how to Hiding Shell using PrependMigrate - Metasploit

In this article, you will get to know about the strength of mfsvenom along with PrependMigrate. You will also learn how to migrate the created payload into processes currently running on the targeted machine so, the victim unable to find the malicious file. It is very important to migrate your backdoor payload because if the target is alerted and decides to take measures to kill the process then, your session will also get killed. Therefore, an attacker must do this as soon as the session opens.

Table of Content

  • Basic Terminologies
    • Metasploit Framework
    • MSFvenom
    • PrependMigrate
  • Hiding shell with PrependMigrate
    • With MSFvenom.
    • Without MSFvenom.
Basic Terminologies
Metasploit Framework
Metasploit Framework, an open-source tool for developing and executing exploit code against a remote target machine.
Steps for exploiting a system using the Framework include:
  • Choosing and configuring an exploit
  • Checking whether the intended target system is susceptible to the chosen exploit
  • Choosing and configuring a payload
  • Choosing the encoding technique
  • Executing the exploit.
This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploits writers, and payload writers. 

Msfvenom

MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. It is used to generate and encode various types of payload that are available in the Metasploit Framework. The advantages of msfvenom are:
  • One single tool
  • Standardized command-line options
  • Increased speed

PrependMigrate

PrependMigrate is an option that allows us to link our session with an ongoing process on the target system. It can also transfer a session by linking it from one process to another. It comes handy as it is difficult for the target to find the malicious process so it becomes paramount for the attacker to cover their tracks.
Configurations used in Practical
Attacker:
    OS: Kali Linux
    IP: 192.168.1.107
Target:
      OS: Windows 10
      IP: 192.168.1.104

First Method

Let’s start the game of conceal and seek. You have to conceal to save yourself and let the target try to find you.
Starting with MSFvenom we will be creating a malicious executable named raj.exe and conceal the generated executable behind a process named explorer.exe (you can choose any process running on task manager) by PrependMigrate process.

Next, we will be loading the Metasploit framework on Kali Linux by using the msfconsole keyword. Then set the following options to enable our handler:

Now, we will send the payload to the target machine and run the executable on the Target Machine. This will generate a meterpreter session which will be captured by the listener we created earlier. You can access the target system but if the target acknowledges that the system is compromised; then they can take security measures to end your session. To escape from this situation, the attacker’s first responsibility is to conceal the executable payload behind the process so the victim cannot identify it in any way possible.
Use the following ps command to check the processes that are running presently and filter with the raj.exe
 The process ID (PID) of raj.exe i.e. 4848 as shown in the process list and if the victim kills the raj.exe i.e. 4848 PID then the running process will end. Thus, ending our session with a simple command:
But you do not need to worry as PrependMigrate saves the day by letting us conceal raj.exe behind the explorer.exe and you will be at an advantage as your meterpreter session is still running. Even after the system reboots, the Meterpreter on the victim system attempts to connect to us every 5 seconds until it has successfully opened a session for us. And you can use the sysinfo command to confirm that the session is still up and running.

Second Method

The Second way of hiding shells using the PrependMigrate but without using msfvenom. Here, the objective is the same as the earlier. We will start by opening the Metasploit Framework.
Then use the following set of commands to create your payload:

After the creation of malicious executable i.e. nisha.exe, we will create listener multi/handler using the following commands:
Using the ps command along with grep command we will get the PID of nisha .exe i.e.4128
(Note: PID stands for process id, which means the identification number for currently running process in memory. PPID stands for Parent Process Id, which means the parent process is responsible for creating the child (current) process. Through parent Process, the child process will be created.)
Now we try ourselves to kill the nisha.exe process to get conceal from the victim with the following command:
But still, you have a victim’s session which means nisha.exe migrates into new process id of explorer.exe. And you can use the sysinfo command to confirm that the session is still up and running.

Conclusion
This is how one conceals themselves. The purpose of this article is to serve both the blue team and the red team as one should be aware of how to locate and eliminate the attacker as well as how to conceal yourself when you are on the other side of the line.
Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Multiple Ways to Install Kali

In this article, we will learn how to open the magic box of ethical hacking. Can you guess the name of that box? Ok, I tell you the name is KALI the magic box of ethical hacking. Through this article, you will learn the installation of Kali  Linux on different platforms along with the features.

