March 12, 2013 at 1:07 pm #8288 Dark_Knight (Participant)
Thought I would share my recent blog post... enjoy:
March 12, 2013 at 1:50 pm #52207 dynamik (Participant)
Nice post. I’m getting back into C++ myself and appreciate the sample code.
For whatever reason, Symantec only has an attack signature for Meterpreter’s reverse_tcp payload: http://www.symantec.com/security_response/attacksignatures/. It’s the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.
Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it’s good to know about the alternate payloads.
Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it’s just too easy.
March 12, 2013 at 6:33 pm #52208 BillV (Participant)
That’s funny, I was also on a recent engagement with a similar issue. The client was running SEP with various features enabled. I could get my payload on but the network detection piece would block me each time, and I thought I did try reverse_https as well as others with no luck. I already had credentials at this point so ended up modifying gsecdump and WCE and just used psexec to maneuver around and obtain more credentials 🙂 Worked perfectly.
Nice write-up though, thanks. I’m going to take a closer look at this and do some playing around later.
March 12, 2013 at 8:21 pm #52209 Dark_Knight (Participant)
Yeah so... I actually used the reverse_tcp meterpreter payload and not https. Also I didn’t stop the Smc.exe process. That is still running.
Stopping the Smc.exe process is smc -stop.
As opposed to a smc -disable -ntp that targets the ntp. And ntp doesn’t stay dead for very long. It comes back online in 5 minutes. I timed it 🙂
However even when it does it won’t kill your meterpreter session 🙂
I tell you, though, I haven’t looked at C++ in a while...
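Added example, not code from any poster in this thread: the two Smc.exe invocations discussed above (smc -stop and smc -disable -ntp) are exactly the kind of command line a defender wants surfaced from process-creation telemetry. The script below parses constructed key=value log lines (the field names, hosts and users are assumptions, loosely modelled on a Sysmon event export) and flags any process whose command line stops or disables a Symantec Endpoint Protection component, while ignoring the benign smc -start.

```python
"""Flag attempts to stop or disable Symantec Endpoint Protection (SEP)
components in process-creation telemetry.

Added example for this thread; it is not code from any poster.
The log format (space-separated key=value fields) and all host/user
values are constructed for illustration, not taken from a real product.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry. Only the third and last lines are the
# invocations discussed in the thread; the fourth is a benign restart.
SAMPLE_EVENTS = [
    "2013-03-12T13:05:01Z host=WS01 user=CORP\\alice "
    "image=C:\\Windows\\explorer.exe cmdline=explorer.exe",
    "2013-03-12T13:06:10Z host=WS01 user=CORP\\alice "
    "image=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe "
    "cmdline=smc -stop",
    "2013-03-12T13:06:40Z host=WS02 user=CORP\\bob "
    "image=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe "
    "cmdline=\"smc\" -disable -ntp",
    "2013-03-12T13:07:00Z host=WS03 user=NT AUTHORITY\\SYSTEM "
    "image=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe "
    "cmdline=smc -start",
    "2013-03-12T13:08:00Z host=WS04 user=CORP\\carol "
    "image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c smc -disable -ntp",
]

# key=value pairs whose values may contain spaces: a value runs until the
# next " key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# "smc" or "smc.exe", optionally quoted, followed by -stop or -disable.
# Matched anywhere in the command line so "cmd /c smc -disable ..." is
# caught too. -start is deliberately not matched.
SEP_CONTROL = re.compile(
    r'(?:^|[\\\s"])smc(?:\.exe)?"?\s+-(stop|disable)\b', re.IGNORECASE
)


@dataclass
class Finding:
    host: str
    user: str
    action: str  # "stop" (whole client) or "disable" (one component)
    cmdline: str


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (leading timestamp is dropped)."""
    return dict(FIELD.findall(line))


def detect_sep_tampering(lines) -> list:
    """Return one Finding per process whose command line stops or disables SEP."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        match = SEP_CONTROL.search(cmdline)
        if match:
            findings.append(
                Finding(
                    host=event.get("host", "?"),
                    user=event.get("user", "?"),
                    action=match.group(1).lower(),
                    cmdline=cmdline,
                )
            )
    return findings


if __name__ == "__main__":
    for f in detect_sep_tampering(SAMPLE_EVENTS):
        # "stop" takes the whole client down; "disable" hits one component,
        # which the thread reports coming back on its own after a few minutes.
        print(f"[{f.action.upper():7}] {f.host} {f.user}: {f.cmdline}")
```

The poster's own observation that the -disable -ntp state reverts within minutes is a reason to alert on the command itself rather than on the component being absent: the window during which the control is down is short, so the telemetry of the invocation is the durable evidence.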
March 12, 2013 at 9:25 pm #52210 m0wgli (Participant)
Interesting post. Thanks for sharing. New bookmark acquired! 🙂