Friday, August 23, 2013

Encrypting Payloads with Smbexec on Kali Linux with Hyperion Crypter

So smbexec https://github.com/brav0hax/smbexec is great, you should already know that.  If you don’t, play with it on your Kali Linux box/image and now know it is great.  Once you have a windows hash for a password you can use smbexec to do all kinds of things, including get you a meterpreter session on the box.  Yes, you can already do this inside msfconsole but all stock metasploit payloads now get picked up by AV.  Smbexec already does a good job working around this issue.  But you can take it one step future.  Note this in the smbexec readme:

v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it will encrypt your payload after obfuscation. (uncomment line 46)

What does that mean?  Well check out Hyperion http://nullsecurity.net/tools/binary.html.  This is a cool little tool that will encrypt your executable with a weak key it does not keep and then brute forces the key at execution time.  This is amazingly effective at bypassing AV.  So what that note in the readme means, is if smbexec sees crypter.exe on your system it will use it on the payloads it makes making it even less likely AV will pick them up.  There are a few things you will need to do in order to get this working since the download page linked above for the tool is source code only.  So let’s get it working.

Use smbexec to make a backdoor.exe payload to make sure everything is working with it first.  Run smbexec, select option 2, and 2 again.  Pick a payload out your IP and watch it work.  If things are working you will get no errors and when you exit the tool you will find a backdoor.exe file in the directory smbexec made.  If this doesn’t work download the tool from github and run the install.sh script.  If it still doesn’t work and you are running Kali on 64 bit, make sure you don’t have mingw packages installed other than binutils-mingw-w64 gcc-mingw-w64 mingw-w64 mingw-w64-dev.  If you have those and 32 bit versions or others, remove the other ones and try again.

Now that you are sure smbexec is working, let’s get setup to compile crypter.exe.

If you are running the 64 bit version of Kali, we need to switch your version of Wine to the 32 bit version.  To do it run these commands from a shell:
dpkg –add-architecture i386
apt-get update
apt-get install wine-bin:i386
If you are already running the 32-bit version of Kali Linux, skip that part, you already have the right version of Wine.


Copy this exe file you just downloaded to the  /root/.wine/drive_c/users/root/Desktop folder.  Now in the Applications menu select System Tools, Wine Uninstaller.  In the Wine Uninstaller program click the Install button, tell it to see all files, find that exe file on your desktop and tell it to install.  It is mostly a click next install but you do need to click on C++ and the MinGW Developer Toolkit when it prompts you, leave C checked of course.  Everything else the default is fine.  This will hang at the end for a long time, just wait it out and it will finally finish with an error that means nothing.

If that all worked at a command line you should be able to go to the /root/.wine/drive_c/MinGW/bin directory and see the g++.exe file.  If so, we are good to go.

Download Hyperion from here: http://nullsecurity.net/tools/binary.html  Put all the contents of this download in a /opt/crypter directory.   Make sure /opt/crypter/Src is a directory.  If it isn’t fix that, you probably left things under the default Hyperion-1.0 directory or something.  You can simply rename the default directory it unzips to crypter and move that dir to /opt if you like.  Technically you can put it anywhere you like and call the dir anything you want.  But the rest of the directions are assuming you are using /opt/crypter.  If you want to use something else just alter the paths in the upcoming commands.

Now cd into the  /root/.wine/drive_c/MinGW/bin directory and run the following commands:
wine ./g++.exe -static /opt/crypter/Src/Crypter/*.cpp -o crypter.exe
mv crypter.exe /opt/crypter
updatedb
locate crypter.exe

That -static switch part is required, without if the file give dll errors when you try to use it.

If all that worked you now have the crypter.exe file in /opt/crypter and locate found it.

Now next time you generate a payload with smbexec as we did above, you will see it encrypt it.  You can also use crypter.exe simply using the wine crypter.exe command at your shell on any payload file you want to. 


Enjoy and never let AV kill your shell.  Never.

4 comments:

  1. help it dosnt work
    it gives a error when testing it on a payload
    herer is the last bit of verbose
    Found Section: .text
    VSize: 0xa966, VAddress: 0x1000, RawSize: 0xb000, RawAddress: 0x1000

    Found Section: .rdata
    VSize: 0xfe6, VAddress: 0xc000, RawSize: 0x1000, RawAddress: 0xc000

    Found Section: .data
    VSize: 0x705c, VAddress: 0xd000, RawSize: 0x4000, RawAddress: 0xd000

    Found Section: .rsrc
    VSize: 0x7c8, VAddress: 0x15000, RawSize: 0x1000, RawAddress: 0x11000

    Input file size + Checksum: 0x1204e
    Rounded up to a multiple of key size: 0x12050
    Generated Checksum: 0x5eb9f7
    Generated Encryption Key: 0x0 0x1 0x3 0x2 0x2 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

    Error: Could not open output file Src\FasmContainer32\infile.asm, aborting...

    ReplyDelete
  2. i am on kali linux 32bit with all upgradeed
    i have a g++.exe and it have compiled and i can run the program but when i ask it to crypt somtthing it stops and says it cant
    gives an error

    ReplyDelete
    Replies
    1. I had the same error "Error: Could not open output file Src\FasmContainer32\infile.asm, aborting..." while on a Kali Linux 32bit box. The error seemed to have went away when you use hyperion with the binary you want to encrypt in the same directory. ex) wine hyperion.exe backdoor.exe newbackdoor.exe

      Delete
  3. That is an odd one. It looks like an Hyperion Crypter error. I assume you get that error when trying to use it outside of smbexec. Are you running it as root? I'm guessing either you can't write to the directory for some reason, the input file is messed up, or crypter wasn't compiled correctly. Try using it on a simple payload flowing this page: http://e-spohn.com/blog/2012/08/ and see what happens. If you are simply in a hurry to get past AV for a gig since it is Q4 get viel going and use it until you figure this out. https://www.veil-evasion.com/

    ReplyDelete