Table of Content

  • Introduction of kali Linux
  • Features of kali Linux
  • Prerequsities for kali Linux installtion
  • Kali installation on VM (Virtual machine)
  • Kali installation on Virtual Box
  • Kali installation on AWS
  • Kali installation on Respberry pi

Introduction of Kali Linux

“The quieter you become, the more can to hear”—Kali Linux
As per my definition, Kali Linux is a magic box that contains multiple magic tools to play the magic. In technical terms, Kali Linux is an open-source, Debian based Linux distribution mainly for penetration testing, security auditing, computer Forensic, Security research, etc. it contains over 600 tools of information gathering(Amap, arp-scan, APT2, etc.), vulnerability analysis (Nmap, sqlmap, BBQSQL, etc., ), wireless attack( Airbase-ng, Air crack-ng, airplay-ng, etc.), web applications(BrupSuite, zaproxy, Web Scarab), exploitation (Metasploit, Armitage, crackle), forensics (DFF, Capstone, Binwalk, etc.), etc.
It is developed, maintained and funded by Offensive Security, a leading information security training company.

Features of Kali Linux

Free of cost –it is completely free of cost, you will never have to pay for it. All the development source code are freely available to you.
Over 600 tools available for different functionality e.g computer forensics, penetration testing, etc
Completely customizable – it is easy to customize based on your needs and preferences.
Usable on a wide range of ARM devices.

Prerequisites for Kali Linux Installation

Kali OS software package required a minimum of 10 GB hard disk space for installation.
  •        Minimum 512MB Ram is required for i386 and amd64 architectures.
  •        A bootable CD-DVD Drive or a USB stick.
Give me six hours to chop down a tree and I will spend the first for four sharpening the axe.—Abraham Lincoln

Installation of Kali on Vmware

Vmware Workstation enables users to set up virtual machines on a single physical machine and use them simultaneously along with the actual machine. A Virtual machine can be downloaded from www.vmware.com.
Download kali from  http://kali.org/downloads/ 64 bit or 32 bit as per your computer capability.

Click on create a new virtual machine by selecting the Installer disc image file (ISO), and review the configured virtual machine and then powered on the created kali virtual machine.
 At the boot menu, many options are available so I am going to describe all boot menu options briefly:
Live (amd64)
Probably the one you’re searching for. This one will boot you into Kali, but only in the Live mode. That means, that when you terminate/shutdown your laptop everything you’ve saved/edited in Kali is lost. So if you make a file on your desktop, that file will be lost when you restart.
This is possible because Kali only writes to RAM and not your HDD.
Live (forensic mode)
This is a special and interesting mode. In this mode, the internal HDD is never touched, and the auto-mounting of devices is disabled. You’ll use this when performing forensics on a device (e.g. recovering sensitive files, getting evidence in crime scenes.)
Live USB Persistence
Use this if you want to install Kali on the USB you booted from, this way you can save what you’ve done, etc. If you now place a file on your desktop, it’s saved on your USB and is again accessible when you boot from it.
Live USB Encrypted Persistence
Same as above. Alone with this option, your USB is also encrypted with LUKS. If you choose USB Persistence, choose this one!
(Graphical) Install                                                                                        
If you want to install it on your HDD.
Install with speech synthesis
Install it, the text from the installation-menu is read out to you
But through the down arrow key, you can select Graphical install.

After selection of Graphical install, you will get the multiple next windows of
Preferred language selection- English (select as per your choice) then click continue
Location – United States (select as per your choice) click continue
Standard keymap –  American English (select as per your choice) click on continue
On the next screen you will ask to configure the network, select Do not configure the network at this time and hit the continue.
Now in a single word, you can provide the hostname e.g. Kali (any name as per your choice). Then click on continue.

Set the password for the root account. Don’t forget the password you have set for the root account otherwise you have to install kali again.

On the next screen, select the time zone and click continue.

Kali detects the disk partitions. Select guided-use entire disk then click continue.


Installer confirms that partition you are going to use. Click continue.


Select the All files in one partition and click on continue.

