Monthly archive: August 2013

How to create a powershell meterpreter payload which is not detected by AV

This guide shows how easy it is to create a backdoor which is not detected by AV

To create the backdoor we use SET which is a pentest automation tool available within the BackTrack distribution.

The steps to follow are the following:

– Startup SET

start set

– Select option 1

set option 1

– Select option 10

set option 10

– Select Payload option 1

set payload 1

– Provide the IP address and port number you like to connect back to

set provide loopback ip and port

– Start the listener to start accepting connections

set start listener

– Browse to the payload and save the .txt file as a .bat file

set browse to x86 payload


set save as test.bat

– Use BAT-to-EXE converter to create a .exe file

set compile bat to exe

– Copy the file over to your victim and execute it

– Check that meterpreter is able to establish a new session

set metasploit session created

– Proof that the AV on the victim machine is running and up to date

set AV enabled

Enjoy

How to publish web resource using proxy pass-through with different FQDN and certificates

Sometimes you would like to publish certain web resources, like Microsoft ActiveSync or Exchange autodiscover URLs, on the internet using a different FQDN and SSL certificate.

If you have a Juniper SA or MAG you are able to do this without the need for extra user licenses.

In this example I’m using the following Lab setup:

SA-Visio

As you can see I have a Juniper SA through which I would like to publish two resources on the internet: the normal Juniper SA portal access using the remote.engineers.com FQDN, and an ActiveSync synchronization URL using the pda.employees.com FQDN. Apart from that I want both resources to use valid certificates. Note that a wildcard certificate is not an option in this scenario, as the two domain names differ (engineers.com vs. employees.com).

To realize this setup follow the steps below:

  • Login on the Admin portal of your Juniper SA or MAG
  • Browse to System -> Network -> Internal Port -> Virtual Ports

– Create a new Virtual Port using the beginning of the FQDN you would like the ActiveSync clients to connect to:

sa virtual port

  • Browse to System -> Configuration -> Certificates -> Device Certificates

– Import a valid or self-signed certificate for the FQDN you would like ActiveSync clients to connect to

– In our case this is pda.employees.com

– Bind this certificate to the virtual port you created earlier

sa cert

* Note that the remote.engineers.com certificate is already bound to the internal interface. If you would like to use a different certificate for this, follow step 5 and bind the certificate to the internal interface.

  • Browse to Users -> User Roles

– Create a new User Role with the following options set:

– Session Options

– UI Options

– Access features -> Web options

sa roles

sa roles-2

  • Browse to Authentication -> Signing In -> Sign-In Policies

– Create a new URL

sa sign-in-01

– Specify it is for Authorization Only Access and enter the following information:

– Enter the FQDN in the Virtual Hostname field (pda.employees.com)

– Enter the IP or URL of the backend server (https://192.168.75.100:433) *note: URL paths are not supported

– Select No Authorization in the Authorization Server field

– Select the user role you created earlier

* Optionally select Allow ActiveSync Traffic Only if this is only to be used for mail synchronization

sa sign-in-02

  • Create an external DNS registration for the FQDN you would like ActiveSync clients to connect to (in our example pda.employees.com)
  • Check that you are able to reach the website and check the User Log entries:

sa -log
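The last step (checking that the published FQDN is reachable) is also the moment to confirm that the virtual port really presents the certificate you bound to it, and the note above about wildcard certificates is easiest to see with a concrete hostname check. The script below is an added example and is not part of the original post or Juniper's own tooling. It implements the standard DNS-name matching rule (SAN entries take precedence over the CN, a wildcard may only be the whole leftmost label and matches exactly one label) over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and it can optionally fetch a live certificate with full verification. The function names (`cert_covers_hostname`, `fetch_peer_cert`, `check_published_resource`) are hypothetical, and the certificate dictionaries in the `__main__` block are constructed using the two hostnames from the post purely as illustration.

```python
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must be the entire leftmost label, must leave at least two
    # fixed labels (so "*.com" is rejected) and matches exactly one label,
    # so "*.engineers.com" covers remote.engineers.com but not a.b.engineers.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """Decide whether a getpeercert()-style dict is valid for `hostname`.

    If subjectAltName DNS entries exist they are authoritative; the CN is only
    consulted for legacy certificates without a SAN extension.
    """
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_dns_name_matches(name, hostname) for name in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the server certificate as a dict.

    The default context checks chain and hostname, so a virtual port that still
    serves the wrong certificate raises ssl.SSLCertVerificationError here.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_published_resource(hostname: str, port: int = 443) -> dict:
    """Report whether `hostname` is reachable and serves a certificate that covers it."""
    try:
        cert = fetch_peer_cert(hostname, port)
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"certificate verification failed: {exc.reason}"}
    except OSError as exc:
        return {"ok": False, "reason": f"connection failed: {exc}"}
    if not cert_covers_hostname(cert, hostname):
        return {"ok": False, "reason": "certificate does not cover the requested FQDN"}
    return {"ok": True, "reason": "certificate covers the requested FQDN"}


if __name__ == "__main__":
    # Constructed sample certificates; not captured from any real device.
    wildcard_cert = {
        "subject": ((("commonName", "*.engineers.com"),),),
        "subjectAltName": (("DNS", "*.engineers.com"), ("DNS", "engineers.com")),
    }
    pda_cert = {"subject": ((("commonName", "pda.employees.com"),),)}
    # The wildcard for engineers.com cannot serve the employees.com FQDN,
    # which is why the post binds a separate certificate to the virtual port.
    print("wildcard covers remote.engineers.com:", cert_covers_hostname(wildcard_cert, "remote.engineers.com"))
    print("wildcard covers pda.employees.com:   ", cert_covers_hostname(wildcard_cert, "pda.employees.com"))
    print("pda cert covers pda.employees.com:   ", cert_covers_hostname(pda_cert, "pda.employees.com"))
```

To check a real virtual port, call `check_published_resource("pda.employees.com")` (or whatever FQDN you registered in external DNS); a self-signed certificate from step 5 will fail chain verification in `fetch_peer_cert` unless you add it to a custom context with `load_verify_locations`, which is itself a useful reminder that ActiveSync clients will reject it for the same reason.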