Building a Python Payload with outbound TCPPort scanning

This is a Python payload that I am working on.

I felt inspired yesterday evening and worked late into the night last night as well as all day today to bring this to a functional level. This is my first endeavor into payload creation AND my first Python project so I am learning a hell of a lot along the way. Here is the gist of the functionality at this point:

– Tests for open outbound ports upon execution.
– builds and executes powershell payloads on the fly using the results of the port testing.
– Custom written so it should avoid easily avoid AV. It has so far with Kaspersky during testing.
– Powershell payloads generated on the fly.

This utilizes @Mattifestation’s Invoke-Shellcode in order to build and execute reverse HTTPS Meterpreter sessions based on port availability. Right now it is being compiled with Pyinstaller. I am looking into using PWNstaller.

Walk-through:

Block a couple of outbound ports. Right now the scripts loops through 443, 53, 9443, and 80 in that order :
Screen Shot 2015-02-25 at 6.13.21 PM
1. Payload is executed and loops through an array of ports until it finds one that is open.
NOTE: This window is strictly for debugging
Screen Shot 2015-02-25 at 6.12.39 PM
2. Starts notepad.exe process

Screen Shot 2015-02-25 at 6.12.48 PM

3. Uses the Invoke-Shellcode command to build shellcode based on that open port and injects it into the notepad.exe process. Port 9443 was found to be open and as a result a session comes in on that port.
Screen Shot 2015-02-25 at 6.12.19 PM
The payload is quite large, about 3.4Mb, so I am going to port it to C in the future to help cut down on the size. I have tested this at a couple of clients and it flies right by antivirus and establishes a success connection. In that respect I consider this a success.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s