Selection of disk partition has been done, you can see the overview of partition disk you currently configured, and select the Finish partitioning and write changes to disk. After that click on continue.

Click on yes to make the changes to disk as per the selected partition changes. Then click on continue.

After partition, now Kali will start installing, you have to around 30 minutes for installation.
After Kali installation, on the next screen, you will get the network mirror option. You need to select No and click on continue.

You get the option to install the GRUB boot loader as it should be safe to install it to the master boot record of your first hard drive. Select yes and click on continue.

Select the boot loader device for GRUB installation. Select /dev/sda and click Continue.

Now you will see the installation complete dialog box. Click to continue to finalize the installation and wait for the VM to reboot. After reboot, you will see the login screen. Log in with your username or root user and provide your password. You will then see the Kali Linux desktop.

Once the VM reboots, you will see the Kali Linux login screen.

Login with username: root, Password: toor, what you entered during the installation process earlier.
 
Successfully, Kali installation has been done, now you can start working on Kali Linux.

Installation of Kali Linux on Virtual Box

VirtualBox is a software system for virtualizing the x86 computing design. It acts as a hypervisor, making a VM (virtual machine) within which the user will run another OS (operating system).
The OS within which VirtualBox runs is named the “host” OS. The OS running within the VM is named the “guest” OS. VirtualBox supports Windows, Linux, or macOS as its host OS.
 If you have already got put in VirtualBox then well smart otherwise install the newest version and install it from https://www.virtualbox.org/wiki/Downloads.
Prerequisites
  • VirtualBox installed in your Linux system
  • the image of Kali Linux present in your system
  • at least 4GB of RAM
  • at least 20-30GB of free disk space
  • network to have a system updated
  • a processor with the virtualization features enabled (often activated by default)
In virtualization, the guest OS is the virtualized system (so our Kali Linux) and the host OS is our Linux system. You can summarize the configuration that was created by you. Then launch the installation  click on the green arrow button to start .

On the next screen, you will see the installer options, select Graphical install.

After the selection of Graphical install, you have to follow all the steps the same as you have done at the time of installation of Kali Linux on VMware.

Installation of Kali Linux On AWS

Amazon Web Services (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. One of these services is Amazon Elastic Compute Cloud, which allows users to have at their disposal a virtual cluster of computers, available all the time, through the Internet.
For more detail description refer https://en.wikipedia.org/wiki/Amazon_Web_Services.
Prerequisites
  • An Aws account
  • Minimum 2 GB RAM (to run Metasploit)
Login to  https://aws.amazon.com/console/ to navigate web services. From the compute services, select EC2 (Elastic Compute Cloud) and click on Launch Instance.


Click on AWS Marketplace, to search  the AMI (Machine Image of Kali Linux)

In the search, tab writes Kali Linux, to the Kali AMI  and then click on select.

After selection, you can see the summary of all the instances types, software, amount available for Kali Linux. (As per your requirement you can choose, also free tier instance is also available).Then click on continue.

Now you can choose instance type as per your budget, you can select t2micro along with vcpu 1,2.5GHz, Intel Xeon Family,1GiB memory, EBS only). But to run the Metasploit to need minimum of 2 GB RAM, you can opt t2 small or t2 medium.

Review the selected instance and click on the launch.

Here, you need to create a new key pair and give a name to the key . Click on download key pair as you will not be able to download the file again after it’s created. Then click on Launch Instances.

Save the Downloaded .pem file.

Click on Launch Instances

After Launch instance, you can see the instance is running even you can provide the name to your created instance. Click on connect to get access to SSH with other information on public DNS.


For a Linux user:

You can access the Kali AWS from a linux machine. Set the permissions and connect the SSH server:
Login with username ec2-user.

For Window Users:

Open the puttygen and load the previously downloaded private key to convert it into a putty supported format.


Save the private key and close the Puttygen program. Open the Putty program to connect it with Kali Linux, in hostname put the public DNS details and load the private key in the Auth tab under the SSh navigation.
Then click on open


Login with username ec2-user and your kali Linux from the cloud is ready. As this is minimal installation, to get all the tools run the command apt-get install kali-linux-full
Note: You should not go over the usage limit otherwise you will be charged and need to pay the bill.

