2 Posts authored by: Shane Rudy

By guest blogger Shane Rudy, Information Security Manager, AOScloud, C|EH | E|CSA | L|PT | CPT | CEPT

 

About a month ago I wrote an article about the new anti-virus evasion capabilities in the latest release of Metasploit Pro 4.9. In this article I'll take this a step further and discuss another related feature: Dynamic Payload generation from the Metasploit Pro console using the auxiliary/pro/generate_dynamic_stager auxiliary module. This module has replaced the older exploit/pro/windows/dynamic_exe module.

 

I’ll discuss using this module in conjunction with the bypassuac memory injection module in a public network scenario. I’m writing this article because it addresses some questions that I have seen posted around the net and have also pondered myself. My aim is to give you a clearer understanding of the behavior of payloads, stagers and architecture, and of what to expect when attacking through NAT. Things aren’t always what they seem...

 

In this article you will learn the following:

  • How to use the new auxiliary/pro/generate_dynamic_stager auxiliary module to create your stager executable that will bypass antivirus
  • Issues you could encounter if the proper architecture isn't specified or if you have a mismatch in the exploit target or payload
  • How to use the bypassuac memory injection technique to elevate your privileges on the target
  • How to perform all of the above through NAT

 

*Note: If you're using the free version of Metasploit, the auxiliary/pro/generate_dynamic_stager auxiliary module will not be available. If this is the case, have a look at downloading and using the Veil Framework for AV evasion for your initial payload.


There are a couple of caveats that need to be addressed. First, when you use any of the Metasploit bypassuac modules, the account that your Meterpreter payload is running as needs to be a member of the Administrators group on the target. If you read the documentation on them you should notice this. Second, you may ask: if the account that Meterpreter is running under already has admin rights, then why is this important? It's important for a couple of reasons. First, UAC has multiple modes in which it can run that can hinder your progress, and we want to bypass them altogether. Second, if your Meterpreter session doesn’t have elevated rights then you may not get that far, depending on your skill set. Many great articles have been written on elevation of privilege, which is outside the scope of this article, but I suggest you read them so you don’t get lazy. A good place to start reading up on the basics is here.


To begin we have setup a simple network for this exercise that looks like this:

Network.jpeg.jpg

In the scenario above the attacker is located behind a firewall and has been given a public IP address of 74.222.220.166. Port 4444 is open on the external interface of the firewall so that traffic from the Internet is forwarded to his attack system, located behind the firewall at IP 10.2.0.125.

 

First I will create the initial stager using the new auxiliary/pro/generate_dynamic_stager that replaced the old standalone exploit/pro/windows/dynamic_exe.

I will be using the following version of Metasploit Pro:

version.jpeg.jpg

Next I load the new dynamic stager auxiliary module by typing use auxiliary/pro/generate_dynamic_stager. Once it's loaded, I configure it as shown:

stager_options.jpeg.jpg

Notice above that the ARCH setting is set to x86_64. Most systems these days are 64-bit. If you do not set this and use a 32-bit stager for this exercise, you will need to migrate to a 64-bit process, or you could see the error Exploit Failed: Rex::TimeoutError Operation timed out. So just make a mental note that if you see this, more than likely it was because you were using a 64-bit-only piece of Meterpreter functionality while in a 32-bit process space. To avoid issues, make sure you know whether you require 64-bit functionality or not. For example, if you're using a 32-bit Meterpreter, you will want to migrate up to a 64-bit process if you require something like a memory read using mimikatz on a 64-bit system. This may seem trivial to some of you, but I have seen that error posted a ton on a lot of blogs so I wanted to address it.
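A quick way to avoid the architecture mismatch described above is to read the Machine field from a binary's PE header before relying on it, whether that binary is the generated stager or a process image you are deciding whether to migrate into. The Python below is an added example written for this page, not code from Metasploit Pro or from the author; the function names (pe_architecture, make_minimal_pe_header) are my own, and the bytes it builds are a constructed header stub for testing, not a real executable. It works on any PE file, 32-bit or 64-bit, because only the DOS header pointer, the PE signature and the two-byte Machine value are read.

```python
import struct

# COFF "Machine" values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x86-64
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_architecture(data: bytes) -> str:
    """Return 'x86', 'x64' or 'unknown:0x....' for the PE image in `data`.

    Only the DOS stub pointer (e_lfanew at offset 0x3C), the "PE\\0\\0" signature
    and the 2-byte Machine field that follows it are read; nothing is executed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown:0x{machine:04x}")


def pe_architecture_from_file(path: str) -> str:
    """The headers sit at the start of the file, so the first 4 KiB is enough."""
    with open(path, "rb") as fh:
        return pe_architecture(fh.read(4096))


def make_minimal_pe_header(machine: int) -> bytes:
    """Constructed test input: a DOS header, the PE signature and a zeroed COFF
    header carrying the given Machine value. It is not a loadable executable."""
    e_lfanew = 0x80
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += bytes(e_lfanew - len(dos))  # pad up to where the PE header starts
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for value in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        print(hex(value), pe_architecture(make_minimal_pe_header(value)))
```

Run pe_architecture_from_file on the generated executable: an "x86" result with a 64-bit target is exactly the situation in which the 64-bit-only Meterpreter features time out until you migrate.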


Once I have configured the module, my stager is ready for the victim. Next I type exploit and the stager executable is created as shown:

generate_stager.jpeg.jpg

Once the stager is created I can upload it to my victim host to demonstrate this proof of concept. In real life this could be a social engineering expedition or some other form of awesome hacktivism (PowerSploit Invoke-Shellcode, anyone?), but for demo purposes this will suffice.

windows.jpeg.jpg

Next I will go back to my attacker box and fire up Metasploit's multi/handler utility as shown:

fireup_multi.jpeg.jpg

Next I will start a listener using Metasploit’s multi/handler utility to handle the inbound connection from the victim machine as shown:

start_listener.jpeg.jpg

Again, notice here that I have used the 64-bit version of Meterpreter and set my LHOST to 10.2.0.125. This is fine for my first connection. However, as you will see, I will change this IP address to the attacker's public IP address once I set up and execute the bypassuac exploit. Just keep this in the back of your mind for right now.

 

Now I will type exploit and then go to the victim machine and run the stager executable to establish my initial connection and Meterpreter session as shown:

stager_execution.jpeg.jpg

Above you can see that I have established my first session. Now I am going to background this session, but I will use it to launch the bypassuac attack.

background.jpeg.jpg

Next I search Metasploit for bypassuac exploits and I get two hits as shown:

search_bypass.jpeg.jpg

In this exercise I will use the bypassuac_injection exploit. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries used in the standard technique. My options will be set as shown below. Notice that I have set the session to 1 because that is the first session I established, and I will use it to exploit UAC and gain a second, elevated session. I have also created a new Meterpreter payload and set the LHOST setting to the public IP address of the attacker. What is important to note is that when this actually executes, the initial bind to that public IP will look like it fails on the screen and the handler will be set to 0.0.0.0. But remember how I said that things aren’t what they seem? Even though this happens, that public address will still be written to the payload, and the victim, sitting behind its corporate firewall with a private IP address behind NAT, will connect back to the attacker’s public IP address.

bypass_injection_options.jpeg.jpg

Now all that is left is to type exploit and I should be good to go.

bypass_exploitation.jpeg.jpg

Notice above that the handler failed to bind to the public IP address and instead started the reverse handler on 0.0.0.0:4444. This is expected. But the exploit succeeds and a new session, session 2, has been opened. This is the new elevated session. Let’s check this to be sure:
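The bind "failure" and the successful callback above are two separate things, and the following Python makes the split explicit. It is an added example written for this page, not code from Metasploit or from the author: open_handler and demo are my own names, and 203.0.113.10 (an RFC 5737 documentation address that is never configured on a real host) is a constructed stand-in for the attacker's public IP. The listener asks the OS for the public address, gets EADDRNOTAVAIL because that address lives on the firewall rather than on the attack box, and falls back to the wildcard 0.0.0.0, which accepts whatever the NAT forwards in. The advertised address, the one written into the payload, is never touched by that fallback. For a defender the same split matters in reverse: the address that shows up in egress firewall logs or in a payload pulled off a compromised host is the public one, not whatever the handler bound to.

```python
import errno
import socket


def open_handler(lhost: str, lport: int = 0):
    """Bind a listening socket the way a reverse handler behind NAT ends up doing.

    `lhost` is the address advertised to the other side. If the OS reports it as
    not local (EADDRNOTAVAIL: the public IP lives on the firewall, not here) we
    fall back to the wildcard address 0.0.0.0, which accepts connections arriving
    on any interface, including those forwarded by the NAT device.
    Returns (listening_socket, bound_address, advertised_address).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((lhost, lport))
        bound = lhost
    except OSError as exc:
        if exc.errno != errno.EADDRNOTAVAIL:
            sock.close()
            raise
        sock.bind(("0.0.0.0", lport))
        bound = "0.0.0.0"
    sock.listen(1)
    return sock, bound, lhost


def demo(lhost: str = "203.0.113.10"):
    """Constructed demonstration: 203.0.113.10 (RFC 5737 TEST-NET-3) stands in
    for the public IP and is deliberately not configured on this host."""
    listener, bound, advertised = open_handler(lhost)
    port = listener.getsockname()[1]
    # On a single machine the "callback" can only reach us over loopback, which is
    # enough to show that the wildcard listener accepts a connection addressed to
    # something other than the address it was originally asked to bind to.
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    conn, peer = listener.accept()
    conn.close()
    client.close()
    listener.close()
    return bound, advertised, peer[0]


if __name__ == "__main__":
    print(demo())  # ('0.0.0.0', '203.0.113.10', '127.0.0.1')
```

The fallback is only triggered for EADDRNOTAVAIL; a port already in use or a permissions error is re-raised, because silently widening the bind in those cases would hide a real misconfiguration.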

privs.jpeg.jpg

whoami.jpeg.jpg

And there you have it.

 

In this article I introduced you to the new auxiliary/pro/generate_dynamic_stager module that replaced the old standalone exploit/pro/windows/dynamic_exe, demonstrated setting up your Meterpreter payload when dealing with NAT, discussed the dreaded Exploit Failed: Rex::TimeoutError message, and finally used the bypassuac injection technique to gain elevated privileges. I hope you enjoyed this article. --Happy Hackin'.

By guest blogger Shane Rudy, Information Security Manager, AOScloud, C|EH | E|CSA | L|PT | CPT | CEPT

 

A few weeks ago I was excited when Rapid7 asked me to participate in their 2014 Tech Preview Program for Metasploit Pro version 4.9. I have always enjoyed the interaction I have had with the talented crew over at Rapid7, and I have been a big fan of Metasploit Framework since its inception years ago.

 

Rapid7 has done an excellent job of interacting and allowing its users to participate within their community and they are a humble group of cool, fun people. This was only made more apparent during this year’s tech review program for the release of Metasploit Pro 4.9. The team was all about our feedback. Good or bad they wanted to hear it and they were open and honest and listened.

 

Metasploit Pro 4.9 has some great new features that we were all briefed on when the preview got under way and you can read more about them on your own time as you explore the product. For the purpose of this post I’ll talk about what I was the most excited about testing: Dynamic Payload Generation to avoid possible detection from anti-virus solutions.

 

As a penetration tester, and especially for those who are starting out, bypassing AV is essential to a successful compromise of an organization. You do not want to experience a moment where you find a box you have a pretty good chance of owning and then blow the process by having your payload discovered by the organization’s defenses, or by having your payload detected during phishing or social engineering campaigns. You also don’t want a company to get a false sense of security because they detected and stopped your attacks. Years ago I was on a rather large penetration test for a company who trusted their AV a little too much. So much so that they would blow off patching their systems to a degree. So exploitation was pretty easy; however, all my payloads got detected and I was reminded by their admin just how awesome their AV was. So what did I do? I researched their version of AV and its detection mechanisms and developed a payload to bypass their defenses. They were not happy about it when I showed them, but at least they knew they were not immune, that they needed to patch their systems and deploy additional countermeasures. Unfortunately the downside was that developing this took time away from the initial testing.

 

To avoid AV in the past I read many articles and tried many methods, only to discover that most of the AV vendors had already caught up with them. I did have success re-coding and recompiling the source code of tools that typically would be detected, such as injector programs, and then using them in the payloads that I would drop onto a box (shown below) to get a Meterpreter shell and go unnoticed. It’s not pretty, I know, but it was quick and successful most of the time. Since most AV solutions use signatures and heuristics to identify malware and have issues with in-memory detection, my success rate was pretty good, but in certain situations it became inconvenient.

JavaPayload.jpg

JavaPayload2.jpg

 

To aid in helping users of Metasploit Pro bypass AV, Dynamic Payload Generation has gotten an overhaul in the recent version 4.9 release. Rapid7 tells us with Dynamic Payloads, you’ll have these advantages:

  • Evade all leading anti-virus vendors: Dynamic Payloads evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!
  • More stable sessions: Dynamic Payloads use error corrections to make sessions more stable than regular MSF sessions
  • IPS Evasion through stage encoding: Stager will encode the traffic when downloading the payload, which can help evade IPS

In version 4.9 Dynamic Payload Generation has been incorporated into the user interface as shown:

payload_gen_gui.jpg

Just select the Dynamic Payload (AV evasion) radio button, choose your stager and stage, fill in the local host (LHOST) and local port (LPORT), click Generate and you’ll be off and running.

 

For die-hard console guys like myself, dynamic stager generation has been incorporated into exploit modules that have EXE based payloads. For example, if you look at the exploit/windows/fileformat/ms12_005 exploit you will see a new DynamicStager option as shown:

exploit_dynamic_stager.jpg

Notice the description: Use Dynamic C-Stager if applicable (AV evasion). These stagers are available automatically in the pro console in any exploit that uses EXE payloads. I will mention that the old standalone /exploit/pro/windows/dynamic_exe that was available in past msfpro consoles has been removed. The Metasploit team is aware of this and will be looking to bring this back in the next update. It will be replaced with auxiliary/pro/generate_dynamic_stager. I just thought I would mention that for those of you who have used this feature in the past.

 

In my testing during the tech preview, none of the Dynamic Payloads that I generated from Metasploit were detected when run against several major anti-virus vendors' products. I did briefly test the new feature against IPS and was able to slip through the cracks. My sessions never crashed during the testing.

 

My conclusion at this point is that Metasploit Pro is a pretty excellent product that can save you time trying to evade defenses and improve your success rate when testing. The team of developers and product managers are a great group of people who want to hear the feedback of their users. My experience with the team has always been that if you have a fix or a good idea that will improve or enhance Metasploit Framework, they want to hear it.

 

I hope you found this blog post informative and stay tuned for more from me in the future. Until then Happy Hackin…
