible for this exercise. Once your VM is up and going, you can connect to it via ssh within the cloud console. Some initial setup may be needed depending on your preferences. Once done with these matters, simply install Metasploit:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

Once Metasploit is downloaded and running, let’s impersonate Google’s SSL certificate:

Thanks to: https://www.darkoperator.com/blog/2015/6/14/tip-meterpreter-ssl-certificate-validation

We can now backdoor a Google exe using the https reverse meterpreter payload that uses an impersonated Google SSL cert:

The next part (getting the payload onto the victim’s system) will depend on creativity. In this case, the AV evasion used in this method will not bypass most AV solutions, but that is not the point of this exercise. (On a side note, AV evasion has become harder and harder.)

Now if you look at the generated exe on a Windows system, the PE looks pretty legit:

However, if you do run this executable, you will get an unknown publisher warning. So it’s not perfect, but people do ignore this message.

As root, let’s set up the listener on the attacker’s end:

But before we run exploit -z -j, let’s add some more deception. You can use tools like httrack to essentially clone sites or web pages. The reason you may want port 80 forwarded to your VM is that you can set up a fake Google error page that redirects to Google and looks something like this:

Source code is available here: http://zitstif.no-ip.org/hideInCloud/index.txt

(Favicon.ico is located here: https://www.google.com/favicon.ico )

That way if the victim/defender wants to connect to the IP address that the payload is connecting to, it appears to be a Google error page that simply redirects to Google.com.

For hosting the page, you have various options, but for something quick and dirty you could do this (as root):

Once the victim has run the payload, to an average tech-savvy end user or network administrator the characteristics would, for the most part, look benign:

(tcpview)

The whois for the IP even says Google:

A quick view on Wireshark makes it look like this is normal as well:

If you set this payload to run automatically (via registry, shell:startup, etc), autoruns doesn’t flag it with a red color:

While this is happening, the attacker is granted an SSL meterpreter session that, in my humble opinion, is pretty stealthy.

Is this method foolproof and perfect? By no means is it. UTMs and network security appliances that do SSL dissection and inspection would probably flag this, but it all depends on the target and what resources they have allocated toward defense.
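The SSL-inspection point above is where a defender can catch this. As an added example (not part of the original post), the Python below scans constructed TLS-inspection log records for two signs the post itself describes: a certificate that claims a Google name but does not chain to a trusted CA, and a client that connected straight to an IP address (no SNI) yet was served a brand-name certificate. The log field names and the watch list are assumptions.

```python
import json

# Defender-maintained brand domains whose certificates must chain to a public
# CA (an assumption for this example, not something the original post defines).
WATCHED_DOMAINS = ("google.com",)

# Constructed TLS-inspection records (JSON lines) with assumed field names;
# addresses come from documentation ranges and nothing here is captured traffic.
SAMPLE_LOG = """\
{"src":"10.0.0.15","dst":"203.0.113.10","sni":"www.google.com","subject_cn":"www.google.com","issuer_cn":"Example Public CA","chain_valid":true}
{"src":"10.0.0.42","dst":"203.0.113.77","sni":"","subject_cn":"www.google.com","issuer_cn":"www.google.com","chain_valid":false}
{"src":"10.0.0.42","dst":"192.168.5.9","sni":"intranet.local","subject_cn":"intranet.local","issuer_cn":"intranet.local","chain_valid":false}
{"src":"10.0.0.7","dst":"203.0.113.80","sni":"","subject_cn":"*.google.com","issuer_cn":"Example Public CA","chain_valid":true}
"""

def claims_watched_domain(subject_cn):
    """True if the CN is a watched domain or a (wildcard) subdomain of one."""
    cn = subject_cn.lower().lstrip("*.")
    return any(cn == d or cn.endswith("." + d) for d in WATCHED_DOMAINS)

def analyze(log_text):
    """Return findings; one record can produce both a chain and an SNI finding."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cn = rec.get("subject_cn", "")
        if not claims_watched_domain(cn):
            continue  # self-signed internal services are out of scope here
        base = {"src": rec["src"], "dst": rec["dst"], "subject_cn": cn}
        if not rec.get("chain_valid", False):
            kind = "self-signed" if rec.get("issuer_cn") == cn else "not chained to a trusted CA"
            findings.append({**base, "severity": "high",
                             "reason": f"certificate claims {cn} but is {kind}: likely impersonation"})
        if not rec.get("sni"):
            # Browsers always send SNI; an IP-only connection answered with a brand cert suggests a hard-coded callback.
            findings.append({**base, "severity": "medium",
                             "reason": f"no SNI: client reached {rec['dst']} by IP yet was served {cn}"})
    return findings

def hosts_to_triage(findings):
    """Internal hosts with at least one high-severity finding, sorted."""
    return sorted({f["src"] for f in findings if f["severity"] == "high"})

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], "->", f["dst"], f["reason"])
    print("triage:", hosts_to_triage(analyze(SAMPLE_LOG)))
```

The legitimate record and the internal self-signed service produce no findings; only the two IP-only connections carrying Google names are reported, and only the self-signed one is rated high.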

There are some similar ideas for abusing cloud hosting service providers such as:
https://github.com/byt3bl33d3r/gcat



Meterpreter script – rogueap.rb – Abusing Windows Virtual Wireless NIC Feature

by on Oct.08, 2011, under Meterpreter Scripts, Posts

Inspired by Vivek Ramachandran‘s videos, I thought I would take the honor of creating the simple meterpreter script that basically does what you see in the third installment of the Swse Addendum videos.

When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. 🙂

For penetration testers, this script means that they can now more easily set up rogue wireless access points, using the soft AP feature built into Windows 7 and Windows 2008.

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue APs throughout a domain. This would be kind of like a network worm.

If you’re curious about automating Metasploit, please see:

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option of installing the meterpreter service on the victim computer. I thought giving this option would be ideal in case the victim computer reboots. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot.
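For the defender’s side of this, here is an added example (not part of the post or of rogueap.rb) that parses the output of `netsh wlan show hostednetwork`, the command that reports the state of the Windows 7 soft AP feature, and flags a hosted network that is actually broadcasting. The sample output is constructed to follow the command’s key : value layout rather than captured from a host.

```python
import re
import subprocess

# Constructed sample of `netsh wlan show hostednetwork` output; the SSID,
# BSSID and counts are made up for this example.
SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "FreeWiFi"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:11:22:33:44:55
    Radio type             : 802.11n
    Channel                : 11
    Number of clients      : 1
"""

def parse_hostednetwork(text):
    """Flatten the 'Key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        # Lazy key match so a MAC address value keeps its own colons intact.
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip('"')
    return fields

def assess(fields):
    """Return (is_broadcasting, reason) for a parsed hosted-network dump."""
    if fields.get("status", "").lower() == "started":
        return True, (f"hosted network '{fields.get('ssid name')}' is broadcasting on channel "
                      f"{fields.get('channel')} with {fields.get('number of clients')} client(s)")
    if fields.get("mode", "").lower() == "allowed":
        return False, "hosted network allowed but not started; consider disallowing it by policy"
    return False, "hosted network not in use"

def check_live():
    """Run the real command on a Windows host (assumes netsh is on PATH)."""
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True).stdout
    return assess(parse_hostednetwork(out))

if __name__ == "__main__":
    print(assess(parse_hostednetwork(SAMPLE_OUTPUT)))
```

Run check_live() from a scheduled task or an EDR custom script on managed laptops; a "Started" status on a machine with no business reason for a soft AP is worth an alert.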

The script is available here:

http://zitstif.no-ip.org/meterpreter/rogueap.rb

http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so.


Meterpreter script – stickykeys.rb

by on Jul.18, 2011, under Code, Meterpreter Scripts, Posts

http://zitstif.no-ip.org/meterpreter/stickykeys.txt

Through the past year or so, I’ve had some ideas for meterpreter scripts floating around in my head that I’ve been meaning to put to use. So this is my first unofficial meterpreter script for the Metasploit Framework.

The purpose of this script is to place a backdoor onto a Windows victim system. What it does is simply copy cmd.exe over sethc.exe. The sethc.exe program is the Sticky Keys program; to activate it you just have to hit the shift key 5 times and sethc.exe will be executed.

While this can be useful for those who are disabled, the feature can also be abused. If you have copied cmd.exe over sethc.exe, you can then hit shift 5 times and be provided a shell.

If you’re at a log on prompt and if you have this backdoor placed, when you activate sethc.exe (instead of logging in) you get a shell with SYSTEM level privileges!

This may seem trivial; however, if you’re doing a penetration test on a remote Windows system that is running Remote Desktop, this can be a deadly means of maintaining access. You can then use it to pivot back into the system, even if the original means (say, for instance, http) is blocked by an IPS and/or firewall.

One truly beautiful facet of this method, if you’re an attacker, is that cmd.exe renamed as sethc.exe did not trigger any responses from scanners on www.virustotal.com.
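A defender-side check for this backdoor, added here and not part of the original post or script: hash the accessibility binaries under %SYSTEMROOT%\System32 and report any whose contents are identical to cmd.exe. It goes beyond the post in also covering the other logon-screen accessibility tools (utilman.exe, osk.exe, and so on), which can be swapped the same way; demo() builds a constructed stand-in directory so the example runs on any platform.

```python
import hashlib
import os
import tempfile

# Binaries Windows launches from the logon screen as SYSTEM. The post covers
# sethc.exe; the others are the same class of target (added assumption).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "magnify.exe", "narrator.exe", "displayswitch.exe")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_replaced_binaries(system32):
    """Names of accessibility binaries whose bytes are identical to cmd.exe.

    A matching hash is conclusive; a non-matching one is not a clean bill of
    health (the copy could come from another build), so pair this with
    known-good hashes or an Authenticode check in production.
    """
    cmd_hash = sha256_of(os.path.join(system32, "cmd.exe"))
    hits = []
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            hits.append(name)
    return hits

def demo():
    """Constructed System32 stand-in: sethc.exe overwritten by cmd.exe, utilman.exe intact."""
    d = tempfile.mkdtemp()
    cmd_bytes = b"MZ constructed cmd.exe stand-in"
    for name, data in (("cmd.exe", cmd_bytes),
                       ("sethc.exe", cmd_bytes),  # the backdoored copy
                       ("utilman.exe", b"MZ constructed utilman stand-in")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return find_replaced_binaries(d)

if __name__ == "__main__":
    root = os.environ.get("SYSTEMROOT")  # set on Windows; use the constructed demo elsewhere
    print(find_replaced_binaries(os.path.join(root, "System32")) if root else demo())
```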

I’m planning on adding more to this script, but I just wanted to get this released for the time being. I also want to state that I merely put this idea to use for the Metasploit project; this hack has been around for a while:

http://goo.gl/E40Oj

To install this, simply download the txt file, then change the extension to .rb and throw this file in the framework3/msf3/scripts/meterpreter/ directory.

#Update 7/20/2011

Issue Addressed: Switched all C:\\WINDOWS to %SYSTEMROOT% (Thanks Rod Macpherson)
BUG: On Nokia N900 with Ruby 1.8.7 (arm-linux-eabi), with Metasploit Framework version svn r13268, I am receiving a compile error message at line 70. (Unexpected ‘)’)
NOTE: I am not having this issue on Backtrack 5 32bit with Ruby 1.9.2dev (i686-linux)


Updated Section and Other Matters

by on Jan.19, 2011, under Posts

I haven’t had much time or energy to work on my website due to work, having a more than usual social life (odd), and school. I’m going to make an honest effort to keep this website up to date at a higher frequency than what I’ve been doing.

This post is mostly in regards to my reconnaissance websites section. I’ve updated it and organized the websites by category. I’ve also added a link to Samy’s geolocation page, which is great for finding actual (or close) locations of APs, thanks to Google doing ‘legal’ wardriving.

Also, I’m planning on obtaining a Nokia N900, which I plan to ‘weaponize’ in an original manner, and I will post the steps for doing so on my website. I also have some meterpreter script ideas that I’m planning on working on. In addition, I have a meterpreter script that has been lying around that utilizes an old trick for maintaining access to a compromised server, which I plan on posting for Metasploit users to use.

Here’s to a new year in information security! What will 2011 bring? 🙂

More to come as usual..