Installation of Kali on Raspberry Pi

The Raspberry Pi is a low-cost, credit-card-sized ARM computer. Despite being a good bit less powerful than a laptop or desktop PC, its affordability makes it an excellent option for a tiny Linux system and it can do far more than act as a media hub.
The Raspberry Pi provides an SD card slot for mass storage and will attempt to boot off that device when the board is powered on.

By default, the Kali Linux Raspberry Pi image has been streamlined with the minimum tools, similar to all the other ARM images. If you wish to upgrade the installation to a standard desktop installation, you can include the extra tools by installing the kali-Linux-full meta-package.
For more details please refer https://github.com/thehackingsage/HackPi.
Prerequisites
  • Kali Linux Raspberry 2,3, 4 ARM images.
  • SD card (minimum size 8 GB but can use 16GB 0r even 32 Gb)
  • Bootable Kali
First, download the Kali Linux 2 or more image file for a raspberry file from the https://www.offensive-security.com/kali-linux-arm-images/#1493408272250-e17e9049-9ce8.
I need to write it to the SD card. Choose the Kali Linux ISO file to be imaged with “select image” and verify that the USB drive to be overwritten is the correct one. Click the “Flash!” button once ready.
Once Etcher alerts you that the image has been flashed, you can safely remove the USB drive and proceed to boot into Kali with it.
Now, you can have a plugged raspberry pi device with the bootable SD card into the monitor. After powering up the raspberry pi 3 b, it will go through a bootup process and the screen will go blank for a few seconds.
For the final step, a login prompt will appear asking for a username and a password. The default should be ‘root’ and ‘toor’ respectively.
Thank you
Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

In Plain Sight:1: Vulnhub Walkthrough

In today’s article, we will face an Intermediate challenge. Introducing the In Plain Sight:1 virtual machine, created by “bzyo_” and is available on Vulnhub. This is another Capture the Flag challenge where we have to escalate privileges to find the root flag to complete the challenge.
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • netdiscover
    • nmap port scan
  • Enumeration
    • FTP Enumeration
    • Browsing HTTP Service
    • Enumerating the wordpress
  • Exploitation
    • Get a meterpreter session
  • Post Exploitation
    • Reading passwords from file
    • Login into MySQL to find hashes
    • Using john to crack the hashes
  • Privilege Escalation
    • Using su command
    • Finding password
    • Checking for SUID

Walkthrough

Network Scanning

The first step is to identify the target. So, to identify our target we will use the following command:

Now we will use Nmap to gain information about the open ports and the services running on the target machine and for this, type the following command :

From the nmap scan, we can see that Port 21, 22, 80 are open, it means we have the FTP, SSH and HTTP services running simultaneously. Firstly, let’s try enumeration with an anonymous login on FTP.

After logging in anonymously, we can see that there is a file todo.txt. Download this file using the get command. The content of todo.txt file doesn’t seem to be useful. You can read the file by using cat command.
As FTP wasn’t useful to us, we can now browse the website to see if we can find some information. And for this, open the IP address in our browser.

This is an Apache2 Ubuntu Default page but after exploring it carefully we can see a line hinting to “/var/www/html/index.htnl”. So, let’s explore this page.

This page looks like a normal page but when we click anywhere on the page then it will lead us to the following new webpage :

As we can see that this webpage lets you upload any image. So here we tried to upload the image and we succeed but when we try to upload a .php file the webpage give us an error. Upon exploring more, the URL of the webpage caught our attention and you can see that it looks like a hash so we copied it and tried to crack it by using the john.

It was “goodluck”. At this point, we were just being trolled.
We then tried to upload a simple .php file and when uploading a .php file we come across the following error :

But this error leads us to a new page “upload.php”. Let’s check the source code of this page.

Yes! There is a comment at the end of the source code. And this is a base64 encoded text, so let’s try to decode it by using the following command :

When the text is decoded, it looks like a directory or a webpage. But before exploring it let’s see if there are more pages or not. Hence, use dirbuster.

There are many pages and as the result shows us that CMS is wordpress, therefore, we can use wpscan to plow through the two specified pages that mentions wordpress. And for that use the following command :

Similarly, let’s enumerate the other page.

