metasploit

A bit of context

During our penetration test we’ve managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Using Robert’s credentials, we managed to create a low privileged domain user, which we’ll further denote by OurUser, but we were not able to add it to the Domain Admins group.

If you want to execute code stealthily on a machine and the antivirus stands in your way, you should think about avoiding the disk because this is the place where the antivirus reigns.

In this scenario, you might find it useful to execute a DLL directly inside the address space of a running process without touching the disk. This will bypass the AV in a stealthy and powerful way.

To achieve this, all you need to do is upgrade your DLL to Reflective DLL.

Introduction

The antivirus can sometimes be a significant problem during a penetration test in the post-exploitation phase. For dealing with this issue, several strategies have been proposed:

making use of the command line / PowerShell
executing a program (EXE) from memory
executing a DLL from memory

Sometimes the command line interface is severely limited.

Also, by executing a program from memory you may still run into problems with the antivirus; you might get away with it by making use of a crypter (a tool that encrypts an executable, decrypting it during execution and executing it from memory) but most of them are detectable.

Thus, you may find it useful to use a DLL instead of an EXE to do your job.

Continue reading →

Security Café

Security Research and Services

Scripting Metasploit for a Real-Life Pentest

A bit of context

Upgrade your DLL to Reflective DLL

Introduction