Hide a Hacker's Reverse Shell in ONE Command

Captions
This might be one of my new favorite LOLBin, or living off the land, techniques, because if you stage it right it can blend in so well. Take a look: you add a registry key to the HKEY_LOCAL_MACHINE hive under SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities, for the query command, and you can stage your own operation or little sub-command to run, which can be literally anything. All that needs to be run to execute it is the command query and then whatever name you decided on for your sub-procedure.

As always, credit where credit is due: this is another gem coming from Grzegorz Tworek, or 0gtweet over on Twitter. Forgive me, I know I always get your name wrong, my friend, but man, he's always pumping out some super cool LOLBin techniques, or just strange idiosyncrasy stuff that can come from a whole lot of the built-in native Windows applications and programs. This came out on December 27th, or at least that's when he tweeted about it, way back in 2022, but I think it's gold, not gonna lie.

If you take a look at the Microsoft documentation for the Remote Desktop Services (Terminal Services) command line tools reference, or whatever it's called, it kind of just briefly mentions these but doesn't actually dig into detail as to how you could actually play with them and manipulate them within the Windows registry. They list off all these commands, all the different things that you might be able to do related to RDP or Terminal Services or a lot of these Remote Desktop utilities, and they're actually listing out, hey, query termserver, query user, yada yada yada. If you go take a look at all of the commands that come under query as the utility that you can run, it just tells you, look, it displays information about the processes, sessions and Remote Desktop Session Host servers, and that's kind of it. It gives you some of the arguments that you can run, but I haven't found a reference, or at least a note, that, look, this is modified and configurable within the Windows registry. You can take a look at query process or any of the other articles specific to each of the sub-commands, but they just tell you kind of what that one does, not exactly where it's coming from or how it's all put together. I don't exactly know; they showcase some examples and other related links, but, like, that's it, that's the end of the article. Same thing for session, same thing for termserver, same thing for user: all they showcase is the usage message of the command, but not a whole lot more of how it's all coming together in the background.

So anyway, let's go ahead and play with this. I'm going to fire up a terminal. I am inside of my Kali Linux virtual machine for the moment, but I've gone ahead and staged this registry command so that we can work with it. Take a look, this was the syntax, just using the old-school reg.exe DOS command: you add into this registry key, setting the value for the new key to lolbin, but you could set this to really whatever you want. The type should be the REG_MULTI_SZ thing, and it looks like they're using escaped zeros, which I believe is one of the representations for a null byte, which I just think is kind of interesting to put in, as a lot of the stacked values inside of the registry... or that might just be the representation for some of their new lines, because if we take a look at it within the registry, let me hop over to a Windows virtual machine where I can open up the Registry Editor, and we'll go ahead and move into that location. Yep, HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities. Look at these entries, because APPSERVER is present here, PROCESS, SESSION, USER, WINSTA, and it looks like it's running a sub-command like qprocess.exe. Can I do this on my own here? Let me fire it up. I will go ahead and run just query, and you'll see the syntax that we need to supply: any of these sub-commands that you can pass as parameters. query user, and it just lists out, okay, whatever active users here, but that was just simply trying to run quser.exe. Can I just run quser.exe? And it's the exact same thing. All the arguments that you pass to query will still funnel down and go through the little sub-command or executable chain underneath it. But if I double-click on USER here, one of the entries, look, all of these have the sort of new lines denoting these, and I don't know if that backslash zero kind of associates with that and I'm just dumb, hey.

So in previous videos where we showcased a lot of these LOLBin or living off the land techniques, whether it's for persistence mechanisms or what have you, we've just used a simple, innocent, benign payload like popping open a calculator application, and that's what we saw 0gtweet do in his Twitter response. But it would be very cool to do something a little bit more realistic, like try to stage something, whether it's a reverse shell, whether it's another implant, some other beacon, whatever. So in this video I am going to go use hoaxshell, one of the other cool applications that we can use to try to put together a reverse shell on Windows. However, this is now detected by AMSI, the Antimalware Scan Interface, on modern versions of Windows. I need to supply it my IP address, which is 192.168.11166, and now I can run hoaxshell with that as the listener, and it just spits out a whole lot of PowerShell syntax, encoded base64, while it's waiting for a connection. I can go ahead and copy this whole thing, but back on my Windows virtual machine, obviously, if I try to open up a terminal and go ahead and paste this in to run this reverse shell, we get an error, because, look, this contains malicious content and it's been blocked by your antivirus software. Of course Windows Defender is on, doing its thing. If I actually take a look at the Virus & threat protection center, look at this, we do have, oh, even an alert for it. Okay, just run away here, but if I scroll down into Virus & threat protection, oh, whatever, cloud-delivered protection is off, but that's fine, real-time protection is still doing its thing.

We could try to break AMSI using Flangvik's website and tool amsi.fail. If we were to generate a payload, it'll try to give us, oh, Matt Graeber's reflection method or some of RastaMouse's different methods, to see if we could, oh, just stage out a patch for the AmsiScanBuffer function. Now, all of these used to work for me in the past, but I do think that even these still now get flagged, and if I try to paste this in it will still trigger and tell me, look, hey, you can't do this, the script contains malicious content and it's been blocked by AV. Every single one I've tried, even generating an encoded rendition, will just still get the same error. I don't believe I can get a whole lot of luck out of amsi.fail to try and break AMSI right now, so let's not use this vanilla Windows 11 virtual machine for our LOLBin testing. Let's go ahead and use a separate virtual machine where I can still stage the same sort of process, but just for showcase's sake, if I were to go ahead and add a, I don't know, like, what's the thing that blends in with a query command right on the command line? Let me just try to take the syntax from one of these others and then rename it to use the SQL database connector; I think that will blend in just fine, and we'll just pop open calc.exe, right? So let's save that, and now from my terminal I'll open up another one here as a low-privilege user. I can query SQL database connector, and then there's the boring dumb old calculator.exe that opens up for us. Nice. Now you can of course stage this to, like, some second-order persistence mechanism, maybe hide it inside of a PowerShell script or a batch script that just gets run automatically from another scheduled task or service or whatever.

Oh, and hey, by the way, if you're using a whole lot of these living off the land techniques for your red team engagements or for your penetration tests, you probably don't want to have to deal with writing the report after the fact, so you should probably check out our sponsor. Hey, please allow me to give some love and support to today's sponsor of this video, PlexTrac. When you're performing a penetration test, you're in the zone, you're hacking away and you're having fun gathering findings, beating up vulnerabilities and earning domain admin, but you might be dreading the work that comes after: you have to write a report. But writing a pentest report doesn't have to be dull and boring and long and tedious; in fact, it can be a breeze. You don't even have to worry about your report, because PlexTrac can handle it for you. If you aren't familiar, PlexTrac is the premier cybersecurity reporting and collaboration platform that makes penetration testers, red teamers and cybersecurity teams more efficient, effective and proactive. PlexTrac removes the pain of reporting and lets you collaborate between both red and blue teams for effective purple teaming and faster remediation. The PlexTrac platform lets you easily aggregate findings, pull in reusable content from write-up databases and content libraries, and track and measure engagement progress in real time. Import assets from CSV files or Nmap or Nessus and so many others of your favorite tools; with over 25 integrations you can streamline your reporting and collaboration process right into your existing workflow. You can do even faster testing with PlexTrac Runbooks and show the impact to managers and leadership with PlexTrac's analytics and visualizations. Within minutes you can have your pentest report done and dusted, all with your team's logo and details, and then sent off to the client. Spend more time hacking and less time reporting. Learn how you can boost your team's efficiency by 30 percent and cut reporting time by up to 65 percent with PlexTrac. Seriously, check out PlexTrac; I have great colleagues and peers that use PlexTrac every day for reporting. Get started with my link below in the video description and let you and your team get back to hacking. Huge thanks to PlexTrac for sponsoring this video.

But let's get some real fireworks here and let's use this in a different virtual machine that has another antivirus product set up, and stage it with that. It is not using Windows Defender currently; it is going to end up using this antivirus where our hoaxshell payload just flies right under the radar and runs without an issue. So let me go ahead and grab this syntax here. I'll change this LOLBin to use, again, another SQL database connector, something that will fit in with the word query. So at this point I'd love to give this to you for your own exploration, or maybe an exercise for the reader or watcher. I don't know if you could stage this without any arguments kind of in the mix, or if you can supply those arguments one way or the other; maybe you could pull this down from a remote resource, maybe iwr, Invoke-WebRequest, piped to IEX, or you could pull it from the file system. You can get super creative if you want it. I guess C:\Windows\Tasks is normally a world-writable folder; we can call this service and paste in our PowerShell syntax just for the sake of showcase here, and let me save this as, really, a .bat extension, so we can run... oh, I missed a backslash there; that should be corrected, okay, stage again, done, yes, overwrite. Try to run, let's check hoaxshell... did it? It did it, it finally did it. Okay, now I have my reverse shell prompt, and there we go, with the stupid little antivirus that is not detecting this thing, a little AV bypass. We can do whatever we want. Granted, it is just a reverse shell that's faked; you can still do anything that you'd want to do maliciously with whatever tradecraft, you just worry about your AV in the meantime. But if we could do some privesc, if we can turn that thing off, if we can disable the security protections, then we're in business. And maybe you could stage that query command to hide inside of a system administrator script, something that looks like, I don't know, it's going to work with the database. You can have it camouflaged, you could have it blend in, you could set up persistence mechanisms and some sort of second-order thing where you still have some cheesy, cutesy foothold, but then your real detonator is masked behind this living off the land technique.

I don't know about you, I thought it was kind of cool. I hope you enjoyed something like this. All credit and kudos to 0gtweet; he's always putting out incredible stuff. Hey, thanks so much for watching, I hope you learned something and enjoyed this video. If you did, please do all those YouTube algorithm things: like, comment, subscribe, and if you'd be willing to, if you're feeling super duper generous, there are links to Patreon down below. If you want to become a member of the channel, that super duper helps support and keep the channel growing and me, I don't know, able to keep doing stuff like this. Thanks again, everyone, I'll see you in the next video.
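The video shows the attacker side of the technique: any value added under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities\query becomes a sub-command that query.exe will dispatch to. The defender's counterpart is to audit that key (and its sibling subkeys for the change and reset commands) for entries that do not point at the stock helper executables. The PowerShell below is an added example written for this page; it is not code from the video or from 0gtweet. The list of known helper names (QAPPSRV.EXE, QPROCESS.EXE, QWINSTA.EXE, QUSER.EXE, CHGLOGON.EXE, CHGPORT.EXE, CHGUSR.EXE, RWINSTA.EXE) and the assumption that the executed program is the last element of each REG_MULTI_SZ value are assumptions taken from a clean Windows 10/11 build and should be confirmed against a known-good baseline export of the same key in your own environment.

```powershell
# Added example (not from the video): audit the Terminal Server "Utilities"
# registry subkeys that query.exe, change.exe and reset.exe dispatch through,
# and flag any entry that does not look like a stock helper executable.

$UtilitiesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Utilities'

# Assumption: stock dispatch targets on a clean Windows 10/11 build.
# Rebuild this list from a known-good baseline before relying on it.
$KnownHelpers = @(
    'QAPPSRV.EXE', 'QPROCESS.EXE', 'QWINSTA.EXE', 'QUSER.EXE',   # query
    'CHGLOGON.EXE', 'CHGPORT.EXE', 'CHGUSR.EXE',                  # change
    'RWINSTA.EXE'                                                 # reset
)

function Get-TerminalServerUtilityAudit {
    [CmdletBinding()]
    param(
        [string]$Path = $UtilitiesKey,
        [string[]]$Allowed = $KnownHelpers
    )

    foreach ($subKey in Get-ChildItem -Path $Path -ErrorAction Stop) {
        $command = $subKey.PSChildName            # query, change or reset
        foreach ($name in $subKey.GetValueNames()) {
            $data   = @($subKey.GetValue($name))  # REG_MULTI_SZ arrives as string[]
            $target = [string]($data[-1])         # assumption: last element is executed
            $leaf   = [System.IO.Path]::GetFileName($target.Trim('"'))

            $reasons = @()
            if ($subKey.GetValueKind($name) -ne 'MultiString') { $reasons += 'not REG_MULTI_SZ' }
            if ($Allowed -notcontains $leaf.ToUpperInvariant())  { $reasons += 'unknown helper' }
            if ($target -ne $leaf)                               { $reasons += 'path or arguments in target' }

            [pscustomobject]@{
                Command    = $command
                SubCommand = $name            # e.g. USER, or a planted "SQL database connector"
                Target     = $target
                Data       = ($data -join ' | ')
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

# Usage: show only the entries that deserve a look, such as a sub-command whose
# target is a .bat under C:\Windows\Tasks or a powershell.exe command line.
Get-TerminalServerUtilityAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Reading HKLM needs no elevation, so this can run from a scheduled collection job or an EDR live-response session. Because the key sits under HKLM\SYSTEM, it is writable only by administrators and SYSTEM by default, so a new value there is itself evidence of prior privileged access. For continuous coverage rather than periodic audits, set a SACL on the Utilities key and collect Security event 4657 (registry value modified), or use Sysmon Event ID 13 (RegistryEvent: value set) filtered on that path; either will catch the reg.exe add the video performs regardless of which sub-command name the value is given.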
Info
Channel: John Hammond
Views: 76,470
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: gzv3d7rvjKA
Length: 11min 29sec (689 seconds)
Published: Fri May 12 2023