As you can see in the above image there are three users. And we have their usernames, we can simply use bruteforce to find their respective passwords and for that type :

Alas, we couldn’t find any password but not to worry as we can run the same command for the other page, let’s try it by typing :

And so, we finally found the password for the user admin. So now, let’s try to upload a shell using msfconsole. And through Metasploit we will use exploit/unix/webapp/wp_admin_shell_upload.

Once the exploit is initiated, type the set of following commands :

As you can see, we are successful in getting our session, let’s move onto shell of the target system and for that type shell and hit enter. And the next thing you know is you are in the shell of the target system. Now to get a proper authenticated session of shell type the following command :

As we have managed to get a shell. So now, we will explore the system more to find some useful files.

Upon changing the directory, we found wp-config.php. as it is a config file, there’s bound to be useful information. Thus, we will try to read it’s content using the cat command :

These credentials are of MySQL as you can see the prefix DB used which probably stands for the database. So, we can try to login into mysql using these credentials and therefore, use the following commands :

Yes, we are in! Let’s try and explore it further.

We found a database “sodevwp” and hence, to change the database type :

Once the above commands are used successfully, you will find the following two hashes :
$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA. (for user admin)
$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01 (for user mike)

We will now use john the riper with rockyou wordlist to crack these hashes and for that type :

As you can see in the image above that we found our passwords to the two major users and those are :
admin:admin1
mike: skuxdelux
Now, try and switch the user to mike and you can observe in the image below that you can successfully do that; which means cracking the passwords was successful.

Let’s move on for privilege escalation. Now, when you change your directory to /home and there you found a new user “joe”
And without wasting any time we traversed through etc/passwd.

With etc/passwd we found out that password to ‘joe’ is SmashMouthNoThanks. So now, let’s switch the user to joe with the foretold password.

And just like that, we have access to the user ‘joe’.
Now to move forward the only thing we have to do is to get the last flag of the target. And to get it we check for SUID using the command find. -perm /4000. Before executing this command, we will change our directory to “/” and after running the command we find the following useful binaries.

And in /bwrap we found our last flag which you can observe from the image below :

Read the flag using cat command as shown in the image below :

VOILA!! We have completed the challenge.
Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

Windows for Pentester: Certutil

In this article, we are going to describe the utility of Certutil tool and how vital it is in Windows Penetration Testing.

TL; DR

Certutil is a preinstalled tool on Windows OS that can be used to download malicious files and evade Antivirus. It is one of the Living Off Land (LOL) Binaries.

Disclaimer

The main objective of publishing the series of “Windows for Pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any Pentester while solving CTF challenges or OSCP labs which are based on Windows Operating System. Here, we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any kind of programs/binaries/files & etc.”

Table of Content

  • Introduction
    • What is certutil?
    • What is Living off Land?
    • Working with certutil?
    • What is Alternative Data Stream (ADS)?
  • Configurations used in Practical
  • Working with certutil
    • Encoding
    • Decoding
    • Hashing
    • Downloading
    • Reading Error Code
  • Penetration Testing using certutil
    • Compromising using Malicious Executable
    • Compromising with Encoded Malicious DLL
    • Compromising with Malicious Executable inside ADS
  • Mitigation
  • Conclusion

Introduction

What is Certutil?

Certutil is a CLI program that can be used to dump and display certificate authority (CA), configuration information, configures Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. It is installed as a part of Certificate Services.

What is Living off Land?

In simple words, it is an attack that works on the idea of using system tools as backdoors. File-less attack is another example of LOL attack. Attackers who use this tactic works with trusted, in most cases, preinstalled system tools to carry out their attack. Attackers use these tactics to hide their malicious activity in plain sight among the other general activity inside the network or system. As these kinds of attacks operate without triggering any alerts, it is almost impossible for investigators to determine who is behind the said malicious activity even if they discover it.

What is Alternative Data Stream (ADS)?

