So smbexec https://github.com/brav0hax/smbexec is great, you should already know that. If you don’t, play with it on your Kali Linux box/image and then you will know it is great. Once you have a Windows hash for a password you can use smbexec to do all kinds of things, including getting you a meterpreter session on the box. Yes, you can already do this inside msfconsole, but all stock Metasploit payloads now get picked up by AV. Smbexec already does a good job working around this issue. But you can take it one step further. Note this in the smbexec readme:
v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it will encrypt your payload after obfuscation. (uncomment line 46)
What does that mean? Well, check out Hyperion http://nullsecurity.net/tools/binary.html. This is a cool little tool that will encrypt your executable with a weak key it does not keep, and then brute forces the key at execution time. This is amazingly effective at bypassing AV. So what that note in the readme means is: if smbexec sees crypter.exe on your system it will use it on the payloads it makes, making it even less likely AV will pick them up. There are a few things you will need to do in order to get this working, since the download page linked above for the tool is source code only. So let’s get it working.
Use smbexec to make a backdoor.exe payload first, to make sure everything is working with it. Run smbexec, select option 2, and 2 again. Pick a payload, put in your IP, and watch it work. If things are working you will get no errors, and when you exit the tool you will find a backdoor.exe file in the directory smbexec made. If this doesn’t work, download the tool from github and run the install.sh script. If it still doesn’t work and you are running Kali on 64 bit, make sure you don’t have mingw packages installed other than binutils-mingw-w64 gcc-mingw-w64 mingw-w64 mingw-w64-dev. If you have those and 32 bit versions or others, remove the other ones and try again.
Now that you are sure smbexec is working, let’s get set up to compile crypter.exe.
If you are running the 64 bit version of Kali, we need to switch your version of Wine to the 32 bit version. To do it, run these commands from a shell:
dpkg --add-architecture i386
apt-get install wine-bin:i386
If you are already running the 32-bit version of Kali Linux, skip that part, you already have the right version of Wine.
Now let’s install the Windows g++ compiler. Download this file: http://sourceforge.net/projects/mingw/files/Installer/mingw-get-inst/mingw-get-inst-20120426/mingw-get-inst-20120426.exe/download
Copy the exe file you just downloaded to the /root/.wine/drive_c/users/root/Desktop folder. Now in the Applications menu select System Tools, Wine Uninstaller. In the Wine Uninstaller program click the Install button, tell it to show all files, find that exe file on your desktop and tell it to install. It is mostly a click-next install, but you do need to tick C++ and the MinGW Developer Toolkit when it prompts you; leave C checked, of course. For everything else the default is fine. This will hang at the end for a long time; just wait it out and it will finally finish with an error that means nothing.
If that all worked, at a command line you should be able to go to the /root/.wine/drive_c/MinGW/bin directory and see the g++.exe file. If so, we are good to go.
Download Hyperion from here: http://nullsecurity.net/tools/binary.html Put all the contents of this download in a /opt/crypter directory. Make sure /opt/crypter/Src is a directory. If it isn’t, fix that; you probably left things under the default Hyperion-1.0 directory or something. You can simply rename the default directory it unzips to crypter and move that dir to /opt if you like. Technically you can put it anywhere you like and call the dir anything you want, but the rest of the directions assume you are using /opt/crypter. If you want to use something else, just alter the paths in the upcoming commands.
Now cd into the /root/.wine/drive_c/MinGW/bin directory and run the following commands:
wine ./g++.exe -static /opt/crypter/Src/Crypter/*.cpp -o crypter.exe
mv crypter.exe /opt/crypter
That -static switch is required; without it the file gives DLL errors when you try to use it.
If all that worked you now have the crypter.exe file in /opt/crypter, and locate crypter.exe will find it.
Now the next time you generate a payload with smbexec as we did above, you will see it encrypt the payload. You can also run crypter.exe directly, using the wine crypter.exe command at your shell, on any payload file you want to.
Enjoy and never let AV kill your shell. Never.