The NTFS file system consists of the ADS feature. This is an inconspicuous feature that was included, to provide compatibility with files in the Macintosh file system. ADS enable files to incorporate more than one stream of data. In any instance, each file consists of at least one data stream. This default data stream in Windows is recognized as :$DATA.
Windows Explorer can’t see what ADSs are in a file (or a way to erase them without actually discarding the original file) but they can be created and accessed with ease. Because they are challenging to detect, thus often used by hackers to hide files on machines that they’ve compromised. Executables in ADSs can be executed from the command line but without showing up in Windows Explorer.
Some of the CTF Challenges over HackTheBox where certutil can be used are:
Access, Arctic, BigHead, Conceal, Ethereal, Fighter, Giddy, Hackback, Jerry, Rabbit.

Configurations used in Practical

Attacker:
  • OS: Kali Linux 2019.4
  • IP:192.168.1.10
Target:
  • OS: Windows 10 (Build 18363)
  • IP: 192.168.1.11

Working with certutil

Practical #1: Encoding

Certutil contains an encode parameter. It could help to encode file content into Base64. This is a Windows equivalent to the base64 command in Linux.
When working with an executable file, we came across a scenario. In it, the uploading of the executable file was not smooth. We can use certutil to encode the executable file. Then transfer the encoded data, then decode it on the recipient machine.
In the following practical, we first created a text file named “file.txt” and wrote the “This is a plain text” line in it. We did this with Add-Content cmdlet in PowerShell. We can see that it worked when we checked the file using type command. To convert, we will use certutil with encode parameter. We will provide the text file and the file that it should write the encoded data.
Certutil adds two segments “BEGIN CERTIFICATE” and “END CERTIFICATE”. The converted contents of the file are between these two segments. We can check the encoded text using the type command.

We can use the parameter -encodehex to convert data into Hex encoded files.

Practical #2: Decoding

Certutil can decode the data encoded in Base64. Let’s show you a quick method from which you can decode the data. We will be using the file that we encoded in the previous practical. We will use certutil with -decode parameter. Then provide the encoded file and the file it should write the decoded data. We can check the decoded text using the type command.

We can use the parameter -decodehex to decode the Hex encoded files.

Practical #3: Hashing

Hashing means taking data and giving out an output string of a fixed length. Using the cryptography hashing algorithms — e.g., MD5, SHA-1, SHA-256, you can verify if two files are identical or not. The checksum is a hash value used for performing data integrity checks. It’s a kind of signature for a file. By comparing checksum, we can identify duplicate files.
Time to generate some hashes. We will use the file.txt we created earlier. First, we will generate the MD5 hash using certutil parameter -hashfile. With the parameter, file path and algorithm we can hash the file.

NOTE: While working with Systems like Windows 7, keep in mind that the hash algorithms are case-sensitive. Be sure to type, for example, “MD5”, not “md5”.

Practical #4: Downloading

In scenarios, where wget, BITSAdmin or any other convention method is blocked. Certutil can be used to download files from the internet. We will be downloading 7zip.exe from the 7zip server as shown in the image.
-URLCacheDisplay or delete URL cache entries
-splitSplit embedded ASN.1 element & Save to files
-fForce Overwrite

Practical #5: Reading Error Code

Suppose you got a system error code without any message. You don’t have any source to look up the meaning of the error. This is a common scenario. Certutil can help to look up the message text for system error codes.

NOTE: Certutil can perform many more functions related to CA Certificates but we will be focusing on Penetration Testing for now.

Penetration Testing using certutil

Practical #6: Compromising using Malicious Executable

During our initial assessment, we saw that the certutil was actively downloading files from the internet without any kind of verification or assessment. This is an instance that is part of the MITRE | ATT&CK Remote File Copy Tactic.
Certutil can be used to copy a file from one system to another to stage some attacking tools or other files throughout an attack. Files can also be transferred from an outer attacker-controlled system through a Command and Control Channel to bring tools or scripts into the target network to support Lateral Movement.
In the previous practical, we downloaded a file from a remote server. Let’s see how we can compromise a Windows System using a Malicious Executable.
We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it “shell.exe”. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

After successfully starting a listener on the Attacker, its time to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine. We will use certutil to fetch it. Certutil will make two connections to the remote web server using two different User-Agents. They will be named “Microsoft-CryptoAPI” and “Certutil URL Agent”.
NOTE: During our assessment, we found that upon execution the above command an Access Denied Error is notified. Using -verifyCTL instead of -URLCache will let you bypass this error.
After the successful transfer of the Payload to Target Machine. We executed the payload as shown in the image.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable.

Practical #7: Compromising with Encoded Malicious DLL

As seen earlier Certutil encodes file content into Base64. This opens up a lot of possibilities. This is an instance that is part of MITRE | ATT&CK Deobfuscate/Decode Files or Information Tactic.
Attackers can use Obfuscated (Difficult to detect/find) Files to conceal evidence of an attack from the analysis. Afterward, they may Deobfuscate (Unhide) those files. This is where certutil comes into the picture. It can decode the data and help bypass Antivirus, IDS/IPS Software. Certutil can also be used to decode a portable executable file that has been hidden inside a certificate file.
Payloads may be compressed, archived, or encrypted to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the attacker. Now onto our Practical.
We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to a Dynamic-Link Library(.dll) File. We named it “dll.txt”. We can name it any other name which is less suspicious. We use the text file so that it doesn’t rise any unnecessary flags. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

After successfully starting a listener on the Attacker, it times to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine and we need to do this discreetly. We run certutil with a combination of URLCache and encode separated by the pipe (|). Now the file will be downloaded as a text file and gets encoded as another text file which we named “edll.txt” for encoded DLL.

Now to execute the payload to compromise the target, we need to decode it. We use the decode parameter in certutil to decode the payload and saved it as “exploit.dll”. Now to execute this DLL we decide to use regsvr32. It executes DLL directly into memory.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System. We have successfully Compromised the Target Machine using a combination of Certutil and an Encoded Malicious Executable.

As we talked about evading Antivirus Software. Let’s inspect the files that we generated and used in the attempt to compromise the target. We use VirusTotal for this analysis. We first inspect the “dll.txt”. Upon successful upload and analysis of the dll.txt, we see that it was detected by 54 out of 67 Antivirus Engines. That can’t be good.

So, the inspection of the dll.txt file was not acceptable. Now let’s test the file we encoded using certutil. We uploaded the edll.txt. Upon analysis of the edll.txt, we see that it was detected by 4 out of 56 Antivirus Engines. It is not perfect but it is a huge difference. 

Another flavour of this attack can be as depicted below:
We create a payload in the form of an executable(payload.exe). Then we use certutil to encode it to a specific binary. For example, “payload.enc”. Then post the output of the encoding process on Github, Pastebin or other alternative services. The purpose of this procedure is to separate the encoded payload from the stager to avoid detection. Now use the certutil on the target machine to download the content from the remote server (Github/Pastebin). Finally, decode the malicious payload into an executable extension using Certutil and execute it to compromise the Target.

Practical #8: Compromising with Malicious Executable inside ADS

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it “virus.exe”. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner. 

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

This time we will use a different approach altogether. We are going to use the Alternative Data Stream. Alternative Data Stream (ADS) was created by Microsoft to supporting compatibility with Apple McIntosh’s file system. In the Mac, files have a huge amount of metadata in addition to regular data. To save the exe file into ADS, we need to specify the name of the file in whose ADS we want to save another file, then (:) followed by name and extension of another file. As shown, we saved the virus.exe inside the ADS of harmless.txt file.

Here, it can be observed that there is no file named virus.exe in the directory and the size of harmless.txt is 0 as well as it contains nothing as it was an originally an empty text file.

Now to execute the file that we put in the ADS; we will be using wmic. We will use the create flag followed by the path of the payload as shown in the image. It says that the Execution was successful.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable concealed in Alternative Data Stream.

Mitigation

As tools like certutil can be used by an attacker with physical access to the machine or by malicious code unknowingly downloaded by a user after a phishing or other social engineering attack.
Certutil usage should be monitored, particularly if detected it being used with -decode or -decodeHex options where that would not normally be expected in your network. It is paramount not to depend on tools that simply whitelist built-in or signed code as obviously these will be bypassed by such Living Off the Land (LOL) techniques.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different office environments as well as banks. It was a fun learning experience working with certutil. We are going to write more articles about other LOLS that we could find. Stay Tuned